Understanding Entra ID’s Premium P2 Tier

Written by David Worthington on February 3, 2023

Share This Article


Contents


To better understand the structure of Entra ID, we are exploring each tier of their service offerings in a four-part series. This is the final part of the series.

Each article covers the benefits and drawbacks that come with each of Entra ID’s pricing tiers. If interested, feel free to read our previous blogs on Entra ID Free and Entra ID Premium P1.

Entra ID Premium P2

Entra ID is a cloud-based user management platform often introduced to organizations via the purchase of a Microsoft 365™ license or Azure subscription. IT teams start their organizations with Entra ID Free or Microsoft 365 apps (since those are included with a subscription to either service), but that SKU has limited functionality. It’s not uncommon for organizations to upgrade their Entra ID instances to P2 licenses just to get “that one thing” they need or be able to deploy other Microsoft services that require the Premium SKUs. There’s also guidance for organizations that use Active Directory (AD) to pay for P2 for better security.

The highest level of Entra’s paid licenses, Entra ID Premium 2, delivers most of its value when it’s used with Active Directory. Its premium features are most appropriate for organizations that are either heavily regulated or have extensive in-house application and data center resources that need to be monitored and secured. It has many features for compliance and security that are only suitable for large enterprises that have the capacity to deploy and support their usage. A word of caution for any IT admin that becomes heavily involved with Microsoft services: some governance features were recently moved out of P2 and into a supplemental governance SKU. Microsoft often exercises its control after organizations have consolidated onto its platforms.

Note: Microsoft Learn stresses the importance of features including Identity Protection for AD, access packages, and Privileged Identity Management (PIM). The majority of this functionality has been moved to the Governance SKU, increasing subscription costs.

Entra ID lacks device management features, even P2. There are additional costs for managing external identities, and management overhead increases when single sign-on (SSO) is necessary to secure access to your network devices. Microsoft offers appear to be integrated, but in reality are a patchwork of services and consoles that admins must make work together.

As such, we will evaluate Entra ID Premium P2’s native capabilities as a standalone product, and how organizations can best utilize its services to enhance their productivity and security.

Benefits of Entra ID Premium P2

Entra ID Premium P2 is most commonly used for providing insight into user activity within Azure infrastructure, Microsoft 365, and web applications. Entra ID Premium P2’s feature set offers admins the opportunity to thoroughly manage their users and access control. Lower tiers of Entra have limitations such as no session and user risk factors, or Identity Protection for AD. 

Entra ID Premium 2 offers the following features:

  • Includes all of the features listed for Entra ID Microsoft 365 apps 
  • SSO for an unlimited number of pre-integrated SaaS applications
  • Self-service application assignment to enable users to self-discover and request access to resources
  • On-prem write-back for all password changes
  • Advanced usage reporting
  • HR-driven provisioning
  • Self-service group management and application management 
  • Microsoft® Identity Management (MIM) CAL + MIM server for simplified lifecycle user management
  • Conditional access based on device state, app filters, location, and groups
  • Step-up authentication based on authentication context
  • Continuous access evaluation, token protection, and session lifetime management
  • Risk event investigation
  • Automate password rollover for group accounts
  • Application proxy for on-premises, header-based, and Integrated Windows Authentication
  • Role-based access control (RBAC)
  • Risk-based Identity Protection, which is mandatory to protect legacy AD 
  • Privileged identity management
  • Self-service entitlement management (My Access) and other basic entitlements management features not found in the Governance SKU
  • Privileged Identity Management (PIM) is included, but access reviews that are essential for attestation have been moved into the Governance SKU
  • Cloud app discovery (Windows Defender for Cloud Apps)
  • Identity Protection reporting: vulnerabilities and risky accounts
  • Identity Protection reporting: risk events investigation, SIEM connectivity
  • A service-level agreement

The biggest difference between Entra Premium P1 and P2 is that when admins purchase Entra ID Premium P2, they attain the ability to deeply observe their users and detect possible threats by automating the detection and remediation of identity-based risks, investigating risks using data in the portal, and exporting risk detection data to third-party utilities for further analysis.

