Azure Active Directory Premium P1 is coming to Microsoft 365 Business Premium
Published Apr 02 2020 11:08 AM 142K Views
Microsoft

7/14 Update: We have completed the rollout of Azure AD Premium P1 to all Microsoft 365 Business Premium customers and this should be available to both existing and new subscribers. 

 

4/8 Update: We are now rolling out the full Azure AD Premium P1 capabilities to new Microsoft 365 Business Premium customers. Rollout to current Microsoft 365 Business subscribers is scheduled thereafter over the next several weeks.

 

With Microsoft 365 Business Premium (Previously Microsoft 365 Business), we’re on a journey to deliver a comprehensive productivity and security solution for businesses with less than 300 employees.  It integrates your favorite Office apps and collaboration tools including Microsoft Teams with advanced security and device management capabilities.

 

We're adding another key capability to the Microsoft 365 Business Premium subscription - full Azure Active Directory Premium P1 license. This will roll out to new customers in the next few weeks, and to existing customers in the coming months. 
 

Help your employees maintain secure access to apps-at work, at home or on the go

Microsoft 365 Business Premium formerly had just a subset of Azure AD Premium Plan 1 capabilities including Conditional Access, self-service password reset, and Multi-Factor Authentication. With the addition of the full Azure AD Premium P1 license, you will soon get the benefit of cloud app discovery, Application Proxy, dynamic groups, passwordless authentication and more—all of which help your employees maintain secure access to work apps, whether they’re at home or on the go.

 

 

azure ad new.png

 
Simple, centralized app management to enable secure remote access with Azure AD
 
Here are some of the new capabilities that are specially relevant for small and mid-sized businesses-
 
1. Cloud App Discovery:

In modern businesses with Bring Your Own Device (BYOD) environments and work from home set ups, IT departments are often not aware of all the cloud applications that their employees use for work. As a result, administrators often have concerns about unauthorized access to corporate data, possible data leakage and other security risks inherent in the applications.

 

You can address these concerns by using Cloud App Discovery. Cloud App Discovery is a feature of Microsoft Cloud App Security (MCAS) that is also available with Azure Active Directory Premium P1. It enables you to discover cloud applications that are used by employees in your organization and view reports to analyze your environment. Cloud app discovery analyzes your traffic logs against a catalog of over 16,000 cloud apps. The apps are ranked and scored based on more than 80 risk factors to provide you with ongoing visibility into cloud use, shadow IT, and the risk shadow IT poses to your organization.

 

With Cloud App Discovery, you can:

  • Discover applications in use and measure usage by number of users, volume of traffic or number of web requests to the application
  • Identify the users that are using an application
  • Export data for additional offline analysis
  • Prioritize applications to bring under IT control and integrate applications easily to enable single sign-on and user management

Get Started with Cloud App Discovery and refer to Frequently Asked Questions.

 

 

2. Application Proxy: Many organizations run business-critical apps on-premises, and with the advent of remote and work from home scenarios, it becomes important to enable your employees to securely access these apps from anywhere. Azure AD Application Proxy is a lightweight agent that enables access to your on-premises apps, without opening broad access to your network.

 

It's more secure than VPN and reverse proxy solutions and easier to implement. Remote users can access your on-premises applications the same way they access Office 365 and other SaaS apps integrated with Azure AD. With App Proxy, you don't need to change or update your applications and it also doesn't require you to open inbound connections through your firewall. With a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal. For example, Application Proxy can provide remote access and single sign-on to Remote Desktop, SharePoint, Microsoft Teams, and other line of business (LOB) and SaaS applications.

 

This also proves to be cost-effective as you don't need to change the network infrastructure or install additional appliances in your on-premises environment.

 

Learn more about Application Proxy

 

3. Dynamic groups help automate IT and business processes by automatically adding/removing users from security groups based on their attributes, thereby reducing the administrative overhead of adding and removing users. You can define attributes such as “sales department” for example to dynamically place a user in a certain group. You can use dynamic groups to assign users to groups automatically, then use these groups to grant access to applications.

