Microsoft 365 Tenants Need to Link their Azure AD to Azure Subscription
Tenant administrators are all too aware of the growth of guest user accounts in tenant directories over recent years. The success of Teams and the use of guest accounts in sharing SharePoint Online and OneDrive for Business documents are the biggest factors in driving the growth in guest accounts. As we’ll discuss, some premium features of Microsoft 365 Groups require consideration of Azure AD guest user licensing.
Apart from cluttering up the directory, dormant guest accounts do no direct harm, but each one remains a standing access grant to whatever was shared with it, so it is worth identifying and removing obsolete accounts. You can do this using a variety of methods, such as checking the Azure AD sign-in logs to discover the last sign-in to an account, or using the Office 365 audit log and message tracking logs to figure out whether guest accounts are active.
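One way to find guests with no recent sign-in, as an added example that is not part of the original post: it uses the Microsoft Graph PowerShell SDK to read each guest account's signInActivity and flags accounts with no sign-in inside a 90-day window (the threshold, the CSV path and the permission scopes are assumptions for the example). Reading signInActivity needs an Azure AD Premium P1 licence in the tenant and the AuditLog.Read.All permission.

```powershell
# Added example (not the original post's code): report guest accounts with no
# sign-in in the last 90 days via Microsoft Graph PowerShell.
# Assumptions: 90-day threshold, the scopes below, and the output path.
$StaleDays = 90
Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All' | Out-Null

$cutoff = (Get-Date).AddDays(-$StaleDays).ToUniversalTime()

# signInActivity is not returned unless it is selected explicitly
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property 'id,displayName,mail,createdDateTime,signInActivity'

$report = foreach ($g in $guests) {
    # LastSignInDateTime covers interactive sign-ins; a null value means no
    # sign-in was recorded, so fall back to the creation date for old accounts
    $last = $g.SignInActivity.LastSignInDateTime
    $stale = if ($null -eq $last) { $g.CreatedDateTime -lt $cutoff } else { $last -lt $cutoff }
    if ($stale) {
        [PSCustomObject]@{
            DisplayName = $g.DisplayName
            Mail        = $g.Mail
            Created     = $g.CreatedDateTime
            LastSignIn  = $last
            Id          = $g.Id
        }
    }
}

$report | Sort-Object LastSignIn | Format-Table -AutoSize

# Export before acting: Remove-MgUser -UserId <Id> deletes the account (it stays
# in the Azure AD recycle bin for 30 days), so keep a record of what you removed
$report | Export-Csv -Path .\StaleGuests.csv -NoTypeInformation
```

Treat the list as a candidate set rather than a deletion list: a guest who only ever opens shared documents still produces an interactive sign-in, but accounts added for access that has not yet been exercised will show no sign-in and may simply be new.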
However, one thing you should keep an eye on is the requirement to license guest accounts if you use premium Azure AD features like conditional access policies or dynamic Microsoft 365 groups. In the past, the rule was that guest accounts needed premium licenses at a 1:5 ratio to Azure AD premium licenses. In other words, each Azure AD premium license covers five guest accounts. Guest accounts don’t need licenses for “normal” activity such as accessing a team or opening a shared document. Azure AD access reviews can help control the need for licenses by forcing group owners to validate continued membership of guests in their groups.
Change in Licensing for External Identities
In September 2020, Microsoft announced a change in licensing for external identities (Azure B2B and B2C collaboration). Instead of requiring customers to buy premium Azure AD licenses to cover guest accounts, the new monthly active users (MAU) billing model allows up to 50,000 free MAU for premium activities monthly. Licenses are still needed for tenant accounts which use Azure AD premium features.
The definition on Microsoft’s billing model for Azure AD external identities page explains that MAU is “the count of unique users with authentication activity within a calendar month.” In other words, the MAU threshold covers all authentication activity by 50,000 external identities (like guest accounts) in a month. Any individual identity within that set can authenticate as many times as they like. If a tenant exceeds the 50,000 MAU threshold, Microsoft bills for authentications by subsequent external identities. Pricing varies according to market and whether an authenticated external identity uses Azure AD Premium P1 or P2 features (see MAU pricing). As an example, in the U.S., an Azure AD premium P1 MAU costs $0.00325.
To date, Microsoft hasn’t done much to enforce the changeover to MAU pricing, and it’s very possible that Microsoft’s change in licensing strategy passed tenant administrators by without registering. It certainly made no impact on me. However, the signs are that some new features might require tenants to use MAU billing, which requires customers to link their Azure AD tenant to an Azure subscription. If you’ve already done this, you don’t need to do anything else as Microsoft bills you based on the MAU model. If you haven’t, you’ll need to link your tenant to an existing or new subscription.
Switching to Azure AD MAU Billing
On the surface, the process to switch to MAU billing seems straightforward:
- Create a new Azure subscription or identify an existing subscription to use for MAU billing.
- Go to the External Identities blade in the Azure AD admin center and select the Linked subscriptions option. Figure 1 shows the result of successfully linking Azure AD to a subscription.
- Select your directory (most tenants have just one).
- Click Link subscription to select the Azure subscription and resource group (within the subscription) to use for MAU billing. Click Apply to link the directory to the subscription.
Registering the Azure AD Resource Provider
In my case, linking proceeded smoothly until Azure rejected my chosen subscription with the error:
The subscription is not registered to use namespace ‘Microsoft.AzureActiveDirectory’. See https://aka.ms/rps-not-found for how to register subscriptions.
The referenced page contains a lot of information about fixing various problems but nothing I could see relating to Azure AD. Some research (aka web searches) revealed that Microsoft.AzureActiveDirectory is the name of the resource provider for Azure AD. As you might imagine, not every resource provider is registered for every Azure subscription, so the solution is to register Azure AD for the subscription.
You can do this in two ways. First, go to the Subscriptions section of the Azure portal and select the subscription you want to use. Now select Resource providers and look for Microsoft.AzureActiveDirectory in the set of providers. Select the provider and click Register. Figure 2 shows the provider in the Registered state, which is what you want to see.
Those wanting to live on the edge can register the provider using the Azure Cloud Shell. Start a session by clicking the Cloud Shell icon in the menu bar (it’s the icon which looks vaguely like PowerShell). This opens a small pane in the Azure portal into which you can type commands (you have a choice of Bash-like or PowerShell-like environments).
Accessing Cloud Shell from the Azure portal signs you in automatically. All you need to do is run two commands: the first selects the subscription you want to update and the second registers the Microsoft.AzureActiveDirectory provider with that subscription:

az account set --subscription "Visual Studio Enterprise Subscription"
az provider register --namespace Microsoft.AzureActiveDirectory

If you access the Cloud Shell directly (https://shell.azure.com/), you'll need to sign in first with:

az login
In either case, after registering the provider, you can link the subscription to Azure AD and use the MAU billing model.
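Registration is asynchronous: the register command returns before the provider reaches the Registered state, so linking the subscription immediately afterwards can still fail. The following script, an added example that is not part of the original post, does the same job from the PowerShell flavour of Cloud Shell with the Az module: it checks the provider's current state, registers it only if needed, and polls until the state settles. The subscription name and the five-minute timeout are assumptions.

```powershell
# Added example (not the original post's code): register the Azure AD resource
# provider for a subscription with the Az PowerShell module and wait for it.
# Assumptions: the subscription name and the polling timeout.
$SubscriptionName = 'Visual Studio Enterprise Subscription'
$Namespace = 'Microsoft.AzureActiveDirectory'

# Select the subscription that will be linked for MAU billing
Set-AzContext -Subscription $SubscriptionName | Out-Null

# Get-AzResourceProvider returns one object per resource type in the namespace;
# they share the provider's RegistrationState (NotRegistered, Registering, Registered)
$state = (Get-AzResourceProvider -ProviderNamespace $Namespace |
          Select-Object -First 1).RegistrationState
Write-Host "$Namespace is $state in '$SubscriptionName'"

if ($state -ne 'Registered') {
    # Register-AzResourceProvider returns immediately; registration completes in the background
    Register-AzResourceProvider -ProviderNamespace $Namespace | Out-Null

    $deadline = (Get-Date).AddMinutes(5)
    do {
        Start-Sleep -Seconds 10
        $state = (Get-AzResourceProvider -ProviderNamespace $Namespace |
                  Select-Object -First 1).RegistrationState
        Write-Host "  waiting... state is $state"
    } while ($state -ne 'Registered' -and (Get-Date) -lt $deadline)
}

if ($state -eq 'Registered') {
    Write-Host "Provider registered; the subscription can now be linked under External Identities"
} else {
    Write-Warning "Provider is still '$state'; the link step will fail until it reports Registered"
}
```

Run it in the same account that will perform the link, since registering a resource provider needs Contributor (or a role with Microsoft.*/register/action) on the subscription, not just a role in Azure AD.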
It seems strange that Microsoft hasn't optimized the Azure AD admin center to check that a selected subscription has the Azure AD resource provider registered and, if not, offer to register it for the administrator. There should be no need to force administrators to solve a problem that software can fix automatically.
Extra SMS Charges
Although Microsoft allows for 50,000 free MAU monthly, the MAU pricing page says:
A flat fee of $0.03 is billed for each SMS/Phone-based multi-factor authentication attempt.
Note the wording. The charge applies whether the attempt to send an SMS code is successful or not and covers the telephony charge involved in sending the SMS. The charge does not apply when external identities use the Microsoft Authenticator app for MFA verification, which is another good reason to encourage guest accounts to use the app.
Goodness for Microsoft and Tenants
I’m sure Microsoft likes the new MAU pricing model for external identities because it gives them more control and visibility over the volume of guest account activity with premium Azure AD features. The old 1:5 licensing model was unenforceable and probably ignored in many tenants. On the upside, because MAU pricing is linked to Azure subscriptions, tenants gain more insight into the activity level for guest accounts too. I’ll be keeping an eye on costs as time goes by.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what’s happening.