Azure Active Directory & Office 365: Am I on the Right Plan?

Posted on 19 March 2019

When it comes to your Azure Active Directory and O365 subscription, you may be wondering if the plan you’re on is right for you. Amy Stokes-Waters explores how to find out.


If you’re an Office 365 user, you may be aware that your subscription also comes with Azure Active Directory, giving you the ability to leverage multi-factor authentication (MFA) to provide an extra layer of security for your data and apps. But are you aware that the version of Azure AD included with your O365 subscription might not be the right plan for your organisation after all?

The Story of Azure Active Directory

Let’s start with a bit of a history lesson. Azure Active Directory comes in five different flavours: Free, Basic, Plan 1, Plan 2 and O365 Apps. The latter was created in response to the 2016 Azure AD outage – prior to 2016, O365 users were given the Free version of AAD as standard, which came without SLAs for fixes.


When the outage hit EMEA and North America, users were left unable to log in to their O365 applications, as the system couldn’t authenticate their credentials. But, as you may have guessed, people without a paid version of a product naturally occupy the back of the queue for fixes. To placate O365 users following the backlash, Microsoft created the O365 Apps SKU for Azure AD which provides a few upgrades on the free version – most importantly an SLA for fix times if there is ever another issue.

History lesson over. Now let’s talk about the fun stuff – the big differences.

Single Sign-On

Single Sign-On (SSO) stops your users from having to remember multiple passwords. With the average business using over 1,000 apps (most of which aren’t authorised by IT – but that’s another conversation..!), a single user often has multiple usernames and passwords for their email client, HR system, CRM application, etc.


Whilst Azure AD for O365 Apps lets you leverage SSO for up to 10 cloud-based apps per user, with Azure AD P1 and P2 you can link in with over 3,500 applications natively to enable single sign-on facilities, meaning your users no longer have to remember 50 different passwords to log in to their applications. Winner, right?

Self-Serve Password Resets

I know what you’re thinking: what if the user forgets their password? I’m sure you know with Azure AD for O365 Apps, you can do self-serve password resets (SSPR). Excellent! Not so much when you realise it’s only cloud-based and doesn’t write back to your on-prem AD though. Back to two passwords? No thanks!


Azure AD Plan 1 and Plan 2 DOES write back to your on-prem AD, giving your workforce the ability to leverage full SSPR functionality. And with the right licence, you can even view reports on how often the functionality is being used, what admins are resetting their passwords frequently, and if there is any suspicious activity going on with password resets.

Multi-Factor Authentication

So now we’ve got one password to work with, we need to make sure it’s secure, right? This is where MFA and Conditional Access come in. If you’ve never used MFA before (I know you’re out there!), then essentially, the system is trying to ascertain that you are who you say you are. That means you’ll be asked for your credentials, and then you’ll be asked to authenticate these credentials via text message, phone call or the authenticator app (available in all good app stores).


With AAD for O365 Apps, you can leverage this functionality on your cloud apps. Brilliant! But what about the on premises applications you want to secure? Your HR system, billing platform, CRM solution, etc.? Azure AD Premium allows for MFA for cloud and on-premises solutions, even providing the capability to use MFA functionality from a third party if you want to authenticate with a non-Microsoft solution.

Conditional Access

 Now we have MFA, when do we want to prompt use of it? Using conditional access in Azure AD Premium, we can enforce MFA depending on a user’s group (e.g. are they an admin? Are they in a manager’s group? Do they have access to more sensitive information?) or their location.


Users can be set up to have a usual location within O365 (i.e. the office) and when a user tries to log in via Azure AD from an “unusual” location, the system can prompt an alternative method of authenticating their credentials. We can force the same prompts based on device health, or device status. If a user is attempting to login from a browser with a hidden IP or a personal device, then Azure AD can force MFA.


If all of this sounds a little too complicated and you don’t want to have to be constantly tweaking condition to suit the latest attack vector, then guess what?! You can lean on Microsoft instead and allow them to react to the threats with Risk Based Conditional Access, feeding data directly from Microsoft’s Machine Learning / AI & security metaverse, the Intelligent Security Graph.

Using the Premium P2 licence, dependent on the user risk and the session risk, we can force not only MFA prompts but also password resets, and we can even block access where the risk is deemed too high. Obviously, there is a fine line that we must tread between keeping our data secure and keeping our users productive, so use the policies carefully!

How Do I Choose the Right Azure Active Directory Plan?

It’s simple: Azure Active Directory Premium is the sensible way to go!

If you need any more convincing, then please drop me a line:!

And if you want to see for yourself a more in-depth comparison, check out Microsoft’s Azure price comparison tool.


A few people we've already done it for