Summary
Microsoft Entra ID Licensing Guide
Key Takeaways
Microsoft Entra is not a single product. It is a family of identity and network access products spanning cloud identity management, secure web gateways, Virtual Private Network (VPN) replacement, identity governance, workload identity, external identity, and agent identity. Each has its own licensing model, and the costs add up quickly.
Every Microsoft 365, Azure, and Dynamics 365 tenant already has Entra ID Free, which covers basic user management, directory sync, and security defaults with multi-factor authentication (MFA) via Authenticator only. There is no Conditional Access at the Free plan, which means Office 365 customers have significantly weaker identity security than Microsoft 365 customers unless they buy add-ons.
Entra ID P1 ($6/user/month) is included in Microsoft 365 E3, F1, F3, and Business Premium. It unlocks Conditional Access, granular MFA controls, and Application Proxy. P2 ($9/user/month) adds risk-based Conditional Access, Privileged Identity Management (PIM), and basic access reviews, and is included in Microsoft 365 (M365) E5.
The Entra Suite costs $12/user/month and undercuts its own components. It bundles ID Protection, full ID Governance, Internet Access, Private Access, and Verified ID premium. Buying these components individually would cost at least $17 on a P1 base, or $23 if starting from standalone P2.
M365 E7 ($99/user/month, generally available 1 May 2026) is the first M365 plan to include the complete Entra Suite. All previous plans top out at P1 (E3) or P2 (E5). E7 adds the full governance, network access, and agent identity layers.
Entra Workload ID Premium ($3/workload/month) is not included in any M365 plan, Entra Suite, or bundle. Every organisation with service principals or applications needing Conditional Access must purchase this separately.
Governance licensing counts users who could use the feature, not users who actually do. If 2,000 employees can request access packages, you need 2,000 licences even if only 150 actually request.
1. The Microsoft Entra Product Family
Microsoft Entra is a family of identity and network access products, each with its own pricing model and prerequisites.
Zero Trust access controls
At the foundation sits Microsoft Entra ID, the cloud identity and access management (IAM) service that was formerly known as Azure Active Directory (Azure AD). Microsoft renamed it in July 2023. Every Microsoft 365, Azure, or Dynamics Customer Relationship Management (CRM) Online tenant is automatically an Entra ID tenant. It is the product that the rest of the family builds upon.
Alongside it is Microsoft Entra Domain Services, which provides managed domain services (group policy, Lightweight Directory Access Protocol (LDAP), NT LAN Manager (NTLM) and Kerberos authentication) for legacy applications that cannot use modern authentication protocols. Domain Services is billed hourly by stock-keeping unit (SKU), completely separate from the per-user model of Entra ID.
Secure access for employees
🔹 Microsoft Entra Private Access is an identity-centric Zero Trust Network Access (ZTNA) solution designed as a Virtual Private Network (VPN) replacement. It connects remote users to internal resources without a traditional VPN tunnel. It is not included in any M365 plan and requires either a standalone licence or the Entra Suite.
🔹 Microsoft Entra Internet Access is an identity-centric Secure Web Gateway (SWG) that secures access to internet and Software as a Service (SaaS) applications, including artificial intelligence (AI) applications. It provides web content filtering, threat intelligence filtering, and Transport Layer Security (TLS) inspection. Like Private Access, it is a separate cost on top of any M365 plan.
🔹 Microsoft Entra ID Governance handles the identity lifecycle: access requests, assignments, reviews, entitlement management, lifecycle workflows, and PIM. ID Governance is the product that determines who has access to what, for how long, and who approves it.
🔹 Microsoft Entra ID Protection provides identity-based risk detection and automated remediation. It powers risk-based Conditional Access policies by analysing sign-in patterns and flagging anomalies such as impossible travel, unfamiliar locations, or credentials found in known breach databases.
🔹 Microsoft Entra Verified ID enables decentralised identity (DID) credential verification based on open World Wide Web Consortium (W3C) standards. It includes Face Check as a premium feature for biometric facial matching during verification.
Secure access for customers and partners
Microsoft Entra External ID handles external identity management for Business-to-Business (B2B) collaboration guests and customer-facing Customer Identity and Access Management (CIAM). It uses a monthly active users (MAU) billing model rather than per-user licensing.
Secure access in any cloud
Microsoft Entra Workload ID provides identity and access management for non-human workload identities: applications, services, and containers. It extends Conditional Access and ID Protection to workloads, and it is licensed entirely separately from the rest of the family.
