If you already understand the gap between Entra ID P1 and P2, the next question landing on our desk is a newer one: should you stay on Entra ID P2, or step up to the Microsoft Entra Suite? The Suite arrived as a bundle that wraps identity protection, governance and a pair of network-access services into a single per-user licence, and the pricing looks deceptively close to P2 on paper. The honest answer depends less on the headline number and more on whether you intend to actually use the network-access pieces. Here is how we walk Australian clients through it.
The two licences are not the same kind of thing
Entra ID P2 is an identity licence. It gives you everything in P1 — Conditional Access, self-service password reset, group-based licensing — plus the premium identity-security layer: risk-based Conditional Access, Identity Protection sign-in and user risk policies, and Privileged Identity Management (PIM) for just-in-time admin elevation. It is, fundamentally, about who your people are and how safely they sign in.
The Entra Suite is a bundle that sits on top of that identity foundation and adds two categories most teams have historically bought elsewhere: identity governance (access reviews, entitlement management, lifecycle workflows) and Security Service Edge — Microsoft's Internet Access and Private Access products that can stand in for a traditional VPN and a secure web gateway. It also folds in Verified ID Premium for verifiable credentials. So you are not choosing between two tiers of the same product; you are deciding whether to add network and governance capability to your identity stack.
The pricing, and the à la carte trap
At Microsoft's public list level, the relevant building blocks look roughly like this (these are indicative AUD list figures converted from Microsoft's USD list prices — confirm at purchase, and remember AU pricing and your EA/CSP discount will both move the number):
- Entra ID P2 — around $9 per user/month
- Entra ID Governance add-on — around $7 per user/month
- Entra Internet Access (standalone) — around $5 per user/month
- Entra Private Access (standalone) — around $5 per user/month
- Entra Suite (the bundle) — around $12 per user/month
Run the maths. If you wanted P2's identity-security layer plus governance plus both network-access services as separate SKUs, you are stacking roughly $9 + $7 + $5 + $5 — comfortably into the $17–$26 per-user range before any discounting. The Suite delivers that same capability set for around $12. That is the whole commercial argument: bought à la carte the components cost far more than the bundle, so the moment you genuinely need two or more of the add-ons, the Suite stops being an upsell and becomes the cheaper path.
Where the Suite earns its money: the VPN-replacement angle
The most compelling reason an Australian organisation moves to the Suite is to retire a legacy VPN. Entra Private Access is Microsoft's identity-centric Zero Trust Network Access (ZTNA) service — it publishes internal applications to staff without dropping them onto the corporate network, so a compromised laptop cannot laterally roam the LAN the way it can once a full-tunnel VPN connects. Entra Internet Access adds a secure web gateway with Conditional Access reaching all the way to Microsoft 365 and the open internet, which is the piece that closes token-theft and unmanaged-egress gaps.
Together these two are Microsoft's Security Service Edge (SSE) play, and they pair naturally with Global Secure Access. If you have already read our take on Global Secure Access versus a traditional VPN, the Suite is simply the licensing wrapper that makes those services affordable. For a team paying for a separate VPN concentrator, a third-party ZTNA tool, or a standalone SWG, consolidating onto the Suite often nets out cost-neutral or cheaper once you count the kit and the renewal you stop paying for.
Where P2 alone is still the right call
Not everyone needs the network half. If your remote-access story is already handled — staff live entirely in Microsoft 365 and a handful of SaaS apps, you have no legacy on-premises line-of-business application that needs publishing, and you are not running a VPN you want to kill — then the SSE modules in the Suite are shelfware for you. In that scenario P2 gives you the identity-security controls (risk-based Conditional Access, PIM, Identity Protection) that genuinely matter, and the extra spend on the Suite buys capability you will not switch on.
Likewise, if governance is your only driver — you need access reviews and joiner-mover-leaver automation but nothing network-related — the standalone Entra ID Governance add-on on top of P2 may land close enough to the Suite price that the decision comes down to whether you want the optionality of the SSE modules sitting there for later.
Don't forget the E5 question
Before anyone buys anything, check what you already own. Microsoft 365 E5 includes Entra ID P2 as part of the bundle, so E5 customers are paying for P2 whether or not they realise it. The Suite, however, is a separate add-on even for E5 tenants — E5 does not include Internet Access, Private Access, or the full governance feature set. So the real comparison for an E5 shop is not P2 versus Suite; it is 'what we already have via E5' versus 'E5 plus the Suite add-on for the network and governance capability'. That reframing changes a surprising number of business cases.
What we'd actually do
Our default sequence with a client is blunt: first, confirm whether you have a VPN or third-party ZTNA/SWG spend you want to eliminate, because that single fact decides most of this. If yes, price the Suite against what you currently pay for that kit and its renewal — it usually wins, and you get governance thrown in. If no, stay on P2 (or the P2 you already get inside E5) and add the standalone Governance SKU only if and when access reviews become a real audit requirement.
Then we run a short proof: stand up Private Access for one internal application and Internet Access for a pilot group, measure the experience for a fortnight, and only then commit the wider rollout. Identity and network changes have a habit of surfacing edge cases — legacy auth, split-tunnel assumptions, printer and file-share access — that no spreadsheet predicts. Buying the licence is the easy part; the value is in deploying the modules you paid for, which is exactly where the Suite's economics either pay off or quietly evaporate.