I have a theory that Microsoft's licensing page for Entra ID was designed by someone who gets paid per confused customer. There is no other explanation for how this got so complicated.
If you have ever tried to figure out whether you need Entra ID P1, P2, Entra ID Governance, or some combination of all three, you are not alone. This is especially confusing if you are still running a hybrid setup with on-prem Active Directory and Entra Connect, because some features only matter in hybrid and some only apply to cloud-only. I talk to IT managers across Sweden and the Nordics every week who are either overpaying for licenses they do not use or missing features they assumed were included in what they already pay for.
Let me try to sort this out. Or at least make it less confusing.
The basics
Microsoft Entra ID comes in four tiers. Here is what each one actually gives you, in plain language.
Entra ID Free is included with any Microsoft 365 subscription. Basic user and group management, single sign-on for Microsoft apps, limited self-service password reset, and some security defaults. For a very small company with simple needs, this might be enough.
Entra ID P1 is where things get useful. Conditional access policies (rules like "require MFA when logging in from outside Sweden"), group-based license assignment, self-service password reset with writeback to on-prem AD, and dynamic groups. If you are running a company with 50+ people, you almost certainly need P1.
Important: P1 is included with Microsoft 365 Business Premium, which a lot of Nordic mid-market companies already have. Check your current licenses before buying P1 as a separate add-on. I have seen companies pay for P1 twice because nobody checked what Business Premium already included.
Entra ID P2 is everything in P1, plus Identity Protection (risk-based conditional access that detects suspicious sign-ins) and Privileged Identity Management (PIM), which gives you just-in-time admin access instead of permanent global admins sitting around. P2 also includes basic access reviews.
P2 costs roughly 7.50 EUR per user per month as a standalone add-on. For a 200-person company, that is 1,500 EUR per month. 18,000 EUR per year. Not a small number.
Entra ID Governance is the newest addition and the one that confuses everyone. It is a separate add-on that requires P1 or P2 as a prerequisite. Governance adds lifecycle workflows (automate onboarding/offboarding tasks), entitlement management (access packages), and more advanced access reviews.
Governance runs about 6 EUR per user per month, on top of P1 or P2. If you want the full stack (P2 + Governance), you are looking at roughly 13.50 EUR per user per month.
The per-user maths
Microsoft licenses Entra ID per user. Everyone who benefits from a feature needs a license. There are some exceptions for service accounts and room mailboxes, but the general rule is: 200 employees who need conditional access means 200 P1 licenses.
Here is what a 200-person company might spend:
Setup | Monthly | Annual
- P1 only (if not in Business Premium) | ~1,200 EUR | ~14,400 EUR
- P2 | ~1,500 EUR | ~18,000 EUR
- P1 + Governance | ~2,000 EUR | ~24,000 EUR
- P2 + Governance | ~2,700 EUR | ~32,400 EUR
These are approximate, based on European list pricing. Your actual costs depend on your Microsoft agreement and what is bundled into licenses you already have.
What you actually need (my honest take)
For most companies between 50 and 500 employees running Microsoft 365:
P1 is essential. Conditional access alone makes it worth it. If you are running hybrid with Active Directory, you also need P1 for password writeback, which lets users reset their cloud password and have it sync back to on-prem AD. Without it, you end up with password mismatches between AD and Entra ID, which is a support headache. If you have Business Premium, you already have P1. Verify before you spend.
P2 is worth considering if you have admin accounts that should not be permanently privileged (you probably do) or if you want risk-based sign-in policies. The Identity Protection features are genuinely useful and hard to replicate otherwise.
Governance is where I get sceptical for mid-market. The lifecycle workflows are more limited than the name suggests. The access reviews are better than P2's basic version, but they still need a lot of manual configuration. And entitlement management, while good in theory, assumes a level of access package design that most 200-person companies do not have the bandwidth for.
If you are buying Governance specifically for lifecycle automation (onboarding, offboarding, role changes), compare the cost against a dedicated tool that does this part better for less. At 6 EUR per user per month for Governance plus 7.50 for P2, you are spending 32,400 EUR per year on identity features alone for a 200-person company. There are purpose-built alternatives — including ours, but not only ours — that cost significantly less and handle the lifecycle piece better.
What Microsoft does not mention
Microsoft's incentive is to sell you the full stack. Every licensing comparison page nudges you upward. The feature tables are designed to make you feel like you are missing out if you are not on the top tier.
The reality for most Nordic mid-market companies: you need P1 (which you might already have), possibly P2 for admin security, and a focused tool for the lifecycle and governance piece.
You do not need to buy everything from one vendor. Especially when that vendor prices per user and the costs compound faster than you expect.
Bookmark this. Send it next time someone in your organisation asks "what Entra ID license do we actually need?"