 

Learn more about dynamic groups

 

4. Passwordless authentication: With the multitude of apps we use everyday, passwords can be frustrating to remember and are easily breached. Passwordless authentication makes life easier for you by replacing the password with something you have, plus something you are or something you know.

 

Microsoft offers the following three passwordless authentication options that integrate with Azure AD - Windows Hello for Business, Microsoft Authenticator app and FIDO2 security keys.

 

Learn more about passwordless authentication options for Azure Active Directory

 

 

Whether you are a customer or a partner, we hope these new capabilities will make the transition to secure remote work a little easier. For a full list of Azure Active Directory Premium P1 capabilities in Microsoft 365 Business Premium, please refer to the Azure AD pricing details page.

 

Partners-register for the April 8th webinar Secure Your SMB Customers as They Cope with COVID-19 to learn more on how to enable secure remote work with Microsoft 365 Business Premium.

42 Comments

Awesome News, Thanks for sharing with the Community :cool:

Copper Contributor

Which Microsoft 36 Business will this apply to?  Business Basic?  Business Standard?  Premium?  Would be nice to know ahead of time for those that want to purchase P1 for their organization or clients (could be a difference from keeping the customer at Office 365 Business Premium (which will become Business Standard) or upgrading the client from Office 365 Business Premium to Microsoft 365 Business (which will become Microsoft 365 Business Premium).  Please comment back or update the article.

Microsoft

Hi @steve02a, As we mention in the first paragraph of the blog, this applies to Microsoft 365 Business, which will be renamed as Microsoft 365 Business Premium starting April 21st.  

Copper Contributor

@Neha Bhaskar Thank you.  Oversight on my part...

Copper Contributor

How can you check if it's been rolled out to your tenant? I'm waiting for P1 to be able to use NPS extension for Azure MFA (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension), but I don't want to try and and set it up every week just to see if I have the license :)

Microsoft

Hi @Mattijs1760 ,

You can check for  Azure Active Directory Premium P1 in your tenant through the following steps

  1. Sign into https://admin.microsoft.com
  2. Click on Users -> Active Users
  3. Select a user with a M365B subscription
  4. Click on “Licenses and Apps”
  5. Expand the Apps like and look for Azure Active Directory Premium P1.

Hope this helps!

 

 

Copper Contributor

Will the Microsoft 365 Business (renamed as Microsoft 365 Business Premium after April 21st), have both Azure Active Directory Premium P1 and also the right to have Office 365 desktop applications to be installed and run from a Remote Desktop Services machine

 

The same as,Office 365 Enterprise E3 plan which allows for Office 365 desktop applications to be installed and run from a Remote Desktop Services machine

Does this mean M365 Business Premium subscribers will now have the Windows Server CAL as part of the AZ Active Directory Premium Plan1?

Copper Contributor

Dear Neha,

 

Tenant has received full Azure Active Directory Premium P1 license, checked on user level and in Az AD (Azure AD Premium P1).

However, I seem to have an issue when trying to Export Sign-In logs to Sentinel. The Sentinel connector for Azure AD states: License: required AAD P1/P2.

 

What would the advice be in this? Exporting sign-in logs to LogAnalytics/Sentinel was a major expectation of P1 for regulated customers.

 

Greetings,

 

Mike

 

Microsoft

Hello @itomic , 

 

Microsoft 365 Business (renamed as Microsoft 365 Business Premium starting April 21st) includes Shared Computer Activation, which I believe is what you were asking. For more details, please see https://techcommunity.microsoft.com/t5/small-and-medium-business-blog/shared-computer-activation-for...

 

Hope that helps!

@MikeStrubbe I'm looking into using Sentinel with AADP1 in M365B and will reply back shortly.

 

@Danielle_Alexander Are you referring to the Windows Server CAL exemption for Azure AD Connect?  If so, this applies to M365 Business Premium.  As far as I know, there are no Windows Server CALs included in Azure AD Premium Plan 1.

Copper Contributor

@David Bjurman-Birr please also check if ingesting sign-in logs directly from Azure AD diagnostic settings towards LogAnalytics would be supported, this also requires a P1 lic.

