Microsoft Entra ID — the identity and access management platform formerly known as Azure Active Directory — is the foundational identity layer for virtually every enterprise running Microsoft 365 or Azure. Its licensing model spans from a genuinely free tier through two paid tiers and a separate Governance add-on, with E5 bundling complicating the commercial picture further. The identity component of E5 upgrade decisions accounts for a significant portion of Microsoft's most commercially aggressive sales motions, which makes an independent analysis of the Entra ID licensing you actually need, as opposed to what Microsoft's sales teams advocate, an essential commercial exercise.
The Four Entra ID Licensing Tiers
Entra ID Free is included with any Azure subscription and provides core directory services — user and group management, basic SSO for up to 10 apps per user, self-service password change for cloud users, and basic security reports. For organisations without significant identity or access management requirements, Free is genuinely sufficient.
Entra ID Office 365 Apps is included with Microsoft 365 apps subscriptions and adds two-way synchronisation, custom login pages, SLA guarantees, and slightly expanded SSO. It is effectively Free with some Microsoft 365 app integrations layered on top.
Entra ID P1 (included in M365 E3, Microsoft 365 Business Premium, and Enterprise Mobility + Security E3) adds the capabilities that most enterprise security postures genuinely require: Conditional Access policies, Hybrid Entra ID join, Microsoft Entra Application Proxy, self-service group management, and Microsoft Entra Connect Health. P1 is the minimum viable identity tier for any enterprise operating a hybrid environment.
Entra ID P2 (included in M365 E5 and EMS E5, or available as a standalone add-on at approximately $6/user/month) adds Privileged Identity Management (PIM), Identity Protection (risk-based Conditional Access), and Access Reviews. These are meaningful security controls — but their value is highly dependent on operational maturity and security programme investment.
Entra ID Governance: The Separate Add-On
Microsoft separated certain advanced Identity Governance features into a dedicated Entra ID Governance add-on in 2023, priced at approximately $7/user/month. Governance includes entitlement management, lifecycle workflows for automated joiner-mover-leaver processes, access packages, and privileged access management for non-Microsoft resources. Critically, some features previously available in P2 (specifically certain entitlement management capabilities) are now Governance-only, which means organisations that were counting on P2 for full governance functionality need to reassess whether Governance is required on top of P2.
| Tier | Price/User/Month | Key Features | Included In |
|---|---|---|---|
| Free | $0 | Core directory, basic SSO (10 apps), security defaults | Azure subscription |
| Office 365 Apps | $0 (bundled) | Free + M365 integration, custom branding, SLA | M365 Apps for Enterprise |
| P1 | ~$6 | Conditional Access, Hybrid join, App Proxy, self-service | M365 E3, EMS E3 |
| P2 | ~$6 (incremental) | P1 + PIM, Identity Protection, Access Reviews | M365 E5, EMS E5 |
| Governance | ~$7 (add-on) | P2 + Entitlement Mgmt, Lifecycle Workflows, Access Packages | Add-on only |
Insider Perspective: The P1 to P2 transition is where Microsoft's identity sales motion is most aggressive. The pitch is that PIM and Identity Protection are table-stakes security controls for any enterprise with regulatory obligations. This is frequently true — but the implication that all users require P2 typically is not. Most enterprises have a privileged user population that genuinely needs PIM (typically 5–15% of total users) and can leave the remainder on P1. Microsoft's licensing model, however, requires P2 assignment per user, not per role — making partial P2 deployment commercially possible but operationally complex to manage.
Privileged Identity Management: The Core P2 Driver
Privileged Identity Management (PIM) is consistently the most commercially justified P2 feature for enterprise buyers. PIM enables just-in-time privileged access — administrators receive elevated permissions only when they need them and only for the duration required, with approval workflows and audit trails. For organisations subject to SOC 2, ISO 27001, or regulatory frameworks requiring separation of duties and privileged access controls, PIM is a genuine compliance enabler, not an aspirational feature.
The commercial question is not whether PIM has value — it clearly does — but whether every user in your organisation requires a P2 license to enable PIM for the subset of users who need privileged access. The answer is no: PIM requires P2 licenses only for users who are assigned to PIM-managed roles or who approve or review PIM activations. Standard end users who are never in PIM workflows do not require P2 licenses. This segmentation opportunity — P2 for privileged users, P1 for standard users — reduces the effective cost of PIM in proportion to the share of users who are not privileged, which is typically an 85-90% saving on the identity component of an E5 upgrade decision.
