Frontrow Technology
← All insights & guides
Guide

Identity — Entra licensing

Entra ID P1 vs P2 (Australia 2026): the $4.50 a month difference and who actually needs P2

Entra ID P1 vs P2 for Australian buyers: standalone P1 is $9 AUD per user per month, P2 is $13.50. The seven P2-only features (PIM, Identity Protection, access reviews) and the five scenarios where the $4.50 upgrade pays back.

Daniel Brown · Last reviewed 3 July 2026 · 7 min read

Microsoft Entra ID ships in three tiers — Free (the tenant default), P1 (in Microsoft 365 Business Premium, E3, EMS E3) and P2 (in M365 E5 and EMS E5). For Australian organisations the meaningful question is rarely Free vs P1 (Business Premium covers P1 for every commercial workload), but P1 vs P2. The upgrade is significant — both in capability and in price.

What is Entra ID P2?

Microsoft Entra ID P2 is the top identity tier. It includes everything in P1 — Conditional Access, self-service password reset, dynamic groups — and adds the governance and risk layer: Privileged Identity Management (PIM), Identity Protection (risk-based Conditional Access), access reviews, basic entitlement management and authentication strength. If P1 is "secure the front door", P2 is "prove who has the keys, and respond automatically when a key looks stolen".

Seven features that come with P2 and not P1

  1. 1Microsoft Entra Privileged Identity Management (PIM) — just-in-time activation of admin roles. The Essential Eight Maturity Level 2 control for privileged access.
  2. 2Microsoft Entra ID Protection — risk-based Conditional Access decisions using sign-in risk and user risk signals from Microsoft's threat graph. Without P2, Conditional Access can't read risk signals; it can only make static decisions.
  3. 3Access reviews — periodic confirmation of user entitlements (groups, app assignments, role assignments). Required for IGA evidence.
  4. 4Entitlement management — basic — package access, time-bound assignments, request workflows. (Advanced entitlement management is in the separate Entra ID Governance SKU.)
  5. 5Risk-based Conditional Access policies — block, MFA, password reset based on sign-in risk or user risk. The signal flows from Identity Protection.
  6. 6Lifecycle workflows — basic joiner/mover/leaver automation. (Advanced lifecycle workflows are in Entra ID Governance.)
  7. 7Authentication strength — granular control of which authentication methods satisfy a Conditional Access policy (e.g., 'must be phishing-resistant'). Available in P2 only.

AUD pricing in 2026

Entra ID P1 standalone is $9 AUD per user per month. Entra ID P2 standalone is $13.50 AUD per user per month. Inside Microsoft 365 bundles: P1 ships in Business Premium ($35.20 AUD), E3 ($59.40 AUD) and EMS E3. P2 ships in M365 E5 ($89.60 AUD) and EMS E5. Standalone P2 add-on is available for E3 tenants at $4.50 AUD per user per month (the difference between standalone P1 and standalone P2).

When P2 pays back

The break-even for P2 in an AU mid-market is rarely about the licence cost — it's about the alternative cost of meeting the controls another way. Five common scenarios where P2 wins:

  • Essential Eight Maturity Level 2 — without PIM, satisfying the privileged access control requires manual processes that don't scale. P2 is the practical answer.
  • APRA CPS 234 obligations — paragraph 17 expects access review evidence; P2 access reviews provide this without third-party tooling.
  • Insider risk and offboarding evidence — P2 lifecycle workflows automate the leaver process and produce the audit trail.
  • Identity-driven security model — without P2's risk signals, Conditional Access decisions are coarse. With them, the same policy can let a low-risk login through unchallenged while requiring MFA + device compliance on a medium-risk one.
  • Authentication strength enforcement — when you want to require phishing-resistant MFA for specific apps, you need P2's authentication strength control.

When P2 doesn't pay back

Three patterns where staying on P1 is the right call. First, your admin team is two people and lives on PIM-less standing roles for now because the operational cost of PIM activation outweighs the risk. Second, you don't have a privileged access management problem because you're a 30-person tenant with controlled admin assignments and a tight Conditional Access ruleset. Third, you've decided to invest in third-party PAM (CyberArk, Delinea) for both cloud and on-premises — P2's PIM is then partially redundant.

The realistic upgrade path

Most AU mid-market organisations end up on M365 E5 within 24 months of Microsoft 365 standardisation, which delivers P2 by default. The standalone P2 add-on to E3 is more expensive per-user when you're also paying for standalone Defender for Endpoint and Sentinel and MCAS — by the time you're paying for those, the E3 + Security E5 or E3 + E5 maths usually favours the bundle.

Try it

See where your admin posture is today

Score the admin role footprint before deciding whether P2 is the right next step.

Common questions

Frequently asked

What is the difference between Entra ID P1 and P2?
P1 covers Conditional Access, self-service password reset and dynamic groups — the controls that secure most businesses. P2 adds the governance and risk tier: Privileged Identity Management (just-in-time admin), Identity Protection (risk-based Conditional Access), access reviews, entitlement management and authentication strength.
How much does Entra ID P2 cost in Australia?
Indicative AUD list pricing is about $9.00/user/month for P1 and about $13.50/user/month for P2 (ex GST). P2 is also included in Microsoft 365 E5 and EMS E5. Confirm current pricing at purchase.
Do I need Entra ID P2?
You need P2 if you require PIM, risk-based Conditional Access (Identity Protection) or identity governance such as access reviews — common for Essential Eight Maturity Level 2, APRA CPS 234 and regulated environments. Many SMEs are well served by P1 and mature into P2 later, often by buying it only for admins and high-risk users.
Do I already have Entra ID P2?
If you license Microsoft 365 E5, EMS E5 or the Entra Suite, P2 is included. Many organisations pay for it and never enable PIM or Identity Protection — so check what is licensed versus what is actually configured.

Want Frontrow to run this with your team?

A 30-minute call with a senior consultant. No deck. Frontrow walks through your tenant, your priorities and the next sensible move.