Azure AD licensing options can be a bit overwhelming, but don't worry, I've got you covered.
There are several Azure AD licensing options to choose from, including Azure AD Free, Azure AD Premium P1, and Azure AD Premium P2.
Azure AD Free is a great starting point for small businesses or organizations with fewer than 300 users; it provides basic features such as single sign-on and multi-factor authentication.
With Azure AD Premium P1, you get additional features like conditional access, identity protection, and privileged identity management.
Azure AD Premium P2 is the most comprehensive option: it includes all the features of P1, plus advanced threat protection, cloud app security, and privileged access management.
Available Licenses
To view the licenses your organization has subscribed to in Office 365, you can use the Get-AzureADSubscribedSku cmdlet. This cmdlet provides a detailed view of the licenses that are enabled and consumed.
You can see how many licenses your organization has subscribed to, for example 25 "ENTERPRISEPACK" licenses and 5 "EMS" licenses. However, the SkuPartNumber values don't always match the friendly names you see in Office 365 documentation or in the license management sections of the Office 365 admin portal.
For example, ENTERPRISEPACK is the SkuPartNumber for the Enterprise E3 license, while EMS is the SkuPartNumber for the Enterprise Mobility and Security E3 license. If you're unsure about the meaning of these values, you can search online or open a support ticket with Microsoft for clarification.
Here's a list of some SkuPartNumber values and their corresponding friendly names:
- ENTERPRISEPACK - Enterprise E3
- EMS - Enterprise Mobility and Security E3
- SWAY - Sway
- POWERAPPS_O365_P2 - Power Apps
- EXCHANGE_S_ENTERPRISE - Exchange
- MCOSTANDARD - Skype for Business Online
Listing Available Licenses
To query the licenses that your organization has subscribed to in Office 365, use the Get-AzureADSubscribedSku cmdlet. This cmdlet provides a detailed view of the licenses that are enabled and consumed.
The output of Get-AzureADSubscribedSku displays the SkuPartNumber for each license, which may not precisely match the name of the license you'll see in Office 365 documentation or the license management sections of the Office 365 admin portal. For example, ENTERPRISEPACK is the SkuPartNumber for the Enterprise E3 license.
A complete list of part numbers and friendly names isn't available on Microsoft online documentation sites, but you can usually work out what they mean with a little searching and common sense. If you're unsure, opening a support ticket with Microsoft will get you the answers you need.
You can also inspect individual license features and services, also referred to as sub-SKU features, by using the Get-AzureADSubscribedSku cmdlet. The ServicePlanName values returned by this cmdlet are not a match for the friendly names you see in the Office 365 or Azure admin portals, but names like SWAY, POWERAPPS_O365_P2, and EXCHANGE_S_ENTERPRISE are obvious.
Remember that the SkuPartNumber values are not always a direct match for the friendly names, so be sure to verify the correct name for each license.
Different Licensing
Azure Active Directory (Azure AD) licensing has changed, so it's essential to understand the different options available. Azure AD is already bundled into Office 365 licenses and Azure licenses, but Office and Azure clients can still purchase P1 and P2 versions for additional benefits.
There are three core differences between P1 and P2. P2 has Identity Protection, which lets you manage conditional access to apps. P2 also gives you Privileged Identity Management (PIM) and Access Reviews.
Azure Active Directory Premium P1 includes:
- Advanced group management
- Advanced security and usage reports
- Application Proxy
- Automated group provisioning to apps
- Azure AD Connect Health reporting
- Cloud app discovery
Azure Active Directory Premium P2 includes all the features of P1, plus:
- Access certifications and reviews
- Entitlements management
- Identity Protection
- Privileged Identity Management (PIM)
- Just-in-time access
- Self-service entitlement management
Windows
Windows Server Active Directory provides domain services, lightweight directory services, federation services, etc. to handle identity, network policy, and servers on enterprise networks.
It's best suited for handling SSO, identity, etc. within your network, but it can't handle the complexity of identity for cloud apps.
Azure AD is especially valuable for organizations that have already moved apps to the cloud and are struggling with multiple usernames and passwords because their existing Active Directory can't handle the migration.
Windows Server AD uses Kerberos, LDAP, etc. as its enterprise protocol language.
Azure AD, on the other hand, uses REST APIs and OAuth 2.0 tokens, which means apps need to be built from the ground up with Azure AD in mind.
License Management
To manage licenses effectively in Azure AD, you need to understand how to query and assign licenses to user accounts. You can use the AssignedLicenses property to retrieve the license assignments for a user, which can be found using the Get-AzureADUser cmdlet.
The SkuId of an assigned license can be matched to a SkuPartNumber such as ENTERPRISEPACK, which is the Enterprise E3 license. You can also use the DisabledPlans property to view the ServicePlanId values of the sub-SKU features that have been disabled for the user.
To assign multiple licenses at the same time, create an AssignedLicense object for each license and add them all to a single AssignedLicenses object. With that small change to the process, one assignment call covers all the licenses.
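Here is how that multi-license assignment looks in practice, as an added example that is not code from the original post or its sources. It assumes the AzureAD module is loaded and Connect-AzureAD has already run; the UPN, the usage location and the choice of Sway as the disabled sub-SKU feature are placeholders.

```powershell
# Added example: assign Enterprise E3 (ENTERPRISEPACK) and EMS to one user in a single call,
# with the Sway sub-SKU feature disabled inside E3. Assumes Connect-AzureAD has already run.
$upn = 'user@contoso.example'   # placeholder UPN

# Resolve SkuPartNumber -> SkuId from the tenant's own subscriptions rather than hard-coding GUIDs
$skus = Get-AzureADSubscribedSku
$e3  = $skus | Where-Object SkuPartNumber -eq 'ENTERPRISEPACK'
$ems = $skus | Where-Object SkuPartNumber -eq 'EMS'
if (-not $e3 -or -not $ems) { throw 'ENTERPRISEPACK or EMS is not subscribed in this tenant' }

# Refuse to over-assign: available units = PrepaidUnits.Enabled - ConsumedUnits
foreach ($sku in @($e3, $ems)) {
    if (($sku.PrepaidUnits.Enabled - $sku.ConsumedUnits) -lt 1) {
        throw "No free units left for $($sku.SkuPartNumber)"
    }
}

# Assignment fails unless the account has a UsageLocation; set a placeholder value if it is missing
$user = Get-AzureADUser -ObjectId $upn
if (-not $user.UsageLocation) { Set-AzureADUser -ObjectId $upn -UsageLocation 'US' }

# One AssignedLicense object per SKU; DisabledPlans holds ServicePlanId values, not names
$e3License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$e3License.SkuId = $e3.SkuId
$swayPlanId = ($e3.ServicePlans | Where-Object ServicePlanName -eq 'SWAY').ServicePlanId
$e3License.DisabledPlans = @($swayPlanId | Where-Object { $_ })   # empty if E3 has no SWAY plan

$emsLicense = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$emsLicense.SkuId = $ems.SkuId

# Collect both into one AssignedLicenses object and apply them with a single call
$licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$licenses.AddLicenses    = @($e3License, $emsLicense)
$licenses.RemoveLicenses = @()
Set-AzureADUserLicense -ObjectId $upn -AssignedLicenses $licenses

# Read the assignment back to confirm both SkuIds and the disabled plan are present
(Get-AzureADUser -ObjectId $upn).AssignedLicenses | Select-Object SkuId, DisabledPlans
```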
Querying License Assignments
The Get-AzureADUser cmdlet is used to query license assignments for user accounts. You can retrieve the AssignedLicenses property to see the SkuId of the license assigned to the user.
To match the SkuId to the actual license name, you can use the Get-AzureADSubscribedSku cmdlet, which displays the SkuPartNumber for each license. For example, the SkuPartNumber "ENTERPRISEPACK" corresponds to the Enterprise E3 license.
The DisabledPlans property in the Get-AzureADUser output shows the ServicePlanId values of the sub-SKU features that have been disabled for the user. You can match these IDs to the actual service names by looking at the output of Get-AzureADSubscribedSku.
There are two ways to match ServicePlanId values to actual service names: by using the output of Get-AzureADSubscribedSku, or by looking at the AssignedPlans property of the user.
The AssignedPlans property shows the service names, but they may not match the service plan names returned in the Get-AzureADSubscribedSku output. For example, Get-AzureADUser shows a service name of "TeamspaceAPI" whereas Get-AzureADSubscribedSku shows the same service as "TEAMS1".
Here's a summary of the properties used to query license assignments:
- AssignedLicenses (Get-AzureADUser): the SkuId of each assigned license and, in DisabledPlans, the ServicePlanId values of the sub-SKU features disabled for the user
- AssignedPlans (Get-AzureADUser): the service names as assigned to the user, which may not match the ServicePlanName values
- SkuPartNumber (Get-AzureADSubscribedSku): the part number that matches each SkuId
- ServicePlanName (Get-AzureADSubscribedSku): the service plan name that matches each ServicePlanId
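The matching described above, carried out in one script, as an added example rather than code from the original post or its sources. It assumes Connect-AzureAD has already run and the UPN is a placeholder.

```powershell
# Added example: resolve the GUIDs in a user's AssignedLicenses to the SkuPartNumber and
# ServicePlanName values returned by Get-AzureADSubscribedSku. Assumes Connect-AzureAD has run.
$upn = 'user@contoso.example'   # placeholder UPN

# Build the lookups once: SkuId -> SkuPartNumber and ServicePlanId -> ServicePlanName.
# Keys are cast to string so the ids compare equal whatever type each cmdlet returns them as.
$skuById  = @{}
$planById = @{}
foreach ($sku in Get-AzureADSubscribedSku) {
    $skuById[[string]$sku.SkuId] = $sku.SkuPartNumber
    foreach ($plan in $sku.ServicePlans) {
        $planById[[string]$plan.ServicePlanId] = $plan.ServicePlanName
    }
}

$user = Get-AzureADUser -ObjectId $upn
foreach ($assigned in $user.AssignedLicenses) {
    $skuName = $skuById[[string]$assigned.SkuId]
    if (-not $skuName) { $skuName = 'UNKNOWN (not in Get-AzureADSubscribedSku output)' }
    '{0}  {1}' -f $assigned.SkuId, $skuName
    foreach ($planId in $assigned.DisabledPlans) {
        $planName = $planById[[string]$planId]
        if (-not $planName) { $planName = 'UNKNOWN plan' }
        '    disabled: {0}  {1}' -f $planId, $planName
    }
}

# AssignedPlans reports the Service name (e.g. TeamspaceAPI), which differs from the
# ServicePlanName (TEAMS1); join on ServicePlanId to see both names side by side
$user.AssignedPlans |
    Where-Object CapabilityStatus -eq 'Enabled' |
    Select-Object Service,
                  @{ Name = 'ServicePlanName'; Expression = { $planById[[string]$_.ServicePlanId] } },
                  CapabilityStatus |
    Sort-Object Service
```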
Users and Groups
Users and groups are the foundation of Azure AD, allowing you to organize users into groups that behave similarly.
You can put your Product Management team in one Azure AD group and grant permissions at the group level, making it easier to manage permissions when team members leave the organization.
Users can come from both inside and outside of Azure AD, including users from outside your organization with a Microsoft account.
This means you can bring people outside your organization into your tenant and grant them specific permissions, providing an additional level of security to your organization's data.
Q&A
Azure AD is available for governments, and both Azure Government and GCC High come with Azure AD.
Azure AD is also available for educational institutions, where it's bundled into education licensing for Office 365.
With a Windows 10 license, you can use Azure AD and take advantage of unique features like joining a device to Azure AD and using Windows Hello for Azure AD.
Azure AD Free is a great option for educational institutions, and it's included with education licensing for Office 365.
Azure AD offers features like administrator BitLocker recovery and MDM self-enrollment for businesses with a Windows 10 license, specifically on the P1 and P2 plans.
These unique features make Azure AD a valuable tool for businesses of all sizes, especially those with a Windows 10 license.
Licensing Features
You can inspect the individual license features and services, also referred to as sub-SKU features, using the Get-AzureADSubscribedSku cmdlet. These features and services are listed under the ServicePlanName property.
Some ServicePlanName values are obvious, such as SWAY, POWERAPPS_O365_P2, and EXCHANGE_S_ENTERPRISE, which correspond to specific features and services. Others, like MCOSTANDARD, may require some searching online to understand what they mean.
The Get-AzureADSubscribedSku cmdlet provides a detailed view of the licenses that are enabled and consumed, including the PrepaidUnits property, which can be expanded to see a more detailed breakdown of the license units.
A complete list of ServicePlanName values and their corresponding friendly names isn't available on Microsoft online documentation sites, but you can usually figure out what they mean with a little searching and common sense.
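As an added example serving both the Listing Available Licenses and Licensing Features sections (not code from the original post or its sources), this report expands PrepaidUnits and the sub-SKU service plans for every subscribed SKU. It assumes Connect-AzureAD has already run.

```powershell
# Added example: inventory of every subscribed SKU with its unit counts (expanded from
# PrepaidUnits) and the sub-SKU service plans it contains. Assumes Connect-AzureAD has run.
$report = Get-AzureADSubscribedSku | ForEach-Object {
    $enabled  = $_.PrepaidUnits.Enabled
    $consumed = $_.ConsumedUnits
    [pscustomobject]@{
        SkuPartNumber = $_.SkuPartNumber
        Enabled       = $enabled
        Warning       = $_.PrepaidUnits.Warning     # units in warning status
        Suspended     = $_.PrepaidUnits.Suspended
        Consumed      = $consumed
        Available     = $enabled - $consumed        # negative means more assigned than bought
        Plans         = ($_.ServicePlans |
                          Sort-Object ServicePlanName |
                          ForEach-Object { '{0}={1}' -f $_.ServicePlanName, $_.ProvisioningStatus }) -join ', '
    }
}

$report | Sort-Object Available |
    Format-Table SkuPartNumber, Enabled, Warning, Suspended, Consumed, Available -AutoSize

# Flag the two conditions worth acting on: over-assigned SKUs and SKUs with units in warning status
$report | Where-Object { $_.Available -lt 0 -or $_.Warning -gt 0 } |
    Select-Object SkuPartNumber, Available, Warning

# Plan-level detail for one SKU, here the Enterprise E3 bundle (ServicePlanName=ProvisioningStatus)
($report | Where-Object SkuPartNumber -eq 'ENTERPRISEPACK').Plans -split ', '
```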
Considerations
Azure AD licensing can be complex, but breaking it down into key considerations can help. There are four license levels – Free, Office 365 Apps, Premium P1, and Premium P2.
The Free license comes with a subscription to Azure, Dynamics 365, Intune, and Power Platform. You get Office 365 Apps as part of your Office 365 subscription. The Premium tier adds features like advanced password protection and self-service password management.
Choosing the right scenario is crucial. If you already have Windows AD, a Hybrid Azure AD setup might be the best option. If you're building a cloud-only infrastructure, Azure AD is the way to go.
For a Hybrid environment, you can choose between Managed and Federated configurations. If you're creating users in Windows AD, you'll need Azure AD Connect to sync with Azure AD. Device management in Azure AD requires Windows 10 on all devices.
Single Sign-on (SSO) with Azure AD is a great feature, but it requires configuring cloud apps and services to use Azure SSO, and setting up a hybrid cloud for printing.
Frequently Asked Questions
What is the difference between P1 and P2 licenses?
The main difference between Azure AD Premium P1 and P2 licenses is that P2 includes advanced security features like Identity Protection and Privileged Identity Management (PIM) on top of P1's core features. This adds robust conditional access and data protection capabilities to P2.
Do I need Azure AD premium license for every user?
Yes, you need an Azure AD Premium license for each user who will access and use the licensed Azure AD service. Licensing is required for each user, or for each group and its members, that actively accesses and uses the feature.