Understanding Azure Active Directory Licensing (Free, Basic, P1, P2)

Microsoft licensing, especially Azure Active Directory licensing, can be confusing for some businesses. As Microsoft continues to add license options to establish itself across industry verticals (e.g., F1 for first-line workers, GCC for governments, etc.), figuring out which licensing fits your specific business IT makeup is tricky.

A core component of the modern IT infrastructure is identity management. You need to control which users have access to which resources across your cloud and on-premises ecosystem. Also, you don’t want unprivileged accounts accessing privileged data and apps. It’s bad for business, and it introduces compliance risk.

Most businesses that utilize Microsoft at some level within their IT ecosystem should be using Azure Active Directory to help manage identity services. In fact, you may already be using Azure AD — it’s bundled with Office 365 subscriptions and Azure subs.

Microsoft has four core Azure Active Directory licenses that businesses can choose from. Today, we’re going to compare these services and talk about the value of Azure Active Directory on the corporate level, as well as its overall function within Microsoft’s scheme.

What is Active Directory?

Active Directory (AD) helps businesses manage users, groups, and objects within their networks. So, you can assign users to groups, and assign each of those groups access to specific network resources, apps, and devices. This ability to control access at a variety of levels gives businesses the freedom to distribute resources to specific subgroups, which is critical for both resource management as well as compliance and regulation.

Not all Active Directory services are built the same. While Active Directory services like Windows Server Active Directory help businesses manage in-house assets and user identities throughout the corporate network, Azure Active Directory is built with cloud services in mind.

Understanding Azure Active Directory

Azure Active Directory (or Azure AD) enables you to manage identity (users, groups, etc.) and control access to apps, devices, and data via the cloud. That means that both identity and access are managed entirely from the cloud, and all of your cloud apps and services will utilize Azure AD. It’s important to note that Azure AD is immediately valuable for Microsoft apps, but it can be used to power the identity and access controls of your entire organization. Many organizations build a hybrid AD system using both Azure AD and another on-premises AD (typically Windows Server Active Directory).

Azure AD vs Windows Active Directory

Managing identity across Azure, Windows, and internet-connected apps requires Azure Active Directory. It’s best to think of Azure Active Directory as a service existing outside of the Windows Server Active Directory ecosystem. While Windows Server Active Directory provides domain services, lightweight directory services, federation services, etc. to handle identity, network policy, and servers on enterprise networks, Azure AD was built with web apps in mind.

The value of Azure AD is immediate when we talk about cloud apps and resources. On-premises Active Directory services (think Windows Server Active Directory) are suitable for handling SSO, identity, etc. within your network, but they can’t handle the complexity of identity for cloud apps. Azure AD will handle your cloud Active Directory needs while Windows Server AD will handle your on-premises Active Directory needs.

So, they both have value, and you’ll likely use both of them to handle your user/group control and access. Azure AD is especially valuable for organizations that have already moved apps to the cloud and are dealing with multiple user/password issues due to their current Active Directory being unable to handle the migration.

*It’s important to note that the enterprise protocols differ between Azure AD and Windows Server AD. While Windows Server AD uses Kerberos, LDAP, etc., Azure AD uses REST APIs and OAuth 2.0 tokens. This means that apps need to be built from the ground up with Azure AD in mind (which all Microsoft web apps are).

Different Azure Active Directory Licensing

Let’s take a look at some of the Azure Active Directory licensing options. Before we begin, it’s important to note that Azure AD is already bundled into Office 365 licenses AND Azure licenses. However, Office and Azure clients can still purchase the P1 and P2 versions for the additional benefits.

So let’s jump into the different Azure Active Directory licensing choices.

Free (Included in Azure Sub)

Limited to 500,000 Directory Objects

Identity management capabilities and device registration

Single Sign-On can be assigned to 10 apps per user

B2B collaboration capabilities (allows you to assign guest users that exist outside of your business)

Self-service password change (cloud users)

Connect (syncs on-premise AD to Azure AD)

Basic security reports

Basic ($1 per user per month)

Unlimited Directory Objects

Identity management capabilities and device registration

Single Sign-On can be assigned to 10 apps per user

B2B collaboration capabilities (allows you to assign guest users that exist outside of your business)

Self-service password change (cloud users)

Connect (syncs on-premise AD to Azure AD)

Basic security reports

Group-based access management and provisioning

Self-service password reset (cloud users)

Ability to brand logon pages

Service Level Agreement

Premium P1 ($6 per user per month)

Unlimited Directory Objects

Identity management capabilities and device registration

Single Sign-On can be assigned to unlimited apps per user

B2B collaboration capabilities (allows you to assign guest users that exist outside of your business)

Self-service password change (cloud users)

Connect (syncs on-premise AD to Azure AD)

Advanced reports

Group-based access management and provisioning

Self-service password reset (cloud users)

Ability to brand logon pages

Service Level Agreement

Application proxy

Dynamic groups, group creation, group naming policy, usage guidelines, etc.

On-premise writeback for Self-service reset, change, and unlock

Two-way sync between on-premises AD and Azure AD

Multi-factor authentication

Microsoft Identity Manager user CAL

Cloud App Discovery

Connect Health

Conditional Access based on health/location.

Automatic password rollover (for group accounts)

Ability to grant conditional access based on location, device state, and group

Integrations with 3rd party identity governance partners

Terms of Use (ToU)

SharePoint limited access

OneDrive for Business (limited access)

Preview integration for 3rd party MFA partners

Cloud App Security Integration

Premium P2 ($9 per user per month)

Everything offered in P1

Identity Protection

Privileged Identity Management

Access reviews

Office 365 (Included In Office 365 Subs)

Everything included in the Free Tier

Unlimited Directory Objects

Multi-factor authentication

Free vs. Basic vs. Office 365

For those that want barebones Azure AD offerings, you’ll be looking at three tiers: free, basic, and Office 365. Let’s go over the primary differences between the three.

Free vs. Office 365

Typically, both of these Azure AD environments will be part of your existing license. So, if you only have an Azure license, you’ll use the free version. Also, if you only have an Office 365 license, you’ll use the Office 365 version.

The Office 365 version has two advantages over the free version — multi-factor authentication and unlimited directory objects.

Of course, having more than one layer of authentication is critical in today’s business environment, so this is not a small feature by any means. Unlimited objects becomes a necessity for most businesses at a certain point, especially if you have over 20 employees OR you’re using lots of cloud apps. Typically, you won’t be selecting between these two. You’ll either have an Office 365 license or you won’t.

Office 365 vs. Basic

There are two differences between Basic and Office 365 versions.

Basic gives you access to Application Proxy. App Proxy lets you bridge your on-premises and cloud AD together through a single portal or external URL. Office 365 gives you multi-factor authentication.

Otherwise, they share the same features.

P1 vs P2

For those that are looking to upgrade into the P1 or P2 space for additional features, Azure AD resources become abundant. These two tiers start to offer some critical components that aren’t available in the other three versions — which are all extremely helpful for security, compliance, and identity management.

What do P1 and P2 Share in Common?

Both of these options:

Provide unlimited directory objects

Give you identity management capabilities

Provide single sign-on for an unlimited number of apps and unlimited users for those apps

Have B2B collab capabilities — which lets you grant access to guest users for collaborative abilities

Give self-service password change capabilities to users

Have Connect — which syncs Windows Server AD (or another on-premises AD) with Azure AD

Have advanced reports (see how apps are being utilized by users, see where risks exist, and troubleshooting capabilities)

Give you branding capabilities for portals/login pages

Have multi-factor authentication

Have app proxy

Include Group-based access management and provisioning

Have a Microsoft Identity Manager user CAL

Come with a Service Level Agreement

Have Cloud App Discovery

Have Connect Health

Give you conditional access based on user location/devices

Have automatic password rollover

Give you the ability to integrate 3rd party identity governance partners and MFA partners

Have Terms of Use

Provide SharePoint limited access

Give you limited access to OneDrive for Business

Have Cloud App Security integration

What’s the Difference Between P1 and P2

There are three core differences between P1 and P2. Firstly, P2 has Identity Protection, which lets you manage conditional access to apps. Secondly, P2 gives you Privileged Identity Management (PIM), which gives you additional management controls over privileged accounts. Finally, you get Access Reviews.

All of these features are typically reserved for enterprises, and small businesses probably won’t require any of these features.
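Because Conditional Access, PIM, and Identity Protection only apply to users who actually hold a P1 or P2 entitlement, it is worth checking which tier each account has before relying on those controls. The following PowerShell script is an added example, not code from the original post or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed and that the service plan names AAD_PREMIUM (P1) and AAD_PREMIUM_P2 (P2) are what appear in each user's license details.

```powershell
# Added example: inventory which Azure AD tier (Free/Office 365, P1, or P2)
# each user holds, based on the service plans provisioned to that user.
# Assumes the Microsoft.Graph PowerShell SDK and read-only Graph scopes.
Connect-MgGraph -Scopes "User.Read.All", "Organization.Read.All"

function Get-AzureAdTier {
    param([string]$UserId)
    # Service plan names assumed for the Azure AD Premium entitlements
    $planNames = (Get-MgUserLicenseDetail -UserId $UserId).ServicePlans |
        Where-Object { $_.ProvisioningStatus -eq 'Success' } |
        Select-Object -ExpandProperty ServicePlanName
    if ($planNames -contains 'AAD_PREMIUM_P2') { return 'P2' }
    if ($planNames -contains 'AAD_PREMIUM')    { return 'P1' }
    return 'Free/Office 365'
}

$report = foreach ($u in Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled) {
    [pscustomobject]@{
        User        = $u.UserPrincipalName
        Enabled     = $u.AccountEnabled
        AzureAdTier = Get-AzureAdTier -UserId $u.Id
    }
}

# Summary of how many users sit in each tier
$report | Group-Object AzureAdTier | Select-Object Name, Count

# Enabled accounts with no Premium tier: Conditional Access, PIM and
# Identity Protection will not cover these users.
$report | Where-Object { $_.Enabled -and $_.AzureAdTier -notin @('P1', 'P2') } |
    Sort-Object User | Format-Table -AutoSize
```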

Azure AD Q&A

Is Azure AD available for governments?

Yes! Both Azure Government and GCC High come with Azure AD.

Is Azure AD available for educational institutions?

Yes! Azure AD Free is bundled into education licensing for Office 365.

Are there any unique Azure AD features available for those with a Windows 10 License?

Yes! Azure AD can be used with Windows 10 licenses. Also, it offers unique features like the ability to join a device to Azure AD, Windows Hello for Azure AD, and administrator BitLocker recovery.

*P1 and P2 also have MDM self-enrollment, Azure AD join, and Enterprise State Roaming.

Final Thoughts

Every business has unique needs when it comes to Active Directory. These are the four core Azure Active Directory licensing options that Microsoft offers to cater to companies of all shapes and sizes.

Agile IT is a 4x Microsoft Partner of the year. Also, we hold 16 Gold Competencies across Microsoft services. We can help you set up your Active Directory services with Microsoft, and we can help you find the license that’s right for your hyper-specific business needs — whether you’re a small business, enterprise, government agency, or educational institution. So contact us today for a free quote!