Overview 💥
Certain Liongard Microsoft 365 Actionable Alerts depend on Microsoft Entra ID (formerly Azure Active Directory) Premium P1 or P2 licensing. These alerts query Microsoft Graph API endpoints that are only accessible when the required Entra ID licenses are correctly assigned to users being evaluated.
If the appropriate licenses are not assigned, Liongard cannot retrieve the underlying identity or security data, and the affected alerts will not evaluate or trigger, even if the tenant otherwise appears healthy.
Why Do These Alerts Require Entra ID P1 or P2? 🧐
Microsoft restricts access to advanced identity, authentication, and security telemetry—such as Conditional Access changes, sign-in risk, MFA posture, and privileged role activity—behind Entra ID Premium licensing.
Important considerations:
Entra ID licensing is user-scoped, not tenant-scoped
The required P1 or P2 license must be assigned to each user you want Liongard to monitor
Simply having P1 or P2 licenses available in the tenant is not sufficient for most identity-related APIs
⚠️ This behavior differs from some Microsoft services (for example, Exchange Online), where tenant-level license presence can enable API access. Entra ID Premium features generally require active license assignment per user.
Alerts and Licensing Requirements 🧑🏫
The following table lists Microsoft 365 Actionable Alerts that require Entra ID Premium licensing and specifies the minimum license required for each alert to function.
✅ Entra ID Premium P1 Required:
Actionable Alert | License Required |
Azure Active Directory | Change to Conditional Access Policy State | Entra ID Premium P1 |
Azure Active Directory | Conditional Access Policies List Modified | Entra ID Premium P1 |
Azure Active Directory | Enabled Administrative Roles List Modified | Entra ID Premium P1 |
Azure Active Directory | Assigned App Policies Modified | Entra ID Premium P1 |
Azure Active Directory | Active Guest User List Modified | Entra ID Premium P1 |
Microsoft 365 | Hours Since Last Directory Sync ≥ 24 | Entra ID Premium P1 |
Azure Active Directory | Changes to Managed App Policies Assignment | Entra ID Premium P1 |
Azure Active Directory | Application Sign-in Success Has Dropped Below 60% | Entra ID Premium P1 |
Microsoft 365 | Change to Directory Sync Enablement | Entra ID Premium P1 |
✅ Entra ID Premium P2 Required:
Actionable Alert | License Required |
Azure Active Directory | Medium-Level At-Risk User Identified | Entra ID Premium P2 |
Azure Active Directory | High-Level At-Risk User Identified | Entra ID Premium P2 |
Microsoft 365 | Users with Risk Policy Disabled | Entra ID Premium P2 |
Microsoft 365 | Change to Privileged Users | Entra ID Premium P2 |
Microsoft 365 | Exposure to Suspicious Sign-Ins | Entra ID Premium P2 |
Microsoft 365 | Exposure to User Account(s) Due to Lack of Strong Authentication | Entra ID Premium P2 |
Microsoft 365 | Exposure to Account(s) With Weak Password | Entra ID Premium P2 |
Microsoft 365 | Serious Exposure to Privileged Account(s) Due to Overuse | Entra ID Premium P2 |
Microsoft 365 | Exposure to Privileged Account(s) Due to Lack of Strong Authentication | Entra ID Premium P2 |
Included Licensing with Microsoft 365 Plans 🚀
Many organizations already have the required Entra ID licensing through bundled Microsoft 365 plans.
Microsoft License Plan | Included Entra ID Capability |
Microsoft 365 E3 | Entra ID Premium P1 |
Microsoft 365 E5 | Entra ID Premium P2 |
Standalone Entra ID P1 | Entra ID Premium P1 |
Standalone Entra ID P2 | Entra ID Premium P2 |
✅ If users are licensed with Microsoft 365 E3 or E5, no additional Entra ID licenses are required for these alerts.
Why Alerts May Not Trigger? 🧐
An Actionable Alert may fail to trigger if:
The required Entra ID license is not assigned to the affected user.
Licensing was recently changed and Microsoft propagation is still in progress.
The alert relies on Microsoft Graph endpoints restricted to P1 or P2 features.
Without access to these endpoints, Liongard cannot evaluate the alert condition.
Steps to Resolve Missing or Non-Triggering Alerts 👨💻
Identify which Actionable Alert is not triggering
Determine whether the alert requires P1 or P2 licensing
In the Microsoft Entra admin center:
Navigate to Users
Select the affected user(s)
Confirm the required Entra ID license is assigned
Allow time for Microsoft license propagation (typically several minutes)
Re-run the relevant Liongard inspector
Once licensing is correctly assigned, alerts will begin evaluating automatically.
When Should You Contact Support? 🦁
Contact Liongard Support if:
Required licenses are assigned but alerts still do not trigger.
Only a subset of licensed users appear in alert results.
Providing confirmation of user-level license assignment (not just tenant licensing) will help accelerate troubleshooting.
Important Notes & Disclaimers ‼️
Liongard cannot bypass Microsoft licensing restrictions.
Actionable Alerts relying on restricted Microsoft Graph APIs will not function without proper licensing.
Licensing behavior and API availability are controlled entirely by Microsoft and may change over time.
For more details on Microsoft 365 licensing requirements, please refer to the Microsoft Entra Licensing Documentation.
Note : We may reference external third-party resources solely as additional guidance. Liongard does not own, control, or guarantee the accuracy, security, or reliability of third-party sites. Please use them at your own discretion and risk.