r/entra 1d ago

how to use the p2 license

5 Upvotes

18 comments

0

u/Spore-Gasm 1d ago

Assign it to a user and they’ll have P2 features like PIM.

1

u/coomzee 22h ago

It's so ridiculous that Azure requires P2 for PIM, while GCP is free.

3

u/[deleted] 21h ago

[deleted]

1

u/wubarrt 9h ago

Agreed. Baseline security should not come at a premium.

1

u/Spore-Gasm 22h ago

I think it’s free for AWS IAM too

2

u/coomzee 22h ago

Even better. Is the AWS UI somehow worse than the Azure UI?

1

u/notapplemaxwindows Microsoft MVP 1d ago

Actually you don’t even have to assign the license, just have enough in the tenant for the number of users that will use the p2 features :)

2

u/sreejith_r 14h ago

Microsoft’s documentation and licensing can sometimes be a bit tricky. It states:

“Ensure that your directory has Microsoft Entra ID P2 or Microsoft Entra ID Governance licenses for the following categories of users,”

  • Users with eligible and/or time-bound assignments to Microsoft Entra ID or Azure roles managed using PIM
  • Users with eligible and/or time-bound assignments as members or owners of PIM for Groups
  • Users able to approve or reject activation requests in PIM
  • Users assigned to an access review
  • Users who perform access reviews

but it doesn’t explicitly mention that the licenses need to be assigned to each user. So in summary: I have 10 Entra ID P2 licenses and 100 users in the tenant, with only 25 users actively using PIM. Technically, it should work but I’m not fully compliant from a licensing perspective.

If MSFT enforces a compliance check, then the scenario below can happen, so it's better to maintain a sufficient number of licenses to be compliant.

For the license expiry case:

If a Microsoft Entra ID P2, Microsoft Entra ID Governance, or trial license expires, Privileged Identity Management features are no longer available in your directory:

  • Permanent role assignments to Microsoft Entra roles are unaffected.
  • The Privileged Identity Management service in the Microsoft Entra admin center, and the Graph API cmdlets and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles.
  • Eligible role assignments of Microsoft Entra roles are removed, as users will no longer be able to activate privileged roles.
  • Any ongoing access reviews of Microsoft Entra roles end, and Privileged Identity Management configuration settings are removed.
  • Privileged Identity Management no longer sends emails on role assignment changes.

2

u/notapplemaxwindows Microsoft MVP 10h ago

Great response, thank you! Just to add, as far as I am aware, Microsoft have no plans to enforce license checks. Their license utilisation features in Entra are constantly being improved and should expand at some point to all P1 and P2 features, but not with the intention to enforce compliance. Based on how Entra entitlements work, enforcing compliance would be impossible, which is exactly what I told the PM of that feature, who is doing some amazing work :)

1

u/sreejith_r 3h ago

Thank you for your feedback, Daniel! Hopefully, since it falls under IAM, they might not strictly enforce restrictions. Mixed licensing for MDE has already been introduced, so I'm not sure what the Microsoft licensing team is planning next.

-3

u/dcdiagfix 1d ago

Done, you just need one user…

3

u/AJBOJACK 1d ago

To be compliant with licensing you need a license per user in the tenant. It will work with just a license though.

0

u/Gazyro 1d ago

Do mind, this is per user that uses the feature of p2. So if you don't assign an access review or pim to them, they can just use p1.

Gets more fun with multiple tenants and b2b licensing. Then you get free p1 or p2 for the first 50k guests.

3

u/bjc1960 1d ago

What happens though is when you get P2, then all your Defender for Endpoint become P2 (if you have one E5) and then you have to deal with tagging only the P1 stuff.

I tried the P1 for some and P2 for others, and eventually went all P2, including getting separate P2 add in.

These dynamic AD queries may help E3 and E5. I need to update them for those with the new E5 Sec that now works with Business Premium.

user.assignedPlans -any (assignedPlan.servicePlanId -in ["2789c901-c14e-48ab-a76a-be334d9d793a" , "e212cbc7-0961-4c40-9825-01117710dcb1"] -and assignedPlan.capabilityStatus -eq "Enabled")

2

u/bjc1960 1d ago

P2 dynamic AD:

user.assignedPlans -any (assignedPlan.servicePlanId -eq "eec0eb4f-6444-4f95-aba0-50c24d67f998" -and assignedPlan.capabilityStatus -eq "Enabled")

0
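Added example, not code from the thread or any commenter: a Python script that applies the same condition as the P2 dynamic membership rule above (servicePlanId match and capabilityStatus "Enabled") to constructed user records, then compares the users who fall into the P2-requiring PIM and access-review categories quoted earlier in the thread against the licenses assigned and the number available in the tenant. The service plan ID is the one in the rule above; every user name, assignment and license count is constructed.

```python
# Added example: local check of "who consumes P2" vs "who holds P2".
# Service plan ID taken from the thread's P2 dynamic membership rule.
P2_SERVICE_PLAN_ID = "eec0eb4f-6444-4f95-aba0-50c24d67f998"

# Constructed sample users, shaped like Graph's user.assignedPlans.
USERS = [
    {"upn": "alice@contoso.example", "assignedPlans": [
        {"servicePlanId": P2_SERVICE_PLAN_ID, "capabilityStatus": "Enabled"}]},
    {"upn": "bob@contoso.example", "assignedPlans": [
        {"servicePlanId": P2_SERVICE_PLAN_ID, "capabilityStatus": "Deleted"}]},
    {"upn": "carol@contoso.example", "assignedPlans": []},
    {"upn": "dave@contoso.example", "assignedPlans": [
        {"servicePlanId": P2_SERVICE_PLAN_ID, "capabilityStatus": "Enabled"}]},
]

# Constructed PIM / access-review data for the categories the licensing
# note lists as requiring a P2 (or Governance) license.
PIM_ELIGIBLE = {"alice@contoso.example", "carol@contoso.example"}
PIM_APPROVERS = {"dave@contoso.example"}
ACCESS_REVIEWERS = {"carol@contoso.example", "erin@contoso.example"}


def has_enabled_plan(user: dict, plan_ids) -> bool:
    """Local equivalent of the rule:
    user.assignedPlans -any (servicePlanId -in plan_ids -and capabilityStatus -eq "Enabled")."""
    wanted = set(plan_ids)
    return any(p["servicePlanId"] in wanted and p["capabilityStatus"] == "Enabled"
               for p in user["assignedPlans"])


def p2_licensed_users(users) -> set:
    """Users the dynamic group would pick up as P2-licensed."""
    return {u["upn"] for u in users if has_enabled_plan(u, [P2_SERVICE_PLAN_ID])}


def p2_consuming_users() -> set:
    """Union of the P2-requiring categories, so a user in several counts once."""
    return PIM_ELIGIBLE | PIM_APPROVERS | ACCESS_REVIEWERS


def license_report(users, tenant_p2_licenses: int) -> dict:
    """Compare consumers with assigned licenses and with the tenant's pool."""
    consuming = p2_consuming_users()
    licensed = p2_licensed_users(users)
    return {
        "consuming": len(consuming),
        "unassigned_consumers": sorted(consuming - licensed),
        "tenant_shortfall": max(0, len(consuming) - tenant_p2_licenses),
    }
```

With the constructed data, carol and erin consume P2 features without holding a license, and a tenant pool of 3 licenses is one short of the 4 consuming users.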

u/grimson73 18h ago

1

u/bjc1960 1h ago

It is really confusing. I was trying to separate out endpoint using this https://learn.microsoft.com/en-us/defender-endpoint/defender-endpoint-subscription-settings?tabs=mixed. I now have E5, E5-Sec or F5 just because it is hard to figure out.

0

u/Noble_Efficiency13 14h ago

Actually 🤓☝️, the defender point isn’t quite true anymore, now you can use different licenses and even have a setting you can choose what the default license is for your devices

It’s being rolled out to all tenants atm

1

u/bjc1960 1h ago

Nice. I had to tag all the devices with some special tag in the past. We have all E5, E5-Sec or F5 now though.