Understanding Azure Active Directory Licensing (Free, Basic, P1, P2)

    Please see our updated Guide to Azure Active Directory Licensing

    The following blog is out of date with the retirement of AAD Basic in 2019. You can see all the features available in AAD in our new guide to AAD Licensing Free, Office 365, P1, and P2.

    Microsoft licensing, especially Azure Active Directory licensing, can be confusing for some businesses. As Microsoft continues to add various license options to establish themselves across industry verticals (e.g., F1 for first-line workers, GCC for governments, etc.), trying to figure out which licensing fits your specific business IT makeup is tricky.

    A core component of the modern IT infrastructure and security is identity management. You need to control which users have access to which resources across your cloud and on-site ecosystem. Also, you don’t want unprivileged accounts accessing privileged data and apps. It’s bad for business, and it’s certainly going to introduce you to compliance risk factors.

    Most businesses that utilize Microsoft at some level within their IT ecosystem should be using Azure Active Directory to help manage identity services. In fact, you may already be using Azure AD — it’s bundled with Microsoft 365 and Azure subscriptions.

    Microsoft has four Azure Active Directory editions that businesses can choose from. Today, we’re going to compare these services and talk about the value of Azure Active Directory on the corporate level, as well as its overall function within Microsoft’s scheme.

    What is Active Directory?

    Active Directory (AD) helps businesses manage users, groups, and objects within their networks. So, you can assign users to groups, and assign each of those groups access to specific network resources, apps, and devices. This ability to control access at a variety of levels gives businesses the freedom to distribute resources to specific subgroups, which is critical for both resource management as well as compliance and regulation.

    Not all Active Directory services are built the same. While Active Directory services like Windows Server Active Directory help businesses manage in-house assets and user identities throughout the corporate network, Azure Active Directory is built with cloud services in mind.

    Understanding Azure Active Directory

    Azure Active Directory (or Azure AD) enables you to manage identity (users, groups, etc.) and control access to apps, devices, and data via the cloud. That means that both identity and access are managed entirely from the cloud, and all of your cloud apps and services will utilize Azure AD. It’s important to note that Azure AD is immediately valuable for Microsoft apps, but it can be used to power the identity and access controls of your entire organization. Many organizations build a hybrid AD system using both Azure AD and another on-premise AD (typically Windows Server Active Directory).

    Azure AD vs Windows Active Directory

    Managing identity across Azure, Windows, and internet-connected apps requires Azure Active Directory. It’s best to think of Azure Active Directory as a service existing outside of the Windows Server Active Directory ecosystem. While Windows Server Active Directory provides domain services, lightweight directory services, federation services, etc. to handle identity, network policy, and servers on enterprise networks, Azure AD was built with web apps in mind.

    The value of Azure AD is immediate when we talk about cloud apps and resources. On-site Active Directory services (think Windows Server Active Directory) are suitable for handling SSO, identity, etc. within your network, but they can’t handle the complexity of identity for cloud apps. Azure AD will handle your cloud Active Directory needs while Windows Server AD will handle your on-premise Active Directory needs.

    So, they both have value, and you’ll likely use both of them to handle your user/group control and access. Azure AD is especially valuable for organizations that have already moved apps to the cloud and are dealing with multiple user/password issues due to their current Active Directory being unable to handle the migration.

    *It’s important to note that the enterprise protocols differ between Azure AD and Windows Server AD. While Windows Server AD uses Kerberos, LDAP, etc., Azure AD uses REST APIs and OAuth 2.0 tokens. This means that apps need to be built from the ground up with Azure AD in mind (which all Microsoft web apps are).

    Different Azure Active Directory Licensing

    NOTE: Azure AD licensing has changed. Please check out our 2022 Guide to Azure Active Directory Licensing

    Let’s take a look at some of the Azure Active Directory licensing options. Before we begin, it’s important to note that Azure AD is already bundled into Office 365 licenses AND Azure licenses. However, Office and Azure clients can still purchase the P1 and P2 versions for the additional benefits.

    So let’s jump into the different Azure Active Directory licensing choices.

    Free (Included in Azure Sub)

    • Limited to 500,000 Directory Objects
    • Identity management capabilities and device registration
    • Single Sign-On can be assigned to 10 apps per user
    • B2B collaboration capabilities (allows you to assign guest users that exist outside of your business)
    • Self-service password change (cloud users)
    • Connect (syncs on-premise AD to Azure AD)
    • Basic security reports

    Basic ($1 per user per month)

    • Unlimited Directory Objects
    • Identity management capabilities and device registration
    • Single Sign-On can be assigned to 10 apps per user
    • B2B collaboration capabilities (allows you to assign guest users that exist outside of your business)
    • Self-service password change (cloud users)
    • Connect (syncs on-premise AD to Azure AD)
    • Basic security reports
    • Group-based access management and provisioning
    • Self-service password reset (cloud users)
    • Ability to brand logon pages
    • Service Level Agreement

    Premium P1 ($6 per user per month)

    • Unlimited Directory Objects
    • Identity management capabilities and device registration
    • Single Sign-On can be assigned to unlimited apps per user
    • B2B collaboration capabilities (allows you to assign guest users that exist outside of your business)
    • Self-service password change (cloud users)
    • Connect (syncs on-premise AD to Azure AD)
    • Advanced reports
    • Group-based access management and provisioning
    • Self-service password reset (cloud users)
    • Ability to brand logon pages
    • Service Level Agreement
    • Application proxy
    • Dynamic groups, group creation, group naming policy, usage guidelines, etc.
    • On-premise writeback for Self-service reset, change, and unlock
    • Two-way sync between on-premise AD and Azure AD
    • Multi-factor authentication
    • Microsoft Identity Manager user CAL
    • Cloud App Discovery
    • Connect Health
    • Conditional Access based on health/location
    • Automatic password rollover (for group accounts)
    • Ability to grant conditional access based on location, device state, and group
    • Integrations with 3rd party identity governance partners
    • Terms of Use (ToU)
    • SharePoint limited access
    • OneDrive for Business (limited access)
    • Preview integration for 3rd party MFA partners
    • Cloud App Security Integration

    Premium P2 ($9 per user per month)

    • Everything offered in P1
    • Identity Protection
    • Privileged Identity Management
    • Access reviews

    Office 365 (Included In Office 365 Subs)

    • Everything included in the Free Tier
    • Unlimited Directory Objects
    • Multi-factor authentication

    Free vs. Basic vs. Office 365

    For those that want barebones Azure AD offerings, you’ll be looking at three tiers: free, basic, and Office 365. Let’s go over the primary differences between the three.

    Free vs. Office 365

    Typically, both of these Azure AD environments will be part of your existing license. So, if you only have an Azure license, you’ll use the free version. Also, if you only have an Office 365 license, you’ll use the Office 365 version.

    The Office 365 version has two advantages over the free version — multi-factor authentication and unlimited directory objects.

    Of course, having more than one layer of authentication is critical in today’s business environment, so this is not a small feature by any means. Unlimited objects becomes a necessity for most businesses at a certain point, especially if you have over 20 employees OR you’re using lots of cloud apps. Typically, you won’t be selecting between these two. You’ll either have an Office 365 license or you won’t.

    Office 365 vs. Basic

    There are two differences between the Basic and Office 365 versions.

    1. Basic gives you access to application proxy. App proxy lets you bridge your on-site and cloud AD together through a single portal or external URL.
    2. Office 365 gives you multi-factor authentication.

    Otherwise, they share the same features.

    P1 vs P2

    For those looking to upgrade to the P1 or P2 tiers for additional features, the Azure AD feature set expands considerably. These two tiers offer critical components that aren’t available in the other three versions, all of which are extremely helpful for security, compliance, and identity management.

    What do P1 and P2 Share in Common?

    Both of these options:

    • Provide unlimited directory objects
    • Give you identity management capabilities
    • Provide single sign-on for an unlimited number of apps and unlimited users for those apps
    • Have B2B collab capabilities — which lets you grant access to guest users for collaborative abilities
    • Give self-service password change capabilities to users
    • Have Connect — which syncs Windows Server AD (or other on-premise AD) and Azure AD
    • Have advanced reports (see how apps are being utilized by users, see where risks exist, and troubleshooting capabilities)
    • Give you branding capabilities for portals/login pages
    • Have multi-factor authentication
    • Have app proxy
    • Include Group-based access management and provisioning
    • Have Microsoft Identity Manager user CAL
    • Come with a Service Level Agreement
    • Have Cloud App Discovery
    • Have Connect Health
    • Give you conditional access based on user location/devices
    • Have automatic password rollover
    • Give you the ability to integrate 3rd party identity governance partners and MFA partners
    • Have Terms of Use
    • Provide SharePoint limited access
    • Give you limited access to OneDrive Business
    • Have CloudApp security integration

    What’s the Difference Between P1 and P2

    There are three core differences between P1 and P2. Firstly, P2 has Identity Protection, which lets you manage conditional access to apps (specifically, risk-based conditional access, triggered by signals like impossible travel and sign-ins from unfamiliar locations). Secondly, P2 gives you Privileged Identity Management (PIM), which provides additional management over privileged accounts. Finally, you get Access Reviews.
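    Impossible travel, named above as one of the risk signals Identity Protection evaluates, comes down to a simple check on consecutive sign-ins by the same user: if the distance between two sign-in locations divided by the time between them exceeds any plausible travel speed, the pair is suspicious. The following Python script is an added illustration of that check, not code from the original post or from Microsoft; the sign-in events and the 1000 km/h speed ceiling are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sample sign-in events, not real tenant data:
# (user, UTC timestamp, latitude, longitude of the sign-in's resolved IP).
SIGN_INS = [
    ("alice", "2024-03-01T08:00:00", 47.61, -122.33),  # Seattle
    ("alice", "2024-03-01T09:30:00", 51.51, -0.13),    # London, 90 minutes later
    ("bob",   "2024-03-01T08:00:00", 47.61, -122.33),  # Seattle
    ("bob",   "2024-03-01T20:00:00", 51.51, -0.13),    # London, 12 hours later
    ("carol", "2024-03-01T08:00:00", 47.61, -122.33),  # Seattle
    ("carol", "2024-03-01T08:05:00", 47.62, -122.30),  # same city, 5 minutes later
]

# Assumed ceiling for plausible travel speed (roughly an airliner's cruising speed).
MAX_SPEED_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points given in degrees."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, earlier_ts, later_ts, speed_kmh) for each pair of consecutive
    sign-ins by the same user whose implied travel speed exceeds max_speed_kmh."""
    by_user = {}
    for user, ts, lat, lon in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon))
    findings = []
    for user, rows in by_user.items():
        rows.sort()  # chronological order per user
        for (t1, la1, lo1), (t2, la2, lo2) in zip(rows, rows[1:]):
            dist_km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600.0
            # Distant locations at the same instant are treated as infinite speed, not a crash.
            speed = math.inf if hours == 0 and dist_km > 0 else dist_km / max(hours, 1e-9)
            if speed > max_speed_kmh:
                findings.append((user, t1.isoformat(), t2.isoformat(), speed))
    return findings


if __name__ == "__main__":
    for user, t1, t2, speed in impossible_travel(SIGN_INS):
        print(f"{user}: {t1} -> {t2} implies {speed:.0f} km/h")
```

    In real tenants the latitude/longitude would come from IP geolocation of each sign-in, so the threshold should be tuned to tolerate VPN and mobile-carrier egress points that shift a user's apparent location.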

    Azure AD Q&A

    Is Azure AD available for governments?

    Yes! Both Azure Government and GCC High come with Azure AD.

    Is Azure AD available for educational institutions?

    Yes! Azure AD Free is bundled into education licensing for Office 365.

    Are there any unique Azure AD features available for those with a Windows 10 License?

    Yes! Azure AD can be used with Windows 10 licenses. Also, it offers unique features like the ability to join a device to Azure AD, Windows Hello for Azure AD, and administrator BitLocker recovery. *P1 and P2 also have MDM self-enrollment, Azure AD join, and Enterprise State Roaming.

    Final Thoughts

    Every business has unique needs when it comes to Active Directory. These are the four core Azure Active Directory licensing options that Microsoft offers to cater to companies of all shapes and sizes.

    Agile IT is a 4x Microsoft Partner of the year. Also, we hold 16 Gold Competencies across Microsoft services. We can help you set up your Active Directory services with Microsoft, and we can help you find the license that’s right for your hyper-specific business needs — whether you’re a small business, enterprise, government agency, or educational institution. So contact us today for a free quote!
