Comparing Azure Active Directory Licensing Free vs Basic vs P1 vs P2

Azure Active Directory licensing on Microsoft Azure can be perplexing for many businesses. Microsoft keeps adding license options to its identity services, including options aimed at specific industry verticals, such as GCC for governments and F1 for first-line workers. It can be difficult to recognize which licensing option suits your business needs.

Identity management is one of the central elements of contemporary IT infrastructure. It is up to you to manage which users can access which resources on your on-site network and cloud systems, and to prevent unauthorized accounts from accessing apps and data. Unauthorized access harms the business and creates compliance risk.

The majority of businesses that use Microsoft, regardless of their IT system, are likely already using Azure Active Directory to manage their identity services. You might already be using Azure AD, which is bundled with Office 365 subscriptions and Azure subscriptions.

Microsoft provides 4 significant Azure Active Directory licenses that businesses can choose from. This article compares these licenses, discusses the importance of Azure Active Directory at the business level, and describes its broader function within Microsoft’s ecosystem. Before looking at the licenses, let’s first get an overview of Active Directory.

What is Active Directory?

Source: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain

Active Directory (AD) helps businesses manage users, groups, and components in their networks. You can assign users to groups and then grant each group access to specific network resources, devices, and apps. The ability to manage access at various levels lets businesses hand out resources to precise subgroups, which is vital from the perspective of resource management, compliance, and regulation.

Not every Active Directory service is designed identically. For example, Windows Server Active Directory lets businesses deal with internal assets and user integrity throughout the business network. Azure Active Directory, on the other hand, is designed for cloud services.

Overview of Azure Active Directory:

Source: Integrate a single forest with a single Azure AD tenant

Azure Active Directory (Azure AD) allows you to administer identities such as users and groups. It also enables you to manage access to devices, apps, and data through the cloud. This means that both access and identity are handled completely from the cloud, and all your services and cloud apps will use Azure AD.

Note that Azure AD is immediately useful for Microsoft apps, but it can also be used to manage the identity and access controls of your whole organization. Several organizations set up a hybrid AD system with Azure AD and an additional on-premise AD (usually Windows Active Directory).

Azure AD vs Windows Active Directory:

Azure Active Directory is used to manage identity across Windows, Azure, and web apps. It can be thought of as a service that sits outside the Windows Server Active Directory network. Windows Server Active Directory offers domain services, federation services, lightweight directory services, and more to deal with network policy, identity, and servers on business networks. Azure AD, on the other hand, was designed with web apps in mind.

Azure AD matters most when it comes to cloud apps and resources. On-site Active Directory services, such as Windows Server Active Directory, are appropriate for dealing with identity, SSO, etc., in your network, but they cannot manage the complexity of cloud apps. Windows Server AD handles your on-premise Active Directory requirements, whereas Azure AD handles your cloud Active Directory.

Both of these directories are important, and you will probably use both of them to manage access and control for your users and groups. Azure AD is chiefly helpful for organizations that have already shifted their apps to the cloud. It is also helpful for organizations that face user/password problems because their existing Active Directory cannot cope with the migration.

Note that Windows Server AD and Azure AD use different protocols. Windows Server AD uses LDAP, Kerberos, etc., whereas Azure AD uses REST APIs and OAuth 2.0 tokens. This means that apps should be built to work with Azure AD.

Various Azure Active Directory Licensing:

The following section highlights a few of the Azure Active Directory licensing alternatives. Before moving further, note that Azure AD comes already bundled into Office 365 licenses and Azure licenses. Azure and Office clients can, however, buy the P1 and P2 versions to get the extra benefits.

Now let’s look into the various Azure Active Directory licensing options.

Free (Included in Azure Sub):

  • Up to 500,000 Directory Objects
  • Identity management capabilities and device registration
  • Single Sign-On can be assigned to 10 apps per user
  • Easy provisioning
  • B2B collaboration capabilities (enable you to assign guest users from outside your business)
  • Federated Authentication (ADFS or 3rd party IDP)
  • Self-service password change (for cloud users)
  • Cloud Authentication (Pass-Through Auth, Password Hash sync, Seamless SSO)
  • Connect (syncs on-premise AD to Azure AD)
  • Azure AD Join: desktop SSO and administrator BitLocker recovery
  • Multi-Factor Authentication (may vary by subscription)
  • Basic security and usage reports

Basic ($1 per user per month):

  • Unlimited Directory Objects
  • Identity management capabilities and device registration
  • Single Sign-On can be assigned to 10 apps per user
  • Easy provisioning
  • B2B collaboration capabilities (enable you to assign guest users from outside your business)
  • Self-service password reset (for cloud users)
  • Connect (syncs on-premise AD to Azure AD)
  • Basic security reports
  • Group-based access management and provisioning
  • Do It Yourself password reset (for cloud users)
  • Ability to brand logon pages
  • Service Level Agreement (SLA)

