Azure licensing and MFA for guests - azure

Good afternoon,
I am confused about licensing in Azure and I am hoping someone here can help me understand. Regrettably, Microsoft was not particularly helpful when I contacted sales.
I have an on-prem AD synced with Azure AD cloud (free edition). We have a number of guests (for purposes of this question, 10) for Teams access, and I would like to implement an MFA requirement for them. It appears Azure AD premium licensing may be required to do this. If it is, does each guest user need an Azure AD Premium P1 or P2 license assigned (so 10 Azure AD Px licenses)? Or do I just need one for the administrator?
I'm finding the licensing portion confusing.
Thank you.

The licensing agreement requires that every user using Azure MFA have at least a Premium P1 license. (See related discussion.)
If you are using the free version with security defaults enabled, then you can use a subset of the MFA features and the users can only authenticate using the Authenticator app. But you won't be able to use conditional access or have MFA turned on for some users and not others.
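To make the distinction above concrete, here is an added example (not from the original answer) that uses the Microsoft Graph PowerShell SDK to check whether the tenant carries a Premium plan, count the guest users, and create a guest-only MFA Conditional Access policy in report-only mode; the policy name and the scopes requested are assumptions.

```powershell
# Added example: check for an Azure AD Premium plan, count guests, and create
# a report-only Conditional Access policy that requires MFA for guests only.
# Assumes the Microsoft.Graph PowerShell SDK is installed; the policy name is made up.
Connect-MgGraph -Scopes "Organization.Read.All","User.Read.All","Policy.ReadWrite.ConditionalAccess"

# 1. Does any subscribed SKU include the Azure AD Premium P1 or P2 service plan?
$premiumPlans = Get-MgSubscribedSku |
    ForEach-Object { $_.ServicePlans } |
    Where-Object { $_.ServicePlanName -in @("AAD_PREMIUM", "AAD_PREMIUM_P2") }
if (-not $premiumPlans) {
    Write-Warning "No Azure AD Premium plan found; Conditional Access will not be available."
}

# 2. How many guest users would the policy apply to? (userType filter needs advanced query)
$guests = Get-MgUser -Filter "userType eq 'Guest'" -ConsistencyLevel eventual `
    -CountVariable guestCount -All -Property Id,UserPrincipalName
Write-Host "Guest users in tenant: $guestCount"

# 3. Report-only policy: require MFA for guests on all cloud apps, members untouched.
#    Security defaults cannot express this split; Conditional Access can.
$policy = @{
    displayName = "Require MFA for guests (report-only)"   # assumed name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("GuestsOrExternalUsers") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in report-only mode."
```

Review the sign-in logs for the report-only evaluations before changing the policy state to "enabled", so a misconfigured policy cannot lock the guests out.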

Related

Azure Free licensing

I have two accounts: an Azure Free MSDN account and an Azure Enterprise account.
Can I combine the Azure Free and Enterprise licenses under one account,
so that I can start using only one account and switch between subscriptions?
Thank you.
Due to authentication requirements and licensing we cannot do that; that's what I heard from one of the MSFT team members just now.

Azure AD Premium enterprise applications licensing

This is a licensing related question for Azure Active Directory.
We would like to use Azure AD as a SAML identity provider for our own applications, using the available method in the Azure AD Premium subscription, i.e. by creating a new custom application in the 'enterprise applications' list. Now do I need to assign a Premium license to every user that is going to login to this application via SAML? Or does it suffice to assign this license to the users that are administering the application?
The former case seems more plausible to me; however, it would be way too expensive for us, and during testing the custom application also seems to work for users who do not have the license.
https://azure.microsoft.com/en-us/pricing/details/active-directory/
I am not a licensing expert; that said, Azure AD licenses are per user. Read the doc above. If the app is pre-integrated in the gallery, Azure AD users with the free tier can connect to 10 apps at no cost. If the app is on-premises, that requires Azure Application Proxy, which would require Azure AD Basic.
If it's a custom application not in the gallery, AD Premium is required. Keep in mind AD Premium has a ton more functionality. Conditional Access is a game changer. Very powerful. Multi-factor authentication, self-service password reset, MIM, SCCM CALs, are all included.
Being able to simplify identity for users and link all applications they use to their AD account is important. EMS gives you the ability to monitor identity with Advanced Threat Analytics etc. It's actually a very useful suite of services and not drastically different in price than stand-alone AD Premium.
There is an interesting point on the license page too:
"With Azure AD Free and Azure AD Basic, end users who have been assigned access to SaaS apps can get SSO access to up to 10 apps. Admins can configure SSO and change user access to different SaaS apps, but SSO access is only allowed for 10 apps per user at a time. All Office 365 apps are counted as one app."

Enable Azure Active Directory Access Control with Office 365 Azure Active Directory tenant

I currently have an Office 365 tenant with around 1,400 users all licensed. We have enabled the Azure AD tenant with the same account and are now using Azure AD Dirsync to have same sign-on to Office 365.
We are now having an external SharePoint site developed and have been offered either ADFS or Azure AD ACS as an authentication method. As we've already got an Azure AD subscription (through Office 365) I thought this would be the easiest method. However, when in my tenant on https://manage.windowsazure.com, I have access to Active Directory and can add a new directory, but cannot add a new Access Control service. It's greyed out and says "not available" underneath.
I've tried talking to Office 365 support, who referred me to Azure support, who then said we don't have support so can't help. I've spoken to Azure sales and they've referred me to Azure support, who then guess what, said we don't have support.
Has anyone else managed to implement an Azure Access Control service from an Office 365 tenancy using the free Azure Active Directory subscription? I get the feeling I just need to buy a cheap Azure subscription and the option would become available, but without knowing for sure I'm a bit hesitant about taking the plunge.
Thanks.
I can imagine that you cannot use the free Azure subscription for this purpose because using the Access Control Service brings costs. The free subscription is not tied to any credit card. When you have e.g. a pay-as-you-go subscription you should be able to create an ACS namespace. I just tried in one of my pay-as-you-go subscriptions.
You are (still) able to create a namespace, but I suggest you also take a look into the identity possibilities Azure AD itself has. Azure AD currently only supports SAML 2.0 (and a lot of other protocols, but they are not directly relevant for SharePoint). I know SharePoint (on-premises) only talks SAML 1.1, so that's where ACS comes in. You can read more about this topic here. Azure AD itself is going to support SAML 1.1. The only question is when. (See one of the comments from the source mentioned below this answer.)
I would also make one remark about Azure AD ACS, because this is going to be replaced by Azure AD. The only question left is when.
ACS Capabilities in Azure AD
As we've mentioned previously, we are adding ACS-like capabilities into Azure AD. In the coming months, as part of a feature preview Azure AD administrators will be able to add federation with social identity providers, and later custom identity providers to Azure AD. This will allow app developers to use Azure AD to simplify the identity implementation in their apps, similar to how developers use ACS today. We look forward to getting your feedback on the preview to improve these experiences.
Migrating ACS Customers to Azure AD
Once these new ACS capabilities of Azure AD are out of preview and generally available, we will start migrating ACS namespaces to use the new Azure AD capabilities.
Source: The future of Azure ACS is Azure Active Directory
Quick solution:
Create an Azure paid account. Add the administrator user of the paid account in the Office 365 directory, and set it as global administrator of this latter directory (you can add users from other directories).
Then switch back to the paid account. The new global administrator will be able to manage the Office 365 directory and add a namespace.

Two-step verification for microsoft company account?

I have an MS company account using Office 365 (so myname@mydomain.com is my account), and I use Office, Azure, and Visual Studio Team Services.
However, I cannot find anywhere how to enable 2FA for this account. I can set up 2FA for my normal, personal, Windows Live ID using this page:
http://windows.microsoft.com/en-US/windows/two-step-verification-faq.
But that doesn't work for company accounts.
Does anyone know if this is possible? Thanks!
What you need is Multi-Factor Authentication for Azure Active Directory. It is part of AAD Premium features.
You can read how to enable and configure it here. And more info on it here.
UPDATE
As per documentation:
"Multi-Factor Authentication is now included with Premium and can help you to secure access to on-premises applications (VPN, RADIUS, etc.),"
As well as per this documentation:
"Azure Multi Factor Authentication is included in Azure Active Directory Premium and as a result it is also included with the Enterprise Mobility Suite"
Note: MFA is (at least was) possible with the free AAD but only for the Global Admins in the directory, or for Subscription Administrators within an Azure Subscription.

Can you cancel Access to Azure Active Directory if you have Office 365?

For testing purposes, I added Access to Azure Active Directory in Windows Azure. Now I realize there is no button to cancel the subscription.
As discussed here "the underlying directory for Office 365 is Azure Active Directory (AAD). This means that if you have an Office 365 account, you already have a directory -or "tenant"- in AAD."
1) Does this mean that this particular subscription has always been there - just not visible?
2) Can you cancel it?
3) According to the pricing list adding objects is free (Free up to 500,000 objects), Application Enhancements (Preview) and Access Control. At which point would I be billed? (I know Azure generally bills for usage, the question is what counts as the usage in this particular situation)
1) The Azure AD was created when you signed up for Office 365. This Azure subscription, however, was created when you signed up for Azure. An Azure subscription is required to manage the many aspects of Azure AD that aren't available in the O365 portal.
2) You can create a support ticket (type: billing) to have the subscription cancelled. If it's a free trial subscription it will automatically get cancelled. If it's pay-as-you-go, it won't cost you anything until you use paid services. Which takes us to your last question ...
3) General Azure AD usage is free. If you need paid services of Azure AD like multi-factor auth for users, application access, or self-service password reset, you will need to buy Azure AD licenses. As a rule of thumb: if you haven't turned on multi-factor auth for users and you haven't bought AAD Basic or AAD Premium licenses, you won't spend any money on Azure AD. The object limit is a cap.
Hope that helps