Entra ID P1 vs. P2: How to choose the right plan?

Entra ID, Microsoft's identity and access management solution, offers different licensing options to meet the security and management needs of users in business environments. Among these, the P1 and P2 plans stand out for their price, features, and functionality. In this article, we explore the main differences between Entra ID P1 and P2, analyzing the features, advantages and situations in which each version may be the best choice.


Entra ID P1 vs. P2: a brief introduction

Due to the constant increase in cyber threats and breaches by malicious agents, the management of digital identities is becoming an increasingly pressing issue within the contemporary technological landscape.

Many organizations rely on Microsoft to meet their Identity and Access Management (IAM) needs, with Microsoft Entra ID being a popular tool for managing user identities, simplifying login, and improving security in digital environments. However, with different licensing options available, understanding what features are included and how to maximize their use can be complicated.

The good news is that you don't need to have a license to start using Microsoft Entra ID. When you create a Microsoft tenant, you get free access to the basic functionality of Entra ID Free. However, for organizations looking for advanced functionality, Microsoft offers P1 and P2 licenses, which unlock additional features.

In addition, the Microsoft Entra Suite provides a unified solution with advanced security, governance, and identity management capabilities. So let's look at each available license model to find out what it offers.


What is Microsoft Entra ID

But what exactly is Entra ID and how does it work? Let's take a moment to introduce it.

Entra ID is a cloud-based identity and access management service, consisting of a database (directory) that stores user information and access permissions and offers a series of services that facilitate authentication and authorization to the tenant, ensuring that end users can securely access only the IT resources for which they have permission.

With these capabilities, the platform aims to become a central pillar of identity and access management strategy for modern companies that want to strengthen their security protocols in an increasingly digitized world, where data is now practically worth its weight in gold.

Entra ID provides IT administrators with powerful identity protection tools. Advanced machine learning algorithms proactively detect identity-based threats, allowing for rapid responses to mitigate risks. Access governance requirements are also easily met, ensuring consistent application of policies and adherence to security protocols.

The Identity Protection Score provides Admins with an overall assessment of the security state of identities within the organization and can be used to identify areas for improvement and implement the most effective security measures. Administrators can also configure the generation of Access Reviews, setting specific review criteria that reduce the risk of unauthorized or excessive access. This tool is especially useful in dynamic environments where user roles and access needs change frequently.

The platform gives administrators extensive control over access to applications and resources, and simplifies user provisioning by integrating Windows Server Active Directory (which is distinct from Azure AD) with cloud applications, such as those of the Microsoft 365 digital workplace.

For application developers, Entra ID works as a standards-based authentication provider, making it easy to add single sign-on (SSO) functionality to applications. The effectiveness of this solution lies in its compatibility with existing user credentials, which reduces friction during the authentication process.

In addition, developers can harness the power of the Microsoft Entra ID APIs to provide access to corporate organizational data and thus have the ability to customize applications and align them with the unique needs of company users.

At the heart of Microsoft Entra ID is, as we have already seen above, the management of user identities. This includes creating and managing user profiles, authenticating users, and controlling access to resources. Identities can be managed not only for users within the organization but also for external users, such as partners or customers through B2B (Business-to-Business) and B2C (Business-to-Client) identification functions.

Microsoft Entra ID features

Access management features are enriched by the ability to define role-based access policies (RBAC), which allow organizations to authorize and manage user access to resources based on their roles within the organization and by conditional access policies (which we will see in detail below) that allow dynamic security policies to be applied based on the context of the access, such as the user's location or the device used.

Entra ID supports a variety of authentication methods, including multifactor authentication (MFA), a security measure that requires more than one form of identity verification to grant access to a system, application, or data. It adds a layer of protection on top of the traditional password before granting access to sensitive resources.

As the adoption of cloud services increases, MFA offers additional protection against unauthorized access to these environments, which are often accessible from anywhere, and significantly reduces the risk of unauthorized access because it requires more than one verification method. So even if an attacker were able to obtain a user's password through phishing attacks or other techniques, they won't have access to the additional factors required by the MFA.

Integration with Microsoft Authenticator and other MFA services gives tenants a wide variety of verification options: app-based prompts, SMS messages sent to the user's personal or business number, or voice calls.

The service provides functionality dedicated to the implementation of conditional access strategies and allows organizations to implement security policies that are automatically activated based on certain conditions. For example, a policy might require MFA authentication only when a login is attempted from an unknown geographic location or a non-compliant device.

The integration of artificial intelligence into conditional access functions makes it possible to analyze user behavior patterns and assess risk in real time, dynamically adapting access policies. If a user attempts to log in from an unusual location or with atypical behavior, Entra ID may request additional verification or temporarily block access.

Entra ID also supports a wide range of applications, both cloud-based and on-premise, integrating them into its SSO (Single Sign On) authentication system. This includes Microsoft applications such as Office 365 and Azure, as well as many other SaaS (Software as a Service) and legacy applications. The platform uses open standards such as SAML (Security Assertion Markup Language), OAuth (Open Authorization), and OpenID Connect for identity federation and SSO authentication. This allows easy integration even with third-party applications that support these standards.

Finally, among the most advanced features of Entra ID, we cannot fail to mention the PIM (acronym for Privileged Identity Management). PIM allows organizations to comprehensively manage accounts with elevated privileges, such as system administrators, critical service accounts, and other roles that have privileged access to sensitive resources.

In addition, all the activities of the accounts with elevated privileges are recorded and monitored, allowing you to see who gained access, when and for how long, as well as the actions taken during the login.

Entra ID Licensing: comparing licensing plans

Now that we have concluded this small introductory overview of Entra ID, it is time to discuss the main topic of this article, namely the licensing plans made available for the service.

Microsoft Entra ID Free

Entra ID Free is a great place to start, offering essential identity management features. However, for organizations with more complex IAM needs or a need for greater customization, it may not be suitable for large scale implementations.

Among the features offered by the free plan, we can find:

  • Cloud authentication: supports pass-through authentication or the synchronization of password hashes, allowing users to log in with their existing credentials.
  • Users and groups: basic user management for static groups and rule assignments.
  • Multi-Factor Authentication: MFA and related policies can only be enabled or disabled at the tenant level, without more granular controls.
  • Self-service password reset (SSPR): available only to cloud users.
  • Single Sign-On: Unlimited SSO, but with limited functionality for publishing or integrating certain applications.
  • Federated authentication: supports federation with Active Directory Federation Services (AD FS) or third-party identity providers.

Microsoft Entra ID P1 License

P1 builds on the free tier by adding advanced automation and management capabilities, making it a solid choice for organizations that need more control. The P1 license is included with Microsoft 365 F1, Microsoft 365 E3, Office 365 E3, EMS E3, and Microsoft 365 Business Premium.

If you have one of these licenses, you already have access to the features listed below:

  • Users and groups: P1 introduces dynamic groups and assignments for applications and conditional access, automating user management without manual intervention.
  • Multi-Factor Authentication (MFA): P1 allows group-based MFA, offering greater flexibility in assigning different MFA options to specific users or departments.
  • Self-service password reset (SSPR): extends SSPR to on-premises users, allowing password reset policies to be applied to specific groups or users both in the cloud and in on-premises environments.
  • Single Sign-On (SSO): adds support for publishing on-premises applications, providing seamless access through a unified SSO experience.
  • Health monitoring: monitors performance metrics for Active Directory Federation Services (AD FS) and Active Directory Domain Services (AD DS). It provides real-time alerts on system health issues and synchronization.
  • Synchronization between tenants: synchronizes cloud tenants, ensuring consistent security rules and policies across multiple environments.
  • Managing the duration of the session: You can control how long users stay logged in by setting token expiration limits, improving security for high-risk applications.
  • Conditional access engine: unlocks all conditional access options, allowing for more granular security policies based on user identity, device status, and location.

Microsoft Entra ID P2 License

Entra ID P2 adds advanced security and identity management capabilities, ideal for organizations that need real-time risk monitoring and in-depth protection. The P2 license is included with other subscriptions such as Microsoft 365 E5, Office 365 E5, Enterprise Mobility + Security (EMS) E5, Microsoft 365 E5 Security, and Microsoft 365 A5.

Among the main features offered by the P2 license we can find:

  • Access risk: monitors access activities in real time to detect anomalies and act based on risk levels.
  • User risk: continuously scans sign-in signals and automatically alerts administrators in case of compromised credentials.
  • Device and application filters: offers advanced conditional access options, applying detailed filters for devices, applications and users.
  • Token protection: ensures that the tokens are used exclusively on the devices for which they were issued.
  • Managing basic permissions: includes multilevel approval workflows and role-based access controls.
  • Self-service authorization management: allows employees to manage access requests through the My Access portal.

Microsoft Entra Suite

The Microsoft Entra Suite offers a complete solution for managing secure access, verifying identities and implementing Zero Trust security in both cloud and on-premises environments. It integrates five key features—Private Access, Internet Access, ID Protection, ID Governance, and Face Check in Verified ID Premium—into a unified platform.

With these tools, organizations can simplify identity management processes, protect network traffic, verify user identities without interruption, and much more.

To access the Entra Suite, you need a subscription to Microsoft Entra ID P1 or a package that includes P1. Special pricing is available for Microsoft Entra ID P2 and Microsoft 365 E5 customers.

The main components of the Entra Suite are listed below:

  • Microsoft Entra Private Access: provides Zero Trust Network Access (ZTNA) for on-premises applications without the need for code changes. Assess risks in real time with Conditional Access using identity, device, and application signals, adding network protections to block lateral attacks, reduce excessive permissions, and replace legacy VPNs.
  • Microsoft Entra Internet Access: protects against unsafe content with cloud security controls and web content filtering. It currently supports domain-based filtering, but improvements such as TLS termination are expected. A key benefit is that traffic passes through Microsoft's global network, reducing the risk of man-in-the-middle physical attacks. It uses Conditional Access to evaluate identity, device, location and risk signals in real time and integrates with ID Protection and ID Governance.
  • Microsoft Entra ID Protection: uses machine learning to detect access risks and apply Conditional Access to block or allow access based on risk. It integrates risk-based MFA and token protection, supporting hybrid environments with on-premises Active Directory.
  • Microsoft Entra ID Governance: automates identity lifecycle management, ensuring the correct duration of accesses and preventing excessive authorizations. It supports the automation of workflows for provisioning, delegation to business groups, and managing workflows for new hires, transfers, and exits.
  • Face Check with Verified ID: a decentralized solution for verifying credentials, which works with ID Protection and ID Governance to simplify onboarding. This functionality is part of the Microsoft Entra Verified ID platform. It uses the Authenticator app and the device's camera for real-time verification with movement of government-issued IDs.

Let's conclude this section with a short summary table for those who just want to know which paid license plan offers what:

Entra ID Licensing: features included in key plans

| Feature | P1 | P2 | Entra Suite |
|---|---|---|---|
| Conditional Access | Included | Included | Included |
| Role-Based Access Control (RBAC) | Included | Included | Included |
| Advanced Group Management | Included | Included | Included |
| Multi-Factor Authentication (MFA) | Included | Included | Included |
| Passwordless Authentication | Not included | Included | Included |
| Privileged Identity Management (PIM) | Not included | Included | Included |
| Access to SaaS Applications | Included | Included | Included |
| External Identities Management (B2B) | Included | Included | Included |
| Workload Identities Management | Not included | Not included | Included |
| Permissions Management | Not included | Not included | Included |

Entra ID Licensing: considerations to maximize your investment

Now that we're familiar with the different Microsoft Entra ID licensing models, here's how you can maximize your current configuration and make informed upgrade decisions:

  • Evaluate the use of current licenses: You may already have access to P1 or P2 functionality through licenses such as Microsoft 365 F1, Microsoft 365 E3, Office 365 E3, EMS E3 or Microsoft 365 E5. Make sure you take advantage of all the available features before considering an upgrade.
  • Review the features of Microsoft Entra ID: Explore the range of features offered by Microsoft Entra ID. From basic identity management to advanced administration and security, understanding these tools will help you assess whether your current license meets your needs.
  • Consider an upgrade: If you need features such as real-time risk monitoring or advanced conditional access, upgrading to P2 or adding the Entra Suite could significantly improve your security.
  • Take advantage of flexible licensing and cost savings: Although it is possible to license Entra products individually, it is more efficient to use them together for complete scenarios such as Zero Trust, B2E, B2B and B2C. Combined packages are generally 50% cheaper than licensing separate products. You can also combine different licenses based on your specific needs. For example, you can use P1 licenses for most users and reserve P2 licenses for those who access critical systems and need advanced security features.
  • Adopt Zero Trust with Conditional Access: Microsoft Entra's cloud-first approach offers robust tools for identity protection, with conditional access rooted in the principles of Zero Trust. Leveraging these solutions improves security by applying Zero Trust principles, significantly reducing dependence on traditional perimeter-based defenses.
  • Consider transitioning to a hybrid identity environment: For organizations with both on-premises and cloud infrastructures, adopting a hybrid identity model can ensure smooth management and better integration with cloud migration strategies.
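The conditional access behaviour described earlier (MFA for unknown locations or non-compliant devices, stronger action on risk) and the mixed P1/P2 assignment suggested in the list above can be checked together. The following Python sketch is an added example, not Microsoft's or the author's code: it is a simplified model in which every matching policy applies and a block overrides MFA, and it treats risk-based conditions as needing P2, as the plan lists on this page do. All policy names, users, groups and field names are constructed.

```python
from dataclasses import dataclass

RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Policy:
    name: str
    groups: frozenset = frozenset()    # empty = all users in scope
    untrusted_location: bool = False   # applies only outside trusted locations
    noncompliant_device: bool = False  # applies only on non-compliant devices
    min_risk: str = "none"             # sign-in risk threshold
    control: str = "mfa"               # "mfa" or "block"

    def required_plan(self):
        # Location/device conditions appear in the page's P1 list,
        # risk-based conditions in its P2 list.
        return "P2" if self.min_risk != "none" else "P1"

    def in_scope(self, user):
        return not self.groups or bool(self.groups & user["groups"])

    def matches(self, user, sign_in):
        # Conditions inside one policy are ANDed together.
        if not self.in_scope(user):
            return False
        if self.untrusted_location and sign_in["trusted_location"]:
            return False
        if self.noncompliant_device and sign_in["compliant_device"]:
            return False
        return RISK[sign_in["risk"]] >= RISK[self.min_risk]


def evaluate(policies, user, sign_in):
    """Return (decision, applied policy names); block wins over MFA."""
    applied = [p for p in policies if p.matches(user, sign_in)]
    controls = {p.control for p in applied}
    if "block" in controls:
        decision = "block"
    elif "mfa" in controls:
        decision = "require_mfa"
    else:
        decision = "allow"
    return decision, [p.name for p in applied]


def license_gaps(policies, users):
    """Map user name -> risk-based policies targeting them without a P2 license."""
    gaps = {}
    for p in policies:
        if p.required_plan() != "P2":
            continue
        for u in users:
            if p.in_scope(u) and u["plan"] != "P2":
                gaps.setdefault(u["name"], []).append(p.name)
    return gaps


# Constructed sample data (hypothetical names, not from a real tenant)
ADMINS = frozenset({"admins"})
POLICIES = [
    Policy("mfa-untrusted-location", untrusted_location=True),
    Policy("mfa-noncompliant-device", noncompliant_device=True),
    Policy("mfa-admin-medium-risk", groups=ADMINS, min_risk="medium"),
    Policy("block-admin-high-risk", groups=ADMINS, min_risk="high", control="block"),
]
USERS = [
    {"name": "alice", "groups": {"staff"}, "plan": "P1"},
    {"name": "bob", "groups": {"staff", "admins"}, "plan": "P1"},
    {"name": "carol", "groups": {"admins"}, "plan": "P2"},
]

if __name__ == "__main__":
    office = {"trusted_location": True, "compliant_device": True, "risk": "none"}
    print(evaluate(POLICIES, USERS[0], {**office, "trusted_location": False}))
    print(license_gaps(POLICIES, USERS))
```

Here `license_gaps` reports the administrator who is targeted by risk-based policies while holding only P1, which is the mismatch to look for when P2 is reserved for a subset of users.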

Conclusions

In recent years, the topic of cybersecurity has become hotter than ever and any breach within your organization's digital infrastructures can result in significant waste of time and money.

With Entra ID, Microsoft aims to protect companies from these threats with advanced tools and to give users and organizations the means to manage digital identities effectively and guarantee secure access to corporate resources, both on-premises and in the cloud.

Choosing the right license plan for Microsoft Entra ID can make a serious difference in terms of costs and benefits for your company and is not something to be taken lightly. We therefore invite you to explore the topic further through the official Microsoft documentation, so that you can find the option that best suits your protection needs with peace of mind.

FAQ about Entra ID subscription plans

What is Microsoft Entra ID?

Microsoft Entra ID is a cloud service for identity and access management. It allows companies to protect access to applications and data, ensuring that only authorized users can access corporate resources. It includes tools such as authentication, Single Sign-On (SSO), and conditional access management.

What license plans are available for Microsoft Entra ID?

Entra ID is available in three versions: Free, P1 and P2. The Free version offers basic functionality, while the P1 adds advanced tools for identity management and conditional access. P2 includes all the features of P1 and introduces advanced identity protection, risk management, and elevated privilege access administration capabilities.

What are the main differences between Entra ID P1 and Entra ID P2?

Entra ID P1 provides identity management tools such as conditional access, dynamic groups, and advanced user management. P2 includes these features and adds advanced AI-based protection tools, such as real-time risk monitoring and managing elevated privilege accounts through Privileged Identity Management (PIM). P2 is more suitable for companies that have advanced security needs and need to protect against unauthorized access.

Is Entra ID Free enough for a business?

It depends on the company's security needs. The Free version offers basic identity management functionality, but does not include advanced tools such as conditional access or risk-based protection. For companies that need greater access control, P1 or P2 are more suitable options.

Which Microsoft licenses include Entra ID P1 or P2?

Some Microsoft 365 licenses include Entra ID P1 or P2. P1 is available with Microsoft 365 E3, Office 365 E3, and other business licenses, while P2 is included with Microsoft 365 E5 and Office 365 E5. It's always a good idea to check your license specifications to determine what features are available.

When is an upgrade to Entra ID P2 necessary?

If an organization needs advanced identity protection tools, such as real-time risk monitoring and managing elevated privilege accounts, Entra ID P2 is the best choice. It is suitable for companies with a high level of exposure to cyber threats or that operate in highly regulated sectors.

Is it possible to combine P1 and P2 licenses in the same organization?

Yes, it is possible to assign different licenses to different user groups. A company can provide P1 licenses to most employees and reserve P2 licenses for users with access to critical resources or sensitive data. This strategy makes it possible to optimize costs while maintaining a high level of security.

What is Microsoft Entra Suite?

Microsoft Entra Suite is a package that integrates Entra ID with other advanced security and identity management solutions. It includes features for Zero Trust protection, conditional access management, and AI-based identity verification. It's designed for businesses that need a comprehensive approach to identity management and cybersecurity.

What happens if you don't have an Entra ID P1 or P2 license?

Users without a P1 or P2 license will only have access to the basic functionality of Entra ID Free. This means they'll be able to use SSO and basic authentication, but they won't have access to advanced tools like conditional access or risk monitoring.

What are the advantages of Entra ID compared to traditional Active Directory?

Entra ID offers a cloud-based infrastructure that eliminates the need to manage local servers. It supports modern authentication methods, integrates SaaS applications, and provides advanced AI-based protection tools. Unlike on-premise Active Directory, Entra ID allows you to manage identities and accesses in hybrid and fully cloud environments.

How much do Entra ID P1 and P2 cost?

The cost varies depending on the number of users and the license purchased. In many cases, P1 or P2 functionality is already included in the Microsoft 365 E3 and E5 licenses. For details on pricing and purchase options, it is advisable to consult the official Microsoft website or a certified partner.
