Microsoft Entra ID (formerly Azure Active Directory) comes in four tiers: Free, P1, P2, and Entra Suite. Most organisations end up choosing between P1 and P2, but the differences are significant — and the wrong choice can either leave you paying for features you don't need or missing critical security controls.
You will also see these licences written as Entra ID Plan 1 and Plan 2, or under their older names Azure AD Premium P1 and P2 — they all refer to the same two plans compared here.
This guide covers every feature difference between P1 and P2, the three exclusive P2 capabilities that matter most, which Microsoft 365 plans include each tier, and how to decide which license is right for your environment.
Quick answer: Entra ID P1 covers Conditional Access, dynamic groups, hybrid identity, and self-service password reset. Entra ID P2 adds Identity Protection (risk-based access), Privileged Identity Management (PIM), and Identity Governance. If you have admin accounts, compliance requirements, or need to detect compromised identities automatically — you need P2.
Pricing: Entra ID P1 vs P2
| Plan | Standalone price | Included in |
|---|---|---|
| Entra ID Free | Included with Azure / M365 subscriptions | Any Azure AD / M365 tenant |
| Entra ID P1 | $6.00 per user / month | Microsoft 365 E3, EMS E3, Microsoft 365 Business Premium |
| Entra ID P2 | $9.00 per user / month | Microsoft 365 E5, EMS E5 |
| Microsoft Entra Suite | +$12.00 per user / month (add-on) | Requires an Entra ID P1 base licence |
P2 costs $3 more per user per month than P1 — a 50% premium. For a 200-person organisation that's $600/month extra. Whether that's worth it depends entirely on whether you need the three P2-exclusive feature pillars covered below.
Check current pricing directly at Microsoft Entra Pricing as Microsoft periodically adjusts licensing.
Microsoft Entra ID P1 vs P2: Full Feature Comparison
The table below covers every major feature category. "✅" means included, "❌" means not available in that tier.
Core Identity & Access Management
| Feature | Free | P1 | P2 |
|---|---|---|---|
| User and group management | ✅ | ✅ | ✅ |
| Cloud-only SSO (up to 10 apps per user) | ✅ | ✅ | ✅ |
| Unlimited cloud SSO (all apps) | ❌ | ✅ | ✅ |
| Azure AD Application Proxy (on-prem app publishing) | ❌ | ✅ | ✅ |
| B2B collaboration (guest users) | ✅ | ✅ | ✅ |
| Dynamic groups (membership rules) | ❌ | ✅ | ✅ |
| Group-based application access | ❌ | ✅ | ✅ |
| Self-service group management | ❌ | ✅ | ✅ |
| Custom company branding (login pages) | ❌ | ✅ | ✅ |
| Hybrid identity (Azure AD Connect sync) | ❌ | ✅ | ✅ |
| Microsoft Identity Manager (on-prem) | ❌ | ✅ | ✅ |
| Cloud app discovery (app usage visibility) | ❌ | ✅ | ✅ |
Multi-Factor Authentication (MFA)
| Feature | Free | P1 | P2 |
|---|---|---|---|
| MFA for Microsoft admin portals | ✅ | ✅ | ✅ |
| MFA for all cloud apps (via Conditional Access) | ❌ | ✅ | ✅ |
| MFA for on-premises apps | ❌ | ✅ | ✅ |
| Passwordless authentication (FIDO2, Windows Hello) | ✅ | ✅ | ✅ |
| Combined MFA and SSPR registration | ❌ | ✅ | ✅ |
Self-Service Password Reset (SSPR)
| Feature | Free | P1 | P2 |
|---|---|---|---|
| SSPR for cloud-only users | ✅ | ✅ | ✅ |
| SSPR with on-premises writeback | ❌ | ✅ | ✅ |
| Customised authentication methods for SSPR | ❌ | ✅ | ✅ |
Conditional Access
| Feature | Free | P1 | P2 |
|---|---|---|---|
| Basic Conditional Access (location, device, app) | ❌ | ✅ | ✅ |
| Named locations and IP ranges | ❌ | ✅ | ✅ |
| Compliant device enforcement | ❌ | ✅ | ✅ |
| Application-based Conditional Access | ❌ | ✅ | ✅ |
| Terms of use enforcement | ❌ | ✅ | ✅ |
| Risk-based Conditional Access (sign-in risk) | ❌ | ❌ | ✅ |
| Risk-based Conditional Access (user risk) | ❌ | ❌ | ✅ |
| Authentication context (step-up auth) | ❌ | ❌ | ✅ |
| Token protection | ❌ | ❌ | ✅ |
| Device and application filters | ❌ | ❌ | ✅ |
Note on the Free tier: Entra ID Free does not include the Conditional Access policy engine, but it does include Security Defaults — a tenant-wide toggle that enforces MFA for all users and blocks legacy authentication. Security Defaults is all-or-nothing; Conditional Access (P1) is what lets you build granular, targeted policies.
