Update 2/26/2015: This post resulted in a follow-up conversation with Microsoft. They suggested some changes and improvements which I’ve incorporated below in italics.
I recently seized an opportunity when an Azure AD product team member offered to explain anything about Azure AD licensing. Until that conversation, I was really confused about when we needed an Azure AD premium (AADp) license and when we didn’t.
There are a number of misconceptions around Azure AD premium. For example, AADp is not something you use to refer to a AAD tenant. AADp is something you use to refer to a user. You do not “have an Azure AD premium”. You have an Azure AD user with a AADp license. Unfortunately, some of the literature from Microsoft encourages this kind of misconception.
Anyhow, at the end of that conversation, I got their OK to share the info I learned (and I encouraged them to publish these more nuanced details), because I suspect that if you are like me, you may have some faulty assumptions like these:
- That to use any of the advanced capabilities, you need to have an AADp license for all of your users
- That since you had to license everyone, that resulting cost meant that the advanced AAD capabilities were dead to you
http://azure.microsoft.com/en-us/pricing/details/active-directory/ is the (only) published guidance to help you navigate these waters. Using the table at the heart of that page, for each of the capabilities listed (the rows) I got clarification about who (or how many) AADp licenses were needed to leverage that capability. I’ve taken the liberty of re-ordering those rows slightly, mostly to more closely group rows that are related to one another. AAD Basic (AADb) licensing is provided by an Office 365 license.
Here’s a breakdown:
|Capability||Licensing coverage needed|
|Directory as a Service||AAD Free (AADf)|
|Service Level Agreement (99.9%)||If you have one user with AADb or better, then you get this.NOTE: If there is an outage, only those users which have AADb or better are entitled for refunds. In other words, AADf users don’t pay anything, so they are entitled to no refund.|
|User and group management||AADf|
|Directory Object Limit (500K)|
|Logon/Access Panel branding||If you have one user with AADb or better, then you can use this.|
|SSO for SaaS Apps (assignment limit of 10)||AADp required for each user that you want to assign > 10 SaaS apps to.|
|Secure Remote Access and SSO to on-premises web apps (i.e. App Proxy)||Each user that leverages this capability must have AADb or better.|
|MFA (AAD only)||Each user needs AADb license or better.NOTE: see http://blogs.technet.com/b/ad/archive/2014/02/11/mfa-for-office-365-and-mfa-for-azure.aspx for more details about this and the following item.|
|MFA (AAD + on-premises)||Each user needs AADp license or better.|
|Group-based Access Management and Provisioning (e.g. license assignment via group)||Each admin that leverages this capability must have an AADp license.|
|Self-service password reset (SSPR)||Each user that needs access to this capability must have an AADb license or better.|
|SSPR write-back to on-premises||Each user that needs access to this capability must have an AADp license.|
|Self-service group management||Each user that needs access to this capability must have an AADp license.|
|Microsoft Identity Manager User CAL||Each user that leverages MIM portal must have an AADp license (or separately a MIM user CAL). This is relevant for the Just In Time (JIT) Admin and other on-premises capabilities|
|Basic Security Reports||AADf|
|Advanced Usage and Security Reports||
NOTE: This isn’t yet enforced, and it’s unclear what future changes would reflect this.
So if you have Office 365 licensing, there are actually only a few of these capabilities that require a broad number of AADp licenses, many actually are either covered by AADb or you only need AADp licenses for a handful of users (your AAD admins).
The next trick is to analyze your needs and figure out how may AADp licenses you’ll need based on which of these capabilities you plan to leverage. Keep in mind that the Enterprise Mobility Suite (EMS) is likely the most cost-effective way to purchase an AADp license, so you may also need to take into account your Intune and Azure RMS licensing needs too.