How is Azure AD licensing enforced?

Sir A 131 Reputation points

Our environment has an Azure AD P2 license.

I created a test user, but did not explicitly assign that user an Azure AD P2 license. I created a Conditional Access policy for that user only, and set MFA as required.

I was able to use the MFA feature for that user just fine. Security Defaults are off; only the above-mentioned Conditional Access policy has been configured.

In the documentation about SSPR it says that SSPR is licensed per-user. I turned on SSPR for all users, and was able to use SSPR for the test user mentioned above, again without explicitly assigning an Azure AD P2 license to that user.

Does this mean that Azure AD licenses are not enforced, but rather you need to assign licenses to users (for particular features) to stay compliant?

Or does it mean that once an Azure AD P2 license is enabled on Azure AD, all features of P2 automatically become available for all users, and there is no need to explicitly assign licenses to users?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Vasil Michev 100K Reputation points MVP

    Microsoft does NOT enforce licensing requirements in code for many of its cloud services, which is not the same as not needing licenses of course. While certain functionalities might/will work, you are still in violation of the licensing agreement and can get into trouble, pending an audit.

2 additional answers

  1. Marilee Turscak-MSFT 36,246 Reputation points Microsoft Employee

    Hi SirA,

    Yes, as you state it is billed and licensed per user. I would suggest speaking to your licensing vendor of choice and reading the license agreement if you need additional clarification. Your agreement also contains the answers to those questions.

    Your licensing rep would be the best person to talk to, but if you would prefer to discuss over email you can also reach me at

  2. thgibard-MSFT 356 Reputation points

    Is your tenant newly activated? You can have trial licences on every tenant for a few days.
    Why not go into Azure Active Directory to check whether the licences are activated for the test user you're working on? If needed, you can add a screenshot directly to your question.
    If you go to Azure Active Directory, then Licences, you will be able to see the licences that are available in your tenant.

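Because the service does not block unlicensed users from P2 features, the gap has to be found by inspection. The script below is an added example, not part of the original thread: it lists users who hold no license with the Azure AD Premium P2 service plan enabled. It assumes the Microsoft Graph PowerShell SDK is installed and the caller can consent to the two read scopes, and it reports every user in the tenant rather than only those in scope of a given Conditional Access policy or SSPR.

```powershell
# Added example: report users without an enabled Azure AD Premium P2 plan.
# Assumes the Microsoft.Graph PowerShell SDK and read-only directory consent.
Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All'

$planName = 'AAD_PREMIUM_P2'   # service plan name for Azure AD Premium P2

# Map every subscribed SKU that bundles the P2 plan to that plan's ID.
# IDs are compared as strings so GUID-versus-string typing does not matter.
$p2Skus = @{}
foreach ($sku in Get-MgSubscribedSku -All) {
    $plan = $sku.ServicePlans | Where-Object ServicePlanName -eq $planName
    if ($plan) { $p2Skus["$($sku.SkuId)"] = "$($plan.ServicePlanId)" }
}

if ($p2Skus.Count -eq 0) {
    Write-Warning "No subscribed SKU in this tenant contains $planName."
}

# AssignedLicenses includes licenses inherited through group-based licensing.
$users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, AssignedLicenses

$withoutP2 = $users | Where-Object {
    $covering = $_.AssignedLicenses | Where-Object {
        $planId   = $p2Skus["$($_.SkuId)"]
        $disabled = @($_.DisabledPlans | ForEach-Object { "$_" })
        # The license counts only if its SKU carries P2 and the plan
        # has not been switched off for this user.
        $planId -and ($planId -notin $disabled)
    }
    -not $covering
}

$withoutP2 |
    Sort-Object UserPrincipalName |
    Select-Object UserPrincipalName, AccountEnabled |
    Format-Table -AutoSize

"{0} of {1} users have no enabled {2} plan." -f @($withoutP2).Count, @($users).Count, $planName
```

Guest and service accounts appear in the output as well; whether each of them needs a license depends on your agreement, as the answers above note.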