Contents

  1. Entra ID: What Changed from Azure AD
  2. Free vs P1 vs P2: Tier-by-Tier Pricing
  3. External ID and MAU Billing
  4. Entra ID Governance Add-On
  5. Microsoft Entra Suite Pricing
  6. Bundled in M365 vs. Standalone Pricing
  7. Enterprise Cost Scenarios
  8. Negotiation Levers That Work

Microsoft rebranded Azure Active Directory as Microsoft Entra ID in 2023, expanding the product family into a broader identity and access management (IAM) platform. The rebrand came with a restructured product portfolio — and pricing changes that caught many organisations off guard, particularly around external identity and identity governance licensing.

Entra ID is foundational to the Microsoft security stack. Almost every other Microsoft security product — Defender, Sentinel, Intune, Security Copilot — derives value from Entra ID identity signals. That dependency gives Microsoft significant pricing leverage, which it exercises through a tiered licensing model where the most critical features (Conditional Access, PIM, identity protection) require P1 or P2 upgrades above the free tier.

This guide breaks down what each tier actually costs, where the hidden charges appear, and how to negotiate Entra ID pricing as part of a broader Microsoft EA strategy. We work on a 25% gainshare basis — if we find savings, you keep 75%.

Entra ID: What Changed from Azure AD

No Save, No Pay

Overpaying for Microsoft? We handle Microsoft EA, NCE, and Azure negotiation on a 25% gainshare basis — you keep 75% of every dollar saved. No retainer. No risk.

Get a free Microsoft savings estimate →

Beyond the renaming, Microsoft Entra now encompasses a family of products: Entra ID (identity for employees and guests), Entra External ID (B2C/B2B identity for customers and partners), Entra ID Governance (lifecycle management, access reviews, entitlement management), Entra Verified ID (decentralised identity credentials), Entra Permissions Management (CIEM for multi-cloud environments), and Entra Internet Access / Private Access (Secure Service Edge products).

The practical impact for most enterprises: features that were previously part of Azure AD Premium P2 have been pulled into the separate "Entra ID Governance" add-on at additional cost, and external identity has shifted to a monthly active user (MAU) billing model that's more expensive at scale than the previous per-user approach for large external identity deployments.

Free vs P1 vs P2: Tier-by-Tier Pricing

TierPrice/User/MonthKey Features IncludedKey Exclusions
Entra ID Free $0 Basic SSO (10 apps/user), user/group management, MFA via Authenticator app, basic reports Conditional Access, Identity Protection, PIM, Self-Service Password Reset (on-prem)
Entra ID P1 $6.00 Conditional Access, SSPR (cloud + on-prem), hybrid join, unlimited SSO, dynamic groups, custom banned passwords Identity Protection (risk policies), PIM, access reviews, entitlement management
Entra ID P2 $9.00 All P1 features + Identity Protection (risk-based CA), Privileged Identity Management (PIM), access reviews Entra ID Governance (now separate add-on)
Entra ID Governance (add-on) $7.00 Entitlement management, lifecycle workflows, access reviews, privileged access, advanced PIM Requires P2 as prerequisite

The P2 + Governance trap: Features that were previously covered by Azure AD P2 are now split across P2 ($9/user/month) and the Governance add-on ($7/user/month). Organisations that relied on P2 for full lifecycle management and entitlement workflows now need $16/user/month — a 78% increase vs. the $9 P2-only rate. Microsoft made this change without adequately communicating the commercial impact to customers on existing P2 agreements.

External ID and MAU Billing

Entra External ID — used for B2C customer portals, partner extranet access, and supplier portals — is the most commercially disruptive part of the Entra pricing model for organisations with large external user bases.

External ID moved from per-user pricing to Monthly Active User (MAU) billing. An MAU is any external user who authenticates at least once in a given calendar month. The pricing tiers:

Monthly Active UsersPrice Per MAUMonthly Cost (50K MAUs)
First 50,000 MAUsFree$0
50,001 – 100,000 MAUs$0.0165$825
100,001 – 1,000,000 MAUs$0.0165 → $0.0055Variable
1M+ MAUsCustomNegotiated
With MFA (add-on)+$0.03/MAU+$1,500 at 50K

The free tier of 50,000 MAUs/month sounds generous for small deployments but is exhausted quickly by mid-size customer portals. A retail enterprise with 200,000 monthly active customers authenticating to a loyalty platform is paying $2,475/month ($29,700/year) just for the authentication layer — before any MFA charges or feature add-ons.

MFA for external identities is a separate charge above the base MAU rate. Adding $0.03/MAU for 200,000 MAUs adds $6,000/month ($72,000/year) to the bill. For consumer-facing applications where MFA is a compliance or fraud-prevention requirement, this cost is non-optional.

Entra ID Governance Add-On

Entra ID Governance ($7/user/month, requires P2) covers: entitlement management (access packages, policy-based access assignments), lifecycle workflows (automated joiner/mover/leaver processes), access reviews (periodic recertification campaigns), and Privileged Identity Management advanced features (approval workflows, activation justifications).

For regulated industries — financial services, healthcare, government — these governance features are not optional. PCI-DSS, SOC 2, and HIPAA all require demonstrable access control processes that map directly to Governance features. The business case for Governance is clear. The commercial negotiation is where organisations fall short.

Most enterprises include Governance in their EA renewal as an add-on to P2 without negotiating the rate. The $7/user list price for Governance is consistently discounted in large EA deals — we see 15–25% discounts regularly for accounts above 5,000 P2 seats. The mechanism is including Governance in the bundle price rather than licensing it as a separate add-on.