@David Bjurman-Birr 

 

I am wondering if like M365 E3 & E5 will M365 Business Premium will provide the right to access server software running on Licensed Servers or to Manage Operating System Environments for Windows Server?

@Danielle_Alexander Customers using Microsoft 365 Business Premium will still need CALs to access Windows Server and those are not included.  Strategically, we're trying to help customers move away from needing to buy servers and pay for on-premises licensing; however, we are maintaining full compatibility with hybrid environments so customers can move to the cloud at their own pace.

Copper Contributor

Does this include the Azure MFA NPS extension too?

 

 

@idler87 The Azure MFA NPS extension is included!  Are you using NPS for WPA2 Enterprise Auth for WiFi?  If so, you can also configure the WiFi profiles for managed Windows/Mac PCs as well as mobile devices in Intune via the Endpoint Management admin portal.

Copper Contributor

G'day, I suspect this rollout is related to an issue I'm experiencing. I'm in the middle of a fairly urgent rollout of just a handful of Win10 devices and I need to control them via Intune/Azure. Using M365 Business Premium. Several aspects of the process aren't matching the expected response while others are (e.g. I can Join devices to Azure and enroll devices in MDM and all appears fine, but I can't add joined devices to groups nor use the "Manage" button in Azure). It feels like I both do and don't have some features. In addition, if I view subscriptions assigned to my Azure directory, it says none are active.

 

Is all this a symptom of this rollout being halfway through? Or a series of other errors (almost certainly my own) combined? Help would be appreciated, I've been pulling my hair out since a series of these issues mean documentation leads to dead ends! 

Thanks

Copper Contributor

Hi Neha,

 

If a new customer adopts M365 Business Premium, Would he get Azure AD premium p1 (full functionality) right away?

Please confirm at the earliest

Microsoft

Hi @Vikas_Awasthi 

 

Yes, new Microsoft 365 Business Premium customers should see the Azure AD Premium P1 capabilities right away.

It is however, still rolling out to existing subscribers of the next several weeks.

 

Hope this helps!

Neha

Microsoft

Hi @GoodNews ,

 

The issue you describe doesn't seem related to the rollout at the outset. It would be good to have more details on the issue so we can help you better. I have messaged with you so you can share more details on that thread.

 

Thanks,

Neha

Copper Contributor

When will the service plan ID's be updated? They still reflect AAD SMB instead of AAD P1 which causes issues for AAD dynamic groups rules: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-re...

@chrischambersau Thanks for pointing out that page. It needs an update!

 

We don't normally change service plan ID's.  You should see both AAD_SMB and AAD_PREMIUM. Here are the service plans for an M365 Business Premium tenant:

 

 

