Microsoft Entra ID for MSPs: What You're Actually Licensing
If you still call it Azure AD, nobody in the room will be confused.
Microsoft renamed Azure Active Directory to Microsoft Entra ID in 2023. The old name disappeared from the product shelf, but the MSP problem stayed the same: clients buy Microsoft 365 plans, admins configure identity controls, and the license tier quietly decides what actually works.
Business Standard does not include the Entra ID P1 rights needed for Conditional Access. Business Premium already includes P1, so a separate P1 add-on may be waste. Risk-based Conditional Access points at P2.
Quick answer: Microsoft Entra ID is the new name for Azure AD. Conditional Access needs Entra ID P1. Risk-based Conditional Access and full ID Protection need Entra ID P2. Business Premium and Microsoft 365 E3 include P1. Microsoft 365 E5 includes P2.
The rename did not change the license rights
Microsoft says the Azure AD rename did not interrupt usage, change existing deployments, or change licensing, pricing, support, or service terms. Azure AD Free, Azure AD Premium P1, and Azure AD Premium P2 became Microsoft Entra ID Free, Microsoft Entra ID P1, and Microsoft Entra ID P2.
So no, Entra ID is not a new directory to migrate to. It is the same identity service MSPs have been managing for years. The problem is quoting identity work without checking which tier the client owns.
The Entra ID licensing tiers MSPs actually need to explain
Start with the practical version.
| Tier | What it means in an MSP tenant | MSP pricing note |
|---|---|---|
| Entra ID Free | Basic identity included with Microsoft cloud subscriptions such as Microsoft 365 and Azure. Useful for directory basics and security defaults, but limited for managed identity services. | Do not sell a Conditional Access project assuming Free is enough. |
| Entra ID P1 | The baseline for most managed identity work. Includes Conditional Access, richer MFA controls, SSPR writeback, and other premium identity capabilities. | Included with Microsoft 365 Business Premium, Microsoft 365 E3, F1, F3, and EMS E3. Standalone pricing is listed by Microsoft at $6/user/month. |
| Entra ID P2 | P1 plus advanced risk and identity protection capabilities. This is where risk-based Conditional Access and full ID Protection become part of the conversation. | Included with Microsoft 365 E5 and EMS E5. Standalone pricing is listed by Microsoft at $9/user/month. |
| Entra ID Governance | Governance features such as entitlement management, access reviews, lifecycle workflows, and privileged identity work beyond the usual SMB baseline. | Treat as separate scope. Do not hide it inside generic M365 support. |
| Entra Workload ID Premium | Premium controls for workload identities such as service principals and enterprise apps. Microsoft lists Workload ID Premium at $3/workload identity/month. | Relevant when the client has app identities, automation, and privileged service principals worth governing. |
Which Microsoft 365 plans include which Entra tier?
This is the matrix MSPs need during discovery.
| Client plan | Entra ID rights to expect | Practical MSP interpretation |
|---|---|---|
| Microsoft 365 Business Basic | Entra ID Free | Fine for basic identity. Not enough for a real Conditional Access service. |
| Microsoft 365 Business Standard | Entra ID Free | Common trap. The client has Microsoft 365, but not P1. |
| Microsoft 365 Business Premium | Entra ID P1 | The SMB sweet spot for MSP identity work. Conditional Access can be in scope. |
| Microsoft 365 E3 | Entra ID P1 | Similar identity baseline to Business Premium for this discussion, with enterprise packaging. |
| Microsoft 365 E5 | Entra ID P2 | The plan that brings advanced risk and ID Protection closer to the default. |
| EMS E3 | Entra ID P1 | Often appears in older or enterprise-leaning client stacks. |
| EMS E5 | Entra ID P2 | Usually tied to advanced security and identity protection scope. |
Two quoting mistakes show up constantly. MSPs configure Conditional Access for Business Standard clients, then discover the client only has Entra ID Free. Or they add standalone P1 to users who already have Business Premium or E3. One creates a delivery gap. The other creates a billing leak wearing a security hat.
What Entra ID Free can and cannot do
Entra ID Free is not useless. It gives the tenant basic directory capability, security defaults, and baseline authentication support. For a tiny client with simple needs, that may be enough for a while.
But Free is a bad foundation for a managed identity service if the MSP is selling policy-based access control, exception handling, reporting, and client-ready security posture.
The most important gap is Conditional Access. Microsoft describes Conditional Access policies as if-then access rules: if a user wants a resource, then they must satisfy a control such as MFA, a compliant device, an approved app, a password change, or other conditions.