Microsoft Entra Suite Pricing

Microsoft launched the Entra Suite in 2024 as a bundle that includes Entra ID P2, Entra ID Governance, Entra Internet Access, Entra Private Access, and Entra Verified ID. List price: $12/user/month.

At $12/user for the full bundle vs. $16/user for P2 + Governance standalone, the Suite offers apparent savings — but only if you actually need Internet Access (SSE/ZTNA proxy) and Private Access (VPN replacement) capabilities. Organisations that are not deploying Secure Service Edge should not pay for the Suite to get the identity features; the discounted P2+Governance bundle pricing available through EA negotiation typically beats the Suite price for identity-only requirements.

$9
Entra ID P2 list price per user/month
$7
Entra ID Governance add-on per user/month
$12
Entra Suite (P2 + Gov + SSE) per user/month

Bundled in M365 vs. Standalone Pricing

The single most important factor in Entra ID licensing cost is whether you're getting it through a Microsoft 365 bundle or purchasing it standalone. Entra ID P1 is included in Microsoft 365 E3 and Business Premium. Entra ID P2 is included in Microsoft 365 E5 and Microsoft 365 E5 Security.

For organisations already on M365 E3 or E5, the incremental cost of Entra ID P1 or P2 is zero — you're already paying for it. The question becomes: are you actively using the features you're already licensed for? Most organisations on E3 aren't using Conditional Access policies, SSPR, and dynamic groups to their full potential — which means they have licensed value they're not extracting before they even consider upgrading.

Organisations purchasing Entra ID P1 or P2 as standalone licences (not through M365) are almost always in a suboptimal commercial position. The standalone per-user rate is typically higher than the effective per-user cost of the equivalent M365 bundle, even accounting for M365 features they may not use.

Enterprise Cost Scenarios

Scenario 1: Mid-Market Enterprise (2,000 employees, M365 E3)

Currently M365 E3 ($36/user/month) with Entra ID P1 included. Needs PIM and Identity Protection: must upgrade to P2 ($9/user standalone) or M365 E5 ($57/user/month, +$21 over E3). Upgrading 200 privileged users to P2 standalone: $9 × 200 = $1,800/month ($21,600/year). E5 Security add-on for all 2,000 users: ~$12 × 2,000 = $24,000/month ($288,000/year). Selective P2 licensing for privileged users only is often the right approach — Microsoft doesn't require P2 for all users if only a subset needs PIM.

Scenario 2: Enterprise with Large Customer Portal (500K monthly customers)

Entra External ID for 500,000 MAUs/month. First 50K free. Remaining 450K at ~$0.0165/MAU = $7,425/month. MFA for all external users: $0.03 × 500,000 = $15,000/month. Total: $22,425/month ($269,100/year) at list pricing. This warrants direct EA negotiation and comparison against Microsoft's competition (Okta, Auth0, Ping Identity) — which we cover in integrated SaaS contract negotiations.

Further Reading

class="cta-inline reveal">

Overpaying on Microsoft Entra ID or External ID?

Whether it's optimising P1/P2 coverage across your employee base, negotiating MAU rates for external identities, or ensuring Governance pricing is bundled correctly in your EA, we find the savings. Microsoft EA negotiation on 25% gainshare — no savings, no fee.

Get Your Free Entra ID Cost Assessment →

Negotiation Levers That Work

Selective P2 Licensing for Privileged Users Only

Entra ID P2 features like PIM are user-specific. An organisation of 10,000 employees typically has 200–500 privileged identities (IT admins, service accounts, elevated business users) that actually need PIM and Identity Protection. Licensing P2 for 500 users instead of 10,000 reduces Entra ID P2 cost from $900,000/year to $54,000/year — at list price. Microsoft supports this model as long as the users actually benefiting from P2 features are licensed at P2.

Bundle Entra Into the Broader EA Rather Than as Add-Ons

Entra ID P2, Governance, and External ID are all most discountable when included as line items in a comprehensive EA renewal — not when purchased as bolt-ons after the EA is signed. The EA renewal is the leverage point. Include projected External ID MAU volumes, Governance seat counts, and P2 user counts in the EA negotiation, and negotiate the full package as a bundle discount rather than individual product discounts.

External ID MAU Volume Commit

If your External ID usage is predictable (customer portal with stable monthly active user patterns), committing to an annual MAU volume in exchange for a negotiated per-MAU rate can reduce External ID costs 20–30% vs. pure PAYG billing. Microsoft will negotiate custom MAU pricing for deployments above 250K MAUs/month.

Use Competitive Alternatives as Leverage

Okta, Auth0 (now Okta), and Ping Identity all compete directly with Entra External ID for B2C identity scenarios. Okta's B2C pricing is broadly comparable to Entra External ID but with different feature trade-offs. Coming to an EA renewal with documented alternative pricing — particularly for External ID — creates legitimate leverage. Microsoft will adjust External ID pricing to retain accounts that are seriously evaluating alternatives.

As part of Microsoft EA negotiations, we routinely benchmark Entra ID pricing against competitive alternatives and use those benchmarks as part of the negotiation strategy. The savings are real, the process is structured, and you keep 75% of every dollar saved.

$

NoSaveNoPay Advisory Team

Former Microsoft licensing executives. We've negotiated Entra ID, Azure AD, and M365 security licensing for enterprises across financial services, healthcare, and technology sectors. 25% gainshare — zero risk to the client.