Microsoft Entra Tech Accelerator
Jun 27 2023, 08:00 AM - 12:00 PM (PDT)
Microsoft Tech Community

Azure AD license, is it tenant level or user level?


I am confused how Azure decide which features are available for certain users. 


For example, I have two test Azure tenants:


Tenant 1: doesn't have any Azure AD premium licenses, and in "Azure AD" -> Overview, the license is showing as "Azure AD Free".


If I create a enterprise application and tries to assign a group to the application, I will see a message "Groups are not available for assignment due to your Azure AD plan level"


Tenant 2:  it has a 25 user Microsoft 365 E5 Developer license, and in "Azure AD" -> Overview, the license is showing as "Azure AD Premium P2".


Here is the part I don't understand: I have two users in Tenant 2, one is admin user and one is regular user. I didn't assign any of them license. I used the admin user to create a Enterprise application, assigned a AAD group to this application, and added the regular user into the group.


Tested it and the user can access the application fine ( which means the group permission is working ), but I haven't assigned any of them license yet.


It seems the license is on the tenant level, not per user level ? so if I get 25 AAD Premium license, then I can use the group feature for all users? I know it doesn't sound right, would like to have a better understanding.




4 Replies
As a rule of thumb, Microsoft does not enforce licensing requirements in code. There are exceptions of course. Regardless, it's your job to make sure that your users are properly licensed to use a given functionality, even if there are no soft-blocks for doing so.
best response confirmed by Jack_Chen1780 (Contributor)

This is what Microsoft says about tenant level services.

"A tenant-level service is an online service that when purchased for any user on the tenant (standalone or as part of Office/Microsoft 365 plans) is activated in part or in full for all users on the tenant. While in these cases some unlicensed users may be able to access the service technically, a license is required for any user that you intend to benefit from the service."

Here is the full pdf on this

I hope this helps,
I guess the license is on user level can you check and remove if any unused license refer this article for more details
Hope that helps
Vasil, If I want to use a conditional access policy for a subset of my enterprise (finance team), would I need to have azure ad premium p1 for the entire tenant or only for my finance team?
I need to ensure that the finance team is able to login in from certain locations and place more restrictions on them. Everybody is on the same tenant.