Azure AD, Conditional Access App Control licensing


Hi,

Could someone clarify the licensing requirements for using the "Use Conditional Access App Control" option in Azure AD conditional access policies? The MCAS licensing datasheet has a statement that "It (AADPP1) includes MCAS Discovery and Risk Assessment capabilities and adds the ability to leverage reverse proxy capabilities to apply real-time monitoring and control of user sessions for MCAS, as well as OCAS customers." The datasheet can be found here: https://aka.ms/mcaslicensing

Does that mean that if a tenant has 100 MCAS licensed users and 5000 AADPP1 licensed users, all 5000 AADPP1 licensed users are also licensed/allowed to use conditional access app control?

1 Reply
Hi @helipetr,

Please see here:

https://docs.microsoft.com/en-us/cloud-app-security/proxy-deployment-aad

To deploy Conditional Access App Control for Azure AD apps, you need a valid license for Azure AD Premium P1 as well as a Cloud App Security license.

You need both licences on a user to be able to use it. In the example you gave, 100 users with both an MCAS licence and AADP1 would be allowed to use conditional access app control.

Hope that answers your question!

Best, Chris