Active Directory Plans Pricing
Microsoft Entra ID (the cloud successor to Azure AD / on-prem Active Directory) is sold per user per month, with a Free edition bundled into Microsoft cloud subscriptions plus paid P1, P2, and Suite tiers and several standalone identity products. Programmatic access via Microsoft Graph is metered through directory throttling rather than additional per-call billing; the price is the per-user Entra licence.
Plans
Included with Azure, Microsoft 365, Dynamics 365, Intune, and Power Platform subscriptions.
- Cloud user and group management
- Unlimited SSO across SaaS apps
- Multifactor authentication
- Self-service password change for cloud users
- Directory sync from on-prem AD (Entra Connect)
- Basic reporting
Premium identity tier with conditional access, advanced group management, and identity governance basics.
- Conditional access
- Self-service password reset / writeback
- Advanced group management
- Application proxy
- Microsoft Identity Manager
Adds risk-based conditional access and identity protection.
- All P1 features
- Identity Protection (risk-based conditional access)
- Privileged Identity Management
- Access reviews
Combines Entra ID P1, ID Governance, Internet Access, Private Access, and Verified ID. Requires P1 (or a bundle that includes P1).
- Entra ID Governance
- Entra Internet Access
- Entra Private Access
- Entra Verified ID
Identity governance, lifecycle workflows, entitlement management, and access reviews.
- Lifecycle workflows
- Entitlement management
- Access reviews
SSE / SWG component of Microsoft's Security Service Edge.
- Internet access security
- Web filtering
ZTNA replacement for legacy VPN / Application Proxy.
- ZTNA private access to internal apps
- Per-app conditional access
Licensed per workload identity (service principal / managed identity), with conditional access and lifecycle management.
- Conditional access for workload identities
- Identity Protection signals for workload identities
- Access reviews for service principals