Understanding Microsoft Entra ID P1/P2 Licensing for Tenant Policies

Asked By CuriousExplorer99 On

Hey there! I'm looking for some clarity on the licensing model for Microsoft Entra ID P1/P2, especially about how security policies apply across an entire tenant. I've got a few specific questions:

1. If only one user, like an admin, has an Entra ID P1 or P2 license, can we enable tenant-wide features such as Conditional Access or Identity Protection for all users?
2. If those policies can technically be enforced across the tenant, do they align with Microsoft's licensing rules? Do all users benefitting from those features need to have their own P1/P2 licenses?
3. In essence, should the licensing be done per user who is protected by the feature, or just per user managing or configuring the feature?

I want to make sure our setup is both technically sound and compliant with Microsoft's licensing regulations. Thanks for any insights!

7 Answers

Answered By Mike On

There are two topics here. Technical Capabilities and Guardrails - Licensing Compliance. The straight answer is this. Even (1) Entra ID P2 license will unlock tenant-wide capabilities. So, an admin could create identity protection policies (Risk Based CA) and broadly apply those policies to all users. From a technical perspective, this will function. From a licensing compliance model, your organization would be in violation of the terms of use for that service.

Each user must be licensed for a service to use OR benefit from it.

For example - Although Microsoft E5 Security and Compliance solution bundles are transacted on a per-user basis, licenses must be assigned to every user who benefits from a capability. Some Microsoft services are designed as tenant-level activations and features cannot be technically restricted to a subset of licensed users. In those cases, where features benefit all users, then all benefiting users must be licensed to remain compliant. Additional information is available in the Microsoft Service Descriptions for Security and Compliance and Microsoft Purview service description. The binding licensing terms are the Microsoft Product Terms, which govern use rights for online services (including tenant-level scenarios).

In the case of Entra ID P2, it is possible to procure licensing for a subset of users and this is common for a use case where admins need "PIM" functionality. However, as stated above this activates other services tenant wide. The customer is responsible for managing compliance. In an audit, if the service has been configured by the customer to apply broadly to all users but licensed for a subset... The company could face issues.

Answered By LicensingGuru88 On

As soon as you configure policies with a single license, you're not compliant. You need to cover all users who might be impacted, which usually means everyone. Just keep that in mind when rolling out those features!

ComplianceWhizz -

This is super crucial! Even if a feature is activated by one license, you have to license all potentially affected users, and that often includes the entire user base.

Answered By SecurityRisks101 On

The real danger isn't just having to sort out licensing later; it’s thinking that P1/P2 features are black and white. We had a case where enforced policies were bypassed because the tenant didn’t have the necessary P2 signaling for risk-based MFA on unlicensed accounts. If your identity protection isn’t working for the majority of your users, it feels like you're just going through the motions and not really securing anything!

Answered By UserBenefitsExpert On

Just to reiterate, all users benefitting from any features must be appropriately licensed to ensure everything's covered.

Answered By TechSavvyNerd On

1) Nope, each user needs a license for those premium Entra features like Conditional Access policies. 2) If you enable those features with just one license, you won’t be compliant. You need to license all users to keep it above board!

Answered By FeedbackFinder On

I know many customers run into licensing issues without realizing it. Has anyone actually dealt with the repercussions of being incorrectly licensed?

Answered By CloudEnthusiast On

You can enable Conditional Access policies with just one P2 license, but remember, if you're doing so, every user who utilizes these features must also be licensed. Otherwise, you’re not compliant.

LicenseWatcher -

Exactly! It’s all about compliance. If you don’t license everyone who benefits, you could face issues.