Identity Protection (P2 Exclusive)
| Feature | Free | P1 | P2 |
|---|---|---|---|
| Risky user detection | ❌ | ❌ | ✅ |
| Risky sign-in detection | ❌ | ❌ | ✅ |
| Risk event investigation | ❌ | ❌ | ✅ |
| Vulnerability and exposure reporting | ❌ | ❌ | ✅ |
| Export risk data to SIEM | ❌ | ❌ | ✅ |
Identity Governance (P2 Exclusive)
| Feature | Free | P1 | P2 |
|---|---|---|---|
| Access reviews (manual) | ❌ | ❌ | ✅ |
| Access reviews (ML-assisted) | ❌ | ❌ | ✅ |
| Entitlement management | ❌ | ❌ | ✅ |
| Entitlement management – separation of duties | ❌ | ❌ | ✅ |
| Entitlement management with Verified ID | ❌ | ❌ | ✅ |
| Lifecycle workflows (joiner/mover/leaver) | ❌ | ❌ | ✅ |
| Identity governance dashboard | ❌ | ❌ | ✅ |
| Self-service entitlement management (My Access portal) | ❌ | ❌ | ✅ |
Privileged Identity Management — PIM (P2 Exclusive)
| Feature | Free | P1 | P2 |
|---|---|---|---|
| Just-in-time privileged access | ❌ | ❌ | ✅ |
| Time-bound role assignments | ❌ | ❌ | ✅ |
| Approval workflows for role activation | ❌ | ❌ | ✅ |
| MFA on activation | ❌ | ❌ | ✅ |
| Justification required on activation | ❌ | ❌ | ✅ |
| Notification on privileged role activation | ❌ | ❌ | ✅ |
| Access reviews for Azure AD roles | ❌ | ❌ | ✅ |
| Access reviews for Azure resource roles | ❌ | ❌ | ✅ |
| Audit history for privileged roles | ❌ | ❌ | ✅ |
What You Get with Entra ID P1
P1 is a substantial upgrade over Free and covers the identity needs of most small to mid-sized organisations. Here is what P1 adds:
Conditional Access
This is the core reason most organisations choose P1. Conditional Access lets you build policies that evaluate signals — user identity, device compliance, location, application being accessed — and enforce controls like requiring MFA or blocking access entirely.
With P1 Conditional Access you can:
- Require MFA for specific apps or all apps
- Block access from non-compliant devices (requires Intune)
- Restrict access to trusted locations only
- Enforce different policies per user group or application
- Require agreed Terms of Use before accessing resources
What P1 cannot do with Conditional Access: it cannot automatically detect that a sign-in looks risky and respond to it. That requires P2's Identity Protection.
Dynamic Groups
Instead of manually adding and removing users from groups, dynamic groups use attribute-based rules — department -eq "Finance", jobTitle -contains "Manager", extensionAttribute1 -eq "Contractor". Users are automatically added or removed as their attributes change. For the exact rule syntax and how to query these groups with PowerShell, see our guide on dynamic membership rules.
This is essential for automated access management in growing organisations and for keeping app assignments, licence assignments, and Intune device policies accurate without manual effort.
