Azure Active DirectoryMicrosoft AzureAzure AD Premium P1 vs. P2: Which is Right for Your Business?

Avatar photo Grant Shepard1 month agon/a8 min

With over 6,000 Microsoft service offerings, licensing gets confusing. It’s challenging to determine what features are needed, how many licenses are necessary, and if these components will be included in your price range. It gets even more challenging when evaluating the security of your infrastructure.

When migrating to an identity and access management service like Azure Active Directory (Azure AD), you’ll have to factor in the costs and capabilities of each tier Microsoft offers to ensure you’ve got the coverage you need at a price you can afford. To help you make the right choice, let’s look at the differences between Azure AD Premium P1 and Azure AD Premium P2 licensing.

Licensing Overview

Before we go into the details, let’s talk about what licensing does at a high level. Azure’s Premium series licensing allows organizations to focus on identity and management needs and add additional capabilities to secure the infrastructure. Although Microsoft has different areas and services focused on security, the Premium series license focuses on hybrid scenarios and identity management. First, let’s dive into the features offered for both Azure AD P1 and P2.

Azure AD Premium P1 and P2 Features

Azure AD Premium P1 and P2 editions target enterprise-class environments that require advanced control capabilities. Learn more about the capabilities included in these licenses below:

Fraud Alert

Users can report fraud if they receive a two-step verification request that they didn’t initiate. In addition, users can submit fraud alerts, block users who register fraud, and enable a default code to report the scam over the phone.

Two-Step Verification for Fraud Alert

MFA Reports

Administrators can view the date, time, region, authentication type, and many other items when generating an MFA request. This helps keep tabs on the overall environment.

For example, Dynamic Consultants Group’s headquarters is located in Kansas City. Knowing that employees generally work out of Missouri allows the administrator to see quickly when a suspicious request comes from overseas at an uncommon time of day. In addition to viewing information around MFA requests, filtering is also available to narrow down the search in the portal.

Custom Greetings for Phone Calls

With P1 and P2 licenses, administrators can create custom greetings for MFA options with phone calls. The employees will be familiar with the greeting and note the link between the organization and the MFA call.

Custom Caller ID for Phone Calls

This feature grants a user the ability to use a custom number when requesting an MFA Phone Call Code. In addition, users can verify the number and know it is coming from a secure source. Currently, this is only allowed with U.S. phone numbers.

Trusted IPs

Trusted IP addresses let employees do different items at specific locations, whether at the office, at home, or traveling abroad.

For example, you can bypass MFA requirements if you log in from the office. You can also block or require MFA when traveling to other countries. This would also help prevent foreign countries from attempting to access the tenant if that country’s IP is blocked from signing in.

MFA for On-Premise Applications

Using MFA for on-premise applications helps increase the security of the workplace. You can add another layer of protection to your business from items such as FIDO2 Security Keys, Microsoft Authenticator, and Windows Hello.

Multi-Factor Authentication Methods Diagram

Conditional Access

Combining items such as MFA, locational awareness with trusted IPs, and behavioral items with apps allows an organization to pair multiple features into one policy. Conditional access also allows you to audit and see security information when a policy is bypassed or forced on a user. In addition, it provides a reporting mode to test the policy before implementation, enabling you to know precisely which users would be affected before the procedure is enforced. 

Overview on How Conditional Access Works

Azure AD Premium P2 Only

Azure AD P2 has all the same features as Azure AD P1, plus additional features. Azure AD P2 is a good fit for organizations in heavily regulated industries because there are more robust security features for identity protection and governance. Explore some of the additional capabilities below:

Risk-Based Contional Access

Most individuals have normal behavior regarding locations, sign-ins, or even the device they use. Enabling a Risk-Based Conditional Access Policy allows strange behaviors to require certain things, such as requiring MFA during a sign-in attempt. Enabling P2 Licensing allows you to add Risk-Based Conditional Access and automate user behavior flows daily with security. 

Requirements for MFA Sign-In Based on Medium or High Risk

Identity Protection (Risky Users)

Unfortunately, with the ease of using the same password over multiple platforms, it becomes increasingly easy for hackers to get into various accounts. As a result, Microsoft teams up with external sources to help review risky passwords and force changes in the environment to keep the users safe. These are called Risky Users.

Access Reviews

Organizations can recertify, test, or audit user accounts, both internal and guest, and what they might have access to with this feature.

For example, a user account might have been given temporary access to a SharePoint site as part of a project. Now that the project is complete, we can use access reviews to determine if that user still requires access to that site. This is an excellent tool for organizations of any size to utilize and makes Azure P2 Licensing even more relevant for this premium feature. 

Entitlements Management

New users, whether new to the organization or just a project, can go to a suitable place to request access to one object and gain access to all the resources that might be part of that object group, known as an access policy. The organization’s administrators also gain controls such as auditing, user scoping, required approval, and expiration dates. Automation such as Entitlement Management plays a critical role in Azure Active Directory P2 Licensing and is an excellent addition to an organization to streamline processes. 

Privileged Identity Mangement (PIM) and Just-In-Time Access

PIM permits users to control, manage, and monitor access to essential resources. You can provide just-in-time privileged access to resources and directories and assign time-bound access for resources using start and end dates. The control also allows for multiple approvals for resources that might be delicate or require multiple management style approvers. PIM also allows for justification of resource requests and an audit log for external/internal auditors.

Capability Comparision Based on License

The following comparison diagram includes a list of features available in various versions of Azure Active Directory – Azure AD Free, Office 365, Azure AD Premium P1, and Azure AD Premium P2.

Azure AD Licensing Comparison Diagram

Azure AD continues to gain new features and abilities regularly. However, to sum up the existing features associated with the licenses,  Premium P1 has several security features like MFA reports, custom greetings for phone calls, trusted IPs, and conditional access. Premium P2 has even richer security features, including additional management over privileged accounts, advanced monitoring and reporting, identity protection, and access reviews. The deal-breaker is deciding if you need that extra security cushion.

Still not sure what licensing is correct for your organization’s unique needs? Dynamic Consultants Group can help you find a suitable license for your business. We understand that Microsoft Licensing can be complex and expensive. DCG has the industry’s best team of licensing advisors to help you get optimized value at minimum cost for every Microsoft purchase and renewal. Contact one of our experts to learn more or submit for a free Microsoft Licensing Advisory.

Avatar photo

Grant Shepard

With nearly 10 years of experience in end-user and enterprise-level support across all M365 and Azure areas, Grant is an M365 Support Engineer at Dynamic Consultants Group.

Categories

© Dynamic Consultants Group - 2013 - 2021

FREE SUPPORT

Microsoft Dynamics 365

Our Dynamics 365 CRM/CE Support is tailored for organizations that are seeking additional Microsoft resources.

We are offering two free support tickets per month.