Agile IT

Agile Insider Blog

Breaking down the Azure AD licensing types can help you find the best Azure solution for your team.

Understanding Azure Active Directory Licensing (Free, Basic, P1, P2)

Please see our updated Guide to Azure Active Directory Licensing

The following blog is out of date with the retirement of AAD Basic in 2019. You can see all the features available in AAD in our new guide to AAD Licensing Free, Office 365, P1, and P2.

Microsoft licensing, especially Azure Active Directory licensing, can be confusing for some businesses. As Microsoft continues to add various license options to establish themselves across industry verticals (e.g., F1 for first-line workers, GCC for governments, etc.) So, trying to figure out which licensing fits your specific business IT makeup is tricky.

A core component of the modern IT infrastructure is identity management. You need to control which users have access to which resources across your cloud and on-site ecosystem. Also, you don’t want unprivileged accounts accessing privileged data and apps. It’s bad for business, and it’s certainly going to introduce you to compliance risk factors.

Most businesses that utilize Microsoft at some level within their IT ecosystem should be using Azure Active Directory to help manage identity services. In fact, you may already be using Azure AD — it’s bundled with Office 365 subscriptions and Azure subs.

Microsoft has four core Azure Active Directory Licenses that business can choose from. Today, we’re going to compare these services and talk about the value of Azure Active Directory on the corporate level, as well as its overall function within Microsoft’s scheme.

What is Active Directory?

Active Directory (AD) helps businesses manage users, groups, and objects within their networks. So, you can assign users to groups, and assign each of those groups access to specific network resources, apps, and devices. This ability to control access at a variety of levels gives businesses the freedom to distribute resources to specific subgroups, which is critical for both resource management as well as compliance and regulation.

Not all Active Directory services are built the same. While Active Directory services like Windows Server Active Directory help businesses manage in-house assets and user identities throughout the corporate network, Azure Active Directory is built with cloud services in mind.

Understanding Azure Active Directory

Azure Active Directory (or Azure AD) enables you to manage identity (users, groups, etc.) and control access to apps, devices, and data via the cloud. That means that both identity and access are managed entirely from the cloud, and all of your cloud apps and services will utilize Azure AD. It’s important to note that Azure AD is immediately valuable for Microsoft apps, but it can be used to power the identity and access controls of your entire organization. Many organizations build a hybrid AD system using both Azure AD and another on-premise AD (typically Windows Active Directory.)

Azure AD vs Windows Active Directory

Managing identity across Azure, Windows, and internet-connected apps requires Azure Active Directory. It’s best to think of Azure Active Directory as a service existing outside of the Windows Server Active Directory ecosystem. While Windows Server Active Directory provides domain services, lightweight directory services, federation services, etc. to handle identity, network policy, and servers on enterprise networks, Azure AD was built with web apps in mind.

The value of Azure AD is immediate when we talk about cloud apps and resources. On-site Active Directory Services (think Windows Server Active Directory) are suitable for handling SSO, identity, etc. within your network, but they can’t handle the complexity identity for cloud apps. Azure AD will handle your cloud Active Directory while Windows Server AD will handle your on-premise Active Directory needs.

So, they both have value, and you’ll likely use both of them to handle your user/group control and access. Azure AD is especially valuable for organizations that have already moved apps to the cloud and are dealing with multiple user/password issues due to their current Active Directory being unable to handle the migration.

*It’s important to note that the enterprise protocol languages differ between Azure AD and Windows Server AD. While Windows Server AD uses Kerberos, LDAP, etc., Azure AD uses Rest APIs and OAuth 2.0 tokens. This means that apps need to be built from the ground-up with Azure AD in mind (which all Microsoft web apps are.)

Different Azure Active Directory Licensing

Learn more about the different Azure Active Directory licensing options.


NOTE: Azure AAD licensing has changed. Please check out our 2022 Guide to Azure Active Directory Licensing

Let’s take a look at some of Azure Active Directory licensing options. Before we begin, it’s important to note that Azure AD is already bundled into Office 365 licenses AND Azure licenses. However, Office and Azure clients can still purchase P1 and P2 versions for the additional benefits.

So let’s jump into the different Azure Active Directory licensing choices.

