Diving Deeper on Azure AD Premium Licensing

Update 2/26/2015: This post resulted in a follow-up conversation with Microsoft. They suggested some changes and improvements which I’ve incorporated below in italics.

I recently seized an opportunity when an Azure AD product team member offered to explain anything about Azure AD licensing. Until that conversation, I was really confused about when we needed an Azure AD premium (AADp) license and when we didn’t.

There are a number of misconceptions around Azure AD premium. For example, AADp is not something you use to refer to an AAD tenant. AADp is something you use to refer to a user. You do not “have an Azure AD premium”. You have an Azure AD user with an AADp license. Unfortunately, some of the literature from Microsoft encourages this kind of misconception.

Anyhow, at the end of that conversation, I got their OK to share the info I learned (and I encouraged them to publish these more nuanced details), because I suspect that if you are like me, you may have some faulty assumptions like these:

  1. That to use any of the advanced capabilities, you need to have an AADp license for all of your users
  2. That since you had to license everyone, that resulting cost meant that the advanced AAD capabilities were dead to you

http://azure.microsoft.com/en-us/pricing/details/active-directory/ is the (only) published guidance to help you navigate these waters. Using the table at the heart of that page, for each of the capabilities listed (the rows) I got clarification about who (or how many) AADp licenses were needed to leverage that capability. I’ve taken the liberty of re-ordering those rows slightly, mostly to more closely group rows that are related to one another. AAD Basic (AADb) licensing is provided by an Office 365 license.

Here’s a breakdown:

| Capability | Licensing coverage needed |
| --- | --- |
| Directory as a Service | AAD Free (AADf) |
| Service Level Agreement (99.9%) | If you have one user with AADb or better, then you get this. NOTE: if there is an outage, only those users who have AADb or better are entitled to refunds. In other words, AADf users don’t pay anything, so they are entitled to no refund. |
| User and group management | AADf |
| Directory Synchronization | AADf |
| Directory Object Limit (500K) | If you have one user with AADb or better, then there is no limit. Your number of AADf users cannot exceed 500K. |
| Logon/Access Panel branding | If you have one user with AADb or better, then you can use this. |
| Access Panel | AADf |
| SSO for SaaS Apps (assignment limit of 10) | AADp is required for each user that you want to assign more than 10 SaaS apps to. |
| Secure Remote Access and SSO to on-premises web apps (i.e. App Proxy) | Each user that leverages this capability must have AADb or better. |
| MFA (AAD only) | Each user needs an AADb license or better. NOTE: see http://blogs.technet.com/b/ad/archive/2014/02/11/mfa-for-office-365-and-mfa-for-azure.aspx for more details about this and the following item. |
| MFA (AAD + on-premises) | Each user needs an AADp license or better. |
| Group-based Access Management and Provisioning (e.g. license assignment via group) | Each admin that leverages this capability must have an AADp license. |
| Self-service password reset (SSPR) | Each user that needs access to this capability must have an AADb license or better. |
| SSPR write-back to on-premises | Each user that needs access to this capability must have an AADp license. |
| Self-service group management | Each user that needs access to this capability must have an AADp license. |
| Microsoft Identity Manager User CAL | Each user that leverages the MIM portal must have an AADp license (or separately a MIM user CAL). This is relevant for the Just In Time (JIT) Admin and other on-premises capabilities. |
| Basic Security Reports | AADf |
| Advanced Usage and Security Reports | Each admin that leverages this capability must have an AADp license. Every user in a report must have an AADp license. NOTE: this isn’t yet enforced, and it’s unclear what future changes would reflect this. |

So if you have Office 365 licensing, there are actually only a few of these capabilities that require a broad number of AADp licenses. Many are either covered by AADb, or you only need AADp licenses for a handful of users (your AAD admins).

The next trick is to analyze your needs and figure out how many AADp licenses you’ll need based on which of these capabilities you plan to leverage. Keep in mind that the Enterprise Mobility Suite (EMS) is likely the most cost-effective way to purchase an AADp license, so you may also need to take into account your Intune and Azure RMS licensing needs too.
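As an added example (my own code, not from the post or from Microsoft), here is a small Python calculator that applies the per-capability rules from the table above to a planned set of capabilities and reports which users need AADp and which only need AADb. The capability keys, the RULES map, and the five-user sample tenant are constructed for illustration; the tiers follow the table.

```python
from typing import Dict, Set, Tuple

# Scope says who needs the tier: "user" = every user of the capability,
# "admin" = only admins who use it, "one" = any single licensed user in the tenant.
RULES = {
    "sla": ("one", "AADb"),
    "branding": ("one", "AADb"),
    "app_proxy": ("user", "AADb"),
    "mfa_cloud": ("user", "AADb"),
    "mfa_onprem": ("user", "AADp"),
    "sspr": ("user", "AADb"),
    "sspr_writeback": ("user", "AADp"),
    "self_service_groups": ("user", "AADp"),
    "group_based_access": ("admin", "AADp"),
    "advanced_reports": ("admin", "AADp"),
}

def plan_licenses(usage: Dict[str, Set[str]], admins: Set[str],
                  tenant_users: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (users needing AADp, users needing AADb only).
    usage maps a capability name to the users who will use it. AADp counts
    as "AADb or better", so nobody appears in both result sets."""
    need_p: Set[str] = set()
    need_b: Set[str] = set()
    needs_any_licensed_user = False
    for cap, users in usage.items():
        scope, tier = RULES[cap]
        if scope == "one":
            needs_any_licensed_user = True
            continue
        covered = users & admins if scope == "admin" else set(users)
        (need_p if tier == "AADp" else need_b).update(covered)
    if needs_any_licensed_user and not (need_p or need_b):
        # SLA/branding only need one AADb-or-better user anywhere in the tenant
        need_b.add(min(tenant_users))
    return need_p, need_b - need_p

# Constructed sample plan: five users, one admin (alice).
SAMPLE_USERS = {"alice", "bob", "carol", "dave", "erin"}
SAMPLE_ADMINS = {"alice"}
SAMPLE_USAGE = {
    "sla": SAMPLE_USERS,
    "sspr": SAMPLE_USERS,                      # AADb, already covered by Office 365
    "mfa_onprem": {"bob"},                     # AADp for each user of it
    "sspr_writeback": {"bob", "carol"},        # AADp for each user of it
    "group_based_access": {"alice", "dave"},   # AADp, but only for the admins
    "advanced_reports": {"alice"},
}
```

Calling `plan_licenses(SAMPLE_USAGE, SAMPLE_ADMINS, SAMPLE_USERS)` returns AADp for alice, bob and carol and AADb only for dave and erin, which is the “handful of users” outcome the post describes.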

Azure Active Authentication

Details about Azure Active Authentication were released June 12th, 2013:

-Overview on the Azure Identity page: http://www.windowsazure.com/en-us/services/identity/

-Pricing: http://www.windowsazure.com/en-us/pricing/details/active-directory/

-How to manage: http://technet.microsoft.com/library/dn249466.aspx

-How to integrate with your own applications: http://technet.microsoft.com/en-us/library/dn249464.aspx

Excerpt from the last page:

“The Windows Azure Active Authentication SDK allows for you to directly integrate the features of Windows Azure Active Authentication. You can build Active Authentication phone call and text message verifications directly into your application’s sign-in or transaction processes. To get started with the Windows Azure Active Authentication SDK see Download”

Azure and Microsoft cloud developments announced at TechEd 2013

Here’s a round-up of various new developments announced at TechEd 2013:

-Azure Active Authentication is being launched. This is the PhoneFactor acquisition re-branded and deployed as part of the Azure Active Directory ecosystem. See http://blog.phonefactor.com/2013/06/03/phonefactor-windows-azure-active-authentication/ for more about that. I believe you can deploy this today via the Azure Service portal (with some kind of subscription required), and Office 365 plans to roll it out in the next 3 months. O365 will require it for all “admin” accounts, with a free license for them, and they are still working out the licensing details for other O365 users. I haven’t yet heard any plans to allow this service to be integrated with on-premises solutions, but it was a question at one of the sessions and the speaker noted they were thinking about that.

-Azure Authentication Library is being launched. This is a new library that allows you to easily integrate your on-premises or cloud-based web application with Azure Active Directory. See http://www.cloudidentity.com/blog/2013/04/22/windows-azure-authentication-library-aal-for-windows-store-a-deep-dive/ for more about that. Note the support for OAuth2.

-BYOD enhancements for AD DS and Azure Active Directory (AAD). Later this year, AAD and WS2012R2 will provide a way for you to “workplace join” personally owned devices, ranging from iOS to Android-based. On premises, a new component in ADFS facilitates this and issues a long-lived certificate to the device, which provides an SSO-like experience for the device user. There is good support for deprovisioning the device, with additional selective wipe capabilities depending on various other Microsoft product integrations. One of those integration points is Microsoft Intune in concert with SCCM. Intune is a cloud-based device management service. We own Intune licenses, but don’t yet have any service leveraging it …

-Along with the BYOD enhancement, Microsoft is enabling per-SP (service provider) multi-factor support in ADFS. Third-party providers can leverage a new multi-factor authentication (MFA) provider capability in ADFS to integrate their authentication methods. As an example, SafeNet has been working with Microsoft to provide one of these MFA providers, offering their hardware/software OTP, SMS, and GrIDSure options as strong authentication as a service via a cloud-based service. Whether cloud-based multi-factor services emerge might be something interesting to keep an eye on.

-I expect most folks saw that Microsoft slashed Azure VM rates 8 days ago to match Amazon EC2 rates, as well as announcing they won’t charge for stopped VMs and moving to a per-minute charge model. Microsoft had several sessions promoting the use of Azure VMs for pre-prod/product evaluation/development purposes, because you don’t sink costs into a physical on-premises box, and you only pay for the actual time you need the VM.

-Microsoft revealed a strategy to provide a consistent management interface for private cloud and Azure-based services. For those that missed it, back in January Microsoft released the Azure Services for Windows Server, so you can deploy private cloud capabilities on-premises just like Microsoft’s. Last week, this release was renamed the “Azure Pack” and a number of enhancements were revealed that will come with Windows Server 2012 R2, planned for release this year. Among the various announcements are System Center capabilities that make it very easy to migrate VMs between on-premises Hyper-V and Azure, and enhancements to the Hyper-V Replica feature that include using Azure as an HA failover for your on-premises Hyper-V VMs.

Lots more, but my memory is running dry. 😉

I expect that we’ll learn more details about these new capabilities in a couple weeks when Microsoft holds its annual conference for developers and the Windows 8.1, Windows Server 2012 R2, and System Center preview bits are likely to be released.


AAD and O365 Integration

This post is based on information in the following TechEd 2013 sessions: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/OUC-B341

There are many sources of information about integrating with Azure Active Directory and Office 365, but to date they’ve been spotty and the technical details haven’t really been all that clear. This appears to be changing under the leadership of Program Managers like Jono Luk and Ross Adams. In particular, the OUC-B341 session was excellent, and most of the content of this post comes from that session.

Here are some key bits of information I gleaned from the presentations given:

  • the new DirSync version is the first version that is upgradable, i.e. after you install this version you won’t have to uninstall and reinstall to move to a new version
  • the new DirSync version supports SQL 2012
  • you can use the same ADFS server for multiple domains; you just must use different issuer URIs for each (I think this is documented somewhere)
  • when syncing, if the anchor is missing in AAD, then soft-match uses the primary SMTP value
  • for federated authentication, the immutableID (or user source address) must match the “sourceAnchor” from DirSync (or whatever you used to create the AAD user)
  • a slide showing the authentication flows between clients and O365 and which of them have a username/password going over them, plus more detail about the authentication flows within O365
  • the FIM AAD connector will be released to Beta sometime in June via the Connect site
  • DirSync is required for Exchange hybrid mode (via a question)
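As an added example (my own code, not from the session or the post), the anchor and soft-match bullets above in Python: it computes the ImmutableID an on-premises user should have and matches on-premises users to AAD objects by that anchor first, falling back to the primary SMTP address only when the AAD object has no anchor. It assumes DirSync’s default sourceAnchor, which is the base64 encoding of the AD objectGUID in .NET Guid byte order; the user records and GUIDs are constructed.

```python
import base64
import uuid
from typing import Dict, List, Optional, Tuple

def immutable_id_from_object_guid(object_guid: str) -> str:
    """Expected ImmutableID for an AD user, assuming DirSync's default sourceAnchor:
    base64 of the objectGUID in .NET Guid.ToByteArray() order (uuid.bytes_le)."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")

def match_users(onprem: List[Dict[str, str]],
                aad: List[Dict[str, Optional[str]]]) -> Dict[str, Tuple[Optional[str], str]]:
    """Map each on-prem user (by sAMAccountName) to (AAD UPN, how it matched).
    Anchor match first; if the AAD object has no ImmutableId, soft-match on
    primary SMTP. An AAD object with a *different* anchor is flagged, since a
    federated sign-in for that user would fail the immutableID comparison."""
    by_anchor = {u["immutableId"]: u for u in aad if u["immutableId"]}
    by_smtp = {u["primarySmtp"].lower(): u for u in aad}
    result: Dict[str, Tuple[Optional[str], str]] = {}
    for u in onprem:
        anchor = immutable_id_from_object_guid(u["objectGUID"])
        mail = u["mail"].lower()
        if anchor in by_anchor:
            result[u["sam"]] = (by_anchor[anchor]["upn"], "anchor")
        elif mail in by_smtp and by_smtp[mail]["immutableId"] is None:
            result[u["sam"]] = (by_smtp[mail]["upn"], "soft-match:smtp")
        elif mail in by_smtp:
            result[u["sam"]] = (by_smtp[mail]["upn"], "anchor-mismatch")
        else:
            result[u["sam"]] = (None, "unmatched")
    return result

# Constructed sample data (not real directories).
ONPREM = [
    {"sam": "bob", "objectGUID": "12345678-9abc-def0-1234-567890abcdef", "mail": "bob@example.com"},
    {"sam": "carol", "objectGUID": "0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9", "mail": "carol@example.com"},
    {"sam": "erin", "objectGUID": "deadbeef-0000-4000-8000-000000000001", "mail": "erin@example.com"},
    {"sam": "dave", "objectGUID": "c0ffee00-1111-4222-8333-444444444444", "mail": "dave@example.com"},
]
AAD = [
    {"upn": "bob@example.com", "immutableId": "eFY0Erya8N4SNFZ4kKvN7w==", "primarySmtp": "bob@example.com"},
    {"upn": "carol@example.com", "immutableId": None, "primarySmtp": "Carol@example.com"},
    {"upn": "erin@example.com", "immutableId": "AAAAAAAAAAAAAAAAAAAAAA==", "primarySmtp": "erin@example.com"},
]

if __name__ == "__main__":
    for sam, (upn, how) in match_users(ONPREM, AAD).items():
        print(f"{sam:6} -> {upn} ({how})")
```

Users reported as anchor-mismatch are the ones to investigate before enabling federation, since their cloud object will not accept the immutableID the on-premises side sends.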