Conditional Access and Azure Active Directory License Management

Azure AD group-based license assignment was made generally available in February 2018. It really is a superb way of managing and assigning licenses for services like Office 365.

Quite often on projects that I deliver, I will work with my customer to build a set of user profiles, for example standard user, power user and exec user, and the group behind each profile assigns some or all of the M365 suite of services.

So this means we would have three security groups, one per user profile. Each organisation can then modify its new-starter process to add new users into the relevant security group, or use identity management tools such as Microsoft Identity Manager 2016 SP1 to manage the user life cycle.

One of the quickest and most powerful conditional access policies is as follows:

  • Assignment: All users, except the license groups and the break-glass admin account
  • Cloud Apps: All apps
  • Conditions: Default, NO CHANGE
  • Access Controls \ Grant: BLOCK

So the assignment to all users is the key. If a new user is not set up properly through the new-user creation process (and therefore is not a member of a license group), they cannot access any of the organisation's cloud apps that are integrated with Azure AD.

This is a policy to block all unlicensed users.
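The policy above expressed with Microsoft Graph PowerShell, as an added example rather than a script from the original post. It assumes the Microsoft.Graph module is installed, the signed-in admin has consented to Policy.ReadWrite.ConditionalAccess, and the placeholder object IDs are replaced with the tenant's real license groups and break-glass account; it is created in report-only mode so the sign-in log can be reviewed before it is enforced.

```powershell
# Added example (not the author's code): creates the "block all unlicensed users"
# conditional access policy via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholders: replace with the object IDs of the three license groups
# (standard / power / exec) and the break-glass admin account.
$licenseGroupIds  = @('<standard-user-group-id>', '<power-user-group-id>', '<exec-user-group-id>')
$breakGlassUserId = '<break-glass-admin-object-id>'

# Guard: an "All users -> Block" policy with no exclusions locks every admin out of the tenant,
# so refuse to build it unless both the license groups and the break-glass account are excluded.
if ($licenseGroupIds.Count -eq 0 -or [string]::IsNullOrWhiteSpace($breakGlassUserId)) {
    throw 'Refusing to create a tenant-wide block policy without license-group and break-glass exclusions.'
}

$policy = @{
    displayName   = 'Block unlicensed users'
    # Report-only first; check the sign-in log "Report-only" results, then change to 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{
            includeUsers  = @('All')              # Assignment: All users
            excludeGroups = $licenseGroupIds      # ...except the license groups
            excludeUsers  = @($breakGlassUserId)  # ...and the break-glass admin
        }
        applications = @{ includeApplications = @('All') }   # Cloud apps: All apps
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')                          # Grant: BLOCK
    }
}

# Returns the created policy object, including its id, for later review or enablement.
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Before switching the state to 'enabled', sign in with the break-glass account in a separate browser session to confirm it is genuinely excluded.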

All licensed users would be expected to have the following items configured as a minimum requirement:

  • MFA
  • SSPR
  • Combined SSPR and MFA registration
  • Azure Password Protection Service
  • Microsoft Advanced Threat Protection integration with CASB
  • Azure AD P2 license, with Identity Protection policies enabled
  • Azure AD hybrid-joined machines
  • Intune-managed, BitLocker-encrypted devices
  • Intune-managed devices with security baselines