Azure P1



As far as I can see, P1/P2 licenses are assigned to users in a tenant. So if I assign a P1/P2 license to a single user in Azure AD, will the entire tenant become Premium? The below link talks of different retention periods for Premium tenants.

The three Azure Active Directory licenses are: Office 365 edition, P1, and P2. You may not even know you're using Azure AD; it runs in the background of Office 365 and Microsoft 365. It is the technology that manages the identities of all of your users, a.k.a. the thing that checks whether the credentials you wrote are correct or incorrect.


Users often create passwords that use common local words such as a school, sports team, or famous person. These passwords are easy to guess, and weak against dictionary-based attacks. To enforce strong passwords in your organization, Azure Active Directory (Azure AD) Password Protection provides a global and a custom banned password list. A password change request fails if there's a match in these banned password lists.

To protect your on-premises Active Directory Domain Services (AD DS) environment, you can install and configure Azure AD Password Protection to work with your on-prem DC. This article shows you how to enable Azure AD Password Protection for your on-premises environment.

For more information on how Azure AD Password Protection works in an on-premises environment, see How to enforce Azure AD Password Protection for Windows Server Active Directory.

Before you begin

This article shows you how to enable Azure AD Password Protection for your on-premises environment. Before you complete this article, install and register the Azure AD Password Protection proxy service and DC agents in your on-premises AD DS environment.

Enable on-premises password protection

  1. Sign in to the Azure portal and browse to Azure Active Directory > Security > Authentication methods > Password protection.

  2. Set the option for Enable password protection on Windows Server Active Directory to Yes.

    When this setting is set to No, all deployed Azure AD Password Protection DC agents go into a quiescent mode where all passwords are accepted as-is. No validation activities are performed, and audit events aren't generated.

  3. It's recommended to initially set the Mode to Audit. After you're comfortable with the feature and the impact on users in your organization, you can switch the Mode to Enforced. For more information, see the following section on modes of operation.

  4. When ready, select Save.

Modes of operation

When you enable on-premises Azure AD Password Protection, you can use either audit mode or enforce mode. We recommend that initial deployment and testing always start out in audit mode. Entries in the event log should then be monitored to anticipate whether any existing operational processes would be disturbed once Enforce mode is enabled.

Audit mode

Audit mode is intended as a way to run the software in a 'what if' mode. Each Azure AD Password Protection DC agent service evaluates an incoming password according to the currently active policy.

If the current policy is configured to be in audit mode, 'bad' passwords result in event log messages but are processed and updated. This behavior is the only difference between audit and enforce mode. All other operations run the same.
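One way to review an audit-mode rollout before switching to enforced mode, as an added example that is not part of the original article: it tallies the DC agent events recorded when a password was accepted but would have been rejected. The event IDs come from Microsoft's DC agent monitoring documentation rather than this page, and the record fields (`id`, `dc`, `user`) and sample data are a constructed, hypothetical export format.

```python
from collections import Counter

# DC agent event IDs logged in audit mode when a password was accepted but
# would have been rejected in enforced mode (per Microsoft's DC agent
# monitoring documentation, not this page). Value: (operation, reason).
AUDIT_ONLY = {
    30008: ("change", "custom banned list"),
    30007: ("set", "custom banned list"),
    30010: ("change", "global banned list"),
    30009: ("set", "global banned list"),
    30028: ("change", "custom + global lists"),
    30029: ("set", "custom + global lists"),
    30024: ("change", "contains user name"),
    30023: ("set", "contains user name"),
}

# Constructed sample export; the field names are a hypothetical schema.
SAMPLE_EVENTS = [
    {"id": 10014, "dc": "DC01", "user": "alice"},  # not audit-only, ignored
    {"id": 30008, "dc": "DC01", "user": "bob"},
    {"id": 30009, "dc": "DC02", "user": "svc-onboard"},
    {"id": 30009, "dc": "DC02", "user": "svc-onboard"},
    {"id": 30010, "dc": "DC01", "user": "carol"},
    {"id": 30023, "dc": "DC02", "user": "dave"},
]

def audit_summary(events):
    """Count passwords that audit mode accepted but enforced mode would reject."""
    by_reason, by_operation, by_user = Counter(), Counter(), Counter()
    for ev in events:
        hit = AUDIT_ONLY.get(int(ev["id"]))
        if hit is None:
            continue  # not an audit-only event
        operation, reason = hit
        by_reason[reason] += 1
        by_operation[operation] += 1
        by_user[ev["user"]] += 1
    return by_reason, by_operation, by_user

def repeat_accounts(events, threshold=2):
    """Accounts that repeatedly received a would-be-rejected password, e.g.
    because a provisioning process keeps setting the same weak default."""
    _, _, by_user = audit_summary(events)
    return sorted(u for u, n in by_user.items() if n >= threshold)

if __name__ == "__main__":
    reasons, operations, _ = audit_summary(SAMPLE_EVENTS)
    print(dict(reasons), dict(operations), repeat_accounts(SAMPLE_EVENTS))
```

A high count of "set" operations usually points at helpdesk resets or provisioning scripts, which are the operational processes most likely to break once the mode is switched to Enforced.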

Enforced mode

Enforced mode is intended as the final configuration. As in audit mode, each Azure AD Password Protection DC agent service evaluates incoming passwords according to the currently active policy. When enforced mode is enabled, though, a password that's considered insecure according to the policy is rejected.

When a password is rejected in enforced mode by the Azure AD Password Protection DC agent, an end user sees an error similar to the one they would see if their password was rejected by traditional on-premises password complexity enforcement. For example, a user might see the following traditional error message at the Windows logon or change password screen:

'Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.'

This message is only one example of several possible outcomes. The specific error message can vary depending on the actual software or scenario that is attempting to set an insecure password.

Affected end users may need to work with their IT staff to understand the new requirements and to choose secure passwords.

Note

Azure AD Password Protection has no control over the specific error message displayed by the client machine when a weak password is rejected.

Next steps

To customize the banned password list for your organization, see Configure the Azure AD Password Protection custom banned password list.

To monitor on-prem events, see Monitoring on-prem Azure AD Password Protection.


In this article, you learn about the data retention policies for the different activity reports in Azure Active Directory.


When does Azure AD start collecting data?

| Azure AD Edition | Collection Start |
|---|---|
| Azure AD Premium P1, Azure AD Premium P2 | When you sign up for a subscription |
| Azure AD Free | The first time you open the Azure Active Directory blade or use the reporting APIs |

When is the activity data available in the Azure portal?

  • Immediately - If you have already been working with reports in the Azure portal.
  • Within 2 hours - If you haven’t turned on reporting in the Azure portal.

How soon can I see activities data after getting a premium license?


If you already have activities data with your free license, then you can see it immediately on upgrade. If you don’t have any data, then it will take up to three days for the data to show up in the reports after you upgrade to a premium license.

When does Azure AD start collecting security signal data?

For security signals, the collection process starts when you opt-in to use the Identity Protection Center.

How long does Azure AD store the data?

Activity reports

| Report | Azure AD Free | Azure AD Premium P1 | Azure AD Premium P2 |
|---|---|---|---|
| Audit logs | 7 days | 30 days | 30 days |
| Sign-ins | 7 days | 30 days | 30 days |
| Azure AD MFA usage | 30 days | 30 days | 30 days |

You can retain the audit and sign-in activity data for longer than the default retention period outlined above by routing it to an Azure storage account using Azure Monitor. For more information, see Archive Azure AD logs to an Azure storage account.

Security signals


| Report | Azure AD Free | Azure AD Premium P1 | Azure AD Premium P2 |
|---|---|---|---|
| Users at risk | 7 days | 30 days | 90 days |
| Risky sign-ins | 7 days | 30 days | 90 days |


Can I see last month's data after getting an Azure AD premium license?


No, you can't. Azure stores up to seven days of activity data for a free version. This means that when you switch from a free to a premium version, you can only see up to 7 days of data.