Entra is Microsoft's grouping of identity and network access services. Historically, the core of it was known as Azure AD; in 2023 Azure AD was rebranded as Entra ID, and new Entra capabilities were added that sit outside the old Azure AD frame.
In this post, Head of Service Architecture, Tristan Watkins, covers the current shape of this entire set of identity and network access services, and introduces the new ways they can be purchased. As these capabilities are described, we’ll refer to some advanced options as ‘beyond P2’ before we get around to making sense of how this all comes together in new licensing options.
Entra ID
Although Entra now extends beyond what was Azure AD, it’s still worth starting with a summary of what we get in the two Entra ID SKUs that align with the Azure AD SKUs of old. They can be purchased standalone, or in broader suites.
Entra ID P1
The Entra ID P1 SKU is Microsoft's core cloud identity and access management (IAM) platform, in the space analysts have dubbed IDaaS (Identity as a Service). It is included in broader M365 SKUs such as M365 E3, Business Premium, and Enterprise Mobility + Security E3.
Entra ID Free is always provisioned behind a Microsoft 365 tenant (a one-to-one relationship), and an Azure subscription must always be bound to an Entra ID tenant for its identity capabilities. Entra ID P1 provides MFA for all licensed users, self-service password reset, password protection, cross-tenant capabilities, advanced group management, automated user/group provisioning to integrated apps, and the bulk of Conditional Access. We also get verifiable credential issuance and verification from Entra Verified ID, although some additional Verified ID capabilities are only available beyond P2.
Entra ID P2
Entra ID P2 adds to the core P1 capabilities, and is included in M365 E5, M365 E5 Security, and Enterprise Mobility + Security E5. It primarily comprises Entra ID Protection and the original Entra ID Governance features (see the Entra ID Governance section below). Entra ID Protection brings user-risk and sign-in-risk indicators to Entra ID, typically consumed within Conditional Access policy, so that protections (require MFA, require a password change, block) can be aligned with dynamic risk signals rather than applied uniformly.
Also in Conditional Access, P2 gives us device and application filters, which are exceptionally helpful for things like targeting a policy at only Entra ID-joined or hybrid-joined devices. On the same Conditional Access side sits the token protection session control (still in preview at the time of writing), which mitigates token theft by binding sign-in tokens to the device that obtained them, so a stolen token replayed from elsewhere is rejected.
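To make the two P2 Conditional Access capabilities above concrete, here is an added example (not code from the original post) that creates a risk-based policy and a device-filtered policy with the Microsoft Graph PowerShell SDK. Both are created in report-only mode so their effect can be checked in the sign-in logs before enforcement. The break-glass group ID, pilot group ID and the cmdlet scopes requested are assumptions for illustration; replace the placeholder IDs with values from your own tenant.

```powershell
# Added example: two Entra ID P2 Conditional Access policies via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph module and a P2 licence for Identity Protection risk conditions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder object IDs (assumptions for this example, not real values).
$breakGlassGroupId = "00000000-0000-0000-0000-000000000001"   # emergency access accounts, always excluded
$pilotGroupId      = "00000000-0000-0000-0000-000000000002"   # users piloting the device-filtered policy

# Policy 1 (Entra ID Protection): require MFA when the sign-in risk is medium or high.
# Every risk policy should exclude break-glass accounts so a risk detection cannot lock you out.
$riskPolicy = @{
    displayName   = "CA-ReportOnly-Require MFA for medium or high sign-in risk"
    state         = "enabledForReportingButNotEnforced"   # flip to "enabled" after reviewing report-only results
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")            # P2 risk signal from Identity Protection
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$created1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy

# Policy 2 (filter for devices): require a compliant device for the pilot group, but only
# evaluate the policy for devices that are Entra-joined ("AzureAD") or hybrid-joined ("ServerAD").
# Caveat: in include mode a positive operator such as -in only matches devices that present a
# device identity; a policy meant to catch unregistered devices needs a negative operator (-notIn).
$deviceFilterPolicy = @{
    displayName   = "CA-ReportOnly-Require compliant device on joined devices (pilot)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($pilotGroupId); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
        devices      = @{
            deviceFilter = @{
                mode = "include"
                rule = 'device.trustType -in ["AzureAD", "ServerAD"]'
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
$created2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $deviceFilterPolicy

# Confirm both landed in report-only mode before anyone considers enforcing them.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created1.Id |
    Select-Object DisplayName, State
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created2.Id |
    Select-Object DisplayName, State
```

Report-only results appear per sign-in in the Entra sign-in logs under the policy's name, which is the check worth doing for a week or two before changing `state` to `enabled`; for the risk policy, it also shows how often medium and high risk actually fire for your user population.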
Entra ID Governance
From a licensing perspective, Entra ID Governance is where things get a bit more complex, since there is a dividing line between capabilities that have always been offered with Entra ID P2, and newer features that have been introduced beyond P2. Entra ID Governance capabilities are focused on how access is granted (including authentication or approval requirements) and the lifecycle of those permissions.
P2 features
The P2 ID Governance functionality comprises ‘basic’ Entitlement Management (Access Packages, Access Requests, and Access Reviews) and PIM features (including the unsung ability to use those features on Privileged Access Groups). We shouldn’t read too much into this ‘basic’ terminology, however, since these features are extremely powerful, offering some of the biggest efficiency savings and security management improvements available in Entra.
Beyond P2 features
The newer ID Governance capabilities extend Entitlement Management with Lifecycle workflows, Logic App extensibility, ML-assisted Access Reviews, an Identity Governance Dashboard, and support for Verified ID. This is all extremely powerful, but typically something an organisation would consider once they have already embedded the P2 ID Governance capabilities in their working practices.
Entra Verified ID
Entra Verified ID offers identity verification from external bodies, such as a driving licence authority. This strong, digital verification can simplify and strengthen often laborious and costly hiring processes, and many other needs that can’t be satisfied with an organisational identity (often because an identity hasn’t been created yet or can’t be for some other reason).
As mentioned in the Entra ID P1 section above, the core credential issuance and verification capabilities are included in Entra ID P1. Linking Verified ID to ID Governance, and a high-assurance facial matching verification capability are the two features only available beyond P2.
Global Secure Access
As mentioned in recent posts, Global Secure Access rounds out the 'network access' side of Entra. It is the newest addition to Entra, completing Microsoft's Security Service Edge (SSE) solution.
Global Secure Access is primarily split between Entra Private Access (closest to a VPN replacement, with many added security features) and Entra Internet Access (closest to a combined forward proxy and web content filtering technology). The two halves share the same client agent, and access for both is controlled through Conditional Access.
There is much more to explain about these compelling new capabilities, as covered in our recent posts. Nearly all of Entra Internet Access and Entra Private Access sits beyond P2, but these new costs represent incredible value for money.
Additional Entra products
There are three additional Entra products which can only be purchased with standalone licences.
External ID
Entra External ID supports collaboration with external (B2B or B2C) users. External ID is priced by Monthly Active Users (MAU), which is 'the count of unique users with authentication activity within a calendar month'. The first 50,000 MAU each month are free; beyond this initial dispensation, "additional active users are priced at $0.03 per MAU (with a launch discounted price of $0.01625 per MAU until May 2025)". It is reasonably uncommon for most organisations to exceed the free threshold.
Permissions Management
Entra Permissions Management, or Entra PM, is Microsoft's Cloud Infrastructure Entitlement Management (CIEM) service, originally brought into Entra through the CloudKnox acquisition. Entra PM offers visibility and control over privileged workloads in Azure, AWS and GCP, seeking to remove unused, stale or excessive permissions.
Where Entra ID Governance is tightly bound to Entra ID, Entra PM is tightly bound to roles within these cloud infrastructures, so it is mainly of interest to organisations who haven’t fully orientated on Entra ID yet. Entra PM is licensed per-resource, per-month, where a resource is a cloud service using compute or data services.
Workload ID Premium
An Entra workload identity is an application or service principal with the ability to authenticate itself to other services. With Workload ID Premium, these workloads can be targeted with Conditional Access, can benefit from risk-based protections, and can have the lifecycle of their authentication and authorisation managed. In other words, we can begin to offer them the same sort of protections that are offered to Entra ID users. Workload ID Premium is licensed per workload identity, per month.
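As an added example (not from the original post), this is what targeting a workload identity with Conditional Access looks like in Microsoft Graph PowerShell. It creates a report-only policy that blocks one service principal from authenticating outside a trusted named location, and a second that blocks it when Identity Protection rates the service principal's risk as high. The application display name, the named location ID and the Graph scopes are assumptions for illustration; the service principals you target must be covered by Workload ID Premium licences.

```powershell
# Added example: Conditional Access for a workload identity (Workload ID Premium).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Assumed app name and trusted-location object ID; replace with values from your tenant.
$appName            = "billing-export-job"
$trustedLocationId  = "00000000-0000-0000-0000-00000000000a"

# Resolve the service principal (the workload identity) by display name.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "Service principal '$appName' not found" }

# Policy 1: block this service principal everywhere except the trusted named location.
# Workload identity policies target service principals via clientApplications, not users,
# and the only supported grant control is block.
$locationPolicy = @{
    displayName   = "CA-ReportOnly-WorkloadID-$appName-block outside trusted location"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientApplications = @{ includeServicePrincipals = @($sp.Id) }
        applications       = @{ includeApplications = @("All") }
        locations          = @{ includeLocations = @("All"); excludeLocations = @($trustedLocationId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$p1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $locationPolicy

# Policy 2: block this service principal when Identity Protection flags high service principal risk
# (for example leaked credentials or anomalous sign-in activity for the workload).
$riskPolicy = @{
    displayName   = "CA-ReportOnly-WorkloadID-$appName-block on high risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientApplications         = @{ includeServicePrincipals = @($sp.Id) }
        applications               = @{ includeApplications = @("All") }
        servicePrincipalRiskLevels = @("high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$p2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy

# Verify the created policies are scoped to the intended service principal only.
foreach ($id in @($p1.Id, $p2.Id)) {
    $pol = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $id
    [pscustomobject]@{
        Policy            = $pol.DisplayName
        State             = $pol.State
        ServicePrincipals = ($pol.Conditions.ClientApplications.IncludeServicePrincipals -join ",")
    }
}
```

Because a workload identity cannot satisfy an interactive control such as MFA, the practical pattern is exactly this: narrow where and under what risk a service principal may authenticate, and let the report-only evaluation in the service principal sign-in logs confirm the policy does not break a scheduled job before enabling it.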
What is the new Entra Suite?
As you can see, there's a lot more to Entra than the Entra ID P1 capabilities that first come to mind for most people. Even Entra ID P2 usage is not as widespread as it should be. But now, especially with the advent of Global Secure Access, it's time to take a fresh look at this entire identity and network access space, with a view to understanding modernisation needs, potential technology displacement and consolidation opportunities, and how this all might be purchased. Enter: Entra Suite.
Entra Suite builds on Entra ID P1, wrapping up everything in Entra ID P2 plus the ‘beyond P2’ capabilities across all of ID Governance, Verified ID and Global Secure Access. In other words, everything above the ‘Additional Entra products’ section of this post is included in the Suite. This is a ton of capability bundled in one SKU.
For instance, Entra Internet Access + Entra Private Access = $10/user/month, while Entra Suite comes in at $12/user/month. The newer features in ID Governance and Verified ID become the icing on the cake. You can find a full breakdown of Entra features by SKU from Microsoft’s Entra Plans and Pricing.
What about my current licences?
You may wonder how this suite relates to existing suites, such as M365 E3, E5, E5 Security, EM+S E3/E5, and Business Premium. Although the Entra Suite and Global Secure Access are now generally available, there are still some things in-flight here.
- There is an element of Global Secure Access that will be given to M365 E3 customers as part of that licence. So far, we know that the Microsoft Traffic Profile of Entra Internet Access will be provided within this dispensation, but it isn’t yet clear if it might cover other capabilities as well. We can only speculate about that, but for now it is safe to assume that the headline dispensation will be the Microsoft Traffic Profile, since that is already mentioned in Microsoft’s licensing documentation.
- There is no clear commitment from Microsoft about an additional dispensation for the Entra Suite where an organisation already purchases Entra ID P2 through M365 E5 SKUs, EM+S E5, or standalone. We hear that this is something many organisations expect, but Microsoft has not committed to offering such a dispensation currently. In our view, this does not taint the value of the Entra Suite, especially where so much is to be gained through the Global Secure Access licences alone. With monthly subscriptions, it should be possible to take advantage of such a dispensation in future (if it is ever offered) simply by changing the licensing at that time. In other words, we don't feel that this is a barrier to buying the Entra Suite today.
All told, Entra Suite becomes a combined IAM, network security and SSE platform, which is the foundation of zero trust adoption. With Global Secure Access and Entra ID Governance, we can address an enormous chunk of what must be considered when embracing this modern architecture. When opportunities to displace existing technologies are also factored in, we expect many organisations will not see substantial total cost increases and may find total cost savings. This will be especially true if on-premises infrastructure (such as VPN concentrators and proxies) no longer needs to be managed.