Entra ID Free is bundled with every Microsoft 365 and Azure subscription at zero incremental cost. Entra ID P1 lists at $6.00 per user per month. Entra ID P2 lists at $9.00 per user per month. Microsoft Entra ID Governance is a $7.00 per user per month add-on requiring P1 or P2 as the prerequisite. Entra Workload Identities is $3.00 per service principal per month. Entra Verified ID is $0.25 per credential issued. The single largest cost mistake is buying P2 across the full estate when only 15 to 30 percent of seats actually use a P2-only feature.
This page is the 2026 pricing reference for the Entra family: what each tier costs, what features sit at each tier, when the Microsoft 365 E5 bundle is cheaper than standalone P2, and the conditional-access policies that justify the P2 upgrade. Built from Microsoft's Product Terms (May 2026), the Entra service description, and advisor-led identity-licensing negotiations during 2024 to 2026.
Inside This Pillar
- Entra ID 2026 price snapshot
- What Entra ID Free includes
- Entra ID P1 feature set
- Entra ID P2 feature set
- P1 vs P2 decision matrix
- When Microsoft 365 E5 beats standalone P2
- Entra ID Governance add-on
- Entra Workload Identities
- Entra Verified ID pricing
- Conditional Access policies that justify P2
- 2026 negotiation levers
- Tier-down optimisation framework
Entra ID 2026 price snapshot
Entra is sold as a five-product family. Each product has its own per-user or per-resource metric.
| Entra SKU | List price | Metric | Prerequisite |
|---|---|---|---|
| Entra ID Free | $0.00 | Per user | Bundled with M365 or Azure |
| Entra ID P1 | $6.00 per user per month | Per user | None |
| Entra ID P2 | $9.00 per user per month | Per user | None (includes P1) |
| Entra ID Governance | $7.00 per user per month | Per user | P1 or P2 |
| Entra Workload Identities Premium | $3.00 per workload identity per month | Per service principal or managed identity | None |
| Entra Verified ID | $0.25 per credential issued or verified | Per transaction | Entra ID tenant |
| Entra External ID (B2C) | $0.00325 per MAU under 50K, then tiered | Per monthly active user | None |
| Entra Internet Access (SSE) | $8.00 per user per month | Per user | Entra ID |
| Entra Private Access | $5.00 per user per month | Per user | Entra ID |
| Entra Suite (bundle) | $12.00 per user per month | Per user | Includes Internet, Private, Verified, Governance |
Microsoft 365 plans bundle Entra. Microsoft 365 E3 includes Entra ID P1 (value $72 per user per year). Microsoft 365 E5 includes Entra ID P2 (value $108 per user per year). Office 365 plans do not include Entra premium. EMS E3 and EMS E5 also include P1 and P2 respectively as standalone bundles for organisations not on Microsoft 365.
What Entra ID Free includes
Entra ID Free, formerly Azure AD Free, is delivered with every Microsoft cloud subscription. It is not a separately licensed SKU. The Free tier supports up to 500,000 directory objects, single sign-on for up to 10 cloud applications per user, self-service password change for cloud users, security defaults (a baseline enforcement of MFA and modern authentication), basic audit and sign-in reports retained 7 days, and B2B collaboration up to 50,000 monthly active users at no cost on the inviting tenant.
The Free tier supports Conditional Access only through Security Defaults, which apply uniformly across the tenant and cannot be tuned per user, per app, or per condition. There is no MFA registration enforcement, no self-service password reset for hybrid users, no application proxy, no group-based licence assignment, and no risk-based sign-in detection.
For organisations whose identity surface is purely cloud-native Microsoft and whose security needs are met by tenant-wide MFA enforcement, the Free tier is sufficient. Most enterprises hit one of the Free-tier limits within the first six months. The first is usually self-service password reset for hybrid (on-premises synced) users, which requires P1.
Entra ID P1 feature set
Entra ID P1 at $6.00 per user per month adds the features that most enterprises consider table stakes for identity.
Conditional Access becomes a first-class policy engine: per-user, per-app, per-device, per-network, per-risk policies, with grant and session controls including require MFA, require compliant device, require app protection policy, require Terms of Use, sign-in frequency, and persistent browser session. This is the foundation for modern zero-trust architectures.
P1 enables group-based licence assignment, dynamic group membership rules, application proxy for on-premises app publishing, self-service password reset for hybrid users (writeback to Active Directory), self-service group management, password protection (banned password lists), Microsoft Identity Manager licensing, and the Entra Connect Health monitoring service. It includes Cloud App Discovery (a subset of Defender for Cloud Apps) for shadow IT visibility.
Reporting expands: sign-in reports retained 30 days, audit logs 30 days, with Log Analytics export for longer retention. Microsoft Authenticator passwordless sign-in, FIDO2 security keys, and Temporary Access Pass for onboarding are included. P1 is the prerequisite for Entra ID Governance and for the Entra Suite.
| Feature | Free | P1 | P2 |
|---|---|---|---|
| Single sign-on (gallery + custom apps) | 10 apps | Unlimited | Unlimited |
| Multi-factor authentication | Security defaults only | Conditional Access policies | Conditional Access + risk-based |
| Conditional Access | No | Yes | Yes |
| Self-service password reset (cloud) | Yes | Yes | Yes |
| Self-service password reset (hybrid, AD writeback) | No | Yes | Yes |
| Application Proxy | No | Yes | Yes |
| Group-based licence assignment | No | Yes | Yes |
| Identity Protection (risky sign-in, risky user) | No | No | Yes |
| Privileged Identity Management (PIM) | No | No | Yes |
| Access Reviews | No | No | Yes |
| Entitlement Management | No | No | Yes (via Governance) |
| Sign-in and audit log retention | 7 days | 30 days | 30 days |
Entra ID P2 feature set
Entra ID P2 at $9.00 per user per month adds two capabilities that are not available at P1.
Identity Protection delivers machine-learning-based risk detection on sign-in events (atypical travel, anonymous IP, malware-linked IP, leaked credentials) and on user accounts (anomalous behaviour, password spray detection, leaked credential found in dark-web feeds). Risk scores feed into Conditional Access policies as a condition, so an automated response (require MFA, block sign-in, force password change) can be enforced on the risk signal alone. Identity Protection is the only path to risk-based Conditional Access. Without P2, Conditional Access is rule-based, not adaptive.
Privileged Identity Management (PIM) delivers just-in-time, time-bound, and approval-based elevation for Entra directory roles and for Azure RBAC roles. PIM eliminates standing administrative access. Eligible users request activation, optionally trigger an approval workflow, complete MFA, and receive role membership for a bounded time window. PIM emits an audit log of every activation, every approval, and every role assignment, with built-in access reviews on the assignments themselves.
P2 also includes Access Reviews on access packages and on group memberships, automated provisioning of catalogue access via Entra ID Governance access packages, and reporting on stale users and stale groups.
P1 vs P2 decision matrix
The P1-to-P2 upgrade is $3.00 per user per month, $36 per user per year. For a 10,000-seat estate the upgrade is $360,000 per year. The decision is whether the seats need Identity Protection, PIM, or Access Reviews. Most do not.
| Persona | Required Entra tier | Why |
|---|---|---|
| Standard knowledge worker | P1 | Conditional Access, MFA, SSPR. Identity Protection is overkill. |
| Frontline / shift worker | Free or P1 via F SKU | Minimal app surface. F3 includes Entra P1 features for a $0.50 increment. |
| External contractor or vendor | P1 via B2B guest model | Guest pricing model: invite + MFA from Free tier, P1 for invited app surface. |
| IT administrator (helpdesk to global admin) | P2 | PIM eligibility is the single largest control. Identity Protection on admin sign-in is mandatory. |
| Developer with cloud access | P2 | PIM for Azure RBAC role activation. Identity Protection on production access. |
| Finance and legal users | P1 + targeted P2 | P2 for users with elevated SharePoint or Purview access. P1 for the rest. |
| Executive (C-suite) | P2 | Identity Protection elevated risk monitoring. Conditional Access plus Verified ID. |
The optimised estate has P2 on 15 to 30 percent of seats (admins, developers, executives, high-risk roles) and P1 on the rest. Tenants that buy Microsoft 365 E5 across the whole estate get P2 bundled and effectively pay the P2 premium on every seat, regardless of whether each seat uses it. That is a deliberate Microsoft pricing choice. It is not a constraint.
When Microsoft 365 E5 beats standalone P2
Microsoft 365 E5 lists at $57.00 per user per month versus Microsoft 365 E3 at $36.00. The $21.00 premium delivers Power BI Pro ($14.00 standalone), Entra ID P2 ($3.00 incremental over P1), Defender for Endpoint P2 ($5.20 standalone), Defender for Office 365 P2 ($5.00 standalone), Defender for Identity ($5.50 standalone), Defender for Cloud Apps full ($5.00 standalone), Purview Information Protection P2 (eDiscovery + Records Management + Insider Risk), Teams Phone with Calling Plan ($8.00 standalone), and Microsoft Stream Premium.
The standalone equivalents total over $40 per user per month. The E5 premium of $21 buys the bundle for roughly half. The bundle is worth it on seats that consume four or more of the bundled premium features. Seats that consume only Entra ID P2 should buy standalone Entra ID P2 instead, or stay on Microsoft 365 E3 plus the $3 P2 add-on.
The E5 selectivity principle: Microsoft 365 E5 is only the cheapest path for seats that consume the security plus communications plus analytics bundle. For seats that only need Entra ID P2 (admins, developers) the cheaper combination is Microsoft 365 E3 plus Entra ID P2 standalone, totalling $45 per user per month against E5 at $57.
Entra ID Governance add-on
Entra ID Governance at $7.00 per user per month delivers entitlement management, access packages with policy-driven approval, lifecycle workflows, separation-of-duties checks, and machine-learning recommendations for access reviews. It requires P1 or P2 as the prerequisite, with P2 covering the prerequisite if already in place.
Governance economics work for organisations with active joiner-mover-leaver automation, regulated identity audits (SOX, HIPAA, FedRAMP, GDPR access controls), or external contractor populations of 1,000 or more. For a 5,000-employee estate Governance lists at $420,000 per year. The substitution opportunities are Saviynt, SailPoint, and Omada Identity Cloud, all of which can be significantly cheaper per seat at small scale but are typically priced at parity or above at 10,000 seats. Governance also includes lifecycle workflow execution that requires no additional automation platform, eliminating the cost of a separate orchestration tool.
Entra Workload Identities
Workload Identities Premium at $3.00 per workload identity per month covers service principals, managed identities, and application identities that need Conditional Access enforcement, Identity Protection risk signals on application sign-in, or access reviews on the workload itself. The metric counts active workload identities, not the user identities. A tenant with 500 service principals consuming the premium features lists at $18,000 per year.
The Free tier supports the existence of service principals and managed identities without premium features. The Premium tier is required only when Conditional Access policies target service principals (e.g. block access from non-corporate IPs, require certificate auth), when Identity Protection risk detection is needed on application sign-ins, or when application access reviews are mandated by audit.
Entra Verified ID pricing
Entra Verified ID at $0.25 per credential issued or verified delivers decentralised digital credentials using W3C Verifiable Credentials and the Microsoft Authenticator wallet. Issuance and verification are billed separately at the same rate. A typical onboarding workflow that issues an employee ID, a security clearance level, and a department membership consumes three issuances ($0.75) plus subsequent verification events per resource accessed.
Verified ID is in production use for employee onboarding (issuance of verified-employee credentials by HR), partner ecosystem authentication, healthcare provider credentialing, and education student-record portability. Pricing scales linearly. The 50,000-employee enterprise that issues 5 credentials per employee at onboarding and verifies 12 times per employee per year runs at $0.25 x (5 + 12) x 50,000 = $212,500 per year.
Conditional Access policies that justify P2
The features unique to P2 are Identity Protection (risky sign-in and risky user signals) and Privileged Identity Management. The only seats that strictly require P2 are those covered by Conditional Access policies or role activations that depend on those features.
| Policy | Required tier | Why |
|---|---|---|
| Require MFA for all users | P1 | Standard Conditional Access |
| Require compliant device | P1 | Standard Conditional Access |
| Block legacy authentication | P1 | Standard Conditional Access |
| Require password change on risky user | P2 | Uses Identity Protection user-risk signal |
| Require MFA on risky sign-in | P2 | Uses Identity Protection sign-in-risk signal |
| Block sign-in on high-risk user | P2 | Uses Identity Protection user-risk signal |
| PIM activation for Azure RBAC role | P2 | PIM is P2-only |
| PIM activation for Entra role | P2 | PIM is P2-only |
| Access Reviews on Entra ID Governance access packages | P2 | Access Reviews are P2-only |
If a tenant uses none of the four P2-only policy patterns, the P2 spend is unused. The audit question to put to the security team is: which Conditional Access policies in production today use sign-in risk or user risk as a condition? Tenants that answer "none" should not be paying for P2 across the estate.
2026 negotiation levers
Entra is licensed inside the Microsoft Customer Agreement, the Enterprise Agreement, the New Commerce Experience, or as a standalone CSP SKU. The negotiated discount on Entra is typically 8 to 15 percent at EA Level A, 15 to 25 percent at Level D, and lower for NCE monthly. The volume metrics that move pricing are total committed seat count, mix of P1 and P2, and inclusion within a broader Microsoft 365 commitment.
Three levers materially move the realised price. First, structuring Entra as a mid-term add-on at true-up tends to deliver a lower discount than including it in the initial three-year EA. Build the Entra commitment into the initial EA term. Second, mixing P1 and P2 by role gives a substantially lower blended cost than a uniform P2 estate, with a typical saving of 35 to 50 percent of total Entra spend. Third, negotiating the Entra Suite ($12.00 per user per month) versus stacking components (P2 + Internet Access + Private Access + Governance + Verified ID) lands a 20 to 30 percent discount on the bundle for organisations that genuinely consume the full suite.
Tier-down optimisation framework
The Entra optimisation engagement runs in three steps.
Step 1: usage assessment. Pull sign-in logs from each tenant for the last 90 days. Filter on Conditional Access policies invoked. Count distinct users who triggered a P2-only policy. The result is the upper bound on P2 demand. Any user who never triggered a P2-only policy in 90 days does not need P2.
Step 2: PIM and Identity Protection requirement scan. Identify every user who holds an Entra role, an Azure RBAC role, or membership in a privileged Azure resource group. Those users need P2. Identify every user whom a regulatory mandate requires to be covered by user-risk or sign-in-risk policies (typically C-suite, finance leads, HR leads, and IT admins). They need P2.
Step 3: assign the right SKU. Build the optimised mix: P2 for the privileged-and-regulated population, P1 for the rest, F1 or F3 with included Entra rights for the frontline. Run the resulting per-seat math against the current invoice. The recovered spend on a typical 10,000-seat estate is $1.1M to $2.6M per year. The exercise repeats annually because the privileged population drifts and because Microsoft adjusts P1 and P2 feature scope twice a year.
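The audit question from the Conditional Access section and the three steps above can be run offline against exported data. The sketch below is an added example, not Microsoft tooling or code from this page: it finds enabled policies that use sign-in risk or user risk as a condition, counts the distinct users those policies were enforced against, adds the privileged population from Step 2, and prices the resulting P1/P2 mix at list. Field names follow the Microsoft Graph `conditionalAccessPolicy` and `signIn` resources; the policy IDs, users, and seat count are constructed, and treating only `success` and `failure` results as "triggered" is an assumption.

```python
# Added example. Field names follow the Microsoft Graph conditionalAccessPolicy
# and signIn resources; all records below are constructed sample data.
P1_PRICE, P2_PRICE = 6.00, 9.00  # list prices per user per month, from this page

POLICIES = [  # constructed export of Conditional Access policy definitions
    {"id": "ca-01", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"signInRiskLevels": [], "userRiskLevels": []}},
    {"id": "ca-02", "displayName": "Require MFA on risky sign-in", "state": "enabled",
     "conditions": {"signInRiskLevels": ["medium", "high"], "userRiskLevels": []}},
    {"id": "ca-03", "displayName": "Block sign-in on high-risk user", "state": "enabled",
     "conditions": {"signInRiskLevels": [], "userRiskLevels": ["high"]}},
]
SIGN_INS = [  # constructed sign-in log rows from the 90-day window
    {"userPrincipalName": "ana@example.com", "appliedConditionalAccessPolicies": [
        {"id": "ca-01", "result": "success"}, {"id": "ca-02", "result": "notApplied"}]},
    {"userPrincipalName": "bo@example.com", "appliedConditionalAccessPolicies": [
        {"id": "ca-01", "result": "success"}, {"id": "ca-02", "result": "success"}]},
    {"userPrincipalName": "cy@example.com", "appliedConditionalAccessPolicies": [
        {"id": "ca-03", "result": "failure"}]},
    {"userPrincipalName": "Bo@Example.com", "appliedConditionalAccessPolicies": [
        {"id": "ca-02", "result": "failure"}]},
    {"userPrincipalName": "di@example.com", "appliedConditionalAccessPolicies": []},
]
PRIVILEGED = {"di@example.com"}  # constructed Step 2 output: Entra or Azure RBAC role holders

def risk_policy_ids(policies):
    """IDs of enabled policies that use sign-in risk or user risk as a condition."""
    return {p["id"] for p in policies if p.get("state") == "enabled" and
            (p["conditions"].get("signInRiskLevels") or p["conditions"].get("userRiskLevels"))}

def users_hitting(sign_ins, policy_ids):
    """Distinct users (case-insensitive UPN) for whom a listed policy was enforced."""
    hit = set()
    for row in sign_ins:
        for applied in row.get("appliedConditionalAccessPolicies") or []:
            # Assumption: only success/failure count as triggered; notApplied and report-only do not.
            if applied["id"] in policy_ids and applied["result"] in ("success", "failure"):
                hit.add(row["userPrincipalName"].lower())
    return hit

def seat_plan(sign_ins, policies, privileged, total_seats):
    """Steps 1 to 3: P2 set, P1 remainder, and annual list cost against uniform P2."""
    p2 = users_hitting(sign_ins, risk_policy_ids(policies)) | {u.lower() for u in privileged}
    mixed = 12 * (len(p2) * P2_PRICE + (total_seats - len(p2)) * P1_PRICE)
    return {"p2_users": sorted(p2), "p1_seats": total_seats - len(p2),
            "annual_mixed": mixed, "annual_all_p2": 12 * total_seats * P2_PRICE}

if __name__ == "__main__":
    print(seat_plan(SIGN_INS, POLICIES, PRIVILEGED, total_seats=10))
```

An empty result from `risk_policy_ids` is the "none" answer to the audit question: no enforced policy in the tenant consumes an Identity Protection signal.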
For the broader identity strategy see Microsoft Security Licensing, the Microsoft EA Complete Guide, the Microsoft vendor hub, and our software licensing advisory service for assessment engagements.