Microsoft Entra Suite 2026: license the base wide, the suite narrow
The Entra Suite undercuts its own parts at about 12 dollars per user, yet only 30 to 60 percent of seats use the access layer that drives its value. In a representative 10,000 seat estate, cohort allocation cut $828,000, or 38.3 percent, off blanket suite licensing.
Prepared by Redress Compliance · June 2026 · Representative Microsoft estate scenario (benchmark scenario, not a quote)
Executive summary
The Microsoft Entra Suite bundles ID Protection, ID Governance, Internet Access, Private Access, and Verified ID Premium on an Entra ID P1 or P2 base for about 12 dollars per user per month. Bought separately the parts run about 17 dollars on P1, or 23 dollars from standalone P2. The suite undercuts its own components.
The value is not spread evenly. Internet Access and Private Access, the secure network access layer, are the strongest reason to buy the suite. In the engagements behind this paper only 30 to 60 percent of seats used them.
The buyer side move is allocation, not avoidance. License the identity base widely and reserve the full suite for the cohorts that use access and governance. In a representative 10,000 seat estate that move cut $828,000 a year, or 38.3 percent, off blanket licensing.
The same logic decides E7. The Entra Suite ships inside the $99 Microsoft 365 E7 Frontier Suite, so the suite allocation and the take E7 or assemble decision are one analysis.
What is in the Entra Suite, and where is the value?
The Entra Suite layers five capabilities on an Entra ID P1 or P2 base. The value is not evenly spread across them, and that uneven spread is the key to allocating the suite well. Two of the five components carry most of the reason to buy it.
Microsoft lists the contents and price on its Entra plans and pricing page, and the base prerequisite on Microsoft Learn. The suite sits on top of the base; the 12 dollar figure is an add on, not an all in price.
| Component | What it does | Primary value driver | Natural cohort |
|---|---|---|---|
| Internet Access | Secure web and SaaS access through Global Secure Access | Yes, top driver | Remote and field access |
| Private Access | Zero trust access to internal applications | Yes, top driver | Remote and field access |
| ID Governance | Access reviews, entitlement management, lifecycle | Partial | Privileged and high risk |
| ID Protection | Risk based identity protection signals | Partial | Privileged and high risk |
| Verified ID Premium | Verifiable credentials with Face Check | Niche | Onboarding and verification |
Where does the suite actually save money?
At about 12 dollars per user per month on a P1 base, the suite undercuts buying its components individually. The same pieces run about 17 dollars assembled on P1, or about 23 dollars from standalone P2. The saving is genuine for users who need the access and governance pieces, and illusory for users who do not.
| Option | Approx per user per month | Best fit | Buyer side note |
|---|---|---|---|
| Entra ID P1 | $6 base identity | Most users | Often enough on its own |
| Entra ID P2 | $9 identity plus risk | Higher risk roles | Allocate to a subset |
| Entra Suite | About $12 on top of a P1 base | Need access plus governance | Right size to real need |
| Inside E7 | Part of about $99 | Need all four E7 products | Do not pay for unused access |
How should you allocate the Entra Suite by cohort?
Split the estate. Give most users the identity base they need, and reserve the full suite for the cohorts that actually use Internet Access, Private Access, or governance. Blanket licensing is where the overspend hides, because the suite is priced to look like a sensible default.
Allocation becomes concrete once you map cohorts to need. Three recur across the engagements behind this paper, and they cover most enterprise estates without a long tail of exceptions.
Remote and field access cohorts
Users who reach internal applications from anywhere are the natural home for Internet Access and Private Access. For them the full suite earns its price, because the secure access layer is used daily, not held in reserve.
Privileged and high risk roles
Administrators and sensitive function holders justify P2 risk features and ID Governance. The suite can fit here for governance, but the driver is risk, not blanket policy. This cohort is small and high value.
Standard information workers
The majority. Most need a solid identity base, not the network access layer. Licensing them on P1, with the suite reserved for genuine need, is where the saving lives.
| Cohort | Seats | License | Per user per year | Annual cost |
|---|---|---|---|---|
| Remote and field access | 3,000 | P1 plus Entra Suite | $216 | $648,000 |
| Privileged and high risk | 1,000 | P2 plus Entra Suite | $252 | $252,000 |
| Standard information workers | 6,000 | P1 base only | $72 | $432,000 |
| Allocated estate | 10,000 | $1,332,000 |
Cohort costs match the allocation table and sum to $1,332,000. Benchmark scenario, not a quote.
What does blanket versus allocated licensing cost?
Consider a representative enterprise with 10,000 users weighing the Entra Suite. The blanket path licenses the full suite to every seat at about 12 dollars on a P1 base, which looks efficient because the suite undercuts its parts. The problem surfaces in usage.
The access layer that justifies the suite is used by a fraction of the estate, so most of that spend buys capability nobody touches. The allocated path reads usage first and puts the suite only where it earns its price.
| Approach | What happens | Annual cost | Versus blanket |
|---|---|---|---|
| Blanket suite | Full suite to every seat on a P1 base, 10,000 at $216 | $2,160,000 | Baseline |
| Allocated | Base widely, suite to the access and risk cohorts | $1,332,000 | Down $828,000 |
| Saving from allocation | Same security outcome, spend tracks real need | $828,000 | 38.3% |
Figures match the table above; the gap is the 38.3 percent saving. Benchmark scenario, not a quote.
Seats that use the access layer
Across the identity engagements behind this paper, only 30 to 60 percent of seats used the Internet Access and Private Access features that drive suite value.
Recovered by allocation
Moving from blanket suite to cohort allocation cut the worked 10,000 seat estate from $2,160,000 to $1,332,000 a year, a saving of $828,000.