Premium P1 ($6 per user per month):

  • Unlimited Directory Objects
  • Identity management capabilities and device registration
  • Single Sign-On can be assigned to unlimited apps per user
  • Easy provisioning
  • B2B collaboration capabilities (enable you to assign guest users from outside your business)
  • Federated Authentication (ADFS or 3rd party IDP)
  • Self-service password reset (cloud users)
  • Cloud Authentication (Pass-Through Auth, Password Hash sync, Seamless SSO)
  • Connect (syncs on-premise AD to Azure AD)
  • Azure AD Join: desktop SSO and administrator BitLocker recovery
  • Group-based access management and provisioning
  • Ability to brand logon pages
  • Service Level Agreement (SLA)
  • Application proxy
  • Dynamic groups, group creation, group naming policy, usage guidelines, etc.
  • On-premise writeback for Self-service reset, change and unlock
  • Multi-factor authentication
  • Two-way sync between on-premise and Azure AD
  • Microsoft Identity Manager user CAL
  • Cloud App Discovery
  • Connect Health
  • Automatic password rollover (for group accounts)
  • Conditional Access based on health/location
  • Password Protection for Windows Server Active Directory (global and custom banned password)
  • Microsoft Cloud App Discovery
  • Ability to grant conditional access based on location, device state, and group
  • Azure AD Join: MDM auto-enrollment and local admin policy customization
  • Integrations with 3rd party identity governance partners
  • SharePoint limited access
  • OneDrive for Business (limited access)
  • Preview integration for 3rd party MFA partners
  • Terms of Use (set up terms of use for specific access)
  • Advanced security and usage reports
  • Cloud App Security Integration

Premium P2 ($9 per user per month):

  • Everything available in P1
  • Identity Protection
  • Privileged Identity Management
  • Access reviews
  • Entitlement Management

Office 365 (Included In Office 365 Subs):

  • Everything available in the Free Tier
  • Multi-factor authentication
  • Unlimited Directory Objects

Free vs. Basic vs. Office 365:

Those who want fundamental Azure AD services should consider one of the 3 tiers, i.e., Free, Basic, and Office 365. Now let’s look at the basic differences between them:

Free vs. Office 365:

These two Azure AD environments come as part of your existing license. Therefore, if you have only an Azure license, go for the free version. If you have only an Office 365 license, go for the Office 365 option.

The Office 365 option provides 2 benefits over the free version: unlimited directory objects and multi-factor authentication.

Having multiple layers of authentication is vital in the present-day business environment, and unlimited objects are critical for the majority of businesses. This is most noticeable if you have 20+ employees or use plenty of cloud apps. Usually, you do not need to choose between these two options: either you have an Office 365 license or you don’t.

Office 365 vs. Basic:

The 2 key differences between these two versions are as follows:

  • The Basic version provides you access to the application proxy. With the app proxy, your cloud AD and on-site AD are bridged together via a single portal or external URL.
  • The Office 365 version provides you multi-factor authentication.

Except for these 2 points, these two versions are identical in terms of features.

P1 vs P2:

For those who want additional features, upgrading to either P1 or P2 provides more than enough Azure AD resources. These tiers offer certain vital components that are not found in the 3 versions above, i.e., Basic, Free, and Office 365. These components are beneficial for compliance, security, and identity management.

Common features in P1 and P2:

  • Offer unlimited directory objects
  • Offer single sign-on for an unlimited number of apps and unlimited users for those apps
  • Provide identity management capabilities
  • Include B2B collaboration capabilities that give guest users access to collaborative features
  • Provide self-service password modification capabilities to users
  • Include Connect, which syncs Azure AD and Windows Server AD (or some other on-premise AD)
  • Provide branding capabilities for the portals or login pages
  • Provide advanced reports (showing how users use apps and where risks are located, with troubleshooting capabilities)
  • Support multi-factor authentication
  • Support app proxy
  • Support Microsoft Identity Manager user CAL
  • Come with group-based access management and provisioning
  • Have Connect Health
  • Cloud App Discovery
  • Provide conditional access depending on user devices or location
  • Ability to integrate 3rd party identity governance partners as well as MFA partners
  • Automatic password rollover
  • Offer SharePoint limited access
  • Limited access to OneDrive for Business
  • Terms of Use
  • Service Level Agreement (SLA)
  • Support Cloud App Security integration

Difference between P1 and P2:

Here are the 3 key differences between P1 and P2:

  • P2 comes with Identity Protection, allowing you to manage conditional access to apps.
  • P2 provides Privileged Identity Management (PIM), which gives you extra management over privileged accounts.
  • P2 provides Access Reviews.

These features are reserved for enterprises. Small businesses may not need any of them.

