Understanding Microsoft Entra ID P1 and P2 licenses
Updated: August 2025 – Companies that use Microsoft Entra ID productively will sooner or later face the decision of whether they need the P1 or P2 license level. Both models significantly expand the basic functions and enable secure, scalable, and centrally controllable management of user identities. Many organizations prefer P1 because this license already offers a wide range of functions. With P2, Microsoft addresses additional requirements relating to access security, risk detection, and comprehensive governance.
This article details and categorizes the functional differences between P1 and P2 and explains what other components are included in the Microsoft Entra Suite. We also introduce our cloud service DynamicSync, which enables advanced and cost-effective dynamic group synchronization – features not found in the standard Microsoft solution.
From basic to premium: Getting started with Entra ID P1 and P2
Basic features in Microsoft 365: What you can do without an additional license
In addition to the P1 and P2 license levels, Microsoft offers a free version of Entra ID. This is included in Microsoft 365 or Office 365 subscriptions and forms the basis for user and group management within these services.
Technically speaking, this is a stripped-down version that is licensed through existing Microsoft subscriptions. Premium features are not included. The functionality is sufficient to create user accounts, connect to applications, and enforce basic security policies.
Those who require additional features can upgrade at any time. Microsoft offers a 30-day trial of the premium features for up to 100 users.
Why upgrading to P1 or P2 may be necessary
In the Entra ID Free version, multi-factor authentication is only possible via predefined security settings, known as security defaults. These activate MFA across the board for all users, block outdated protocols such as IMAP or POP3, and require MFA for administrative access. Differentiated control of these settings is not possible in the Free version.
Customizations such as device-dependent conditions, segmented user groups, or app-specific requirements are only available in P1 or P2. The integrated reports are also severely limited in the free version, both in terms of scope and retention period.
Licensing model, administration, and costs at a glance
All license levels are managed centrally via the Entra Admin Center. There, you can activate trial licenses, control user permissions, and flexibly switch license types. If a company chooses P1 or P2, licensing is for a full year. Many companies start with Entra ID P1 for all users and then expand to P2 for privileged accounts, administrators, or roles that require special protection.
There are significant price differences between the models. The free version does not incur any additional costs as it is included in the Microsoft 365 subscription. Entra ID P1 costs around €5.60 per user per month. For P2, you should budget around €8.40. Both premium versions include a guaranteed service availability of 99.9 percent. (As of July 2025, see also Microsoft’s official price list)
👉 The P2 feature set includes all P1 features; dual licensing is not required.
Whether the additional cost for P2 is justified depends largely on the security and governance requirements of the organization. P2 offers advanced protection mechanisms, detailed reports, and complete control over privileged access. Organizations with increased security needs, audit requirements, or hybrid infrastructures should specifically plan for the advanced features of P2. The gain in control and transparency can deliver measurable value in security-critical areas.
Features common to P1 and P2
Entra ID P1 builds on the free version and adds key features such as conditional access, dynamic group management, advanced reporting and self-service password reset for cloud and hybrid identities.
👉 Many companies start with P1 as their standard configuration and expand to P2 as their protection needs grow.
Both license models offer:
🔐 Access control and authentication
- Full access to conditional access with context-based rules (e.g., location, device status, or app sensitivity).
- Control session lifetime through token policies and re-authentication requirements
- Centrally managed access restrictions for SharePoint
- Protection for global passwords, including user-defined block lists and management of synchronized passwords from local Active Directories

Conditional access is generally available with a Microsoft Entra ID P1 license, but only in its basic scope, e.g., for access to cloud applications, MFA conditions, device status, location, etc.