Microsoft lists Entra ID P1 as the license requirement for Conditional Access. Risk-based Conditional Access needs P2 because it depends on Microsoft Entra ID Protection. So the sales rule is simple: managed Conditional Access starts at P1. Risk-based user and sign-in controls point at P2.
When to buy standalone Entra ID P1
Standalone P1 makes sense when the client is staying on a plan that does not include it, but the identity scope needs P1 features. That might be a Business Standard client that does not want Business Premium, a subset of users that needs P1-controlled access, or a mixed-plan tenant after acquisitions, role changes, or years of Microsoft admin drift.
But standalone P1 should not be the reflex. Business Premium often changes the math because it includes Entra ID P1, Intune Plan 1, Defender for Business, and other SMB security rights. If the client also needs endpoint management, security baselines, or device compliance, quoting Business Premium may be cleaner than adding identity one piece at a time.
This is where identity and endpoint work should meet. Conditional Access often depends on device state, and device state often means Intune. If you are quoting both, read our guide to Microsoft Intune pricing and scope for MSPs.
How to price Entra ID management as an MSP service
Do not sell Entra ID as a license resale line with a little admin time stapled to it.
Sell the work.
| Workstream | What is included | Pricing approach |
|---|---|---|
| Identity readiness assessment | License inventory, admin role review, MFA state, Conditional Access readiness, break-glass accounts, legacy auth exposure, and policy gaps. | Fixed fee. Small tenants can be lighter. Messy tenants need paid discovery. |
| Deployment project | Conditional Access baseline, MFA rollout, group targeting, report-only testing, named exclusions, break-glass validation, user communication, and documentation. | Fixed fee after assessment. Price by tenant complexity, not just seat count. |
| Monthly identity management | Policy reviews, exception handling, license drift checks, admin role changes, reporting, and QBR-ready findings. | Recurring line item. Name what is included and what is not. |
The boundary matters. A Conditional Access baseline is not ongoing exception handling. ID Protection review is not a monthly help desk ticket. If the client asks why identity management costs extra, use the Intune answer: the license is not the service.
How to audit clients for Entra ID under-licensing
Start with the mismatch: clients where the security expectation is higher than the license tier, or where the license tier is higher than the work being delivered.
Run this review:
- Export current Microsoft 365 licenses and assigned users.
- Identify tenants on Business Basic or Business Standard that have Conditional Access expectations.
- Identify Business Premium, E3, and E5 users with duplicate standalone Entra licenses.
- Review Conditional Access policies in report-only and enabled state.
- Check which policies depend on device compliance, user risk, sign-in risk, or workload identity controls.
- Separate user identity scope from workload identity scope.
- Turn the findings into a cleanup plan, upgrade recommendation, or managed identity service line.
Microsoft Graph can help here. The licenseDetails API returns licenses assigned directly and through licensed groups, including skuPartNumber and service plan details. That beats reconstructing identity licensing from invoice memory.
This is also where Scopable fits. Scopable's Microsoft 365 integration reads actual license assignments so the MSP can turn tenant findings into gap analysis, roadmap items, budget conversations, and quotes. Instead of manually hunting through admin centers before every QBR, you can see whether the mismatch is cleanup, upgrade, or project scope.
If you already run a quarterly license review, connect this to the M365 license audit every MSP should run. Entra ID is where a license audit becomes a security and revenue conversation, not just seat cleanup.
The practical rule
For MSPs, Entra ID licensing is not complicated because the product is mysterious. It is complicated because Microsoft 365 plans hide identity rights inside bundles, add-ons, and old tenant decisions.
Use this rule:
- Free is basic identity.
- P1 is the normal floor for managed Conditional Access.
- P2 is for risk-based identity protection.
- Governance and Workload ID Premium are separate scope, not background noise.
If the client wants identity security, audit the license first. Then quote the design, rollout, documentation, and monthly ownership like real work.
Want a cleaner way to turn Microsoft 365 license gaps into roadmap items and quotes? Join Scopable early access.
Sources
- Microsoft Learn: New name for Azure Active Directory
- Microsoft Learn: Microsoft Entra licensing
- Microsoft: Microsoft Entra plans and pricing
- Microsoft Learn: Microsoft Entra Conditional Access overview
- Microsoft Learn: Microsoft Entra ID Protection overview
- Microsoft Learn: Microsoft Entra Workload ID FAQ
- Microsoft Graph: List licenseDetails
