- New services built on Entra ID help manage the security of identities used in infrastructure access by admins and application entitlement for users.
- Most services come at additional cost to organizations already licensing Entra ID, and new licensing and pricing changes are set to raise costs further.
- Entra technologies will see continued churn, due to new product introductions, retirements, and more expensive licenses, so organizations should pace themselves on broad adoption.
- Do not license services until the organization is ready to deploy and manage them and prepared to license them for everyone.
Entra is a family of services to help organizations manage identities and access to resources. Entra services build on Entra ID and include new, in preview, or renamed versions of older services. These services can help organizations implement identity best practices. That, in turn, helps prevent and detect theft or abuse of identities and limits damage by restricting the resources accessible to a user or administrator to the minimum required for their role (also known as least privilege).
Microsoft’s rebranding around Entra ID did not result in any pricing or licensing changes, but Entra Identity Governance is now required to deliver Microsoft’s complete entitlement management services. However, Entra Identity Governance is not included in any Microsoft 365 suites, which adds licensing costs. A range of new Entra services are bundled with the new Internet Access and Private Access services in a new higher-end Entra Suite, which continues the trend of ever-increasing per-user licensing charges and of more services that are not bundled into Microsoft 365 suites. (For information on the Entra Suite, see the sidebar “What is the Entra Suite?”)
Three Types of Entra Identity Services

Each Microsoft Entra service delivers distinct identity management capabilities, including managing individual identities, access to Microsoft 365 resources by external users, access to internal or external applications, and management of applications running in cloud infrastructures. (Note that some services exclude “ID” as a part of the name, while others add it as a suffix. These names appear to be in flux and are subject to change due to the unintended consequences of continual Microsoft rebranding.)
Although Microsoft does not group them as such, the identity services available under the Microsoft Entra brand umbrella can be organized into three loosely defined categories:
- Identity, Access Management, and Governance
- User Resource Access Services
- Identity Management for Cloud Services
This family of Entra services has been growing rapidly and will likely experience more feature expansion and repackaging over the next few years. (For information on other identity services that do not fit in any of these groups, see the chart below.)
Identity, Access Management, and Governance
Identity, Access Management, and Governance includes the two renamed but otherwise unchanged tiers of Entra ID, plus the new premium identity governance add-on.
Entra ID—Identity and Access Management
Entra ID is a multitenant identity and access management (IAM) service hosted by Microsoft. The service has one free and three paid tiers, and the capabilities of the lowest three tiers have remained essentially unchanged since the rebrand to Entra ID from AAD.
Features of the free tier of Entra ID include:
- Basic identity management
- Microsoft 365 Groups for use with Microsoft 365 and Office 365
- Identity management for most Microsoft services, including Microsoft 365.
Features of Entra ID P1 include:
- Conditional access
- Multifactor authentication (MFA)
- Basic security reporting
- Customized user experiences.
Features of Entra ID P2 include all Entra P1 capabilities, plus:
- Identity protection
- Entitlement management and access reviews
- Comprehensive security reporting
- Privileged identity management.
Prerequisites: Entra ID P1 requires Intune Plan 1 (at a minimum) to deliver the baseline set of conditional access features. Additional conditional access checks require additional premium services.
Availability: Entra ID P1 and P2 are generally available, with packaging and pricing that is unchanged from the former AAD Premium tiers. A range of new entitlement management features, Entra Identity Governance, became available in July 2023.
Licensing: Entra ID P1 monthly licensing is US$6 per user, and Entra ID P2 monthly licensing is an additional US$9 per user. Entra ID Governance is included in the new Entra Suite add-on that became available in July 2024 for US$12 per month for P1 users, and US$9 per month for P2 users.
More information on Entra ID plans: https://learn.microsoft.com/entra/identity/.
Entra ID Governance—User Access Governance
Entra ID Governance is a new Entra ID add-on offering that is effectively a new tier of Entra ID to help customers gain oversight and a level of automatic control over application access.