Agent identity
Microsoft Entra Agent ID is the newest addition, currently in public preview as of March 2026. It extends Conditional Access, Identity Governance, Identity Protection, and network controls to AI agent identities. It is included in Agent 365 and is available through Frontier, Microsoft's early-access programme for AI capabilities that requires M365 Copilot. Agent ID is licensed separately from human-user identity.
Retired: Permissions Management
One product has already been retired from the family. Microsoft Entra Permissions Management, a cloud infrastructure entitlement management (CIEM) solution for Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP), was no longer available for purchase from 1 April 2025 and was fully retired with support discontinued on 1 November 2025. Organisations needing CIEM capabilities must now use third-party solutions.
2. Entra ID Free, P1, and P2
Entra ID comes in three plans, each building on the one below it.
Entra ID Free
Entra ID Free costs nothing and is included with any Microsoft cloud subscription, whether Azure, Microsoft 365, Dynamics 365, Intune, or Power Platform.
The Free plan covers the basics of cloud identity. You get user and group management, on-premises directory sync via Entra Connect, single sign-on (SSO) across an unlimited number of SaaS applications, self-service password change for cloud users, basic security reports (limited to medium and high risk users without detail), automated user provisioning to SaaS apps, managed identities, core Verified ID features (credential issuance and verification), audit and sign-in logs, and built-in role-based access control (RBAC) roles.
The limitations are significant. MFA is available only through the Authenticator app. There is no phone call as a second factor at all, and Short Message Service (SMS) is available only for global administrators. There is no Conditional Access whatsoever, no MFA reports, no fraud alerts, no custom greetings or caller ID for phone calls, no trusted IPs, and no risk-based policies. Provisioning logs, health monitoring, and Microsoft Graph activity logs are not available. Custom RBAC roles require P1.
Office 365 plans (E1, E3, E5) include only Entra ID Free — no Conditional Access, no granular MFA, no Application Proxy. Upgrading to the equivalent Microsoft 365 plan or adding standalone Entra ID P1 ($6/user/month) closes this gap.
For organisations on Office 365 (O365) plans (E1, E3, E5), this is all they get. Office 365 plans include Entra ID Free only, which means no Conditional Access, no granular MFA controls beyond security defaults, no Application Proxy, and no custom roles. Any Office 365 customer wanting proper identity security must either upgrade to the equivalent Microsoft 365 plan (a significant price jump), buy Entra ID P1 or P2 standalone, or buy Enterprise Mobility + Security (EM+S).
Entra ID P1
Entra ID P1 costs $6.00/user/month on an annual commitment. It is included in Microsoft 365 E3, F1, F3, Business Premium, EM+S E3, and the Cloud Solution Provider (CSP)-only regional Office 365 E1 Plus.
P1 is where Entra ID becomes genuinely useful for enterprise security. On top of everything in the Free plan, P1 adds Conditional Access with policy-based granular control, phone call and SMS as MFA second factors, fraud alerts and MFA reports, custom greetings and caller ID for phone calls, trusted IPs for MFA, MFA for on-premises applications via Application Proxy, self-service password reset (SSPR) with password writeback to on-premises Active Directory, Application Proxy for on-premises app access, human resources (HR)-driven and application programming interface (API)-driven provisioning, automated group provisioning to SaaS apps, automated provisioning to on-premises applications, cross-tenant user synchronisation within the same cloud, Entra Connect Health monitoring, provisioning logs, health monitoring, Microsoft Graph activity logs, usage and insights, custom RBAC roles, administrative units with dynamic membership, identity governance dashboard, and Terms of use attestation via Conditional Access.
P1 also includes Microsoft Entra Internet Access for Microsoft services, which is the Microsoft traffic profile of the Global Secure Access solution. The Microsoft services profile covers Universal Tenant Restrictions, Compliant Network check, Source IP restoration, and Microsoft 365 enriched logs at no extra cost.
What P1 does not include is equally important. There is no risk-based Conditional Access (which requires P2), no ID Protection risk policies (P2), no PIM (P2), no access reviews of any kind (basic requires P2, advanced requires ID Governance), no entitlement management (basic requires P2, advanced requires ID Governance), and no Lifecycle Workflows (requires ID Governance).
🖐 Need help mapping your Entra licensing to actual requirements? Learn more: Microsoft Licensing Services for Enterprises.
