Azure Premium P1 & P2 Licensing Question
I'm having a very hard time finding the answer to what seems like a simple question. I am global admin for ~ 5500 K-12 school district accounts (Our company is the IT Management provider/MS Partner for the district). With security issues and attacks becoming more prevalent, we're interested in utilizing some of the more advanced features of Azure AD security. With the free version we were, until recently, able to look at the Risky Sign-In report showing suspect logins to Azure and O365. That's no longer available, but even when it was, a P1 or P2 license was required to drill down to the actual risk detections.
With 5500 licensed accounts, would I really have to purchase P1 for 5500 * $6 = $33,000 or 5500 * $9 = $49,500 per MONTH in order to do things like block any emails or logins from Nigeria or Azerbaijan, etc. for my users, or view the specific risk detections used to flag an account? I was told by a Microsoft Engineer on an O365 support ticket related to this question that all I would need was a license for each account that would ADMINISTER the services - in our case that would be a single license.
$9/month or $50K/month - Which is it?
Re: Azure Premium P1 & P2 Licensing Question
Disclaimer: The answer below is based on my understanding of the scenario; it is not an official, binding statement of conformance. For legally binding answers the license terms as defined in the respective contracts should be checked directly.
I will also check again internally with our licensing team.
The risky sign-in detection and defining risk policies come with AAD Premium Plan2, and from the description of the scenario it seems to me that really all users where risk policies should be set for auto-remediation of risky sign-ins would need a license. See also this article for info on how the feature is licensed, who needs a license and how to scope the monitoring to only licensed users: https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#azure-active-directory-identity-protection
See "How do users benefit from the service?" in the above mentioned link and also the general statement on top of the article "Although some unlicensed users may technically be able to access the service, a license is required for any user that you intend to benefit from the service".
Overall, the question is if you just want to have access to more detailed reports or if you want to configure the risk policies.
You mentioned "in order to do things like block any emails or logins from Nigeria or Azerbaijan, etc. for my users" - this is not necessarily an Identity Protection feature that requires P2. Blocking logins based on country of origin would be done using conditional access rules, and every user targeted by such a policy would need AzureAD Premium P1.
Also, for K-12 school districts there may be discounted licenses available that also cover AAD Premium, like Microsoft 365 Education A3 or A5.