Free (Included in Azure Sub)

  • Limited to 500,000 Directory Objects
  • Identity management capabilities and device registration
  • Single Sign-On can be assigned to 10 apps per user
  • B2B collaboration capabilities (allows you to assign guest users that exist outside of your business)
  • Self-service password change (cloud users)
  • Connect (syncs on-premise AD to Azure AD)
  • Basic security reports

Basic ($1 per user per month)

  • Unlimited Directory Objects
  • Identity management capabilities and device registration
  • Single Sign-On can be assigned to 10 apps per user
  • B2B collaboration capabilities (allows you to assign guest users that exist outside of your business)
  • Self-service password change (cloud users)
  • Connect (syncs on-premise AD to Azure AD)
  • Basic security reports
  • Group-based access management and provisioning
  • Self-service password reset (cloud users)
  • Ability to brand logon pages
  • Service Level Agreement

Premium P1 ($6 per user per month)

  • Unlimited Directory Objects
  • Identity management capabilities and device registration
  • Single Sign-On can be assigned to unlimited apps per user
  • B2B collaboration capabilities (allows you to assign guest users that exist outside of your business)
  • Self-service password change (cloud users)
  • Connect (syncs on-premise AD to Azure AD)
  • Advanced reports
  • Group-based access management and provisioning
  • Self-service password reset (cloud users)
  • Ability to brand logon pages
  • Service Level Agreement
  • Application proxy
  • Dynamic groups, group creation, group naming policy, usage guidelines, etc.
  • On-premise writeback for Self-service reset, change, and unlock
  • Two-way sync between on-premise and ADD
  • Multi-factor authentication
  • Microsoft Identity Manager user CAL
  • Cloud App Discovery
  • Connect Health
  • Conditional Access based on health/location.
  • Automatic password rollover (for group accounts)
  • Ability to grant conditional access based on location, device state, and group
  • Integrations with 3rd party identity governance partners
  • ToU
  • Sharepoint limited access
  • OneDrive for Business (limited access)
  • Preview integration for 3rd party MFA partners
  • Cloud App Security Integration

Premium P2 ($9 per user per month)

  • Everything offered in P1
  • Identity Protection
  • Privileged Identity Management
  • Access reviews

Office 365 (Included In Office 365 Subs)

  • Everything included in the Free Tier
  • Unlimited Directory Objects
  • Multi-factor authentication

Free vs. Basic vs. Office 365

For those that want barebones Azure AD offerings, you’ll be looking at three tiers: free, basic, and Office 365. Let’s go over the primary differences between the three.

Free vs. Office 365

Typically, both of these Azure AD environments will be part of your existing license. So, if you only have an Azure license, you’ll use the free version. Also, if you only have an Office 365 license, you’ll use the Office 365 version.

The Office 365 version has two advantages over the free version — multi-factor authentication and unlimited directory objects.

Of course, having more than one layer of authentication is critical in today’s business environment, so these are not a small feature by any means. Unlimited Objects becomes a necessity for most businesses at a certain point, especially if you have over 20 employees OR you’re using lots of cloud apps. Typically, you won’t be selecting between these two. You’ll either have an Office 365 license or you won’t.

Office 365 vs. Basic

There are two differences between Basic and Office 365 versions.

  1. Basic gives you access to application proxy. App proxy lets you bridge your on-site and cloud AD together through a single portal or external URL.
  2. Office 365 gives you multi-factor authentication.

Otherwise, they share the same features.

P1 vs P2

For those that are looking to upgrade into the P1 or P2 space for additional features, Azure AD resources become abundant. These two tiers start to offer some critical components that aren’t available in the other three versions — which are all extremely helpful for security, compliance, and identity management.

What do P1 and P2 Share in Common?

