A recent blog post by Kaitlin Murphy at Microsoft explained Microsoft Entra license entitlements when a single user has identities in multiple Microsoft Entra tenants; that post can be read here. Unfortunately, it still left some ambiguity around what a user is actually entitled to under Microsoft Entra ID Premium in multi-tenant scenarios, and when, leaving a lot of people without answers to their own questions. In this post, I will aim to explain in layman's terms how the one-person, one-license philosophy works and cover common scenarios where it can be utilised.
One-person, one Microsoft Entra license
The philosophy of ‘one person, one license’ for Microsoft Entra essentially means that if your organisation owns multiple Microsoft Entra tenants and a person in your organisation has an account in more than one of them, then you only need to purchase one license for Microsoft Entra ID and Microsoft Entra ID Governance, in their primary tenant.
However, be very clear that this entitlement only covers Microsoft Entra ID and Microsoft Entra ID Governance, not any other licensed feature, such as your productivity services. For example, your organisation may own two tenants. In tenant 1 your user is assigned a Microsoft 365 E3 license, which entitles them to Microsoft Entra ID Plan 1 as well as other Office 365, Intune and Windows features. If that same person has a user account in tenant 2, they are already entitled to Microsoft Entra ID Plan 1 there and do not need to be assigned a license for those Entra features.
Do I need at least 1 Microsoft Entra license in my second tenant?
In most cases, a user who has an identity in a second tenant (in addition to their primary tenant, where their productivity licenses reside) is likely to require only premium Microsoft Entra ID features in that second tenant. If this is the case for all users in the second tenant, that tenant will contain no Microsoft Entra premium licenses at all, and none of the premium features will actually be available in it. In this scenario, you must purchase at least 1 Microsoft Entra Premium license in your second tenant.
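Because the premium features only light up when the second tenant holds at least one enabled Entra Premium SKU, it is worth auditing each secondary tenant for exactly that. The following is an added example, not code from the original post or from Microsoft: it evaluates the shape of a Microsoft Graph `GET /v1.0/subscribedSkus` response and reports whether any Entra ID P1 or P2 service plan is backed by enabled units. The two payloads are constructed samples, not captured from a real tenant; the tenant names are placeholders; and the only real identifiers used are the `AAD_PREMIUM` and `AAD_PREMIUM_P2` service plan names that Graph exposes.

```python
import json

# Real Microsoft Graph servicePlanName values for the two Entra ID Premium tiers.
ENTRA_PREMIUM_PLANS = {
    "AAD_PREMIUM": "Microsoft Entra ID P1",
    "AAD_PREMIUM_P2": "Microsoft Entra ID P2",
}

# Constructed sample payloads shaped like GET https://graph.microsoft.com/v1.0/subscribedSkus
# (only the fields this check reads). Not captured from a real tenant.
SECOND_TENANT_WITH_P2 = json.dumps({"value": [
    {"skuPartNumber": "AAD_PREMIUM_P2", "capabilityStatus": "Enabled",
     "prepaidUnits": {"enabled": 1, "suspended": 0, "warning": 0},
     "consumedUnits": 1,
     "servicePlans": [
         {"servicePlanName": "AAD_PREMIUM", "provisioningStatus": "Success"},
         {"servicePlanName": "AAD_PREMIUM_P2", "provisioningStatus": "Success"},
     ]},
    {"skuPartNumber": "FLOW_FREE", "capabilityStatus": "Enabled",
     "prepaidUnits": {"enabled": 10000, "suspended": 0, "warning": 0},
     "consumedUnits": 3,
     "servicePlans": [{"servicePlanName": "FLOW_P2_VIRAL", "provisioningStatus": "Success"}]},
]})

# A second tenant whose only premium SKU has lapsed: zero enabled units and status Suspended.
SECOND_TENANT_WITHOUT = json.dumps({"value": [
    {"skuPartNumber": "AAD_PREMIUM", "capabilityStatus": "Suspended",
     "prepaidUnits": {"enabled": 0, "suspended": 1, "warning": 0},
     "consumedUnits": 0,
     "servicePlans": [{"servicePlanName": "AAD_PREMIUM", "provisioningStatus": "Disabled"}]},
]})


def entra_premium_plans(subscribed_skus_json):
    """Map each Entra Premium service plan found in the tenant to its enabled (prepaid) unit count.

    Only SKUs whose capabilityStatus is Enabled are counted; a plan that appears in
    several SKUs accumulates their units, so a value of 0 means 'present but unusable'.
    """
    data = json.loads(subscribed_skus_json)
    found = {}
    for sku in data.get("value", []):
        if sku.get("capabilityStatus") != "Enabled":
            continue
        enabled_units = int(sku.get("prepaidUnits", {}).get("enabled", 0))
        for plan in sku.get("servicePlans", []):
            name = plan.get("servicePlanName")
            if name in ENTRA_PREMIUM_PLANS:
                found[name] = found.get(name, 0) + enabled_units
    return found


def tenant_has_entra_premium(subscribed_skus_json):
    """True when at least one Entra Premium plan is backed by one or more enabled units."""
    return any(units > 0 for units in entra_premium_plans(subscribed_skus_json).values())


def describe(tenant_name, subscribed_skus_json):
    """One audit line per tenant, suitable for a periodic licensing report."""
    plans = entra_premium_plans(subscribed_skus_json)
    if tenant_has_entra_premium(subscribed_skus_json):
        tiers = ", ".join(f"{ENTRA_PREMIUM_PLANS[p]} ({u} unit(s))" for p, u in sorted(plans.items()))
        return f"{tenant_name}: premium features available via {tiers}"
    return f"{tenant_name}: NO enabled Entra Premium SKU; premium features will not be available"


if __name__ == "__main__":
    # Placeholder tenant names; in practice the JSON comes from Graph with a suitably scoped token.
    print(describe("contoso-dev", SECOND_TENANT_WITH_P2))
    print(describe("contoso-partner", SECOND_TENANT_WITHOUT))
```

The check deliberately ignores `consumedUnits`: under the one-person, one-license model the single purchased unit may be assigned to one account or left unassigned, and either way the tenant-wide features are unlocked once an enabled unit exists.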
Does there need to be synchronisation between tenants?
In a Microsoft world, the use of the term multi-tenant organisation usually makes people assume that either MTO or tenant-to-tenant synchronisation features must be enabled to support this entitlement. In reality, no synchronisation is needed to make use of these benefits.
Scenario: You are a service provider and have dedicated accounts in your customers' tenants that need a premium license
If you provide managed services to customers and this necessitates that your staff have dedicated user accounts in their tenant, then your staff are not entitled to Microsoft Entra premium licensing in your customer’s tenant. In this scenario, because you as the MSP do not own the customer’s tenant, the license entitlement does not apply, so additional licenses for these accounts must be purchased.
Scenario: You are a service provider and have guest accounts in your customers' tenants that need a premium license
If you provide managed services to customers and this necessitates that your staff have guest accounts in their tenant, then your staff are not entitled to Microsoft Entra ID premium licensing in your customer’s tenant. Microsoft External ID for business guests is based on monthly active users and is currently free for up to 50,000 guest users. However, in this scenario your requirement is likely around the use of Microsoft Entra ID Governance features for your business guest accounts (from the perspective of the customer’s tenants). While these features are currently free during their preview stage, there will eventually be a cost associated with them. More info on External ID premium feature pricing can be found here.
Scenario: You are a CSP and operate a tenant for day-to-day work and a partner tenant for CSP operations
If you are part of the Microsoft Cloud Solution Provider program, regardless of the CSP model you adhere to, i.e. whether you procure client licenses directly through Microsoft (direct-bill model) or re-sell licenses from another reseller (indirect model), you will likely have a separate partner tenant (as per Microsoft best practice) in which you claim your CSP benefits and from which you access customer environments via GDAP or Lighthouse.
It is also likely that in your partner tenant there is no need for any productivity licenses and you only need to utilise premium Microsoft Entra ID features for security, governance and control. In this scenario, as there are likely no supporting licenses that include Microsoft Entra ID Premium, a single Microsoft Entra ID Premium license should be purchased. Every user with a supporting license in your primary tenant is then entitled to use the Microsoft Entra ID premium features in the partner tenant.
Scenario: You are an organisation that operates multiple Microsoft tenants
For enterprise organisations (or organisations of any size) that operate multiple Microsoft tenants: if users in your primary tenant are assigned licenses with Microsoft Entra ID premium features, then they will always be entitled to Microsoft Entra ID premium in the additional tenants. For example, enterprise organisations may have a second tenant which they use as a development environment, so they can test changes before implementing them in production. In another example, your organisation may be developing an application that facilitates external users’ access through Microsoft Entra; as this would likely be done through a dedicated tenant, your users will be entitled to Microsoft Entra ID premium in that tenant.