Difference between Free, M365 Apps vs P1 and P2

| Core Identity and Access Management | Free | Office 365 Apps | Premium P1 | Premium P2 |
|---|---|---|---|---|
| Directory Objects | 500,000 Object Limit | No Object Limit | No Object Limit | No Object Limit |
| Single Sign-On (SSO) (unlimited) | Available | Available | Available | Available |
| Easy provisioning | Available | Available | Available | Available |
| Federated Authentication (ADFS or 3rd party IDP) | Available | Available | Available | Available |
| User and group management (add/update/delete) | Available | Available | Available | Available |
| Device registration | Available | Available | Available | Available |
| Cloud Authentication (Pass-Through Auth, Password Hash sync, Seamless SSO) | Available | Available | Available | Available |
| Azure AD Connect sync (extend on-premises directories to Azure AD) | Available | Available | Available | Available |
| Self-Service Password Change for cloud users | Available | Available | Available | Available |
| Azure AD Join: desktop SSO and administrator BitLocker recovery | Available | Available | Available | Available |
| Password Protection (global banned password) | Available | Available | Available | Available |
| Multi-Factor Authentication | Available | Available | Available | Available |
| Basic security and usage reports | Available | Available | Available | Available |
| External Identities | | | | |
| Secure and manage customers and partners: your first 50,000 monthly active users free. Pay only for what you use. | | | | |
| Identity and Access Management for Office 365 apps | | | | |
| Company branding (customization of login and logout pages, access panel) | Not available | Available | Available | Available |
| Self-service password reset for cloud users | Not available | Available | Available | Available |
| Service Level Agreement (SLA) | Not available | Available | Available | Available |
| Device objects two-way synchronization between on-premises directories and Azure AD (Device write-back) | Not available | Available | Available | Available |
| Premium Features | | | | |
| Password Protection (custom banned password) | Not available | Not available | Available | Available |
| Password Protection for Windows Server Active Directory (global and custom banned password) | Not available | Not available | Available | Available |
| Self-service password reset/change/unlock with on-premises write-back | Not available | Not available | Available | Available |
| Group access management | Not available | Not available | Available | Available |
| Microsoft Cloud App Discovery | Not available | Not available | Available | Available |
| Azure AD Join: MDM auto-enrollment and local admin policy customization | Not available | Not available | Available | Available |
| Azure AD Join: self-service BitLocker recovery, enterprise state roaming | Not available | Not available | Available | Available |
| Advanced security and usage reports | Not available | Not available | Available | Available |
| Hybrid Identities | | | | |
| Application Proxy | Not available | Not available | Available | Available |
| Microsoft Identity Manager user CAL | Not available | Not available | Available | Available |
| Connect Health | Not available | Not available | Available | Available |
| Advanced Group Access Management | | | | |
| Dynamic groups | Not available | Not available | Available | Available |
| Group creation permission delegation | Not available | Not available | Available | Available |
| Group naming policy | Not available | Not available | Available | Available |
| Group expiration | Not available | Not available | Available | Available |
| Usage guidelines | Not available | Not available | Available | Available |
| Default classification | Not available | Not available | Available | Available |
| Conditional Access | | | | |
| Conditional Access based on group, location, and device status | Not available | Not available | Available | Available |
| Azure Information Protection integration | Not available | Not available | Available | Available |
| SharePoint limited access | Not available | Not available | Available | Available |
| Terms of Use (set up terms of use for specific access) | Not available | Not available | Available | Available |
| Multi-Factor Authentication with Conditional Access | Not available | Not available | Available | Available |
| Microsoft Cloud App Security integration | Not available | Not available | Available | Available |
| 3rd party identity governance partners integration | Not available | Not available | Available | Available |
| Identity Protection | | | | |
| Vulnerabilities and risky accounts detection | Not available | Not available | Not available | Available |
| Risk events investigation | Not available | Not available | Not available | Available |
| Risk-based Conditional Access policies | Not available | Not available | Not available | Available |
| Identity Governance | | | | |
| Privileged Identity Management (PIM) | Not available | Not available | Not available | Available |
| Access Reviews | Not available | Not available | Not available | Available |
| Entitlement Management | Not available | Not available | Not available | Available |
| Price | Free | M365 E1, E3, E5, F3 | $6 user/month | $9 user/month |

** Always check original source for the latest information

Azure AD Q&A:

1. Is Azure AD available for governments?

Yes, both GCC High and Azure Government support Azure AD.

2. Is Azure AD available for educational institutions?

Yes, Azure AD Free is bundled into education licensing for Office 365.

3. Are there any exceptional Azure AD features accessible to users who have a Windows 10 license?

Yes, Azure AD can be used with Windows 10 licenses. It also provides exceptional features like connecting a device to Azure AD, administrator BitLocker recovery, and Windows Hello for Azure AD.

P1 and P2 versions come with Azure AD join, MDM self-enrollment, and Enterprise State Roaming.

Final Thoughts:

When it comes to Active Directories, each business has unique requirements. The options discussed above are the 4 key Azure Active Directory licensing options provided by Microsoft. These options provide the required features for companies of all sizes and shapes.