
Azure AD Conditional Access and licensing

Han Valk
Occasional Contributor

Scenario:

  • We use Azure AD Conditional Access in combination with AD FS and a third party MFA solution to force MFA for users from outside our network.
  • On our Azure AD tenant I've configured SupportsMfa $true, PromptLoginBehavior NativeSupport and PreferredAuthenticationProtocol WsFed.
  • On AD FS I've removed any Additional Authentication Rules and made sure there is an insidecorporatenetwork and an authnmethodsreferences claim on the Office 365 relying party trust.
  • Enforcement is done for all users except a few who are members of a specific group, and on all cloud apps. That exception group contains some cloud-only users such as the AAD Connect service account.


Problem:

The solution works as expected apart from a licensing quirk. Conditional Access is licensed through an Azure AD Premium P1 license.

When I remove the Azure AD Premium P1 license from a user, I expect that Conditional Access stops working for that specific user and that he/she is unable to sign in and is presented with some kind of error message.

This is not the case: Conditional Access keeps working for that user. I've tested this for several days after license removal.


What is causing this behavior?

1 Reply

Microsoft does not enforce license requirements for many of the products, thus in many cases removing a license is not a way to control access. Apart from CA, SharePoint Online is the prime example of this.
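The tenant and AD FS configuration described in the original post, written out as an added PowerShell example (this is not the poster's own script). It assumes the MSOnline module on an admin workstation and the ADFS module on the federation server; the domain name, relying party trust name and the AAD_PREMIUM service plan check are assumptions not stated in the thread. The final block follows from the reply above: because removing the P1 license does not make Conditional Access fail for the user, license coverage has to be audited separately rather than inferred from sign-in behaviour.

```powershell
# Added example, not the original poster's script. Assumes the MSOnline module
# (Connect-MsolService) on an admin workstation and the ADFS module on the AD FS
# server. Domain name and RP trust name below are placeholders.

# --- Azure AD side: the three federation settings from the post -----------------
Connect-MsolService
$domain = 'contoso.com'   # placeholder federated domain

Set-MsolDomainFederationSettings -DomainName $domain `
    -SupportsMfa $true `
    -PromptLoginBehavior NativeSupport `
    -PreferredAuthenticationProtocol WsFed

# Read back what the tenant actually holds; CA relies on all three values.
Get-MsolDomainFederationSettings -DomainName $domain |
    Select-Object SupportsMfa, PromptLoginBehavior, PreferredAuthenticationProtocol

# --- AD FS side: run on the federation server -----------------------------------
Import-Module ADFS
$rp = 'Microsoft Office 365 Identity Platform'   # default name of the O365 RP trust

# Clear any Additional Authentication Rules so AD FS itself never demands MFA;
# with SupportsMfa set, Azure AD Conditional Access signals the requirement.
Set-AdfsRelyingPartyTrust -TargetName $rp -AdditionalAuthenticationRules $null

# Pass through the two claims CA evaluates: insidecorporatenetwork (whether the
# request came from inside the network) and authnmethodsreferences (which
# authentication methods, e.g. MFA, satisfied the request).
$passThrough = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through insidecorporatenetwork"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through authnmethodsreferences"
c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"]
 => issue(claim = c);
'@
$existing = (Get-AdfsRelyingPartyTrust -Name $rp).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceTransformRules ($existing + "`n" + $passThrough)

# Confirm both claim types now appear in the issuance transform rules
(Get-AdfsRelyingPartyTrust -Name $rp).IssuanceTransformRules |
    Select-String 'insidecorporatenetwork|authnmethodsreferences'

# --- License audit (back on the admin workstation) ------------------------------
# Removing Azure AD Premium P1 does not stop CA from applying to a user, so the
# policy will not "fail closed" to tell you who is unlicensed. Enumerate users
# without a provisioned AAD_PREMIUM service plan (assumed plan name for P1).
$unlicensed = Get-MsolUser -All | Where-Object {
    -not ($_.Licenses.ServiceStatus | Where-Object {
        $_.ServicePlan.ServiceName -eq 'AAD_PREMIUM' -and
        $_.ProvisioningStatus -eq 'Success'
    })
}
$unlicensed | Select-Object UserPrincipalName | Sort-Object UserPrincipalName
```

Run the Azure AD and license sections from any workstation with the MSOnline module; the AD FS section must run on a federation server with the ADFS module loaded. If your tenant uses a licence plan other than AAD_PREMIUM for P1 coverage (for example a bundled SKU), adjust the ServiceName filter accordingly.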