Hybrid Identity and SSPR with Writeback
P1 includes Microsoft Identity Manager (MIM) CAL usage rights and the Azure AD Connect features required to sync on-premises Active Directory accounts to Entra ID. (The MIM CAL is covered by P1, but running a MIM server still needs separate Windows Server and SQL Server licences.) Self-service password reset with on-premises writeback lets users reset their password from any browser and have it sync back to the on-prem domain controller — reducing helpdesk calls significantly.
Azure AD Application Proxy
Publish on-premises web applications securely without a VPN by using Application Proxy. Remote users authenticate through Entra ID and are proxied to the on-prem app. This works with pre-authentication (Entra ID validates the user first) and supports Conditional Access policies.
What You Get with Entra ID P2 (P2-Exclusive Features)
P2 includes everything in P1 and adds three distinct capability areas. These are not incremental improvements — they are entirely new tools that address specific security and compliance scenarios.
1. Identity Protection
Identity Protection continuously analyses sign-in and user behaviour using Microsoft's threat intelligence signals (sourced from billions of sign-ins across the Microsoft cloud). It produces a risk score for each sign-in and each user account.
Sign-in risk reflects the probability that a given authentication was not performed by the account owner — for example, a sign-in from a Tor exit node, an anonymous IP, or an unusual location compared to recent sign-in history.
User risk reflects the probability that an account is compromised — for example, leaked credentials appearing in dark web breach databases, or suspicious activity patterns over time.
With P2 and risk-based Conditional Access, you can build policies such as:
- If sign-in risk is Medium or High → require MFA
- If user risk is High → block access and require password reset
- If sign-in risk is Low → allow without MFA
This is fundamentally different from standard P1 Conditional Access, which only responds to attributes you configure manually (like location or device state). P2 responds to live threat signals automatically.
Other Identity Protection capabilities include:
- Risky Users report — list of all accounts currently flagged as at risk
- Risky Sign-ins report — all authentication events flagged as suspicious
- Risk event investigation — drill into specific events to understand why they were flagged
- SIEM export — stream risk data to Microsoft Sentinel or a third-party SIEM via Diagnostic Settings
2. Privileged Identity Management (PIM)
PIM is for organisations that have users with elevated permissions — Global Administrators, Exchange Admins, SharePoint Admins, Azure Subscription Owners, and similar roles.
Without PIM, these roles are permanent — a compromised account with a Global Admin role has that power 24/7. With PIM, privileged roles become eligible rather than active. When the admin needs to perform a privileged task, they must:
- Open the PIM portal and request role activation
- Provide a business justification
- Approve the request (if an approval workflow is configured)
- Complete MFA before activation
- The role activates for a defined time window (e.g. 1 hour, 4 hours)
- The role automatically deactivates when the window expires
This reduces the standing privilege attack surface dramatically. A compromised account that has never activated a role has no elevated permissions in the environment.
PIM also provides:
- Access reviews for privileged roles — periodic reviews where role owners must confirm each assignment is still needed
- Alerts — notifications when roles are activated outside of normal patterns
- Full audit history — every activation, approval, and denial logged
3. Identity Governance
Identity Governance is for organisations with compliance requirements around who can access what, and proving that access is legitimate.
Access reviews allow you to schedule recurring reviews of group memberships, application assignments, or Azure resource role assignments. Reviewers (managers, resource owners, or the users themselves) are notified and asked to confirm whether access is still needed. Users who are not reviewed or denied access are automatically removed.
Entitlement management lets you create access packages — bundles of resources (groups, applications, SharePoint sites) that users can request access to through a self-service portal (My Access). You define:
- Who can request (employees only, specific departments, external guests)
- Who approves the request
- How long access lasts before it must be renewed
- Whether access requires a policy justification
Lifecycle workflows automate common HR-driven tasks:
- Joiner — when a new user account is created, automatically add them to the right groups and assign the right applications
- Mover — when a user changes department, update their group memberships
- Leaver — when a user's account is disabled, remove licences, revoke sessions, and offboard from applications
Which Microsoft 365 Plan Includes Entra ID P1 or P2?
