Merge pull request #89367 from rolyon/rolyon-iga-licensing

GitHubber17 · web-flow · commit 13212e8c40c2 · 2020-01-13T14:17:39.000-08:00
[Azure AD] [IGA] Updates to licensing for AR, ELM, and PIM
diff --git a/articles/active-directory/governance/access-reviews-overview.md b/articles/active-directory/governance/access-reviews-overview.md
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
 ms.subservice: compliance
-ms.date: 08/05/2019
+ms.date: 01/10/2020
 ms.author: ajburnle
 ms.reviewer: mwahl
 ms.collection: M365-identity-device-management
@@ -92,27 +92,34 @@ If you are ready to deploy access reviews in your organization, follow these ste
 
 [!INCLUDE [Azure AD Premium P2 license](../../../includes/active-directory-p2-license.md)]
 
-### Which users must have licenses?
+### How many licenses must you have?
 
-Each user who interacts with access reviews must have a paid Azure AD Premium P2 license. Examples include:
+Ensure that your directory has at least as many Azure AD Premium P2 licenses as you have employees that will be performing the following tasks:
 
-- Administrators who create an access review
+- Member and guest users who are assigned as reviewers
+- Member and guest users who perform a self-review
 - Group owners who perform an access review
-- Users assigned as reviewers
-- Users who perform a self-review
+- Application owners who perform an access review
 
-You can also ask guest users to review their own access. For each paid Azure AD Premium P2 license that you assign to one of your own organization's users, you can use Azure AD business-to-business (B2B) to invite up to five guest users under the External User Allowance. These guest users can also use Azure AD Premium P2 features. For more information, see [Azure AD B2B collaboration licensing guidance](../b2b/licensing-guidance.md).
+Azure AD Premium P2 licenses are **not** required for the following tasks:
 
-Here are some example scenarios to help you determine the number of licenses you must have.
+- No licenses are required for the users with the Global Administrator or User Administrator roles that set up access reviews, configure settings, or apply the decisions from the reviews.
 
-| Scenario | Calculation | Required number of licenses |
-| --- | --- | --- |
-| An administrator creates an access review of Group A with 500 users. Assigns 3 group owners as reviewers. | 1 license for the administrator + 3 licenses for each group owner as reviewers. | 4 |
-| An administrator creates an access review of Group A with 500 users. Makes it a self-review. | 1 license for the administrator + 500 licenses for each user as self-reviewers. | 501 |
-| An administrator creates an access review of Group B with 5 users and 25 guest users. Makes it a self-review. | 1 license for the administrator + 5 licenses for each user as self-reviewers.<br/>(guest users are covered in the required 1:5 ratio) | 6 |
-| An administrator creates an access review of Group C with 5 users and 108 guest users. Makes it a self-review. | 1 license for the administrator + 5 licenses for each user as self-reviewers + 16 additional licenses to cover all 108 guest users in the required 1:5 ratio.<br/>1+5=6 licenses, which cover 5\*6=30 guest users. For the remaining (108-5\*6)=78 guest users, 78/5=16 additional licenses are required. Thus in total, 6+16=22 licenses are required. | 22 |
+For each paid Azure AD Premium P2 license that you assign to one of your own organization's users, you can use Azure AD business-to-business (B2B) to invite up to five guest users under the External User Allowance. These guest users can also use Azure AD Premium P2 features. For more information, see [Azure AD B2B collaboration licensing guidance](../b2b/licensing-guidance.md).
+
+For more information about licenses, see [Assign or remove licenses using the Azure Active Directory portal](../fundamentals/license-users-groups.md).
+
+### Example license scenarios
 
-For information about how to assign licenses to your uses, see [Assign or remove licenses using the Azure Active Directory portal](../fundamentals/license-users-groups.md).
+Here are some example license scenarios to help you determine the number of licenses you must have.
+
+| Scenario | Calculation | Number of licenses |
+| --- | --- | --- |
+| An administrator creates an access review of Group A with 75 users and 1 group owner, and assigns the group owner as the reviewer. | 1 license for the group owner as reviewer | 1 |
+| An administrator creates an access review of Group B with 500 users and 3 group owners, and assigns the 3 group owners as reviewers. | 3 licenses for each group owner as reviewers | 3 |
+| An administrator creates an access review of Group B with 500 users. Makes it a self-review. | 500 licenses for each user as self-reviewers | 500 |
+| An administrator creates an access review of Group C with 50 member users and 25 guest users. Makes it a self-review. | 50 licenses for each user as self-reviewers.<br/>(guest users are covered in the required 1:5 ratio) | 50 |
+| An administrator creates an access review of Group D with 6 member users and 108 guest users. Makes it a self-review. | 6 licenses for each user as self-reviewers + 16 additional licenses to cover all 108 guest users in the required 1:5 ratio. 6 licenses, which cover 6\*5=30 guest users. For the remaining (108-6\*5)=78 guest users, 78/5=16 additional licenses are required. Thus in total, 6+16=22 licenses are required. | 22 |
 
