Share via

How to manage users with and without licenses that have conditional access

Andrew Premier 0 Reputation points
2024-06-03T22:13:54.16+00:00

I have two types of users at my company, Basic users who just need email on their phone who currently use Exchange Online Plan $4/month and Advanced users who need access to Azure Virtual Machines who currently use Business Standard $12/mo. There's about 20 Basic users and 5 Advanced users. I need MFA enabled on everyone's account and dont want to pay a lot of money for Basic users.

Problem: In order for the advanced users to access their VM in AVD, they need licenses with conditional access to bypass MFA. If I purchase a Business Premium license, which comes with conditional access, for the Advanced users, do I also need to purchase licenses that include conditional access for my Basic users?

I need to disable Security Defaults in order to enable conditional access because their policies conflict. If security defaults is off, how do I manage the Basic users to make sure MFA is enabled? I need to make sure we are in compliance with Microsoft licensing. I dont want to use Per-user MFA cuz that is getting deprecated.

Current Setup: We are currently using Security Defaults and have disabled all legacy protocols. We have disabled per-user MFA and old version of SSPR (which are both being deprecated). We are managing everything in Entra under the Policies tab. I dont want to use these methods because I dont want to worry about this in another year when its gone.

This is so confusing trying to understand all this. Any help is greatly appreciated.

Azure Virtual Desktop
Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.
1,422 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,274 questions
Windows Licensing
Windows Licensing
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Licensing: Rules, regulations, and restrictions that define how software can be used and distributed.
52 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Akhilesh 6,825 Reputation points Microsoft Vendor
    2024-06-06T06:53:08.0966667+00:00

    Hi @Andrew Premier

    Thank you for posting this in Microsoft Q&A!

    To answer your question, if you’re implementing Conditional Access policies, you need to ensure that every user that is affected by a Conditional Access policy needs to have a license that includes Conditional Access, such as Azure AD Premium P1 or P2.
    Please see the overall Azure AD Pricing/Licensing doc found here:

    https://azure.microsoft.com/en-us/pricing/details/active-directory/

    The documentation also says, "Using this feature requires an Azure AD Premium P1 license", which means that it's required for any user who makes use of the feature.

    Hope this helps. Do let us know if you any further queries.

    Thanks,

    Akhilesh.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.