Microsoft Entra ID License Models Explained: P1, P2, and Entra Suite

4 November 2024

Many organizations rely on Microsoft to meet their Identity and Access Management (IAM) needs, with Microsoft Entra ID being a popular tool to manage user identities, streamline access, and enhance security across digital environments. However, with multiple license options available, understanding which features are included and how to maximize their use can be challenging. In this blog post, we’ll break down Microsoft’s Entra ID license models—P1, P2, and the Entra Suite—to help you maximize the value of your Microsoft investment.

Do You Need to Pay for Microsoft Entra ID?

The good news is you don’t necessarily need a license to start using Microsoft Entra ID. When you create a Microsoft tenant, you can access basic Entra ID Free features at no cost. However, for organizations seeking enhanced functionality, Microsoft offers P1 and P2 licenses that unlock more advanced features. Additionally, the Microsoft Entra Suite provides a unified solution with advanced security, governance, and identity features. Let’s dive into each license model to see what they offer.

Microsoft Entra ID Free

Entra ID Free is a great starting point, providing essential identity management functionalities. However, for organizations with more complex IAM requirements or a need for greater customization, it may not be well-suited for large-scale deployments.

Entra ID Free Features:

  • Cloud Authentication: Supports Pass-through Authentication or Password Hash Synchronization for users to log in with their existing credentials.
  • Users & Groups: Basic user management for static groups and rule assignments.
  • Multi-Factor Authentication (MFA): MFA and policies can only be enabled or disabled at the tenant level without more granular control.
  • Self-Service Password Reset (SSPR): Available only for cloud users.
  • Single Sign-On (SSO): Unlimited SSO, but limited capabilities to publish or integrate certain applications.
  • Federated Authentication: Supports federation with Active Directory Federation Services (AD FS) or third-party identity providers.

Microsoft P1 License

P1 builds on the free tier with additional automation and management features, making it a solid choice for organizations needing more control. P1 is included with Microsoft 365 F1, Microsoft 365 E3, Office 365 E3, EMS E3, and Microsoft 365 Business Premium. If you have one of these licenses, you already have access to the features outlined below.

Key P1 Features:

  • Users & Groups: P1 introduces dynamic groups and assignments for applications and conditional access, automating user management without manual intervention.
  • Multi-Factor Authentication (MFA): P1 allows for group-based MFA, offering more flexibility by assigning different MFA options for specific users or departments.
  • Self-Service Password Reset (SSPR): Extends SSPR to on-premises users, allowing password reset policies for specific groups or users across both cloud and on-premises environments.
  • Single Sign-On (SSO): Adds support for publishing on-premises applications, providing seamless access through a unified SSO experience.
  • Health Monitoring: Tracks performance metrics for Active Directory Federation Services (AD FS) and Active Directory Domain Services (AD DS). Provides real-time alerts for system health and synchronization issues.
  • Cross-Tenant Sync: Synchronizes cloud tenants, ensuring consistent security rules and policies across multiple environments.
  • Session Lifetime Management: Controls how long users stay logged in by setting token expiration limits, improving security for high-risk applications.
  • Conditional Access Engine: Unlocks all conditional access options, allowing for more granular security policies based on user identity, device health, and location.

Microsoft P2 License

Entra ID P2 adds advanced security and identity management capabilities, ideal for organizations requiring real-time risk monitoring and in-depth protection. The P2 license is included in other subscriptions like Microsoft 365 E5, Office 365 E5, Enterprise Mobility + Security (EMS) E5, Microsoft 365 E5 Security, and Microsoft 365 A5.

Key P2 Features:

  • Sign-In Risk: Monitor real-time sign-in activity to detect anomalies and take action based on risk levels.
  • User Risk: Continuously scan login signals and automatically alert administrators of any compromised credentials.
  • Device and Application Filters: Use extended conditional access options. Apply detailed filters for devices, applications, and users.
  • Token Protection: Ensure tokens are only used on the specific devices they were issued for.
  • Basic Entitlement Management: Includes multi-level approval workflows and role-based access control.
  • Self-Service Entitlement Management: Allows employees to manage access requests through the My Access Portal.

Microsoft Entra Suite

The Microsoft Entra Suite offers a comprehensive solution for managing secure access, identity verification, and Zero Trust security across both cloud and on-premises environments. It integrates five key capabilities—Private Access, Internet Access, ID Protection, ID Governance, and Face Check in Verified ID Premium—into one cohesive platform. With these tools, organizations can streamline identity management processes, safeguard network traffic, verify user identities seamlessly, and more.

To access the Entra Suite, a subscription to Microsoft Entra ID P1, or a package that includes P1, is required. Special pricing is available for Microsoft Entra ID P2 and Microsoft 365 E5 customers.

Key Entra Suite features:

  • Microsoft Entra Private Access: Provides Zero Trust Network Access (ZTNA) for on-premises apps without code changes. It assesses real-time risks with Conditional Access using identity, device, and application signals, adding network protections to block lateral attacks, reduce over-permissioning, and replace legacy VPNs.
  • Microsoft Entra Internet Access: Guards against unsafe content with cloud-delivered security controls and web content filtering. While it currently offers domain-based filtering, further enhancements like TLS termination are planned. A key advantage is that traffic flows through Microsoft’s global network, reducing the risk of physical man-in-the-middle attacks. It uses Conditional Access to assess identity, device, location, and risk signals for real-time protection and integrates with ID Protection and ID Governance.
  • Microsoft Entra ID Protection: Uses machine learning to detect sign-in risks and applies Conditional Access to block or allow access based on risk. It integrates risk-based MFA and token protection, supporting hybrid environments with on-premises Active Directory.
  • Microsoft Entra ID Governance: Automates identity lifecycle management, ensuring correct access duration and preventing over-permissioning. It supports workflow automation for provisioning, delegation to business groups, and managing joiner, mover, and leaver workflows.
  • Face Check with Verified ID: A decentralized solution for verifying credentials, working with ID Protection and ID Governance to streamline onboarding. This feature is part of the Microsoft Entra Verified ID platform. It uses the Authenticator app and device camera for live motion verification of government-issued IDs.

How to Make the Most of Your Microsoft Entra ID Licenses

Now that you’re familiar with the different Microsoft Entra ID license models, here’s how you can maximize your existing setup and make informed decisions about upgrades:

Evaluate your current license usage

You might already have access to P1 or P2 features through licenses such as Microsoft 365 F1, Microsoft 365 E3, Office 365 E3, EMS E3, or Microsoft 365 E5. Make sure you’re using all available features before considering an upgrade.
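One way to run this check, as an added example that is not part of the original post: the Microsoft Graph `subscribedSkus` list reports the service plans inside each subscription, where `AAD_PREMIUM` and `AAD_PREMIUM_P2` are the plan names for Entra ID P1 and P2. The sample data and helper names below are constructed for illustration.

```python
# Graph service plan names for Entra ID P1 and P2.
TIER_BY_PLAN = {"AAD_PREMIUM": "P1", "AAD_PREMIUM_P2": "P2"}
RANK = {None: 0, "P1": 1, "P2": 2}

def plan(name, status="Success"):
    """Helper (hypothetical) that builds one servicePlans entry for the sample."""
    return {"servicePlanName": name, "provisioningStatus": status}

# Constructed sample shaped like the "value" array of GET /v1.0/subscribedSkus.
SAMPLE_SKUS = [
    {"skuPartNumber": "SPE_E3", "capabilityStatus": "Enabled", "consumedUnits": 180,
     "prepaidUnits": {"enabled": 200}, "servicePlans": [plan("AAD_PREMIUM")]},
    {"skuPartNumber": "SPE_E5", "capabilityStatus": "Enabled", "consumedUnits": 25,
     "prepaidUnits": {"enabled": 25},
     "servicePlans": [plan("AAD_PREMIUM"), plan("AAD_PREMIUM_P2")]},
    {"skuPartNumber": "EMS", "capabilityStatus": "Suspended", "consumedUnits": 0,
     "prepaidUnits": {"enabled": 0}, "servicePlans": [plan("AAD_PREMIUM")]},
    {"skuPartNumber": "FLOW_FREE", "capabilityStatus": "Enabled", "consumedUnits": 3,
     "prepaidUnits": {"enabled": 10000}, "servicePlans": [plan("FLOW_P2_VIRAL")]},
]

def sku_tier(sku):
    """Highest Entra ID tier a subscription currently provides, or None."""
    # Assumption: only subscriptions in the "Enabled" state are counted.
    if sku.get("capabilityStatus") != "Enabled":
        return None
    best = None
    for p in sku.get("servicePlans", []):
        tier = TIER_BY_PLAN.get(p.get("servicePlanName"))
        if tier and p.get("provisioningStatus") == "Success" and RANK[tier] > RANK[best]:
            best = tier
    return best

def license_report(skus):
    """One row per subscription: tier plus purchased, assigned, unassigned seats."""
    rows = []
    for sku in skus:
        bought = sku.get("prepaidUnits", {}).get("enabled", 0)
        used = sku.get("consumedUnits", 0)
        rows.append({"sku": sku["skuPartNumber"], "tier": sku_tier(sku),
                     "purchased": bought, "assigned": used, "unassigned": bought - used})
    return rows

def seats_by_tier(rows):
    """Total purchased seats per Entra ID tier, ignoring subscriptions without one."""
    totals = {}
    for r in rows:
        if r["tier"]:
            totals[r["tier"]] = totals.get(r["tier"], 0) + r["purchased"]
    return totals

if __name__ == "__main__":
    for row in license_report(SAMPLE_SKUS):
        print(row)
```

Against a real tenant, pass the `value` array returned by `GET /v1.0/subscribedSkus` to `license_report` instead of the sample.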

Evaluate Microsoft Entra ID Capabilities

Explore the range of functionalities Microsoft Entra ID offers. From basic identity access management to advanced governance and security features, understanding these tools will help you assess if your current license meets your needs.

Consider upgrading

If you need features like real-time risk monitoring or advanced conditional access, upgrading to P2 or adding the Microsoft Entra Suite could significantly enhance your security.

Leverage flexible licensing and cost savings

While it’s possible to license individual Entra products, it’s more efficient to use them together for comprehensive scenarios like Zero Trust, B2E, B2B, and B2C. Bundled packages are typically 50% more cost-effective than licensing products separately. You can also mix and match licenses based on specific needs. For example, you can use P1 licenses for most users and reserve P2 licenses for those accessing critical systems and requiring advanced security features.

Embrace Zero Trust with Conditional Access

Microsoft Entra’s cloud-first approach offers robust identity protection tools, with conditional access deeply rooted in Zero Trust principles. Leveraging these solutions enhances security by enforcing Zero Trust at its core, significantly reducing reliance on traditional perimeter-based defenses.

Consider transitioning to a hybrid identity environment

For organizations with both on-premises and cloud infrastructures, adopting a hybrid identity model can ensure seamless management and better alignment with cloud migration strategies.

Conclusion

Navigating Microsoft Entra ID’s various products and license packages can feel complex. However, with the right approach, you can leverage its full potential to enhance your organization’s security. At iC Consult, our experts can guide you through every step of your Microsoft Entra journey. We can help you determine which Microsoft Entra licenses and features best fit your business. From license evaluation to full integration and support, our experts ensure your IAM solution is fully optimized to meet your goals. Contact us to learn how we can make Microsoft Entra ID work seamlessly for you. Or learn more about our Microsoft services here.