👥 User and group management
- Dynamic groups with rules for group membership, naming guidelines, and classifications
- Role-based access control (RBAC) enables the assignment of granular permissions based on defined responsibilities
- Functions for self-service password reset, account unlocking, and phone number management by defined employee roles
- Support for cross-tenant scenarios, including synchronization and multi-tenant capability
📊 Reports, monitoring and transparency
- Advanced reports on logins, policy violations, and security status (with 30 days of data retention)
- Integrity alerts and access analytics
- Central access to all apps via the “My Apps” portal, including user application collections
Governance and automation features only in P2
Real-time identity protection and privileged access management
The Microsoft Entra ID P2 license includes all features from Free and P1 and extends them, particularly in the areas of security automation, privileged access control, and identity governance:
Entra ID Protection dynamically evaluates sign-ins in real time. Suspicious activities, such as “impossible travel” — for example, signing in in London followed by another sign-in in New York just a few minutes later — are automatically classified as risky. Other risk criteria include:
- Logins from unknown countries
- Use of compromised passwords (dark web leaks)
- Deviating user behavior
In such cases, Microsoft may automatically take measures such as:
- Enforcing multi-factor authentication (MFA)
- Blocking access
- Initiating a password reset

Microsoft Entra ID P2 includes advanced security and governance features. Key features include Microsoft Entra ID Protection (Identity Protection).
Another key element in P2 is Privileged Identity Management (PIM). Instead of permanent administrative permissions, users are granted temporary extended rights – subject to prior approval and only for a defined period of time. These rights must be activated, justified, and logged. The entire process can be documented in an audit-proof manner. This significantly reduces the attack surface, especially for external service providers or project-related roles.
Advanced reporting, automated permission management, and compliance
P2 also offers advanced security reporting and protection features:
- Comprehensive security reports with more metrics for risk assessment
- More detailed recommendations for threat mitigation
- Token protection and protection against session hijacking
- Adaptive session control
These features are only available in P2.
P2 also expands the range of functions to include automated authorization management and traceability of access chains. Automated user provisioning is possible for both SaaS applications and local systems. Group provisioning for applications can be defined via central policies. HR systems such as SAP SuccessFactors or Workday can be integrated to control the entire identity lifecycle. Terms of use can be stored, assigned, and verified in a standardized format.
P2 contains complete access certification. Standardized testing procedures are supplemented by machine learning-based recommendations. This allows orphaned or unused permissions to be identified and revoked at an early stage. Standard permission management is also included in full. Extensions via Microsoft Azure Logic Apps enable customized processes for role assignment.
Integration of Microsoft Entra Verified ID for secure identity verification
P2 also includes the ability to create verifiable identity credentials with Verified ID. Features include:
- Issuance of verifiable credentials
- Validation via highly secure biometric facial recognition
- Up to eight checks per month per license
These functions are particularly relevant in security-critical areas such as government, healthcare, and finance.

Integration with Microsoft Entra Verified ID allows access rights to be validated using verifiable proof of identity.
Comparison for quick reference
This table provides a clear overview of the license levels and helps you classify the features:
| Function/Feature | Entra ID Free | Microsoft Entra ID P1 | Microsoft Entra ID P2 |
|---|---|---|---|
| Target group | Basic users, M365 customers | Companies with hybrid environments | Organizations with high security & governance requirements |
| License costs (approx. per user/month, as of 2025) | Inclusive in M365 | approx. 5.60 EUR/user/month | approx. 8.40 EUR/user/month |
| User and group management | User and group management in the cloud | Includes all free features + Dynamic group memberships + Advanced group management | Includes all P1 features |
| Directory synchronization | Local directory synchronization (e.g., Microsoft Entra Connect) | Includes all free features | Includes all P1 features |
| Single sign-on (SSO) | Single sign-on (SSO) for Entra, Microsoft 365, and many SaaS apps | Includes all free features | Includes all P1 features |
| Self-service password reset | Available for cloud users | Extension with write-back function for local users | Includes all P1 features |
| Multi-factor authentication (MFA) | MFA supported for global administrators (e.g., Microsoft Authenticator app); Only Authenticator as second factor (no SMS or calls) | Extended MFA, e.g. telephone calls and SMS as a second factor | Includes all P1 features + Automated, risk-based MFA |
| Conditional access | ❌ | Creation and use of CA policies (without risk identification) | Risk-based conditional access including dynamic risk assessment |
| Identity Protection (Risk assessment) | ❌ | Very limited risk alerts without details and automated response | Complete Entra ID Protection with real-time risk assessment, risk alerts, automatic responses (MFA, access lock, password reset) |
| Privileged Identity Management (PIM) | ❌ | ❌ | Full PIM functionality: temporary, approved role assignment, auditing, and logging |
| Security reports & monitoring | Simple reports on user and login activity | Basic reports | Advanced security reports with in-depth risk analysis and recommendations |
| Automation & provisioning | ❌ | Restricted user and group provisioning | Automated user provisioning including HR system integration, workflow extensions |
| Session protection & token protection | ❌ | ❌ | Protection against session hijacking, token protection, adaptive session control |
| Verified ID (Facial verification) | ❌ | ❌ | Issuance and validation of verifiable identity credentials including biometric facial recognition |
| Zero trust network capabilities (Entra Private Access) | ❌ | ❌ | Complete zero trust architecture for private apps and networks with conditional access |
| Expandability & integration | Basic features | Extended | Extendable with Azure Logic Apps, integration with third-party tools |
Microsoft Entra Suite: Extending identity security beyond P1 and P2
The Microsoft Entra Suite is a higher-level product family that bundles various security and access management solutions for cloud and on-premises environments. It goes well beyond the individual P1 and P2 license levels and integrates key Microsoft Entra products into a unified platform.
