Azure Active Directory Premium P1 vs. P2: A Features Comparison

Cloud Computing and Security

In this article, we’ll be comparing Microsoft’s Azure Directory Premium P1 and P2 plans to help you choose the best suite of identity products for your organization. We’ll help you understand the different features between the Azure Active Directory (recently renamed Microsoft Entra ID) Premium P1 and P2 plans, as well as the pricing tiers for each offering.

Part of Microsoft’s newly branded identity and access suite, Microsoft Entra, Azure Active Directory (Azure AD) is the identity and access management (IAM) platform that underpins all Microsoft 365 services (Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Dynamics 365 and so on). For an IT pro, using a centralized identity provider such as Azure Active Directory for all of an organization’s applications makes it possible to secure all the identities that need to be managed in one place.

Azure Active Directory also allows the extension of traditional on-premises Windows Server Active Directory (WAD) servers using Azure AD Connect. This allows organizations to enable single sign-on to Microsoft cloud applications, as well as other vendor SaaS applications that support modern cloud authentication protocols such as OAuth 2.0 and SAML. With Azure Active Directory.

Azure Active Directory Premium P1 vs. P2: Features comparison

Every organization that has at least one licensed Microsoft 365 user (with an E1, E3, E5, F1, and F3 subscription) or uses Microsoft cloud services such as Azure or Intune also has an Azure Active Directory tenant. There are, however, different editions of Azure AD licenses that provide the organization with different capabilities: Azure AD Free/Office 365, Premium P1, and Premium P2.

Azure AD Free and Azure AD Office 365 are both referred to as “Azure AD Free” in this article. Azure Active Directory Premium P1 and Azure Active Directory Premium P2, however, are licensed services that meet the identity protection requirements of most enterprise organizations. The edition of Azure AD that is right for your organization will depend on those requirements.

The table below provides an overview of the features available across the different editions of Azure Active Directory:

All the features available on Azure Active Directory Premium P1 vs. P2

Azure Active Directory Premium P1 features

Azure Active Directory Premium P1 builds on top of the basic user and group management features of Azure AD Free edition. Moreover, Microsoft guarantees at least 99.9% availability of the Azure Active Directory service, an SLA that is not available with free edition of Azure AD.

Advanced group management and password protection

With AAD Premium P1, you get advanced group management (dynamic groups, naming policies, expiration, default classification), as well as group assignments for applications.

Azure Active Directory Premium P1 also enables the use of global password protection, preventing cloud and on-premises AD users from setting weak passwords that contain words commonly used in password spray attacks.

Banned password lists can also be generated for each organization with words specific to them. Azure AD Premium P1 also allows cloud and on-premises users to use the self-service password reset feature to change and unlock their accounts with on-premises write-back on Windows Active Directory.
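The following is an added example, not code from the article or from Microsoft: a simplified model of the banned-password scoring that Microsoft documents for Azure AD Password Protection, so the effect of a custom banned list on a password such as "ContosoBlank12" can be seen. The substitution table and the word lists are illustrative assumptions, and the service’s fuzzy (edit-distance) matching is left out.

```python
# Added example (not from the article or from Microsoft): a simplified model of
# the banned-password scoring documented for Azure AD Password Protection.
# Assumptions: the substitution table and word lists below are illustrative,
# and the service's fuzzy (edit-distance) matching is omitted.

# Common character substitutions undone before matching (illustrative subset).
LEET = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a", "!": "i"})

# Stand-in for the global list of words seen in password-spray attacks.
GLOBAL_BANNED = {"password", "welcome", "summer"}


def normalize(password: str) -> str:
    """Lower-case the password and undo common substitutions (P@ssw0rd -> password)."""
    return password.lower().translate(LEET)


def evaluate(password: str, custom_banned=()):
    """Score a password the way the documented algorithm does.

    Each banned word found counts one point, each character outside a banned
    word counts one point, and the password needs at least five points.
    """
    norm = normalize(password)
    consumed = [False] * len(norm)   # characters already attributed to a banned word
    hits = []
    banned = sorted(GLOBAL_BANNED | set(custom_banned), key=len, reverse=True)
    for word in banned:
        start = norm.find(word)
        while start != -1:
            end = start + len(word)
            if not any(consumed[start:end]):
                consumed[start:end] = [True] * len(word)
                hits.append(word)
            start = norm.find(word, start + 1)
    points = len(hits) + consumed.count(False)
    return {
        "normalized": norm,
        "banned_hits": hits,
        "points": points,
        "accepted": points >= 5,
    }


if __name__ == "__main__":
    org_list = ["contoso", "blank"]   # constructed per-organisation banned list
    for pw in ["C0ntoso1!", "ContosoBlank12", "P@ssw0rd", "correct horse battery staple"]:
        print(pw, evaluate(pw, org_list))
```

Running the block shows why a company name on the custom list matters: "ContosoBlank12" scores only four points (two banned words plus "l2") and is rejected, while a long passphrase with no banned words is accepted on length alone.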

Azure Active Directory Conditional Access

Azure Active Directory Conditional Access is also included, allowing an organization to govern access to their cloud apps based on the condition of the authentication attempt. The conditions used to assess access include user or group membership, IP location information, the connecting device (Windows, iOS, or Android), and the application.

Configuring conditional access policies based on these conditions allows your organization to block access or grant access with controls such as MFA. AAD Conditional access is a powerful tool in the security administrator’s arsenal to secure user identities.
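To make the combination rules concrete, here is an added example (not code from the article or from Microsoft) that models how Conditional Access policies are evaluated against a sign-in: a policy applies only when every configured condition (user or group, application, device platform, IP-derived location) matches, a block in any applicable policy wins, and otherwise the grant controls of all applicable policies are required together. The policy fields are simplified and the group, application and country names are constructed.

```python
# Added example (not from the article or from Microsoft): a small model of how
# Conditional Access conditions and grant controls combine.
# Assumptions: fields are simplified; group, app and country names are constructed.
from dataclasses import dataclass


@dataclass
class SignIn:
    user: str
    groups: frozenset
    app: str
    country: str            # derived from the IP location of the attempt
    platform: str           # Windows, iOS, Android, ...
    compliant_device: bool


@dataclass
class Policy:
    name: str
    include_groups: frozenset = frozenset()    # empty means all users
    exclude_groups: frozenset = frozenset()
    include_apps: frozenset = frozenset()      # empty means all cloud apps
    platforms: frozenset = frozenset()         # empty means any platform
    include_countries: frozenset = frozenset() # empty means any location
    exclude_countries: frozenset = frozenset()
    block: bool = False                        # block access outright
    grant: frozenset = frozenset()             # required controls, e.g. {"mfa"}


def applies(policy: Policy, s: SignIn) -> bool:
    """A policy applies only when every configured condition matches."""
    if policy.include_groups and not (s.groups & policy.include_groups):
        return False
    if s.groups & policy.exclude_groups:
        return False
    if policy.include_apps and s.app not in policy.include_apps:
        return False
    if policy.platforms and s.platform not in policy.platforms:
        return False
    if policy.include_countries and s.country not in policy.include_countries:
        return False
    if s.country in policy.exclude_countries:
        return False
    return True


def evaluate(policies, s: SignIn):
    """Combine all applicable policies: block wins, otherwise every grant control is required."""
    matched = [p for p in policies if applies(p, s)]
    if any(p.block for p in matched):
        return {"decision": "block", "policies": [p.name for p in matched if p.block]}
    required = frozenset().union(*(p.grant for p in matched))
    # A compliant device already satisfies the compliantDevice control; MFA is still prompted.
    satisfied = {"compliantDevice"} if s.compliant_device else set()
    return {
        "decision": "grant",
        "required": sorted(required),
        "outstanding": sorted(required - satisfied),
        "policies": [p.name for p in matched],
    }


# Constructed policy set: MFA for everyone except break-glass accounts, a compliant
# device for SharePoint on mobile platforms, and a block for an untrusted country.
POLICIES = [
    Policy("Require MFA for all users",
           exclude_groups=frozenset({"break-glass"}), grant=frozenset({"mfa"})),
    Policy("Require compliant device for SharePoint on mobile",
           include_apps=frozenset({"SharePoint Online"}),
           platforms=frozenset({"iOS", "Android"}), grant=frozenset({"compliantDevice"})),
    Policy("Block sign-ins from untrusted countries",
           include_countries=frozenset({"ZZ"}), block=True),
]

if __name__ == "__main__":
    attempt = SignIn("alice", frozenset({"staff"}), "SharePoint Online", "GB", "iOS", False)
    print(evaluate(POLICIES, attempt))
```

The model shows the two properties administrators most often get wrong: an exclusion (here the break-glass group) removes a policy entirely rather than relaxing it, and when several policies match, the user must satisfy the union of their controls, so an unmanaged phone reaching SharePoint needs both MFA and a compliant device.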

A conditional access policy in Azure Active Directory

Microsoft Defender for Cloud Apps

Also included with Azure AD Premium P1 is Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security). In most organizations, cloud apps are sprawling and maintaining control of them is key to an organization’s security management.

Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that allows your organization to detect shadow IT, protect sensitive information across cloud apps, and monitor user activities for anomalous behaviors. This product is great for organizations looking to tighten their grip on the cloud apps in use, and it works in two different ways.

First, cloud traffic logs can be sent from firewall and web proxy devices to Microsoft Defender for Cloud Apps to analyze traffic after the fact. This passive mode is also referred to as “cloud discovery” and it enables an organization to review the use of cloud apps. Additionally, Microsoft Defender for Cloud Apps can also be used to actively allow and block traffic to stop breaches and leaks in real time by operating in proxy mode.

Microsoft Defender for Cloud Apps integrates with Azure AD Conditional Access by using Conditional Access App Control. This feature enables app access to be monitored and controlled in real time using session policies and a reverse proxy architecture. These session policies enable granular control over what users can do once they have satisfied the authentication request. Controls include blocking downloads, as well as copying or printing sensitive documents on non-compliant devices.

Azure AD Application Proxy

The Application Proxy product included in Azure AD Premium P1 allows on-premises web applications to be accessed remotely by users. The proxy works by passing the users’ Azure AD sign-in token through on-premises web applications that use Integrated Windows Authentication. A user’s access to the web application is then proxied through the Application Proxy service, removing the need to publish the application out to the Internet.

Microsoft Identity Manager

Azure AD Premium P1 licenses also allow the use of Microsoft Identity Manager (MIM). This is a tool used by organizations that have advanced identity synchronization needs. It is a really powerful tool should bespoke identity synchronization be required in an organization.

Azure Active Directory Premium P2 features

AAD Premium P2 includes all the products in AAD Premium P1, and adds a few additional products for enhanced identity security.

Azure Active Directory Identity Protection

Azure Active Directory Identity Protection can analyze a user’s sign-in request against risk factors such as known leaked credentials, atypical travel, malware-linked IP addresses, and unfamiliar sign-in properties. This additional intelligence is useful for organizations looking to automate responses to suspected compromised user accounts without relying on users reporting odd behavior or administrators reviewing logs after the fact.

Access reviews

Access reviews allow better management of group memberships and access to enterprise applications by delegating regular access reviews to specific reviewers to confirm whether the provided access is still required. This is particularly useful for high-privilege security groups or applications that process sensitive data. It is often a regulatory and/or audit requirement to demonstrate effective access management processes.

Privileged Identity Management

Privileged Identity Management (PIM) is another AAD Premium P2 feature that enables just-in-time access for admins to privileged Azure AD roles such as Global Administrator. It also supports Azure roles such as Owner and Contributor.

This tool allows admins to elevate their accounts to the required role only when they need to, rather than having the permissions permanently assigned. This helps to mitigate high-privileged account compromises that are often the target of attackers.

Privileged Identity Management with Azure AD Premium P2 lets you create new role assignments for a specific time

Azure Active Directory Premium P1 vs. P2: Pricing comparison

Licensing Azure AD Premium P1 and Premium P2 can be confusing as these offerings can be purchased standalone, but they are also bundled in with other Microsoft 365 and Enterprise Mobility Suite (EMS) packages.

A standalone Azure Premium P1 license costs $6 per user / per month, whereas an Azure Premium P2 license costs $9 per user / per month. All member user accounts in the Azure AD tenant must be licensed.

If your organization licenses Microsoft 365, then Microsoft 365 E3 licenses include Azure Active Directory Premium P1. Microsoft 365 E5 licenses also include Azure Active Directory Premium P2.

If you do not need to step up to the full Microsoft 365 E5 license, then an EMS E5 license can be bolted onto Microsoft 365 E3 to access the Azure Active Directory Premium P2 features.

Active Directory Premium P1 vs. P2: Which plan is right for you?

The plan that is right for your organization should be driven by the identity and access management requirements. Azure AD Premium P2 licenses are beneficial for organizations that are expected to demonstrate a high level of governance of identities. That implies managing privileged access and automating access reviews and responses to potentially compromised accounts.

If your organization does not have these requirements, then an Azure AD Premium P1 license will likely suffice.

What can you do with the Azure AD free tier?

The core authentication capabilities expected of a cloud-based identity and access management platform are available in the Azure AD free tier. Here are the main features you can use with this free tier:

  • Cloud authentication (both pass-through authentication and password hash synchronization)
  • Federated authentication with on-premises Active Directory Federation Services (ADFS).
  • Basic security and management of users and groups.
  • Support for Single sign-on (SSO) to an unlimited number of apps and Multi-factor authentication (MFA) for users
  • Support for Directory sync in hybrid environments from on-premises Windows Server Active Directory via Azure AD Connect software. However, the Azure AD free tier only offers Self-service password change for cloud users (not on-premises users).
  • Passwordless authentication (using Windows Hello for Business, Microsoft Authenticator, or FIDO2 security key integrations) is also supported in the free tier, should organizations want to start making the transition.

Last but not least, you should keep in mind that no SLA is provided for the free tier of Azure Active Directory.

Conclusion

In summary, Azure AD Premium licensing provides a good toolset for security administrators to securely manage identity and access within the organization. For those using Microsoft 365 and Azure AD for single sign-on, it is the optimal tool as all the Azure AD products are well integrated with the rest of the Microsoft cloud stack.