| Microsoft 365 Plan | Entra ID Tier Included |
|---|---|
| Microsoft 365 Business Basic | Free |
| Microsoft 365 Business Standard | Free |
| Microsoft 365 Business Premium | P1 |
| Microsoft 365 F1 / F3 | P1 |
| Microsoft 365 E3 | P1 |
| Microsoft 365 E5 | P2 |
| EMS E3 (Enterprise Mobility + Security) | P1 |
| EMS E5 | P2 |
| Office 365 E1 / E3 / E5 | Free only |
Important: Office 365 plans (E1, E3, E5) do not include Entra ID P1 or P2. You need Microsoft 365 (not Office 365) or a standalone Entra ID licence.
If your organisation is already on Microsoft 365 E3, you already have P1 at no additional cost — check whether you are using all of its Conditional Access and dynamic group capabilities before purchasing P2.
If you are on Microsoft 365 E5, you already have P2 included — ensure PIM and Identity Protection are configured.
Entra ID Free vs P1 vs P2: Summary
| Scenario | Free | P1 | P2 |
|---|---|---|---|
| Basic SSO and user management | ✅ | ✅ | ✅ |
| Passwordless authentication | ✅ | ✅ | ✅ |
| Require MFA for all apps | ❌ | ✅ | ✅ |
| Block access from unmanaged devices | ❌ | ✅ | ✅ |
| Dynamic group membership | ❌ | ✅ | ✅ |
| Sync on-prem AD with password writeback | ❌ | ✅ | ✅ |
| Publish on-prem apps without VPN | ❌ | ✅ | ✅ |
| Respond to compromised sign-ins automatically | ❌ | ❌ | ✅ |
| Detect leaked credentials | ❌ | ❌ | ✅ |
| Just-in-time admin access (PIM) | ❌ | ❌ | ✅ |
| Access reviews for compliance | ❌ | ❌ | ✅ |
| Automate joiner/mover/leaver workflows | ❌ | ❌ | ✅ |
When Do You Need P2? Real-World Scenarios
You need P2 if any of the following apply:
Scenario 1 — You have privileged admin accounts Any tenant with Global Admins, Exchange Admins, Azure Subscription Owners, or similar roles should implement PIM. Standing admin access is the single most common vector for lateral movement after an initial account compromise. PIM eliminates standing access at the cost of $3/user/month for affected accounts — you can licence only the users who need PIM, not the entire tenant.
Scenario 2 — You have compliance requirements (ISO 27001, SOC 2, HIPAA, Cyber Essentials Plus) Access reviews are a direct control for demonstrating that access is authorised and periodically recertified. Auditors will ask "how do you know the people with access to X still need it?" Access reviews give you a defensible answer with exported reports.
Scenario 3 — You want automatic response to account compromise If a user's credentials are leaked in a breach and appear on the dark web, Identity Protection flags the user as high risk and can automatically block their access or force a password reset — without any human intervention. P1 cannot do this because it cannot detect compromise signals; it only enforces policies you pre-configure.
Scenario 4 — External users and contractors need time-limited access Entitlement management lets you create access packages that expire after 30, 60, or 90 days and require the user to request renewal. This prevents the classic problem of contractor accounts accumulating permanent access over years.
P1 is sufficient if:
- You primarily need MFA enforcement across your apps
- You want Conditional Access based on device compliance and location
- You have hybrid identity requirements (sync with on-prem AD)
- You are a small business without dedicated admins or compliance mandates
- You are already on Microsoft 365 E3 and have not yet fully used P1 features
How to Check Your Current Entra ID Licence
- Sign in to the Microsoft Entra admin centre
- Go to Identity > Overview
- The licence tier is shown under Tenant info
Alternatively, in the Microsoft 365 admin centre:
- Go to Billing > Licences
- Find "Microsoft Entra ID P1" or "Microsoft Entra ID P2" in the list
- Check assigned vs. available quantities
Frequently Asked Questions
Is Microsoft Entra ID the same as Azure Active Directory?
