Microsoft License Requirements for Cloud Capsule Assessments
Cloud Capsule relies on the Microsoft Graph API to pull security data from customer tenants, and the depth of that data depends on which Microsoft licenses are present. This article covers the recommended license tiers, how missing licenses affect assessment results, and how to resolve the AADSTS650052 error caused by a missing Defender service principal.
Cloud Capsule reads security data directly from your customer tenants via the Microsoft Graph API. The depth of data returned depends on the Microsoft licenses present in the customer tenant. This article explains what licenses are required, what happens without them, and how to resolve common license-related errors.
Recommended Licenses
For a full Cloud Capsule assessment, the customer tenant should have one of the following:
- Microsoft 365 Business Premium
- Microsoft 365 E3 or higher
- Microsoft Entra ID P1 or higher
These licenses ensure that Cloud Capsule can access the security data needed for a complete assessment, including authentication method reporting, Conditional Access policy data, and Defender-related signals.
What Happens Without the Right Licenses
If a customer tenant does not have qualifying licenses, Cloud Capsule will return limited assessment results. Some security controls will not have enough data to evaluate, and certain user and policy details may not be available.
Additionally, tenants on lower license tiers may be missing the Windows Defender service principal, which is required for the consent process to complete. Without it, you will see an AADSTS650052 error when attempting to connect the tenant.
Licenses that commonly do not include the Defender service principal:
- Exchange Online Plan 1
- Microsoft 365 Business Basic
- Microsoft 365 Business Standard
- Office 365 E3 / E5
Note: Having a Microsoft Entra ID P1 license assigned does not automatically provision the Defender service principal. If the tenant's base license does not include Defender, the service principal must be added manually even when Entra ID P1 is present.
Resolving the AADSTS650052 Error
If you see the following error when connecting a tenant, the Defender service principal is missing:
This tenant does not have the necessary Microsoft licenses to complete the assessment. (AADSTS650052)
This can be resolved by manually adding the Defender service principal to the tenant via PowerShell. This does not purchase or activate a Defender subscription. It only adds the service principal required for the consent process.
For full resolution steps, refer to the Tenant Onboarding and Access article.
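To see which condition applies before connecting a tenant, the following read-only check (an added example, not Cloud Capsule's tooling and not the steps from the Tenant Onboarding and Access article) uses the Microsoft Graph PowerShell SDK to report whether an Entra ID P1/P2 service plan is present and, separately, whether the Defender service principal exists. The parameter names and output fields are illustrative, and `DefenderAppId` is an assumption: supply the application ID given in the onboarding steps, since this page does not list it.

```powershell
# Added example: read-only pre-onboarding check. Requires the Microsoft.Graph
# PowerShell SDK and an account allowed to read the customer tenant's directory.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    # Assumption: application (client) ID of the Defender service principal,
    # taken from the Tenant Onboarding and Access article (not listed on this page).
    [Parameter(Mandatory)] [string] $DefenderAppId
)

# Read-only delegated scopes: licence inventory and service principal lookup.
Connect-MgGraph -TenantId $TenantId -Scopes 'Organization.Read.All', 'Application.Read.All'

# Service plan names Microsoft uses for Entra ID P1 and P2.
$entraPlans = 'AAD_PREMIUM', 'AAD_PREMIUM_P2'

# Only count subscriptions that are currently active in the tenant.
$skus = Get-MgSubscribedSku | Where-Object { $_.CapabilityStatus -eq 'Enabled' }

# True when any active subscription carries a provisioned P1/P2 service plan.
$hasEntraPremium = [bool]($skus.ServicePlans | Where-Object {
    $_.ServicePlanName -in $entraPlans -and $_.ProvisioningStatus -eq 'Success'
})

# The service principal is checked independently of licensing: an Entra ID P1
# plan can be present while the Defender service principal is still absent.
$defenderSp = Get-MgServicePrincipal -Filter "appId eq '$DefenderAppId'"

[pscustomobject]@{
    TenantId                 = $TenantId
    ActiveSkus               = ($skus.SkuPartNumber | Sort-Object) -join ', '
    EntraIdP1OrP2            = $hasEntraPremium
    DefenderServicePrincipal = [bool]$defenderSp
    # Per this article, a missing Defender service principal is what
    # produces AADSTS650052 during consent.
    ExpectConsentError       = -not [bool]$defenderSp
}
```

A result with `EntraIdP1OrP2` true and `DefenderServicePrincipal` false is the case described in the note above: the license is present, but the service principal still has to be added manually.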
Impact on Specific Features
| Feature | License Required |
|---|---|
| MFA registration report (precise MFA detection) | Entra ID P1 or P2 |
| Sign-in activity timestamps | Entra ID P1 or P2 |
| Conditional Access policy evaluation | Entra ID P1 or P2 |
| Core security assessment | Microsoft 365 Business Standard or equivalent |
| Defender-related signals | Microsoft 365 Business Premium, E3+, or manually provisioned Defender SP |
Frequently Asked Questions
The tenant has Entra ID P1 but is still showing a license error. Why?
Entra ID P1 covers authentication and Conditional Access data but does not automatically provision the Defender service principal. If the tenant's base license does not include Defender, you will still need to add the service principal manually using the PowerShell steps in the Tenant Onboarding and Access article.
We recently added the correct license but the error is still showing. What should we do?
License provisioning in Microsoft 365 can take time to propagate. If the error persists 24 hours after adding the license, the Defender service principal may still need to be provisioned manually. Follow the PowerShell steps in the Tenant Onboarding and Access article.
Will limited licenses affect the tenant's Secure Score?
Yes. Controls that cannot be evaluated due to missing license data will affect the completeness of the assessment. Upgrading to a qualifying license tier will allow Cloud Capsule to return a more complete picture of the tenant's security posture.
When to Contact Support
If you have confirmed the correct licenses are in place and are still seeing license-related errors, contact support with the following:
- The affected tenant domain or tenant ID
- The Microsoft licenses currently assigned in the tenant
- A screenshot of the error if available
Email: support@cloudcapsule.io
In-app: Navigate to Support and open a new ticket.