The 60-second answer

Microsoft Entra ID (formerly Azure Active Directory) licensing in 2026 has four tiers: Entra ID Free (the base every Microsoft tenant gets), Entra ID P1 ($6 PUPM standalone, bundled in M365 E3 / Business Premium / EMS E3), Entra ID P2 ($9 PUPM standalone, bundled in M365 E5 / EMS E5), and Entra ID Governance ($7 PUPM standalone, separately licensed). The mass-assignment problem on Entra ID P2 is the largest by absolute dollars in the security add-on stack — most enterprises pay for P2 across their whole population when only the admin and privileged-user subset would ever exercise the PIM and Identity Protection capabilities. The decision map and rationalisation playbook follow below.

The Microsoft Entra ID licensing map in 2026

Microsoft Entra ID licensing follows the same logic as the rest of the M365 stack: free baseline, P1 step-up for general business, P2 step-up for security-intensive use, and a separately-priced governance add-on. The 2026 layout:

  • Entra ID Free. Bundled with every Microsoft tenant. Supports up to 500K objects, basic SSO across the Microsoft cloud, group management, self-service password change (cloud users only), and basic reports. The free tier has improved materially since 2023 but still excludes the features most enterprises need for production identity.
  • Entra ID P1. $6 PUPM standalone. Bundled in M365 E3, M365 Business Premium, M365 F1/F3 (Frontline), EMS E3. Adds conditional access, self-service password reset for hybrid users, MFA, dynamic groups, Microsoft Authenticator passwordless, and SharePoint limited access. P1 is the “production identity” baseline.
  • Entra ID P2. $9 PUPM standalone. Bundled in M365 E5 and EMS E5. Adds Privileged Identity Management (PIM), Identity Protection (risk-based conditional access), access reviews, and entitlement management for the user.
  • Entra ID Governance. $7 PUPM standalone. Bundles entitlement management, access reviews, lifecycle workflows, terms of use, and machine learning-driven access recommendations. Note: there is overlap with P2 on access reviews and entitlement management — we explain the overlap below.

P1 vs P2 — the decision that matters

The P1-to-P2 step-up unlocks four capabilities that determine the buy decision:

  • Privileged Identity Management (PIM). Just-in-time elevation for admin roles. Eliminates standing admin permissions. The single highest-value P2 feature — pulls a major security debt off the table for any enterprise running 100+ admin accounts.
  • Identity Protection. Risk-based conditional access driven by Microsoft’s threat signals. Auto-blocks impossible-travel, leaked credential, and anomalous sign-in patterns.
  • Access reviews (user-licensed). Periodic certification campaigns for group membership and application access. Overlaps with Entra ID Governance.
  • Entitlement management (user-licensed). Self-service access request workflows with approval policies. Overlaps with Entra ID Governance.

The mass-assignment trap is unambiguous on P2: PIM is used by admin users only (typically 1–5% of the workforce), Identity Protection’s risk signals fire on a small subset of users at any time (the rest get the value passively through tenant-level risk policy), and access reviews / entitlement management are licensed by the reviewer, not the reviewed. The result: most enterprises that mass-assign P2 across the whole workforce are paying $9 PUPM for the 95% of users who never exercise the P2 capability.

The PIM-only path

Microsoft permits per-user P2 assignment. The disciplined pattern: keep the workforce on P1 (bundled with E3) and assign P2 only to the admin and privileged-access subset. A 5,000-user enterprise with 200 admin users on P2 spends $21,600/year on Entra P2 instead of $540K. The PIM benefit is identical.

The Entra ID Governance overlap question

Entra ID Governance was launched as a separate $7 PUPM SKU in 2024 with overlapping functionality on access reviews and entitlement management. Microsoft’s positioning: Governance is the “identity governance and administration” product, P2 is the “identity protection” product. Buyer-side reality:

  • Access reviews are in both P2 (per-user) and Governance.
  • Entitlement management is in both P2 (per-user) and Governance.
  • Lifecycle workflows are Governance-only.
  • Terms of use is Governance-only.
  • Machine learning-driven access recommendations are Governance-only.

The decision: if your governance need is access reviews and entitlement management only, P2 covers it for the user populations that need the function. If you need lifecycle workflows or ML-driven recommendations, Governance is the only path. Microsoft will push Governance as a complement to P2; on most enterprises the complement is not needed.

The rationalisation playbook

  1. Confirm M365 P1 bundle-in. Every E3, Business Premium, F1, F3, and EMS E3 user has P1 included. Drop any standalone Entra P1 assignments on these users.
  2. Identify the P2 target population. Pull the PIM activation report — users who have activated a PIM role in the past 90 days. Pull the Conditional Access risk policy report — users whose sign-ins triggered risk-based policy. Pull the Access Review reviewer list. Union these three sets — that is your P2 target population.
  3. Deprovision mass-assigned P2 outside the target set. Stage the deprovisioning. Run it at month boundaries.
  4. Decide on Entra ID Governance. If you need lifecycle workflows or ML-driven recommendations, scope to the user population that consumes them. Otherwise do not buy.
  5. Set up the self-service P2 elevation path. Service Catalogue request route for users who later need PIM access. Closes the “what if I need it later” objection.
  6. Build the renewal baseline. The P2 target population becomes the negotiation baseline for 2026 EA renewal.
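Steps 2 and 3 of the playbook, worked through as an added example (not tooling from the page's author): the three report exports are unioned into the P2 target set, compared with current P2 assignees, and split into licences to remove and target users who hold no P2 at all. The CSV layout, the shared `userPrincipalName` column and the `contoso.example` accounts are constructed assumptions; real exports need mapping to this shape first.

```python
import csv
import io

P2_PUPM_USD = 9  # standalone Entra ID P2 price quoted on this page

# Constructed sample exports. The shared column name is an assumption.
PIM_ACTIVATIONS_90D = """userPrincipalName,detail
adm.lee@contoso.example,Global Administrator
ADM.Lee@contoso.example,Exchange Administrator
ops.kim@contoso.example,User Administrator
"""
RISK_POLICY_HITS = """userPrincipalName,detail
traveller.roy@contoso.example,sign-in risk policy
ops.kim@contoso.example,sign-in risk policy
"""
ACCESS_REVIEWERS = """userPrincipalName,detail
mgr.ana@contoso.example,quarterly group review
"""
CURRENT_P2_ASSIGNEES = """userPrincipalName,detail
adm.lee@contoso.example,P2
ops.kim@contoso.example,P2
traveller.roy@contoso.example,P2
staff.one@contoso.example,P2
staff.two@contoso.example,P2
staff.three@contoso.example,P2
"""

def upns(csv_text):
    """Distinct UPNs in one export, case-normalised so repeats collapse."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["userPrincipalName"].strip().lower() for row in rows}

def annual_cost(users):
    """Annual standalone P2 spend in USD for a given user count."""
    return users * P2_PUPM_USD * 12

def p2_plan(pim, risk, reviewers, assigned):
    target = upns(pim) | upns(risk) | upns(reviewers)  # step 2: union
    licensed = upns(assigned)
    return {
        "target": target,
        "remove": licensed - target,      # step 3: staged deprovisioning
        "unlicensed": target - licensed,  # target users with no P2 today
        "cost_now": annual_cost(len(licensed)),
        "cost_after": annual_cost(len(target)),
    }
```

Review the `unlicensed` set before any removal is staged: those accounts belong to the target population but would have no P2 coverage after the change.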

Anonymised case study: $604K annualised on a 7,800-seat estate

A 7,800-employee retail enterprise carried Entra ID P2 mass-assigned across the entire workforce alongside M365 E3. Annual P2 spend: $842K. PIM activation telemetry across 90 days showed 280 unique users activating any PIM role. Identity Protection risk policy triggered on 1,400 user sign-ins (mostly a small population of frequent travellers). Access reviews ran with 18 reviewers. The target P2 population unioned to about 1,700 users when we included a 20% buffer for growth and edge cases. Rationalisation: 1,700 users on P2, the remaining 6,100 on P1 (bundled with E3). Annual P2 spend dropped from $842K to $184K. In addition, $46K shifted to Entra ID Governance for the 600 users who needed lifecycle workflows for contractor onboarding (a genuine need). Net annualised saving: $604K. PIM coverage was identical for the populations that mattered — the 280 active PIM users were inside the 1,700 target set.

$604K annualised saving on an $842K mass-assigned Entra ID P2 stack by sizing to the actual PIM and risk-policy population. PIM and Identity Protection coverage preserved on the users who exercise them.

Microsoft Entra ID licensing rewards the buyer who treats identity as a per-user privilege decision rather than a workforce-wide checkbox. The mass-assignment problem on Entra P2 is the largest single recoverable overspend in most 2026 M365 estates, and the discipline to fix it is unglamorous but immediate. Pair this with the broader M365 add-on rationalisation and the Defender stack optimisation for the full security renewal lever.