Microsoft Entra ID Free, P1, and P2: What’s the Difference and Which One Do You Need?

Alan Curtis

If you’re diving into Microsoft Entra ID (formerly Azure AD), you’ve likely come across its different licensing tiers: Free, Premium P1, and Premium P2. With various options, it can be tricky to know which one is best suited for your organization. Let’s break it down, exploring what each version offers, the differences, and why you might choose one over the other.

Entra ID Free: The Basics

Entra ID Free is a great starting point for small businesses or organizations with simpler needs. This tier offers the essential tools for managing identities and access without any cost.

What You Get with Entra ID Free:

  • User and group management: Manage who’s in your organization and assign them to specific groups.
  • Single Sign-On (SSO): Users sign in once and gain access to multiple Microsoft services (like Office 365) and supported third-party apps.
  • Basic Multi-Factor Authentication (MFA): Add an extra layer of security by requiring users to authenticate using a second factor (e.g., phone, app, or biometric).
  • Self-Service Password Reset (for cloud users): Let cloud users reset their passwords on their own, freeing up IT resources.
  • Device registration: Users can register their devices to access corporate resources more securely.
  • Security Reporting: Get insights into risky sign-ins and suspicious activity to detect potential threats.
  • Azure AD Join: Users can connect their Windows devices to Azure AD for centralized management.
  • Azure AD Connect: This free tool allows you to sync on-premises Active Directory with Azure AD, enabling a hybrid identity environment. Basic sync, such as syncing users and passwords, is available with the Free tier.
  • Global Blocked Password List: Microsoft maintains a list of weak passwords that are automatically blocked.

Why Entra ID Free is Great:

  • It’s free: Perfect for small businesses that don’t need advanced features.
  • Core functionality: Provides essential security tools like SSO, MFA, and Azure AD Connect to enable basic hybrid identity management.

Included with Microsoft 365 Plans:

  • Business Standard: Entra ID Free is included, giving you basic identity management but lacking the advanced features of the Premium tiers.

Entra ID Premium P1: Stepping Up Your Security Game

As your business grows and your security needs become more complex, Entra ID Premium P1 offers the advanced tools you’ll need. P1 includes everything from the Free tier, but with additional security features like Conditional Access and dynamic groups, giving you better control over who accesses what, and from where.

What You Get with Entra ID P1:

  • All Free Tier Features: Everything from the Free plan, plus more.
  • Conditional Access: This is a key feature. You can set up policies that grant or block access based on certain conditions—like location, device, or user status. For example, if someone logs in from an unfamiliar device or risky location, Conditional Access can prompt for additional authentication or block access.
  • Self-Service Password Reset (for On-Premises Users): Users with on-premises accounts can reset their passwords without IT’s help.
  • Dynamic Groups: Automatically adjust group memberships based on user attributes (like department or location).
  • Azure AD Connect: This tool remains free with Entra ID Premium P1. However, advanced features like password writeback (allowing users to reset their passwords in the cloud and have changes reflected on-premises) require a P1 license.
  • Custom Blocked Password Lists: You can create a custom list of banned passwords (in addition to the global one) to prevent users from choosing weak or predictable passwords.

Why P1 Might Be Right for You:

  • More control: Conditional Access gives you the flexibility to secure access based on various conditions like location or device type, ensuring stronger security without compromising usability.
  • Hybrid identity with advanced sync features: While Azure AD Connect is free for syncing users and groups, features like password writeback or group writeback are only available with Premium P1, making it a must-have for hybrid identity management.
  • Custom password protection: P1 allows you to enhance password security by blocking weak passwords tailored to your organization’s needs.

Included with Microsoft 365 Plans:

  • Microsoft 365 E3: Comes with Entra ID Premium P1, providing access to advanced security features like Conditional Access, dynamic groups, and custom blocked password lists.
  • Microsoft 365 Business Premium: Also includes Entra ID Premium P1, offering small to medium-sized businesses access to advanced security without the higher costs of an E3 or E5 plan.

Why Conditional Access with MFA is a Big Improvement Over Basic MFA

Multi-Factor Authentication (MFA) is already a great way to enhance your organization’s security by requiring users to provide a second form of identification beyond just a password. But Conditional Access with MFA takes this protection to a whole new level.

1. Contextual Security Based on Real-Time Conditions

Basic MFA prompts users for an additional authentication step. That’s great for security, but it can get annoying for employees who are always logging in from trusted locations and devices. Conditional Access with MFA, on the other hand, only triggers MFA when it’s necessary.

  • For example, if someone is logging in from a known device and a trusted location, they may not be prompted for MFA. But if the same user suddenly tries to access resources from a new country or an untrusted device, MFA can be enforced.

