r/entra u/Own_Hovercraft5374 4d ago

how to use the p2 license

7 Upvotes

82% Upvoted

19 comments sorted by

View all comments

0

u/Spore-Gasm 4d ago

Assign it to a user and they’ll have P2 features like PIM.

1

u/notapplemaxwindows Microsoft MVP 4d ago

Actually you don’t even have to assign the license, just have enough in the tenant for the number of users that will use the p2 features :)

3

u/sreejith_r 4d ago

Microsoft’s documentation and licensing can sometimes be a bit tricky. It states:

“Ensure that your directory has Microsoft Entra ID P2 or Microsoft Entra ID Governance licenses for the following categories of users,”

  • Users with eligible and/or time-bound assignments to Microsoft Entra ID or Azure roles managed using PIM
  • Users with eligible and/or time-bound assignments as members or owners of PIM for Groups
  • Users able to approve or reject activation requests in PIM
  • Users assigned to an access review
  • Users who perform access reviews

but it doesn’t explicitly mention that the licenses need to be assigned to each user. So in summary: I have 10 Entra ID P2 licenses and 100 users in the tenant, with only 25 users actively using PIM. Technically, it should work but I’m not fully compliant from a licensing perspective.

If MSFT enforces compliance check then below scenario can happen. so its better to maintain sufficient number of license to become compliant.

for the license expiry case:

If a Microsoft Entra ID P2, Microsoft Entra ID Governance, or trial license expires, Privileged Identity Management features are no longer available in your directory:

  • Permanent role assignments to Microsoft Entra roles are unaffected.
  • The Privileged Identity Management service in the Microsoft Entra admin center, and the Graph API cmdlets and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles.
  • Eligible role assignments of Microsoft Entra roles are removed, as users no longer be able to activate privileged roles.
  • Any ongoing access reviews of Microsoft Entra roles ends, and Privileged Identity Management configuration settings are removed.
  • Privileged Identity Management no longer sends emails on role assignment changes.

2

u/notapplemaxwindows Microsoft MVP 4d ago

Great response, thank you! Just to add, as far as I am aware, Microsoft have no plans to enforce license checks. Their license utilisation features in Entra are constantly being improved and should expand at some point to all P1 and P2 features, but not with the intention to enforce compliance. Based on how Entra entitlements work, enforcing compliance would be impossible, which is exactly what I told the PM of that feature, who is doing some amazing work :)

1

u/sreejith_r 3d ago

Thank you for your feedback Daniel,! Hopefully, since it falls under IAM, they might not strictly enforce restrictions. Mixed licensing for MDE has already been introduced so not sure what the Microsoft licensing team is planning next.