Over the past several months, Microsoft has implemented major changes to how identity security capabilities are licensed across its Microsoft 365 and Entra ID product lines. These changes have created confusion among IT leaders and security professionals who are now discovering that capabilities they believed were included in their current licensing may no longer be accessible.
This blog provides clarity on what has changed, why it matters, and what organizations should consider as they evaluate their identity security posture going forward.
Microsoft has not removed foundational security controls from Microsoft 365 Business Premium or Entra ID P1. Core capabilities including multi-factor authentication (MFA), basic Conditional Access policies, device management through Intune, and Microsoft Defender for Business remain available at these licensing tiers.
What has shifted is the licensing boundary for advanced identity protection and governance capabilities. Features that provide deeper visibility, automated threat response, and privileged access management now require Microsoft Entra ID P2 licensing or are included in the Microsoft 365 E5 suite.
Specifically, the following capabilities now require Entra ID P2 or E5 licensing:
For organizations operating on Business Premium or Entra ID P1, these capabilities are no longer available. This represents a meaningful reduction in visibility of identity threats and in automated response capability.
Contrary to popular belief, most breaches don’t begin with sophisticated zero-day exploits. They start with simple human behaviors:
In the Cost of a Data Breach Report, IBM found that malicious insiders and phishing were among the most costly attack vectors, often resulting in higher overall breach costs.
This pattern is why cybersecurity fundamentals like training, access controls, and monitoring remain essential.
The threat landscape has fundamentally shifted. Modern attacks predominantly begin with compromised identities rather than malware-based exploitation. Credential theft, MFA bypass techniques, session token hijacking, and privilege escalation are now the primary attack vectors.
Without advanced identity protection capabilities, organizations lack:
These gaps are not theoretical. They represent the difference between detecting an attack in progress and discovering a breach weeks or months after initial compromise.
Based on current threat patterns and the evolution of Microsoft's licensing model, we recommend that organizations take the following approach:
Baseline Recommendation: Entra ID P2 for All Users
For most organizations, standardizing on Microsoft Entra ID P2 provides the most cost-effective path to restoring advanced identity protection capabilities. At approximately $9.45 per user per month (annual commitment), P2 licensing enables:
This investment directly addresses the most common attack vectors and provides security teams with the visibility and automation necessary for effective defense.
For larger organizations, regulated industries, or those with complex security requirements, Microsoft 365 E5 may represent the better long-term investment. E5 includes Entra ID P2 capabilities plus comprehensive protections across:
The decision between P2 and E5 should be based on organizational risk tolerance, regulatory obligations, and the maturity of existing security controls.
Licensing advanced capabilities is a necessary but insufficient step. Security tooling requires ongoing operational support to deliver value.
Even with Entra ID P2 or E5 in place, organizations must:
For many organizations, internal IT teams lack the bandwidth or specialized expertise to manage these responsibilities effectively. This is where Managed Detection and Response (MDR) or Extended Detection and Response (XDR) services become critical.
MDR and XDR services provide:
Identity security cannot operate in isolation. Effective defense requires correlation of identity signals with endpoint, email, and cloud application telemetry—precisely what modern MDR and XDR platforms deliver.
Organizations should take the following actions:
Microsoft's licensing changes are not arbitrary. They reflect the increasing sophistication of identity-based attacks and the growing complexity of defending against them.
Organizations that continue operating on Business Premium or Entra ID P1 without advanced identity protection are accepting measurable risk. That risk may be acceptable for some organizations, but it should be a deliberate decision informed by a clear understanding of what capabilities are no longer available.
The path forward requires both appropriate licensing and operational commitment. With the right investments in technology and expertise, organizations can achieve a stronger identity security posture than was previously possible.
Understanding Microsoft's licensing landscape and determining the right security investments for your organization doesn't have to be complicated or overwhelming.
As a direct Microsoft Cloud Solution Provider (CSP) partner, iCorps is uniquely positioned to help you evaluate your current licensing, identify gaps in your security posture, and align your Microsoft investments with your actual business needs and risk profile.
We provide:
Unlike traditional resellers focused solely on license sales, our approach is grounded in decades of experience in security operations. We help you make informed decisions based on real-world threat patterns, regulatory obligations, and operational capacity, not vendor roadmaps or feature checklists.