Home

Identity Protection - Risk Based Conditional Access Licensing

%3CLINGO-SUB%20id%3D%22lingo-sub-117244%22%20slang%3D%22en-US%22%3EIdentity%20Protection%20-%20Risk%20Based%20Conditional%20Access%20Licensing%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-117244%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20an%20enteprise%20with%20thousands%20of%20users%20with%20EMS%20E3%20licenses.%20%26nbsp%3BThe%20finanance%20department%20is%20a%20critical%20space%2C%20and%20they%20have%20500%20people%20working%20on%20that%20department.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThey%20want%20to%20purchase%20EMS%20E5%20license%20and%20assign%20them%20to%20those%20500%20critical%20users%2C%20to%20take%20advantage%20of%20the%20conditiional%20access%20with%20risked%20based%20protection.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20this%20possible%3F%20I%20mean%20will%20purchasing%20500%20EMS%20E5%20licenses%20for%20those%20users%2C%20willl%20enable%20risk%20based%20conditional%20access%20for%20them%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-117244%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EEMS%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-121975%22%20slang%3D%22en-US%22%3ERe%3A%20Identity%20Protection%20-%20Risk%20Based%20Conditional%20Access%20Licensing%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-121975%22%20slang%3D%22en-US%22%3E%3CP%3EFor%20curiosity%20I%20tested%20this%20scenario%20with%20CA%20policy%20so%20that%20only%20my%20test%20user%20had%20EMS%20E5%20(P2)%26nbsp%3Blicense%20and%20other%20users%20had%20EMS%20E3%20(P1).%20Regarding%20tests%20made%20today%20risk%20based%20CA%20policy%20seems%20to%20be%20working%20as%20expected.%20Tested%20with%20Tor%20browser%20to%20get%20risk%20based%20mechanism%20to%20work%20immediately%20with%20following%20options%20at%20policy%3A%3C%2FP%3E%3CP%3E-%20grant%20access%20with%20MFA%3C%2FP%3E%3CP%3E-%20Block%20access%20totally%20options%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F23037i61733EC04A3B5099%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22EMS-E5.png%22%20title%3D%22EMS-E5.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20I%20agree%2C%20if%20it's%20officially%20announced%20that%20all%20users%20needs%20AAD%20P2%20license%20opinion%20from%20Microsoft%20would%20be%20helpful.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-121866%22%20slang%3D%22en-US%22%3ERe%3A%20Identity%20Protection%20-%20Risk%20Based%20Conditional%20Access%20Licensing%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-121866%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20for%20your%20reply.%20Ya%20the%20risk%20based%20factor%20appears%20for%20me%20too.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMicrosoft%20announced%20that%20this%20will%20not%20work%20unless%20all%20users%20have%20AAD%20P2%20license%20(part%20of%20EMS%20E5)%2C%20and%20that%20if%20portion%20of%20the%20users%20have%20that%20license%2C%20conditional%20access%20with%20risk%20based%20will%20not%20work.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20love%20if%20MS%20could%20say%20something%20here%20and%20help%20us%20figure%20this%20out.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-121838%22%20slang%3D%22en-US%22%3ERe%3A%20Identity%20Protection%20-%20Risk%20Based%20Conditional%20Access%20Licensing%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-121838%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3ERegarding%20my%20experience%20It%20should%20work%20with%20Conditional%20Access%20policy%20and%20targeting%20policy%20to%20group%20which%20contains%26nbsp%3Busers%20who%20has%20EMS%20E5%20license.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERisk%20based%20signing%20was%20not%20visible%20in%20our%20tenant%20until%20we%20bought%20EMS%20E5%20licences.%20Below%20are%20pictures%20from%20tenant%20before%20and%20after%20EMS%20E5%20license%20was%20purchased.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F23006iAF06EBB3FDE61F9F%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22EMS%20E3.PNG%22%20title%3D%22EMS%20E3.PNG%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F23008i680AD118E7E8D413%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22EMS%20E5.PNG%22%20title%3D%22EMS%20E5.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Ammar Hasayen
MVP

I have an enteprise with thousands of users with EMS E3 licenses.  The finanance department is a critical space, and they have 500 people working on that department.

 

They want to purchase EMS E5 license and assign them to those 500 critical users, to take advantage of the conditiional access with risked based protection.

 

Is this possible? I mean will purchasing 500 EMS E5 licenses for those users, willl enable risk based conditional access for them?

3 Replies

Hi,

Regarding my experience It should work with Conditional Access policy and targeting policy to group which contains users who has EMS E5 license.

 

Risk based signing was not visible in our tenant until we bought EMS E5 licences. Below are pictures from tenant before and after EMS E5 license was purchased.

 

EMS E3.PNGEMS E5.PNG

Thank you for your reply. Ya the risk based factor appears for me too.

 

Microsoft announced that this will not work unless all users have AAD P2 license (part of EMS E5), and that if portion of the users have that license, conditional access with risk based will not work.

 

I would love if MS could say something here and help us figure this out.

For curiosity I tested this scenario with CA policy so that only my test user had EMS E5 (P2) license and other users had EMS E3 (P1). Regarding tests made today risk based CA policy seems to be working as expected. Tested with Tor browser to get risk based mechanism to work immediately with following options at policy:

- grant access with MFA

- Block access totally options

 

EMS-E5.png

 

But I agree, if it's officially announced that all users needs AAD P2 license opinion from Microsoft would be helpful.

 

Related Conversations
Extentions Synchronization
Deleted in Discussions on
3 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
38 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies