
Microsoft Identity and Security Licensing Assessment

We map your Entra ID tier coverage across every user population, identify the security gaps that tier boundaries create, model the cost of closing them, and negotiate the optimal licensing structure at EA renewal. See our Microsoft EA renewals guide.


1. The Four-Tier Architecture: How Microsoft Monetises Identity

Microsoft's identity licensing strategy follows a pattern that enterprise software vendors have perfected over two decades: give away the foundation for free, include the baseline in the platform subscription, and charge separately for the capabilities that security and compliance teams actually need. The genius of the Entra ID tier structure is that each tier contains exactly the features that make the previous tier's features effective — so the capabilities compound upward, and each tier upgrade feels more like completing a half-built system than purchasing a new product. For the broader M365 licensing context, see our M365 E3 vs E5 vs F3 comparison.

The four tiers are not simply "basic, standard, premium, enterprise." They represent four distinct identity management disciplines: Free covers authentication (users can sign in). P1 covers policy enforcement (you can define rules about who accesses what from where). P2 covers risk intelligence (the system adapts those rules in real time based on threat signals). Governance covers access lifecycle (who should have access in the first place, and when should access be revoked). Each discipline builds on the previous one. Running P1 without P2 is like having a lock on your door but no alarm system — the lock works, but it doesn't know when someone has picked it. Running P2 without Governance is like having the alarm but never checking whether the people with keys still work there.

2. Entra ID Free: What You Get for Nothing (and Why It's Not Enough)

Every Azure subscription and every Microsoft 365 subscription includes Entra ID Free. It's the identity foundation that makes Microsoft's cloud ecosystem work — and it's more capable than most organisations realise, precisely because Microsoft needs it to be functional enough that every organisation uses Entra ID as their primary identity provider.

What Free includes: User and group management (create, manage, and delete user accounts and security groups). Single sign-on for unlimited applications (SAML, OIDC and OAuth integrations with thousands of SaaS applications; this alone replaces basic SSO products). Multi-factor authentication through security defaults (a Microsoft-managed, non-configurable set of policies that requires all users to register for MFA and challenges them when needed). Self-service password change (users can change a password they know; resetting a forgotten one requires P1 or an M365 business SKU that carries SSPR). B2B collaboration basics (invite external users as guests). Directory synchronisation from on-premises Active Directory with Microsoft Entra Connect. A default limit of 50,000 directory objects, raised to 300,000 once a custom domain is verified.

What Free does not include: Conditional Access policies (you cannot express "allow access only from compliant devices" or "block access from untrusted locations", the most fundamental zero-trust control). Group-based application assignment (apps must be assigned user by user). Self-service password reset (SSPR: users who forget their passwords must call the helpdesk; Free covers password change only). Password writeback and group writeback for hybrid identity (the Entra Connect sync engine itself is available on Free; what P1 adds is writing cloud password changes and resets back to on-premises Active Directory). SLA (Free has no uptime SLA; P1 and P2 carry a 99.99% availability SLA).

The security implication: an organisation running exclusively on Entra ID Free has MFA through security defaults but no way to write Conditional Access policies, so every authenticated user gets the same level of access regardless of device compliance, location, risk, or role. There is no identity-driven perimeter. Security defaults are a blunt instrument: all users must register for MFA, administrators are challenged on every sign-in, other users are challenged when Microsoft's service decides it is necessary, and legacy authentication is blocked, with no way to scope, exclude, or tune any of it. Security defaults and enforced Conditional Access are also mutually exclusive, so the move to P1 means re-expressing those protections as policies before switching security defaults off. This is better than nothing but far from the adaptive, risk-proportionate access model that zero-trust architectures require.

3. Entra ID P1: The Conditional Access Baseline

Entra ID P1 is where Microsoft identity licensing becomes a security tool rather than an authentication utility. P1 is included in Microsoft 365 E3, Microsoft 365 Business Premium, and EMS E3 — meaning most enterprise organisations with an M365 subscription already have P1. It can also be purchased standalone at approximately $6/user/month. For the plan comparison, see our enterprise plan selection playbook.

The Capabilities That Define P1

Conditional Access: The flagship P1 capability and the single feature that transforms Entra ID from an authentication service into an access control platform. Conditional access policies evaluate every sign-in against defined conditions — user identity, group membership, device compliance state (via Intune), location (IP ranges, named locations, countries), client application, sign-in risk (P2 only), user risk (P2 only) — and apply controls: allow, block, require MFA, require compliant device, require Terms of Use acceptance, or limit session duration. Without conditional access (Free tier), every authentication is binary: correct password + MFA = access. With conditional access (P1), authentication becomes contextual: correct password + MFA + compliant device + corporate network + low-risk session = full access; correct password + MFA + unknown device + foreign IP = blocked or MFA step-up. See our endpoint management licensing guide.
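The policy mechanics above are easier to see in code than in portal screenshots. The following is an added example, not code from the original article or from Microsoft's documentation: two P1-tier, rule-based Conditional Access policies created with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module). The break-glass group ID and the corporate-network named-location ID are placeholder assumptions to replace with your own objects, and the account running it needs the Conditional Access Administrator role.

```powershell
# Added example: two P1-tier Conditional Access policies via Microsoft Graph PowerShell.
# The two object IDs below are assumptions; replace them with objects from your tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId     = "00000000-0000-0000-0000-000000000000"  # assumed: group holding emergency-access accounts
$corpNetworkLocationId = "11111111-1111-1111-1111-111111111111"  # assumed: named location for office egress IPs

# Policy 1: outside the corporate network, require MFA AND an Intune-compliant device,
# for every user and every app. Break-glass accounts are excluded so a mistaken policy
# cannot lock the tenant out. "enabledForReportingButNotEnforced" is report-only mode.
$requireCompliantDevice = @{
    displayName = "CA-P1-Outside-CorpNet-Require-MFA-And-Compliant-Device"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        locations      = @{ includeLocations = @("All"); excludeLocations = @($corpNetworkLocationId) }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "AND"                       # every listed control must be satisfied
        builtInControls = @("mfa", "compliantDevice")
    }
    sessionControls = @{
        # Re-authenticate every 8 hours off-network instead of trusting a long-lived token
        signInFrequency = @{ value = 8; type = "hours"; isEnabled = $true }
    }
}

# Policy 2: block legacy authentication (Exchange ActiveSync, basic-auth IMAP/POP/SMTP).
# Security defaults do this silently; once they are switched off in favour of Conditional
# Access you must recreate it, or MFA is bypassable by any client that skips modern auth.
$blockLegacyAuth = @{
    displayName = "CA-P1-Block-Legacy-Authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireCompliantDevice, $blockLegacyAuth)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Leave both policies in report-only until the sign-in logs show the expected allow and block outcomes, then set state to enabled. Note that both policies are static: every condition they test (group, location, client type, device state) is something the tenant already knows, which is exactly the limitation the next section describes.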

Self-Service Password Reset (SSPR): Users reset forgotten passwords without calling the helpdesk, verifying with one or two configurable methods drawn from SMS, email, authenticator app, or security questions (and, for hybrid users, P1's password writeback pushes the new password to on-premises Active Directory). The operational savings are significant: Gartner estimates password reset calls constitute 20–50% of helpdesk volume. At $15–$25 per call, a 5,000-user organisation fielding 10,000–20,000 reset calls a year (two to four per user) saves $150,000–$500,000 annually, against a standalone P1 cost of $360,000 a year, and against zero incremental cost when P1 arrives inside M365 E3.

Additional P1 capabilities: Group-based application assignment (assign SaaS apps to security groups, not individual users — critical for scalable app provisioning). Dynamic groups (automatically add/remove users from groups based on attributes — department, location, job title — eliminating manual group management). Application proxy (publish on-premises web applications through Entra ID without VPN). Microsoft Identity Manager user CAL (for on-premises identity management integration). 99.99% uptime SLA.

What P1 Cannot Do

P1 conditional access is rule-based, not risk-based. You define static policies: "if location = outside corporate network, then require MFA." The policy applies uniformly regardless of whether the sign-in is from an employee working from a coffee shop (low risk) or from a compromised credential being used by an attacker in a foreign country (high risk). P1 treats both scenarios identically — because P1 doesn't know the difference. Risk signals — sign-in risk (anomalous sign-in patterns, impossible travel, anonymous IP) and user risk (leaked credentials, anomalous behaviour patterns) — are P2 capabilities. This is the most consequential licensing boundary in the entire Microsoft security stack.

4. Entra ID P2: Where Identity Security Actually Begins

Entra ID P2 is included in Microsoft 365 E5 and EMS E5. As a standalone add-on, P2 costs approximately $9/user/month (which includes P1 capabilities). For organisations on M365 E3 that want to add P2, the incremental cost is approximately $9/user/month — or they can upgrade to M365 E5 for approximately $21/user/month and get P2 plus Defender for Endpoint P2, Defender for Office 365 P2, and the full compliance suite. See our E5 security add-ons playbook for the upgrade economics. See our M365 add-on licensing guide.

The Capabilities That Define P2

Identity Protection — Risk-Based Conditional Access: P2 introduces two machine-learning-driven risk engines that transform conditional access from a static rulebook into an adaptive intelligence system. Sign-in risk evaluates each authentication attempt in real time: is the IP address associated with a botnet? Is the geography impossible given the user's last sign-in location? Is the sign-in pattern anomalous (unusual time, unusual device, unusual browser fingerprint)? Each sign-in is scored Low / Medium / High risk. User risk evaluates the identity itself over time: have the user's credentials been found in a dark web dump? Has the account exhibited behaviour patterns consistent with compromise? Is the user's session activity anomalous relative to their baseline? User risk is scored similarly. Risk-based conditional access policies consume these scores: "if sign-in risk = High, block access" or "if user risk = Medium, require password change and MFA." This is the capability that distinguishes zero-trust (adaptive, risk-proportionate access) from rule-based access (static, context-blind policies).
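For contrast with the P1 policies, here is an added example (not from the original page) of the two risk-based policies Microsoft recommends as the starting point for Identity Protection, followed by the Identity Protection queries that show what the policies would act on today. Same assumptions as before: the Microsoft Graph PowerShell SDK and a placeholder break-glass group ID.

```powershell
# Added example: P2-tier risk-based Conditional Access policies, plus the Identity
# Protection queries used to check what they would fire on. Placeholder group ID is assumed.
$scopes = @("Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
            "IdentityRiskyUser.Read.All", "IdentityRiskEvent.Read.All")
Connect-MgGraph -Scopes $scopes

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"  # assumed: emergency-access accounts

# Sign-in risk scores THIS authentication attempt. Stepping up to MFA on medium/high
# defeats a stolen password while letting a legitimate user through.
$signInRiskPolicy = @{
    displayName = "CA-P2-SignInRisk-Medium-High-Require-MFA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")      # signal the tenant cannot author itself
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# User risk scores the ACCOUNT over time (e.g. credentials found in a leak). Force a
# password change; "passwordChange" must be combined with "mfa" using AND so the reset
# is strongly authenticated. The user must have SSPR enabled for this control to work.
$userRiskPolicy = @{
    displayName = "CA-P2-UserRisk-High-Require-Password-Change"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

foreach ($policy in @($signInRiskPolicy, $userRiskPolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null
}

# Check 1: accounts Identity Protection currently considers at risk (user-risk input)
Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All |
    Select-Object UserPrincipalName, RiskLevel, RiskLastUpdatedDateTime

# Check 2: the individual detections behind them (impossible travel, leaked credentials...)
Get-MgRiskDetection -Filter "riskLevel eq 'high'" -All |
    Select-Object UserPrincipalName, RiskEventType, RiskState, DetectedDateTime, IPAddress
```

Two caveats a practitioner hits immediately. The passwordChange control only works for users who have SSPR enabled, and for hybrid users it also needs password writeback. Leaked-credential detection, the signal that feeds user risk, requires password hash synchronisation for hybrid identities; without it the P2 licence is paid for but the most valuable user-risk detection never fires.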

Privileged Identity Management (PIM): Just-in-time (JIT) privileged access. Administrators do not hold permanent admin roles; they are made eligible and activate the role when needed, for a defined duration (for example 4 hours), with optional approval workflows, MFA or authentication-context requirements, and mandatory justification. When the activation window expires the privileges are revoked automatically. PIM eliminates standing access, the single largest attack surface in identity infrastructure. A compromised Global Admin account with permanent privileges gives an attacker unlimited access indefinitely. A compromised PIM-eligible admin account gives an attacker nothing until the role is activated, and activation generates an auditable event and alert. The caveat: if the role's activation settings require only the same password and MFA the attacker already holds, the attacker can activate it too, so activation for tier-0 roles should require approval or a phishing-resistant authentication context. PIM covers Entra ID roles (Global Admin, Exchange Admin, Security Admin), Azure resource roles (Subscription Owner, Contributor), and group membership (PIM for Groups). For any organisation subject to regulatory requirements around privileged access (PCI DSS Requirement 7, HIPAA minimum necessary, SOX segregation of duties), PIM is not a feature; it is a control requirement.
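An added example (not the page's own code) of the PIM lifecycle for a tenant-wide role, using the Microsoft Graph PowerShell SDK: convert an admin to an eligible assignment, show the activation request that admin submits when the role is needed, and then run the check that matters most, listing who still holds the role permanently. The user object ID is a placeholder assumption, and the role's activation settings (approval, MFA, maximum duration) are configured separately in the PIM role settings.

```powershell
# Added example: PIM eligibility, activation and a standing-privilege check for
# Global Administrator. The user object ID is an assumed placeholder.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory",
                        "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory"

$adminUserId = "22222222-2222-2222-2222-222222222222"   # assumed: the admin's user object ID

# Resolve the role by display name instead of hard-coding its template ID
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'" |
    Select-Object -First 1
$nowUtc = (Get-Date).ToUniversalTime().ToString("o")

# 1. Make the user ELIGIBLE, not assigned. Eligibility expires after a year so it has
#    to be re-certified; until activated, the account carries no admin power.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Tier-0 admin: eligible only, activate through PIM"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"            # tenant-wide scope
    principalId      = $adminUserId
    scheduleInfo     = @{
        startDateTime = $nowUtc
        expiration    = @{ type = "afterDuration"; duration = "P365D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility | Out-Null

# 2. What the admin submits (from their own session) when the role is needed: a 4-hour,
#    justified activation. Approval and MFA requirements come from the role's PIM settings.
$activation = @{
    action           = "selfActivate"
    justification    = "Change ticket reference goes here"   # assumed: justification is mandatory
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $adminUserId
    scheduleInfo     = @{
        startDateTime = $nowUtc
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation | Out-Null

# 3. Check: who still holds this role as a permanent, non-expiring active assignment?
#    These are the standing-privilege accounts PIM exists to eliminate.
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "roleDefinitionId eq '$($role.Id)'" -All |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and $_.ScheduleInfo.Expiration.Type -eq 'noExpiration' } |
    Select-Object PrincipalId, @{ n = 'Since'; e = { $_.ScheduleInfo.StartDateTime } }
```

Run step 3 before step 1 on any tenant you are assessing: the list it returns is the population that needs converting, and a non-empty list on a tenant that "has PIM" is the most common finding in practice.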

Access Reviews: Periodic certification campaigns that require managers or resource owners to review and confirm (or revoke) access entitlements. "Does this user still need access to this application / this group membership / this admin role?" Access reviews can be automated: create a quarterly review of all guest users, all users with privileged roles, all members of sensitive groups. Reviewers approve or deny; denied access is automatically revoked. Access reviews address the "access accumulation" problem — users accumulate entitlements over years through role changes, project assignments, and temporary access grants that are never revoked. Without regular reviews, the average enterprise user has 2–3× the access they need for their current role.
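The review campaign described above, as an added example (not the article's code): a quarterly, auto-applied review of a privileged group's membership created through the Microsoft Graph PowerShell SDK. The group ID is an assumed placeholder.

```powershell
# Added example: a recurring quarterly access review of a privileged group's members,
# reviewed by the group owners, with recommendations and auto-apply. Group ID is assumed.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$privilegedGroupId = "33333333-3333-3333-3333-333333333333"   # assumed: group granting sensitive access

$review = @{
    displayName             = "Quarterly review: privileged-access group members"
    descriptionForAdmins    = "Certify membership of the privileged-access group every quarter"
    descriptionForReviewers = "Approve only users who still need this access in their current role"
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$privilegedGroupId/transitiveMembers"   # nested members included
        queryType     = "MicrosoftGraph"
    }
    reviewers = @(
        @{ query = "/groups/$privilegedGroupId/owners"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true     # suggests "deny" for users inactive in the window
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"    # reviewer silence removes access, not keeps it
        autoApplyDecisionsEnabled       = $true     # decisions are applied when the instance ends
        instanceDurationInDays          = 14
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$definition = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $review

# Check: the campaign's instances and their status (NotStarted, InProgress, Completed, Applied...)
Get-MgIdentityGovernanceAccessReviewDefinitionInstance -AccessReviewScheduleDefinitionId $definition.Id |
    Select-Object Id, Status, StartDateTime, EndDateTime
```

defaultDecision = Deny together with autoApply is what turns a review into a control rather than a survey: an unreviewed entitlement is removed, not quietly renewed. Scope the first campaign to one small group and run it once with autoApply off before enabling it broadly, because the first run always surfaces owners who never respond.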

Entitlement Management (Basic): Access packages that bundle resources (groups, apps, SharePoint sites) into requestable packages with approval workflows and automatic expiration. Users request access packages through a self-service portal; approvers grant or deny; access expires after a defined period. This is the P2 foundation that the Governance add-on extends significantly.

5. Entra ID Governance: The Access Lifecycle Layer Nobody Budgets For

Entra ID Governance is the newest and most misunderstood tier in the Entra licensing stack. It is not included in M365 E5, a fact that surprises virtually every CIO and procurement team we work with. Governance is a standalone add-on at approximately $7/user/month, available on top of any plan that includes Entra ID P1 or P2; tenants already licensed for P2 (including M365 E5) buy the cheaper Governance Step-Up for P2 SKU at approximately $4/user/month, because P2 already carries the basic access review and entitlement management features. It extends those P2 capabilities into a full identity governance platform.

Why Governance Exists as a Separate Tier

Microsoft positioned Governance as an add-on rather than including it in E5 because it competes directly with established Identity Governance and Administration (IGA) vendors, such as SailPoint, Saviynt, CyberArk Identity (formerly Idaptive) and One Identity, whose products cost $8–$20/user/month. By pricing Governance at $7/user/month and keeping it outside E5, Microsoft achieves two things: it avoids devaluing E5 with a feature that many organisations address through third-party tools, and it creates a competitive price point against IGA vendors that can drive replacement sales. For most organisations evaluating IGA platforms, Entra ID Governance at $7/user/month versus SailPoint or Saviynt at $12–$20/user/month is a compelling comparison, especially given the native integration with M365, Azure, and the rest of the Microsoft security stack.

The Capabilities That Define Governance

Lifecycle Workflows: Automated identity lifecycle actions tied to HR events. Lifecycle Workflows do not create the account themselves: the joiner record arrives through HR-driven inbound provisioning (Workday, SAP SuccessFactors, or the API-driven provisioning endpoint for other HR systems), which creates the user and writes the employeeHireDate and employeeLeaveDateTime attributes that workflows trigger on. On the hire date a joiner workflow can enable the account, generate a Temporary Access Pass and send it to the manager, add the user to role-based groups (which, with group-based licensing, assigns M365 E3/E5/F3 and role-specific applications), and send the welcome email. A mover workflow adjusts group memberships and application access when department or job title changes. A leaver workflow disables the account, removes group and Teams memberships, removes licences and, after a configurable delay, deletes the account. Actions outside the built-in task catalogue, such as converting the mailbox to shared or archiving OneDrive content, run through a custom task extension that calls an Azure Logic App. Lifecycle Workflows replace the manual onboarding/offboarding checklists that every IT team maintains and every IT team executes inconsistently.
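A leaver workflow of the kind described above, as an added example rather than code from the article or from Microsoft's samples: built with the Microsoft Graph PowerShell SDK, it triggers on employeeLeaveDateTime and chains the built-in disable, group-removal, Teams-removal and licence-removal tasks. The scope rule, workflow name and task display-name patterns are assumptions; the task definition IDs are looked up from the tenant's own catalogue rather than hard-coded.

```powershell
# Added example: a "leaver" Lifecycle Workflow that runs on the employee's leave date.
# Task definition IDs are resolved from the built-in catalogue by a client-side wildcard
# match on display name. Scope rule, name and patterns are assumptions to adapt.
Connect-MgGraph -Scopes "LifecycleWorkflows.ReadWrite.All"

$catalogue = Get-MgIdentityGovernanceLifecycleWorkflowTaskDefinition -All

function Get-TaskDefinitionId([string]$NameLike) {
    # -like is case-insensitive; first match wins, so keep patterns specific
    $match = $catalogue | Where-Object { $_.DisplayName -like "*$NameLike*" } | Select-Object -First 1
    if (-not $match) { throw "No built-in task matching '$NameLike'; list `$catalogue and adjust the pattern." }
    return $match.Id
}

# Order matters: tasks run sequentially, and continueOnError=$false stops the chain
# if disabling the account fails, because every later task assumes it succeeded.
$taskSpecs = @(
    @{ displayName = "Disable account";        nameLike = "Disable user account" },
    @{ displayName = "Remove from all groups"; nameLike = "all groups" },
    @{ displayName = "Remove from all teams";  nameLike = "all teams" },
    @{ displayName = "Remove licences";        nameLike = "all licenses" }
)
$tasks = foreach ($spec in $taskSpecs) {
    @{
        displayName      = $spec.displayName
        description      = "Leaver workflow: $($spec.displayName)"
        isEnabled        = $true
        continueOnError  = $false
        taskDefinitionId = Get-TaskDefinitionId $spec.nameLike
        arguments        = @()
    }
}

$workflow = @{
    category            = "leaver"
    displayName         = "Leaver - last day (standard)"          # assumed naming convention
    description         = "Disable and strip access on employeeLeaveDateTime"
    isEnabled           = $true
    isSchedulingEnabled = $true     # the scheduler only evaluates triggers when this is on
    executionConditions = @{
        "@odata.type" = "#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions"
        scope   = @{
            "@odata.type" = "#microsoft.graph.identityGovernance.ruleBasedSubjectSet"
            rule          = "(employeeType eq 'Employee')"       # assumed attribute convention
        }
        trigger = @{
            "@odata.type"      = "#microsoft.graph.identityGovernance.timeBasedAttributeTrigger"
            timeBasedAttribute = "employeeLeaveDateTime"           # written by HR-driven provisioning
            offsetInDays       = 0                                 # 0 = on the date; negative = days before
        }
    }
    tasks = @($tasks)
}

$created = New-MgIdentityGovernanceLifecycleWorkflow -BodyParameter $workflow
"Created workflow {0} with {1} tasks" -f $created.Id, @($tasks).Count
```

employeeLeaveDateTime must actually be populated, either by HR-driven provisioning or by an application holding User-LifeCycleInfo.ReadWrite.All; a workflow with a correct trigger and an empty attribute never runs, and that silent non-execution is the usual reason "automated offboarding" turns out not to have happened.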

Advanced Entitlement Management: Governance extends P2's basic entitlement management with custom extension attributes, multi-stage approval workflows (manager → resource owner → security review), automatic access package assignment based on HR attributes (department + location + job title = specific access package), Verified ID integration (requiring verifiable credentials before granting access), and separation of duties policies (users cannot hold conflicting access packages, e.g. "payment approval" and "vendor creation"). Advanced Access Reviews: machine-learning-based review recommendations (the system recommends "revoke" for users who have not signed in during the review's inactivity window, 30 days by default, and for users whose group affiliation is unlike their peers', reducing reviewer fatigue), inactive user reviews (automatically identify and review users who have not signed in), and stale guest reviews (identify external collaborators whose access should expire).

The Governance Gap in Regulated Industries

For organisations in regulated industries — financial services (SOX, GLBA), healthcare (HIPAA), defence (CMMC, NIST 800-171), government (FedRAMP, FISMA) — the Governance tier addresses control requirements that P2 alone doesn't cover. Access lifecycle automation (Lifecycle Workflows) satisfies provisioning and de-provisioning controls. Separation of duties policies satisfy segregation requirements. Access certifications (Access Reviews) satisfy periodic entitlement review requirements. Without Governance, these controls must be implemented manually or through third-party IGA tools — either of which costs more than $7/user/month in operational overhead or vendor licensing.

6. The Inclusion Matrix: What's in E3, E5, and Standalone

Capability                               Free   P1 (in M365 E3)   P2 (in M365 E5)   Governance (add-on)
User/group management                    Yes    Yes               Yes               via P1/P2 base
SSO for unlimited apps                   Yes    Yes               Yes               via P1/P2 base
MFA (security defaults)                  Yes    Yes               Yes               via P1/P2 base
Conditional access (policy-based)        No     Yes               Yes               via P1/P2 base
Self-service password reset              No     Yes               Yes               via P1/P2 base
Dynamic groups                           No     Yes               Yes               via P1/P2 base
Application proxy                        No     Yes               Yes               via P1/P2 base
99.99% SLA                               No     Yes               Yes               via P1/P2 base
Identity Protection (risk-based CA)      No     No                Yes               No (P2 only)
Privileged Identity Management           No     No                Yes               Yes
Access Reviews (basic)                   No     No                Yes               Yes (extended)
Entitlement Management (basic)           No     No                Yes               Yes (extended)
Lifecycle Workflows                      No     No                No                Yes
Advanced Entitlement Management          No     No                No                Yes
ML-based Access Review recommendations   No     No                No                Yes
Separation of duties policies            No     No                No                Yes

Governance is layered on an existing P1 or P2 licence; its column shows what the add-on contributes, not a fourth self-contained edition. Governance on top of P1 supplies the governance rows (PIM, reviews, entitlement management, lifecycle) but not Identity Protection; tenants already on P2 or E5 buy the cheaper step-up SKU because they hold the basic governance rows already.

The critical takeaway: M365 E3 gives you P1 (policy-based conditional access — the foundation). M365 E5 gives you P2 (risk-based intelligence — the brains). Neither E3 nor E5 gives you Governance (access lifecycle — the discipline). Organisations that assume E5 "covers identity" are missing the governance layer that regulated industries require and that all organisations benefit from. And organisations that assume E3 "has conditional access" are running static rules without the risk intelligence that makes those rules adaptive.

7. The Five Security Gaps That Tier Boundaries Create

Gap 1 — The Risk Blindness Gap (P1 without P2). P1 conditional access evaluates conditions you define: location, device, group. It cannot evaluate conditions it detects: anomalous sign-in patterns, impossible travel, compromised credentials, behavioural anomalies. A compromised credential used from a corporate-managed device on the corporate network passes every P1 conditional access policy — because P1 sees a valid user, valid device, trusted location. P2 Identity Protection would flag the credential as compromised (dark web leak detection) and the sign-in as anomalous (unusual activity pattern) — triggering automatic remediation before the attacker accesses resources. This gap is the difference between preventing known scenarios (P1) and detecting unknown threats (P2).

Gap 2 — The Standing Privilege Gap (P1 without P2 PIM). Without PIM, admin roles are permanently assigned. The Global Admin, Exchange Admin, SharePoint Admin, and Security Admin accounts hold their privileges 24/7/365, whether or not they are actively performing administrative tasks. Every permanently assigned admin account is a high-value target. PIM eliminates standing privilege: admins activate roles when needed, for defined periods, with approval and justification. The gap is not theoretical: a permanently assigned Global Admin is the account every cloud tenant intrusion works towards, and compromised privileged accounts feature prominently in Microsoft's own incident reporting.

Gap 3 — The Access Accumulation Gap (P2 without Governance). P2 access reviews can certify existing access. But without Governance's Lifecycle Workflows, the access that accumulates between reviews is unchecked. An employee who changes roles gets new access for the new role — but the old role's access is rarely revoked manually. Lifecycle Workflows automate this: mover events trigger access adjustment, removing old entitlements and granting new ones. Without it, every role change is an access accumulation event that the next quarterly access review must catch — months after the access was no longer appropriate.

Gap 4 — The Guest Lifecycle Gap (any tier without Governance). B2B guests (external collaborators) are invited with access to Teams channels, SharePoint sites, and shared mailboxes. Their access rarely expires automatically, and their sponsoring employees rarely remember to revoke it when the collaboration ends. Governance's entitlement management with automatic expiration and stale guest reviews addresses this directly — access packages for external collaborators expire after 90/180 days and require re-approval to extend.

Gap 5 — The Segregation of Duties Gap (any tier without Governance). Separation of duties — ensuring no single user holds conflicting entitlements (e.g., ability to create vendors and approve payments) — requires Governance's SOD policies. Without Governance, SOD enforcement is a manual process: someone must check every access request against a conflict matrix. Governance automates this: conflicting access packages cannot be held simultaneously, and the system blocks requests that would violate defined SOD policies.

8. The Economics: When Each Tier Pays for Itself

P1: Largely Pays for Itself Through SSPR

Self-service password reset removes 20–50% of helpdesk tickets. At $15–$25 per helpdesk reset and 0.5–1.0 resets per user per year, SSPR saves $7.50–$25.00 per user per year. Standalone P1 costs approximately $72/user/year ($6/month), so at that reset rate SSPR alone recovers about 10–35% of the standalone cost; full break-even on SSPR alone needs roughly three to five resets per user per year ($72 ÷ $25 and $72 ÷ $15). For organisations on M365 E3 ($432/user/year), P1 is already paid for, so every SSPR saving is net return. For organisations on M365 Business Basic or other plans without P1, SSPR covers a substantial share of the standalone cost and conditional access has to justify the remainder, which it does comfortably for any organisation with a zero-trust requirement.

P2: Pays for Itself Through Breach Cost Avoidance

The average cost of a credential-based breach is $4.5–$5.0 million (IBM Cost of a Data Breach Report). P2's Identity Protection reduces the probability of that breach through real-time compromised-credential detection, anomalous sign-in blocking, and automatic user remediation. The expected-value arithmetic needs to be done honestly, because at modest inputs it does not favour P2 on its own: with a 5% annual breach probability and a 10% reduction from P2, expected annual savings are $4.5–$5.0 million × 0.05 × 0.10 = $22,500–$25,000, against a P2 cost of $108/user/year × 5,000 users = $540,000. Even eliminating credential-based breach risk entirely at that baseline avoids only $225,000–$250,000 of expected loss a year. The inputs that change the answer are the probability and the reduction: an enterprise under sustained credential attack may face a 20% annual probability, at which point expected loss is $900,000–$1,000,000 a year and P2 breaks even if it cuts that by 55–60%. P2 therefore does not pay for itself through operational savings the way SSPR does. It is a catastrophe premium justified by tail risk (a single incident at the IBM figure costs more than eight years of P2 for this organisation) and by control obligations, and it should be presented to the board that way rather than through an expected-value line that, at low assumed probabilities, the licence cannot win.

Governance: Pays for Itself Through IGA Vendor Replacement or Audit Avoidance

Two pathways to ROI. Pathway 1 — IGA replacement: If Governance replaces SailPoint ($12–$18/user/month), Saviynt ($10–$16/user/month), or a similar IGA platform, the $7/user/month Governance cost delivers 30–60% savings while eliminating integration complexity between the IGA platform and Microsoft's identity stack. Pathway 2 — manual process replacement: If the organisation doesn't have an IGA tool and manages access lifecycle manually (helpdesk tickets for onboarding, manual checklists for offboarding, spreadsheet-based access reviews), the operational cost of manual identity governance typically exceeds $15–$30/user/year in IT staff time. Governance at $84/user/year automates these processes while delivering audit-defensible evidence that manual processes cannot. See our Microsoft audit compliance playbook.

9. Optimisation Strategy: Aligning Identity Licensing With Identity Risk

Strategy 1: The E5 Consolidation Path

If your organisation is on M365 E3 and needs Entra P2 ($9/user/month standalone), the E3-to-E5 step-up (approximately $21/user/month) includes P2 plus Defender for Endpoint P2 ($5.20 standalone), Defender for Office 365 P2 ($5 standalone), and the full compliance suite. Net of the P2 you were going to buy anyway, the rest of E5 costs about $12/user/month, which is more than covered by Defender for Endpoint P2 and Defender for Office 365 P2 alone ($10.20 combined at list) before counting Purview, Defender for Identity, and Defender for Cloud Apps. The E5 upgrade should be the default evaluation for any E3 organisation that needs P2. See our E3 vs E5 vs F3 comparison.

Strategy 2: Risk-Tiered Identity Licensing

Not every user carries the same identity risk. A risk-tiered approach assigns identity licensing based on the user's access profile, not their M365 subscription.

Risk tier / User profile / Recommended Entra tier / Rationale

Critical: IT admins, security team, C-suite, privileged access. Recommended: P2 + Governance. Rationale: PIM mandatory for admin roles; risk-based CA for high-value targets; lifecycle workflows for admin role rotation.

High: Finance, HR, legal, executives with sensitive data access. Recommended: P2. Rationale: risk-based conditional access detects compromised credentials; access reviews certify entitlements quarterly.

Standard: Knowledge workers with M365 and standard app access. Recommended: P1 (via M365 E3). Rationale: policy-based conditional access sufficient; SSPR reduces helpdesk load; dynamic groups automate provisioning.

Frontline: Retail, manufacturing, clinical staff with limited access. Recommended: P1 (via M365 F3). Rationale: conditional access for shared-device compliance; limited app access reduces the risk surface.

The savings, counting only Entra add-on spend on top of the M365 subscriptions that already carry P1: 200 critical users × ($9 P2 + $7 Governance) = $3,200, plus 800 high users × $9 P2 = $7,200, with nothing extra for the 3,000 standard (E3) and 1,000 frontline (F3) users, totals $10,400 per month. A blanket P2 add-on for all 5,000 users costs $45,000 per month, so the tiered model is roughly 77% cheaper while giving the highest-risk 1,000 users stronger controls than blanket P2 would. (If P1 is priced at its $6 standalone rate for the 4,000 standard and frontline users rather than treated as included, the tiered figure is $34,400 against $45,000, still 24% lower.)

Strategy 3: Governance Procurement as IGA Replacement

If your organisation currently operates a third-party IGA platform (SailPoint, Saviynt, One Identity, CyberArk), evaluate whether Entra ID Governance can replace it. The evaluation criteria: does Governance cover your identity governance requirements (lifecycle automation, access certification, entitlement management, SOD policies)? Does your environment extend beyond Microsoft (non-Microsoft applications, on-premises infrastructure, multi-cloud) in ways that Governance's connectors don't reach? If Governance covers 80%+ of your IGA requirements, the 30–60% cost reduction and the elimination of integration complexity typically justify the migration. If your IGA requirements extend significantly beyond the Microsoft ecosystem, Governance may serve as a complement (covering M365 and Azure identity governance) while the third-party IGA handles the broader scope.

Strategy 4: Negotiate Entra Add-Ons at EA Renewal

P2 standalone and Governance standalone are both negotiable within the EA negotiation. Microsoft's list prices ($9 for P2, $7 for Governance) are starting points for enterprise commitments. When bundled with an M365 E5 upgrade or a broader EA commitment that includes Azure and Dynamics 365, Entra add-ons can be discounted 10–20%. The Governance add-on in particular — as Microsoft's newest identity product competing for IGA market share — is frequently discountable when positioned as an IGA vendor replacement that increases the organisation's Microsoft dependency. Use our Contract Negotiation Service to benchmark and negotiate Entra pricing.

The most expensive identity licensing mistake is not buying the wrong tier — it's not knowing which tier you have. In over half the organisations we assess, at least one user population is on a lower Entra tier than required by the organisation's security policies, and at least one population is on a higher tier than its risk profile justifies. The fix is not a blanket upgrade — it's a mapping exercise that aligns identity licensing with identity risk across every user population. Our EA Optimisation Service includes this mapping as a standard component. Visit the Microsoft Knowledge Hub for additional resources, or use our Microsoft Assessment Tools for self-service analysis.

10. Frequently Asked Questions

Is Entra ID P2 included in Microsoft 365 E5?

Yes. Entra ID P2 is fully included in M365 E5, EMS E5, and the Microsoft 365 E5 Security add-on. If your users are on M365 E5, they have P2 at no additional cost, including Identity Protection (risk-based conditional access), Privileged Identity Management, basic access reviews, and basic entitlement management. What E5 does not include is Entra ID Governance: the lifecycle workflows, advanced entitlement management, and separation of duties capabilities. Governance is a separate add-on, approximately $7/user/month on top of P1 and approximately $4/user/month as the Step-Up SKU for tenants already licensed for P2 (including M365 E5).

Does every user need a P2 licence, or can P2 be scoped to specific populations?

Microsoft's licensing terms require P2 for every user who benefits from P2 features. In practice, this means: every user whose sign-in is evaluated by a risk-based conditional access policy needs P2 (if you create a policy that applies to "all users" with a sign-in risk condition, all users need P2). Every user with a privileged role managed through PIM needs P2. Every user whose access is included in an access review needs P2. You can scope P2 to specific user groups, for example assigning P2 only to admin accounts and high-risk populations, provided your risk-based conditional access policies are scoped to those same groups. The risk-tiered approach (Strategy 2 in Section 9) is both licence-compliant and cost-optimised: scope P2 to the populations that need it and P1 to those that don't.

Can Entra ID Governance replace a third-party IGA platform?

It depends on the scope of your IGA requirements. Governance is strongest for Microsoft-ecosystem identity governance: M365, Azure, Entra-integrated SaaS applications, and on-premises apps published through Application Proxy. For organisations whose identity governance requirements are primarily Microsoft-centric (80%+ of governed applications are M365, Azure, or Entra-integrated SaaS), Governance can replace a third-party IGA at 30–60% lower cost with tighter integration. For organisations with significant non-Microsoft application estates (Oracle EBS, SAP, mainframe, custom apps with no Entra connector), Governance covers the Microsoft portion but may not reach the full scope. In these cases a hybrid approach, Governance for the Microsoft ecosystem and third-party IGA for the rest, sometimes reduces total cost while maintaining coverage. Evaluate based on connector availability and workflow requirements.

What is the practical difference between P1 and P2 conditional access?

P1 conditional access evaluates static conditions you configure: group membership, device compliance, location, client application. These conditions are known at the time you write the policy. P2 Identity Protection adds dynamic risk signals detected in real time by Microsoft's machine learning models: is this sign-in anomalous? Has this credential been leaked? Is this device behaving unusually? P1 asks "does this sign-in match my rules?"; P2 asks "does this sign-in look safe?" The practical difference: P1 blocks a sign-in from a known bad location; P2 blocks a sign-in from a good location using a compromised credential that was found on the dark web three hours ago. Both are valuable; P2 catches threats that P1 structurally cannot detect. For any organisation facing targeted credential attacks (which is every enterprise), P2 is the minimum effective identity security tier.

When is independent identity licensing advisory worth engaging?

For any organisation with 1,000+ users where identity licensing spans multiple tiers, M365 SKUs, or overlaps with third-party identity products, independent advisory identifies both security gaps and cost savings. The value is threefold: mapping the current state (which users have which Entra tier, where gaps exist between security policy requirements and licensing reality), modelling the optimised state (risk-tiered licensing that provides the right tier for each population at the lowest total cost), and negotiating the transition (securing P2, Governance, and E5 upgrade pricing at EA renewal with appropriate discounts). At Redress Compliance, identity licensing is analysed as part of our EA Optimisation Service, and Entra add-on pricing is a standard component of our Contract Negotiation Service. Our Microsoft Advisory Services cover the complete M365 and identity licensing lifecycle.