Hello, here's a similar question with a clear answer from a Microsoft employee: https://learn.microsoft.com/en-us/answers/questions/160617/azure-ad-application-proxy-licensing-question
Azure AD Application Proxy Licensing
Hello,
I need some clarification around Application Proxy Licensing.
To active Azure Application Proxy I know we need to have at least one Azure AD P1 or P2 license.
But what about the users?
Can i have users that are "Unlicensed" using the Application Proxy?
If i can, can i use all the features with douse users or will some features be restricted to only licensed users?
From what i have tested the Application Proxy works with unlicensed users.
What I'm trying to confirm is that i will be compliant with the service terms if i use this feature with unlicensed users.
Thanks in advance
Microsoft Security Microsoft Entra Microsoft Entra ID
2 additional answers
Sort by: Most helpful
-
Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator
2023-04-13T16:40:54.4333333+00:00 Only the admin who configures it needs the license https://www.enowsoftware.com/solutions-engine/azure-active-directory-center/using-azure-acitve-directory-application-proxy-to-publish-internal-apps
-
Luís Costa 226 Reputation points
2023-04-14T12:19:10.2066667+00:00 Thanks @Andy David - MVP . I have done a little bit of digging from different sources and questions and I have come up with this information:
- As many features in Azure AD, like Conditional Access or Identity Protection, to activate Azure AD Application Proxy on the tenant we need at least **ONE **Azure AD P1 or P2 license.
- Microsoft licenses are not applied to the tenant, they are applied to the user. As it's stated in the terms of service: "A tenant-level service is an online service that when purchased for any user on the tenant (standalone or as part of Office/Microsoft 365 plans) is activated in part or in full for all users on the tenant." So even in some cases some unlicensed users may be able to access the service, from a compliance perspective a license is required for any user that you intend to benefit from the service.
- Also it states on the pricing and licensing page for Azure AD (link ): With the free edition of Azure AD end users who have been assigned access to software as a service (SaaS) apps can get single sign-on access to unlimited number of cloud apps. On-premises apps require Azure AD Application Proxy or secure hybrid partnerships integrations available with Azure AD Premium P1 and Premium P2. So my take in this is:
- Technically you only need one Azure AD P1 ou P2 license to activate Azure AD Application Proxy;
- Technically even unlicensed users will be able to use Azure AD Application Proxy since Microsoft does not check if the user is licensed;
- If a user without an Azure AD P1 or P2 uses Azure AD Application Proxy you will be violating the terms of the license agreement; Final answer: All users that are using Azure AD Application Proxy must have and Azure AD Premium P1 or P2 license