An M365 E3 customer wanting identity governance must therefore choose between upgrading to E5 (an additional $21/user/month, a gap that remains the same after the July 2026 price increases since both plans rise by $3), buying the Entra ID Governance add-on at $7/user/month, or buying the Entra Suite at $12/user/month for the complete identity package.
Entra ID P2
Entra ID P2 costs $9.00/user/month on an annual commitment. It is included in Microsoft 365 E5, Microsoft Defender Suite (formerly M365 E5 Security), Microsoft Defender Suite Frontline Worker (FLW), Microsoft Defender + Purview Suite FLW, EM+S E5, Microsoft Defender Suite for M365 Business Premium, and Microsoft Defender and Purview Suites for M365 Business Premium.
P2 adds the full Entra ID Protection feature set, which includes risk-based Conditional Access (user risk and sign-in risk policies), full security reports with risky users showing details and risk history, risky sign-ins with risk detail and level, risk detections with details, users at risk alerts, weekly digest notifications, and MFA registration policy via Conditional Access.
P2 also adds Privileged Identity Management (PIM), which provides just-in-time privileged access for Entra and Azure roles, PIM for Groups, PIM Conditional Access Controls, eligible and time-bound role assignments, and approval workflows for role activation.
On the governance side, P2 includes basic access reviews (scoped to active and inactive users with decision helpers, self-reviews, group-based reviews) and basic entitlement management (users assigned to access packages, self-request, groups/applications/SharePoint sites in access packages, multi-stage approvals with alternate approvers, separation of duties, expiration of access package assignments, guest lifecycle management, and the My Access portal).
However, P2 governance is explicitly "basic." Microsoft's own licensing documentation draws a clear line between what P2 includes and what requires the full ID Governance licence or Entra Suite. P2 does not include Lifecycle Workflows, machine learning (ML) assisted access certifications, PIM for Groups access reviews, cross-cloud synchronisation, Custom Extensions via Logic Apps for entitlement management, Auto Assignment Policies, Verified ID integration in entitlement management, ID Protection or Insider Risk Management integration in entitlement management, managers requesting on behalf of employees, or suggested access packages in My Access.
An M365 E5 customer wanting full governance capabilities must therefore buy either the Entra ID Governance add-on at $4/user/month (reduced from $7 on P1) or the Entra Suite at unpublished "special pricing" for P2/E5 customers, which also adds Internet Access, Private Access, and Verified ID premium. Microsoft directs these customers to contact Sales.
3. The Entra Suite
The Entra Suite at $12/user/month bundles five products that would cost at least $17 individually on a P1 base. For M365 E3 customers, the Suite is $1 cheaper than buying just P2 + Governance separately ($9 + $4 = $13) while including Internet Access, Private Access, and Verified ID premium on top.
The Entra Suite bundles five products into a single subscription at $12/user/month, which is 29% less than buying the same components separately.
What the Suite includes
Entra ID Protection (the P2 feature set for risk-based Conditional Access, PIM, and related capabilities)
Entra ID Governance (the full governance suite with Lifecycle Workflows, advanced access reviews, and advanced entitlement management)
Entra Internet Access (Secure Web Gateway with web content filtering, Fully Qualified Domain Name (FQDN) filtering, TLS inspection, and AI app discovery)
Entra Private Access (ZTNA, VPN replacement, per-app access)
Entra Verified ID premium capabilities, specifically Face Check, limited to 8 Face Checks per user per month
Pricing
SKU | Price | Prerequisite |
|---|---|---|
Entra Suite (add-on to P1) | Entra ID P1 or any plan including P1 (M365 E3, F1, F3, Business Premium, EM+S E3) | |
Entra Suite (add-on to P2) | Unpublished ("special pricing") | Entra ID P2, M365 E5, or any plan including P2 |
The Entra pricing page shows $12/user/month as the headline and states that "Special pricing is available for Microsoft Entra ID P2 and Microsoft 365 E5 customers" without publishing the discounted amount. Microsoft directs customers to contact Sales.
Standalone pricing of Suite components
Component | Standalone price (user/month) | Prerequisite |
|---|---|---|
Entra ID Governance (add-on to P1) | $7 | Entra ID P1 |
Entra ID Governance (add-on to P2) | $4 | Entra ID P2 |
$5 | Entra ID P1 | |
$5 | Entra ID P1 | |
Standalone total (with P1 base) | $17 | |
Entra Suite | $12 | 29% savings |
Entra ID Protection is not sold as a standalone add-on. It is either included in P2 or in the Entra Suite. The Entra pricing page lists only P1, P2, and Suite; there is no standalone ID Protection SKU.
