When deciding to move to an identity and access management service, you'll have to factor in the costs and the capabilities of each tier Microsoft offers to make sure you've got the coverage you need at a price you can afford.
Microsoft released Azure Active Directory (Azure AD) to general availability in 2013, and most people in IT are at least aware of it even if they aren't actively using it. The name causes some confusion: Azure AD is not Active Directory in the cloud. Both are identity systems at their core, but they are very different products. Once that distinction is clear, the next question is which edition you need, which means comparing Azure AD Premium P1 with P2.
What is Active Directory?
Active Directory is Microsoft's on-premises directory service. It runs on the Windows Server operating system and controls access to the organization's network and resources. A server that holds the Active Directory Domain Services (AD DS) role is a domain controller; it stores the directory data, including user password hashes, and performs authentication and authorization for the domain. The directory is made up of objects -- user accounts, computer accounts, servers, printers and so on -- essentially, any user or device that joins the organization's network.
You can install Active Directory Domain Services onto several Windows Server deployments, which then take on the role of domain controllers within the Active Directory forest, which is the top-most level in the directory hierarchy. Active Directory provides authentication, access control and security (Group Policy) services for resources within the forest.
What is Azure Active Directory?
Azure Active Directory, more commonly called Azure AD, is a cloud-based identity and access management service. It is included with Office 365 and Microsoft 365 subscriptions, and Microsoft also sells other Azure AD editions with varying levels of functionality. Like Active Directory, Azure AD provides authentication and access control, but it was designed specifically for cloud users and cloud applications.
Although there are many similarities between Active Directory and Azure AD, Azure AD is not simply Active Directory in the cloud. Azure AD offers cloud-specific functionality that has no equivalent in a traditional Active Directory environment. For example, Active Directory has no way to domain join mobile devices, whereas Azure AD integrates with Microsoft Intune to manage them. Similarly, Active Directory does not natively support non-Windows systems, whereas Azure AD lets Linux virtual machines running in Azure authenticate to other Azure services with managed identities, with no credentials stored on the machine. Microsoft's documentation comparing the two services covers the differences in more detail.
How does Azure AD work with on-premises Active Directory?
Although both Active Directory and Azure AD can exist as independent directory environments, it is common for organizations to create hybrid directories that work with both on-premises domain controllers and Azure AD.
Microsoft provides a free tool called Azure AD Connect to join these two environments. Azure AD Connect synchronizes on-premises user, group and device objects to Azure AD, and can sync password hashes or enable pass-through authentication, so a user has a single identity that can access both local and cloud-based resources.
What types of Azure AD licenses does Microsoft offer?
Microsoft currently sells four options for Azure AD licensing. The first is the Free option, which is recommended for smaller organizations and has a limit of 500,000 directory objects. It is primarily intended as an authentication and access control mechanism and supports user provisioning and basic user management functions such as creating, deleting and modifying user accounts. Users can change their own passwords, Microsoft's global banned password list is applied to every tenant automatically, and admins can require multifactor authentication (MFA) for all users by turning on security defaults. Custom banned password lists and per-policy MFA rules require a premium edition.
Azure AD's Free tier also supports advanced features, including support for Azure AD Connect and pass-through cloud authentication. Additionally, the Azure AD Free edition allows for Active Directory Federation Services-based or third-party federated authentication, as well as single sign-on functionality. Administrators can create basic security and usage reports in the Free version.
Microsoft includes Azure AD with Office 365 and Microsoft 365 -- specifically, the E1, E3, E5, F1 and F3 subscriptions -- as the underlying directory service required to operate the applications on the platform, such as Exchange Online for email and SharePoint Online for content management.
Microsoft calls this the Office 365 Apps edition of Azure AD. It has the same features and capabilities as the Free version, but it also adheres to a service-level agreement (SLA) of 99.9% availability. The Free edition has no SLA.
The Office 365 Apps edition also allows for various customizations, such as company branding. Perhaps more importantly, it supports two-way synchronization of device objects (device writeback). This means device registrations made in Azure AD propagate back to the on-premises Active Directory environment as well as the other way round, which is what lets on-premises resources apply conditional access to cloud-registered devices.
In addition to the free and Office 365 Apps edition of Azure AD, Microsoft also offers two premium versions known as Premium P1 and Premium P2. (Premium used to be one tier, but Microsoft split it into two editions.) The premium versions include everything that is included in the Office 365 Apps edition and additional features that revolve around hybrid identities, advanced group-based access management and conditional access. The premium editions also include support for Microsoft Identity Manager to pull in records from on-premises human capital management software applications, such as Oracle PeopleSoft.
The P2 version has the most features and includes functionality geared toward identity protection and identity governance.
Microsoft removes Azure AD Basic edition
Microsoft had offered another Azure AD tier called Basic but removed this edition in late 2019. Organizations that subscribed to Azure AD Basic before this change can continue to use the license. This tier had the same feature set as the Azure AD Office 365 Apps edition with one exception: It lacked multifactor authentication.
Choosing an Azure AD license
As previously noted, there are four Azure AD options. The Free version is best suited for small organizations and dev/test environments, while the Office 365/Microsoft 365 version comes with added features to work with the functionality on the Microsoft collaboration platform, but nothing more.
The Azure AD Premium P1 and P2 editions target enterprise-class environments that require advanced access control capabilities. Azure AD Premium P2 is a good fit for organizations in heavily regulated industries, such as government or healthcare, or for those that require the strongest possible security.
An Azure AD Premium P1 vs. P2 feature comparison
Now that you've got a basic understanding of Azure AD and its four editions, let's look at what you get with Azure AD Premium P1 vs. P2. There are four main reasons to choose Premium P2:
1. The identity protection feature in Premium P2 gives an overview of questionable authentication attempts. It evaluates each sign-in and assigns it a risk level, for example flagging atypical travel such as an account signing in from one country and then from a different country 10 minutes later. Administrators can respond to those sign-ins automatically with risk-based conditional access policies that force MFA, require a password change or block access entirely; the risk signals and the policies that act on them are both P2-only. Identity protection is one of the best arguments for going to P2, as it greatly reduces many risks related to user access.
2. Privileged Identity Management (PIM) is a set of controls for managing privileged accounts in Azure AD and Azure resources. It provides just-in-time access that grants a role temporarily and removes it again when the activation window expires, with full logging and auditing. Activation can require a justification, MFA or approval, and can trigger notifications. If you have to contend with a lot of rogue changes in your environment, PIM could help you regain control by ensuring nobody holds a standing Global Administrator assignment.
3. The access reviews feature ensures only the right staff can use specific resources. This is helpful when onboarding and offboarding staff, or when personnel change roles. You can also put checks on existing users to review their access to resources and push these decisions toward application owners. You can tailor recurring checks to meet business requirements or to fulfill compliance rules. It's a nice feature to give you more control to allow or block access to important resources without having to remember to do so.
4. Entitlement management is an identity governance feature that uses automation to manage identity lifecycles, access lifecycles and privileged access. It provides controls to give access to the organization's resources, such as groups and applications, for both internal and external users. Entitlement management uses an access package that bundles the assorted resources, such as SharePoint Online sites and cloud app access rights, used in the request process.
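The atypical-travel check described in point 1 above is easy to reason about with a small worked example. The following code is an added illustration, not part of the original article and not Microsoft's own detection logic: it runs a simplified impossible-travel test over a constructed set of sign-in events and maps each finding to one of the two policy responses the article mentions, forcing MFA or blocking. The speed thresholds and minimum distance are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than an airliner means the travel never happened
MIN_DISTANCE_KM = 50.0      # assumption: ignore geo-IP jitter inside one metro area


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    country: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Finding:
    user: str
    earlier: SignIn
    later: SignIn
    km: float
    kmh: float
    action: str          # "block" or "require_mfa", mirroring the policy choices in the text


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dp = radians(lat2 - lat1)
    dl = radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def recommended_action(kmh: float) -> str:
    # Assumption: an implied speed an order of magnitude above airliner speed is almost
    # certainly a replayed token or stolen credential, so block; otherwise step up to MFA.
    return "block" if kmh > 10 * MAX_PLAUSIBLE_KMH else "require_mfa"


def atypical_travel(events: List[SignIn], max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Finding]:
    """Flag consecutive sign-ins per user whose implied travel speed is impossible."""
    by_user: Dict[str, List[SignIn]] = {}
    for e in sorted(events, key=lambda e: (e.user, e.when)):
        by_user.setdefault(e.user, []).append(e)

    findings: List[Finding] = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (b.when - a.when).total_seconds() / 3600.0
            # Identical timestamps from distant locations are the extreme case: infinite speed.
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                findings.append(Finding(user, a, b, km, kmh, recommended_action(kmh)))
    return findings


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


# Constructed sample sign-ins (not real tenant data).
SAMPLE_EVENTS = [
    SignIn("alice", _t("2023-05-01T10:00Z"), "GB", 51.5074, -0.1278),  # London
    SignIn("alice", _t("2023-05-01T10:10Z"), "RU", 55.7558, 37.6173),  # Moscow, 10 minutes later
    SignIn("alice", _t("2023-05-01T12:00Z"), "RU", 55.7558, 37.6173),  # Moscow again: no movement
    SignIn("bob",   _t("2023-05-01T10:00Z"), "GB", 51.5074, -0.1278),  # London
    SignIn("bob",   _t("2023-05-01T13:00Z"), "GB", 53.4808, -2.2426),  # Manchester, 3 hours later
]


def run_sample() -> List[Finding]:
    return atypical_travel(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user}: {f.earlier.country} -> {f.later.country}, {f.km:.0f} km in "
              f"{f.later.when - f.earlier.when} => {f.kmh:.0f} km/h, action={f.action}")
```

Only alice's London-to-Moscow pair is flagged: roughly 2,500 km in 10 minutes is about 15,000 km/h, far beyond the "block" threshold. Bob's London-to-Manchester pair works out to under 100 km/h and passes, and alice's two Moscow sign-ins are skipped because there is no movement at all. The real service weighs many more signals (anonymous IP, leaked credentials, unfamiliar sign-in properties), but the shape of the decision is the same: a risk score feeding a policy that steps up or blocks.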
Azure AD Premium P1 vs. P2 pricing comparison
Azure AD Premium P1 is included in the Microsoft 365 E3 suite and Azure AD Premium P2 in the Microsoft 365 E5 suite; note that the Office 365 E3 and E5 suites do not include either premium edition. Both editions are also part of the Enterprise Mobility + Security (EMS) E3 and E5 bundles, respectively. Bought separately, Azure AD Premium P1 costs $6 per user, per month, and Azure AD Premium P2 costs $9 per user, per month.
For external identities -- guest users from other organizations or consumers signing in through Azure AD B2C -- Microsoft prices the P1 and P2 features per monthly active user (MAU) instead, where an MAU is an external user who signs in or performs an identity-related activity on the tenant during the month. The first 50,000 MAUs are free. Beyond that, Microsoft charges $0.00325 per MAU for P1 features and $0.01625 per MAU for P2 features.
Another option worth considering is the Microsoft 365 Identity and Threat Protection bundle ($12 per user, per month), which packages Azure AD Premium P2, Microsoft Cloud App Security and Microsoft 365 Defender -- formerly called Microsoft Threat Protection -- which in turn comprises Microsoft Defender for Identity (formerly Azure Advanced Threat Protection), Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) and Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection). Azure Sentinel is not part of this bundle; it is billed separately on the volume of data it ingests. Even so, the combination provides a much broader set of security controls and doesn't cost much more than the Azure AD Premium P2 license on its own.
Deciding which package to buy requires a lot of research and understanding to make sure you get the best value for your money. Don't buy the absolute best tier of license available until you know you'll use it.
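Part of that research is finding out what your tenant is already entitled to, because Azure AD P1 and P2 arrive hidden inside many different SKUs. Microsoft Graph exposes the purchased SKUs and their service plans at GET https://graph.microsoft.com/v1.0/subscribedSkus (or Get-MgSubscribedSku in PowerShell); the P1 and P2 entitlements appear as the service plans AAD_PREMIUM and AAD_PREMIUM_P2 regardless of which SKU carries them. The code below is an added example, not from the article or from Microsoft: it parses a constructed response in that shape, works out the effective Azure AD tier, lists which of the features discussed above the tenant can use, and flags SKUs with more seats assigned than purchased. The feature-to-plan map is a simplified assumption, and the GUIDs are placeholders.

```python
import json
from typing import Dict, List, Set

# Service plan names exactly as Microsoft Graph returns them in /subscribedSkus.
P1_PLAN = "AAD_PREMIUM"
P2_PLAN = "AAD_PREMIUM_P2"

# Assumption: a simplified map from service plan to the features discussed in the article.
FEATURES_BY_PLAN: Dict[str, Set[str]] = {
    P1_PLAN: {"conditional_access", "hybrid_identity", "group_based_access"},
    P2_PLAN: {"identity_protection", "privileged_identity_management",
              "access_reviews", "entitlement_management"},
}


def _plan(name: str, suffix: str) -> dict:
    # Placeholder servicePlanId, not Microsoft's real GUID for the plan.
    return {"servicePlanId": "00000000-0000-0000-0000-0000000000" + suffix,
            "servicePlanName": name, "provisioningStatus": "Success", "appliesTo": "User"}


# Constructed sample in the shape of a /subscribedSkus response (not real tenant data).
SAMPLE_RESPONSE = json.dumps({"value": [
    {
        "skuId": "00000000-0000-0000-0000-000000000001",
        "skuPartNumber": "AAD_PREMIUM_P2",
        "capabilityStatus": "Enabled",
        "prepaidUnits": {"enabled": 25, "suspended": 0, "warning": 0},
        "consumedUnits": 27,   # two more users assigned than seats bought
        "servicePlans": [_plan("AAD_PREMIUM", "0a"), _plan("AAD_PREMIUM_P2", "0b"),
                         _plan("MFA_PREMIUM", "0c")],
    },
    {
        "skuId": "00000000-0000-0000-0000-000000000002",
        "skuPartNumber": "ENTERPRISEPACK",   # Office 365 E3: no Azure AD premium plans
        "capabilityStatus": "Enabled",
        "prepaidUnits": {"enabled": 100, "suspended": 0, "warning": 0},
        "consumedUnits": 80,
        "servicePlans": [_plan("EXCHANGE_S_ENTERPRISE", "0d"), _plan("SHAREPOINTENTERPRISE", "0e")],
    },
]})


def parse_skus(raw: str) -> List[dict]:
    return json.loads(raw)["value"]


def enabled_plans(skus: List[dict]) -> Set[str]:
    """Service plans the tenant can actually use: the SKU must be enabled with at
    least one purchased seat, and the plan itself must have finished provisioning."""
    plans: Set[str] = set()
    for sku in skus:
        if sku.get("capabilityStatus") != "Enabled" or sku["prepaidUnits"]["enabled"] <= 0:
            continue
        for sp in sku["servicePlans"]:
            if sp["provisioningStatus"] == "Success":
                plans.add(sp["servicePlanName"])
    return plans


def azure_ad_tier(plans: Set[str]) -> str:
    """Highest Azure AD edition present across all SKUs (a P2 SKU also carries the P1 plan)."""
    if P2_PLAN in plans:
        return "Premium P2"
    if P1_PLAN in plans:
        return "Premium P1"
    return "Free / Office 365 Apps"


def entitled_features(plans: Set[str]) -> Set[str]:
    return set().union(*(FEATURES_BY_PLAN.get(p, set()) for p in plans))


def seat_overage(skus: List[dict]) -> Dict[str, int]:
    """SKUs with more licenses assigned than purchased, e.g. after a renewal shrank the
    count; those users lose the feature when Microsoft next enforces the seat count."""
    return {s["skuPartNumber"]: s["consumedUnits"] - s["prepaidUnits"]["enabled"]
            for s in skus if s["consumedUnits"] > s["prepaidUnits"]["enabled"]}


if __name__ == "__main__":
    skus = parse_skus(SAMPLE_RESPONSE)
    plans = enabled_plans(skus)
    print("tier:", azure_ad_tier(plans))
    print("features:", sorted(entitled_features(plans)))
    print("overage:", seat_overage(skus))
```

Checking every SKU rather than looking for one named AAD_PREMIUM matters in practice: the same AAD_PREMIUM service plan arrives inside Microsoft 365 E3, EMS E3 and Microsoft 365 Business Premium, so a tenant can be fully entitled to P1 without any SKU that looks like an Azure AD license. The seat-overage check is the other thing to run before relying on a P2-only control such as a risk-based policy, because a user whose license is silently removed falls back to the Free feature set.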
Test Azure AD with the Free edition
Azure AD continues to grow and collect new features and abilities regularly. Among Azure AD's identity management capabilities is a mix of user management for both internal and external users, application access management and account protection. Most companies will use both on-premises Active Directory and Azure AD to meet different system requirements, and both systems complement each other well.
You can try Azure AD at no cost by setting up a free Azure tenant if you don't already have one, then create a directory. You can then optionally install the Azure AD Connect client to sync your on-premises Active Directory objects.
The Azure AD Free tier is great for testing but not for a business's live environment. The Free edition can enforce MFA for everyone through security defaults, but it lacks conditional access, so you cannot scope MFA or device requirements to particular users, apps or locations, and it has none of the risk-based protections of P2. Whatever edition you run, avoid putting identities in the cloud without MFA. Security conference talks, including a recent Black Hat session, have shown how easy a weakly configured Azure AD tenant is to attack, so lock the tenant down -- at a minimum, turn on security defaults, which requires MFA registration for all users and blocks legacy authentication -- before you start experimenting.