What Is Microsoft Entra ID?

Microsoft Entra ID — formerly Azure Active Directory — is Microsoft's cloud-based identity and access management service. It provides authentication, authorisation, single sign-on, multi-factor authentication, conditional access, and identity governance capabilities for cloud and hybrid environments. Every Microsoft 365 tenant is built on Entra ID as its identity foundation, and Entra ID is also the identity layer for Azure resources, Dynamics 365, and third-party SaaS applications integrated via SAML or OAuth.

The rebranding from Azure Active Directory to Entra ID in 2023 was accompanied by the introduction of the broader Microsoft Entra product family, which now includes Entra ID (core identity management), Entra ID Governance (advanced lifecycle and privileged access management), Entra External ID (B2B and B2C identity), Entra Permissions Management (cloud infrastructure entitlement management), Entra Internet Access (Secure Web Gateway), and Entra Private Access (Zero Trust Network Access). This guide focuses on Entra ID and Entra ID Governance — the two products that determine identity licensing costs for the majority of enterprise Microsoft 365 customers.

Entra ID Licensing Tiers: The Four Levels

Entra ID Free

Entra ID Free is included with every Microsoft cloud subscription — Microsoft 365, Azure, Dynamics 365, or any other Microsoft cloud service. It provides core directory services including user and group management, basic cloud self-service password reset for cloud-only users, basic reporting on sign-in events, limited single sign-on (up to 10 apps per user for pre-integrated gallery apps), and basic multi-factor authentication through the Microsoft Authenticator app for global administrators.

Entra ID Free does not support Conditional Access, group-based access management, dynamic groups, hybrid identity with writeback, Application Proxy for on-premises apps, or any of the advanced security and governance capabilities that enterprise environments require. For organisations with more than a handful of cloud-only users, Entra ID Free is a floor, not a ceiling — the first paid tier (P1) is required for virtually all enterprise deployments.

Entra ID P1: Enterprise Identity Baseline

Entra ID P1 at $6 per user per month adds the capabilities required for enterprise identity management. The most commercially significant addition is Conditional Access — the ability to enforce access policies based on user identity, device compliance state, location, application sensitivity, and sign-in risk level. Conditional Access is the foundational security control for Zero Trust identity architectures and is required by virtually every enterprise security framework.

P1 also includes dynamic groups (automatically managing group membership based on user attributes), group-based licensing assignment, hybrid identity with Azure AD Connect (syncing on-premises Active Directory accounts to Entra ID), Application Proxy (publishing on-premises web applications to cloud users), self-service password reset for hybrid identities, and multi-factor authentication policies with granular controls across user populations.

Entra ID P1 is included with Microsoft 365 E3, Microsoft 365 F3, Microsoft 365 Business Premium, and Enterprise Mobility + Security E3. Organisations running any of these M365 SKUs do not need to purchase Entra ID P1 as a standalone product — it is already included. This is the most common Entra ID over-licensing scenario: organisations paying for Entra ID P1 standalone while simultaneously holding M365 E3 licences that already include P1.

Entra ID P2: Advanced Identity Protection

Entra ID P2 at $9 per user per month adds three major capability sets above P1: Identity Protection, Privileged Identity Management (PIM), and Access Reviews. These three capabilities represent the foundation of a mature identity security posture and are required by most enterprise security frameworks, regulated industries, and organisations with elevated identity compromise risk.

Identity Protection uses Microsoft's machine learning models to detect risky sign-ins (unfamiliar location, impossible travel, leaked credentials, anonymous IP access) and risky users (behaviours indicating account compromise). It enables risk-based Conditional Access policies — policies that respond dynamically to detected risk rather than applying static access rules. When a sign-in is detected as high risk, Identity Protection can automatically require re-authentication, block access, or require a password reset without manual intervention.

Privileged Identity Management (PIM) implements just-in-time access for privileged roles — Azure AD roles (Global Admin, Security Admin, User Admin) and Azure RBAC roles. Instead of permanently assigning privileged roles to accounts that then become high-value attack targets, PIM allows users to request role activation for a defined time window (typically one to eight hours), subject to approval, MFA, and justification. Role assignments are audited and can require regular access reviews.

Access Reviews automate the periodic certification of user access to applications, groups, and roles. Instead of manual spreadsheet-based reviews, Access Reviews routes certification requests to managers or resource owners and enforces decisions (remove access or retain access) automatically based on reviewer responses or inactivity.

Entra ID P2 is included with Microsoft 365 E5 and Enterprise Mobility + Security E5. It is not included in E3 or any lower M365 SKU. Organisations on M365 E3 who need PIM or Identity Protection must either upgrade to E5 or purchase Entra ID P2 as a standalone add-on. The standalone add-on approach — applying P2 only to the users who require Identity Protection and PIM — is often significantly more cost-effective than an E3-to-E5 organisation-wide upgrade for environments where the primary P2 requirement is limited to privileged users.


Entra ID Governance: Advanced Identity Lifecycle

Entra ID Governance at $7 per user per month (standalone, for users not already covered by P2) is a superset of P2 that adds advanced identity governance capabilities beyond what P2 provides. The key additions include Entitlement Management (automated access package workflows for provisioning access to applications and groups), Lifecycle Workflows (automated identity provisioning and deprovisioning triggered by HR system events like joiner, mover, leaver), advanced Access Reviews with delegation and multi-stage approval, and Privileged Identity Management for Groups (extending PIM just-in-time access to group membership, not just directory roles).

Entra ID Governance is the appropriate tier for organisations that require automated identity lifecycle management — particularly in regulated industries where manual provisioning and deprovisioning creates compliance risk and audit findings. It is also the tier required for organisations implementing a full Joiner-Mover-Leaver (JML) process driven by HR system integration.

The Microsoft 365 E7 SKU — the new top tier above E5 — includes the complete Entra Suite (combining Entra ID Governance, Entra Internet Access, and Entra Private Access) in addition to the E5 capabilities. This is the first M365 plan to include Governance-level identity features as part of the base SKU rather than as a separate add-on. For organisations evaluating E5-to-E7 upgrades, the Governance inclusion is a genuine incremental value if identity governance automation is a priority — but only if the capabilities will be deployed and actively used.

What Each M365 SKU Includes

The Entra ID tier included with each M365 enterprise SKU determines whether standalone Entra ID purchases are redundant or genuinely required.

Microsoft 365 E1: Entra ID Free

M365 E1 includes only Entra ID Free. E1 users require standalone Entra ID P1 (or a higher M365 SKU) for Conditional Access, dynamic groups, or hybrid identity with writeback. For organisations with E1 as their base SKU, Conditional Access is typically the first P1 capability that creates licence upgrade pressure — most enterprise security policies require Conditional Access.

Microsoft 365 E3: Entra ID P1

M365 E3 includes Entra ID P1. E3 organisations have Conditional Access, dynamic groups, hybrid identity, Application Proxy, and group-based MFA policies available without additional licensing cost. The most common mistake for E3 organisations is purchasing standalone Entra ID P1 without realising it is already included in their M365 E3 subscription. This over-purchase is straightforward to identify in a licence audit.

E3 organisations that need P2 capabilities (Identity Protection, PIM, Access Reviews) have two options: upgrade specific users to M365 E5 (which includes P2), or add standalone Entra ID P2 at $9 per user per month only for users who require P2 capabilities. For organisations where P2 is needed for 20 to 30 percent of users (privileged accounts, security team, administrators), the targeted P2 add-on approach is typically 40 to 60 percent cheaper than an organisation-wide E3-to-E5 upgrade.

Microsoft 365 E5: Entra ID P2

M365 E5 includes Entra ID P2. E5 organisations have Identity Protection, PIM, and Access Reviews included without additional licensing cost. The E5 inclusion of P2 is one of the genuine value drivers of the E5 premium — for organisations with a meaningful volume of privileged identities or regulated workloads requiring identity governance, E5 can represent better value than E3 plus standalone P2 at scale.

E5 does not include Entra ID Governance features (Lifecycle Workflows, Entitlement Management advanced tier, PIM for Groups). Organisations requiring these capabilities must add Entra ID Governance on top of E5.

Microsoft 365 E7: Entra Suite (Full Governance)

M365 E7 — the new top SKU above E5 — includes the complete Entra Suite: Entra ID Governance, Entra Internet Access (Secure Web Gateway), and Entra Private Access (Zero Trust Network Access). E7 is the first M365 plan to include Governance-level Entra capabilities. For organisations evaluating the E5-to-E7 upgrade, the Entra Suite inclusion adds identity governance automation, Zero Trust network access, and Secure Web Gateway capabilities that would otherwise require separate procurement. Microsoft's field teams are actively driving E5 customers to E7 at renewal — the Entra Suite is frequently cited as a key justification for the upgrade. Independent evaluation of whether these Entra Suite capabilities will be deployed and used within a 12 to 18 month timeframe is essential before accepting the E7 upgrade proposal.

Conditional Access: The P1 Threshold Feature

Conditional Access is the primary reason most enterprises require Entra ID P1. It is the policy engine that enforces access decisions based on identity signals and context. Understanding Conditional Access capabilities at P1 versus the enhanced capabilities at P2 clarifies exactly what is gained at each tier.

Conditional Access at P1

P1 Conditional Access policies can enforce requirements based on user identity and group membership, device compliance status (Intune-managed and compliant), device platform (iOS, Android, Windows, macOS), named locations (trusted IP ranges), cloud application (which apps the policy applies to), session controls (browser session persistence, app-enforced restrictions), and grant controls (require MFA, require compliant device, require approved client app, require Hybrid Azure AD join). These capabilities are sufficient for most enterprise security baselines — enforcing MFA for all users, requiring compliant devices for sensitive app access, and blocking access from untrusted locations.

Risk-Based Conditional Access at P2

P2 adds risk-based signals to Conditional Access policies through Identity Protection. Risk-based Conditional Access policies can respond dynamically to real-time risk signals rather than static conditions. A P2 policy can require additional MFA or block access when sign-in risk is elevated — for example, when a sign-in originates from an anonymous IP, displays impossible travel, or uses leaked credentials. This dynamic response capability is the primary security improvement P2 provides over P1 Conditional Access, and it is the capability most often cited as justification for the P1-to-P2 upgrade in security-sensitive environments.
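To make the P1/P2 difference concrete, here is an added example (not code from the article or from Microsoft) that writes a static P1-style policy and a risk-based P2-style policy in the field layout of Graph conditionalAccessPolicy objects, then evaluates constructed sign-ins against them. The policies, the break-glass object id and the evaluator are all constructed simplifications of how the service matches a sign-in.

```python
"""Static (P1) versus risk-based (P2) Conditional Access, as a small evaluator.

Added example, not code from the article or from Microsoft. The two policies use
the field names of Graph conditionalAccessPolicy objects but are constructed, and
the evaluator is a simplified model of how the service matches a sign-in.
"""

BREAK_GLASS = "breakglass-account-id"  # placeholder objectId, always excluded

# P1-style policy: static conditions only (any user, any app, untrusted network).
P1_REQUIRE_MFA = {
    "displayName": "Require MFA outside trusted locations",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# P2-style policy: same shape plus an Identity Protection risk condition.
P2_BLOCK_HIGH_RISK = {
    "displayName": "Block high sign-in risk",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
        "applications": {"includeApplications": ["All"]},
        "signInRiskLevels": ["high"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Constructed sign-ins: only the fields the evaluator needs from a sign-in event.
SIGNINS = {
    "office": {"userId": "u1", "appId": "app1", "trustedLocation": True, "signInRisk": "none"},
    "remote": {"userId": "u1", "appId": "app1", "trustedLocation": False, "signInRisk": "low"},
    "remote_high_risk": {"userId": "u1", "appId": "app1", "trustedLocation": False, "signInRisk": "high"},
    "breakglass": {"userId": BREAK_GLASS, "appId": "app1", "trustedLocation": False, "signInRisk": "high"},
}

def policy_applies(policy, signin):
    """True when every condition of an enabled policy matches the sign-in."""
    c, users = policy["conditions"], policy["conditions"]["users"]
    if policy["state"] != "enabled" or signin["userId"] in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and signin["userId"] not in users["includeUsers"]:
        return False
    apps = c["applications"]["includeApplications"]
    if "All" not in apps and signin["appId"] not in apps:
        return False
    if "AllTrusted" in c.get("locations", {}).get("excludeLocations", []) and signin["trustedLocation"]:
        return False
    # Risk conditions exist only with Identity Protection (P2); absent means any risk matches.
    if "signInRiskLevels" in c and signin["signInRisk"] not in c["signInRiskLevels"]:
        return False
    return True

def evaluate(policies, signin):
    """Union the grant controls of all matching policies; block overrides everything."""
    controls = set()
    for p in policies:
        if policy_applies(p, signin):
            controls.update(p["grantControls"]["builtInControls"])
    if "block" in controls:
        return "block"
    return "+".join(sorted(controls)) if controls else "allow"
```

With only the P1 policy in force, the high-risk remote sign-in is treated exactly like a low-risk one (MFA is required); adding the P2 policy turns the same event into a block.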

"The most common Entra ID over-spending pattern we see is organisations buying P2 standalone for all users when only their privileged accounts — typically 15 to 25 percent of the total — actually need PIM and Identity Protection. Targeted P2 deployment saves 40 to 60 percent versus blanket P2 licensing."

Privileged Identity Management (PIM): What It Is and Who Needs It

PIM is one of the highest-value identity security capabilities Microsoft provides. It replaces permanently assigned privileged roles with time-limited, approval-gated, audited role activations. For any organisation with more than a handful of Azure AD or Azure RBAC privileged roles, PIM represents a material security improvement over standing access.

PIM Scope in Entra ID P2

Entra ID P2 PIM covers Azure AD directory roles (Global Admin, Exchange Admin, User Admin, Security Admin, and approximately 70 other built-in directory roles) and Azure resource roles (Owner, Contributor, and custom RBAC roles across Azure subscriptions and resources). Entra ID Governance adds PIM for Groups (just-in-time membership in security groups and Microsoft 365 groups).

A licensing point that frequently causes confusion: PIM licensing requirements apply to users who are eligible for or actively assigned to privileged roles — not to all users in the tenant. An organisation with 5,000 users and 50 privileged role holders needs Entra ID P2 for those 50 role holders, not for all 5,000 users, provided Identity Protection and Access Reviews are also scoped only to the same 50 users. In practice, most organisations need Identity Protection and Access Reviews more broadly than just privileged users — but the scoping principle is important for cost optimisation.
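The two audit checks this guide keeps returning to (standalone P1 bought on top of an M365 SKU that already includes it, and P2 seats compared with the users who actually hold privileged roles) can be run mechanically over Graph data. The following is an added example, not code from the article or from Microsoft: the SKU and user records mirror the shape of Graph's /subscribedSkus and /users responses but are constructed, the skuIds are placeholders, and the set of privileged principals stands in for what PIM eligibility and active assignment schedule instances would return.

```python
"""Entra ID licence audit over Graph-shaped sample data (constructed, offline).

Added example, not code from the article or from Microsoft. It applies two checks
the text describes: a standalone Entra ID P1 SKU assigned to a user whose M365 SKU
already carries the P1 service plan, and P2 seats compared against the users who
actually hold or are eligible for privileged roles.
"""

# Real service plan names Microsoft Graph reports for Entra ID P1 and P2.
P1_PLAN, P2_PLAN = "AAD_PREMIUM", "AAD_PREMIUM_P2"

# Constructed subset of a GET /subscribedSkus response; skuIds are placeholders.
SUBSCRIBED_SKUS = [
    {"skuId": "sku-e3", "skuPartNumber": "SPE_E3",
     "servicePlans": [{"servicePlanName": P1_PLAN}, {"servicePlanName": "EXCHANGE_S_ENTERPRISE"}]},
    {"skuId": "sku-e5", "skuPartNumber": "SPE_E5",
     "servicePlans": [{"servicePlanName": P1_PLAN}, {"servicePlanName": P2_PLAN}]},
    {"skuId": "sku-p1", "skuPartNumber": "AAD_PREMIUM",
     "servicePlans": [{"servicePlanName": P1_PLAN}]},
    {"skuId": "sku-p2", "skuPartNumber": "AAD_PREMIUM_P2",
     "servicePlans": [{"servicePlanName": P1_PLAN}, {"servicePlanName": P2_PLAN}]},
]

# Constructed subset of GET /users?$select=id,userPrincipalName,assignedLicenses.
USERS = [
    {"id": "u1", "userPrincipalName": "alice@example.com", "assignedLicenses": [{"skuId": "sku-e3"}, {"skuId": "sku-p1"}]},
    {"id": "u2", "userPrincipalName": "bob@example.com", "assignedLicenses": [{"skuId": "sku-e3"}]},
    {"id": "u3", "userPrincipalName": "carol@example.com", "assignedLicenses": [{"skuId": "sku-e3"}, {"skuId": "sku-p2"}]},
    {"id": "u4", "userPrincipalName": "dave@example.com", "assignedLicenses": [{"skuId": "sku-e3"}, {"skuId": "sku-p2"}]},
    {"id": "u5", "userPrincipalName": "erin@example.com", "assignedLicenses": [{"skuId": "sku-e5"}]},
]

# Constructed: principalIds that PIM eligibility and active role assignment schedule
# instances would return, i.e. the users who need P2 for PIM.
PRIVILEGED_PRINCIPALS = {"u2", "u3"}

def plans_by_sku(skus):
    """Map skuId -> set of service plan names the SKU provides."""
    return {s["skuId"]: {p["servicePlanName"] for p in s["servicePlans"]} for s in skus}

def redundant_p1_assignments(skus, users):
    """UPNs holding the standalone P1 SKU while another assigned SKU already grants P1."""
    plans = plans_by_sku(skus)
    standalone = {s["skuId"] for s in skus if s["skuPartNumber"] == "AAD_PREMIUM"}
    flagged = []
    for u in users:
        assigned = {lic["skuId"] for lic in u["assignedLicenses"]}
        other_p1 = any(P1_PLAN in plans[s] for s in assigned - standalone)
        if assigned & standalone and other_p1:
            flagged.append(u["userPrincipalName"])
    return flagged

def p2_scope_report(skus, users, privileged):
    """Compare who holds a P2 service plan with who needs it for PIM."""
    plans = plans_by_sku(skus)
    has_p2 = {u["id"] for u in users
              if any(P2_PLAN in plans[lic["skuId"]] for lic in u["assignedLicenses"])}
    return {
        "privileged_without_p2": sorted(privileged - has_p2),      # PIM use without a licence
        "p2_without_privileged_role": sorted(has_p2 - privileged),  # review: Identity Protection need?
        "p2_seats_assigned": len(has_p2),
        "p2_seats_needed_for_pim": len(privileged),
    }

if __name__ == "__main__":
    print("Redundant standalone P1:", redundant_p1_assignments(SUBSCRIBED_SKUS, USERS))
    print("P2 scoping:", p2_scope_report(SUBSCRIBED_SKUS, USERS, PRIVILEGED_PRINCIPALS))
```

Users surfaced under p2_without_privileged_role include E5 holders, whose P2 is bundled; they are a review list for the broader Identity Protection and Access Reviews scoping question, not an automatic removal list.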

PIM Deployment Considerations

The most common PIM deployment mistake is enabling PIM without defining the approval workflow and activation policy. PIM without a clear activation policy — who can approve, how long activations last, what justification is required — creates operational friction that causes privileged users to work around PIM rather than through it. PIM deployment requires an accompanying privileged access management policy that defines activation rules, approval chains, and monitoring procedures. The technology investment in PIM is wasted without the operational framework that makes it effective.

Entra ID and the M365 SKU Upgrade Decision

Because Entra ID P1 and P2 are bundled into M365 E3 and E5 respectively, the decision to upgrade M365 SKU tiers is often driven partly by identity capability requirements. Understanding the break-even analysis prevents both over-upgrading and under-licensing.

When Standalone P1 Makes Sense

If the organisation's primary M365 SKU is E1 and the only M365 gap is Conditional Access, purchasing standalone Entra ID P1 at $6 per user per month for the relevant users is significantly cheaper than upgrading all users to E3 at $36 per user per month. Standalone P1 is appropriate when the identity requirement is isolated and does not align with a broader need to upgrade the M365 SKU tier.

When the E3 Bundle Makes Sense

If the organisation is already on E1 and needs Conditional Access plus desktop Office apps plus advanced Exchange Online capabilities — all of which are in E3 — upgrading to E3 is commercially rational. The E3 bundle provides P1 as one of many capabilities included in a $36 per user per month licence. Paying $6 for standalone P1 on top of E1 to avoid upgrading to E3 only makes sense if E3's other capabilities are genuinely not needed — and in most enterprise environments, they are.

When Targeted P2 Beats the E5 Upgrade

For E3 organisations that need PIM and Identity Protection for a defined subset of users (typically 20 to 30 percent — privileged accounts, security team, IT administrators), purchasing standalone Entra ID P2 at $9 per user per month for those users is typically 40 to 70 percent cheaper than upgrading the entire organisation to M365 E5 at $57 per user per month. The E5 upgrade makes sense when the organisation also needs E5 Security (Defender for Endpoint P2, Defender for Identity), E5 Compliance (eDiscovery, Insider Risk Management), or Teams Phone System. If the only driver is P2 identity capabilities, targeted P2 licensing is almost always the better commercial choice.

The Entra Suite: Microsoft's Identity Platform Future Direction

The Microsoft Entra Suite represents Microsoft's strategic direction for enterprise identity — consolidating identity, network security, and access management into a single licensing bundle. The Entra Suite includes Entra ID P2 capabilities, Entra ID Governance, Entra Internet Access (cloud-based Secure Web Gateway replacing traditional proxy solutions), and Entra Private Access (Zero Trust Network Access replacing traditional VPN for application-level access). The complete Entra Suite is available as a standalone add-on or included in Microsoft 365 E7.

For organisations currently running a combination of Entra ID P2, a third-party SWG (Zscaler, Palo Alto Prisma, Netskope), and a legacy VPN solution, the Entra Suite TCO requires careful analysis. Microsoft positions the Entra Suite as a consolidation play — replacing multiple point products with an integrated platform. The consolidation economics depend on the negotiated pricing for current third-party solutions, the maturity and deployment timeline for Entra Internet Access and Private Access in production environments, and the total cost of transitioning from established security tools to Microsoft's emerging network security platform.

Seven Common Entra ID Licensing Mistakes

Buying standalone P1 when M365 E3 already includes it: This is the most frequent Entra ID over-licensing pattern. E3 includes P1. If you have E3, you do not need standalone P1.

Licensing P2 for all users when PIM is only needed for privileged accounts: PIM and Identity Protection can be licensed for the subset of users who actually need them. Blanket P2 for all users is rarely necessary and typically 40 to 60 percent more expensive than targeted deployment.

Accepting the E5 upgrade primarily for P2: If PIM and Identity Protection are the only drivers for an E5 upgrade consideration, standalone P2 at $9 per user per month for the affected users is substantially cheaper. E5 makes sense when multiple E5 capabilities are required together.

Deploying PIM without an operational framework: PIM without a defined activation policy, approval chain, and monitoring process creates compliance-bypassing behaviour. The technology deployment must be accompanied by operational procedures.

Not consuming Conditional Access policies included with E3: A surprisingly large proportion of M365 E3 organisations have Conditional Access available but have not deployed policies. Conditional Access is the highest-value P1 feature — failure to deploy it represents wasted licence value.

Ignoring Entra ID Governance when E5 is already deployed: E5 P2 does not include all Governance capabilities. Organisations with E5 who need Lifecycle Workflows, Entitlement Management, or PIM for Groups need to add Entra ID Governance separately unless they upgrade to E7.

Accepting E7 for Entra Suite without deployment planning: E7 includes the full Entra Suite, including Entra Internet Access and Private Access. These are early-to-mid maturity products that require significant deployment planning. Paying for E7 to access Entra Suite features without a realistic deployment timeline within the EA term represents shelfware risk identical to the E5 feature deployment problem.

Morten Andersen
Co-Founder, Redress Compliance

Morten Andersen is a Co-Founder of Redress Compliance and a specialist in Microsoft 365 licensing, Entra ID architecture, and enterprise identity governance. He has led 200+ Microsoft licensing engagements across EMEA and North America, working exclusively on the buyer side. Redress Compliance is Gartner recognised and has completed 500+ enterprise software licensing engagements.