4. Global Secure Access
Global Secure Access is the unified term for Microsoft Entra Internet Access and Microsoft Entra Private Access combined. Global Secure Access is Microsoft's Security Service Edge (SSE) solution.
Licensing model
Global Secure Access uses three traffic profiles, each with different licensing requirements.
Feature | Entra P1/P2 (Microsoft traffic) | Internet Access licence | Private Access licence |
|---|---|---|---|
Windows/macOS/mobile client | ✅ Yes | ✅ Yes | ✅ Yes |
Traffic logs | ✅ Yes | ✅ Yes | ✅ Yes |
Remote network (branch) | ✅ Yes | ✅ Yes | ⚪️ No |
Universal Tenant Restrictions | ✅ Yes | ⚪️ No | ⚪️ No |
Compliant network check | ✅ Yes | ⚪️ No | ⚪️ No |
Source IP restoration | ✅ Yes | ⚪️ No | ⚪️ No |
M365 enriched logs | ✅ Yes | ⚪️ No | ⚪️ No |
Universal Conditional Access | ✅ Yes | ✅ Yes | ⚪️ No |
Web category filtering | ⚪️ No | ✅ Yes | ⚪️ No |
FQDN filtering | ⚪️ No | ✅ Yes | ⚪️ No |
Context-aware network security | ⚪️ No | ✅ Yes | ⚪️ No |
VPN replacement (ZTNA) | ⚪️ No | ⚪️ No | ✅ Yes |
Quick Access | ⚪️ No | ⚪️ No | ✅ Yes |
App Discovery | ⚪️ No | ⚪️ No | ✅ Yes |
Private Domain Name System (DNS) | ⚪️ No | ⚪️ No | ✅ Yes |
SSO across all private apps | ⚪️ No | ⚪️ No | ✅ Yes |
The important detail here is that Entra Internet Access for Microsoft services (the Microsoft traffic profile) is included in P1 or P2 at no extra cost. The Microsoft services profile covers Compliant Network check, Universal Tenant Restrictions, Source IP restoration, and M365 enriched logs. The full Internet Access licence, which adds web content filtering, FQDN filtering, and context-aware network security, requires the standalone product or the Entra Suite.
Remote network connectivity requires a minimum of 50 combined licences from Entra ID P1 and Entra Internet Access.
New Internet Access capabilities for AI workloads
The Internet Access product page lists several AI-related capabilities added in 2026, including discovery of unsanctioned employee AI usage, prompt injection blocking, network file filtering for sensitive data, AI gateway controls for agents, Model Context Protocol (MCP) endpoint controls, and real-time AI and SaaS app usage monitoring with risk scoring. From a licensing perspective, all of these capabilities require either the Internet Access standalone licence at $5/user/month or the Entra Suite at $12/user/month. They are not available in P1 or P2 alone.
5. Entra ID Governance in Detail
Entra ID Governance is the product that manages the identity lifecycle.
Pricing
SKU | Price | Prerequisite |
|---|---|---|
Entra ID Governance (add-on to P1) | Entra ID P1 | |
Entra ID Governance (add-on to P2) | Entra ID P2 | |
Included in Entra Suite | $12/user/month (Suite price) | Entra ID P1 |
Entra ID Governance for External Users | $0.75/MAU | Azure subscription |
Features exclusive to the full Governance licence
These features require the full Entra ID Governance licence (or Entra Suite) and are not available with P2 alone.
🔹 For provisioning, the full Governance licence adds cross-cloud synchronisation.
🔹 All Lifecycle Workflow capabilities are exclusive to the full licence, including Custom Extensions via Logic Apps.
🔹 Advanced access reviews add PIM for Groups reviews, reviews scoped to inactive users without active users in the review, machine learning assisted access certifications, Catalog Access Reviews (preview), custom data provided resource (preview), and Access Review (AR) Agent (preview).
🔹 Advanced entitlement management adds the ability for admins to directly assign any user via email (not yet in directory), managers requesting on behalf of employees, eligible group ownerships and memberships through PIM for Groups, Entra Roles (preview), SAP Identity Access Governance (IAG) business roles (preview), sponsors as approvers from the user profile, external sponsors as approvers, Custom Extensions via Logic Apps, Auto Assignment Policies, Verified ID integration, ID Protection integration, Purview Insider Risk Management integration, mark guest as governed, suggested access packages in My Access, and delegate approvals in My Access (preview).
🔹 The full Governance licence also provides inactive guest account insights and reporting.
