Multi-Factor Authentication with Conditional Access and Licensing

HaileSelassie 21 Reputation points
2019-12-05T11:55:03.92+00:00

I am testing Multi-Factor Authentication with Conditional Access for Exchange online. According to the following site I understand that, at a minimum, an "Azure Active Directory PREMIUM P1" license is required for each user included in the conditional access policy:

https://azure.microsoft.com/en-us/pricing/details/active-directory/

Now, while all works as desired for a user which has the license assigned, it also works as desired for a user which does not have an "Azure Active Directory PREMIUM P1" license assigned, meaning has only assigned the Conditional Access Policy

So my question is: Does anyone know why it also works for a user which does not have an "Azure Active Directory PREMIUM P1" license assigned? Do i take it wrong to think that an "Azure Active Directory PREMIUM P1" license is required for each user when using Multi-Factor Authentication with Conditional Access?

Thanks for your feedback in advance.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,094 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vasil Michev 98,201 Reputation points MVP
    2019-12-05T12:11:44.18+00:00

    It works simply because Microsoft does not enforce licensing requirements in code for many of the features available in Azure AD/Office 365. This doesn't mean that it's OK to use them without an appropriate license, as you are in violation of the licensing agreement.

    2 people found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. chris tailor 1 Reputation point
    2019-12-05T13:25:13.45+00:00

    Please note that you can use MFA as part of the old legacy conditional access baseline policies without any AD P1 or P2 licences or you can use new new Azure AD security defaults without any AD P1 or P2. But this will then be MFA for all or non.

    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-security-defaults

    0 comments No comments