ServicePlanId                        TargetClass ServiceType                   ServicePlan
-------------                        ----------- -----------                   -----------
41781fb2-bc02-4b7c-bd55-b576c07bb09d        User AADPremiumService             AAD_PREMIUM
de377cbc-0019-4ec2-b77c-3f223947e102        User AADPremiumService             AAD_SMB
932ad362-64a8-4783-9106-97849a1a30b9        User Adallom                       ADALLOM_S_DISCOVERY
28b0fa46-c39a-4188-89e2-58e979a6b014        User CRM                           DYN365_CDS_O365_P3
8c7d2df8-86f0-4902-b2ed-a0458298f3b3        User Deskless                      Deskless
39b5c996-467e-4e60-bd62-46066f572726        User DynamicsNAV                   DYN365BC_MS_INVOICING
9bec7e34-c9fa-40b7-a9d1-bd6d1165c7ed        User Exchange                      BPOS_S_DlpAddOn
176a09a6-7ec5-4039-ac02-b2791c6ba793        User Exchange                      EXCHANGE_S_ARCHIVE_ADDON
9aaf7827-d63c-4b61-89c3-182f06f82e5c        User Exchange                      EXCHANGE_S_STANDARD
199a5c09-e0ca-4e37-8f7c-b05d533e1ea2        User Exchange                      MICROSOFTBOOKINGS
33c4f319-9bdd-48d6-9c4d-410b750a4a5a        User Exchange                      MYANALYTICS_P2
5bfe124c-bbdc-4494-8835-f1297d457d79        User Exchange                      O365_SB_Relationship_Management
4828c8ec-dc2e-4779-b502-87ac9ce28ab7        User MicrosoftCommunicationsOnline MCOEV
f47330e9-c134-43b3-9993-e7f004506889        User MicrosoftCommunicationsOnline MCOEV_VIRTUALUSER
3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40        User MicrosoftCommunicationsOnline MCOMEETADV
4ed3ff63-69d7-4fb7-b984-5aec7f605ca8        User MicrosoftCommunicationsOnline MCOPSTN1
0feaeb32-d00e-4d66-bd5a-43b5b83db82c        User MicrosoftCommunicationsOnline MCOSTANDARD
54fc630f-5a40-48ee-8965-af0503c1386e        User MicrosoftKaizala              KAIZALA_O365_P2
094e7854-93fc-4d55-b2c0-3ab5369ebdc1        User MicrosoftOffice               OFFICE_BUSINESS
276d6e8a-f056-4f70-b7e8-4fc27f79f809        User MicrosoftOffice               OFFICE_SHARED_COMPUTER_ACTIVATION
743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6        User Microsoftstream               STREAM_O365_E1
8a256a2b-b617-496d-b51b-e76466e88db0        User MultiFactorService            MFA_PREMIUM
159f4cd6-e380-449f-a816-af1a9ef76344        User OfficeForms                   FORMS_PLAN_E1
92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c        User PowerAppsService              POWERAPPS_O365_P1
0f9b09cb-62d1-4ff4-9129-43f4996f83f4        User ProcessSimple                 FLOW_O365_P1
b737dad2-2f6c-4c65-90e3-ca563267e8b9        User ProjectWorkManagement         PROJECTWORKMANAGEMENT
bea4c11e-220a-4e6d-8eb8-8ea15d019f90        User RMSOnline                     RMS_S_ENTERPRISE
6c57d4b6-3b23-47a5-9bc9-69f17b4947b3        User RMSOnline                     RMS_S_PREMIUM
c1ec4a95-1f05-45b3-a911-aa3fa01094f5        User SCO                           INTUNE_A
8e9ff0ff-aa7a-4b20-83c1-2f636b600ac2        User SCO                           INTUNE_SMBIZ
c7699d2e-19aa-44de-8edf-1736da088ca1        User SharePoint                    SHAREPOINTSTANDARD
e95bec33-7c88-4a70-8e19-b10bd9d0c014        User SharePoint                    SHAREPOINTWAC
a23b959c-7ce8-4e57-9140-b90eb88a9e97        User Sway                          SWAY
57ff2da0-773e-42df-b2af-ffb7a2317929        User TeamspaceAPI                  TEAMS1
5e62787c-c316-451f-b873-1d05acd4d12c        User To-Do                         BPOS_S_TODO_1
b8afc642-032e-4de5-8c0a-507a7bba7e5d        User WhiteboardServices            WHITEBOARD_PLAN1
8e229017-d77b-43d5-9305-903395523b99        User Windows                       WINBIZ
7547a3fe-08ee-4ccb-b430-5077c5041653        User YammerEnterprise              YAMMER_ENTERPRISE
94065c59-bc8e-4e8b-89e5-5138d471eaff      Tenant Bing                          MICROSOFT_SEARCH
f20fedf3-f3c3-43c3-8267-2bfdd51c0939      Tenant Exchange                      ATP_ENTERPRISE
113feb6c-3fe4-4440-bddc-54d774bf0318      Tenant Exchange                      EXCHANGE_S_FOUNDATION
882e1d05-acd1-4ccb-8708-6ee03664b117      Tenant SCO                           INTUNE_O365
Copper Contributor

Any update on when this will be live to current Microsoft 365 Business subscribers? This is big news and the wait is killing us :)

Copper Contributor

I'd also appreciate an update on this.  Thanks.

Microsoft

Hi @WorkingKris @Jason Carpenter  we're expecting the rollout for existing customers to complete by end of month; will update this post at that time. 

Copper Contributor

Hello,

 

Does this apply to existing users of the E3 & E5 licenses?

