As a CSP, can we use the first 50,000 MAU with guest accounts for managing our customers?

JND 20 Reputation points
2024-11-22T20:28:14.9533333+00:00

Hi,

As a CSP, we have an Azure management tenant where all our support/admin engineers have a local account. We would like to implement this scenario:

  • The management tenant hosts the local accounts of admins with P2 licences for each one
  • We use the Identity Governance feature PIM for managing this management tenant and requesting high privileges
  • For managing all our customers we have guest accounts for connecting to their tenant
    • Local accounts of all admins in the Management tenant, invited in each customer tenant for managing them with the guest account resulting from the invitation
  • In the customer tenant we would also like to use PIM for requesting high privileges with our guest accounts (guest accounts linked to our management tenant, with accounts already having P2 licences)

The guest account will be used for managing the customer tenant: managing customer users/groups, managing RBAC, creation/deletion/change of Azure resources (RG, VNet, Storage account...), and everything based on customer needs/requests.

The questions are the following:

  • Since we have P2 licences in our Management tenant for all admins, can the guest accounts of the same account in the customer tenant use PIM without any additional cost, as described here for the first 50,000 MAU: https://azure.microsoft.com/en-gb/pricing/details/active-directory-b2c/
  • Or does the first 50,000 MAU only apply to B2C Identity for application authentication?
  • I guess there is just one P2 licence to buy for the customer tenant, only if the only accounts using PIM are our guest accounts (already having the P2 licence in the management tenant)? Is this correct?
  • Do we have something to configure on our tenant or in the customer tenant for enabling the usage of the MAU and being compliant regarding the licensing? Any configuration in the Azure portal of the management tenant or the customers?
  • Does it make any difference for licensing purposes if the guest account is created manually, by PowerShell script or by the Cross tenant sync?

For information: The confusing part is the several terms used by Microsoft for describing the type of account to which it applies: B2B account, B2C account, External account, Guest account...

Thanks,

JND.


Accepted answer
  1. Goutam Pratti 1,310 Reputation points Microsoft Vendor
    2024-11-26T14:57:55.98+00:00

    Hello @JND ,

    Thank you for reaching out to Microsoft Q&A.

    Based on your questions, I have provided the answers as follows:

    1. Yes, since you have P2 licenses in your management tenant for all admins, the guest accounts of the same account in the customer tenant can use PIM without any additional cost as per the documentation: https://azure.microsoft.com/en-gb/pricing/details/active-directory-b2c/
    2. The first 50,000 MAUs apply not only to B2C Identity for application authentication but to the entire B2C tenant.
    3. It is correct to purchase a P2 license for the customer tenant only if the accounts using PIM are guest accounts that already have a P2 license in the management tenant.
    4. There is no specific configuration required in the Azure portal to enable the use of MAU for licensing purposes in this scenario.
    5. For licensing purposes, it does not matter whether the guest account is created manually, via a PowerShell script, or through cross-tenant synchronization.

    For your confusion part you can check the documentation: B2B Users, B2C Users, External or Guest Account

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    Regards,
    Goutam Pratti.