 ## Next steps
 
diff --git a/articles/active-directory/governance/complete-access-review.md b/articles/active-directory/governance/complete-access-review.md
@@ -29,7 +29,7 @@ As an administrator, you [create an access review of groups or applications](cre
 - Azure AD Premium P2
 - Global administrator, User administrator, Security administrator, or Security reader
 
-For more information, see [Which users must have licenses?](access-reviews-overview.md#which-users-must-have-licenses).
+For more information, see [License requirements](access-reviews-overview.md#license-requirements).
 
 ## View an access review
 
diff --git a/articles/active-directory/governance/create-access-review.md b/articles/active-directory/governance/create-access-review.md
@@ -28,7 +28,7 @@ This article describes how to create one or more access reviews for group member
 - Azure AD Premium P2
 - Global administrator or User administrator
 
-For more information, see [Which users must have licenses?](access-reviews-overview.md#which-users-must-have-licenses).
+For more information, see [License requirements](access-reviews-overview.md#license-requirements).
 
 ## Create one or more access reviews
 
diff --git a/articles/active-directory/governance/entitlement-management-overview.md b/articles/active-directory/governance/entitlement-management-overview.md
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
 ms.subservice: compliance
-ms.date: 10/24/2019
+ms.date: 01/10/2020
 ms.author: ajburnle
 ms.reviewer: markwahl-msft
 ms.collection: M365-identity-device-management
@@ -132,17 +132,32 @@ To better understand entitlement management and its documentation, you can refer
 
 Specialized clouds, such as Azure Government, Azure Germany, and Azure China 21Vianet, are not currently available for use.
 
-### Which users must have licenses?
+### How many licenses must you have?
 
-Your tenant must have at least as many Azure AD Premium P2 licenses as you have member users active in entitlement management. Active member users in entitlement management include:
+Ensure that your directory has at least as many Azure AD Premium P2 licenses as you have employees that will be performing the following tasks:
 
-- A user that initiates or approves a request for an access package.
-- A user that has been assigned an access package.
-- A user that manages access packages.
+- Member users who **can** request an access package.
+- Member and guest users who request an access package.
+- Member and guest users who approve requests for an access package.
 
-As part of the licenses for member users, you can also allow a number of guest users to interact with entitlement management. For information about how to calculate the number of guest users you can include, see [Azure Active Directory B2B collaboration licensing guidance](../b2b/licensing-guidance.md).
+Azure AD Premium P2 licenses are **not** required for the following tasks:
 
-For information about how to assign licenses to your users, see [Assign or remove licenses using the Azure Active Directory portal](../fundamentals/license-users-groups.md). Note that entitlement management currently does not enforce license assignment for users.
+- No licenses are required for users with the Global Administrator role who set up the initial catalogs, access packages, and policies, and delegate administrative tasks to other users.
+- No licenses are required for users who have been delegated administrative tasks, such as catalog creator, catalog owner, and access package manager.
+- No licenses are required for guests who **can** request access packages, but do **not** request an access package.
+
+For each paid Azure AD Premium P2 license that you purchase for your member users (employees), you can use Azure AD B2B to invite up to 5 guest users. These guest users can also use Azure AD Premium P2 features. For more information, see [Azure AD B2B collaboration licensing guidance](../b2b/licensing-guidance.md).
+
+For more information about licenses, see [Assign or remove licenses using the Azure Active Directory portal](../fundamentals/license-users-groups.md).
+
+### Example license scenarios
+
+Here are some example license scenarios to help you determine the number of licenses you must have.
+
+| Scenario | Calculation | Number of licenses |
+| --- | --- | --- |
+| A Global Administrator at Woodgrove Bank creates initial catalogs and delegates administrative tasks to 6 other users. One of the policies specifies that **All employees** (2,000 employees) can request a specific set of access packages. 150 employees request the access packages. | 2,000 employees who **can** request the access packages | 2,000 |
+| A Global Administrator at Woodgrove Bank creates initial catalogs and delegates administrative tasks to 6 other users. One of the policies specifies that **All employees** (2,000 employees) can request a specific set of access packages. Another policy specifies that some users from **Users from partner Contoso** (guests) can request the same access packages subject to approval. Contoso has 30,000 users. 150 employees request the access packages and 10,500 users from Contoso request access. | 2,000 employees + 500 guest users from Contoso that exceed the 1:5 ratio (10,500 - (2,000 * 5)) | 2,500 |
 
 ## Next steps
 
diff --git a/articles/active-directory/governance/manage-guest-access-with-access-reviews.md b/articles/active-directory/governance/manage-guest-access-with-access-reviews.md
@@ -32,7 +32,7 @@ You also can easily ensure that guest users have appropriate access. You can ask
 
 - Azure AD Premium P2
 
-For more information, see [Which users must have licenses?](access-reviews-overview.md#which-users-must-have-licenses).
+For more information, [License requirements](access-reviews-overview.md#license-requirements).
 