How does the Entra Suite change the E7 versus assemble decision?
The Microsoft 365 E7 Frontier Suite bundles E5, Copilot, the full Entra Suite, and Agent 365 for about 99 dollars per user per month. So part of the E7 value depends directly on Entra Suite usage. The Entra allocation and the E7 decision are the same analysis.
Assembled, the four parts list at about 117 dollars per user per month, so E7 saves about 18 dollars, roughly 15 percent, but only when all four are genuinely used. Microsoft confirmed the lineup on its Frontier Suite announcement.
| Component | List per user per month | Identity included |
|---|---|---|
| Microsoft 365 E5 | $60 | Entra ID P2 |
| Microsoft 365 Copilot | $30 | None added |
| Entra Suite add on | $12 | Adds access plus governance |
| Agent 365 | $15 | None added |
| Assemble all four | $117 | E7 bundles at $99 |
If your seats only need identity and productivity, E7 makes you pay for access features they will not use. The decision is per cohort, not estate wide. Price E7 against the parts each cohort actually needs.
| Copilot cohort | What they need | Best buy | Per user per month |
|---|---|---|---|
| Full use (1,200 seats) | E5, Copilot, agents, Entra access | E7 bundle | $99 |
| Copilot only (800 seats) | E5 and Copilot, no Entra access or agents | Assemble E5 plus Copilot | $90 |
E7 wins on full use seats; assembling wins on Copilot only seats. Figures match the tables above. Benchmark scenario, not a quote.
How does this play at the negotiation table?
The account team presents the suite as a saving because it undercuts its components, and presents E7 as a saving because it bundles the suite. Both are true only under full use. The buyer who arrives with a usage read can accept the premise and still decline the blanket move.
- Concede the bundle math, contest the scope: agree the suite is well priced, then license it only where the access layer is used.
- Bring usage, not assumption: show telemetry on Internet Access and Private Access adoption by cohort.
- Tie E7 to four product use: accept E7 only where E5, Copilot, agents, and Entra access are all genuinely used.
Where the common advice on the Entra Suite is wrong
The common advice is that the Entra Suite is a clear saving because it undercuts its own components, so you should license it broadly. We disagree with the broad part.
In the 25 to 35 Microsoft identity and E5 engagements Fredrik Filipsson advised on between 2025 and 2026, only 30 to 60 percent of seats used the network access features that drive suite value. Governance was configured for a fraction of users.
The buyer side move is to license the identity base widely and the full suite narrowly, to the cohorts that use the access and governance layers. A bundle that undercuts its parts still wastes money when you buy it for people who never touch half of it. The discount is the hook, not the case.
How does this fit a zero trust program?
Entra Suite allocation and zero trust are complementary, not in tension. Zero trust argues for strong identity everywhere and secure access where users cross boundaries. That maps onto the model: a solid identity base for the whole estate, and the access layer concentrated on the cohorts that cross those boundaries. Allocating by need is zero trust priced honestly.
Does the suite replace third party tools?
It can. Where Internet Access and Private Access cover secure access you currently buy from a separate vendor, you can retire that tool to offset the suite cost, after confirming feature parity first. That retirement is often what funds the allocation, turning a new line into a net neutral move.
How do you run a sixty day allocation?
Treat allocation as a short, evidence driven project. The shape below has worked across the engagements behind this paper, and it ends with a documented logic the next renewal and any E7 conversation can start from.
Inventory and read usage
Map current P1 and P2 licensing, then pull usage telemetry on Internet Access, Private Access, and ID Governance. Identify the access cohorts and high risk roles from data, not org charts.
Design the allocation
Assign the base to the majority, the suite to the access and governance cohorts, and P2 to high risk roles. Model E7 per cohort against the assembled parts and flag third party tools the suite can replace.
Execute and document
Reassign licenses to match the design, retire the duplicated tools, and document the allocation logic so the next renewal starts from evidence rather than a blanket default.
What should you do before bundling Entra broadly?
- Measure what share of seats actually uses Internet Access and Private Access today.
- Confirm for how many users ID Governance is configured, not just licensed.
- Check whether moving to E7 makes you pay for Entra access your seats will not use.
- List the third party access tools the suite could replace, with parity.
- Read what your top suites already include before adding identity on top.
- Document the defensible allocation before any suite or E7 commitment.
What are the five recommendations?
These five moves replace blanket licensing with cohort based allocation, whether you buy Entra directly or take it inside E7. They are ordered, and each one feeds the next.
- Inventory the base. Map current Entra ID P1 and P2 licensing across the estate before any suite or E7 decision, so you know what you already own.
- Find the access cohorts. Identify which users actually use Internet Access, Private Access, and ID Governance, using telemetry, not assumption.
- Allocate the suite narrowly. License the full Entra Suite to the access and governance cohorts only, on top of the base, and keep standard workers on the identity base.
- Model E7 per cohort. Price E7 against P1 or P2 plus a targeted suite allocation for each cohort, and adopt E7 only where all four bundled products are genuinely used.
- Retire the duplicates. Remove third party secure access tools the suite replaces, confirming feature parity first, and use the saving to fund the allocation.
Recommendation: license the identity base widely and the Entra Suite narrowly, and resolve the E7 decision per cohort on the same usage read.
- Before you bundle: pull access telemetry, map the three cohorts, and reserve the full suite for seats that use Internet Access, Private Access, or governance.
- On E7: price the bundle against the parts each cohort needs, take E7 only where all four products are used, and offset the suite by retiring duplicate access tools at parity.
Our fee is modest against the spend a single allocation recovers. We are glad to tie a meaningful part of the fee to delivered value.
Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025.
