The Entra ID tier map, the metrics behind the price, and the buyer side moves that head off the over provisioning trap.
A buyer side guide to Entra ID licensing tiers, add ons, and the line items that most enterprises do not see until the renewal proposal lands.
Entra ID is the new Active Directory. It is also the front door to almost every Microsoft cost decision.
The pricing looks simple on the product page. It is not. The decisions that matter sit between tiers, between add ons, and between human identities and workload identities.
This buyer side guide walks through the structure, calls out the line items that surprise people at renewal, and shows where to land in a mixed tier setup.
Free
Bundled with every Microsoft cloud subscription. Provides core directory, SSO to thousands of SaaS apps, and basic security defaults.
No conditional access policies. No risk based sign in. No PIM. Acceptable for very small estates only.
P1
Conditional access, group based licensing, advanced security reports, and access reviews for the basic groups.
P1 is where most enterprises sit for the bulk of their user base. Bundled inside M365 E3.
P2
Adds Identity Protection, Privileged Identity Management, and the full access review surface. Bundled inside M365 E5.
P2 is rarely needed across every user. It is needed across every admin and every high risk role.
External ID
Used to manage customer or partner identities. Priced by monthly active users with a free tier of 50,000 MAU, then per MAU bands above that.
A retailer or media business with millions of low engagement users can still hit material costs. Model it carefully.
Workload identities
Workload identities are licensed separately. Service principals, managed identities, and application identities are billed via the Entra Workload Identities SKU.
Enterprises with hundreds of automated workloads often discover this line for the first time at renewal.
Guest users
Each paying tenant gets a generous block of guest user allowance before any incremental charge. The exact ratio depends on the tenant SKU and current Microsoft policy.
Large partner ecosystems should model guest usage explicitly. It is rarely the dominant cost, but it is rarely zero either.
Token issuance
Token issuance is not metered for normal Entra ID usage. Heavy workload identity scenarios can hit limits that drive an upgrade decision.
Entra ID tier comparison for 2026 buyers
| Tier | Best for | Headline features | Sits inside |
|---|---|---|---|
| Free | Very small estates | Directory, SSO, basic security defaults | Any M365 plan |
| P1 | General workforce | Conditional access, group licensing, access reviews | M365 E3 |
| P2 | Admins, high risk roles | Identity Protection, PIM, full access reviews | M365 E5 |
| External ID | Customer or partner identity | Per MAU pricing, social and federated identity | Stand alone SKU |
| ID Governance | Lifecycle and certification | Workflows, access packages, certifications | Add on to P1 or P2 |
P2 across every user is almost never the right answer. P2 on the admins and a clean access review program usually is.
Verified ID
Decentralized identity issuance. Licensed by issuance volume, not per seat. Used today mostly in HR onboarding and partner verification scenarios.
Permissions Management
Multi cloud entitlement management across Azure, AWS, and Google Cloud. Licensed per resource. Often pitched into the security renewal conversation.
ID Governance
Adds lifecycle workflows, access certifications, and entitlement management. Sits on top of P1 or P2.
Often missed in renewal forecasts and then bolted on later at a worse discount.
When the M365 E3 to E5 upgrade is sold, P2 comes along for the ride. Some organizations end up paying for P2 on every user when only a few hundred admins actually need it.
Mixed tier licensing solves this. Buy E5 for the people who use the security stack. Buy E3 for everyone else. Layer P2 separately on the admin and high risk users in the E3 group.
Service principals and managed identities can carry a per identity charge if they exceed the included free pool. Enterprises with deep DevOps automation often discover this only at renewal.
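One way to turn the mixed tier rule and the workload identity pool into a scoping calculation, as an added example rather than the guide's own tooling. It assumes a directory export with each user's roles and a flag for real E5 security stack usage, a privileged role list you maintain, and a free pool size taken from your own agreement:

```python
# Added example (not the guide's tooling): scope a mixed-tier Entra ID layout from a
# directory export, putting P2 on admins and high-risk roles rather than every seat.

# Assumption: roles treated as the P2 population. Extend this to match your own
# privileged-role inventory (PIM-eligible roles, executive accounts, and so on).
P2_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
    "Exchange Administrator",
}

# Constructed sample export, not real tenant data: one record per human identity.
USERS = [
    {"upn": "alice@example.com", "roles": ["Global Administrator"], "uses_e5_security": True},
    {"upn": "bob@example.com", "roles": [], "uses_e5_security": True},
    {"upn": "carol@example.com", "roles": ["Exchange Administrator"], "uses_e5_security": False},
    {"upn": "dave@example.com", "roles": [], "uses_e5_security": False},
    {"upn": "erin@example.com", "roles": ["Helpdesk Administrator"], "uses_e5_security": False},
]


def scope_licences(users, p2_roles=P2_ROLES):
    """Count E5 seats, E3 seats, P2 add-ons for E3 admins, and users needing review.

    Users holding a role that is not in p2_roles are listed for manual review so
    they are classified deliberately instead of silently landing on P1.
    """
    plan = {"e5": 0, "e3": 0, "p2_addon": 0, "review": []}
    for user in users:
        roles = set(user["roles"])
        if user["uses_e5_security"]:
            plan["e5"] += 1          # P2 arrives bundled with E5
            continue
        plan["e3"] += 1
        if roles & p2_roles:
            plan["p2_addon"] += 1    # layer P2 on this E3 user
        elif roles:
            plan["review"].append(user["upn"])
    # The bundling trap as a number: P2 on every seat versus the scoped count.
    plan["p2_if_all_e5"] = len(users)
    plan["p2_scoped"] = plan["e5"] + plan["p2_addon"]
    return plan


def workload_identity_overage(identity_count, free_pool):
    """Billable workload identities above the included pool. The pool size is an
    assumption taken from your own agreement; the guide gives no figure."""
    return max(0, identity_count - free_pool)
```

Feed it your real export and privileged role inventory; the `review` list is the part to look at first, since it is where unclassified roles would otherwise slip onto P1.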
Default Entra audit log retention is short. Extending retention to meet regulatory needs requires Microsoft Sentinel or a long term storage subscription.
Does every user need P2?
Almost never. P2 carries Privileged Identity Management and Identity Protection. Both are valuable, but only on a defined population. Admins, high risk roles, executive accounts, and developers with elevated rights are the practical targets.
Can P1 and P2 be mixed in one tenant?
Yes. Mixed tier licensing has been supported for years. Group based licensing makes it operationally clean.
What is bundled with M365 E3 and E5?
P1 is bundled with E3. P2 is bundled with E5. The bundling is the most common reason organizations end up over licensed on the identity side.
How is External ID priced?
By monthly active users, with a generous free tier and per MAU bands above it. Volume matters more than headcount because many customer estates have a long tail of low engagement users.
How are workload identities licensed?
Service principals and managed identities can sit inside a free pool. Above the pool, the Entra Workload Identities SKU applies. Estate sizes vary widely, so model it from your own data.
Does ID Governance replace an access review program?
It provides the workflow and certification engine. It does not replace the policy work or the auditor sign off. Many regulated estates use it as the system of record for periodic reviews.
When an enterprise upgrades to E5 for the security suite, P2 comes along. The price story only works if the security features actually get used.