These sound like features that are nice to have, but they’re mandatory if you’re using AD. Microsoft’s reference architecture and public statements indicate that AD is considered a legacy technology that must be secured and protected. However, even P2 isn’t enough to accomplish that objective: Defender for Identity is also prescribed (and a separate subscription).

Entra ID Premium 2 provides admins with much more data than its previous iterations, effectively alerting organizations in a way that helps them attain compliance and troubleshoot issues that may exist with Entra or Azure. However, it doesn’t include everything.

JumpCloud

Breaking Up with Active Directory

Don’t let your directory hold you back. Learn why it’s time to break up with AD.

Drawbacks of Entra ID Premium P2

As mentioned above, Entra P2 integrates with AD and offers Identity Protection, but doesn’t include services that are required to prevent lateral movement by attackers. Even in relation to the P1 tier, workarounds are required to utilize core network protocols to secure and manage access to network devices. Devices serve as the gateway to access resources to work and leaving devices unmanaged fails to achieve a Zero Trust security posture like Microsoft recommends. Entra P2 is the highest tier of the product line, but it won’t manage devices without an Intune® subscription from Microsoft or a different M365 SKU that includes it.

Implementation

Many admins just want to use MS Office, tighten up their security posture, and be business enablers by providing users with the solutions that they need. Organizations that adopt Microsoft become focused on rolling out its products instead of assisting business performance.

Microsoft licensing can be complex, and implementing best practices for Entra takes a lot of work. License management and pricing can be complex/unpredictable without understanding how everything interconnects and what features are included in each plan. Some features are gated off and require more services to run, including reporting for conditional access policies.

Many organizations may have to hire consultants to guide them through the migration. These challenges have given rise to a cottage industry of consultants. Otherwise deploying all of these features leads to reskilling and new hires at market rates. This is due to the breadth of configurations and resulting complexity that Microsoft’s enterprise features involve. Entra P2 includes more sophisticated features that are more likely to require dedicated internal teams with support from specialized external resources. Otherwise, implementations will be incomplete or small and medium-sized enterprises (SMEs) will pay for services that won’t be used.

There are also licensing stipulations to deploy the features that are listed in P2. For example, Entra Connect Health reporting includes fine print:  “First monitoring agent requires at least one license. Each additional agent requires 25 additional incremental licenses. Agents monitoring Entra ID Federation Services, Entra ID Connect, and Entra ID Domain Services are considered separate agents.”

Fit and Value for SMEs

It’s unlikely that SMEs will have the ability to support a full Entra P2 implementation or have the requirements for advanced compliance reporting or a security operations center to support it. Unfortunately, some useful IT management capabilities are also walled off into the P2 tier. SMEs that have P2 recommended to them should evaluate whether they’ll receive enough payback.

The Bad Economics of Lock-In

Entra P2 is usually packaged with a vast vertically integrated suite of tools and applications that will dominate your enterprise. There are stipulations where additional licenses are required. For example, using reporting mode in Entra ID requires that you pay for Azure Monitor to set up a Log Analytics Workspace. The reporting feature is seemingly included in P1 and P2, but really isn’t.

Many organizations are looking for options outside of Microsoft to deal with the diversities of mixed device types, mixed working arrangements, and accelerated cloud adoption. Adopting P2 is a decision that may not have an immediate impact on those objectives, but it eventually will, because P2 is usually bundled with many unrelated apps and services that take over your stack. Organizations will lose the flexibility to use best of breed services that users may prefer. McKinsey advises closer involvement between IT and the business sides of companies. Microsoft’s bundling increases its customer lifetime value versus making SMEs more responsive/competitive. Time spent implementing the product impedes business/IT alignment. 

Missing Identity and Access Control Functionality 

SSO to Everything

Entra P2 is designed to work in conjunction with a directory service and lacks features most organizations find necessary to achieve SSO to everything. For example, no matter the subscription tier, Entra lacks the ability to manage user access to networks via RADIUS or LDAP unless you pay Microsoft more money and use more of its services.

Note: Windows Hello doesn’t extend beyond Windows, limiting modern authentication.

