This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 92%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
I am reading various articles about Microsoft cloud security features. Many of them list having a Entra ID P1 / P2 license as a prerequisite. But I am unclear on exactly what that means.
On the Azure portal, the "All Services > Licenses" page, my organization shows as having a single Entra ID P2 license. It's assigned to a single admin user, leaving "available" licenses at zero. The pricing page for Entra ID also lists everything as per-user.
However, on the "All Services > Licenses > Licensed Features" page there is a big blue box that appears to be saying it's the tenant that has the license.
Additionally, there are services we have been using for a long time (e.g., Risk-Based Conditional Access) that are listed as only being available with an Entra ID P2 license -- yet these services are administered by more than my one P2 license assignee and are deployed at the tenant level.
So, I guess my question is: For a service that both applies to all users and requires an Entra ID P2 license, would my tenant qualify or not?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 26%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Following up to see if the below answer was helpful. Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions. if you have any further query do let us know.
Each account that consumes a P2 service requires a license. You can have one P2 to light up the feature and enable it but each user that takes advantage of that service needs to be licensed to be compliant. The docs arent very clear about that sometimes.
How would you define "take advantage of a service"? Every user in the tenant, for example, benefits from using Risk-Based Conditional Access. Would that not be taking advantage of that service?
How would that work with Risk Policies? Every user is taking advantage of that feature. We have Risk-Based Conditional Access policies that apply to everyone org-wide, with no service limitations that I've run into. Yet all with only a single P2 license.
If you are using a Ca policy that leverages risk-based actions, then every member account you have in scope of that policy needs a P2:
https://www.reddit.com/r/AZURE/comments/16d6ez2/does_every_user_need_a_azure_ad_p2_license_to_use/
Not sure why I had to dig for so long to find this particular information, but as least I appear to have an answer now. -- as least with regard to risk-based CA policies.
According to this article, Microsoft splits risk-based policy result visibility into "Premium" and "Nonpremium". From what I read, it seems the risk-based policies would work regardless of the license level. The tenant would still be protected, but the customer may not know what they were protected from.
The license level appears to only matter if a tenant admin wants the details on why a particular user/sign-in was flagged as "risky". There are a handful of detections that a nonpremium tenant can see (3 for sign-in risk & 2 for user risk), but any detection that's restricted to Premium will just be displayed as "Additional Risk Detected".
Example: Impossible Travel risk policy
The good news is, the risk-based policy action would still have the desired effect (e.g., blocked).
The bad news is, if an admin what's to know what activity triggered the risk flag, they gotta pay up.
and depending on how you want to handle the risk, a CA policy is required and that needs a license :) Its way t0o confusing
Beyond the single P1/2 needed to enable CA in general, I can't find anything in the documentation that says just implementing a risk-based CA policy requires any additional licensing. Not even sure how that would be possible since, under the hood, all the different CA policies are rolled up into a single policy at runtime.
All the risk-based policies still do their intended work regardless of the end-user license assignment status. The additional Premium licenses are needed for more robust reporting after the CA policies have applied, but the tenant is still protected against risky sign-ins or risky users without them.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 90%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hello, this isn't what Alex Simons claim here:
https://twitter.com/Alex_A_Simons/status/1466290109062385672
https://twitter.com/Alex_A_Simons/status/1232741945190912000
And he is the "Corporate VP Product Management Microsoft Identity and Network Access Division"
One license per human vs one license per account.
@Adrien Maugard For most M365 "Premium" features, it would be one for each person. But for Conditional Access policies, it's only a single license.
For most M365 "Premium" features, it would be one for each person. But for Conditional Access policies, it's only a single license.
@Mike Baker Any user (aka Human) that a CA policy applies to needs at least P1 license. If I understand your statement correctly, you are saying that only single license is required for CA, regardless of how many users are using the feature, which is incorrect.
There is published Microsoft documentation indicating otherwise.
