Azure AD: Premium P1 vs P2

Think of your organization’s Active Directory (AD) like the bouncer outside of your own very popular, hard-to-get-into club. This AD system not only has the guest list of who to let in and who to block, but it knows the regulars, their preferences, and where they should go.

Without this AD standing guard within your network, unknown, unauthorized, and unsafe devices and users could find their way in and wreck your party.

Since (obviously) nobody wants that, Microsoft has given organizations not one, but four different AD methods to manage, authenticate, and organize users and devices within your network.

One method is Azure Active Directory (AD), which runs in the background by default when organizations are using Office 365 and Microsoft 365. Although organizations can choose to use the default configuration, customizing it to fit operational needs can give teams more flexibility in how devices are managed and how users use shared resources.

So how does your organization choose which level (or license type) of Azure AD functionality it needs?

This article will cover not only what you need to know about Azure AD but should also arm you with the information you need to choose the right level for your business needs.

The Basics of Azure Active Directory (AAD)

Microsoft offers three Azure Active Directory license types: Office 365 Edition, Premium P1, and Premium P2. 

However, much like our favorite childhood story, Goldilocks and the Three Bears, every organization is going to have their own preferences and requirements when it comes to which AD license type best fits their needs.

Before we dive into those differences, it is important to know that each Azure AD license type performs the same types of functions as traditional Microsoft AD, but for organizations running on the cloud. 

Some of the key functions include:

• Serving as an identity and authentication management tool hosted on Microsoft Azure
• Managing users and organizational devices (i.e., desktops, laptops, tablets, virtual machines, servers, smartphones, and so on)
• Facilitating access to other Microsoft services, including Office 365 and Intune and, in some cases, other third-party authentication systems

While organizations can still have on-premise or physical devices, if they would like to run Azure AD, they would have to leverage the Hybrid Azure AD model.

Overview of Azure AD License Types

So which of the different Azure AD license types is best for your organization? Well, the answer is going to depend on the functionality and size of your organization, your organization’s infrastructure environment, and how and where your users work.

To help identify the best fit for your operations, here is an overview of the key differences and features between the different license types:

Office 365 Azure AD

Also known as the “basic” AD, this level is best for organizations with users that work primarily with cloud-based tools and data. 

With this level, your organization can:

• Utilize group-based access management to assign privileges for employees in similar roles.
• Access self-service password reset for cloud applications.
• Leverage Azure Active Directory Application Proxy to manage web applications.
• Utilize Microsoft’s enterprise-level support.

Azure AD Premium P1

Azure AD Premium P1 builds on the features of Office 365 Azure AD and adds more functionality for organizations that need more robust identity and access management capabilities across on-premise and cloud services.

In particular, Azure AD Premium P1 provides:

• Support for users working in a hybrid (cloud and on-premise) environment
• Advanced administration and delegation options, such as dynamic user groups and group management
• Microsoft’s Identity Manager, the platform’s identity and access management suite of tools
• Access to the Microsoft Authenticator, the platform’s multifactor authentication app for simple user access verification on their smart device
• The option to go passwordless with Microsoft Hello using a device’s built-in camera or Windows Dynamic lock

Currently, Azure AD P1 is bundled with Microsoft 365 Business Premium (formerly Microsoft 365 Business) for $22 per user per month and Microsoft 365 E3 for $36 per user per month.

Azure AD Premium P2

Azure AD Premium P2 has all the same tools as Azure AD P1, plus features from Microsoft’s Azure Identity Protection and Azure Identity Governance tool suite.

These additional security and authentication features are:

1. Account-level risk management

Custom recommendations improve overall security posture by highlighting vulnerabilities for user accounts, such as calculating login risk levels and a range of other potential vulnerabilities.

For example, organizations can implement policies to:

• Limit fraud and security risks by blocking logins or requiring users to face multifactor authentication challenges.
• Block or secure risky user accounts.
• Require users to register for multifactor authentication.

2. Risk investigation management

Azure can help to facilitate the triage and management of identified known risks by:

• Sending notifications for risk detections
• Investigating risk detections using relevant and contextual information
• Providing basic workflows to track investigations
• Providing easy access to remediation actions such as password reset

3. Privileged Identity Management (PIM)

PIM helps organizations to manage the who, what, when, where, and why of resources in Azure. 

Some of the key features of PIM include:

• Providing just-in-time privileged access for users to Azure AD and Azure resources
• Establishing time-bound access to services and resources with start and end dates
• Requiring approval to activate privileged roles
• Enforcing multifactor authentication to activate any role
• Using justification to understand why users activate
• Sending notifications when privileged roles are activated
• Conducting access reviews to ensure users still need roles
• Downloading audit history for internal or external audit

4. Access reviews

Azure Active Directory (Azure AD) can perform access reviews that enable organizations to more efficiently manage group memberships, access to enterprise applications, and role assignments. 

A user's access can be reviewed on a regular basis to make sure only the right people have continued access to the services that are aligned with their role. 

5. Entitlement management 

Entitlement management helps organizations manage access to groups, applications, and SharePoint Online sites for internal and external users. 

The cost for Azure AD Premium P2 is bundled with Microsoft 365 E5 for $57 per user per month. Organizations can also buy Azure AD P1 for $6 per user per month and P2 for $9 per user per month as standalone products instead of bundled with Microsoft 365.

Get the Most Out of Your Microsoft Azure AD Deployment

Deploying the right Microsoft Azure AD deployment for your organization can empower your employees to collaborate, work efficiently while staying secure, and allow your security team to sleep as soundly as a bear after it has had its fill of porridge. Sounds nice, right?

Ready to take the first step toward boosting the security and productivity of your organization with the right Azure AD to fit your operational and security needs? Schedule a personalized, complimentary meeting with a BEMO expert today.