Unfortunately, this ingrains many admins into Microsoft’s hybrid infrastructure, which is less than ideal for cloud-forward organizations looking to leave behind the time and cost of running server rooms. Additionally, AD’s RADIUS authentication is performed via an on-prem NPS server, which requires additional infrastructure and increases the attack surface area. Remember, Microsoft has designated AD as a legacy technology that must be modernized and protected.

IT admins that are looking to move past legacy hardware will find that AD + Entra ID P2 isn’t the most ideal choice. Using P2 with AD still leaves gaps in security posture and access management.

It’s important to note that extensive manual implementation can leave the door open for human error and welcome cyberthreats such as opportunistic attacks on misconfigured networks.

Note:

Management overhead for on-premise resources and the requirement for additional Azure services raises Entra P2’s TCO.

External Identities

Microsoft Entra’s Governance SKU may be required to fully manage external identities. There are also a few ad hoc costs, such as a charge for authenticating external identities with its MFA. Features are geared toward advanced enterprise workflows and governance requirements.

Device Management

Many IT administrators choose to implement their Entra instances in conjunction with a directory service. They often use on-prem AD, which syncs with Entra via Entra ID Connect, allowing users to leverage their AD credentials for SSO to web applications and Azure infrastructure. However, this leaves a device management gap for organizations that are also invested in systems beyond Windows (such as Android, macOS®, and Linux®). Organizations that adopt Entra ID will need to buy additional solutions to manage those endpoints, such as Microsoft’s Intune subscription. Unmanaged endpoints defeat the purpose of having strong access control.

Admins looking to use Entra ID Premium P2 as their directory typically choose it for its cloud-based Identity and Access Management (IAM) and security infrastructure. However, it’s not the only option and may not be the best fit for your organization. A cloud-based directory service should be able to modernize AD, provide access to every resource, and manage cross-OS devices. That combination of features is necessary to achieve a Zero Trust posture that makes identity the new perimeter with secure access to resources from all devices.

Open Directory Services

Organizations that are cloud-first, have external identities (such as Google Workspace), and devices other than Windows may find more value in JumpCloud. JumpCloud is an open directory platform that unifies identity, access, and endpoint management, regardless of the underlying authentication method or device ecosystem. It also integrates with AD

In contrast to standalone Entra, the JumpCloud platform provides SSO to everything and includes environment-wide MFA. It supports the following network protocols:

  • LDAP
  • RADIUS
  • SAML
  • RESTful APIs
  • SCIM
  • OIDC

IAM is handled through groups using attribute-based access control, which helps to automate user lifecycle and entitlements management.Changes also flow seamlessly from other directories or human resource systems. Dynamic groups automatically organize users and devices using basic attributes. The next phase in JumpCloud’s product roadmap will include operators to create compound queries that will increase admin efficiency and streamline device and identity lifecycles.

Conditional access is optional in JumpCloud for organizations that require privileged access management (PAM), and several password-less authentication methods are supported. Those include JumpCloud Go, which provides a phishing-resistant credential for Macs and Windows. Linux support for Go is coming soon, and will be driven by customer demand.

Extend and Improve M365

JumpCloud’s M365 integration syncs Microsoft 365/Entra ID users into the directory. It can then serve as the source of truth and manage nearly all systems, applications, networks, file servers, Infrastructure-as-a-Service platforms, and more regardless of their location (on-prem, at other cloud providers such as AWS®, etc.). This way, admins can still leverage Entra ID but avoid going down the path of spiraling costs and feature creep by not adopting the P2 SKU.

Additionally, JumpCloud is platform agnostic, so organizations can implement unified endpoint management (UEM) in conjunction with their Entra ID Premium P2 instance. JumpCloud will also federate with upstream IdPs. The directory integrates with Entra ID Free, so organizations can still manage their Azure/Microsoft 365 users with a directory service entirely from the cloud.

Note:

It’s possible to modernize AD with JumpCloud without Entra ID at no additional cost.

JumpCloud also offers additional IT management options that extend its utility:

Try JumpCloud

Interested in learning more? Check out our latest webinar on the modernization of Active Directory, or feel free to register for a personalized demo to see JumpCloud in action. 

We also invite you to get started with JumpCloud today.

David Worthington

I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.

Continue Learning with our Newsletter