When working with Azure AD premium features, be very intentional about licensing and the features you are using. There was a time when you never had to consider different security mechanisms and licensing levels for Active Directory. Now that there are premium SKUs, that has all changed, and if you aren't careful and intentional about licensing you will get unpredictable and difficult-to-troubleshoot results.
Use this page as a guide to which features are included in each Azure AD tier.
It should be noted that multi-factor authentication is also confusing: there is an Azure premium version and a freemium version of it, and you have to be careful about that as well. Let me share a story of what happened to me.
I have quite a few users with different licensing levels as we test things in Office 365, and not all have been granted EMS E5 licensing, which is where Azure AD P2 lives. I will give you a very intentional piece of advice here…KNOW YOUR LICENSING.
I was testing out a feature in Azure AD P2 that should require everyone to register for MFA and then require an MFA login for medium- and high-risk sign-ins.
I first had a user report this issue, but then I had it again with a test user. Instead of being prompted for anything when my test user tried to access some services that were protected, they were blocked with this message.
Strange: I didn't have any conditional access policies, and even working with MSFT support we still couldn't nail down why this was happening. It so happened that I was researching what features I had available in Azure AD P2, and it kind of hit me. If this user was being challenged by a premium feature but was not licensed for that feature, what would happen? So I checked on the user and, lo and behold, the license was off…
This prompted me to review all of my licenses for my user base and ensure that there aren’t any discrepancies. The other option is to exclude your test users from the policy.
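One way to do that review, as an added example that is not from the original post: check every user in scope of the risk policy for the Azure AD P2 service plan using the Microsoft Graph PowerShell SDK. The group name is a hypothetical placeholder; the script assumes the Microsoft.Graph.Users and Microsoft.Graph.Groups modules and User.Read.All / Group.Read.All consent.

```powershell
# Added example, not from the original post or from Microsoft.
# Lists members of the policy's target group that lack the AAD_PREMIUM_P2 plan,
# i.e. the users who would be blocked rather than prompted for MFA.
Connect-MgGraph -Scopes "User.Read.All","Group.Read.All"

$TargetGroupName = "Identity Protection Pilot"   # hypothetical: group the P2 policy is scoped to
$RequiredPlan    = "AAD_PREMIUM_P2"              # service plan delivered by EMS E5 / Azure AD P2

$group   = Get-MgGroup -Filter "displayName eq '$TargetGroupName'" -ErrorAction Stop
$members = Get-MgGroupMember -GroupId $group.Id -All

$report = foreach ($m in $members) {
    # Nested groups and devices carry no license details; only check user objects.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $plans = Get-MgUserLicenseDetail -UserId $m.Id |
             Select-Object -ExpandProperty ServicePlans
    $p2    = $plans | Where-Object { $_.ServicePlanName -eq $RequiredPlan }

    # A plan can be assigned but not yet provisioned; only 'Success' counts.
    $status = if ($p2) { ($p2.ProvisioningStatus | Select-Object -First 1) } else { 'Missing' }

    [pscustomobject]@{
        UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
        HasP2             = ($status -eq 'Success')
        Provisioning      = $status
    }
}

# Anyone listed here needs a license fixed or an exclusion from the policy.
$report | Where-Object { -not $_.HasP2 } | Format-Table -AutoSize
```

Run it after every licensing change to the pilot group, since a license that lapses silently turns an MFA prompt into a hard block.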