Both of these options:

  • Provide unlimited directory objects
  • Give you identity management capabilities
  • Provide single sign-on for an unlimited amount of apps and unlimited users for those apps
  • Have B2B collab capabilities — which lets you grant access to guest users for collaborative abilities
  • Give self-service password change capabilities to users
  • Have Connect — which syncs Windows Server AD (or other on-premise AD) and Azure AD
  • Have advanced reports (see how apps are being utilized by users, see where risks exist, and troubleshooting capabilities)
  • Give you branding capabilities for portals/login pages
  • Have multi-factor authentication
  • Have app proxy
  • Include Group-based access management and provisioning
  • Have Microsoft Identity Manager user CAL
  • Come with a Service Level Agreement
  • Have Cloud App Discovery
  • Have Connect Health
  • Give you conditional access based on user location/devices
  • Have automatic password rollover
  • Give you the ability to integrate 3rd party identity governance partners and MFA partners
  • Have Terms of Use
  • Provide Sharepoint Limited Access
  • Give you limited access to OneDrive Business
  • Have CloudApp security integration

What’s the Difference Between P1 and P2

There are three core differences between P1 and P2. Firstly, P2 has Identity Protection, which lets you manage conditional access to apps. Secondly, P2 gives you Privileged Identity Management (PIM). That means you with additional management over privileged accounts. Finally, you get Access Reviews.

All of these features are typically reserved for enterprises, and small businesses probably won’t require any of these features.

Azure AD Q&A

Is Azure AD available for governments?

Yes! Both Azure Government and GCC High come with Azure AD.

Is Azure AD available for educational institutions?

Yes! Azure AD Free is bundled into education licensing for Office 365.

Are there any unique Azure AD features available for those with a Windows 10 License?

Yes! Azure AD can be used with Windows 10 licenses. Also, it offers unique features like the ability to join a device to Azure AD, Windows Hello for Azure AD, and Administrator Bitlock recovery.

*P1 and P2 also have MDM self-enrollment, Azure AD join, and Enterprise State Roaming.

Final Thoughts

Every business has unique needs when it comes to Active Directories. These are the four core Azure Active Directory licensing options that Microsoft offers to cater to companies of all shapes and sizes.

Agile IT is a 4x Microsoft Partner of the year. Also, we hold 16 Gold Competencies across Microsoft services. We can help you set up your Active Directory services with Microsoft, and we can help you find the license that’s right for your hyper-specific business needs — whether you’re a small business, enterprise, government agency, or educational institution. So contact us today for a free quote!


  • Konstantin says:

    I’m still confused by the licenses “per user” addition. Does this mean all my users need this licence or only the users who need to access the edit page?
    Will buying one license for example enable the P1 plan for the whole tenant but all edits are limited to the one user who has the license assigned to?

    To be more precise, I have 15 users. 1 user with Business Essential, 14 with Exchange Online (P1) and want to use group policies and custom user roles. Will one license assigned to myself enable me to assign custom roles to all my users or only to myself?

    Either I misread it or the article doesn’t give a good enough explaination to answer my question.

    Kind regards,

  • Shaun says:

    AAD Basic licensing is no longer available.

    • Sean Spicer says:

      You are correct, Shaun. Additionally Microsoft has moved a ton of features from P2 down into P1 since we published this last year. We’ve been doing some really cool work internally on tracking license features and will be updating the blog soon.

  • Di Cortado says:

    We are in a similar situation as Konstantin, and are non-profit. We have a number of users that are local, that have Microsoft 365 E3 licenses. A second set of users with Microsoft 365 Apps for enterprise (i.e. old Office 365 ProPlus). We also have users with no licensing using an older MFA system that remote in to a specific server that we want to transition to using Azure AD MFA. We know we can use Azure multi-factor authentication with the users in the E3 licensing categories. The remote users with Microsoft 365 Apps for enterprise licensing we want to use Azure MFA to connect via RDS, same with those that have no licensing. Seems like we need to purchase p1 licenses for those users that don’t have the E3 licensing. Am I going in the correct direction?

    Thank you!
    Di C.

  • Stuart says:

    Thanks for the breakdown Sean.

    So what would happen if you had a Premium P1 AD (via O365) and then you buy a Azure subscription.
    Would Azure AD be affected / dumbed down or would you need to select which flavor to use?



  • venkata says:

    Hi Team,

    i have 3000 users , we have basic license of Azure AD, now we want to integrate 30 applications (SAML, Oauth & Open ID) if i take 4 AD P2 license can i integrate the applications and my users are able to access the applications with SSO if i enable password hash sync in ad connect or do i need to buy equal license?. Please guide me

Leave a comment

Learn More Today

Have questions or want to learn more about the services and solutions Agile IT has to offer?

Schedule a meeting with us today!

Schedule a Meeting

Connect with Agile IT