Entra ID, the renamed Azure AD, is the identity layer underneath every Microsoft 365 deployment. This page is the Admodum read on the Free, P1 and P2 entitlement boundaries, on the conditional-access and risk-based surface, on the Entra ID Governance overlay, and on the renewal-time disposition.
Entra ID Free is the directory-with-SSO tier. It carries up to 500,000 directory objects, basic single sign-on, basic group management, basic user-and-group provisioning and basic application-gallery integrations. It does not carry conditional access, dynamic groups or password write-back, and its MFA surface is limited to security defaults (tenant-wide MFA prompting with no per-user, per-application or per-condition policy) and legacy per-user MFA rather than policy-driven MFA.
Entra ID Premium P1 carries the working-day identity surface. Conditional access is the principal entitlement: policies that gate access to applications by user, group, device, location and client application (and by sign-in or user risk, although the risk conditions themselves need P2), enforced through grant and session controls. Dynamic groups are the second: group membership computed from directory attributes rather than manual assignment. Password write-back, self-service password reset on the directory, policy-driven MFA across the directory, Microsoft Entra Connect Health, Cloud App Discovery, the application proxy and the wider Premium-tier identity surface sit at P1. The wider M365 suite that bundles P1 sits at the Microsoft 365 plans spoke.
Entra ID Premium P2 carries the risk-and-governance surface. Identity Protection (sign-in risk detections, user risk detections, risk-based conditional access), Privileged Identity Management (just-in-time admin role activation, time-bounded role assignment, approval workflows on role activation), Access Reviews on directory roles and groups, and the wider risk-and-governance surface. The P1-to-P2 upgrade is the central seat decision: a P2 seat on a user who does not exercise the P2 differentiators is a structurally-unused seat.
Conditional access at P1 is the policy-engine entitlement. A policy is a rule of the form: when (assignment: user-or-group + target resource + conditions) then (grant-control and/or session-control). The conditions span sign-in risk and user risk (both at P2), device platform, location, client application, filter for devices and device state (compliant or hybrid-joined; compliance needs Intune); the targets are cloud applications, user actions and authentication contexts. The grant controls are block, require MFA, require authentication strength, require compliant device, require hybrid-joined device, require approved client app, require password change and require terms of use, combined with AND or OR; the session controls are sign-in frequency, persistent browser session, app-enforced restrictions and continuous access evaluation. Sign-in frequency and MFA are therefore controls, not conditions. A policy that targets all users should exclude a break-glass account group, and a new policy is normally rolled out in report-only mode before it is enabled.
The risk-based extension at P2 is the differentiator. Sign-in risk policies evaluate the risk of a single sign-in attempt against the Microsoft threat-intelligence signal (atypical travel, anonymous IP address, unfamiliar sign-in properties, malware-linked IP address, token anomalies); user risk policies evaluate the cumulative risk of a user's identity (leaked credentials, password-spray detections, a history of risky sign-ins). A sign-in risk policy grants access only with MFA or blocks the sign-in; a user risk policy requires a secure password change (MFA followed by a password reset, which also remediates the user risk) or blocks the user. Terms-of-use acceptance is a general grant control, not a risk output. Self-remediation only works for users already registered for MFA, so the registration campaign precedes the risk policies. The risk-based surface is the principal P1-to-P2 upgrade rationale.
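The policy shape described above, as an added worked example (not Admodum's or Microsoft's code): a P1 baseline MFA policy and the two P2 risk policies expressed as the JSON bodies the Microsoft Graph conditionalAccessPolicy resource accepts, plus the checks a practitioner runs over a policy inventory (the artefact the renewal-time list later on this page calls for). The field and value names follow the public Graph schema; the group ID, policy names and the tenant tier passed in are constructed for the example.

```python
"""Conditional-access policy bodies in the Graph conditionalAccessPolicy shape,
plus the inventory checks a practitioner runs over them.

Added example; not Admodum's or Microsoft's code.  The JSON shape follows the
public Graph schema; the group ID, policy names and the licensed tier passed
to inventory_findings are constructed for the example.
"""
import json

BREAK_GLASS_GROUP = "00000000-0000-4000-8000-000000000001"  # constructed group ID

# A policy that keys on either of these conditions needs P2 for the users in scope.
RISK_CONDITIONS = ("signInRiskLevels", "userRiskLevels")


def baseline_mfa_policy(exclude_group=BREAK_GLASS_GROUP):
    """P1 policy: all users, all cloud apps -> require MFA, first in report-only mode."""
    return {
        "displayName": "CA001 - Require MFA for all users",
        "state": "enabledForReportingButNotEnforced",  # flip to "enabled" after review
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [exclude_group]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {
            "signInFrequency": {"value": 1, "type": "hours", "isEnabled": True}
        },
    }


def sign_in_risk_policy(exclude_group=BREAK_GLASS_GROUP):
    """P2 policy: medium or high sign-in risk -> require MFA (self-remediation)."""
    return {
        "displayName": "CA010 - Sign-in risk medium or high requires MFA",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [exclude_group]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": ["medium", "high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def user_risk_policy(exclude_group=BREAK_GLASS_GROUP):
    """P2 policy: high user risk -> MFA AND password change.  The passwordChange
    control is only valid ANDed with mfa; that pairing is the secure reset."""
    return {
        "displayName": "CA011 - High user risk requires secure password change",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [exclude_group]},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": ["high"],
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
    }


def required_tier(policy):
    """'P2' when the policy keys on sign-in or user risk, otherwise 'P1'."""
    conditions = policy.get("conditions", {})
    return "P2" if any(conditions.get(k) for k in RISK_CONDITIONS) else "P1"


def inventory_findings(policies, licensed_tier):
    """Three inventory checks: a risk policy on a P1 tenant never evaluates the
    risk it keys on, an all-users policy with no exclusion can lock the admins
    out, and a report-only policy is still protecting nothing."""
    findings = []
    for policy in policies:
        name = policy["displayName"]
        if required_tier(policy) == "P2" and licensed_tier == "P1":
            findings.append(f"{name}: keys on risk but the tenant holds only P1")
        users = policy["conditions"].get("users", {})
        if users.get("includeUsers") == ["All"] and not (
            users.get("excludeGroups") or users.get("excludeUsers")
        ):
            findings.append(f"{name}: targets all users with no break-glass exclusion")
        if policy["state"] == "enabledForReportingButNotEnforced":
            findings.append(f"{name}: still report-only, not enforcing")
    return findings


if __name__ == "__main__":
    stack = [baseline_mfa_policy(), sign_in_risk_policy(), user_risk_policy()]
    for policy in stack:
        print(required_tier(policy), policy["displayName"])
    print("\n".join(inventory_findings(stack, licensed_tier="P1")))
    print(json.dumps(sign_in_risk_policy(), indent=2))
```

The required_tier check is the licensing-side view of the same policy stack: a risk condition on a policy is only worth anything for users who hold P2, so the policy inventory and the per-user tier inventory have to be read together.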
The seat-assignment hygiene problem is the typical renewal-time issue. A buyer with P2 across the E5 estate often finds, in an exercise-rate reading, that more than half the P2 seats do not exercise PIM, do not exercise access reviews and do not exercise risk-based conditional access. The buyer-side artefact is the seat-by-feature exercise rate; the wider seat-assignment framework sits at the seat assignment hygiene spoke.
Privileged Identity Management is the second P2 entitlement. PIM brings privileged roles (Global Administrator, Privileged Role Administrator, Security Administrator, Conditional Access Administrator) under just-in-time activation: the user holds an eligible role assignment but not the active privilege; activation is time-bounded and may require approval, justification and MFA. A permanent active assignment to the same role sits outside the activation flow altogether, so the PIM posture is measured by how few standing active assignments remain on the high-privilege roles, not by the product being licensed.
The activation surface extends to Azure resource roles (subscription owner, contributor, reader, custom role) on the PIM-for-Azure-resources surface and to membership and ownership of security and Microsoft 365 groups on the PIM-for-groups surface; the service admin roles (Exchange Administrator, SharePoint Administrator, Teams Administrator) are Entra directory roles and sit on the same PIM-for-Entra-roles surface as Global Administrator. The audit-trail entitlement is the principal compliance differentiator: every activation request is logged with the activator, the timestamp, the role, the justification and, where approval is required, the approver and the decision.
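The activation flow and audit trail described above, as an added worked example (not Admodum's or Microsoft's code): the self-activation request body in the shape of the Graph unifiedRoleAssignmentScheduleRequest resource, the audit rows (activator, timestamp, role, justification, approver) flattened out of a constructed activation history, and the standing-assignment check. The request, schedule and status field names follow the public Graph resources; the role template IDs are the built-in directory role IDs as the author recalls them and should be verified against roleManagement/directory/roleDefinitions in the tenant; the principals, timestamps, approvals and the four-hour activation cap are constructed for the example.

```python
"""PIM just-in-time activation: the self-activation request body, the audit
rows the page lists, and the check for standing active assignments.

Added example; not Admodum's or Microsoft's code.  Field names follow the Graph
roleAssignmentScheduleRequest / roleAssignmentSchedule resources; role template
IDs are as the author recalls them (verify in-tenant); users, requests,
approvals and the activation cap are constructed.
"""
from datetime import datetime, timedelta, timezone

ROLE_NAMES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
    "194ae4cb-b126-40b2-bd5b-6091b380977d": "Security Administrator",
    "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9": "Conditional Access Administrator",
}
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
SEC_ADMIN = "194ae4cb-b126-40b2-bd5b-6091b380977d"
MAX_ACTIVATION = timedelta(hours=4)  # assumed; in a tenant this is a role policy rule

USERS = {  # constructed principal object ID -> UPN
    "p-alice": "alice.admin@contoso.example",
    "p-bob": "bob.sec@contoso.example",
    "p-svc": "svc-legacy@contoso.example",
}
REQUESTS = [  # constructed history, shape of GET .../roleAssignmentScheduleRequests
    {"action": "selfActivate", "principalId": "p-alice", "roleDefinitionId": GLOBAL_ADMIN,
     "justification": "INC-4711: tenant-wide sign-in outage",
     "createdDateTime": "2025-03-03T08:12:00Z", "status": "Provisioned", "approvalId": "appr-1"},
    {"action": "selfActivate", "principalId": "p-bob", "roleDefinitionId": SEC_ADMIN,
     "justification": "CR-88: tune Defender alert policy",
     "createdDateTime": "2025-03-04T09:00:00Z", "status": "Provisioned", "approvalId": None},
    {"action": "adminAssign", "principalId": "p-svc", "roleDefinitionId": GLOBAL_ADMIN,
     "justification": "legacy", "createdDateTime": "2024-01-01T00:00:00Z",
     "status": "Provisioned", "approvalId": None},
]
APPROVALS = {"appr-1": "cso@contoso.example"}  # constructed: approvalId -> approver
SCHEDULES = [  # constructed current assignments, shape of GET .../roleAssignmentSchedules
    {"principalId": "p-svc", "roleDefinitionId": GLOBAL_ADMIN, "assignmentType": "Assigned",
     "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
    {"principalId": "p-alice", "roleDefinitionId": GLOBAL_ADMIN, "assignmentType": "Activated",
     "scheduleInfo": {"expiration": {"type": "afterDateTime",
                                     "endDateTime": "2025-03-03T12:12:00Z"}}},
]


def self_activation_request(principal_id, role_definition_id, justification, hours, start=None):
    """Body for POST /roleManagement/directory/roleAssignmentScheduleRequests, with
    client-side checks mirroring the role settings: a justification and a time bound."""
    if not justification.strip():
        raise ValueError("PIM activation requires a justification")
    if timedelta(hours=hours) > MAX_ACTIVATION:
        raise ValueError(f"{hours}h exceeds the role's maximum activation of {MAX_ACTIVATION}")
    start = start or datetime.now(timezone.utc)
    return {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",  # tenant-wide; an administrative-unit scope narrows this
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "expiration": {"type": "afterDuration", "duration": f"PT{hours}H"},
        },
    }


def activation_audit(requests, users, approvals):
    """Flatten activation requests into the audit rows the page lists."""
    rows = []
    for r in requests:
        if r["action"] != "selfActivate":
            continue  # adminAssign/adminUpdate change assignments; they are not activations
        rows.append({
            "activator": users.get(r["principalId"], r["principalId"]),
            "timestamp": r["createdDateTime"],
            "role": ROLE_NAMES.get(r["roleDefinitionId"], r["roleDefinitionId"]),
            "justification": r["justification"],
            "status": r["status"],  # Provisioned, PendingApproval, Denied, Revoked, ...
            "approver": approvals.get(r["approvalId"]),  # None when no approval was required
        })
    return rows


def standing_assignments(schedules, users=USERS):
    """Active, never-expiring assignments on PIM-managed roles: privilege held
    permanently, outside just-in-time activation and its approval trail."""
    return [
        f"{users.get(s['principalId'], s['principalId'])}:{ROLE_NAMES[s['roleDefinitionId']]}"
        for s in schedules
        if s["assignmentType"] == "Assigned"
        and s["scheduleInfo"]["expiration"]["type"] == "noExpiration"
        and s["roleDefinitionId"] in ROLE_NAMES
    ]


if __name__ == "__main__":
    print(self_activation_request("p-alice", GLOBAL_ADMIN, "INC-4711", 2))
    for row in activation_audit(REQUESTS, USERS, APPROVALS):
        print(row)
    print("standing:", standing_assignments(SCHEDULES))
```

The standing_assignments output is the number a renewal-time reader should put beside the P2 seat count: a tenant can license PIM on every seat and still run Global Administrator as a permanent active assignment, which is exactly the posture PIM exists to remove.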
Access reviews at P2 are the periodic-attestation entitlement. A review is a recurring (one-off, weekly, monthly, quarterly, semi-annually, annually) attestation that the assigned membership of a group, the assigned membership of a role, or the assigned access to a package is still appropriate. The reviewer is the user (self-attest), the manager (manager-attest), a selected approver, or a multi-approver chain. The wider governance overlay sits in the next section.
Entra ID Governance is the separate add-on above P1 and P2 (either is the prerequisite licence). It is licensed per user per month. P2 already carries baseline entitlement management and access reviews; the Governance add-on extends them and adds lifecycle workflows (joiner-mover-leaver automation), connected-organisation collaboration and the wider governance-and-compliance surface.
Entitlement management is the access-package entitlement: a bundle of group memberships, application assignments and SharePoint-site memberships, assignable to internal users and to external partners with policy controls (approval, expiration, access review). Lifecycle workflows are the joiner-mover-leaver automation: scheduled actions on hire date, on role change, on leave date, including provisioning, group membership, manager notification and the wider lifecycle surface.
The licensing posture is per user per month, separately from P2. The buyer-side decision is which user population carries the governance overlay: a small admin and partner-facing population usually meets the governance requirement at a fraction of the cost of a full-estate Governance assignment. The renewal-time read is the governance-population exercise rate; the suite-level and Azure-side licensing context sits at the M365 plans and Azure Hybrid Benefit spokes.
The renewal-time read on Entra ID is the seat-by-feature exercise rate against the assigned tier. The renewal-time arithmetic runs on four axes: the P1 seat-count (typically inside an M365 E3 suite), the P2 seat-count (typically inside an M365 E5 suite or as a standalone add-on), the Governance seat-count (typically a small admin and partner population), and the exercise rate of the differentiating entitlements against each tier.
The frequent waste pattern: an E5 buyer with P2 across the estate at a low PIM-and-access-review exercise rate is structurally over-assigned. The remediation pattern is twofold: either a step-down to E3 (with P1 carried inside the suite) on the wider population and a standalone P2 add-on on the security-admin and privileged-user population, or a step-up of the E5 estate's exercise rate by deploying PIM and access reviews against the high-privilege roles. The cost case for the first remediation usually carries an outsized renewal-time saving.
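The seat-by-feature exercise rate that the renewal-time read and the step-down remediation above rest on, as an added worked example in Python that is not Admodum's own tooling. It joins a constructed per-user tier inventory against three constructed evidence sets (PIM activation requests, access-review decisions, sign-in log entries) and reports the P2 seats that exercised none of the three differentiators; it also runs the inverse check the page does not spell out, P1 seats that exercised a P2 feature without the licence. The riskLevelDuringSignIn and appliedConditionalAccessPolicies names are the Graph signIn field names; every user, record and policy name is constructed, and no price is assumed.

```python
"""Seat-by-feature exercise rate for P2: which P2 seats exercised PIM, access
reviews or risk-based conditional access in the window, which sit unused, and
which non-P2 seats exercised P2 features.

Added example; not Admodum's code.  The sign-in field names are Graph signIn
names; every user, record and policy name below is constructed.
"""
from collections import Counter

RISK_LEVELS = {"low", "medium", "high"}
RISK_POLICIES = {  # the policies in the stack that key on risk (assumed names)
    "CA010 - Sign-in risk medium or high requires MFA",
    "CA011 - High user risk requires secure password change",
}

INVENTORY = [  # constructed per-user tier inventory
    {"upn": "alice@contoso.example", "tier": "P2"},
    {"upn": "bob@contoso.example", "tier": "P2"},
    {"upn": "carol@contoso.example", "tier": "P2"},
    {"upn": "dave@contoso.example", "tier": "P2"},
    {"upn": "erin@contoso.example", "tier": "P2"},
    {"upn": "frank@contoso.example", "tier": "P1"},
]
PIM_REQUESTS = [  # constructed; principalId already resolved to a UPN
    {"principalUpn": "alice@contoso.example", "action": "selfActivate"},
    {"principalUpn": "frank@contoso.example", "action": "selfActivate"},
]
REVIEW_DECISIONS = [  # constructed access-review decision items
    {"reviewedBy": "bob@contoso.example", "principalUpn": "carol@contoso.example",
     "decision": "Approve"},
]
SIGNINS = [  # constructed sign-in log entries
    {"userPrincipalName": "carol@contoso.example", "riskLevelDuringSignIn": "medium",
     "appliedConditionalAccessPolicies": [
         {"displayName": "CA010 - Sign-in risk medium or high requires MFA", "result": "success"}]},
    {"userPrincipalName": "dave@contoso.example", "riskLevelDuringSignIn": "high",
     "appliedConditionalAccessPolicies": [  # policy did not apply: dave sits in an exclusion
         {"displayName": "CA010 - Sign-in risk medium or high requires MFA", "result": "notApplied"}]},
    {"userPrincipalName": "erin@contoso.example", "riskLevelDuringSignIn": "none",
     "appliedConditionalAccessPolicies": [
         {"displayName": "CA001 - Require MFA for all users", "result": "success"}]},
]


def exercised_features(upn, pim_requests, review_decisions, signins, risk_policies):
    """The P2 differentiators this seat touched in the measurement window."""
    features = set()
    if any(r["principalUpn"] == upn and r["action"] == "selfActivate" for r in pim_requests):
        features.add("pim")
    if any(upn in (d["reviewedBy"], d["principalUpn"]) for d in review_decisions):
        features.add("access_reviews")
    for s in signins:
        if s["userPrincipalName"] != upn or s["riskLevelDuringSignIn"] not in RISK_LEVELS:
            continue
        # Count only a risk policy that was actually evaluated against a risky sign-in;
        # notApplied / reportOnly results mean the P2 control never did any work.
        if any(p["displayName"] in risk_policies and p["result"] in ("success", "failure")
               for p in s["appliedConditionalAccessPolicies"]):
            features.add("risk_ca")
    return features


def exercise_report(inventory, pim_requests, review_decisions, signins,
                    risk_policies=RISK_POLICIES):
    """Per-tier exercise rate plus the two lists the renewal read needs:
    unused P2 seats and non-P2 seats that exercised a P2 feature."""
    seats = sorted(u["upn"] for u in inventory if u["tier"] == "P2")
    by_feature, unused, under_licensed = Counter(), [], []
    for upn in seats:
        feats = exercised_features(upn, pim_requests, review_decisions, signins, risk_policies)
        by_feature.update(feats)
        if not feats:
            unused.append(upn)
    for u in inventory:
        if u["tier"] != "P2" and exercised_features(
                u["upn"], pim_requests, review_decisions, signins, risk_policies):
            under_licensed.append(u["upn"])
    return {
        "p2_seats": len(seats),
        "by_feature": dict(by_feature),
        "unused": unused,
        "exercise_rate": (len(seats) - len(unused)) / len(seats) if seats else 0.0,
        "under_licensed": under_licensed,
    }


if __name__ == "__main__":
    for key, value in exercise_report(INVENTORY, PIM_REQUESTS, REVIEW_DECISIONS, SIGNINS).items():
        print(f"{key}: {value}")
```

Two readings come out of the constructed data. The unused list (dave, erin) is the step-down candidate population; dave's case is also a security finding in its own right, since a high-risk sign-in reached a user the risk policy did not apply to. The under-licensed list (frank) is the opposite problem and the one an audit reading picks up: a P1 seat activating a PIM role is exercising a P2 entitlement.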
The wider M365 suite economics sit at the M365 plans spoke; the wider audit posture sits at the SAM audit anatomy spoke; the seat-assignment framework sits at the seat assignment hygiene spoke; the renewal cycle sits at the EA renewal cycle spoke. The wider editorial sits at the Microsoft pillar.
The buyer-side artefacts to hold against the Entra ID estate are: the per-user tier inventory (Free, P1, P2, Governance), the exercise-rate measurement against each tier's differentiating entitlements, the seat-assignment-hygiene report (the seats assigned that do not exercise the tier), the conditional-access policy inventory (the policies in place, the policies missing) and the renewal-time disposition.
The renewal-time conversation is then a negotiation against artefacts. The publisher's renewal proposal carries the Entra ID position across the M365 suite and standalone add-ons; the buyer's decision is per population, against the exercise-rate artefact; the P2 step-downs, the standalone P2 add-on against the privileged population, and the Governance footprint are taken on shared arithmetic.
The wider engagement sits in the Microsoft practice; the aggregated reading list sits in the Microsoft knowledge hub; active renewal moments route to the Renewal Programme; active audit moments route to Audit Defence. The wider EA framework sits at the Enterprise Agreement overview; the LSP-versus-direct decision against which the Entra ID order is placed sits at the LSP versus direct spoke.
The suite under which the P1 and P2 tiers most often sit, with the seat economics that drive the tier decision.
The exercise-rate framework that turns assigned-seat counts into a renewal-time disposition.
The maintenance overlay against which the Entra ID add-ons are co-termed at renewal.
A senior Admodum Microsoft advisor will read your per-user tier inventory, your conditional-access policy stack, your PIM and access-review exercise rate and your Governance footprint against your renewal posture on a private call. Active renewal moments route to the Renewal Programme.