Identity Protection - Risk Based Conditional Access Licensing

Iron Contributor

I have an enteprise with thousands of users with EMS E3 licenses.  The finanance department is a critical space, and they have 500 people working on that department.


They want to purchase EMS E5 license and assign them to those 500 critical users, to take advantage of the conditiional access with risked based protection.


Is this possible? I mean will purchasing 500 EMS E5 licenses for those users, willl enable risk based conditional access for them?

3 Replies


Regarding my experience It should work with Conditional Access policy and targeting policy to group which contains users who has EMS E5 license.


Risk based signing was not visible in our tenant until we bought EMS E5 licences. Below are pictures from tenant before and after EMS E5 license was purchased.



Thank you for your reply. Ya the risk based factor appears for me too.


Microsoft announced that this will not work unless all users have AAD P2 license (part of EMS E5), and that if portion of the users have that license, conditional access with risk based will not work.


I would love if MS could say something here and help us figure this out.

For curiosity I tested this scenario with CA policy so that only my test user had EMS E5 (P2) license and other users had EMS E3 (P1). Regarding tests made today risk based CA policy seems to be working as expected. Tested with Tor browser to get risk based mechanism to work immediately with following options at policy:

- grant access with MFA

- Block access totally options




But I agree, if it's officially announced that all users needs AAD P2 license opinion from Microsoft would be helpful.