Forum Discussion

Ammar Hasayen's avatar
Ammar Hasayen
Iron Contributor
Oct 17, 2017

Identity Protection - Risk Based Conditional Access Licensing

I have an enteprise with thousands of users with EMS E3 licenses.  The finanance department is a critical space, and they have 500 people working on that department.   They want to purchase EMS E5 ...
Azure Active Directory (AAD)
Identity Management
SamiLamppu's avatar
SamiLamppu
Brass Contributor
Oct 28, 2017

Hi,

Regarding my experience It should work with Conditional Access policy and targeting policy to group which contains users who has EMS E5 license.

 

Risk based signing was not visible in our tenant until we bought EMS E5 licences. Below are pictures from tenant before and after EMS E5 license was purchased.

 

  • Ammar Hasayen's avatar
    Ammar Hasayen
    Iron Contributor
    Oct 28, 2017

    Thank you for your reply. Ya the risk based factor appears for me too.

     

    Microsoft announced that this will not work unless all users have AAD P2 license (part of EMS E5), and that if portion of the users have that license, conditional access with risk based will not work.

     

    I would love if MS could say something here and help us figure this out.

    • SamiLamppu's avatar
      SamiLamppu
      Brass Contributor
      Oct 29, 2017

      For curiosity I tested this scenario with CA policy so that only my test user had EMS E5 (P2) license and other users had EMS E3 (P1). Regarding tests made today risk based CA policy seems to be working as expected. Tested with Tor browser to get risk based mechanism to work immediately with following options at policy:

      - grant access with MFA

      - Block access totally options

       

       

      But I agree, if it's officially announced that all users needs AAD P2 license opinion from Microsoft would be helpful.

       

Resources