@DZ_101 Azure Active Directory has four editions: free, Office 365 Apps, Premium P1, and Premium 2.  Azure Active Directory Premium 1 was recently added to Microsoft 365 Business Premium (Previously it had a subset of Premium P1 features)

 

Customers with Microsoft 365 Business Premium licenses get Premium 1

Customers with Microsoft 365 E3 licenses get Premium 1

Customers with Microsoft 365 E5 licenses get Premium 1 + Premium 2

Customers with Office 365 licenses get the Office 365 apps edition outlined here: https://azure.microsoft.com/en-us/pricing/details/active-directory/.  This includes Office 365 E1, E3 & E5 as well as Microsoft 365 Business Basic and Microsoft 365 Business Standard.

 

Hope that helps!

 

David

Copper Contributor

please update

@Ab_Khan What would you like an update on?

Brass Contributor

I just set up a new Microsoft 365 Business Premium tenant and I clicked through the dialog on default conditional access policies too quickly. Is there a place to see the default policies that are applied to new tenants documented?

Copper Contributor

Has this been rolled out to existing Business customers yet? We have licenses of Microsoft 365 Business Standard, but AAD shows we still have "Azure AD for Office 365". 

@solmssen Have a look at this page: What are security defaults? 

 

That will give you the details on what Security Defaults does.  At the bottom of the page are links to the instructions on how to create the corresponding Conditional Access policies.  If you turn off Security Defaults, I recommend implementing those policies right away.

 

I also recommend having a look at this page: Common Conditional Access policies 

 

Hope that helps!

 

David

@StephenOtt Azure Active Directory Premium P1 is included with Microsoft 365 Business Premium, but not Business Standard or Business Basic.

 

David

Copper Contributor

@David Bjurman-Birr  Thanks for the clarification. I didn't even realize M365 Biz Premium was a thing. I thought going from O365 Biz Premium just became Biz Standard. 

Copper Contributor

Do you know when this will be complete? 

https://www.microsoft.com/en-us/microsoft-365/business/compare-all-microsoft-365-business-products?t...

Will it be shown on here once it's available for new and existing deployments?

Many thanks.

 

Microsoft

@nicolestevens  Yes, I will update this blog once the rollout is complete to existing deployments. It should already be available to new customers (who purchased after mid April)

Copper Contributor

@Neha Bhaskar Is Azure AD P1 rolled out to all regions? Is it available in India? One of our SPLA vendor/partner mentioned Azure AD P1 is not yet rolled out for O365 Business Premium plans in India. Can you please confirm this.

Microsoft

@Rupesh_Nair123  Azure AD Premium P1 is now available to all Microsoft 365 Business Premium customers worldwide. Note, that this is not included with Microsoft 365 Business Standard (previously Office 365 Business Premium) which is a different SKU. for comparison, please review https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/mi...

Copper Contributor

@Neha Bhaskar Am I correct in understanding that Microsoft 365 Business licensing for Azure AD Premium P1 works at the tenant level  - e.g. If I have a tenant with 12 users, licensed as follows:

  • 10 Microsoft 365 Business Premium licences
  • 2 Microsoft 365 Business Basic licenses,

In this case, because I am using Business Premium, the tenant is licensed with Azure AD Premium P1 and I am correctly licensed to create an Azure Conditional Access MFA policy that says 'all users must be MFA registered' - e.g.  Require MFA for all users?

Thanks, Marcus.

Iron Contributor

It enables the functionality at tenant level, but can only be applied to users with the right license.

Copper Contributor

Does Azure virtual desktop is included on this subscription? As per article https://docs.microsoft.com/en-us/microsoft-365/admin/misc/microsoft-365-business-faqs?view=o365-worl... . How to enable?

Hi @Rico_De_Lara_mico ,

 

The licensing for AVD use is included in M365 Business Premium; however, the cost of compute (Virtual machine hosts, storage, bandwidth, etc.) is not included.  To set up AVD you'll need to also set up an Azure subscription for the compute resources. Check out Deploy Azure Virtual Desktop with the getting started feature  for the details on how to get started.

Version history
Last update:
‎Jul 20 2020 01:36 PM
Updated by: