Have you enabled Guest users in your Microsoft 365 tenant? If your answer is yes then have you applied identity and access governance controls to your Guest users to help minimize security and compliance risks in your tenant?
Read on to find out how to use your existing Azure AD Premium 1 or Premium 2 licences to apply identity and access governance to your Guest users.
What is Azure AD Premium 1 or 2 licensing?
Azure AD Premium 1 or 2 licensing lets you apply identity and access governance controls to your Microsoft 365 accounts. This includes:
Azure AD Premium 1
- Multi-Factor Authentication (MFA)
- Conditional Access
Azure AD Premium 2
- Access reviews
- Entitlement Management
See Azure AD Premium | M365 Maps for a map of all the functionality.
Microsoft allows you to use your existing Azure AD Premium 1 or Premium 2 licensing to apply identity and access governance to your Azure AD B2B users. However, there are some rules around External Identities licensing, which have recently changed for the better, and you may need to switch to the new licensing model to take advantage of them.
So let’s look at the different licensing options and see how to check which External Identities licensing model your tenant is on.
Comparing the Microsoft billing models
Microsoft has a new billing model. Azure Active Directory (Azure AD) External Identities pricing is based on monthly active users (MAU), which includes both Azure AD B2B Guest users and B2C users. The result is that Azure AD Premium 1 and Premium 2 functionality is free for the first 50,000 external MAU each month, and you pay only for any excess. ❗ Important: if you want to use the P2 functionality with your guests for free you must have at least one Azure AD Premium P2 licence to upgrade your tenant to P2.
MAU replaced Microsoft’s historic billing model for Azure AD external users (B2B), which was based on a 1:5 ratio: for every Azure AD Premium 1 or 2 licence in your tenant you could extend the functionality to 5 guest users. For example, Conditional Access for 100 guest users required at least 20 Azure AD P1 licences. Guest Access Reviews with the guest self-reviewing only required one Azure AD Premium 2 licence to upgrade your tenant to P2, after which you could use all the Azure AD P2 functionality.
This new billing model is a benefit for organizations with B2B guests or B2C users because identity governance can now be implemented without buying licences for their guest and external users. However, you need to switch to the MAU billing model to take advantage of this new pricing.
Microsoft reference: MAU billing model for Azure AD External Identities | Microsoft Docs.
So how do I switch my billing model to MAU to allow Identity governance for Azure B2B Guest users?
This guide will explain how to change to MAU and take advantage of guest user identity governance features such as:
- Enforce MFA for guests accessing your tenant
- Review and remove guests when they no longer need access, using Access Reviews with the guests as the self-reviewers.
Step 1: Check whether MAU is already enabled
From Azure Active Directory select External identities from the navigation bar.
Then select Linked subscriptions.
If the Status = Linked then MAU billing has been enabled; read my guide on How to collaborate securely with guests in Microsoft Teams to implement identity governance best practices for Azure AD B2B Guest users.
If the Status = Not Linked then MAU billing has NOT been enabled.
Follow this guide to enable MAU billing and extend security, governance and compliance to your guest users without needing to extend your licensing.
Step 2: Check or set up your Azure subscription
To take advantage of MAU billing, your Azure AD tenant must be linked to an Azure subscription so that Microsoft can bill you for any usage above the 50,000 free MAU.
From the Azure Portal select Subscriptions. This shows whether you already have a subscription. You can either use an existing subscription or set up a new one.
To create a new Azure subscription select the +Add button and follow the prompts to set up a new Pay as you go Subscription. This will require you to enter credit card details as that will be used to collect any monthly fees.
Step 3: Register Azure Active Directory as a resource provider in Azure
From the Azure Portal select the subscription to which you want to assign the billing for any Monthly Active Users excess. In this scenario I used a Pay-As-You-Go subscription.
Select the Resource Providers from the navigation menu.
From the Resource Providers page:
- Use the Filter option to search for Microsoft.AzureActiveDirectory
- Select Microsoft.AzureActiveDirectory
- Check the status of Microsoft.AzureActiveDirectory.
If the Status = NotRegistered:
- Click Register
Azure will start registering the Microsoft.AzureActiveDirectory namespace provider; this takes some time.
Refresh the page to check that the status has changed to Registered.
Step 4: Link your Azure subscription to Azure AD to switch to MAU billing
From Azure Active Directory select External identities from the navigation bar then select Linked subscriptions.
If the status of your tenant shows as Not Linked then you have not switched to MAU billing.
Select the tenant by ticking the box and select Link subscription.
Link your subscription by:
- Selecting the Azure subscription (in this scenario, Pay-As-You-Go)
- Selecting your Resource group
- Clicking Apply
Once processed, the Tenant Status changes to Linked and MAU billing has been enabled.
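If you manage several subscriptions, the resource-provider registration and the linked-subscription check above can be scripted with the Azure CLI. The script below is an added example, not part of the original post or of Microsoft's tooling; it assumes `az` is installed and logged in, and that the tenant link is represented by a `Microsoft.AzureActiveDirectory/guestUsages` resource (an assumption, adjust if your subscription shows a different type).

```shell
#!/bin/sh
# Added example, not code from the original post: check the two MAU-billing
# prerequisites (provider registration and tenant link) with the Azure CLI.
# Assumes `az` is installed and logged in with rights on the target subscription.
set -eu

PROVIDER="Microsoft.AzureActiveDirectory"
# Assumption: linking a tenant for MAU billing creates a resource of this type
# in the selected resource group; adjust if your subscription shows another type.
LINK_TYPE="Microsoft.AzureActiveDirectory/guestUsages"

# Pure helper: does a registrationState value call for `az provider register`?
# Returns 0 (true) for anything other than Registered/Registering.
needs_registration() {
  case "$1" in
    Registered|Registering) return 1 ;;
    *) return 0 ;;
  esac
}

# Pure helper: given newline-separated tenant ids of existing link resources,
# print "Linked" when one of them is the tenant we care about, else "Not Linked".
link_status() {
  ids="$1"; tenant="$2"
  if printf '%s\n' "$ids" | grep -Fxq "$tenant"; then
    echo "Linked"
  else
    echo "Not Linked"
  fi
}

# Driver: register the provider if needed, wait until it is Registered,
# then report whether this tenant is already linked (the Step 1 check).
ensure_mau_prereqs() {
  sub="$1"; tenant="$2"
  az account set --subscription "$sub"
  state=$(az provider show --namespace "$PROVIDER" --query registrationState -o tsv)
  if needs_registration "$state"; then
    az provider register --namespace "$PROVIDER"
    until [ "$(az provider show --namespace "$PROVIDER" --query registrationState -o tsv)" = "Registered" ]; do
      echo "waiting for $PROVIDER to register..."; sleep 10
    done
  fi
  ids=$(az resource list --resource-type "$LINK_TYPE" --query "[].id" -o tsv |
        while read -r id; do az resource show --ids "$id" --query properties.tenantId -o tsv; done)
  link_status "$ids" "$tenant"
}

# Usage: sh mau_check.sh --run <subscription-id-or-name> <tenant-id>
if [ "${1:-}" = "--run" ]; then ensure_mau_prereqs "${2:?subscription}" "${3:?tenant id}"; fi
```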
Additional things to consider:
- If you want to take advantage of the free Azure AD P2 functionality with your B2B guests you must have at least one Azure AD Premium P2 licence to upgrade your tenant to P2.
- If you implement MFA for guests, use the Authenticator app. If you use SMS then follow this article: there is an additional flat fee of $0.03 / €0.026 for each SMS/Phone-based multi-factor authentication attempt, failed or successful. This is also mentioned in the FAQ.
Next Steps: Implement governance best practices for your Azure AD B2B Guest users
Once you have monthly active users (MAU) billing, read my guide on How to collaborate securely with guests in Microsoft Teams to implement identity governance best practices for your Guest users.