This context-aware approach makes your security more intelligent and reduces the friction for users, only stepping in when there’s a real need to verify their identity.

2. Protects Against More Sophisticated Attacks

Basic MFA protects against common attacks like phishing or credential stuffing, where attackers might steal usernames and passwords. But cybercriminals are getting smarter. They may try to bypass MFA using tactics like man-in-the-middle (MITM) attacks, where they intercept communication between the user and authentication system, or they might try to access your resources from trusted networks to avoid detection.

Conditional Access lets you enforce stricter security policies based on real-time risk factors. For example:

  • If a user’s credentials have been flagged as compromised or they’re attempting to sign in from a high-risk country, Conditional Access can either block access outright or require additional verification.
  • Risk-based Conditional Access (available with Entra ID Premium P2) even analyses things like impossible travel (logging in from two distant locations within minutes) and adapts security policies automatically.

3. Granular Access Control

Conditional Access lets you set precise policies based on factors like:

  • Location: You can block or require MFA for logins from specific locations (like certain countries or unknown IP addresses).
  • Device: You can allow or deny access depending on whether the device is registered, compliant, or up to date.
  • Applications: For especially sensitive apps (like financial systems or data management tools), you can enforce more stringent Conditional Access rules, like always requiring MFA.

With basic MFA, you’re asking for that second factor of authentication every time. With Conditional Access, you can fine-tune these rules to give you greater control over how users access different parts of your system.

Entra ID Premium P2: Top-Tier Security for Big Organizations

If your organization handles highly sensitive data or operates in a heavily regulated industry, Entra ID Premium P2 is your best bet. P2 adds even more advanced security and identity governance features to give you peace of mind.

What You Get with Entra ID P2:

  • All P1 Tier Features: Everything from P1, plus more advanced tools.
  • Identity Protection: Automatically detects and mitigates identity-based risks, such as compromised credentials or risky sign-ins.
  • Privileged Identity Management (PIM): Control and monitor access to sensitive roles. You can assign admin privileges temporarily, only when necessary, reducing the risk of unnecessary access.
  • Risk-Based Conditional Access: This takes Conditional Access a step further by dynamically responding to the risk level of each login attempt. For example, if a login from an unusual location is detected, it can require additional authentication or block the user altogether.
  • Access Reviews: Regularly review user access to resources to ensure they still need it—helpful for compliance.
  • Just-in-Time Access: Ensure users only get access to critical resources when they absolutely need it, reducing the chance of misuse.
  • Custom and Global Blocked Password Lists: Like P1, you can define custom blocked passwords, while also using Microsoft’s global blocked password list for added protection.

Why P2 is a Must for Larger Organizations:

  • Top-level security: If you deal with sensitive data or need to meet strict compliance standards, P2 offers the most robust security features.
  • Identity governance: P2 helps you stay compliant by ensuring the right people have the right access, and only when they need it.

Included with Microsoft 365 Plans:

  • Microsoft 365 E5: Includes Entra ID Premium P2, offering the full suite of features, including Identity Protection, Privileged Identity Management, and risk-based Conditional Access.

Recommendation: P2 Licenses for Executives and Global Admins

While Entra ID Premium P2 is great for any organization with high-level security needs, I strongly recommend P2 licenses for certain key roles, such as global administrators and executives. Here’s why:

1. High-Risk Accounts Are the Biggest Targets

Executives and global admins often have elevated permissions and access to the most sensitive data and resources in the organization. These high-level accounts are frequent targets for cyberattacks, including phishing and credential theft. P2’s advanced security features—like Privileged Identity Management (PIM) and Risk-Based Conditional Access—help ensure these accounts remain secure even under heightened threat scenarios.

2. Privileged Access Should Be Temporary

Executives and admins often require privileged access, but these permissions don’t need to be active all the time. With Just-in-Time Access, you can grant high-level access temporarily, limiting the risk window for attackers.

3. Proactive Risk Detection and Response

Executives often log in from various locations and devices, which can introduce security risks. With Risk-Based Conditional Access, P2 automatically adjusts access rules based on factors like the user’s behaviour, location, or device security. This ensures that high-value accounts are always protected, even when the risk level changes.

For these reasons, upgrading your key users to Entra ID Premium P2 provides an added layer of protection for your most valuable accounts.

Wrapping It Up

Microsoft Entra ID offers something for everyone, whether you’re a small business needing basic security or a large enterprise looking for advanced identity protection. The key is understanding your organization’s specific needs and matching them to the right Entra ID tier.

For companies looking to tighten security around executives or users with global access, we highly recommend going with Entra ID Premium P2. The advanced features, especially when combined with a Zero Trust approach, give you robust protection without sacrificing usability.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.