Quick answer
Microsoft Entra ID licensing has six commercial layers — Free, P1, P2, the Entra Suite, Workload Identities Premium, and External ID — and most enterprises already own P1 or P2 through Microsoft 365 E3 or E5. The single largest source of Entra ID overspend in our 500+ engagement dataset is duplicate procurement: standalone P1 or P2 bought for users who already have it bundled in M365, EMS, or Business Premium. Audit your overlap before you buy.
The six commercial layers of Microsoft Entra ID licensing
Microsoft Entra ID licensing is not a single SKU — it is a stack of six commercial layers, and the same enterprise often pays for three of them through different channels without realizing the entitlements overlap. The layers are: Entra ID Free (tenant administration), Entra ID P1 (Conditional Access, MFA, hybrid identities, basic governance), Entra ID P2 (Identity Protection, PIM, access reviews), the Entra Suite (Internet Access, Private Access, ID Governance, Verified ID — $12/user/month), Workload Identities Premium ($3/workload/month for service principals and managed identities subject to premium controls), and External ID (consumer/partner identity, billed per monthly active user). Each of these has a list price and a bundle path; an enterprise running Microsoft 365 E5 with EMS E5 attached, plus a standalone Entra Suite purchase, can be paying twice for governance entitlements it already owns.
The negotiation discipline starts with the entitlement map. Before you accept any Entra ID line item on a Microsoft proposal, force the LSP to produce the inclusion table showing which of your existing SKUs already grants the entitlement. The default proposal will rarely show this; you have to ask.
When Entra ID Free is enough (and when it never is)
Entra ID Free covers tenant creation, user and group management, basic single sign-on for SaaS apps in the Entra application gallery, and basic security defaults. That is the entire entitlement. There is no Conditional Access, no risk-based controls, no password protection against custom banned lists, no group-based application assignment, no self-service password reset with on-prem writeback. If your identity posture relies on "we have MFA enforced," and that MFA is being enforced through Conditional Access, you are already past Free.
Free is appropriate for: a brand-new tenant in pre-production; a temporary tenant for an M&A divestiture under 90 days; a small subsidiary running entirely on Business Standard with security defaults turned on. It is inappropriate as the production identity plane of any organization with regulated data, remote workers, or third-party access. Enterprises that try to run on Free with security defaults experience predictable failure modes — they cannot break-glass exclude an account from MFA without losing the policy framework, and they cannot apply differentiated controls by app sensitivity. The license to fix this is P1, and almost everyone with Microsoft 365 already has it.
Entra ID P1 vs P2: what the $3 delta actually buys
Entra ID P1 lists at $6/user/month. P2 lists at $9. The $3 monthly delta — $36 per user per year — covers three discrete entitlements: Identity Protection (risk-based sign-in policies, user-risk detection, leaked-credential intelligence), Privileged Identity Management (just-in-time elevation for Entra roles and Azure subscription roles, eligible-not-permanent assignment, approval workflows, audit), and Entra ID access reviews for both users and guests.
The breakeven on P2 is not symmetrical across your user base. A standard knowledge worker accrues marginal P2 value (risk-based sign-in only). A privileged user — anyone with Global Admin, Exchange Admin, SharePoint Admin, or a privileged Entra role — accrues disproportionate value through PIM alone. The buyer-favorable construction is to run E3 (which includes P1) for the broad estate and add Entra ID P2 standalone to the ~5-15% of users who require PIM-class controls. Microsoft's sales motion will push the cleaner "E5 for everyone" or "EMS E5 for everyone" position; in our engagement data, that construction overspends by 14-22% versus a segmented deployment.
The Microsoft 365 and EMS inclusion table
The Entra ID entitlement you already own through other SKUs is the single most important number in any Entra negotiation. Use this table at every proposal review.
| SKU | Entra ID entitlement | Notes |
|---|---|---|
| Microsoft 365 E3 / A3 | Entra ID P1 | Includes EMS E3 contents |
| Microsoft 365 E5 / A5 | Entra ID P2 | Includes EMS E5 contents |
| Microsoft 365 F1 / F3 | Entra ID P1 | Frontline-restricted use rights |
| Microsoft 365 Business Premium | Entra ID P1 | SMB SKU, 300-seat cap |
| EMS E3 | Entra ID P1 | Standalone enterprise mobility |
| EMS E5 | Entra ID P2 | Standalone enterprise mobility |
| Microsoft 365 E7 (Frontier) | Entra ID P2 + Entra Agent ID | New 2026 SKU; AI-included |
| Standalone Entra ID P1 | P1 | $6/user/month |
| Standalone Entra ID P2 | P2 | $9/user/month |
Two patterns recur in our reviews. First, customers running M365 E3 across their estate plus a standalone EMS E3 purchase — duplicate P1, with no incremental entitlement. Second, customers running M365 E3 plus standalone Entra ID P2 add-ons for everyone, when only ~10% of the user base needs P2; the surgical add-on construction is materially cheaper. Both patterns are recoverable at renewal with a clean entitlement audit. See our License Optimization service for the methodology.
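The inclusion check described above can be run mechanically over a license-assignment export. The following is an added example, not code from this page or from Microsoft: the SKU keys are the display names used in the table (not Microsoft part numbers), and the roster, its field names, and the `privileged` flag are constructed assumptions.

```python
# Entra ID tier granted by each SKU, transcribed from the inclusion table.
TIER = {"P1": 1, "P2": 2}
INCLUSION = {
    "Microsoft 365 E3": "P1", "Microsoft 365 A3": "P1",
    "Microsoft 365 F1": "P1", "Microsoft 365 F3": "P1",
    "Microsoft 365 Business Premium": "P1",
    "Microsoft 365 E5": "P2", "Microsoft 365 A5": "P2",
    "Microsoft 365 E7": "P2",
    "EMS E3": "P1", "EMS E5": "P2",
    "Entra ID P1": "P1", "Entra ID P2": "P2",
}
# Monthly list prices stated on this page (standalone SKUs only).
LIST_PRICE = {"Entra ID P1": 6, "Entra ID P2": 9}

# Constructed sample roster (hypothetical users and field names).
ROSTER = [
    {"user": "alice", "skus": ["Microsoft 365 E3", "EMS E3"], "privileged": False},
    {"user": "bob", "skus": ["Microsoft 365 E3", "Entra ID P2"], "privileged": False},
    {"user": "carol", "skus": ["Microsoft 365 E3", "Entra ID P2"], "privileged": True},
    {"user": "dave", "skus": ["Microsoft 365 E5", "EMS E5"], "privileged": True},
    {"user": "frank", "skus": ["Microsoft 365 E5", "Entra ID P2"], "privileged": False},
    {"user": "erin", "skus": ["Microsoft 365 Business Premium"], "privileged": False},
]

def is_host(sku):
    """Host suites are the Microsoft 365 SKUs that bundle Entra ID."""
    return sku.startswith("Microsoft 365")

def audit(roster):
    """Return (user, sku, finding) tuples for add-on SKUs worth challenging."""
    findings = []
    for rec in roster:
        # Highest Entra ID tier the user already holds through a host suite.
        host_tier = max((TIER[INCLUSION[s]] for s in rec["skus"]
                         if is_host(s) and s in INCLUSION), default=0)
        for sku in rec["skus"]:
            if is_host(sku) or sku not in INCLUSION:
                continue  # only add-on SKUs from the table are evaluated
            tier = TIER[INCLUSION[sku]]
            if tier <= host_tier:
                # Add-on grants nothing beyond the bundled entitlement.
                findings.append((rec["user"], sku, "duplicate"))
            elif tier == 2 and not rec["privileged"]:
                # P2 add-on on a non-privileged seat: candidate for segmentation.
                findings.append((rec["user"], sku, "review-p2"))
    return findings

def annual_list_value(findings):
    """Annual list value of duplicates for SKUs with a price on this page."""
    return sum(12 * LIST_PRICE[sku] for _, sku, kind in findings
               if kind == "duplicate" and sku in LIST_PRICE)
```

EMS duplicates are flagged but not priced, because the page gives no EMS list price.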
Recovered $1.42M annualized by retiring a standalone EMS E5 layer that duplicated entitlements already in their M365 E5 footprint. The duplication had been carried for three EA cycles. Standard reseller true-ups never flagged it because EMS and M365 sit in different proposal sections.
The Entra Suite: ZTNA, IGA, Verified ID, Internet Access
The Entra Suite is Microsoft's $12/user/month bundle that adds four entitlements on top of P1: Entra ID Governance (lifecycle workflows, entitlement management, access certifications — historically branded Entra ID Governance and priced at $7/user/month standalone), Entra Private Access (Microsoft's ZTNA replacement for legacy VPN), Entra Internet Access (Secure Web Gateway / SSE function), and Microsoft Entra Verified ID (issued credentials).
Suite economics work cleanly only if you are retiring real spend. The defensible business case looks like this: "We are decommissioning Cisco AnyConnect (or Palo Alto GlobalProtect) for VPN, plus our standalone IGA tool (SailPoint, Saviynt, or One Identity) at renewal, plus a portion of our Zscaler footprint. Combined, those run $X per user. The Entra Suite at $12 prices in at a saving of Y." Without those retirements, the Suite is a $144/user/year addition to the budget for capabilities most enterprises will not deploy in the first year.
Two negotiation cautions. First, the Suite price is "from $12" — your real number depends on what you bring to the table. Aggressive renewal positioning with a credible IGA retirement frequently produces 25-40% off list. Second, the Suite is sold per qualified user, but the underlying components have different scope rules; ensure your LSP itemizes the per-user math and does not assume 100% adoption from day one. Our EA Negotiation service handles this scope construction routinely.
Workload Identities Premium: the silent cost driver
Workload Identities Premium ($3/workload/month list) is the SKU enterprises consistently undercount. The trigger for needing it is using premium controls — Conditional Access for workload identities, Continuous Access Evaluation, Identity Protection risk detection — against a service principal or managed identity. The instinct is to count "production service principals," but the actual count includes every CI/CD pipeline identity, every Logic App connector subject to a CA policy, every Azure Function with a managed identity that is in scope of a workload CA policy, and every third-party SaaS integration using a service principal that is policy-protected.
Real enterprise counts we have seen at audit: a 12,000-user financial services firm had 4,800 service principals in their Entra tenant; ~1,100 were genuinely premium-controlled and license-bearing; only ~340 were on a Workload ID subscription. The under-licensing exposure was $2.7M cumulative. The recommended discipline is a quarterly Workload Identity inventory — Microsoft will not run this for you, and your LSP will not flag it unless asked.
External ID: customer identity (CIAM) economics
Microsoft Entra External ID is the successor to Azure AD B2C and serves customer and partner identity. Pricing is per monthly active user (MAU). The first 50,000 MAUs per month are free in the standard tier; beyond that, pricing tiers in volume bands with steep break points. Premium External ID features (custom domains, custom branding beyond defaults, advanced risk-based controls) carry a separate per-MAU premium.
The External ID negotiation is volume-based, not seat-based, so it follows different math than your enterprise Entra negotiation. Two patterns matter: (1) seasonal MAU spikes around product launches or retail cycles can blow through tier caps — model annualized peak, not flat-line; (2) the migration from legacy Azure AD B2C tenants has commitment-acceptance moments where Microsoft will package incentives if you push back. If you have a B2C estate of 1M+ MAUs, this is a six-figure annual negotiation in its own right.
Agent 365 and the Entra Agent ID entitlement
Agent 365 — Microsoft's 2026 SKU for governing AI agents at enterprise scale — includes an embedded Entra Agent ID entitlement. Each AI agent (Copilot Studio agents, third-party agents registered to your tenant, Microsoft 365 Copilot extensions) gets a first-class identity that is enumerable, governable, and subject to Conditional Access and PIM workflows without a separate Workload Identities Premium purchase for that agent.
The procurement implication is immediate: if you are committing to Agent 365 in 2026, audit your Workload Identities Premium roster and retire the seats for agents that will move under the Agent 365 umbrella. The double-billing window can run six months if not caught at procurement. Our Copilot Advisory service handles this scoping during AI program planning.
Where enterprises overpay on Entra ID
Five patterns account for the majority of Entra ID overspend we see in client audits. Each is recoverable at the next renewal with disciplined entitlement mapping.
- Duplicate P1/P2 entitlement. Standalone Entra ID P1 (or EMS E3) bought on top of Microsoft 365 E3, when M365 E3 already grants P1. Standalone P2 (or EMS E5) bought on top of M365 E5, when M365 E5 already grants P2. Run the inclusion check against every line item.
- Blanket P2 deployment. P2 added to every seat when only the privileged subset (5-15%) requires PIM and Identity Protection. The cleaner construction is E3-everywhere plus P2-on-the-privileged.
- Entra Suite without retirement plan. Suite purchased on Microsoft's "modernize identity" pitch with no concrete retirement of legacy VPN, IGA, or SSE tools to fund the new spend.
- Under-counted Workload Identities. Premium controls applied to service principals without commensurate Workload ID subscription. Audit exposure plus under-licensing risk.
- External ID tier mismanagement. Seasonal MAU spikes pushing into higher-cost tiers because pricing was modeled on average rather than peak.
Entra ID negotiation levers at EA renewal
The 2026 EA renewal is the moment to reset Entra ID economics. Five levers consistently produce a discount:
1. Bundle leverage. If you are also negotiating an M365 E3-to-E5 step-up, attaching Entra Suite into the same conversation creates a real bundle, not a stacked list-price addition. The price you should target is the Suite at 30-40% off list, contingent on the E5 commitment.
2. ZTNA retirement evidence. Walk in with the current annual run-rate for AnyConnect, GlobalProtect, Zscaler, or whichever VPN/SSE incumbent the Suite is replacing. The discount conversation is anchored on the replaced spend, not on the new spend.
3. PIM-only carve-out. If your only P2 driver is PIM for ~10% of users, you do not need the full P2 SKU envelope. A standalone P2 add-on at LSP-negotiated discount for the privileged subset is materially cheaper than an EMS E5 estate-wide lift.
4. Workload ID step-down. If you have under-licensed Workload Identities historically, Microsoft will frequently waive prior-period exposure in exchange for a clean go-forward commitment with a multi-year SKU position. Negotiate this with Compliance, not with Sales.
5. Renewal price protection. Entra Suite is a new pricing surface; Microsoft has limited public price history. Lock the 2026 unit price for the full EA term with a contractual price-protection clause, not just a footnote in the proposal.
For renewal-cycle play-by-play, the EA Negotiation guide covers timing mechanics in detail, and the Microsoft 365 Licensing guide covers the host-SKU inclusion math that drives the Entra entitlement table.
Major 2026 changes affecting Entra ID licensing
Three discrete 2026 changes have re-priced the Entra ID conversation, and every enterprise approaching renewal needs to model them independently rather than absorb them as generic uplift.
1. E7 Frontier Suite includes Entra ID P2 and Entra Agent ID. Microsoft's $99/user/month E7 SKU bundles AI plus the full P2 + Agent ID stack. If your justification for E5 was largely the P2 entitlement and you also have a serious Copilot ambition, E7 changes the unit-economics question. See our E7 Frontier Suite analysis.
2. EA volume-tier collapse at renewal. The legacy A/B/C/D pricing structure has been compressed, meaning Entra ID line items renew at a flatter discount curve than three years ago. Buyers who expected Level D Entra discounts are recovering 8-14% less than prior cycles unless they negotiate the new construct head-on. See the tier collapse analysis.
3. Workload Identities Premium enforcement tightening. Microsoft Verification activity in 2026 has increased focus on Workload ID true-ups. Service principals using premium features without a corresponding subscription are surfacing in audit findings at materially higher rates than 2024-2025.
Run a clean Entra ID entitlement audit before your renewal
500+ Microsoft engagements. $2.1B managed. 32% average reduction against Microsoft's opening proposals. Independent — we take no fees from Microsoft, ever.
Frequently asked questions about Entra ID licensing
Is Entra ID Free enough for an enterprise?
For tenant administration and basic SSO, yes. For Conditional Access, risk-based policies, password protection, or any modern Zero Trust control, no. Free Entra ID is a tenant container — it is not a security product. Most enterprises need at least P1, and the P1 entitlement is almost certainly already paid for inside Microsoft 365 E3.
What is the difference between Entra ID P1 and P2?
P1 gives you Conditional Access, MFA, hybrid identities (Entra Connect), self-service password reset with writeback, dynamic groups, and basic governance. P2 adds Identity Protection (risk-based sign-in and user-risk policies), Privileged Identity Management (PIM), and access reviews. If you are buying P2 standalone, the breakeven against just deploying PIM-equivalent controls is roughly 18 months for organizations with 50+ privileged roles.
Do I already have Entra ID P1 or P2 through M365?
Microsoft 365 E3, A3, F1, F3, and Business Premium include Entra ID P1. Microsoft 365 E5 and A5 include Entra ID P2. EMS E3 includes P1; EMS E5 includes P2. Before buying standalone Entra ID, audit which SKUs already grant the entitlement — duplicate purchases are common.
What is the Entra Suite and is it worth it?
The Entra Suite ($12/user/month) bundles Entra ID Governance, Internet Access, Private Access, and Verified ID on top of P1. It replaces several point products including standalone SSE/ZTNA tools. For organizations replacing legacy VPN and at least one IGA tool, the Suite typically prices out 20-35% lower than the assembled alternatives. For organizations with no plan to replace those tools, it is a budget addition without a clear retirement.
How are Workload ID licenses counted?
Workload Identities Premium is licensed per workload (per service principal or managed identity that uses premium features like Conditional Access for workload identities or risk detection). $3/workload/month list. The trap is that organizations underestimate the count: every CI/CD pipeline service principal, every Logic App connector, every Function with a managed identity that hits a CA policy counts. Inventory before you commit.
Does Agent 365 include Entra entitlements?
Yes — the Agent 365 license includes an Entra Agent ID entitlement so each AI agent is identifiable, governable, and subject to Conditional Access without an additional Workload ID purchase. If you are paying for Agent 365 you should retire the equivalent Workload ID seats for those identities to avoid double-billing.
Ready to map your Entra ID entitlements against your existing M365 footprint?
A 30-minute call establishes scope. Fixed-fee engagement proposals within 5 business days. Independent, senior-led, 100% buyer-side.