Why Entra ID Produces Systematic Overspend in Enterprise EAs

Microsoft Entra ID (formerly Azure Active Directory) licensing produces consistent overspend in enterprise EAs through three mechanisms. First, organisations purchase Entra ID P1 or P2 as standalone licences for users whose M365 E3/E5 bundle already includes it — a direct-line duplicate that persists undetected through multiple renewal cycles. Second, organisations provision Entra ID P2 for the full enterprise population when the P2-specific capabilities (Privileged Identity Management, Identity Protection risk-based policies, access reviews) are deployed to a subset — typically privileged accounts and high-risk users — not to the full workforce. Third, the Entra product family has expanded significantly in 2024–2026 (Entra Governance, Entra External ID, Entra Suite) and Microsoft's commercial motion pushes broad adoption of the new SKUs at renewal, creating incremental spend on capabilities that may not be deployed or required.

The 38% average Entra ID licence overspend we observe in enterprise EAs is driven predominantly by the first two mechanisms — P1/P2 duplication of M365 inclusions and P2 full-population provisioning. The Entra Suite and Governance products represent a growing third category but are still emerging as a commercial pattern. For a 10,000-user organisation, P2 overspend from full-population deployment versus a correctly segmented deployment (P2 for 800 privileged and high-risk users, P1 for the remaining 9,200) produces $306,000 in annual excess spend at EA rates. This guide covers the complete Entra licence architecture and the frameworks to avoid each mechanism.

38%: Average Microsoft Entra ID licence overspend in enterprise EAs — driven by P1/P2 duplication of M365 bundle inclusions and P2 full-population deployment where PIM and Identity Protection are deployed to a privileged subset. Source: Microsoft Negotiations analysis, 500+ EA engagements.

Entra ID Tiers — Free, P1, P2, and What Each Actually Covers

Entra ID Free — The M365 Foundation

Every Microsoft 365 and Office 365 tenant includes Entra ID Free. Free covers: user and group management, basic self-service password reset (SSPR) for cloud-only accounts, single sign-on for up to 10 apps per user, Multi-Factor Authentication via the Microsoft Authenticator app (using the Microsoft per-user MFA capability), and basic security reporting. Free is not the same as no Entra — it is a meaningful identity management layer that many smaller organisations run on for years before hitting its boundaries. Understanding what Free covers prevents unnecessary P1 or P2 purchases where Free is adequate.

The key Free boundary: MFA in Entra ID Free uses per-user MFA configuration, not Conditional Access policies. Conditional Access — the ability to enforce MFA or other controls based on user, device, location, application, and risk signals — requires Entra ID P1. This is the most common driver for P1 adoption in growing organisations, and it is a legitimate P1 requirement. But for organisations that have moved to M365 E3/E5, P1 is already included — the Conditional Access requirement is covered without any additional Entra standalone purchase.

Entra ID P1 — The M365 E3 Inclusion

Entra ID P1 (~$6/user/month as a standalone EA line; included in M365 E3, M365 E5, EMS E3, EMS E5 and Microsoft 365 Business Premium) adds: Conditional Access policies (the primary P1 driver for most enterprises), hybrid identity (Entra Connect for AD sync), self-service group management and group-based application assignment, SSPR with write-back to on-premises AD, application proxy for on-premises app publishing, and Terms of Use / custom branding. For organisations on M365 E3 or E5, all of this is included. Standalone Entra P1 purchases on top of M365 E3/E5 are completely redundant.

Entra ID P2 — The M365 E5 Inclusion

Entra ID P2 (~$9/user/month standalone; included in M365 E5 and EMS E5) adds four major capability categories over P1: Privileged Identity Management (PIM — just-in-time privileged access, access request workflows, privileged role activation with approval), Identity Protection (risk-based Conditional Access using sign-in and user risk signals from Microsoft's threat intelligence, risky user reports, risk-based SSPR), Access Reviews (periodic access certification for group memberships and application assignments, guest access reviews), and Entitlement Management (access packages for automated access provisioning and lifecycle management). These are genuine P2 capabilities with no P1 equivalent — but they are most valuable to a specific subset of users, not to the full enterprise population.

The commercial misapplication of P2 is purchasing it for the full workforce because "the security team needs PIM and Identity Protection." PIM and Identity Protection protect specific user accounts — privileged administrator accounts, accounts with access to sensitive data, accounts in high-risk roles. Deploying PIM for 10,000 standard business users who have no privileged roles produces zero incremental security benefit over P1, because there are no privileged role activations to manage or just-in-time elevations to apply. The correct deployment is P2 for the 5–15% of the population with elevated access risk, P1 for the remainder.

| Entra ID Tier | Monthly Cost (EA) | M365 Inclusion | Key Capabilities Added |
| --- | --- | --- | --- |
| Entra ID Free | $0 | All M365 tenants | User/group mgmt, basic MFA, SSO (10 apps), basic reporting |
| Entra ID P1 | ~$6/user | M365 E3, E5, EMS E3/E5, Business Premium | Conditional Access, hybrid identity, SSPR write-back, App Proxy, Terms of Use |
| Entra ID P2 | ~$9/user | M365 E5, EMS E5 | PIM, Identity Protection (risk-based CA), Access Reviews, Entitlement Management |
| Entra Governance (add-on) | ~$7/user add-on | Not in E3/E5 | Advanced lifecycle workflows, provisioning, HR-driven provisioning expansions |
| Entra Suite | ~$12/user | Not in E3/E5 | P2 + Governance + Verified ID + Global Secure Access + Internet Access |

M365 Inclusions — The Validation Most Organisations Skip

The single highest-value action in an Entra licence audit is confirming which Entra tier is included in each M365 SKU present in the EA, then cross-referencing against the Entra standalone lines in the EA. The inclusions are clear and documented in the Microsoft Product Terms, but they are not automatically reflected in EA proposals — the account team may propose standalone Entra lines even for users who already have the inclusion via M365.

M365 E3 includes Entra ID P1. M365 E5 includes Entra ID P2. EMS E3 includes Entra P1 plus Intune Plan 1 and Defender for Identity (MDI). EMS E5 includes Entra P2 plus Intune, MIP P2, and Defender for Cloud Apps. If your EA includes any of these M365 or EMS bundles, a standalone Entra P1 or P2 line on top of it is redundant. If your EA includes both M365 E5 (which includes Entra P2) and a standalone Entra P2 for the same users, you are paying $9/user/month for nothing. This is not a hypothetical scenario — it appears in roughly one in four initial EA assessments involving a recent M365 suite upgrade.

P2 Population Segmentation — The Correct Framework

For organisations that do not have M365 E5 (and therefore do not have P2 included in their base suite), the correct P2 deployment model segments the P2 licence to the population that actually has privileged roles or elevated risk profiles requiring P2 capabilities. The correct question is not "should the enterprise have P2?" but "which specific users benefit from PIM, Identity Protection risk-based policies, and Access Reviews?"

PIM Target Population

Privileged Identity Management is designed for accounts with Azure/Entra privileged roles — Global Administrators, User Administrators, Exchange Administrators, SharePoint Administrators, Security Administrators, and Intune Administrators — and for accounts with privileged access to sensitive resources (Azure subscription Owner/Contributor, key database administrator accounts). For most enterprises, this is 50–300 accounts, not 10,000 users. PIM requires P2 only for the users in the PIM scope (the accounts being managed with JIT activation). Standard users with no privileged roles do not need P2 for PIM — PIM simply does not apply to them.

Identity Protection Target Population

Identity Protection risk-based Conditional Access policies can be scoped to specific user groups in Entra ID. A risk-based policy that enforces MFA or blocks access for "high-risk sign-in" signals only requires P2 for users within the policy scope. For a full-enterprise risk-based CA policy, all users in scope require P2. But the alternative — combining P1 Conditional Access (which uses static conditions) for the general population with P2 risk-based policies scoped to privileged and sensitive accounts only — reduces P2 to the target population while maintaining strong CA enforcement for the full enterprise.

Access Reviews Target Population

Access Reviews are licensed per user who is reviewed (the reviewer does not require P2; the user being reviewed does). For organisations using Access Reviews primarily for privileged role certification, external guest access reviews, and sensitive application access certifications, the reviewed population is often 10–20% of the total workforce. Access Reviews for the full 10,000-user population is rarely justified from a compliance or audit requirement perspective — most audit frameworks require periodic access certification for privileged and sensitive-data-access accounts, not for general workforce M365 access. Scope the P2 requirement to the reviewed population, not the full enterprise.


Entra Governance and Entra Suite — The 2026 Commercial Expansion

Microsoft has expanded the Entra product family significantly since 2023. Two products deserve scrutiny at EA renewal: Entra Governance and Entra Suite.

Entra ID Governance (formerly Azure AD Identity Governance add-on)

Entra ID Governance (~$7/user/month add-on to P1 or P2) adds advanced lifecycle management capabilities beyond P2: custom lifecycle workflows for joiner/mover/leaver automation beyond P2 Entitlement Management, advanced provisioning to non-gallery SaaS apps and on-premises apps via APIs, and enhanced Access Reviews with machine-learning-informed access recommendations. For organisations with complex HR-driven identity lifecycle requirements, Governance addresses genuine capability gaps. For organisations already using P2 Entitlement Management for access package lifecycle, the incremental Governance value may not justify the add-on premium. The Governance vs P2 Entitlement Management boundary is the key evaluation point — require a capability-by-capability comparison before accepting Governance as a renewal line item.

Entra Suite

Entra Suite (~$12/user/month) bundles Entra P2, Entra Governance, Entra Verified ID, and Entra Global Secure Access (Internet Access + Private Access — Microsoft's SSE/ZTNA platform). Suite represents Microsoft's Zero Trust networking and identity platform combined. For organisations actively replacing third-party ZTNA (Zscaler, Netskope, Palo Alto Prisma) and investing in Verified ID credential scenarios, Suite economics can be favourable. For most organisations in 2026 that are not in active SSE replacement programmes, Suite is a significant premium ($12 vs $9 for P2 alone) for capabilities that are not yet deployed. Suite should not appear in an EA renewal as a full-population line without a deployment roadmap and competitive displacement analysis for the SSE and ZTNA components. See our detailed analysis of Microsoft Zero Trust licensing for the full network security component breakdown.

Entra External ID — B2B and B2C Licensing

Entra External ID covers two distinct scenarios with different pricing models that are frequently confused in EA proposals. Entra External ID for B2B collaboration (guest user access to your Microsoft 365 environment — previously Azure AD B2B) is priced based on Monthly Active Users (MAU) of external identities. The first 50,000 MAU of guest users are free. Beyond 50,000 MAU, Entra External ID B2B pricing applies at approximately $0.00325 per MAU for P1-tier guest features and $0.01625 per MAU for P2-tier guest features. For most enterprise B2B collaboration scenarios involving external partners accessing Teams channels or SharePoint sites, the 50,000 MAU free tier is sufficient — many enterprises never exceed it.

Entra External ID for customer-facing applications (previously Azure AD B2C) is consumption-based, priced per MAU, billed through Azure — not through the EA. If Microsoft proposes a pre-committed External ID package in your EA, validate the expected MAU against the free tier before accepting any commitment. Pre-committed External ID in an EA at renewal is frequently overkill for organisations whose guest user counts are well within the free tier.

Entra ID EA Negotiation — Four Tactics

1. Audit M365 Inclusions Before Any Entra Standalone Line

Before any Entra P1 or P2 standalone line is accepted in an EA or amendment, produce a cross-reference of every M365/EMS SKU in the EA and the Entra entitlement each includes. Any user with M365 E3 has Entra P1 included. Any user with M365 E5 has Entra P2 included. Remove all standalone Entra lines that duplicate M365 inclusions and seek amendment credits for historical overpayment. This is the highest-ROI action in an Entra audit — typically completed in one meeting with the procurement and IT identity teams.

2. Anchor P2 to Validated Deployment Population

For organisations on M365 E3 (which does not include P2) that are evaluating P2 for PIM, Identity Protection, and Access Reviews, anchor the P2 commitment to the documented deployment population — not the full enterprise user count. Prepare a deployment scope document: list of privileged role holders (from Entra admin centre > Roles and Administrators), Identity Protection risk-based CA policy target groups, and Access Review scope. This deployment population is your P2 licence count anchor. For a 10,000-user organisation, this is typically 500–1,500 users. The $306,000/year difference versus full-population P2 is the commercial outcome of this anchor.

3. Require Deployment Roadmap for Entra Suite and Governance

If Entra Suite or Entra Governance appears in a renewal proposal without a deployment roadmap, the proposal is commercially speculative — Microsoft's account team is future-positioning product revenue, not addressing a current deployment requirement. Require a documented deployment timeline for each Suite or Governance feature, with deployment milestones built into the EA as the basis for licence count expansion. Start with the validated P2 population, add Suite or Governance only when SSE/ZTNA or advanced lifecycle features reach production deployment, and negotiate the right to expand at committed pricing rather than committing full-population Suite at signing.

4. Use Okta as Competitive Signal for Entra P2 and Suite Pricing

Okta Workforce Identity — specifically Okta Governance and Okta Identity Threat Protection — is a credible competitive alternative to Entra P2 and Suite for the privileged identity and governance use cases. In an EA negotiation context, a documented Okta evaluation (even if the organisation does not ultimately switch) generates pricing flexibility from the Entra product team that is not available from the core EA account team. Okta's pricing for PIM-equivalent and identity governance capabilities is similar to Entra P2 at list price — but the Microsoft account team has significant discount authority for Entra P2 and Suite lines when competitive displacement is documented. A 20–30% discount on standalone Entra P2 or Suite is achievable with documented competitive evaluation, compared to 5–10% for standard volume discounting.

Entra ID Licence Audit — Five-Step Action Plan

1. Map M365/EMS inclusions — list every SKU in the EA and the Entra tier each includes; mark every user with M365 E3 as "Entra P1 included" and M365 E5 as "Entra P2 included."

2. Identify standalone Entra lines — cross-reference standalone Entra P1/P2 assignments against users with M365 E3/E5; flag and remove duplicates.

3. Scope P2 to deployment population — export privileged role holders, Identity Protection policy groups, and Access Review scopes; this is your P2 anchor for M365 E3 environments.

4. Evaluate Entra Suite / Governance against deployment roadmap — require documented deployment timeline before any Suite/Governance commitment; negotiate right-to-expand at committed pricing.

5. Validate External ID B2B MAU — confirm guest user MAU against the 50,000-user free tier; remove any pre-committed External ID packages that are within the free tier.
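Steps 1 and 2 of this plan are a directory cross-reference that can be scripted. The block below is an added example, not part of this guide: it runs the duplicate check offline over constructed records shaped like Microsoft Graph's subscribedSkus (skuPartNumber, servicePlans) and users/assignedLicenses output. The SKU part numbers (SPE_E3, SPE_E5, AAD_PREMIUM, AAD_PREMIUM_P2), the service-plan names and the contoso.example users are assumptions to confirm against your own tenant before relying on the result.

```python
"""Entra P1/P2 duplication check over Microsoft Graph-shaped licence data.

Added example, not from the guide. Records mirror the shape of Graph's
/subscribedSkus (skuId, skuPartNumber, servicePlans) and /users
(assignedLicenses[].skuId) but are constructed; SKU part numbers and
service-plan names are assumptions to confirm against your own tenant.
"""

P1_PLAN = "AAD_PREMIUM"      # Entra ID P1 service plan (assumed name)
P2_PLAN = "AAD_PREMIUM_P2"   # Entra ID P2 service plan (assumed name)
# Standalone Entra SKU part number -> the Entra plan it delivers (assumed)
STANDALONE = {"AAD_PREMIUM": P1_PLAN, "AAD_PREMIUM_P2": P2_PLAN}
EA_RATE = {P1_PLAN: 6.0, P2_PLAN: 9.0}   # ~$/user/month, from the guide

# Constructed subscribedSkus: skuId -> (skuPartNumber, service plan names)
SKUS = {
    "sku-e3": ("SPE_E3", {P1_PLAN, "EXCHANGE_S_ENTERPRISE"}),
    "sku-e5": ("SPE_E5", {P1_PLAN, P2_PLAN, "EXCHANGE_S_ENTERPRISE"}),
    "sku-p1": ("AAD_PREMIUM", {P1_PLAN}),
    "sku-p2": ("AAD_PREMIUM_P2", {P1_PLAN, P2_PLAN}),
}

# Constructed users: UPN -> assignedLicenses skuIds
USERS = {
    "alice@contoso.example": ["sku-e5", "sku-p2"],  # E5 already has P2
    "bob@contoso.example": ["sku-e3", "sku-p1"],    # E3 already has P1
    "carol@contoso.example": ["sku-e3", "sku-p2"],  # legitimate P2 step-up
    "dave@contoso.example": ["sku-e3"],
}


def bundle_plans(sku_ids, skus):
    """Service plans delivered by the user's bundle SKUs (M365/EMS), ignoring
    standalone Entra SKUs so a standalone line cannot 'cover' itself."""
    plans = set()
    for sku_id in sku_ids:
        part, service_plans = skus[sku_id]
        if part not in STANDALONE:
            plans |= service_plans
    return plans


def find_duplicates(users, skus):
    """UPN -> standalone Entra SKUs whose plan a bundle already includes."""
    dupes = {}
    for upn, sku_ids in users.items():
        included = bundle_plans(sku_ids, skus)
        for sku_id in sku_ids:
            part = skus[sku_id][0]
            if part in STANDALONE and STANDALONE[part] in included:
                dupes.setdefault(upn, []).append(part)
    return dupes


def annual_excess(dupes):
    """Yearly spend on the duplicated standalone lines at the guide's EA rates."""
    return sum(EA_RATE[STANDALONE[p]] * 12 for parts in dupes.values() for p in parts)
```

Carol keeps her standalone P2 because E3 only includes P1; a P2 line on top of E3 is the legitimate step-up the segmentation framework describes, not a duplicate.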

Entra ID in the Full Microsoft EA

Entra ID licensing interacts with three major EA components. First, the M365 suite tier: the Entra P1/P2 inclusion is the primary driver. If your organisation is evaluating an E3-to-E5 upgrade, the Entra P2 inclusion is part of the E5 value analysis alongside Defender for Endpoint P2, Purview Information Protection P2, and the Sentinel free-ingestion benefit. Our M365 E3 vs E5 comparison covers the full upgrade economics. Second, the Microsoft Security stack: Entra ID P2's Identity Protection generates the risk signals that feed Defender for Identity, Sentinel, and the Microsoft Security Copilot context. The security licensing guide covers the integrated security licence architecture. Third, the Intune deployment: Entra P1 Conditional Access is the enforcement layer for Intune device compliance policies — the Intune compliance signal feeds Entra CA decisions. Our Intune licensing guide covers this integration in detail.