Features of the Entra ID Governance add-on include:
- Life-cycle workflows
- Machine-learning access reviews
- Entitlement management using Entra Verified ID
- Identity Governance dashboard.
Prerequisites: The Entra ID Governance add-on requires either Entra ID P1 or Entra ID P2.
Availability: Entra ID Governance is generally available, but some features remain incomplete.
Licensing: The Entra ID Governance add-on monthly cost is US$7 per user when added to P1 and US$4 per user when added to P2. Entra ID Governance is also included in the new Entra Suite add-on that became available in July 2024 for US$12 per month for P1 users, and US$9 per month for P2 users.
Organizations also need to purchase licenses for their peak number of external monthly active users (MAUs), at a monthly cost of US$0.75 per external user.
More information on Entra ID plans: https://www.microsoft.com/security/business/identity-access/microsoft-entra-id-governance.
User Resource Access Services
User Resource Access Services include three services to help organizations manage internal and external user and partner access to resources and applications. All of these services reached general availability during mid-2024, and customers should expect churn and change for some period of time.
Entra External ID—Customer Identity and Access Management (CIAM)
Entra External ID is a new name and set of capabilities that will gradually replace AAD B2B. It also includes an offering for consumers that will eventually replace AAD B2C, which is no longer available for sale to new customers as of May 1, 2025. Microsoft has noted that the AAD B2C service will remain available until at least May 2030. ISVs and organizations using AAD B2C should begin considering their replacement options, particularly if they do not intend to move to Entra External ID.
Features of Entra External ID include:
- Controlled access rights for external users, partners, or customers
- Conditional access support
- Role-based access control (RBAC)-based administration
- Integration of Entra ID Governance for external users (at additional charge)
- Integration with Microsoft Authentication Library (MSAL) and Entra Verified ID development SDKs.
Prerequisites: Requires Entra ID and an Azure subscription.
Availability: Entra External ID reached general availability in May 2024.
Licensing: Monthly pricing of Entra External ID is based on MAUs and follows the same MAU model that B2B did previously (free for up to 50,000 MAUs).
Monthly external user pricing of Entra services is:
- Entra ID P1 is US$0.00325 per MAU beyond the 50,000 free user count
- Entra ID P2 is US$1.625 per MAU beyond the 50,000 free user count
- Entra ID Governance will be US$0.75 per MAU.
More information on Entra External ID:
https://learn.microsoft.com/entra/external-id/.
Entra Internet Access—Secure Web Gateway (SWG)
Entra Internet Access is a new Entra offering that provides secure access to and access monitoring of Microsoft 365 and external applications.
Microsoft describes it as a part of its Security Service Edge. It is also available alongside Entra Private Access under the Global Secure Access brand.
Features of Entra Internet Access include:
- Access management for Microsoft 365 and external applications
- Conditional access controls for any application or system
- Granular access to applications at the user, process, or device level
- Enhanced logging and reporting on application access.
Prerequisites: Entra Internet Access requires Entra ID P1 or Entra ID P2. The use of any Global Secure Access service requires deployment of client software to Windows or Android devices.
Availability: Entra Internet Access reached general availability in July 2024. Entra Internet Access is also included in the new Entra Suite add-on that became available in July 2024.
Licensing: Entra Internet Access monthly licensing is US$5 per user. Entra Internet Access is also included in the new Entra Suite add-on that became available in July 2024 for US$12 per month for P1 users and US$9 per month for P2 users.
More information on Entra Internet Access:
https://learn.microsoft.com/entra/global-secure-access/how-to-get-started-with-global-secure-access.
Entra Private Access—Zero-Trust Network Access (ZTNA)
Entra Private Access is a new Entra offering that provides secure access to and access monitoring of private and on-premises applications.
Microsoft describes it as a part of its Security Service Edge, also described collectively with Entra Internet Access under the Global Secure Access brand.
Features of Entra Private Access include:
- Access management for private and internal (traditionally on-premises) applications
- Conditional access controls for any application or system
- Granular access to applications at the user, process, or device level
- Enhanced logging and reporting on application access.
