When deciding to move to an identity and access management service, you'll have to factor in the costs and the capabilities of each tier that Microsoft offers to make sure you've got the coverage you need at a price you can afford.
Microsoft released Azure Active Directory (Azure AD) to general availability in 2013, and many in IT are at least aware of it if they're not actively using it. There tends to be some confusion about this product due to its name; Azure AD is not Active Directory in the cloud. Both have identity management systems as a key component, but they're very different systems. Once you come to this realization, you'll then want to go a step further and do an Azure AD Premium P1 vs. P2 comparison.
Test Azure AD with a free version
Azure AD is a cloud-based identity management product that continues to grow and collect new features and abilities regularly. Azure AD provides a mix of user management (both internal and external users), application access management and account protection. Most companies will use both on-premises Active Directory and Azure AD to meet different system requirements, and both systems complement each other well.
You can test Azure AD at no cost by setting up a free Azure tenant if you don't already have one, then create a directory. You can then optionally install the Azure AD Connect client to sync your on-premises Active Directory objects.
This Azure AD Free tier is great for testing purposes, but not for a business's live environment. The free tier does not have essential security features such as multi-factor authentication (MFA), and putting identities in the cloud without that protection is a risky move. I would not put any service into a publicly accessible cloud for a business without MFA. A cursory online search finds a recent Black Hat conference session that discusses how easy it is to attack these Azure AD setups, so it's highly recommended to lock down your Azure AD tenant before you do anything else.
Microsoft offers a table to show the features on each Azure AD edition. Critical security features such as MFA and conditional access, which gives more granular controls and rules about MFA, are not on the free tier.
Azure AD Basic edition will not be an option for long
In a recent development, Microsoft plans to remove the Azure AD Basic offering. Organizations that currently have it can continue to use the license. The Azure AD Office 365 Apps edition has a few simple features that come with an Office 365 E3 license, which leaves the Free, Premium P1 and Premium P2 tiers. Premium used to be one tier, but Microsoft split it into two editions.
Azure AD Premium P1 comes as part of the Microsoft 365 E3 suite, and Azure AD Premium P2 as part of the Microsoft 365 E5 suite. Microsoft also offers the tiers as a separate purchase: Azure AD Premium P1 costs $6 per user per month, while Azure AD Premium P2 is $9 per user per month.
An Azure AD Premium P1 vs. P2 feature comparison
Now that you've got a basic understanding of what the Azure AD licenses offer, let's look at what you get with Azure AD Premium P1 vs. P2. There are three main reasons to choose Premium P2:
- The identity protection feature in Premium P2 gives an overview of questionable authentication attempts. It looks at logins and assesses how risky they might be, such as detecting an account sign-in from one country, then a different country 10 minutes later. Administrators can handle those suspicious authentication attempts automatically with policies that can force MFA or block access entirely. Identity protection is one of the best arguments for going to P2, as it greatly reduces many risks related to user access.
- Privileged Identity Management (PIM) is a set of controls to manage higher-level access accounts in Azure AD. It includes security features such as just-in-time access to temporarily grant rights and remove them with full logging and auditing. Workflows with justification and notifications can be triggered around activation of these privileges, too. If you have to contend with a lot of rogue changes in your environment, then PIM could help you regain control.
- The access reviews feature ensures that only the right staff can use specific resources. This is helpful when onboarding and offboarding staff, or when personnel change roles. You can also put checks on existing users to review their access to resources and push these decisions toward application owners. You can tailor recurring checks to meet business requirements or to fulfill compliance rules. It's a nice feature to give you more control to allow or block access to important resources without having to remember to do so.
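The "sign-in from one country, then a different country 10 minutes later" pattern that identity protection flags is an impossible-travel check. The following is an added example, not Microsoft's code or the article's; it runs that heuristic over constructed sign-in records shaped like Azure AD sign-in log entries (the field names and the 1000 km/h threshold are assumptions for the example) and reports which consecutive sign-ins a policy could send to MFA or block.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample records shaped like Azure AD sign-in log entries (not real data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-03-01T09:00:00Z",
     "location": {"countryOrRegion": "GB", "geoCoordinates": {"latitude": 51.50, "longitude": -0.12}}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-03-01T09:10:00Z",
     "location": {"countryOrRegion": "US", "geoCoordinates": {"latitude": 40.71, "longitude": -74.01}}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-03-01T08:00:00Z",
     "location": {"countryOrRegion": "DE", "geoCoordinates": {"latitude": 52.52, "longitude": 13.41}}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-03-01T20:00:00Z",
     "location": {"countryOrRegion": "FR", "geoCoordinates": {"latitude": 48.86, "longitude": 2.35}}},
]

MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold: faster than an airliner is implausible travel

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins per user whose implied travel speed exceeds max_kmh."""
    by_user = {}
    for s in sorted(signins, key=lambda s: _parse_ts(s["createdDateTime"])):
        by_user.setdefault(s["userPrincipalName"], []).append(s)
    findings = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            g1, g2 = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
            distance = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
            hours = (_parse_ts(cur["createdDateTime"]) - _parse_ts(prev["createdDateTime"])).total_seconds() / 3600
            if hours <= 0:  # edge case: same timestamp from two distinct places is impossible
                speed = float("inf") if distance > 0 else 0.0
            else:
                speed = distance / hours
            if speed > max_kmh:
                findings.append({"user": user, "from": prev["location"]["countryOrRegion"],
                                 "to": cur["location"]["countryOrRegion"], "required_kmh": speed})
    return findings

if __name__ == "__main__":
    for f in find_impossible_travel(SAMPLE_SIGNINS):
        print(f"{f['user']}: {f['from']} -> {f['to']} would need about {f['required_kmh']:.0f} km/h")
```

Alice's London-to-New York pair ten minutes apart is flagged; Bob's Berlin-to-Paris pair twelve hours apart is not.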
Microsoft offers an even more wide-ranging security product
Another option worth your consideration is the Microsoft 365 Identity & Threat Protection bundle ($12 per user per month), which has Azure AD Premium P2, Microsoft Cloud App Security and the Microsoft Threat Protection suite, which includes Azure Sentinel, Azure Advanced Threat Protection (ATP), Microsoft Defender ATP and Office 365 ATP with Threat Intelligence. This combination provides a more expansive set of security benefits and doesn't cost much more than the Azure AD Premium P2 license.
There's a lot to consider about Azure AD Premium P2. Many companies might not be ready for it yet. Deciding what package to buy requires a lot of research and understanding to make sure you get the best value for your money spent. Don't buy the absolute best tier of license available until you know you'll use it.