Microsoft Entra ID P2 is the top standalone tier of Microsoft's identity and access management platform (the product formerly called Azure AD Premium P2). It is the licence that unlocks the governance and risk-detection features most Australian organisations reach for once basic single sign-on and multifactor authentication are bedded down. This is a single-product deep dive: what P2 is, what it actually does, what it costs in Australian dollars, and who genuinely needs it.
If you are still deciding between P1 and P2, we cover that head-to-head separately. Here we assume you have landed on P2 as the candidate and want to understand the product on its own terms before you commit budget.
What Entra ID P2 actually adds
Everything in Entra ID P1 — conditional access, self-service password reset, group-based licensing, hybrid identity — is included in P2. P2 then layers four capabilities on top that you cannot buy in any cheaper tier. These are the reasons to pay for it.
- Privileged Identity Management (PIM): just-in-time, time-boxed, approval-gated admin access. Instead of leaving accounts standing as Global Administrator all year, admins activate the role only when they need it, often with MFA and an approver in the loop.
- Identity Protection and risk-based Conditional Access: Microsoft scores every sign-in and user for risk (impossible travel, leaked credentials, anonymous IPs, unfamiliar behaviour) and lets you write policies that respond automatically — force MFA on a risky sign-in, block a risky user, require a password change.
- Access reviews: scheduled, auditable recertification of who has access to what. Reviewers tick or revoke on a cadence you set, which is exactly the evidence an auditor or cyber-insurer asks for.
- Entitlement management: package access into 'access packages' with built-in approval workflows and automatic expiry — useful for onboarding, contractors and guest access at scale.
The short version: P1 controls how people sign in. P2 governs who should have access at all, detects when an identity has likely been compromised, and reins in standing privilege. It is the difference between an access policy and an actual identity governance posture.
Why the privileged-access piece matters most
If we had to single out one feature that justifies P2, it is PIM. Standing administrative access is the single most exploited weakness we see. An attacker who phishes one credential that happens to sit in a permanent privileged role has effectively won. PIM removes the standing target: the role is dormant until activated, the activation is logged, and it can require justification, MFA and sign-off.
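An added example, not part of the original article or any Microsoft tooling: a Python check that separates standing privileged assignments from PIM activations. It assumes role assignment records exported in the shape of Microsoft Graph's unifiedRoleAssignmentScheduleInstance objects; the sample records, principal names and the choice of which roles count as privileged are constructed for illustration.

```python
"""Flag standing privileged role assignments versus just-in-time activations."""

# Role template IDs treated as privileged in this example (an assumption;
# extend the mapping to match the roles your organisation considers sensitive).
PRIVILEGED_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
}
GA = "62e90394-69f5-4237-9190-012177145e10"
PRA = "e8611ab8-c189-46e8-94e1-60213ab1f814"

# Constructed sample records; principalId values are placeholders, and the
# all-zero roleDefinitionId stands in for any non-privileged role.
SAMPLE = [
    {"principalId": "user-alice", "roleDefinitionId": GA,
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "user-bob", "roleDefinitionId": GA,
     "assignmentType": "Activated", "endDateTime": "2030-01-01T09:00:00Z"},
    {"principalId": "user-carol", "roleDefinitionId": PRA,
     "assignmentType": "Assigned", "endDateTime": "2030-06-30T00:00:00Z"},
    {"principalId": "user-dave",
     "roleDefinitionId": "00000000-0000-0000-0000-000000000000",
     "assignmentType": "Assigned", "endDateTime": None},
]

def classify(rec):
    """Return 'jit', 'standing-permanent' or 'standing-time-bound'."""
    if rec["assignmentType"] == "Activated":
        return "jit"  # role was switched on through a PIM activation
    if rec.get("endDateTime") is None:
        return "standing-permanent"  # active with no expiry: the standing target
    return "standing-time-bound"  # active without activation, but expires

def standing_privileged(records):
    """List (principal, role name, kind) for privileged roles held without activation."""
    findings = []
    for rec in records:
        role = PRIVILEGED_ROLES.get(rec["roleDefinitionId"])
        if role is None:
            continue  # not a role this check treats as privileged
        kind = classify(rec)
        if kind != "jit":
            findings.append((rec["principalId"], role, kind))
    # Permanent assignments first, then by principal for stable output.
    return sorted(findings, key=lambda f: (f[2] != "standing-permanent", f[0]))

if __name__ == "__main__":
    for principal, role, kind in standing_privileged(SAMPLE):
        print(f"{principal:12} {role:32} {kind}")
```

An empty result for a role means every current holder reached it through an activation, which is the state the paragraph above describes.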
What Entra ID P2 costs in Australia
Microsoft prices Entra ID P2 as a standalone add-on at USD $9.00 per user per month (annual commitment) on its global pricing page. Australian customers are billed in Australian dollars, and Microsoft sets local list pricing that does not move with the daily exchange rate — so treat any AUD figure as indicative until you see it on your own quote.
As a planning number, the standalone P2 add-on lands in the order of AUD $13–$15 per user per month, ex GST — indicative AUD list, confirm at purchase. Charges appear on your Microsoft invoice exclusive of GST; GST is then added at 10% for Australian billing. Volume agreements, CSP partner pricing and not-for-profit rates can all change what you actually pay, so the real figure is whatever your licensing channel quotes.
How P2 is licensed: standalone vs suites
There are three common ways to end up with Entra ID P2, and the cheapest path depends entirely on what you already own.
1. Standalone add-on: buy P2 per user on top of whatever base plan you have (for example Microsoft 365 Business Premium or an E3 estate). This is the route for organisations that want the P2 features without jumping to a full E5 suite.
2. Bundled inside Microsoft 365 E5 or Enterprise Mobility + Security E5: both suites include the full Entra ID P2 entitlement. If you already pay for E5, you already have P2 — you do not need to buy it separately, and you should make sure you have actually switched the features on.
3. Entra Suite / Entra ID Governance: Microsoft has carved some advanced governance features into separate Governance and Entra Suite SKUs. For most customers, classic PIM, Identity Protection, access reviews and entitlement management sit in P2; the newer governance SKUs add lifecycle workflows and broader, multi-cloud entitlement management on top.
One licensing rule trips people up constantly: Entra ID is licensed per user who benefits from a feature, not per administrator. If you run an access review or a risk policy that covers 400 staff, you need P2 for those 400 users — not just for the handful of admins configuring it. We see organisations under-license here and then get caught in a true-up. Scope your P2 count to the population the governance and risk features will actually touch.
Who actually needs Entra ID P2
P2 is not for everyone, and we will say so plainly. A small team with a handful of admins, low regulatory exposure and no compliance reporting obligations can often run safely on P1 plus disciplined conditional access. The features that justify P2 are governance and automated risk response, so the case gets stronger as headcount, privileged accounts and audit pressure grow.
You probably do need P2 if any of the following are true: you carry cyber-insurance or regulatory obligations that demand evidence of access reviews and least-privilege; you have more than a few standing admin accounts; you onboard contractors or external guests regularly; or you want sign-in risk handled automatically rather than chased manually. For Australian organisations in finance, health, government-adjacent work or anything touching the Essential Eight's restrict-admin-privileges control, P2's PIM and access reviews map directly onto controls you are already expected to demonstrate.
Common ways P2 is wasted
The most expensive mistake is buying P2 and never configuring it. Bought-but-dormant is the norm we walk into: the licences are on the bill, but admin roles are still permanently assigned, Identity Protection is off, and no access review has ever run. P2 delivers nothing by sitting in your tenant — it earns its keep only once the features are switched on and tuned.
The second mistake is over-buying: putting P2 across an entire workforce when only a defined population needs the governance features. Microsoft's licensing lets you target P2 to the users a feature touches, so a precise scope can meaningfully cut the bill without weakening your posture. Getting the count right is part licensing exercise, part risk decision — which is exactly the conversation worth having before you sign the order.