Prerequisites: The use of any Global Secure Access service requires deployment of client software to Windows or Android devices.
Availability: Entra Private Access reached general availability in July 2024.
Licensing: Entra Private Access monthly licensing is US$5 per user. Entra Private Access is also included in the new Entra Suite add-on that became available in July 2024 for US$12 per month for P1 users, and US$9 per month for P2 users.
More information on Entra Private Access:
https://learn.microsoft.com/entra/global-secure-access/how-to-get-started-with-global-secure-access.
Identity Management for Cloud Services
Identity Management for Cloud Services includes hosted Active Directory (AD) services for use with Azure-based applications, management of workload identities, and management of cloud application permissions. The service is intended to help customers move applications that depend on AD into Azure.
Entra Domain Services—Hosted AD for Applications
Entra Domain Services (previously AD Domain Services) offers hosted AD services as a service running in Azure and includes domain join, Group Policy Object (GPO), Lightweight Directory Access Protocol (LDAP), and Kerberos/NTLM authentication, for use by legacy applications running in Azure. Like AD Domain Services before it, Entra Domain Services is not designed to help organizations retire their on-premises AD because it cannot meet the performance and latency requirements necessary for on-premises clients.
Note that AD on-premises is not required for Entra Domain Services to function, as identity information is rooted off of Entra ID, which in turn can be synchronized with AD on-premises as required.
Features of Entra Domain Services include:
- AD services as a service in Azure
- Replication of Entra ID data
- High availability
- One- or two-way trusts are currently in preview.
Prerequisites: Entra Domain Services requires Entra ID.
Availability: Entra Domain Services is generally available.
Licensing: Entra Domain Services is available in three tiers, offering graduated performance and object counts, as well as increased backup.
These three tiers are Standard, Enterprise, and Premium, which have hourly charges of US$0.15, US$0.40, or US$1.60 per domain set, respectively. This equates to a monthly cost of US$109.50, US$292, or US$1,168, respectively.
More information on Entra Domain Services:
https://learn.microsoft.com/entra/identity/domain-services/overview.
Entra Workload ID—Management of Workload Identities
Entra Workload ID is a service that allows customers to add security and auditing capabilities to their existing workload identities (credentials used for service accounts or applications).
Features of Entra Workload ID include:
- Conditional access for workload identities (limited set of checks)
- Access reviews and continuous access evaluation
- Identity protection
- Integrates with Azure managed identities, using Azure Key Vault
- Enables workload identity management within GitHub Actions, Kubernetes, and workloads outside Azure using workload identity federation.
Prerequisites: Requires Entra ID, Azure, and Azure Key Vault.
Availability: Entra Workload ID is generally available. The service is likely to regularly take on new capabilities to manage additional types of workloads.
Licensing: Monthly pricing of Entra Workload ID is US$3 per workload identity.
More information on Entra Workload ID:
https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-id.
Entra Permissions Management—(Retiring)
Entra Permissions Management automatically manages, applies, or revokes access rights as necessary to infrastructure in Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). This allows the organization to ensure that their cloud services are secure, with access only granted for individuals in the organization who require it.
Entra Permissions Management, a centralized service offering multi-cloud permissions management, has been retired, is no longer available to license, and is supported only through Sept. 2025.
Features of Entra Permissions Management include:
- Automated management of administrative access control across clouds
- Reporting on assigned permissions
- Machine learning–based anomaly alerting to identify suspicious access attempts.
Prerequisites: Entra Permissions Management requires Entra ID, and the features are only for infrastructure in Azure, AWS, or GCP. Permissions management is supported with compute resources, container clusters, serverless functions, and databases across those three clouds.
Availability: Entra Permissions Management is no longer generally available as of Apr. 1, 2025. The product remains supported through Sept. 2025, and customers must deploy a replacement from a third party by Oct. 1, 2025.
Licensing: Entra Permissions Management monthly pricing is US$10.40 per managed resource.
