There is a scenario which came up recently, and, with the usual disclaimer that you may want to run any licensing suggestion by Microsoft, here is where this landed (the credit for those explanations goes to those who provided them)
Let’s say you were using Power Pages, or, perhaps, you were using a custom web portal which would be connecting to Dataverse through web api using an application service account.
You would definitely need to have licenses for your internal users to give them access to that environment internally so they’d be able to user Canvas and/or Model-Driven applications, and, perhaps, so they’d be able to use restricted tables if and when needed:
And, of course, you’d need to make sure they are licensed for one of those first-party applications if that’s what they’d need access to (even if only to access those restricted tables).
Just as a side note, there is an interesting exception related to the usage of the case table in the employee self-service and/or case creation on behalf of customers:
This exception does not apply to the other tables, though, so, in that sense, do not attempt to extend it to the other restricted tables you may be using in the solution.
However, that’s not what I really wanted to talk about – let’s get back to the Power Pages / custom portals.
What if an organization had a portal where external clients would be able to book some training courses, and what if an of employee of that organization showed up there to book a course for themselves?
Interestingly enough, this might not require a license for that employee (unless, of course, the same employee needs to be able to do employee-specific work in the same environment). Which makes sense when an employee is acting as a client, since how would you even know reliably that’s an employee, right?
There is a caveat, though. If that employee used Azure AD to authenticate into the Power Pages / Portal, this situation would become different, since, in that case, you would definitely know. And I’d think this is where, ultimately, the intent would matter, so the outcome would still be the same, but, it seems, that Azure AD scenario may require your employee to be licensed even when acting as a client on the portal side. And the end result? Either turn off Azure AD when your employees are going to use the portal in the client capacity, or license such employees for Power Apps / D365 properly… At the very least, talk to Microsoft to make sure this is not going to be a licensing issue if you keep Azure AD authentication enabled there without assigning a license to the employees who’d be using Azure AD for portal authentication.