 ## Create and perform an access review for guests
 
diff --git a/articles/active-directory/governance/manage-user-access-with-access-reviews.md b/articles/active-directory/governance/manage-user-access-with-access-reviews.md
@@ -29,7 +29,7 @@ With Azure Active Directory (Azure AD), you can easily ensure that users have ap
 
 - Azure AD Premium P2
 
-For more information, see [Which users must have licenses?](access-reviews-overview.md#which-users-must-have-licenses).
+For more information, see [License requirements](access-reviews-overview.md#license-requirements).
 
 ## Create and perform an access review
 
diff --git a/articles/active-directory/privileged-identity-management/subscription-requirements.md b/articles/active-directory/privileged-identity-management/subscription-requirements.md
@@ -13,7 +13,7 @@ ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
 ms.subservice: pim
-ms.date: 10/23/2019
+ms.date: 01/10/2020
 ms.author: curtand
 ms.custom: pim
 
@@ -24,30 +24,35 @@ ms.collection: M365-identity-device-management
 
 To use Azure Active Directory (Azure AD) Privileged Identity Management (PIM), a directory must have a valid license. Furthermore, licenses must be assigned to the administrators and relevant users. This article describes the license requirements to use Privileged Identity Management.
 
-## Prerequisites
+## Valid licenses
 
-To use Privileged Identity Management, your directory must have one of the following paid or trial licenses:
+[!INCLUDE [Azure AD Premium P2 license](../../../includes/active-directory-p2-license.md)]
 
-- Azure AD Premium P2
-- Enterprise Mobility + Security (EMS) E5
-- Microsoft 365 M5
+## How many licenses must you have?
 
-For more information, see [What is Azure Active Directory?](../fundamentals/active-directory-whatis.md).
+Ensure that your directory has at least as many Azure AD Premium P2 licenses as you have employees that will be performing the following tasks:
 
-## Which users must have licenses?
-
-Each administrator or user who interacts with or receives a benefit from Privileged Identity Management must have a license. Examples include:
-
-- Administrators with Azure AD roles managed using PIM
-- Administrators with Azure resource roles managed using PIM
-- Administrators assigned to the Privileged Role Administrator role
 - Users assigned as eligible to Azure AD roles managed using PIM
-- Users able to approve/reject requests in PIM
+- Users able to approve or reject activation requests in PIM
 - Users assigned to an Azure resource role with just-in-time or direct (time-based) assignments  
 - Users assigned to an access review
 - Users who perform access reviews
 
-For information about how to assign licenses to your uses, see [Assign or remove licenses using the Azure Active Directory portal](../fundamentals/license-users-groups.md).
+Azure AD Premium P2 licenses are **not** required for the following tasks:
+
+- No licenses are required for users with the Global Administrator or Privileged Role Administrator roles that set up PIM, configure policies, receive alerts, and set up access reviews.
+
+For more information about licenses, see [Assign or remove licenses using the Azure Active Directory portal](../fundamentals/license-users-groups.md).
+
+## Example license scenarios
+
+Here are some example license scenarios to help you determine the number of licenses you must have.
+
+| Scenario | Calculation | Number of licenses |
+| --- | --- | --- |
+| Woodgrove Bank has 10 administrators for different departments and 2 Global Administrators that configure and manage PIM. They make five administrators eligible. | Five licenses for the administrators who are eligible | 5 |
+| Graphic Design Institute has 25 administrators of which 14 are managed through PIM. Role activation requires approval and there are three different users in the organization who can approve activations. | 14 licenses for the eligible roles + three approvers | 17 |
+| Contoso has 50 administrators of which 42 are managed through PIM. Role activation requires approval and there are five different users in the organization who can approve activations. Contoso also does monthly reviews of users assigned to administrator roles and reviewers are the users’ managers of which six are not in administrator roles managed by PIM. | 42 licenses for the eligible roles + five approvers + six reviewers | 53 |
 
 ## What happens when a license expires?
 
