25,206 questions
You need a license for any person that will directly or indirectly use a feature requiring P2/is under the scope of such feature.
Is Azure Active Directory Premium P2 required for every e-mail address or 1 per tenant?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 83%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKL%3C/text%3E%3C/svg%3E)
Kevin Lister
6
Reputation points
Do I need to purchase a license of Azure Active Directory Premium P2 for every 0365 account I have, or is it 1 license per Tenant?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
3 answers
Sort by: Most helpful
-
Vasil Michev 119.8K Reputation points MVP Volunteer Moderator2021-08-18T16:27:33.433+00:00 -
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator2021-08-19T17:40:49.513+00:00 @Kevin Lister
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue? -
Kevin Lister 6 Reputation points
2021-08-19T17:47:35.077+00:00 Well, I'm still a little unsure of what I need. I did a Chat with Microsoft Sales yesterday, and they said that only the person setting up the functions that are added by Azure AD P2 needed a license, but Michev above is saying that all of my users would need a license for the functionality to work. So I'm still confused about how many licenses I need to buy.
I currently have 65 licenses of Office 365 E3, but only 1 of those licenses has Administrator privilege's.
-
Vasil Michev 119.8K Reputation points MVP Volunteer Moderator
2021-08-19T18:10:34.287+00:00 "Need" here does mean a technical necessity for the feature to work, you can very well configure things with a single P2 license assigned to your admin user, as Microsoft doesnt enforce licensing requirements in code (mostly). Which doesn't mean that things are going to be "OK" from licensing perspective.
Sign in to comment -
-
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
2021-08-19T18:46:30.413+00:00 @Kevin Lister
Thank you for the quick follow up on this! When it comes to what @Vasil Michev mentioned within the answer and comment, it's correct. For more info.The Azure Active Directory Premium P2 license is licensed per-user, for example, if you were to have your entire Azure AD tenant utilize Privileged Identity Management (PIM), the license(s) must be assigned to the administrators and relevant users who intend to use PIM.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
-
Kevin Lister 6 Reputation points
2021-08-19T18:50:55.197+00:00 So the main use for us will be conditional access policies for use with Multi Factor Authentication. (Basically not requiring MFA while connected to the company LAN). So Based on your response above, I am assuming each O365 license will need a corresponding P2 license as well.
-
Vasil Michev 119.8K Reputation points MVP Volunteer Moderator
2021-08-20T05:33:27.903+00:00 CA policies require Azure AD P1, not P2. And yes, they require it for any user under the scope of a policy.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2022-07-19T18:30:14.003+00:00 Does “under the scope of the policy” include Excluding users from all the Conditional Access policies explicitly? That seems to be the only avenue to insure that unlicensed accounts don’t use them?
I know this is an old post but hoping to get a response
-
Anonymous
2023-06-12T20:22:17.9566667+00:00 Kevin Lister or Jason Newman did you ever figure out if one license assigned to a global admin would provide the Priviledged Identity to the whole tenant?
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 92%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERV%3C/text%3E%3C/svg%3E)
Rick Vines 5 Reputation points2023-11-01T17:09:03.9966667+00:00 I know this is an old thread but I'm still confused.
As it relates to Risky User/Risky Sign-in. We only really want to enable that functionality for certain users in our tenant. I'm hearing that I need to license all users with P2 licenses even if I only want to enable that functionality for a limited number of users in the tenant. Is that true or not?
Thanks!
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 5%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
Anthony DeBenedet 0 Reputation points2024-04-23T14:55:08.56+00:00 Based on Vasil's Answer "You need a license for any person that will directly or indirectly use a feature requiring P2,"
You should only have to license the limited number of users that you'll be enabling the functionality for.
Sign in to comment -