Azure AD Conditional Access and licensing

Han Valk
Occasional Contributor

Scenario:

  • We use Azure AD Conditional Access in combination with AD FS and a third party MFA solution to force MFA for users from outside our network.
  • On our Azure AD tenant I've configured SupportsMfa $true, PromptLoginBehavior NativeSupport and PreferredAuthenticationProtocol WsFed.
  • On AD FS I've removed any Additional Authentication Rules and made sure there is an insidecorporatenetwork and an authnmethodsreferences claim on the Office 365 relying party trust.
  • Enforcement is done for all users except a few who are members of a specific group, and on all cloud apps. That exception group contains some cloud-only users such as the AAD Connect service account.


Problem:

The solution works as expected apart from a licensing quirk. Conditional Access is licensed through an Azure AD Premium P1 license.

When I remove the Azure AD Premium P1 license from a user, I expect that Conditional Access stops working for that specific user and that he/she is unable to sign in and is presented with some kind of error message.

This is not the case: Conditional Access keeps working for that user. I've tested this for several days after license removal.


What is causing this behavior?
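The federation and AD FS settings listed in the scenario above, as an added PowerShell example that is not part of the original post. It assumes the federated domain is contoso.com, that the Office 365 relying party trust still has its default name, and that the MSOnline module is available on the machine running the first part; the AD FS part runs on the primary AD FS server. It appends the two pass-through rules only if the trust does not already issue those claims, so it can be re-run safely.

```powershell
# Added example, not the poster's own script. Assumed values: contoso.com as the
# federated domain and the default name of the Office 365 relying party trust.
Import-Module MSOnline
Connect-MsolService

$domain = 'contoso.com'   # assumed federated domain

# 1. Tell Azure AD that AD FS performs MFA itself (so Conditional Access accepts
#    the authnmethodsreferences claim as MFA), that AD FS understands prompt=login
#    natively, and that WS-Fed is the preferred protocol.
Set-MsolDomainFederationSettings -DomainName $domain `
    -SupportsMfa $true `
    -PromptLoginBehavior NativeSupport `
    -PreferredAuthenticationProtocol WsFed

# Verify: the three values should read back as set above.
Get-MsolDomainFederationSettings -DomainName $domain |
    Select-Object SupportsMfa, PromptLoginBehavior, PreferredAuthenticationProtocol

# 2. On AD FS: clear Additional Authentication Rules on the Office 365 trust so that
#    Conditional Access, not AD FS, decides when MFA is required, and pass through the
#    claims Azure AD uses for location (insidecorporatenetwork) and MFA state
#    (authnmethodsreferences, issued by AD FS after the MFA adapter succeeds).
$rpName = 'Microsoft Office 365 Identity Platform'   # default trust name, assumed unchanged

$insideCorpNet = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$authnMethods  = 'http://schemas.microsoft.com/claims/authnmethodsreferences'

$passThroughRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through insidecorporatenetwork"
c:[Type == "$insideCorpNet"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through authnmethodsreferences"
c:[Type == "$authnMethods"]
 => issue(claim = c);
"@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rules = $rp.IssuanceTransformRules

# Only append if neither claim is already issued; otherwise keep the existing rule set.
if ($rules -notmatch [regex]::Escape($insideCorpNet) -or
    $rules -notmatch [regex]::Escape($authnMethods)) {
    $rules = $rules + "`n" + $passThroughRules
}

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $rules `
    -AdditionalAuthenticationRules $null   # $null removes any per-trust MFA rules

# Verify: both claims are issued and no additional authentication rules remain.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
[pscustomobject]@{
    IssuesInsideCorporateNetwork = $rp.IssuanceTransformRules -match [regex]::Escape($insideCorpNet)
    IssuesAuthnMethodsReferences = $rp.IssuanceTransformRules -match [regex]::Escape($authnMethods)
    AdditionalAuthRulesCleared   = [string]::IsNullOrEmpty($rp.AdditionalAuthenticationRules)
}
```

The verification object at the end should show all three properties as True; if AdditionalAuthRulesCleared is False, a global Additional Authentication Rule set elsewhere (or a trust with a different name) is still in play and will trigger MFA independently of Conditional Access.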

1 Reply

Microsoft does not enforce license requirements for many of the products, thus in many cases removing a license is not a way to control access. Apart from CA, SharePoint Online is the prime example of this.
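Because Azure AD does not block an unlicensed user from a Conditional Access policy, the licensing gap has to be found by the tenant itself. The following is an added PowerShell audit, not part of the original thread, that lists users covered by the policy who have no Azure AD Premium service plan. It assumes the exception group is named CA-Exempt and that the MSOnline module is available; the service plan names AAD_PREMIUM (P1) and AAD_PREMIUM_P2 (P2) are the ones Azure AD reports on user licenses.

```powershell
# Added example, not from the original thread. Assumed: the Conditional Access
# exception group is named 'CA-Exempt'; MSOnline module is installed.
Import-Module MSOnline
Connect-MsolService

function Get-UsersMissingAadPremium {
    param(
        [string] $ExemptGroupName = 'CA-Exempt'   # assumed name of the CA exception group
    )

    # Members of the exception group are out of scope of the policy, so skip them.
    $exemptIds = @()
    $group = Get-MsolGroup -All | Where-Object DisplayName -eq $ExemptGroupName
    if ($group) {
        $exemptIds = (Get-MsolGroupMember -GroupObjectId $group.ObjectId -All).ObjectId
    }

    $premiumPlans = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')

    Get-MsolUser -All | Where-Object {
        $user = $_
        if ($user.ObjectId -in $exemptIds) { return $false }

        # A user "has" P1 only if a premium plan is present and not disabled in the SKU.
        $hasPremium = $false
        foreach ($lic in $user.Licenses) {
            foreach ($svc in $lic.ServiceStatus) {
                if ($svc.ServicePlan.ServiceName -in $premiumPlans -and
                    $svc.ProvisioningStatus -ne 'Disabled') {
                    $hasPremium = $true
                }
            }
        }
        -not $hasPremium
    } | Select-Object UserPrincipalName, IsLicensed, BlockCredential
}

# Users still subject to Conditional Access but without an Azure AD Premium plan.
Get-UsersMissingAadPremium | Format-Table -AutoSize
```

Run it after any bulk license change; a non-empty result means Conditional Access is being applied to users the tenant is not licensed for, which the sign-in itself will never surface.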