Agent-specific governance features
The Entra licensing table shows specific entries marked "in preview as part of Microsoft Agent 365" with no checkmarks under any existing plan. These are agents and service principals assigned to access packages, owners and sponsors requesting access on behalf of their agents or service principals, and API permissions in access packages. The absence of checkmarks under existing plans confirms that agent governance features will require Agent 365, not the Entra Suite or ID Governance standalone.
The licensing count that catches people out
Governance licences are counted by users who could use the feature, not users who actually do. If 2,000 employees can request access packages, you need 2,000 licences — even if only 150 submit requests.
Governance licensing is per-user, but the counting logic is based on users who could use the feature, not actual usage. Microsoft's own licensing documentation gives these examples: if 2,000 employees can request access packages through entitlement management, you need 2,000 licences even if only 150 actually submit requests. For auto-assignment, all users who meet the auto-assignment criteria need licences. For access reviews, all users being reviewed plus all reviewers need licences. For Lifecycle Workflows, all users processed by workflows plus the administrator need licences.
6. Entra Workload ID
Entra Workload ID provides identity and access management for non-human workload identities, covering applications, services, and containers. It is entirely separate from the rest of the Entra licensing structure.
Pricing
SKU | Price | Notes |
|---|---|---|
Entra Workload ID Free | $0 | Included with Azure and Power Platform subscriptions |
$3/workload identity/month | Annual commitment |
Workload ID Premium is a standalone SKU. It is not part of any other SKU: not in P1, not in P2, not in the Entra Suite, and not in any Microsoft 365 plan including E7. One licence per workload identity per month is required, but no individual assignment is needed because one licence in the tenant unlocks all features for all workload identities. It is available through Microsoft representatives, the Open Volume Licence Programme, and the Cloud Solution Provider (CSP) programme. A 90-day free trial is available (30 days in the Modern channel).
Free versus Premium features
Capability | Free | Premium |
|---|---|---|
Create, read, update, delete workload identities | ✅ Yes | ✅ Yes |
Access resources via authentication and tokens | ✅ Yes | ✅ Yes |
Sign-in activity and audit trail | ✅ Yes | ✅ Yes |
Managed identities | ✅ Yes | ✅ Yes |
Workload identity federation | ✅ Yes | ✅ Yes |
Application management policies | ✅ Yes | ✅ Yes |
Access reviews for privileged roles | ⚪️ No | ✅ Yes |
App Health Recommendations | ⚪️ No | ✅ Yes |
Conditional Access for workload identities | ⚪️ No | ✅ Yes |
ID Protection for workload identities | ⚪️ No | ✅ Yes |
Conditional Access and ID Protection for workload identities cover enterprise applications and service principals only. Managed identities are not eligible for Conditional Access or ID Protection, though they are eligible for access reviews.
Every organisation with non-human identities (service principals, applications) that needs Conditional Access or ID Protection for those identities must purchase Workload ID Premium separately, regardless of what other Entra licences they hold.
7. Entra External ID
Entra External ID handles external identity management for B2B collaboration guests and customer-facing CIAM scenarios. Unlike the rest of Entra, it uses a monthly active users (MAU) billing model.
Pricing
SKU | Price |
|---|---|
Entra External ID (up to 50,000 MAU) | Free |
Entra External ID P1 (above 50,000 MAU) | $0.00325/MAU |
Entra External ID P2 (above 50,000 MAU) | $1.625/MAU |
Entra ID Governance for External Users | $0.75/MAU |
How the billing works
The MAU count combines workforce and external tenants linked to a subscription. It applies to B2B collaboration guests (UserType = Guest), internal guests, and all users in external tenants. Member users authenticating across owned tenants are not counted in the MAU total. An Azure subscription linked to the tenant is required for billing.
8. Entra Domain Services
Entra Domain Services provides managed domain services for legacy applications, and it uses a completely different pricing model from the rest of the Entra family, with hourly billing by SKU rather than per-user subscriptions.
SKU | Authentication load (peak/hour) | Object count | Backup frequency |
|---|---|---|---|
Standard | 0-3,000 | 0-25,000 | Every 5 days |
Enterprise | 3,001-10,000 | 25,001-100,000 | Every 3 days |
Premium | 10,001-70,000 | 100,001-500,000 | Daily |
The pricing is hourly and region-dependent. The pricing page uses a dynamic calculator that requires selecting a region to display actual rates. A standard load balancer and public IP are also deployed and billed separately.
