The Four Entra ID Tiers
Microsoft Entra ID licensing has four tiers. There is a Free tier bundled with any Azure or Microsoft 365 subscription; Entra ID P1 at $6 per user per month; Entra ID P2 at $9 per user per month; and the broader Entra Suite at $12 per user per month, which wraps P2 together with ID Governance, Internet Access, Private Access and Verified ID. The Free tier covers basic single sign-on and user management; everything that makes identity an enterprise security control sits in the paid tiers. This identity layer is the foundation of the wider Microsoft estate, and getting the tier choice right shapes the cost of everything stacked above it.
The pricing looks simple, but the real decision is rarely "which tier should everyone get". It is "which users need which features" — because the paid tiers are priced per user and the premium capabilities are needed by very different proportions of the workforce.

| Tier | Price (per user/month) | Headline capability | Bundled in |
|---|---|---|---|
| Entra ID Free | $0 | Basic SSO, user management | Any M365 / Azure |
| Entra ID P1 | $6 | Conditional Access, SSPR, dynamic groups | M365 E3, F3, Business Premium |
| Entra ID P2 | $9 | Identity Protection, PIM | M365 E5 |
| Entra Suite | $12 | P2 + Governance, Internet/Private Access, Verified ID | — |

P1 vs P2: The Feature Split
The line between P1 and P2 is the most important one in the stack. P1 covers the identity features almost every organisation actually uses day-to-day: Conditional Access (the single most-deployed premium feature), self-service password reset, dynamic group membership, and hybrid identity with password write-back. For the large majority of users, P1 is the complete enterprise identity toolset.
P2 adds the risk-based capabilities on top: Identity Protection, which applies risk-based Conditional Access and automated remediation against suspicious sign-ins, and Privileged Identity Management (PIM), which provides just-in-time elevation and approval workflows for administrative roles. These are powerful — but they are security controls aimed at administrators and high-risk roles, not features the entire workforce exercises. That distinction is what makes estate-wide P2 such a common overpayment, and it is the same "tier to the need, not the headcount" discipline that governs security-operations spend in our Sentinel SIEM cost guide.
What E3 and E5 Already Include
The biggest Entra ID cost mistake is buying a tier you already own. Microsoft 365 E3, F3 and Business Premium all include Entra ID P1. Microsoft 365 E5 includes Entra ID P2. So an enterprise standardised on E5 already has P2 for every E5 user — and adding a standalone P2 line on top is a straight double purchase.
Adding standalone Entra ID P2 to a tenant that is already on Microsoft 365 E5 buys nothing — every E5 seat already includes P2. Double-purchase of bundled identity is one of the most common findings in a Microsoft licence review, and it persists for years because nobody re-checks what the suite already covers.
The same logic applies in regulated and public-sector tenants, where SKU availability differs: organisations on Microsoft 365 Government plans need to confirm which Entra tier their specific government SKU bundles before adding anything. And because identity increasingly underpins privacy and data-subject controls, the boundary between Entra governance and Microsoft Priva privacy licensing should be mapped at the same time, so the same control is not licensed twice across two product lines.
Tiering by Role, Not Estate
The cost lever in Entra ID is mixed licensing. Microsoft requires that any user benefiting from a premium feature is licensed for it — but it permits, and effectively expects, that you assign tiers by role. The efficient pattern for most enterprises is P1 (or the P1 already bundled in E3) across the general workforce to deliver Conditional Access everywhere, with P2 assigned only to administrators, finance, executives and other high-risk roles that genuinely need Identity Protection and PIM. For a 10,000-user organisation, restricting P2 to the 500 roles that need it rather than the whole estate is the difference between roughly $54,000 and $1.08M a year in incremental identity spend.
This requires governance — you must be able to demonstrate that only P2-licensed users benefit from P2 features — but that governance is exactly what Identity Protection and PIM are designed to provide. Done properly, the control pays for the licence discipline.
Buying Entra ID Well
Entra ID is rarely bought as a standalone line in a serious enterprise negotiation — it is bundled into the Microsoft 365 decision, which is where the leverage lives. If you are standardising on E5 for security and compliance reasons, P2 comes along for the whole population and the marginal identity decision disappears. If you are on E3 and need P2 only for a subset, negotiate the add-on volume against your committed Microsoft 365 base rather than at list. Either way, the identity tier belongs in the EA conversation, sized to role and benchmarked against what comparable enterprises pay — the approach set out in the Microsoft Enterprise Agreement Guide and anchored by the data in the Microsoft vendor intelligence hub.
Before your next renewal, audit which users actually benefit from P2 features and confirm what your existing suites already include. To pressure-test your identity tiering against current benchmarks, request a confidential briefing — over-licensed P2 is one of the fastest savings to capture in the entire Microsoft estate.