Yes. Microsoft rebranded Azure Active Directory (Azure AD) to Microsoft Entra ID in July 2023. The feature set, licensing tiers, and PowerShell modules are the same — only the name changed. "Azure AD P1" and "Entra ID P1" refer to exactly the same licence.
What is the difference between Entra ID P1 and P2?
Entra ID P2 adds three capabilities not available in P1: Identity Protection (automated detection and response to compromised accounts), Privileged Identity Management or PIM (just-in-time admin access with approval workflows), and Identity Governance (access reviews, entitlement management, and lifecycle workflows). Everything in P1 is included in P2.
Do I need P2 for Conditional Access?
No. Standard Conditional Access is included with P1 and covers location-based, device compliance, and app-based policies. You only need P2 for risk-based Conditional Access — policies that respond to sign-in risk or user risk signals generated by Identity Protection.
What is Privileged Identity Management (PIM) and why does it need P2?
PIM replaces permanent admin role assignments with just-in-time access. Instead of having Global Admin access 24/7, an administrator must activate their role when needed, providing a justification and completing MFA. The role deactivates automatically after a defined window. This reduces the attack surface significantly and is exclusively available with the P2 licence.
Is Entra ID P2 included in any Microsoft 365 plans?
Yes. Entra ID P2 is included in Microsoft 365 E5 and EMS E5 (Enterprise Mobility + Security E5). Entra ID P1 is included in Microsoft 365 E3, Microsoft 365 F1/F3, Microsoft 365 Business Premium, and EMS E3. Standard Office 365 plans (E1, E3, E5) include only Entra ID Free.
Can I assign P2 to only some users instead of the whole organisation?
Yes. Entra ID licences are assigned per user. You can assign P2 to only your administrators or specific security-sensitive roles, and keep the rest of your users on P1. PIM specifically only needs to be licensed for users who hold eligible roles, not the entire tenant.
Can I upgrade from P1 to P2 without losing existing configuration?
Yes. Upgrading from P1 to P2 preserves all existing Conditional Access policies, user settings, and group configurations. The upgrade simply makes the additional P2 features available in the portal. No migration is required.
What is Entra ID Identity Protection?
Identity Protection is a P2 feature that uses Microsoft's global threat intelligence to assign risk scores to sign-ins and user accounts. It can detect leaked credentials, anonymous IP sign-ins, atypical travel (signing in from London and New York within 30 minutes), and dozens of other signals. You can configure Conditional Access policies that respond to these risk scores automatically — for example, requiring a password reset if a user's credentials appear in a known breach.
What is the difference between Entra ID P1 and Entra ID Free?
Entra ID Free includes basic user and group management, SSO for up to 10 apps per user, basic MFA for admin portals, and B2B guest access. Entra ID P1 adds unlimited SSO, Conditional Access, dynamic groups, hybrid identity with password writeback, Azure AD Application Proxy, and the full MFA capability set for all cloud and on-premises applications.
Which service bridges on-premises AD DS with Microsoft Entra ID?
Microsoft Entra Connect (formerly Azure AD Connect) is the service that bridges on-premises identity stores like Active Directory Domain Services (AD DS) with Microsoft Entra ID. It synchronises users, groups, and password hashes to the cloud so people use the same credentials on-premises and online. Hybrid identity sync is available from Entra ID P1 upward, and P1 also adds self-service password reset with writeback to the on-premises domain controller.
What is entitlement management in Entra ID P2?
Entitlement management is a P2 feature that lets you define access packages — collections of resources (groups, applications, SharePoint sites) bundled together. Users request access through the My Access self-service portal. Administrators define who can request access, who must approve, and how long the access lasts before requiring renewal. This replaces manual provisioning workflows and creates a documented, auditable trail of access decisions.
Is Microsoft Entra ID P1 enough for a company with 50 employees?
For most 50-person organisations, P1 is sufficient. It provides MFA enforcement via Conditional Access, dynamic groups, device compliance policies (when combined with Intune), and self-service password reset with on-premises writeback. You would only need P2 if you have compliance requirements requiring access reviews, admin accounts that should be PIM-protected, or you want automated response to compromised credentials.