More information on Entra Permissions Management plans:
https://learn.microsoft.com/entra/permissions-management/.
Roadmap
The family of Entra services has been expanding rapidly as illustrated by the following examples:
- After enabling a preview of group writeback for the traditional Entra Connect Sync cloud sync agent, Microsoft walked this decision back, telling customers to use Entra Cloud Sync instead. This clearly indicates Microsoft’s long-term objective to move away from Entra Connect Sync in favor of cloud-based sync.
- The addition of Entra ID Governance as a tier above Entra ID P2 (formerly AAD Premium P2) rather than adding the features to Entra ID P2 follows Microsoft’s broader tendency to add new features to new, higher-priced tiers of service while letting older, lesser tiers of service go stale. (Customers who previously bought into AAD Premium P2 for identity protection should use this subtle price increase as a negotiation tool during their next Enterprise Agreement [EA] renewal.)
- The Entra Suite release in July 2024 continues this trend of moving upmarket, bundling together Entra ID Governance, Entra Internet Access, Entra Public Access, and premium Entra Internet Access, and adding premium face check capabilities to the free Entra Verified ID service.
- This move toward Entra as a broader access hub likely indicates that organizations will need to buy into the entire Microsoft 365 E5 suite for all users, as well as buy numerous add-on batteries that are not included, to achieve the complete Entra story told by Microsoft.
Microsoft had stated that some aspects of Global Secure Access would be made available to add on to Microsoft 365 E3 licenses, but in Nov. 2024, Microsoft announced that this Secure Access Essentials offering would not be released after all.
Customers should expect that Microsoft will continue to expand the family of Entra services, make changes to existing services, and create more premium add-ons for identity management, governance, and access control.
Directions Recommends
Evaluate before adding. A large number of organizations license Entra ID P1, and a much smaller number have licensed Entra ID P2, which arrived much later. Beyond those two services, most Entra offerings are quite new and vary in maturity. Organizations should evaluate any additional tiers before adopting them, to assess the value the organization and users will actually receive.
Do not license until ready to deploy. Most of the offerings in this report, including Entra ID Governance, the Entra Suite, and the other components of the Entra Suite, will require significant expense to license and time to deploy effectively. Do not add them on to Microsoft 365 suites until the organization has evaluated them properly and has a plan to deploy them within the next calendar year for all licensed users, to prevent wasted spending.
Understand your existing use and potential noncompliance. A growing number of organizations should be licensing Entra ID P2 due to their existing use of Entra ID Protection, which does not perform proper license compliance checking. Between licensing summary reporting and new external user billing, organizations should anticipate that Microsoft will begin increased license enforcement of Entra to drive revenue. (The first instances of this that Directions discovered were two organizations found in 2017 to be noncompliant with AAD Premium P2, due to use of Identity Protection in conjunction with conditional access, which can occur accidentally.)
Understand these add-ons require add-on licenses for every user. Most licenses discussed in this report other than Verified ID are licensed for every user that may benefit from them. The cost—and need to license every user—may not initially be worth it for organizations, particularly if they are not ready to broadly deploy them.
Negotiate to save. Customers may be able to negotiate lower prices for the Entra Suite while Microsoft attempts to increase adoption of multiple premium licensing tiers atop Microsoft 365. Customers should still not license them, even at a discount, until ready to deploy them and retrain users to take advantage of them.
Resources
General availability of the Entra Suite was described in the Directions report “Entra Suite Bundles Governance, New Secure Access Services”.
The set of Entra services is described at https://www.microsoft.com/security/business/microsoft-entra.
Entra services documentation is at https://learn.microsoft.com/entra/.
Global Secure Access (Entra Private Access and Entra Internet Access) documentation is at https://learn.microsoft.com/entra/global-secure-access/.
The general availability of Entra Security Service Edge (Global Secure Access) was announced at https://techcommunity.microsoft.com/t5/microsoft-entra-blog/microsoft-entra-expands-into-security-service-edge-with-two-new/ba-p/3847829.