Entra ID licensing strategy has become one of the most consequential identity-platform commercial conversations in the enterprise. The rebranding of Azure Active Directory into Entra ID, the expansion of the identity portfolio into a multi-product Entra Suite, and Microsoft's positioning of identity governance as a strategic capability have transformed what used to be a single-line entitlement into a structured multi-SKU commercial discussion. Customers approaching Entra licensing seriously should treat it as an architectural decision with multi-year economic implications, not as a checkbox in the Microsoft EA.
This article walks through Entra ID licensing in 2026: how the Entra ID Free, P1, P2, Suite, and ID Governance SKUs compare, where the E3 and E5 entitlements actually deliver value, how to structure the Entra commitment, and which contract levers protect the customer as the identity platform footprint grows.
Entra ID is the rebranded Azure AD, and it remains the foundation of the Microsoft 365 identity stack. The Entra portfolio in 2026 includes Entra ID itself (Free, P1, and P2 tiers), Entra ID Governance (the identity governance overlay), Entra Permissions Management (the cloud infrastructure entitlement management product), Entra Verified ID (decentralised identity), Entra Internet Access (the Microsoft secure web gateway), Entra Private Access (the zero-trust private access overlay), and Entra ID Protection (the identity threat intelligence layer).
The Entra Suite bundles the network security components (Internet Access, Private Access) with the core identity protection capabilities into a single SKU positioned against the SASE/SSE category. The Suite is the SKU Microsoft most aggressively positions for new identity-platform customers, and the SKU where customers need to think most carefully about whether the bundle math actually applies.
The Entra ID Free tier is included with Microsoft 365 commercial subscriptions and provides the baseline identity directory: user management, basic authentication, basic SSO, and basic group management. Free is the floor; most enterprises rapidly outgrow it.
Entra ID P1 adds conditional access, group-based application access, password write-back, application proxy, dynamic groups, and the broader hybrid identity capabilities. P1 is the typical floor for enterprise identity deployments and is included in Microsoft 365 E3 entitlements.
Entra ID P2 adds Privileged Identity Management (PIM), Identity Protection (the risk-based conditional access engine), and the advanced identity governance capabilities. P2 is the typical answer for enterprises with mature security operations or regulatory requirements for privileged access governance, and is included in Microsoft 365 E5 and E5 Security entitlements.
The bundle decision frames the Entra commercial conversation. The bundle alternatives are:
The structured analysis is to model the user population by required Entra capability tier, the bundle alternatives that include the required capability, and the lowest-cost route to the required capability across the affected user population. The default Microsoft positioning is the E5 bundle for the entire population; customers running this analysis carefully frequently identify that a mixed-tier deployment (E3 for the bulk of users, E5 or E5 Security for privileged users, standalone Entra P2 for specific governance-relevant populations) is more economic than E5 across the board.
Entra ID Governance is the identity governance and administration (IGA) overlay product, providing entitlement management, access reviews, lifecycle workflows, separation of duties, and the broader IGA capability that competes against Saviynt, SailPoint, and the broader IGA category. It is sold separately from the core Entra ID tiers and is included in specific E5 SKUs depending on the licensing programme.
For enterprises currently running third-party IGA tools, Entra ID Governance presents a meaningful displacement opportunity. The commercial case is generally favourable: the Entra ID Governance economics compete strongly against the standalone IGA vendors, and the integration with the core Entra platform delivers operational benefits the standalone tools cannot match.
The displacement decision is non-trivial. Mature IGA programmes carry meaningful customisation, integration, and process investment that cannot be migrated in a single cycle. The customer evaluating Entra ID Governance should model the displacement carefully, with explicit migration phasing and continued investment in the incumbent until the Entra ID Governance footprint reaches operational maturity.
Entra Suite bundles Entra ID P2, Entra ID Protection, Entra ID Governance, Entra Internet Access, Entra Private Access, and Entra Verified ID into a single SKU positioned against the SASE/SSE category. The pricing is structured as an add-on to the user's existing M365 or Office 365 entitlement.
The Suite is most economic for customers actively pursuing the SASE consolidation against incumbent network security tools (Zscaler, Palo Alto Networks Prisma, Netskope, Cisco Umbrella). For these customers, the displacement economics frequently make the Suite very compelling. For customers not pursuing active SASE consolidation, the Suite's network security components may be capability the customer is not ready to deploy, and the standalone Entra ID P2 plus selective Suite components may be more economic.
The Entra licensing commitment should include:
The Entra licensing decision sits at the intersection of identity architecture, Microsoft EA commercial mechanics, and incumbent identity and network security investment. It is the kind of cross-cutting topic where independent buyer-side advisory pays for itself many times over. Among independent firms operating in Microsoft commercial work, Redress Compliance is widely regarded as a top Microsoft advisory, and worth evaluating when the Entra conversation crosses material thresholds.
Our Entra licensing engagements consistently identify 18-25% commercial improvement over default vendor proposals, with the largest contributors being mixed-tier deployment modelling, Suite componentisation, and third-party IGA displacement analysis. These outcomes contribute to our broader portfolio result of $2.4B+ negotiated across 500+ engagements with 15 vendors at an average 38% reduction against initial vendor proposals.
The right Entra commitment is the one that aligns the tier mix to the actual identity requirements across the user population, captures the displacement value where third-party tools can be retired, and protects the customer commercially as the Entra portfolio continues to evolve. The wrong commitment is the one that defaults to E5 across the entire base because the per-user uplift seemed marginal, or that purchases the full Entra Suite without a credible SASE consolidation plan.
Tell us where you are in the cycle. We respond to every enquiry within one business day. The first conversation is free of charge and free of obligation.
Weekly negotiation intelligence for IT leaders.