How Identity Licensing and Usage are Determined
    • 16 Jul 2024
    • 2 Minutes to read
    • PDF

    How Identity Licensing and Usage are Determined

    • PDF

    Article summary

    MDR Identities and MDR Email & Productivity Suites are scoped by Monitored Accounts. Monitored Accounts are counted as the median number of accounts (by email address) which exists in a calendar month, as calculated by sampling of accounts at least once per day. 

    An individual usually has more than one account across platforms and applications. 

    Example:

    • marvin.martian@acme.com

    • mmartian2023

    • marvin.martian 

    Each example above would count towards license utilization, for a total of three accounts.

    Additionally, Red Canary licensing includes service accounts as these identities have privileges which need to be monitored for security purposes.

    Viewing recent license usage

    The number of accounts observed is recorded on a monthly basis.

    1. From the Red Canary homepage, click your user icon, and then click License Usage.

    2. Review your monthly usage.

    3. To download a CSV of your License Usage, click View Data Table.

    4. Choose the month to download and click the icon.

    FAQ

    What happens if I exceed my license amount?

    When you exceed your license amount, Red Canary continues processing data received from all your accounts. We do not want an increase in usage to harm your security.

    Red Canary then reviews your usage every three months and audits your usage against your licensing at that time. If you had an overage, we calculate that overage and you can either increase your license amount (prorated for the remainder of your contract) or you can pay a one time overage fee. Increasing your license count is a good way to take advantage of volume discounts when available.

    How is usage calculated?

    License usage is measured based on the Monitored Accounts we see each month, which is the number of unique accounts (de-duplicated by email address) we observe in a calendar month.

    What if something doesn’t add up or seem right?

    Sometimes you encounter an edge case: you onboarded a new Identity provider at the end of the month, and the numbers don't look correct. To make it easier to identify those oddities, the download links let you obtain the data that you need to run these successfully.

    If something still doesn't look right, let us know and we'll get to the bottom of it.

    Counting Identity Accounts in Entra ID

    For Red Canary Identity Protection MDR customers integrated with Entra ID, Red Canary periodically calls the getUsers endpoint on the Microsoft Graph API to count Identity Accounts in your environment. Microsoft Graph will only return users that exist in Entra ID (which doesn’t automatically include all users in an on-premise Active Directory environment). Suppose Entra ID Connect is in use, and users are being synchronized from the on-premises Active Directory to Entra ID. In that case, those accounts will exist in Entra ID and be discoverable by Red Canary.

    A trust relationship between forests in an on-premises Active Directory solution does not automatically guarantee that all users from all trusted forests will be synchronized to Entra ID. Entra ID Connect configuration determines the scope of synchronization. Users from multiple forests will be visible in Entra ID Connect and discoverable by Red Canary if Entra ID Connect is enabled to sync them.

    When an organization has numerous domains within a forest or trusts with other forests and wants users from all of these domains and forests in Entra ID, Entra ID Connect must be configured to include these sources in its sync process.

    To learn more about how Red Canary counts licenses, see How licensing and usage are determined


    Was this article helpful?