9. Entra Verified ID and Face Check
Verified ID core features
Entra Verified ID provides decentralised identity (DID) credential verification based on open W3C standards. The core features, credential issuance and verification, are free with any Entra ID subscription including the Free plan. No special licensing is required. It is useful for employee onboarding, credential verification, and account recovery.
Face Check (premium)
Face Check is a premium add-on feature within Verified ID that provides privacy-respecting facial matching, comparing a selfie to a credential photo.
It is included in the Entra Suite with an allocation of 8 Face Checks per user per month. Outside the Suite, it is consumption-based via an Azure subscription, requiring a linked subscription and Contributor role to set up.
The specific per-verification price for standalone Face Check is not published (the Microsoft Learn billing page returns 404 as of March 2026). Standalone Face Check cannot be budgeted without contacting Microsoft Sales.
10. Entra Agent ID and the Agent 365 Connection
Status and availability
Entra Agent ID is in public preview as of March 2026. It is included in Agent 365 and available through Frontier. Using it requires a Microsoft 365 Copilot licence with Frontier enabled for users.
Agent 365 reaches general availability on 1 May 2026 at $15/user/month. It is also included in M365 E7 at $99/user/month.
What Entra Agent ID does
Agent ID lets organisations register agent identities in Entra, apply Conditional Access policies to agent access attempts, manage agent lifecycle and access packages through Identity Governance, and feed agent sign-in signals into Identity Protection. It is in public preview, with no published service level agreement (SLA) and no generally available date announced.
What Agent 365 adds to the Entra security perimeter
Agent 365 extends Conditional Access, Identity Protection, and Identity Governance to AI agent identities, but it is not bundled with any existing Entra or M365 plan. Microsoft has created a separate SKU for agent governance that is not included in any existing plan, including the Entra Suite. The mapping between human and agent capabilities is as follows:
Entra capability | For humans (existing) | For agents (Agent 365) |
|---|---|---|
Identity | Entra ID (user accounts) | Entra Agent ID (agent identities) |
Authentication | MFA, passwordless, Fast Identity Online 2 (FIDO2) | Agent authentication, credentials |
Conditional Access | Risk-based, location-based | Policy enforcement for agent access |
Identity Protection | User/sign-in risk detection | Agent risk signals, rogue agent detection |
Identity Governance | Access packages, lifecycle workflows, access reviews | Agent access packages, agent lifecycle, sponsor-based governance |
The licensing boundary between Entra Suite and Agent 365
The Entra Suite at $12/user/month covers human identity governance, SSE (Internet Access and Private Access), ID Protection, and Verified ID premium, but it does not cover agent governance features. Agent 365 at $15/user/month covers agent identity, governance, security, and observability, and it requires Entra infrastructure but adds the agent-specific layer. M365 E7 at $99/user/month is the first plan to include both Entra Suite and Agent 365 together.
The three agent-specific entitlement management features (agents in access packages, sponsor requests for agents, API permissions in access packages) are marked "in preview as part of Microsoft Agent 365" with no existing plan checked. The empty checkmarks confirm Agent 365 is the exclusive licence for agent governance in Entra.
11. How Entra is Bundled in Microsoft 365 and Other Plans
Microsoft 365 enterprise plans
Plan | Current price (user/month) | July 2026 price (user/month) | Entra ID plan |
|---|---|---|---|
$2.25 | P1 | ||
$8 | P1 | ||
$36 | P1 | ||
$57 | P2 | ||
$99 | $99 | P2 + Entra Suite | |
$22 | N/A | P1 | |
$10 | N/A | Free | |
$23 | N/A | Free | |
$38 | N/A | Free |
Office 365 plans include Entra ID Free only. Microsoft 365 plans include either P1 (E3, F1, F3, Business Premium) or P2 (E5).
M365 F1 at $2.25/user/month (rising to $3 from July 2026) includes Entra ID P1, the same identity plan as M365 E3 at $36. A frontline worker gets the same Conditional Access and granular MFA as an E3 user.
Enterprise Mobility + Security
Plan | Price (user/month) | Entra ID plan |
|---|---|---|
$10.60 | P1 | |
$16.40 | P2 |
Microsoft Defender Suites
Several security add-on suites include Entra ID P2 alongside other capabilities: Microsoft Defender Suite, Microsoft Defender Suite FLW, Microsoft Defender + Purview Suite FLW, Microsoft Defender Suite for M365 Business Premium, and Microsoft Defender and Purview Suites for M365 Business Premium.
