Microsoft Releases Entra ID License Utilization Insights

Posted on by Tony Redmond

Entra ID Usage Insights for Premium Licenses

A February 20 Microsoft Technical Community post covering the introduction of Microsoft Entra License Utilization Insights began by saying that over 800,000 organizations use Entra ID before announcing the preview of a new Entra ID License utilization portal. When I read this first, I assumed that the new portal would help customers manage all licenses assigned to Entra ID accounts but that’s not the case. Instead, the new portal (or rather, a new page in the Entra admin center) focuses on Entra ID premium licenses.

Entra ID premium licenses are available separately or as part of a package such as Enterprise Mobility and Security or Microsoft 365 E3 or E5. Although these licenses enable access to a range of features, the most common reason why Microsoft 365 tenants need Entra ID premium licenses is for conditional access policies. Currently, Microsoft says that 38% of Entra ID accounts use multifactor authentication. Demand is likely to grow in the future when Microsoft deprecates the per-user multifactor authentication capabilities available in Office 365 E3 and E5 and forces tenants to use conditional access policies instead.

Microsoft says that the new page (Figure 1) allows administrators to view usage details for Entra ID premium licenses. The preview is limited to support for conditional access (P1) and risk-based conditional access (P2).

Entra ID License Utilization Insights in the Entra admin center. Entra ID usage insights.
Figure 1: Entra ID Usage Insights in the Entra admin center

Microsoft expects to add support for more features when the feature reaches general availability. They claim that usage insights will help tenants to understand the number of available premium licenses and the value gained by users from these licenses. And of course, if any over-usage is detected, Microsoft will be happy to bring that salient fact to the attention of tenant administrators.

A More Restrictive Regime Coming?

At present, I Microsoft does not enforces licensing requirements for Entra ID premium features with the same precision as happens for Microsoft 365 licenses.  For instance, Entra ID processes connections that require multifactor authentication no matter if the account has a premium license. The advent of this license utilization page might be a pointer to a more restrictive regime that’s coming, including for premium features consumed by guest users (which should now be covered by Monthly Active User (MAU) pricing).

For instance, my tenant has five Microsoft 365 E5 licenses among the licensing mix, so that means that the tenant has five Entra ID P2 licenses. The insights page tells me that there are 11 accounts using conditional access and 45 users using conditional access B2B (guests). Costs for the guests are covered by MAU pricing tied to an Azure subscription, but I seem to have a deficit of six Entra ID P1 licenses to license multifactor authentication for the excess user accounts. Obviously, this is something that I will deal with immediately.

Graph Access to Entra ID Usage Insights

In addition to the page in the Entra admin center, Microsoft has a Graph API to access the usage insights (through the beta endpoint because it’s a preview feature). Here’s how to access the data using the Microsoft Graph PowerShell SDK:

[array]$Data = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/reports/azureADPremiumLicenseInsight" -OutputType PSObject

$Data

@odata.context            : https://graph.microsoft.com/beta/$metadata#reports/azureADPremiumLicenseInsight/$entity
entitledP1LicenseCount    : 0
entitledP2LicenseCount    : 5
entitledTotalLicenseCount : 5
p1FeatureUtilizations     : @{conditionalAccess=; conditionalAccessGuestUsers=}
p2FeatureUtilizations     : @{riskBasedConditionalAccess=; riskBasedConditionalAccessGuestUsers=}

To get the counts of user accessing the licensed features, we can do something like this:

Write-Host ("The tenant has {0} member accounts and {1} guest accounts that use conditional access" -f $Data.p1FeatureUtilizations.conditionalaccess.usercount, $Data.p1FeatureUtilizations.conditionalaccessguestusers.usercount )

The tenant has 11 member accounts and 45 guest accounts that use conditional access

Here’s how to find which accounts actively use multifactor authentication to access your tenant.

Entra ID Usage Insights Serve Microsoft More Than Tenants

It’s natural that the Entra ID development group should take care of their license consumption and revenue, so the provision of a page to make tenants aware of the consumption is unsurprising. I think this is a forerunner of a more restrictive regime for Entra ID premium licensing, which again is unsurprising. I just hope that it doesn’t put tenants off from using multifactor authentication to protect user accounts. Given today’s threat horizon, multifactor authentication is more of a must-have than an added extra and it would be nice if Microsoft supported tenants to use more multifactor authentication rather than putting barriers in the way.

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.