Azure AD Application Proxy Licensing

Luís Costa 226 Reputation points
2023-04-13T14:46:27.15+00:00

Hello, I need some clarification around Application Proxy Licensing.
To active Azure Application Proxy I know we need to have at least one Azure AD P1 or P2 license.
But what about the users?
Can i have users that are "Unlicensed" using the Application Proxy?
If i can, can i use all the features with douse users or will some features be restricted to only licensed users?

From what i have tested the Application Proxy works with unlicensed users.
What I'm trying to confirm is that i will be compliant with the service terms if i use this feature with unlicensed users.

Thanks in advance

Microsoft Security Microsoft Entra Microsoft Entra ID
0 comments No comments
{count} votes

Accepted answer
  1. Rafael da Rocha 5,251 Reputation points
    2023-04-13T14:52:46.5966667+00:00

    Hello, here's a similar question with a clear answer from a Microsoft employee: https://learn.microsoft.com/en-us/answers/questions/160617/azure-ad-application-proxy-licensing-question

    1 person found this answer helpful.

2 additional answers

Sort by: Most helpful
  1. Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator
    2023-04-13T16:40:54.4333333+00:00
    0 comments No comments

  2. Luís Costa 226 Reputation points
    2023-04-14T12:19:10.2066667+00:00

    Thanks @Andy David - MVP . I have done a little bit of digging from different sources and questions and I have come up with this information:

    • As many features in Azure AD, like Conditional Access or Identity Protection, to activate Azure AD Application Proxy on the tenant we need at least **ONE **Azure AD P1 or P2 license.
    • Microsoft licenses are not applied to the tenant, they are applied to the user. As it's stated in the terms of service: "A tenant-level service is an online service that when purchased for any user on the tenant (standalone or as part of Office/Microsoft 365 plans) is activated in part or in full for all users on the tenant." So even in some cases some unlicensed users may be able to access the service, from a compliance perspective a license is required for any user that you intend to benefit from the service.
    • Also it states on the pricing and licensing page for Azure AD (link ): With the free edition of Azure AD end users who have been assigned access to software as a service (SaaS) apps can get single sign-on access to unlimited number of cloud apps. On-premises apps require Azure AD Application Proxy or secure hybrid partnerships integrations available with Azure AD Premium P1 and Premium P2. So my take in this is:
    • Technically you only need one Azure AD P1 ou P2 license to activate Azure AD Application Proxy;
    • Technically even unlicensed users will be able to use Azure AD Application Proxy since Microsoft does not check if the user is licensed;
    • If a user without an Azure AD P1 or P2 uses Azure AD Application Proxy you will be violating the terms of the license agreement; Final answer: All users that are using Azure AD Application Proxy must have and Azure AD Premium P1 or P2 license
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.