The E7 bundle and Entra
M365 E7 at $99/user/month (generally available 1 May 2026) includes M365 E5 ($60 from July 2026), which provides Entra ID P2; Agent 365 ($15), which includes Entra Agent ID; and Entra Suite ($12), which covers ID Governance, ID Protection, Internet Access, Private Access, and Verified ID premium.
🖐 Optimising your Microsoft 365 stack and identity costs? Learn more: Microsoft 365 Planning and Optimisation.
Buying the Entra-relevant components separately on an E5 base would be Agent 365 at $15 plus the Entra Suite at unpublished "special pricing" for P2/E5 customers. Even using the published P1-base Suite price of $12 as a floor, the standalone Entra components would cost at least $27 on top of P2. E7 bundles these alongside productivity, compliance, and AI components at $99 total.
12. Complete Entra Pricing Summary
All Entra SKUs and prices
SKU | Price | Model | Prerequisite |
|---|---|---|---|
Entra ID Free | $0 | Per-user | Any cloud subscription |
$6/user/month | Per-user, annual | Standalone or in M365 E3/F1/F3/Business Premium/EM+S E3 | |
$9/user/month | Per-user, annual | Standalone or in M365 E5/EM+S E5/Defender Suite | |
Entra Suite (on P1) | $12/user/month | Per-user, annual | Entra ID P1 |
Entra Suite (on P2) | Unpublished ("special pricing") | Per-user, annual | Entra ID P2 or M365 E5 |
Entra ID Governance (on P1) | $7/user/month | Per-user, annual | Entra ID P1 |
Entra ID Governance (on P2) | $4/user/month | Per-user, annual | Entra ID P2 |
$0.75/MAU | Consumption | Azure subscription | |
$5/user/month | Per-user | Entra ID P1 | |
$5/user/month | Per-user | Entra ID P1 | |
$3/workload/month | Per-workload | Azure or M365 subscription | |
Entra External ID (core) | Free (50K MAU) | MAU | Azure subscription |
Entra External ID P1 | $0.00325/MAU | MAU | Azure subscription |
Entra External ID P2 | $1.625/MAU | MAU | Azure subscription |
Hourly (by SKU) | Consumption | Azure subscription | |
Verified ID (core) | Free | N/A | Any Entra ID |
Verified ID Face Check | Consumption (TBD) | Per-verification | Azure subscription or Entra Suite (8/user/month) |
Preview (in Agent 365) | Per-user | M365 Copilot + Frontier | |
$15/user/month | Per-user | generally available 1 May 2026 |
Total identity cost scenarios
Scenario | Monthly cost per user | What you get |
|---|---|---|
O365 E3 only | $23 | Entra ID Free. No Conditional Access, no MFA controls beyond security defaults. |
M365 E3 | $36 (rising to $39 from July 2026) | Entra ID P1. Conditional Access, MFA, provisioning, SSPR with writeback. |
M365 E3 + ID Governance | $43 (rising to $46) | P1 + full governance (lifecycle workflows, advanced access reviews, advanced entitlement management). |
M365 E3 + Entra Suite | $48 (rising to $51) | P1 + full governance + ID Protection + Internet Access + Private Access + Verified ID premium. |
M365 E5 | $57 (rising to $60) | Entra ID P2. Risk-based Conditional Access, PIM, basic access reviews, basic entitlement management. |
M365 E5 + Entra Suite | $60 + unpublished add-on | P2 + full governance + Internet Access + Private Access + Verified ID premium. Microsoft does not publish the P2/E5 discount, so this line item cannot be budgeted without a Sales quote. |
M365 E7 | $99 | P2 + Entra Suite + Agent 365. The complete Entra stack. |
Cost path from E3 to the full Entra stack
For an M365 E3 customer wanting the complete Entra identity capabilities, the options break down as follows.
Option | What you buy | Extra cost per user per month | What you get |
|---|---|---|---|
A: Entra Suite | Suite add-on to P1 | $12 | Everything: P2 features + full governance + SSE + Verified ID premium |
B: P2 standalone | P2 | $9 | P2 only: risk-based Conditional Access, PIM, basic reviews and entitlement management |
C: P2 + Governance | P2 + Governance add-on to P2 | $9 + $4 = $13 | P2 + full governance |
D: Full individual components | P2 + Governance + Internet Access + Private Access | $9 + $4 + $5 + $5 = $23 | Everything except Verified ID premium |
13. What Microsoft Does Not Emphasise
The Office 365 identity gap
Office 365 plans (E1, E3, E5) include Entra ID Free only. Office 365 customers get no Conditional Access, no MFA beyond Authenticator-only security defaults, no Application Proxy, no provisioning logs or health monitoring, and no custom RBAC roles. If you are on Office 365 and cannot justify the full M365 upgrade, Conditional Access can be added via standalone Entra ID P1 at $6/user/month or EM+S E3 at $10.60/user/month (which also includes Intune).
