Microsoft Entra ID ships in three tiers — Free (the tenant default), P1 (in Microsoft 365 Business Premium, E3, EMS E3) and P2 (in M365 E5 and EMS E5). For Australian organisations the meaningful question is rarely Free vs P1 (Business Premium covers P1 for every commercial workload), but P1 vs P2. The upgrade is significant — both in capability and in price.
Seven features that come with P2 and not P1
1. Microsoft Entra Privileged Identity Management (PIM) — just-in-time activation of admin roles. The Essential Eight Maturity Level 2 control for privileged access.
2. Microsoft Entra ID Protection — risk-based Conditional Access decisions using sign-in risk and user risk signals from Microsoft's threat graph. Without P2, Conditional Access can't read risk signals; it can only make static decisions.
3. Access reviews — periodic confirmation of user entitlements (groups, app assignments, role assignments). Required for IGA evidence.
4. Entitlement management — basic — package access, time-bound assignments, request workflows. (Advanced entitlement management is in the separate Entra ID Governance SKU.)
5. Risk-based Conditional Access policies — block, MFA, password reset based on sign-in risk or user risk. The signal flows from Identity Protection.
6. Lifecycle workflows — basic joiner/mover/leaver automation. (Advanced lifecycle workflows are in Entra ID Governance.)
7. Authentication strength — granular control of which authentication methods satisfy a Conditional Access policy (e.g., 'must be phishing-resistant'). Available in P2 only.
AUD pricing in 2026
Entra ID P1 standalone is $9 AUD per user per month. Entra ID P2 standalone is $13.50 AUD per user per month. Inside Microsoft 365 bundles: P1 ships in Business Premium ($35.20 AUD), E3 ($59.40 AUD) and EMS E3. P2 ships in M365 E5 ($89.60 AUD) and EMS E5. Standalone P2 add-on is available for E3 tenants at $4.50 AUD per user per month (the difference between standalone P1 and standalone P2).
When P2 pays back
The break-even for P2 in the AU mid-market is rarely about the licence cost; it's about the alternative cost of meeting the controls another way. Five common scenarios where P2 wins:
- Essential Eight Maturity Level 2 — without PIM, satisfying the privileged access control requires manual processes that don't scale. P2 is the practical answer.
- APRA CPS 234 obligations — paragraph 17 expects access review evidence; P2 access reviews provide this without third-party tooling.
- Insider risk and offboarding evidence — P2 lifecycle workflows automate the leaver process and produce the audit trail.
- Identity-driven security model — without P2's risk signals, Conditional Access decisions are coarse. With them, the same policy can let a low-risk login through unchallenged while requiring MFA + device compliance on a medium-risk one.
- Authentication strength enforcement — when you want to require phishing-resistant MFA for specific apps, you need P2's authentication strength control.
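The risk-signal scenario above, as an added example (not code from the original page or from Microsoft): constructed policies in the shape of Microsoft Graph conditionalAccessPolicy objects, with a simplified evaluator that looks at sign-in risk only and treats every listed grant control as required. The policy contents, `EXPORT` and both function names are assumptions made for illustration.

```python
import json

# Constructed sample export, shaped like Microsoft Graph conditionalAccessPolicy
# objects. Display names and policy contents are illustrative, not from the page.
EXPORT = json.loads("""
[
  {"displayName": "Medium sign-in risk: MFA and compliant device",
   "state": "enabled",
   "conditions": {"signInRiskLevels": ["medium"], "userRiskLevels": []},
   "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
  {"displayName": "High sign-in risk: block",
   "state": "enabled",
   "conditions": {"signInRiskLevels": ["high"], "userRiskLevels": []},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
  {"displayName": "Admins: always MFA",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"signInRiskLevels": [], "userRiskLevels": []},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]
""")


def uses_risk_signals(policy):
    """True if the policy conditions on sign-in or user risk (ID Protection signal)."""
    cond = policy.get("conditions", {})
    return bool(cond.get("signInRiskLevels") or cond.get("userRiskLevels"))


def outcome_for(policies, sign_in_risk):
    """Return "block" or the sorted controls a sign-in at this risk must satisfy.

    Simplified: users, apps and the AND/OR operator are ignored; an empty list
    means unchallenged. Disabled and report-only policies are skipped.
    """
    required = set()
    for p in policies:
        if p.get("state") != "enabled":
            continue
        levels = p.get("conditions", {}).get("signInRiskLevels") or []
        if levels and sign_in_risk not in levels:
            continue  # policy has a risk condition that this sign-in does not match
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        if "block" in controls:
            return "block"
        required.update(controls)
    return sorted(required)


if __name__ == "__main__":
    for risk in ("none", "low", "medium", "high"):
        print(f"{risk:>6}: {outcome_for(EXPORT, risk)}")
```

Running `uses_risk_signals` over a real policy export shows how many existing policies would stop working as written without the risk signal.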
When P2 doesn't pay back
Three patterns where staying on P1 is the right call. First, your admin team is two people and lives on PIM-less standing roles for now because the operational cost of PIM activation outweighs the risk. Second, you don't have a privileged access management problem because you're a 30-person tenant with controlled admin assignments and a tight Conditional Access ruleset. Third, you've decided to invest in third-party PAM (CyberArk, Delinea) for both cloud and on-premises — P2's PIM is then partially redundant.
The realistic upgrade path
Most AU mid-market organisations end up on M365 E5 within 24 months of Microsoft 365 standardisation, which delivers P2 by default. The standalone P2 add-on to E3 is more expensive per-user when you're also paying for standalone Defender for Endpoint and Sentinel and MCAS — by the time you're paying for those, the E3 + Security E5 or E3 + E5 maths usually favours the bundle.