Aug 06, 2018 - 02:46 AM
We have some staff with both admin accounts and restricted accounts in our on-premise AD. If their admin accounts are federated / synchronised to Azure AD, they may have some admin rights within the O365 tenancy but they're not given any licences for cloud or on-premise applications (they shouldn't do production work like writing reports or even sending & receiving email with their admin accounts because of the security risks, so that's why they have the restricted accounts). If these staff need to launch Office 365 Pro Plus applications while logged on to a machine with their admin accounts, they manually sign in with their restricted account credentials instead of using the single sign-on / passthrough authentication.
My understanding is that because it's the same physical person, they can use a single user licence for both accounts - obviously if they have been granted multiple mailboxes, OneDrive areas etc. and those are what's being metered then they could be consuming more than one.
True service accounts usually aren't linked to a person; they're used autonomously and only for specific tasks, servers & products. We haven't had a requirement for that type of account to need access to O365 yet, but I imagine Microsoft would "prefer" they be allocated their own licence in much the same way that you're expected to give a network printer or scanner its own CAL if you license Windows Server on a per-device metric.