This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 83%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKL%3C/text%3E%3C/svg%3E)
Do I need to purchase a license of Azure Active Directory Premium P2 for every 0365 account I have, or is it 1 license per Tenant?
You need a license for any person that will directly or indirectly use a feature requiring P2/is under the scope of such feature.
@Kevin Lister
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
Well, I'm still a little unsure of what I need. I did a Chat with Microsoft Sales yesterday, and they said that only the person setting up the functions that are added by Azure AD P2 needed a license, but Michev above is saying that all of my users would need a license for the functionality to work. So I'm still confused about how many licenses I need to buy.
I currently have 65 licenses of Office 365 E3, but only 1 of those licenses has Administrator privilege's.
"Need" here does mean a technical necessity for the feature to work, you can very well configure things with a single P2 license assigned to your admin user, as Microsoft doesnt enforce licensing requirements in code (mostly). Which doesn't mean that things are going to be "OK" from licensing perspective.
@Kevin Lister
Thank you for the quick follow up on this! When it comes to what @Vasil Michev mentioned within the answer and comment, it's correct. For more info.
The Azure Active Directory Premium P2 license is licensed per-user, for example, if you were to have your entire Azure AD tenant utilize Privileged Identity Management (PIM), the license(s) must be assigned to the administrators and relevant users who intend to use PIM.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
So the main use for us will be conditional access policies for use with Multi Factor Authentication. (Basically not requiring MFA while connected to the company LAN). So Based on your response above, I am assuming each O365 license will need a corresponding P2 license as well.
CA policies require Azure AD P1, not P2. And yes, they require it for any user under the scope of a policy.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 20%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJN%3C/text%3E%3C/svg%3E)
Does “under the scope of the policy” include Excluding users from all the Conditional Access policies explicitly? That seems to be the only avenue to insure that unlicensed accounts don’t use them?
I know this is an old post but hoping to get a response
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Kevin Lister or Jason Newman did you ever figure out if one license assigned to a global admin would provide the Priviledged Identity to the whole tenant?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 92%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERV%3C/text%3E%3C/svg%3E)
I know this is an old thread but I'm still confused.
As it relates to Risky User/Risky Sign-in. We only really want to enable that functionality for certain users in our tenant. I'm hearing that I need to license all users with P2 licenses even if I only want to enable that functionality for a limited number of users in the tenant. Is that true or not?
Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 5%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
Based on Vasil's Answer "You need a license for any person that will directly or indirectly use a feature requiring P2,"
You should only have to license the limited number of users that you'll be enabling the functionality for.