There is published Microsoft documentation indicating otherwise.
Link? The actual legal documents that are agreed to when setting up Azure, Microsoft 365, etc., spell out the requirement in regards to use of a feature requires a license be assigned to each user. It also stipulates that the customer agrees that Microsoft may have an auditor verify compliance, and spells out remedies for non-compliance, including higher price, purchase licenses for unlicensed users, reimbursing for cost of verifying compliance, etc.
For example, below is excerpt from Universal License Terms for Online Services that apply to Entra ID P1/P2 via Microsoft Customer Agreement (MCA):
Licensing the Online Services Customer must acquire and assign the appropriate subscription licenses required for its use of each Online Service. Usage exceeding the Online Service’s documented entitlement(s) and/or usage limits require additional purchase of licenses to cover overage. Each user that accesses the Online Service must be assigned a User SL or access the Online Service only through a device that has been assigned a Device SL, unless specified otherwise in the Online Service-specific Terms. Subscription License Suites describes SL Suites that also fulfill requirements for User SLs. Customer has no right to use an Online Service after the SL for that Online Service ends.
Now, let's walk through common sample scenario. Company has 100 employees, each has one Entra ID user account that they use to authenticate to various Microsoft services. MFA is enforced via Conditional Access policy for all accounts.
In this example, ALL 100 users require at least an Entra ID P1 license or have a license to a suite that includes it. The reason all 100 users require a license is because all 100 users are using an Entra ID P1 feature (Conditional Access).
Microsoft does not provide documentation on how customers should use there services outside a trial period and without a paid license. Some of their cloud offerings will still work without a license, but they don't have usage guidelines for customers telling them "if you aren't licensed, this is how this is how you should use our product". If you are out of compliance, you are largely on your own for support and documentation.
That is not the case with Conditional Access. One example of this is with the risk-based policies. The documentation contains a section called "Nonpremium detections". It covers how the outcome these types of Conditional Access policies are displayed in the logs when the end-user has no premium license. The policies still work just as they should regardless of the license, but the security logs in Defender are more detailed for licensed users. As Microsoft doesn't provide support documentation for non-compliant scenarios, they wouldn't be providing this information if the absence of a dedicated premium license made the entire detection an unlicensed, non-compliant service.
But there's more! Another source is the licensing guide to "tenant-level" services. This is a very detailed list of all the 365 offerings available within an Entra tenant, including Conditional Access. It is mentioned only twice; once in relation to the risk-based policies I've already touched on and the other is only related to "Conditional Access App Control capabilities in Defender for Cloud Apps" -- which is unrelated to the Conditional Access policies available in Entra.
Lastly, I have my own experience. About 18 months ago I was working as one of the the Global Admins for a billion-dollar company with nearly 200k users around the globe. As you can imagine, they were huge target for Microsoft auditors. But were also very proud of their compliance status. All of their users were included in a single Entra ID tenant, and all were covered under Conditional Access. Total number of premium Entra licenses: 100
The documentation you provided covers compliance in general. The references I've provided are about Conditional Access specifically.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 52%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELA%3C/text%3E%3C/svg%3E)
It is my interpretation the many referenced "capabilities" only benefits those assigned particular roles tasked with monitoring such events -- these assigned roles would be where Entra ID P2 is required, not each/every individual user.
In other words, who's reading and responding to these reports and receiving these notifications? Certainly not the risky user.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 22%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
Yes, I also share this confusion regarding licensing per "user". It does not seem correct that each and every Entra ID "account" would need a P2 license assigned.
For example, we use the "External identities -> Cross tenant access settings -> Trust settings" to add organizations for which we trust the home organization's MFA.
Now, that requires a P1/P2 (+ possibly Identity Governance license) "per user", but I am convinced that it only applies to users that actually manage this feature in Azure.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 78%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
Yes, this is per user licensing.
one approach to use the license effectively is to identify privileged and important credentials and have license for those.