Licensing statements still unclear / wrong

[MrAzureAD]

Team,

The licensing statements in this article are still partly wrong, misleading or incomplete:

• "Licenses must also be assigned to the administrators and relevant users". Closed issue #65294 contains the clear information from PG that assignment is in fact not required. So assignment is not a "must" as the current docs imply.

• The docs do not contain clear information on how to license multiple accounts used by a single user (admin account segregation). There is this very clear tweet by Alex Simons stating that AAD licensing is always per human and not per account. Closed issue #95052 unfortunately contains the exact opposite information.

I am unable to reopen the referenced issues - either resolve this in this issue or reopen the original ones.

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 61f24489-ccff-4636-2c46-af7daea81126
• Version Independent ID: 3f4d1ed0-3379-9102-983e-6c3488f12b5c
• Content: License requirements to use Privileged Identity Management - Azure Active Directory - Microsoft Entra
• Content Source: articles/active-directory/privileged-identity-management/subscription-requirements.md
• Service: active-directory
• Sub-service: pim
• GitHub Login: @amsliu
• Microsoft Alias: amsliu

[JamesTran-MSFT]

@MrAzureAD Thanks for your feedback! I've assigned this issue to the author who will investigate and update as appropriate.

[amsliu]

@MrAzureAD Thank you for your feedback. I am double checking this with our product team.

[amsliu]

reassign @ilyalushnikov

[amsliu]

@JamesTran-MSFT could you please re-assign this issue to the PM @ilyalushnikov? We are pending clarification from the product side. Thanks!

[gh-andrem]

I am following this as well. Is there an update on this?

As mentioned by @MrAzureAD in Issue #95052 it was confirmed by Alex Simmons (https://twitter.com/Alex_A_Simons/status/1232741945190912000) that "If the human is using two accounts, that license covers both accounts."

[JBines]

I have the same question for risk based polices for admin accounts which appears related.

Strangely enough... "Some risks are considered premium available to Microsoft Entra ID P2 customers only, while others are available to Free and Microsoft Entra ID P1 customers." https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#risk-types-and-detection

Yet you require an Entra P2 to apply Conditional Access Polices. The result? Risk found action = None.

Doesn't this seem strange in practice.... for example a global admin account is found as a risky user but no CA policy can be applied to the user to block sign in or force MFA unless the user has a license applied.

I believe this licensing policy should be updated. Sorry if this adds confusion to the thread :(