Azure Active Directory Premium P1 plan

%3CLINGO-SUB%20id%3D%22lingo-sub-2194220%22%20slang%3D%22en-US%22%3EAzure%20Azure%20Active%20Directory%20Premium%20P1%20plan%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2194220%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20i%20only%20need%20to%20use%20the%20extraDynamic%20groups%20or%2Fand%20Conditional%20Access%20features%20in%20Azure%20AD%20i%20need%20at%20least%20Azure%20AD%20Premium%20P1%20plan.%20Therefor%20i%20need%20to%20pay%20for%20each%20user%20in%20my%20tenant%20who%20authenticate%2C%20right%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20I%20have%20a%20test%20environment%20with%20only%20Enterprise%20Mobility%20%2B%20Security%20E5%20license.%20This%20license%20model%20includes%20Azure%20AD%20Premium%20P2.%20So%20my%20test%20tenant%20has%20a%20Azure%20AD%20Premium%20P2%20plan.%26nbsp%3B%20I%20do%20not%20understand%20why%20it%20is%20possible%20to%20assign%20a%20P1%20and%2For%20P2%20license%20per%20user%20if%20the%20whole%20Azure%20AD%20already%20has%20a%20Premium%20P2%20plan.%20I%20can%20still%20use%20the%20Conditional%20Acces%20features%20even%20for%20users%20without%20a%20license.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EAs%20far%20as%20I%20have%20understood%3B%26nbsp%3B%20Azure%20AD%20comes%20in%204%20license%20models%3A%20Free%2C%20O365%2C%20Premium%20P1%2C%20Premium%20P2.%20License%20plans%20for%20the%20Azure%20Ad%20tenant.%20I%20therefore%20do%20not%20understand%20why%20I%20can%20still%20select%20P1%20or%20P2%20per%20user%20if%20the%20features%20for%20the%20Azure%20AD%20with%20P1%20or%20P2%20already%20enabled%20(eq%20Condition%20Acces%2C%20Dynamic%20groups).%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2194220%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2195295%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Azure%20Active%20Directory%20Premium%20P1%20plan%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2195295%22%20slang%3D%22en-US%22%3ESo%20if%20I%20understand%20correctly%2C%20it%20is%20my%20own%20responsibility%20to%20determine%20which%20user%20uses%2C%20for%20example%2C%20Conditional%20Access%20Policy%20and%20for%20this%20I%20have%20to%20activate%20the%20p1%20license.%3CBR%20%2F%3E%3CBR%20%2F%3EDo%20I%20only%20pay%20for%20the%20activated%20users%20or%20do%20I%20pay%20for%20the%20entire%20Azure%20AD%20tenant%20with%20all%20my%20users%20in%20it%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2196975%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Azure%20Active%20Directory%20Premium%20P1%20plan%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2196975%22%20slang%3D%22en-US%22%3EYou%20pay%20for%20the%20number%20of%20licenses%20purchased%2C%20it's%20your%20responsibility%20to%20make%20sure%20this%20number%20is%20sufficient%20to%20cover%20all%20users%20taking%20advantage%20of%20specific%20feature(s).%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2198720%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Azure%20Active%20Directory%20Premium%20P1%20plan%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2198720%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3BThank%20you%20for%20your%20answers.%20I%20do%20understand%20the%20responsibility%20part.%20But%20i%20don't%20understand%20why%20there%20is%20an%20option%20to%20update%20the%20license%20assignment%20per%20user%20and%20enable%20or%20disable%20the%20Azure%20AD%20Premium%201%20(or%202).%20If%20what%20you%20say%20is%20true%20then%20I%20already%20payed%20for%20the%20number%20of%20licenses%20and%20the%20extra%20features%20is%20already%20enabled%20on%20the%20Azure%20AD%20tenant.%20In%20this%20case%20an%20Azure%20AD%20Premium%202%20tenant.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Ottovw_0-1615365309347.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F262365i793CBB812BFD3B3A%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Ottovw_0-1615365309347.png%22%20alt%3D%22Ottovw_0-1615365309347.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20why%20is%20there%20an%20option%20to%20enable%20or%20disable%20Azure%20AD%20license%20plan%20per%20user(s)%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hello,

 

When i only need to use the extra Dynamic groups or/and Conditional Access features in Azure AD i need at least Azure AD Premium P1 plan. Therefor i need to pay for each user in my tenant who authenticate, right?

 

So I have a test environment with only Enterprise Mobility + Security E5 license. This license model includes Azure AD Premium P2. So my test tenant has a Azure AD Premium P2 plan.  I do not understand why it is possible to assign a P1 and/or P2 license per user if the whole Azure AD already has a Premium P2 plan. I can still use the Conditional Acces features even for users without a license. 

As far as I have understood;  Azure AD comes in 4 license models: Free, O365, Premium P1, Premium P2. License plans for the Azure Ad tenant. I therefore do not understand why I can still select P1 or P2 per user if the features for the Azure AD with P1 or P2 already enabled (eq Condition Acces, Dynamic groups). 

 

5 Replies
Microsoft does not enforce licensing requirements in code for many of the features, thus making them available even when no direct license assignments exist. This doesnt mean that you are allowed to go that route, it still counts as license violation.
So if I understand correctly, it is my own responsibility to determine which user uses, for example, Conditional Access Policy and for this I have to activate the p1 license.

Do I only pay for the activated users or do I pay for the entire Azure AD tenant with all my users in it?
You pay for the number of licenses purchased, it's your responsibility to make sure this number is sufficient to cover all users taking advantage of specific feature(s).

@Vasil Michev Thank you for your answers. I do understand the responsibility part. But i don't understand why there is an option to update the license assignment per user and enable or disable the Azure AD Premium 1 (or 2). If what you say is true then I already payed for the number of licenses and the extra features is already enabled on the Azure AD tenant. In this case an Azure AD Premium 2 tenant. 

 

Ottovw_0-1615365309347.png

 

So why is there an option to enable or disable Azure AD license plan per user(s)?

Why wouldnt there be one, most services can be toggled on a per-user basis. This is no different from having the Exchange Online service listed in the M365 SKU. Although in that example, removing the service will actually affect functionality. Different teams within MS have different views on how to handle licensing requirements in code, that's just something you'll have to get used to.