This article explains which Entra ID (formerly Azure AD) accounts are counted for licensing purposes and why.
For Red Canary Identity Protection MDR customers integrated with Entra ID, Red Canary periodically calls the getUsers endpoint on the Microsoft Graph API to count Identity Accounts in your environment. Microsoft Graph only returns users that exist in Entra ID, which doesn’t automatically include all users in an on-premises Active Directory environment. If Entra ID Connect is in use and users are being synchronized from the on-premises Active Directory to Entra ID, those accounts will exist in Entra ID and be discoverable by Red Canary.
A trust relationship between forests in an on-premises Active Directory solution does not guarantee that all users from all trusted forests will be synchronized to Entra ID. The Entra ID Connect configuration determines the scope of synchronization. Users from multiple forests will be visible in Entra ID Connect and discoverable by Red Canary if Entra ID Connect is configured to sync them.
When an organization has numerous domains within a forest or trusts with other forests and wants users from all of these domains and forests in Entra ID, Entra ID Connect must be configured to include these sources in its sync process.
To learn more about how Red Canary counts licenses, see MDR Identities Licensing: How licensing and usage are determined.