A Microsoft Entra ID P1 license is required to use Entra Suite. However, many components are also included in P2 or are extended by the suite. The individual components can be licensed separately, but offer pricing advantages and coordinated integration when purchased as a package.
As a complete package, the Entra Suite bundles five major functional areas (Microsoft licensing, as of mid-2025):
- Entra Private Access (zero trust network access, e.g. as a VPN replacement)
- Entra Internet Access (protected access to Internet services/SaaS)
- Entra ID Governance (role & authorization management, identity lifecycle, access recertification)
- Entra ID Protection (risk-based access control, real-time monitoring)
- Entra Verified ID Premium (verifiable identity credentials, including Face Check)

Global Secure Access in the Microsoft Entra Suite combines the Microsoft Entra Internet Access and Microsoft Entra Private Access components in a single dashboard in the Microsoft Entra Admin Center.
A central element is Entra Private Access. This service replaces traditional VPN solutions with a zero-trust network architecture. Access to internal applications is identity-based via the Global Secure Access client, without a direct network connection between the client and the application. At the same time, Entra Internet Access offers cloud-based web access control with content filtering. Policies can secure all internet traffic without routing it through central firewalls or local networks.
Microsoft designed the Entra Suite for organizations that already use Entra ID and require additional network security, identity validation, or cross-cloud access control.
DynamicSync – Advanced dynamic group synchronization for Microsoft Entra ID
DynamicSync is an independent cloud service from FirstAttribute that technically extends the native group management capabilities of Microsoft Entra ID.
👉 Especially powerful: DynamicSync can synchronize different group types in Entra ID – for example, distribution groups into M365 groups or M365 groups into security groups. This keeps memberships automatically up to date and allows them to be flexibly adapted to different use cases.
While Microsoft’s dynamic groups offer limited capabilities (depending on the license level), DynamicSync enables advanced, nested filter queries of up to 50 filters.
DynamicSync processes synchronized Active Directory groups in the cloud and transfers their members to M365 groups. This feature is particularly useful for hybrid environments with extensive on-premises management. Administrators retain their familiar centralized control, while DynamicSync reliably keeps cloud memberships up to date.
💡Since DynamicSync works independently of Microsoft’s Entra ID P1 or P2 licenses, it offers a cost-effective alternative or supplement to Microsoft’s limited native features — especially for complex and nested group structures or when P2 license options are not available. The solution also automatically integrates Microsoft Teams and other M365 group management scenarios.
Conclusion
Entra ID Free covers basic identity management functions, is included in most Microsoft cloud subscriptions, and provides essential basic protection and SSO.
The Microsoft Entra ID P1 license is suitable for organizations that need dynamic access control and basic security features in a hybrid environment. P2 addresses complex scenarios with high regulatory requirements, external auditor expectations, and extensive requirements for traceability, automation, and least privilege principles. You can mix licenses, equipping privileged users with P2 while securing standard users with P1.
DynamicSync provides companies with maximum flexibility and automation in dynamic group management, significantly exceeding Microsoft’s native limitations and enabling the synchronization of different group types in Microsoft Entra ID. This allows complex authorization and communication structures to be mapped efficiently and securely – with reduced administrative effort and optimized costs.





