Azure AD prevent login user without liense

Question

Azure AD prevent login user without liense

Mönnikes, Marc 1

Hello,

users are synchronized with local AD for Exchange hybrid GAL.
We hae users without Office365 or other Cloud license.

this users can login to cloud websites like www.office.com (only myapps are visible).

But we want to prevent that users without license can login to cloud websites.

Only users with active office365 license should be possible to login.

Can we configure this?

thank you

Answer 1

@Mönnikes, Marc Unfortunately, there is no direct way to do this. However, in order to prevent unlicensed users form login to cloud apps, you can use Conditional Access policy. If you are using Group Based Licensing (GBL), you can add the group to Conditional Access policy with rule like All Users except member of the group that you are using for GBL should be blocked for All Cloud Apps.

If you are not using GBL, you may consider using it, as assigning licenses at the individual user level, can make large-scale management difficult. This will help you achieving the requirement that you have described.

Note: Conditional Access is a premium feature and would require Azure AD Premium P1/P2 license.

-----------------------------------------------------------------------------------------------------------

Please "Accept as answer" wherever the information provided helps you to help others in the community.

Mönnikes, Marc 1 Reputation point

2020-01-29T10:30:42.687+00:00

Hello,

thank you for reply.

So, we need for every user (with and without office 365 license) an Azure AD P1 license?

This would incease cost dramatically.

Regards
NR 1 Reputation point

2020-04-17T23:21:10.21+00:00

Hi, thanks for the suggestion. If we want to block users from a certain group, should those users also need to have P1 license just because they are part of the conditional access policy?

Answer 2

Vasil Michev 71,116 MVP

Why don't you simply block those users via the corresponding controls in the portal (or the BlockCredential parameter in PowerShell)? It's easy enough to list them...

Answer 3

Mönnikes, Marc 1

Hello michev,

thank you for your answer.
Which controls do you mean in the portal?

The "sign in blocked" was overwritten after next Azure AD synchronisation, when i remember correctly.

Regards

Vasil Michev 71,116 Reputation points MVP

2020-01-30T16:54:56.967+00:00

Right, but you can customize the sync rules to block specific users. Some companies for example populate one of the custromattributeXX with the O365 license value, so you can configure a rule that does the block part based on the presence of said attribute.
Mönnikes, Marc 1 Reputation point

2020-02-03T15:26:00.663+00:00

Hello,

thank you very much, we will try.
Marilee Turscak-MSFT 24,056 Reputation points Microsoft Employee

2020-02-10T16:56:41.757+00:00

Did you ever get this to work?
Heidemann Thomas 1 Reputation point

2021-04-07T12:07:26.723+00:00

Hello MnnikesMark,

do you have a solution for your case?

I'am in the same situation and search for a solution.

Kind regards.

Azure AD prevent login user without liense

3 answers

Activity