Forum Discussion
Nick_Beacroft
Jun 09, 2023
Steel Contributor
User classed as internal or external for Azure AD P2.
A customer has two tenants. Their main corporate tenant (A), and a separate tenant (B) they use for other purposes and want to keep this way.
Some users from the main corporate tenant (A) access the (B) tenant using guest accounts or via Azure B2B.
Where Azure AD P2, specifically PIM, is concerned, are the (A) users classed as external, and do they therefore not require an assigned AAD P2 license?
Technically this is how the AAD P2 licensing works, but is it compliant?
- LicensingConcierge1
Microsoft
It depends on the reason that the tenant A users are accessing tenant B.
To explain, since Privileged Identity Management (PIM) in Azure Active Directory (Azure AD) is licensed per tenant, the users in your scenario will need to be licensed for tenant A as well as tenant B.
However, if the tenant A users are accessing tenant B to simply do the following tasks, then they do not need a license:
- set up PIM
- configure policies
- receive alerts
- and set up access reviews
License requirements to use Privileged Identity Management - Microsoft Entra | Microsoft Learn
If this (or someone else's) reply answers your question, please Accept as the solution to help the other members find it more quickly. Otherwise, please let me know if you need further assistance on this topic.
Regards,
Microsoft CSP Licensing Concierge
- Nick_Beacroft
Steel Contributor
Thanks for the responses so far.
In this case users from tenant (A) would access resources in tenant (B) but would be required to activate an eligible role in tenant (B) using PIM.
In this case, the tenant (A) user has AAD P2, tenant (B) has at least one AAD P2 to enable the features. Would they still require an AAD P2 license in tenant (B) for their guest/external user account to use PIM or are these features included in the PAYG capacity as per this document?
Pricing - Active Directory External Identities | Microsoft Azure
- LicensingConcierge1
Microsoft
- Rahul-kumar
Brass Contributor
When it comes to Azure AD P2 (Premium P2) licensing and the usage of guest accounts or Azure B2B to access a separate tenant, the licensing requirements and compliance can be a bit nuanced. Here are a few considerations:
Licensing Requirements: Azure AD P2 features, including Privileged Identity Management (PIM), typically require a license for each user in the tenant where the features are being used. This means that users in the main corporate tenant (A) would generally need Azure AD P2 licenses to utilize PIM features within that tenant.
External Users: In the context of Azure AD, external users are typically considered users who reside in a different organization's tenant and are invited as guests to access resources in another tenant. If users from the main corporate tenant (A) are accessing the separate tenant (B) as guests or via Azure B2B, they may still be classified as external users. In such cases, they might not require an assigned Azure AD P2 license in the separate tenant (B) if they are only accessing resources there as guests.
Compliance Considerations: Compliance requirements can vary depending on the specific regulations and policies applicable to your customer's organization. It's essential to consult with your customer's IT, compliance, or legal department to ensure that the usage of guest accounts, Azure B2B, and licensing arrangements align with their compliance obligations.
To ensure compliance and accurately determine the licensing requirements, it is recommended to engage with Microsoft or a licensing specialist who can provide guidance based on the specific details of your customer's environment and licensing agreements. They can help ensure that the licensing arrangements and usage of Azure AD P2 features are compliant with applicable regulations and licensing terms.