Entra ID P1 vs P2: Which License Do You Actually Need?
Every Microsoft licensing conversation eventually lands on the same question: do we need P1 or P2? Your reseller says P2. Your budget says P1. Microsoft’s comparison page lists 40 features with checkmarks but doesn’t tell you which ones actually matter for your environment.
Here’s the straightforward answer: most organizations need P1. Some organizations need P2. And a specific subset — defense contractors pursuing CMMC Level 2 — probably need P2 whether they realize it yet or not.
Let me explain when each tier earns its cost.
What You Get for Free
Before comparing P1 and P2, it’s worth knowing what Entra ID Free includes, because it’s more than people think.
Every Microsoft 365 subscription includes Entra ID Free. You get basic user and group management, cloud authentication, self-service password change (not reset, change), single sign-on for integrated SaaS apps, and MFA via security defaults. Security defaults require every user to register for MFA, always enforce it for administrators and privileged actions, prompt other users when Microsoft judges a sign-in needs it, and block legacy authentication, all with no configuration. For a 10-person company that just needs email and file sharing, this might be enough.
The moment you need Conditional Access, you’ve outgrown Free.
P1 vs P2: What Actually Matters
Microsoft’s feature comparison has dozens of line items. Most of them won’t change your decision. Here are the ones that will.
| Feature | P1 ($6/user/mo) | P2 ($9/user/mo) |
|---|---|---|
| Conditional Access | Yes | Yes |
| MFA (granular policies) | Yes | Yes |
| Self-Service Password Reset | Yes | Yes |
| Group-Based Licensing | Yes | Yes |
| Dynamic Groups | Yes | Yes |
| Application Proxy | Yes | Yes |
| Hybrid Identity (Entra Connect sync is free; P1 adds password, group and device writeback) | Yes | Yes |
| Identity Protection (risk-based CA) | No | Yes |
| Privileged Identity Management (PIM) | No | Yes |
| Access Reviews | No | Yes |
| Entitlement Management | No | Yes |
| Lifecycle workflows and the rest of the Identity Governance suite | No | No (separate Entra ID Governance add-on) |
P1 gives you the enforcement layer — Conditional Access is the big one. It’s the engine that says “this user, on this device, from this location, accessing this app, must satisfy these conditions.” If you don’t have Conditional Access, you don’t have granular access control. Period.
P2 gives you the governance layer — the features that answer “who should have access to what, and can we prove it?”
When P1 Is Enough
P1 covers most organizations. You get:
Conditional Access. This is the primary reason to upgrade from Free. You can enforce MFA selectively (admins always, users on untrusted networks), require compliant devices, block legacy authentication, restrict access by location, and control which apps users can reach from which conditions. If someone asks “why do we need P1,” the answer is Conditional Access.
Self-Service Password Reset. Users reset their own passwords without calling the help desk. Seems minor. In practice, password resets are routinely one of the largest help desk ticket categories, so the savings show up within weeks. If you are hybrid, note that writing the new password back to on-premises AD (password writeback) also needs P1.
Application Proxy. Publish internal web applications to remote users without a VPN. If you have on-prem web apps that need external access, this is included with P1 at no additional cost.
Dynamic Groups. Groups that automatically add and remove members based on user attributes (department, job title, location). Set it once, stop manually managing group membership.
If your security model is “enforce MFA everywhere, require compliant devices, block legacy auth, restrict by location” — P1 does all of that. You don’t need P2.
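As an added example (not from the original article), here is what that P1 security model looks like when written against the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and the signed-in account can consent to Policy.ReadWrite.ConditionalAccess; the break-glass group ID, the policy names and the set of admin roles are placeholders and choices of mine, not anything the article specifies. Every policy is created in report-only mode so you can read its impact in the sign-in log before enforcing it.

```powershell
# Added example: Entra ID P1 Conditional Access baseline via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; caller can consent to the scopes below;
# $BreakGlassGroupId is a placeholder for your emergency-access account group.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Directory.Read.All'
# GCC High tenants: add -Environment USGov so the SDK targets graph.microsoft.us.

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace

# Built-in directory role template IDs; these are identical in every tenant.
$AdminRoleIds = @(
    '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator
    '194ae4cb-b126-40b2-bd5b-6091b380977d'   # Security Administrator
    'e8611ab8-c189-46e8-94e1-60213ab1f814'   # Privileged Role Administrator
)

# Report-only: the policy is evaluated and logged on every sign-in but never enforced.
$ReportOnly = 'enabledForReportingButNotEnforced'

$Policies = @(
    @{  # 1. Admin roles must satisfy MFA from anywhere, on any client type.
        displayName   = 'CA001 - Require MFA for directory admin roles'
        state         = $ReportOnly
        conditions    = @{
            users          = @{ includeRoles = $AdminRoleIds; excludeGroups = @($BreakGlassGroupId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
    @{  # 2. Legacy auth (EAS, basic-auth "other" clients) cannot do MFA, so block it outright.
        displayName   = 'CA002 - Block legacy authentication'
        state         = $ReportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    @{  # 3. Modern clients for everyone else must come from a compliant or hybrid-joined device.
        displayName   = 'CA003 - Require compliant or hybrid joined device'
        state         = $ReportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
    }
)

foreach ($p in $Policies) {
    # Idempotent: skip a policy whose name already exists rather than creating a duplicate.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'"
    if ($existing) { Write-Host "Exists, skipping: $($p.displayName)"; continue }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' state=$($created.State) id=$($created.Id)"
}
# Review the report-only results in the sign-in log, then change state to 'enabled' per policy.
```

The break-glass exclusion is the part people skip and regret: a compliant-device policy with no exclusion will lock out the accounts you need when the device management service itself is the thing that is broken.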
When You Need P2
P2 adds four capabilities that matter. Each one solves a specific problem.
Privileged Identity Management (PIM)
PIM is just-in-time, just-enough access for privileged roles. Instead of giving someone permanent Global Admin, you make them eligible for Global Admin. When they need it, they activate the role; the role settings can require MFA, a justification and an approver, and the elevation expires after a set window (the maximum activation duration defaults to 8 hours and is configurable per role).
You need PIM if: You have more than two or three people who need admin access occasionally. Without PIM, those accounts sit with standing privileged access 24/7. That's a surface area problem. An attacker who compromises an account with permanent Global Admin owns your tenant. An attacker who compromises an eligible-but-not-activated account owns a regular user account, plus whatever it takes to activate. That caveat matters: if activation needs only the password the attacker already has, eligibility buys you very little. Require MFA (ideally a phishing-resistant method) or an approver on activation, and alert on every activation of the highest-impact roles.
PIM also generates an audit trail of every activation — who elevated, when, why, and for how long. That trail matters for compliance.
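As an added example (not code from the original article), the following script does the three things the PIM section describes: lists who currently holds Global Admin and whether each holding is permanent or an activation, converts one standing assignment into an eligible one, and exports the activation trail for the last 12 months as evidence. It assumes the Microsoft.Graph module and consent to the scopes shown; the target user ID is a placeholder, and the audit-log detail key names (Justification, ExpirationTime) are the ones I have seen in PIM activation events and should be verified against your own tenant.

```powershell
# Added example: inventory standing Global Admin assignments, convert one to PIM-eligible,
# and export a 12-month activation trail. Assumptions: Microsoft.Graph module; caller can
# consent to the scopes below; $TargetUserId is a placeholder. Do NOT convert break-glass
# accounts: those stay as permanent assignments by design.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'AuditLog.Read.All'

$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'   # built-in role template ID
$TargetUserId      = '11111111-1111-1111-1111-111111111111'   # placeholder, replace

# 1. Who holds Global Admin right now, and is it permanent, time-bound, or a PIM activation?
$instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
    -Filter "roleDefinitionId eq '$GlobalAdminRoleId'" -ExpandProperty principal
foreach ($i in $instances) {
    $kind = if ($i.AssignmentType -eq 'Activated') { 'PIM activation' } elseif ($i.EndDateTime) { 'time-bound' } else { 'PERMANENT' }
    '{0,-45} {1,-15} ends={2}' -f $i.Principal.AdditionalProperties['userPrincipalName'], $kind, $i.EndDateTime
}

# 2a. Grant eligibility (one year; renew it through an access review rather than forever).
$eligible = @{
    action           = 'adminAssign'
    justification    = 'Convert standing Global Admin to PIM-eligible'
    roleDefinitionId = $GlobalAdminRoleId
    directoryScopeId = '/'
    principalId      = $TargetUserId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P365D' }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligible | Out-Null

# 2b. Remove the standing active assignment so activation is the only path to the role.
$remove = @{
    action           = 'adminRemove'
    justification    = 'Standing assignment replaced by PIM eligibility'
    roleDefinitionId = $GlobalAdminRoleId
    directoryScopeId = '/'
    principalId      = $TargetUserId
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $remove | Out-Null

# 3. Evidence: every PIM activation in the last 12 months, pulled from the directory audit log.
$since  = (Get-Date).AddDays(-365).ToUniversalTime().ToString('o')
$events = Get-MgAuditLogDirectoryAudit -All `
    -Filter "loggedByService eq 'PIM' and activityDateTime ge $since" |
    Where-Object { $_.ActivityDisplayName -like '*PIM activation*' }

$rows = foreach ($e in $events) {
    $detail = @{}
    foreach ($d in $e.AdditionalDetails) { $detail[$d.Key] = $d.Value }   # key names: assumption, verify in tenant
    [pscustomobject]@{
        When          = $e.ActivityDateTime
        Who           = $e.InitiatedBy.User.UserPrincipalName
        Role          = ($e.TargetResources | Where-Object Type -eq 'Role' | Select-Object -First 1).DisplayName
        Justification = $detail['Justification']
        Expires       = $detail['ExpirationTime']
        Result        = $e.Result
    }
}
$rows | Export-Csv -Path .\pim-activations-12mo.csv -NoTypeInformation
"$($rows.Count) activations exported"
```

Run step 1 on its own first and read the output before touching step 2; the list of PERMANENT holders is usually longer than anyone expects, and at least two of them should stay that way as break-glass accounts.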
Identity Protection
Identity Protection uses Microsoft’s threat intelligence to detect risky sign-ins and risky users in real time. It feeds into Conditional Access as a condition: “if this sign-in is high risk, require MFA” or “if this user is high risk, force a password change.”
You need Identity Protection if: You want automated response to compromised credentials. Microsoft detects leaked credentials that surface in public and dark web dumps, password spray attacks, and anomalous sign-in patterns. Without P2 the tenant still records sign-in logs and shows risk only in summary form, and risk cannot be used as a Conditional Access condition, so any response is manual: you find out about the compromise when the damage is already done.
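As an added example (not from the original article), here are the two risk-based Conditional Access policies the section describes, followed by a triage loop over users Identity Protection currently rates high risk. It assumes the Microsoft.Graph module, consent to the scopes shown, and a placeholder break-glass group ID; the policy names and the decision to auto-confirm compromise on a leaked-credential detection are my choices, not the article's.

```powershell
# Added example: Identity Protection (P2) wired into Conditional Access, plus a triage loop
# over high-risk users. Assumptions: Microsoft.Graph module; consent to the scopes below;
# $BreakGlassGroupId is a placeholder. Policies start in report-only mode.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'IdentityRiskyUser.ReadWrite.All', 'IdentityRiskEvent.Read.All', 'User.ReadWrite.All'

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace
$ReportOnly        = 'enabledForReportingButNotEnforced'

$RiskPolicies = @(
    @{  # Sign-in risk: this particular sign-in looks wrong, so step up to MFA.
        displayName   = 'CA010 - Sign-in risk medium or high requires MFA'
        state         = $ReportOnly
        conditions    = @{
            users            = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications     = @{ includeApplications = @('All') }
            signInRiskLevels = @('medium', 'high')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
    @{  # User risk: the account itself is probably compromised, so require MFA AND a new password.
        displayName   = 'CA011 - User risk high requires secure password change'
        state         = $ReportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications   = @{ includeApplications = @('All') }
            userRiskLevels = @('high')
        }
        # passwordChange is only accepted together with mfa under the AND operator.
        grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }
    }
)
foreach ($p in $RiskPolicies) {
    if (Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'") { continue }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Out-Null
}

# Triage: for each user still flagged high risk, list the detections behind the score.
# On a leaked-credential hit, confirm the compromise (keeps user risk high, so CA011 fires
# on the next sign-in) and revoke existing sessions so the refresh tokens stop working.
$risky = Get-MgRiskyUser -All -Filter "riskLevel eq 'high' and riskState eq 'atRisk'"
foreach ($u in $risky) {
    $detections = Get-MgRiskDetection -Filter "userId eq '$($u.Id)'" |
        Sort-Object DetectedDateTime -Descending
    $types = ($detections.RiskEventType | Select-Object -Unique) -join ', '
    Write-Host "$($u.UserPrincipalName): $types"
    if ($detections.RiskEventType -contains 'leakedCredentials') {
        Confirm-MgRiskyUserCompromised -UserIds @($u.Id)
        Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
        Write-Host "  confirmed compromised and sessions revoked"
    }
}
```

The password-change policy is the one worth being careful with: a high user risk score on a hybrid account requires password writeback to be working, otherwise the user is stuck at a prompt they cannot satisfy, which is exactly why both policies start in report-only.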
Access Reviews
Access Reviews are periodic recertifications: “Does this person still need access to this group/app/role?” You define the scope and frequency, assign reviewers, and Entra ID sends them a list of users to approve or deny. Stale access gets cleaned up automatically.
You need Access Reviews if: You have compliance requirements around periodic access recertification, or you’ve accumulated years of group memberships that nobody audits. In practice, every organization over 100 users has this problem. Whether you need a product to solve it depends on your compliance posture.
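As an added example (not code from the original article), this creates the kind of recurring recertification the section describes, a quarterly review of one group decided by its owners, and then exports the decisions from completed instances as evidence. It assumes the Microsoft.Graph module and consent to AccessReview.ReadWrite.All; the group ID, fallback reviewer ID and review wording are placeholders, and the settings (deny by default, auto-apply, 14-day window) are my choices.

```powershell
# Added example: recurring quarterly access review of a group, with decisions exported as
# recertification evidence. Assumptions: Microsoft.Graph module; consent to the scope below;
# $GroupId and $FallbackReviewerId are placeholders.
Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All'

$GroupId            = '22222222-2222-2222-2222-222222222222'   # placeholder: group under review
$FallbackReviewerId = '33333333-3333-3333-3333-333333333333'   # placeholder: used if the group has no owners

$definition = @{
    displayName             = 'Quarterly recertification - project team'
    descriptionForAdmins    = 'Periodic access recertification evidence'
    descriptionForReviewers = 'Approve only members who still need this access today.'
    scope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = "/groups/$GroupId/transitiveMembers"   # nested members are reviewed too
        queryType     = 'MicrosoftGraph'
    }
    reviewers = @(
        @{ query = "/groups/$GroupId/owners"; queryType = 'MicrosoftGraph' }
    )
    fallbackReviewers = @(
        @{ query = "/users/$FallbackReviewerId"; queryType = 'MicrosoftGraph' }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        defaultDecisionEnabled          = $true
        defaultDecision                 = 'Deny'   # reviewer silence removes access, never keeps it
        autoApplyDecisionsEnabled       = $true    # denials are applied without a second manual step
        instanceDurationInDays          = 14
        recurrence = @{
            pattern = @{ type = 'absoluteMonthly'; interval = 3; dayOfMonth = 1 }
            range   = @{ type = 'noEnd'; startDate = (Get-Date).ToString('yyyy-MM-dd') }
        }
    }
}
$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
Write-Host "Created review $($review.Id) status=$($review.Status)"

# Evidence export: every decision from every completed instance of this review series.
$instances = Get-MgIdentityGovernanceAccessReviewDefinitionInstance `
    -AccessReviewScheduleDefinitionId $review.Id -All
$decisions = foreach ($inst in $instances | Where-Object Status -eq 'Completed') {
    Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
        -AccessReviewScheduleDefinitionId $review.Id -AccessReviewInstanceId $inst.Id -All |
    ForEach-Object {
        [pscustomobject]@{
            Period        = $inst.StartDateTime
            Principal     = $_.Principal.AdditionalProperties['userPrincipalName']   # assumption: user principals
            Decision      = $_.Decision          # Approve / Deny / NotReviewed (default then applies)
            ReviewedBy    = $_.ReviewedBy.UserPrincipalName
            Justification = $_.Justification
            Applied       = $_.ApplyResult
        }
    }
}
$decisions | Export-Csv -Path .\access-review-decisions.csv -NoTypeInformation
```

Deny-by-default with auto-apply is what turns a review from a report into a control: a reviewer who ignores the email causes access to be removed, which is the behaviour you want to be able to show an assessor.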
Entitlement Management
Entitlement Management bundles resources (groups, apps, SharePoint sites) into “access packages” that users can request through a self-service portal. Requests go through approval workflows, have expiration dates, and are automatically revoked when they expire.
You need Entitlement Management if: You have external users (B2B guests) who need structured, time-limited access to your resources. Or you have internal users who frequently need temporary access to project-specific resources. It’s the difference between “email IT and wait three days” and “request access, get approved in an hour, access expires in 90 days.”
The CMMC Question
If you’re a defense contractor pursuing CMMC Level 2, the P1 vs P2 decision gets simpler — and the answer is probably P2.
Here’s why. Several NIST 800-171 controls that CMMC Level 2 requires map directly to P2 features:
3.1.1 (Limit System Access). Access Reviews provide evidence that you're periodically validating who has access to what. An assessor will ask "how do you review access?" Having automated, documented access reviews with approval/denial records is a materially better answer than "we check manually."
3.1.5 (Least Privilege). Assessors want to see that privileged access is scoped and time-limited. PIM is the cleanest way to demonstrate this. You can show an assessor the PIM activation logs and say "here's every instance of privileged access in the last 12 months, with justification, duration, and the requesting user." Try doing that with permanent role assignments.
3.1.6 (Use of Non-Privileged Accounts). PIM keeps privileges out of daily work because they don't exist until explicitly activated. Pair it with dedicated admin accounts: a user who activates Global Admin on the same account they read email with is still exposing that privilege to every phishing link in their inbox for the length of the activation window.
3.1.7 (Prevent Non-Privileged Users from Executing Privileged Functions). Same story. PIM enforces the boundary between regular and privileged access with a verifiable mechanism, and the activation log is the audit record the control also asks for.
3.13.1 (Monitor and Control Communications at System Boundaries). Identity Protection's risk-based Conditional Access policies respond automatically when suspicious sign-in activity is detected, without waiting for a human to notice. Expect this mapping to be argued more than the PIM ones: 3.13.1 is written around network boundaries, so in your SSP also cite the same policies and risk reports under 3.14.6 and 3.14.7 (monitoring for attacks, identifying unauthorized use), where the fit is more direct.
Can you pass a CMMC assessment with P1? Technically, yes — if you have compensating controls that satisfy these requirements through other mechanisms. But P2 gives you the native tools that map cleanest to the assessment objectives. And assessors are familiar with them.
P2 in GCC High: What to Know
If you’re in GCC High, P2 features are available — but with caveats.
GCC High follows a delayed feature rollout compared to commercial Microsoft 365. Features that ship to commercial don’t land in GCC High on the same day. The gap varies: sometimes weeks, sometimes months. This is true across the board, but it’s especially relevant for P2 because the governance features are the ones that tend to lag.
Here’s the current state worth noting:
PIM works in GCC High. Role activation, time-bound assignments, approval workflows, and activation logs all function as expected. This is the P2 feature most GCC High customers care about, and it’s solid.
Identity Protection works in GCC High. Risk detections, risky user reports, and risk-based Conditional Access policies are available. The risk detection models are trained on Microsoft’s global signal, which includes government cloud telemetry.
Access Reviews work in GCC High. You can create and manage reviews for groups, apps, and roles. The self-service portal is accessible at the GCC High-specific endpoint.
Entitlement Management has limitations in cross-tenant scenarios. This matters for defense contractors who collaborate across organizational boundaries (which is most of them). Connected organizations and cross-tenant access packages work differently — or don’t work yet — in GCC High. If B2B guest access governance is a core use case, test it in your tenant before committing to an Entitlement Management strategy.
The GCC High admin center lives at entra.microsoft.us, not the commercial entra.microsoft.com, and scripts must target the government Graph endpoint (graph.microsoft.us) rather than graph.microsoft.com. If you're following Microsoft documentation or tutorials, make sure you're using the government endpoints. The commercial portal won't show your government tenant.
The Math
For a 50-person defense contractor:
| License | Per User/Mo | Monthly Total | Annual Total |
|---|---|---|---|
| P1 (via Business Premium) | $22.00 | $1,100 | $13,200 |
| P2 add-on | +$3.00 | +$150 | +$1,800 |
P2 is $3/user/month when added to a plan that already includes P1. For a 50-person org, that's $1,800/year for PIM, Identity Protection, Access Reviews, and Entitlement Management, a rounding error against the cost of a C3PAO assessment. Confirm with your CSP that the step-up SKU is offered on your plan; if you have to buy full P2 at the $9 list price instead, the add-on is $450/month or $5,400/year, still cheap relative to the assessment it supports.
If you’re in GCC High, the licensing picture is changing. Microsoft 365 Business Premium is now available in GCC High, which means P1 is included at the Business Premium price point rather than requiring E3 or E5. P2 is still a separate add-on in GCC High.
Bottom Line
Get P1 if: You need Conditional Access, self-service password reset, Application Proxy, and dynamic groups. This covers most commercial organizations.
Get P2 if: You need just-in-time privileged access (PIM), automated risk detection (Identity Protection), periodic access reviews, or structured guest access management. Or if you’re pursuing CMMC Level 2 and want the cleanest path through the access control requirements.
Skip both if: You're under 10 users, have no compliance requirements, and can live without Conditional Access. Security defaults (Free tier) are better than nothing. Even then, give admin roles only to the people who actually administer the tenant; "everyone is an admin" is exactly the standing-privilege problem PIM exists to fix, and at that size you can fix it by hand.
If you’re trying to figure out how Entra ID licensing fits into your broader CMMC compliance or GCC High migration plan, let’s talk. We’ll map your actual requirements to the right license tier — not the one your reseller gets the best margin on.