Federation Setup

Lonnie 1 Reputation point
2020-01-22T05:01:14.12+00:00

Hi All,

Clearly a newbie at this, required to setup federated identity for a Bentley systems application.
At present we simply sync on-premise AD to Azure for the purpose of activating our Office ProPlus Subscription.

The instruction from Bentley is to go to Enterprise applications>Categories>Add an application and "add" a "non-gallery" application. However when I attempt to do this Azure console says "require an upgrade to premium".

1) Can anyone tell me what level, or what is the minimum level of AD subscription that will allow me to add this non-gallery application?

2) In the referenced comparison chart can anybody tell me exactly which feature refers to what I am trying to do? https://azure.microsoft.com/en-us/pricing/details/active-directory/
I thought it was "Federated Authentication (ADFS or 3rd party IDP)" which suggests I should be covered for?

3) Is the ProPlus Subscription not included as an "Office 365 App" and hence does not have the same level AD as E3 or E5?

4) If point 3 were the case do would E3 or E5 include or do I need the separate AD subscription.

5) If I need to upgrade to a P1 or P2 subscription, does this mean I have to purchase 1 x subscription for every user in my AD? As this becomes many thousands of dollars per year.

I have attempted to ask this of Azure providers and no one has been able to advise, however I am trying to get an answer before i commit to many thousands of dollars.

Thanks in advance

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,705 questions
{count} votes

2 answers

Sort by: Most helpful
  1. soumi-MSFT 11,606 Reputation points Microsoft Employee
    2020-01-22T09:45:01.803+00:00

    @Lonnie , Thank you for reaching out. Based on teh question you posted I will try to answer those below:

    1) Can anyone tell me what level, or what is the minimum level of AD subscription that will allow me to add this non-gallery application?

    Ans: Inorder to register a non-gallery app in your AAD tenant, you would need to have either a AAD-P1 or AAD-P2 license.

    2) In the referenced comparison chart can anybody tell me exactly which feature refers to what I am trying to do? https://azure.microsoft.com/en-us/pricing/details/active-directory/ I thought it was "Federated Authentication (ADFS or 3rd party IDP)" which suggests I should be covered for?

    Ans: Federation authentication is just the authentication mode for the on-prem users to get authenticated to AAD and then access the intended applications. A non-gallery is an app that is registered in AAD and it is also protected by AAD. When I say protected by AAD, I mean that until the user authenticates to AAD, he/she wont be able to access that non-gallery app.

    3) Is the ProPlus Subscription not included as an "Office 365 App" and hence does not have the same level AD as E3 or E5?

    Ans: O365 ProPlus is not same as O365 E3 or O365 E5 license. Also having O365 E3 license or O365 E5 license doesnt get you to use the AAD premium features. For AAD premium features, you would need to have either an AAD-P1/AAD-P2 or EMS licenses.

    4) If point 3 were the case do would E3 or E5 include or do I need the separate AD subscription.

    Ans: Yes.

    5) If I need to upgrade to a P1 or P2 subscription, does this mean I have to purchase 1 x subscription for every user in my AD? As this becomes many thousands of dollars per year.

    Ans: Ideally the AAD-P1/AAD-P2 license would only be assigned to users who are going to maintain the AAD, like Global Administrators, Application Administrator etc. Hence its always a handful of people like admins who would need this license.

    Azure AD Premium P1

    • is an enterprise level edition which provides identity management for on-premise users, remote users and hybrid users accessing applications both locally and over the cloud. This edition includes support for self-service identity, access management, administration of dynamic groups including self-service group management, as well as Microsoft Identity Manager which is a suite of on-premise identity and access management tools.

    Azure AD Premium P2

    • is an edition includes all of the features of Azure AD Premium P1 with the addition of Identity Protection and Privileged Identity Management (PIM). Identity Protection provided management of conditional access to apps and critical data. PIM enhances management of privileged accounts tied to administrative access to resources.

    Hope this helps.


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    No comments

  2. Lonnie 1 Reputation point
    2020-01-28T06:05:14.857+00:00

    Hi Soumi,

    Thank you for your response, much appreciated.

    Can you just confirm from the license agreement perspective to be covered legally I only need to have P1 subscriptions for the administrators and not each and every user who might authenticate in the AD or with the federation?

    Thanks in advance