ADFS and Azure AD Licensing

    Question

  • Hello there

    Do you guys know if I need an Azure AD Premium license in order to configure conditional access (by location) using ADFS? The documentation is confusing because it says you need a premium license to get conditional access, but it's not clear if it applies to scenarios where you have an ADFS or only when using cloud-only users in the Azure AD management portal.

    Monday, July 9, 2018 1:38 AM

All replies

  • If you are implementing Azure AD Conditional Access, you would require an Azure AD Premium license regardless of whether you have ADFS or only cloud users.

     


    Monday, July 9, 2018 8:24 AM
    Moderator
  • Hi,

    In addition, when using ADFS conditional access (which also has a location-based condition), no additional license is needed. This feature is included in the ADFS/Server license.

    But keep in mind that (besides some exceptions) CA in ADFS will count for all authentications and therefore all apps.

    AzureAD CA is more fine-grained (per app if you like), so it depends on your requirements what to use.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Monday, July 9, 2018 8:29 AM
  • Thank you Neelesh. It's clear to me that if I use the Azure AD CA I would have to acquire a premium license.
    Monday, July 9, 2018 12:53 PM
  • Hi Peter

    Ok. I'm comparing the two scenarios. If I go cloud-only + Azure AD CA it will require only the additional premium licenses. If I choose to implement an on-premises AD with ADFS I will have the cost of the virtual machines (AD + ADFS + WAP) but no premium license.

    The ADFS path looks to be cheaper, even if I use Azure VMs. I need that setup for 550 users. It looks like 550 Azure AD premium licenses cost more than 3 VMs. Does that make sense?

    Monday, July 9, 2018 1:02 PM
  • Hi,

    That may be the case, I never calculated it. But you get more than just CA with AADP1, so other features might be of value to you now or in the future.

    Besides that, most of our customers are going away from ADFS for cloud connect, switching to PHS with seamless SSO, also because more and more apps can be AAD integrated.

    While costs should of course matter, it should not be the first intention when implementing security features.

    The exact use case and business need should take first place, then evaluate options and last compare costs for the chosen ones. As I said before, AAD CA is more fine-grained, you can have policies for each app, while ADFS CA is more the "big" hammer ;-)

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Monday, July 9, 2018 5:11 PM
  • Thank you Peter. Perfect answer.
    Monday, July 9, 2018 7:34 PM