Identity Protection: Risk-Based Conditional Access
Entra ID Identity Protection uses machine learning to detect risky sign-in behaviours and compromised identities, generating risk signals that can be consumed by Conditional Access policies to require step-up authentication or block access. This capability requires P2 licenses for the users whose sign-in risk is being evaluated — meaning, in practice, all users in scope for risk-based Conditional Access.
The key commercial evaluation for Identity Protection is whether you are operationally ready to act on the risk signals it generates. Identity Protection produces risk detections — high, medium, low, and unknown — that require Security Operations Centre (SOC) review and response workflows. Organisations with mature security operations teams who can investigate and remediate risky user detections extract genuine value from Identity Protection. Organisations without those capabilities will generate alerts they cannot act on, making the P2 investment in Identity Protection functionally equivalent to P1 Conditional Access with more noise. Before purchasing P2 for Identity Protection, assess your SOC capacity to operationalise it.
Access Reviews: Governance vs P2
Access Reviews — the ability to periodically certify that users still require access to applications, groups, and privileged roles — is available in both P2 and the Entra ID Governance add-on, with different scope and automation capabilities at each tier. P2 provides basic access reviews for groups and applications. Governance provides more advanced certification campaigns, automated reviewer assignment, and inactive access detection.
For organisations with straightforward access certification requirements — periodic attestation by managers that their team members still need access to assigned applications — P2's Access Reviews are sufficient. For organisations with complex entitlement structures, multi-stage approval workflows, or automated access removal requirements, Governance adds meaningful capability above P2. The $7/user/month Governance premium is typically justified only for the subset of users in complex access certification workflows, making Governance well-suited to a segmented licensing model rather than tenant-wide deployment.
Advisory Insight: Independent advisors including Redress Compliance consistently find that enterprises purchasing M365 E5 for security features are paying the $20/user/month E3-to-E5 delta for identity capabilities they could obtain for $6/user/month (P2) or less through selective P2 assignment. The most common identity licensing overspend pattern is E5 tenant-wide deployment driven by identity and security requirements that actually affect only 10-20% of the user population.
Workload Identities: The Non-Human Licensing Dimension
Microsoft introduced Workload Identities licensing in 2022 — paid plans for securing non-human identities such as service principals, managed identities, and applications. Workload Identities Premium (approximately $3/workload/month) adds Conditional Access for workload identities and Identity Protection risk detection for service principals. This is a commercially significant consideration for enterprises with large Azure application estates, where the number of service principals can exceed the human user count.
The compliance driver for Workload Identities Premium is real: compromised service principals are a primary attack vector in cloud environments, and Conditional Access for workload identities provides meaningful protection. The commercial risk is license sprawl — enterprises that deploy Workload Identities Premium across all service principals without segmenting by risk profile can face substantial costs on a workload population they had not previously modelled as a licensing cost centre.
Entra ID in the Context of the E5 Decision
Entra ID P2 features are included in M365 E5, and Microsoft's commercial motion for E5 frequently leads with identity security as the primary justification alongside Defender and Sentinel. When evaluating the E5 upgrade from a pure identity perspective, the relevant question is: what is the cost of achieving equivalent identity security through standalone P2 and selective Governance licensing versus the E5 premium?
For a 10,000-user organisation with 1,500 privileged users genuinely requiring PIM and 8,500 standard users requiring only P1 Conditional Access, the standalone cost of P2 for privileged users is approximately $108,000/year. The E5 upgrade cost for all 10,000 users, if identity is the primary E5 driver, would be $2.4M/year for the M365 E3 to E5 delta. The identity-specific economics overwhelmingly favour selective P2 deployment unless the other E5 components — Defender for Endpoint P2, E5 Compliance, E5 Security — independently justify their portions of the premium.
Practical Recommendations for Entra ID Licensing
The most commercially effective approach to Entra ID licensing follows a segmentation model: P1 for all users as the baseline identity tier, P2 for privileged users and those in Identity Protection scope, and Governance for users in complex entitlement management workflows. Tenant-wide P2 or E5 deployment is justified only when you have assessed that the majority of users genuinely require P2 features — which is rare outside of highly regulated industries with universal privileged access policies.
Before your next EA renewal, conduct an identity licensing audit that maps your current P2 and E5 assignments against actual PIM role membership, Identity Protection scope, and Access Review participation. Most enterprises find that a structured segmentation exercise reduces their effective identity licensing cost by 30–60% without compromising security posture, because the features that justify P2 are typically needed by a fraction of the user population, not the full enterprise.