Licensing can be bewildering when you navigate the vast array of Microsoft services. The task becomes harder still when you have to determine the number of licenses, factor in the features you actually need, and stay within budget. The security capabilities tied to each tier confuse organizations even more.
When a business plans to move to an identity and access management service such as Microsoft Azure AD (Azure Active Directory), the cost and capabilities of each tier Microsoft offers need to be weighed, so that the requirements are covered within the budget. In this blog, we compare Microsoft Azure AD Premium P1 vs P2 licensing to help you make the right choice for your enterprise.
Before we get into the comparison, let us clear up some fundamentals.
What is Microsoft Azure Active Directory?
Microsoft Azure Active Directory, popularly known as Azure AD, is Microsoft's cloud-native identity and access management (IAM) service. (Microsoft renamed it Microsoft Entra ID in 2023; the P1 and P2 tiers and the features discussed below are unchanged.) Every Office 365 and Microsoft 365 subscription includes an Azure AD tenant, but Microsoft sells several editions of Azure AD, and the richer feature set requires one of the paid editions. Azure AD provides authentication and access control, and its main purpose is to serve cloud users and cloud applications.
Traditional on-premises Active Directory lacks the cloud-specific capabilities available in Azure AD. For instance, Azure AD integrates with Microsoft Intune for mobile device management. It also removes Active Directory's Windows-centric limits: Azure AD can authenticate sign-ins to Linux virtual machines, and managed identities let workloads on Windows or Linux machines in Azure obtain tokens for Azure resources without storing any credentials.
Microsoft Azure AD Licensing Overview
Microsoft offers four Azure AD licensing options, starting with the Free edition. Smaller organisations can get a lot out of this edition; its limit is 500,000 directory objects. Along with authentication and access control, it supports user provisioning and user management such as the creation, deletion, and modification of user accounts. It includes Azure AD Connect with password hash synchronization or pass-through authentication for hybrid sign-in. Federated authentication through Active Directory Federation Services (ADFS) or a third-party identity provider is also possible in the Free edition, as is single sign-on. Administrators can generate basic security and usage reports to monitor the service and user activity.
The second variant is the Office 365 Apps edition. It is the directory service that underpins the applications in the platform, such as Exchange Online for email and SharePoint Online for content management. The Office 365 Apps edition has all the features and capabilities of the Free edition.
Additionally, it carries a service-level agreement (SLA) of 99.9% availability. The Office 365 Apps edition also supports two-way synchronization of device objects, so that device changes made in Azure AD are written back to the Active Directory environment in the organization's data centre and vice versa.
Beyond the Free and Office 365 Apps editions, Azure AD Premium P1 and Premium P2 are the two paid variants. Both Premium P1 and P2 include every feature of the Office 365 Apps edition and add functionality focused on hybrid identity, advanced group-based access management, and Conditional Access. A Microsoft Identity Manager user licence is also included in the premium editions, enabling integration of identity data from on-premises human capital management applications such as Oracle PeopleSoft.
Premium P2 has the most comprehensive feature set. It emphasizes protection and governance of identities within the Azure AD environment.
Microsoft Azure AD Premium P1 vs P2 features
Both Azure AD Premium P1 and P2 offer advanced control capabilities suited to enterprise environments. The following are the core functionalities shared by P1 and P2:
Fraud Alert
Both P1 and P2 support two-step verification, and the fraud alert feature lets users report an MFA prompt that they did not initiate, for example an approval request or a phone call that arrives while they are not signing in. This gives users a way to flag a possible credential compromise the moment it happens.
When a user reports fraud, administrators are notified, and the service can be configured to automatically block the reporting user's account until an administrator unblocks it. A code (0# by default) can also be set for users to report fraud during the MFA phone call itself.
MFA Reports
Administrators get detailed visibility into multi-factor authentication (MFA) requests in the Azure AD Premium P1 and P2 editions. For each MFA request, the sign-in logs record the date and time, location, authentication method, result, and other details.
For instance, consider DynaTech Systems, which operates from India. Because employees normally work from India, a potentially fraudulent request stands out if it originates overseas or at an unusual hour. The Premium editions offer filtering in the portal so administrators can narrow the sign-in logs down to the MFA requests that match such conditions.
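The same triage can be scripted instead of clicked through in the portal. The following Microsoft Graph PowerShell snippet is an added example, not code from the original post: it pulls the MFA sign-ins of the last 30 days and flags those outside the home country or outside office hours. The home country (IN), the IST offset and the 07:00–21:00 "usual hours" window are assumptions for the DynaTech scenario; 30-day sign-in log retention and the AuditLog.Read.All permission require a Premium (P1/P2) tenant.

```powershell
# Added example (not part of the original post): flag MFA sign-ins that fall
# outside the workforce's usual country or hours, using Microsoft Graph PowerShell.
# Assumptions for the scenario: workforce in India (IN), IST local time, 07:00-21:00
# is "usual". Needs the Microsoft.Graph.Reports module and AuditLog.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')

# Server-side filter on time; the MFA filter is applied client-side.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.AuthenticationRequirement -eq 'multiFactorAuthentication' }

$homeCountry = 'IN'                           # assumption: workforce based in India
$istOffset   = [TimeSpan]::FromMinutes(330)   # IST is UTC+05:30 and has no DST
$officeStart = 7                              # assumption: usual hours 07:00-21:00 local
$officeEnd   = 21

$flagged = foreach ($s in $signIns) {
    $local   = $s.CreatedDateTime.ToUniversalTime().Add($istOffset)
    $country = $s.Location.CountryOrRegion
    $reasons = @()
    if ($country -and $country -ne $homeCountry) { $reasons += "country=$country" }
    if ($local.Hour -lt $officeStart -or $local.Hour -ge $officeEnd) { $reasons += "local_hour=$($local.Hour)" }

    if ($reasons.Count -gt 0) {
        # ErrorCode 0 is a successful sign-in; anything else is a failure code.
        $outcome = if ($s.Status.ErrorCode -eq 0) { 'success' } else { "failure ($($s.Status.ErrorCode))" }
        [pscustomobject]@{
            LocalTime = $local.ToString('yyyy-MM-dd HH:mm')
            User      = $s.UserPrincipalName
            IP        = $s.IPAddress
            MfaMethod = $s.MfaDetail.AuthMethod
            Outcome   = $outcome
            Reasons   = $reasons -join '; '
        }
    }
}

$flagged | Sort-Object LocalTime -Descending | Format-Table -AutoSize
```

A successful MFA completion from an unexpected country deserves more attention than a failed one: the failure may be a password-spray that MFA stopped, whereas the success means someone satisfied the second factor.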
Custom Greeting for Phone Calls
In Azure AD Premium P1 and P2, administrators can record customized greetings for multi-factor authentication (MFA) phone calls. When users receive an MFA phone call, they hear a greeting specific to their organization, which helps them judge that the call is legitimate.
Custom Caller ID for Phone Calls
This feature lets an organization present a custom caller ID on MFA phone calls. Administrators specify the phone number that is displayed when users receive an MFA call, so users can recognize the call as coming from a known source. At present, this functionality is available for U.S. phone numbers only.
Trusted IPs
The Trusted IPs feature lets an organization define the public IP ranges of its corporate network so that users signing in from those ranges are not prompted for MFA. Combined with Conditional Access (also P1), location becomes a decision input: the same user can be treated differently at the office, at home, or while traveling.
Consider a scenario. Employees signing in from the office are on a trusted location, so the MFA prompt is skipped. If the same employee is traveling abroad, the organization can decide whether to grant access, block it, or require MFA as an additional step.
Note that Trusted IPs by itself only suppresses the MFA prompt; blocking or challenging sign-ins from particular countries or IP ranges is done with Conditional Access policies that use named locations as a condition.
MFA for On-Premises Applications
Multi-factor authentication can also be extended to on-premises applications, adding a layer of protection that those applications never had natively. This is typically done by publishing the application through Azure AD Application Proxy so that Conditional Access applies to it, or via the NPS extension for RADIUS-based services such as VPNs. Microsoft Authenticator, FIDO2 security keys, and Windows Hello for Business can all serve as the strong factor.
Conditional Access
Conditional Access lets organizations combine signals into policy: who the user is, which application is being accessed, the device state, and the sign-in location (including trusted IPs and named locations). A single policy can combine several of these conditions and then require MFA, block access, or impose other controls. Every evaluation is recorded in the sign-in logs, so it is auditable whether a policy was applied, not applied, or satisfied for a given sign-in. Policies can also be created in report-only mode, which logs what the policy would have done without enforcing it, giving insight into exactly which users would be affected before the policy is switched on.
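Putting the Trusted IPs and Conditional Access sections together, the following Microsoft Graph PowerShell snippet is an added example (not code from the original post): it registers a corporate egress range as a trusted named location and creates a policy that requires MFA everywhere except trusted locations, starting in report-only mode. The 203.0.113.0/24 range, the policy name, and the break-glass account object ID are placeholders you must replace.

```powershell
# Added example (not part of the original post): trusted named location plus a
# report-only Conditional Access policy requiring MFA outside trusted locations.
# Placeholders: the IP range, the policy name and the break-glass account ID.
# Needs the Microsoft.Graph.Identity.SignIns module and a P1 or P2 licence.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# 1. Mark the corporate egress range as trusted (203.0.113.0/24 is a documentation range).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'HQ egress'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

# 2. Emergency-access (break-glass) account(s) excluded from every policy so a
#    misconfiguration can never lock all administrators out. Placeholder object ID.
$breakGlass = @('00000000-0000-0000-0000-000000000000')

# 3. The policy itself. 'enabledForReportingButNotEnforced' is report-only mode:
#    the sign-in logs show what would have happened, nothing is blocked yet.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA001 - Require MFA outside trusted locations'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

"Named location: $($location.Id)"
"Policy (report-only): $($policy.Id)"

# 4. Once the report-only results look right, enforce the policy.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = 'enabled' }
```

Leave the policy in report-only mode long enough to cover a normal business cycle, check the "report-only" result column in the sign-in logs for the users it would have affected, and only then change the state to enabled.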
Features Available in Azure AD Premium P2
Azure AD Premium P2 includes every feature of Premium P1. On top of that it adds identity protection and identity governance capabilities that are particularly valuable to organizations in heavily regulated industries. These additional features are:
Risk-based Conditional Access
Most people are consistent in where they sign in from, when, and on which devices. With risk-based Conditional Access, Azure AD Identity Protection scores each sign-in (sign-in risk) and each account (user risk) against that baseline, and a policy can respond to an elevated score by requiring MFA, forcing a password change, or blocking the sign-in. P2 licensing lets you use these risk levels as a condition in your policies, so the response to unusual behaviour is automatic rather than manual.
Identity Protection
Identity Protection detects compromised credentials, among other risk signals. Microsoft works with external sources to find username and password pairs that have leaked, which matters because people reuse the same password across services. Accounts whose credentials appear in such a leak, or that show other risk detections, are flagged as "risky users", and a user-risk policy can require those users to change their password before they regain access.
Access Reviews
Access reviews let organizations periodically re-check the access held by both internal users and guest accounts. Reviewers (resource owners, managers, or the users themselves) confirm whether an account still needs access to a specific resource, such as a SharePoint site granted for a particular project, and access that is not confirmed can be removed automatically. This keeps user access aligned with current requirements rather than accumulating indefinitely. Businesses of all sizes can improve their security posture with this Premium P2 feature.
Entitlements Management
Entitlement management simplifies access provisioning. Administrators bundle groups, applications, and SharePoint sites into an access package; a user then requests the package once and receives access to every resource in it. This works the same whether the user is a new joiner or a contributor to a specific project. Administrators control who may request a package, whether approval is required, how long the access lasts before it expires, and everything is audited. Entitlement management is a key component of Premium P2 for streamlining access management.
Privileged Identity Management, Just-In-Time Access
Privileged Identity Management (PIM) lets administrators control and monitor access to privileged roles and resources. Instead of holding a role permanently, a user is made eligible for it and activates it just in time, for a limited period, with the activation logged. Administrators can also set time-bound assignments with explicit start and end dates. Sensitive roles can additionally require one or more approvers before activation. Requesters can be required to give a justification, and every request and activation is written to an audit log, which helps both internal and external auditors review privileged access activity.
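The just-in-time flow described above, as an added example in Microsoft Graph PowerShell (not code from the original post): an administrator makes a helpdesk user eligible for the User Administrator role for 90 days, and the user later activates it for four hours with a justification. The user principal name, justification text, and durations are placeholders; the role is looked up by its display name rather than hard-coded.

```powershell
# Added example (not part of the original post): PIM eligibility plus a
# just-in-time activation via Microsoft Graph PowerShell. Placeholders: the
# user's UPN, the justification strings, and the 90-day / 4-hour durations.
# Needs the Microsoft.Graph.Identity.Governance module and a P2 licence.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$principalId = (Get-MgUser -UserId 'alice@contoso.example').Id   # placeholder account
$role        = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$nowUtc      = (Get-Date).ToUniversalTime()

# 1. Administrator: make the user ELIGIBLE (not permanently active) for 90 days.
#    'adminAssign' is the administrator-initiated action; the end date bounds the eligibility.
$eligibility = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = 'adminAssign'
    justification    = 'Tier-1 helpdesk; eligibility reviewed quarterly'
    roleDefinitionId = $role.Id
    directoryScopeId = '/'                      # tenant-wide scope
    principalId      = $principalId
    scheduleInfo     = @{
        startDateTime = $nowUtc
        expiration    = @{ type = 'afterDateTime'; endDateTime = $nowUtc.AddDays(90) }
    }
}
"Eligibility request: $($eligibility.Id) ($($eligibility.Status))"

# 2. Eligible user: activate just in time for 4 hours. The justification lands in
#    the PIM audit log; if the role setting requires approval, the request stays
#    pending until an approver acts on it.
$activation = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = 'selfActivate'
    justification    = 'Helpdesk ticket (placeholder): reset MFA for a locked-out user'
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    principalId      = $principalId
    scheduleInfo     = @{
        startDateTime = $nowUtc
        expiration    = @{ type = 'afterDuration'; duration = 'PT4H' }   # ISO 8601 duration
    }
}
"Activation request: $($activation.Id) ($($activation.Status))"
```

The eligibility request is run as the administrator; the activation request is run as the eligible user (or as the administrator with a different principalId, which PIM records as an admin-initiated activation). When the four hours elapse the active assignment disappears without anyone having to remember to remove it.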
Compatibility Comparison According to License Type
Feature | Azure AD Free | Azure AD Office 365 Apps | Azure AD Premium P1 | Azure AD Premium P2 |
--- | --- | --- | --- | --- |
Protect Azure AD tenant admin accounts with MFA | ✓ | ✓ | ✓ | ✓ |
Mobile app as second factor | ✓ | ✓ | ✓ | ✓ |
Phone call as second factor | | ✓ | ✓ | ✓ |
SMS as second factor | | ✓ | ✓ | ✓ |
Admin control over verification methods | | ✓ | ✓ | ✓ |
Fraud alert | | | ✓ | ✓ |
MFA reports | | | ✓ | ✓ |
Custom greeting for phone calls | | | ✓ | ✓ |
Custom caller ID for phone calls | | | ✓ | ✓ |
Trusted IPs | | | ✓ | ✓ |
Remember MFA for trusted devices | | ✓ | ✓ | ✓ |
MFA for on-premises apps | | | ✓ | ✓ |
Conditional Access | | | ✓ | ✓ |
Risk-based Conditional Access | | | | ✓ |
Identity Protection | | | | ✓ |
Access reviews | | | | ✓ |
Entitlement management | | | | ✓ |
Privileged Identity Management (PIM), just-in-time access | | | | ✓ |
Conclusion
In summary, Azure AD Premium P1 offers security features such as MFA reports, Conditional Access, trusted IPs, and custom caller ID for phone calls. Azure AD Premium P2 adds the identity protection and governance layer: risk-based Conditional Access, Identity Protection, access reviews, entitlement management, and Privileged Identity Management. Choosing the right license comes down to whether your organization needs that additional layer on top of P1's access controls.
Microsoft licensing can be complex and costly, and our team at DynaTech is dedicated to helping you get the most value from your Microsoft purchase while minimizing expenses. Feel free to reach out to one of our experts to learn more about our services.