Features that remain active without valid licences
Microsoft's own licensing documentation states this about Conditional Access: "When licenses required for Conditional Access expire, policies aren't automatically disabled or deleted. This grants customers the ability to migrate away from Conditional Access policies without a sudden change in their security posture."
PIM behaves differently. When P2 licences expire, permanent role assignments to Entra roles remain unaffected, but eligible role assignments are removed, meaning users can no longer activate privileged roles. Ongoing access reviews end, and PIM configuration settings are removed. The PIM service in the admin centre and Graph API becomes unavailable.
Conditional Access policies remain active without licences, which means organisations can inadvertently use P2 features and face retroactive licensing demands at audit. PIM, by contrast, degrades when licences expire, removing eligible role assignments and access reviews.
Frequently Asked Questions
Do I already have Entra ID? Yes. Every Microsoft 365, Azure, or Dynamics 365 tenant is automatically an Entra ID tenant. The question is which plan you have. Check whether your plan includes P1 (M365 E3, F1, F3, Business Premium) or P2 (M365 E5), or only Free (Office 365 plans, Azure-only).
What is the difference between Entra ID and the old Azure Active Directory? They are the same product. Microsoft renamed Azure Active Directory to Microsoft Entra ID in July 2023. All functionality, APIs, licensing, and integration points remain the same.
I have M365 E3. Do I need to buy Entra ID P1 separately? No. M365 E3 includes Entra ID P1. You do not need to buy it as a standalone add-on.
I have M365 E5. Do I need the Entra Suite? M365 E5 includes Entra ID P2, which covers risk-based Conditional Access, PIM, and basic access reviews and entitlement management. You need the Entra Suite or the standalone Governance add-on only if you require full governance capabilities (Lifecycle Workflows, advanced access reviews, advanced entitlement management) or if you need Internet Access, Private Access, or Verified ID premium features.
What is the difference between Entra ID P2 and the Entra Suite? P2 adds risk-based Conditional Access, PIM, and "basic" governance to the P1 feature set. The Entra Suite includes the full P2 features plus advanced governance (Lifecycle Workflows, ML-assisted reviews, auto-assignment), Internet Access (full SWG), Private Access (ZTNA/VPN replacement), and Verified ID premium (Face Check). For an E3 customer, the Suite at $12 is cheaper than buying P2 standalone at $9 plus Governance at $4, and it includes substantially more.
Does the Entra Suite include Workload ID? No. Entra Workload ID Premium at $3/workload identity/month is a completely separate SKU. It is not included in any M365 plan, EM+S plan, or the Entra Suite.
What happens to my Conditional Access policies if my P1 or P2 licences expire? Microsoft's documentation states that Conditional Access policies are not automatically disabled or deleted when licences expire. They remain active, which means the policies continue to work, but you are technically using unlicensed features and could face compliance issues during an audit.
What is Entra Agent ID? Entra Agent ID extends Entra's identity and access management capabilities to AI agents. It is currently in public preview and is included in Agent 365 ($15/user/month, generally available 1 May 2026). Agent governance features are exclusive to Agent 365 and are not available through the Entra Suite or any existing plan.
Are there any antitrust concerns around Entra ID bundling? Entra ID's inclusion in Microsoft 365 plans has drawn regulatory scrutiny. The European Commission and other regulators have examined the bundling of identity services with productivity software, because organisations that use M365 get Conditional Access and MFA at no incremental cost while competitors must sell those capabilities separately. No enforcement action has resulted so far, but the investigations are ongoing, and any future unbundling decision could change the pricing structure described in this guide.
I have Office 365 E3. How does my identity security compare to M365 E3? Office 365 E3 includes Entra ID Free only, which means no Conditional Access, no granular MFA controls, no Application Proxy, and no custom roles. M365 E3 includes Entra ID P1, which adds all of these. The identity security gap between Office 365 and Microsoft 365 is substantial.
If you need help understanding your licensing position or optimising your identity costs, get in touch. We don't sell Microsoft licences or cloud services, so our advice is independent.