SOLVED

Azure AD Premium Licensing & permission to use MFA, SSPR, ConditionalAccess, etc.

Steel Contributor

Hey folks,

 

I'm wondering how to deal with the following scenario correctly (I know how to use the techniques; it's just about the correct licensing):

  1. Contoso has e.g. 100 Users (Members)
    1. 50 Users are licensed with sth. that includes Azure AD Premium P1
    2. 30 Users are licensed with sth. that includes P2
    3. 20 Users are not licensed (Service accounts, administrative accounts, test accounts, ..)
    4. In addition there are e.g. 40 invited guest accounts, which are not licensed at all.
    5. (I guess this is a very common scenario) :smile:
  2. Contoso wants to use different technologies like
    1. SSPR (Self-Service Password Reset)
    2. Azure AD Identity Protection: MFA Registration Policy
    3. Conditional Access Policies to require MFA
    4. Conditional Access Policies to react to User Risk or Sign-In Risk
    5. (Very common too, I guess)

Question: How to "use" these techniques correctly?

  1. SSPR (Self-Service Password Reset)
    1. Allow for anyone?
    2. Only allow for a dynamic group which includes all AAD P1 licensed users?
  2. Azure AD Identity Protection: MFA Registration Policy
    1. Allow for anyone?
    2. Dynamic group with AAD P2 Users?
  3. Conditional Access Policies to require MFA
    1. Allow for anyone?
    2. Dynamic group with AAD P1 Users?
  4. Conditional Access Policies to react to User Risk or Sign-In Risk
    1. Allow for anyone?
    2. Dynamic group with AAD P2 Users?

 

Of course I'm fine with using dynamic groups including AAD P1/P2 users, but what about all the guest users, for example?

What is allowed, what isn't allowed?

 

Thank you very much for any help in advance. :smile:

 

Regards,

Patrick

 

2 Replies
best response confirmed by PatrickF11 (Steel Contributor)
Solution

@PatrickF11 your guest users are covered under the monthly active user (MAU) licencing (see "MAU billing model for Azure AD External Identities - Microsoft Entra | Microsoft Learn"), so they can make use of P1 and P1 functionality. Just make sure the tenant is set up for MAU billing.

I wrote a blog on guest governance you may find useful: "Use Azure AD Premium 1 or 2 licence functionality with your Guest users" (nikkichapple.com)

@nikkichapple Thank you very much, this is great information.

One last question: Do you know a way to count the MAU?
