Azure MFA licensing explained

Azure MFA (Multi-Factor Authentication) is a well-known and commonly used second-factor authentication service delivered as part of the Azure AD platform. Configuring the service is straightforward and shouldn’t cause many problems for IT specialists. Azure MFA licensing, however, is a completely different matter, especially if you also have external consultants and guests in your Azure AD tenant. Before we jump into the licensing options, we should check Microsoft’s definition of an internal and an external user, as defined in the licensing terms: Commercial Licensing Terms (microsoft.com)

Azure MFA

Users Definitions

  1. Internal users – users that are employees, onsite contractors, or onsite agents: all people working in your office, on your on-premises solutions, and using corporate devices (PCs and mobile devices) as well as virtual infrastructure such as VDI or Azure Virtual Desktop/Windows 365. In other words, all people understood as FTE (Full Time Employee).
    • Licensed User means the single person to whom a license is assigned.
  2. External consultants/users/employees – users that are not employees, onsite contractors, or onsite agents of Customer or its Affiliates. They are not FTE (Full Time Employee) and provide only a temporary and limited service to your organization. They might be using their own PCs to connect to your organization’s resources.
  3. Guest accounts – similar to external users, these are people who do not use your infrastructure or devices and connect only to specific online services. Guests are usually granted access to a limited set of services, and usually for a limited period of time, e.g. in your Microsoft 365 tenant.

Based on the above, we can define two groups:

  • Internal – employees and contractors performing work for the company as FTE and using physical or virtual infrastructure and/or corporate devices
  • External – all externals and guest accounts working for the company for a temporary period and not using physical infrastructure or corporate devices – not FTE

Azure MFA licensing

Internal Users

Azure MFA is included in the Azure AD Premium Plan 1 feature set, and for internal users the company has to purchase and assign a valid license to every user.

External Users

In the case of external users and guest accounts, usage of the Azure MFA service is licensed with the AAD Premium External User billing method described here: MAU billing model for Azure AD External Identities | Microsoft Docs. MAU stands for Monthly Active Users and is calculated across all your tenants (both Azure AD and Azure AD B2C) that are linked to the same subscription.

You do not have to purchase any licenses; you simply set up an Azure Subscription as a billing container. Your first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features. If you exceed this limit, your Azure subscription will be billed.

Azure MFA for free?

Azure MFA is part of the Azure AD platform, and as you probably know, you can create a free Azure AD tenant. All users in an Azure AD Free tenant can use Azure AD Multi-Factor Authentication by using security defaults. The mobile Authenticator app is the only method that can be used for Azure MFA with Azure AD Free security defaults, so this is a great environment for your test or development tenants.

Practical scenario:

IT Constructors company has 1000 employees who are covered with Microsoft 365 E3/E5 licenses.

IT Constructors also cooperates with external consultants – 500 external users. They connect to the company resources via VPN. The VPN is a 3rd-party solution, e.g. Cisco AnyConnect or Palo Alto, that works with a 3rd-party MFA solution, e.g. DUO or any other.

IT Constructors would like to integrate the VPN solution with Azure MFA. There are two possibilities:

  1. Integrate with AAD via SAML connection and then use native Azure MFA support.
  2. Integrate with Azure MFA using NPS Extension and RADIUS authentication.

What kind of license is required in both cases 1 and 2 for external users connecting via VPN and using Azure MFA?

And the answer here is…. it depends 🙂 Note that the external user Azure MFA MAU licensing is only applicable if the users fulfill the definition of an external user. External consultants might fall under the definition of an “onsite contractor”; in that case external user licensing would not be applicable, and each consultant would need a regular Azure AD Premium Plan 1 license (or higher). So in such cases you need to prepare a thorough review of the consultants and be ready for a Microsoft license audit.
