Security · Microsoft Entra ID

Identity is the line you pay for twice and govern once.

Microsoft Entra ID, formerly Azure Active Directory, is the identity and access platform that authenticates every user and conditions access to every workload across the Microsoft estate. A free tier ships with any Microsoft cloud subscription. The paid value sits in two premium tiers, P1 and P2, both of which are also bundled inside Microsoft 365 E3 and E5 and the Enterprise Mobility and Security suites that most organizations already hold. Above the tiers sit newer governance and identity protection add ons sold per user. The recurring exposure is identity bought twice: standalone P1 or P2 purchased for users who already carry the same entitlement through a suite, P2 deployed to the whole population for features only a fraction needs, and governance add ons stacked on top before anyone confirms the base tier was even required. Entra is where identity gets paid for through three doors at once, and where the premium tier is sold as a blanket when the need is selective.

The product

What Entra ID actually is.

Entra ID is a per user identity platform with a free base and two paid tiers, and almost every paid tier also ships inside a suite. Knowing which door you already own it through is the foundation of any identity licensing decision.

Layer 01
The free base

What ships for nothing

The free tier of Entra ID is included with any Microsoft cloud subscription and covers core directory, single sign on for cloud apps, and basic security defaults. For many smaller estates the free tier carries more than buyers assume. The paid decision is not whether to license identity at all; it is whether the premium controls justify the per user premium, and through which entitlement they are reached.

  • Core directory. User and group management included with the cloud subscription.
  • Single sign on. Federated access to cloud applications at the base tier.
  • Security defaults. Baseline protection without the premium spend.

Layer 02
The premium tiers

P1 and P2 explained

P1 adds conditional access, self service password reset, and hybrid identity. P2 adds identity protection, risk based conditional access, and privileged identity management. Both are sold standalone per user and both are bundled into the suites: P1 inside M365 E3 and EMS E3, P2 inside M365 E5 and EMS E5. The tier you need rarely matches the tier you bought across every owner.

  • Entra ID P1. Conditional access and hybrid identity. In E3 and EMS E3.
  • Entra ID P2. Identity protection and PIM. In E5 and EMS E5.
  • Governance add ons. Entra ID Governance and Suite, priced per user on top.

The editions

The SKUs that drive the bill.

The Entra line is built from a small number of SKUs, but each can be reached through a standalone purchase or a suite entitlement. The same capability acquired through two paths is the structural cause of the duplication.

SKU 01
P1 standalone

The conditional access tier

Entra ID P1 sold per user delivers conditional access, self service password reset, and hybrid join. It is the right tier for organizations that need enforcement without the full risk and governance stack. Bought standalone for users already on M365 E3 or EMS, it duplicates an entitlement the suite already carries.

SKU 02
P2 standalone

The protection and governance tier

Entra ID P2 adds identity protection, risk based policy, and privileged identity management. It is genuinely needed by administrators and high risk populations, and rarely by every employee. Deploying it across the whole base for features a fraction uses is the classic over deployment of the premium identity tier.

SKU 03
The add ons

Governance stacked on top

Entra ID Governance and the broader Suite add on extend lifecycle, access reviews, and identity protection beyond the base tiers, priced per user on top of P1 or P2. The value is real for regulated and complex estates and absent for most. Stacking governance before confirming the base tier was needed compounds the spend on identity that was never used.

The trap

The licensing mistakes buyers make.

Entra produces three recurring exposures. The first is standalone P1 or P2 bought for users already covered by a suite. The second is P2 deployed to the whole population for features only administrators use. The third is governance add ons stacked before the base requirement is confirmed.

Trap 01
Double coverage

Bought twice for the same users

A security team stands up standalone P1 or P2 to enforce conditional access quickly, while those same users already hold the identical tier inside M365 or EMS procured by a different owner. Both lines bill. The duplication persists because the suite entitlement and the standalone purchase sit in separate budgets, and no one reconciles the identity licenses against the suites the same users carry.

Trap 02
P2 for all

The protection tier everywhere

Entra ID P2 gets bought across the whole user base because it is simpler than separating the administrators and high risk users from the rest. Identity protection and privileged identity management matter to a defined population, not to every employee. Paying the per user P2 premium for a base that never touches the advanced controls is over deployment applied to the identity line.

Trap 03
Add on stack

Governance before the base is set

The governance and Suite add ons get layered on top because they appear in the same proposal as a recommended bundle. Access reviews and lifecycle management deliver value in regulated and complex estates and sit idle elsewhere. Stacking the add on before confirming that the base P1 or P2 tier was even required is how identity spend compounds across layers nobody mapped.

The cost levers

Where the real money moves.

Entra responds to two levers. The entitlement map eliminates the standalone duplication against the suites. The tier and add on review confines P2 and governance to the populations that use them, so identity is paid for once and at the right tier.

Lever 01
The entitlement map

Eliminating the duplication

The first move maps every Entra P1 and P2 license against the M365 and EMS entitlements the same users already hold. The standalone purchases that overlap with bundled capability are eliminated, and the line collapses to the populations genuinely not covered by a suite. This is the largest single recovery on the identity line and the one most often left untouched across the suite and standalone tracks.

The reconciled position then feeds the broader suite negotiation at the EA renewal.

Lever 02
Tier and add ons

Right tier, real population

Entra ID P2 is confined to the administrators and high risk users who use identity protection and privileged identity management, rather than deployed across the whole base, so the premium is paid only where it returns value.

The governance and Suite add ons are tested against the regulated and complex requirements that justify them and removed where they sit idle, closing the spend on identity layers the estate never exercises.

The advisory work

What we deliver on Microsoft Entra ID.

The engagement is an entitlement and tier diagnostic, a population model for P2 and the governance add ons, and the integration of the reconciled position into the broader identity and suite negotiation. The output is an Entra line free of duplication and matched to the population that uses each tier.

Deliverable 01
The entitlement diagnostic

The duplication audit

We map every Entra P1 and P2 license against the M365 and EMS entitlements the same users hold, surface the standalone duplication, test P2 against the administrators and high risk users who exercise the advanced controls, and test the governance add ons against the requirements that justify them. The output is a defensible picture of true coverage, the duplication to eliminate, and where each premium tier earns its place.

Deliverable 02
The negotiation

The reconciled position and contract

We eliminate the standalone duplication against the suite entitlement, confine P2 to the population that uses it, remove the governance add ons that sit idle, and fold the clean position into the broader identity stack and suite negotiation. We secure the rates and lock multi year protection. The output is an Entra line counted once, set at the right tier, and defensible through the term.

Engage the practice

Stop buying identity you already own in the suite.

The Entra diagnostic maps every P1 and P2 license against the M365 and EMS entitlement the same users hold, eliminates the standalone duplication, confines the protection tier to the population that uses it, tests the governance add ons against real requirements, and brings the clean position into the identity stack negotiation. The result is an identity line counted once and set at the right tier.

$420M+ recovered · 340+ engagements