Azure™ Active Directory (AAD) provides identity and access management for Microsoft®-hosted products and services such as Azure, Office 365™ and Intune. Basic AAD functionality is included with these services at no charge, but Microsoft also offers the following enhanced editions, each of which requires a paid Subscription License (SL):
AAD Basic ($1 per user per month) – group-based access management, self-service password reset, AAD Application Proxy and company branding (customized logon pages and access panel)
AAD Premium P1 ($6 per user per month) – adds enhanced identity and access management and enables on-premises and cloud access for hybrid users
AAD Premium P2 ($9 per user per month) – adds Identity Protection and Privileged Identity Management
The paid editions of AAD are licensed per user, and a Subscription License is required for anyone who directly or indirectly uses any of their features. This creates a compliance challenge, because many AAD features apply tenant-wide and never check whether the individual user holds a license. Even something as seemingly innocent as deploying a company-branded logon page in a tenant where not everyone has at least an AAD Basic SL makes the organization non-compliant the moment a user who only has a free-tier account logs in through that page.
Another risk of mixing entitlement levels lies with functionality such as Identity Protection, which analyzes the whole tenant for compromised or at-risk user credentials. The Identity Protection feature of Premium P2 does not distinguish P2 licensees from other users: every account it evaluates is indirectly using a P2 feature and therefore needs a P2 SL.
Microsoft does not appear to be enforcing these restrictions aggressively today, presumably because it is more interested in driving adoption, but that probably will not last forever.