Azure AD Premium P1 vs P2: Which One to Choose?


The Best WordPress plugins!

1. WP Reset

2. WP 301 Redirects

3. WP Force SSL

Microsoft’s Azure Active Directory (AD) is a comprehensive identity and access management service, which includes features such as single sign-on to websites and applications, directory synchronization with Microsoft Office 365 and the accompanying OneDrive for Business service. Two types of subscriptions are offered: P1 or P2. This article will break down their offerings in order to help you decide which one suits your needs best.

Azure AD Premium is a subscription service that offers features such as single sign-on, single sign-out, and advanced security. The two different subscriptions are Azure AD P1 and Azure AD P2. This article will compare the two services and help you decide which one to choose for your business.

Azure AD Premium P1 vs P2: Which One to Choose?

Microsoft 365 offers a diverse selection of licensing options. This post will surely interest you if you want to install some security features for your users in the cloud and compare Azure AD Premium P1 versus P2. Stay with us if you’re unsure about the distinctions between the Azure AD Premium P1 and P2 licenses.


Please make sure you meet the following requirements before viewing the services covered in this article.

Other Services Are Included

If you haven’t acquired the Azure AD Premium P1 and P2 licenses separately, you may already have them and be unaware of it. As mentioned below, these two licenses are bundled with other Microsoft 365 services.

Microsoft 365 Azure AD LicensesMicrosoft 365 Azure AD Licenses

The licenses Azure AD Premium P1 and Azure AD Premium P2 address enterprises’ sophisticated identity protection needs.

AAD Premium Plan 2 has all of the features of Plan 1, but it also includes additional security elements, such as:

  • Vulnerabilities and high-risk accounts are identified.
  • Management of Privy Identity (PIM)
  • Reviews of Access

If you’re considering P2 over P1, ask yourself these questions.

  • Do you want to see whether your renter has any dangerous accounts?
  • Would you want to be warned about threats like password spray assaults, unusual travel, and Leaked Credentials, among others?
  • Do the general conditional access rules meet your security requirements?
  • Would you prefer conditional access restrictions to be expanded to include the blocking of dangerous sign-ins as well?
  • Does MFA alone match your requirements for safeguarding Administrator accounts?
  • Or would you want to use ‘Privilege Identity Management’ to provide an extra degree of security?

These questions may be addressed if you have a firm grasp on what these security mechanisms can do for you and how you can use them to accomplish your objectives.

The remainder of this post will go through all of the different services that come with the P2 license.

Identifying High-Risk Accounts

If you’re willing to manually evaluate user sign-ins in Azure and take actions based on them, the Azure AD Premium P1 license is a good choice. If you want to, you can:

  • Create user account risk policies and related actions.
  • Use access controls that are conditional on hazardous sign-ins.
  • Examine the security report for Azure.

The Azure AD Premium P2 license would be appropriate for your scenario.

Let’s go through these advanced features one by one. Assuming you’re signed into the Azure portal, go to Identity Protection and look for the features listed below.


The AAD Premium P2 plan includes three different sorts of reports.

Report on Dangerous Users

This report will show you which user accounts are at risk of being hacked. Here’s an illustration:

Report on Dangerous UsersReport on Dangerous Users

An administrator may go over this report and determine what to do next. Low, medium, and high risk levels exist. The intensity of the levels is affected by several actions.

Admins have the ability to take action depending on risk criteria. You may ban the person, designate this as a false positive, or even confirm that the user account has been hijacked in the scenario below.

You may also look at the hazards and dangerous sign-ins that have been recognized.

Users at Risk DetailedUsers at Risk Detailed

Report on Dangerous Logins

Some sign-ins may be suspicious. With the Report on Dangerous Logins, you can easily spot them as shown below.

Report on Dangerous LoginsReport on Dangerous Logins

The screenshot below depicts the specifics of a user’s dangerous sign-in. This sign-in was judged high-risk and came with two dangers. The actions are the same as in the ‘risky users’ section.

s That Are DangerousSign-ins That Are Dangerous

Report on Risk Detection

The kind of danger that was found is shown in this report. It might be handy if you want to see what actions in your company are causing this sort of alert.

Report on Dangerous DetectionReport on Dangerous Detection

Policies for Identity Protection

If more advanced reports don’t tickle your fancy, perhaps a range of Policies for Identity Protection might.

Within Azure, you’ll find our different types of Policies for Identity Protection that are exclusively available in the AAD Premium P2 license.

Policy on User Risk

If you want to take some predetermined actions on those accounts classified as ‘risky,’ you must define the Policy on User Risk. This policy is enabled by default; however, you can modify it to suit your requirements.

Policy on User Risk ExamplePolicy on User Risk Example

You’ll see a policy that applies to all users in the screenshot above. When the risk level is ‘high,’ and the action is to deny access, the policy applies. There are more choices such as permitting access and demanding a password reset.

Risk Policy for Sign-in

You may use a default policy to determine what to do with users who sign in using hazardous credentials. You’ll see that the policy is applied to a group in this case. It also indicates that it will be beneficial for user accounts with a medium or higher sign-in risk level. Finally, MFA must be implemented.

Risk Policy for Sign-in ExampleRisk Policy for Sign-in Example

Policy on MFA Registration

If you’d like to require MFA registration for one or more of your accounts, you can set this requirement via the Policy on MFA Registration as shown below. You can enable MFA for all the users or a set of users with this policy.

Policy on MFA Registration ExamplePolicy on MFA Registration Example

Customized Access Control Policies

You must use a custom conditional access policy if you want to enforce granular access control, such as applying rules to certain users but not others.

You could see that some users have sign-in concerns and are flagged as dangerous owing to repeated ActiveSync profile logins. You’ll also notice that practically all of these attempts came from three nations.

When there are people rated as very dangerous and the sign-in risk is likewise high, you may construct a conditional policy to enforce MFA. Another criteria is that the policy should apply when an ActiveSync connection originates from one of the three nations.

Identity Theft Warnings

If you need to be notified about risky sign-ins regularly, another handy feature that comes with the P2 license is Identity Theft Warnings.

Alerts for Users at Risk

In tenants with AAD Premium P2 licenses, these notifications are enabled by default. By default, global administrators, security admins, and security readers get alerts. The amount of risk may be adjusted as required.

The following is the format of the email:

Email to users who are at dangerEmail to users who are at danger

Email Weekly Digest

As noted in the preceding section, this report is likewise forwarded to the same administration. New dangerous users and risky sign-ins are included in the email. It also shows which admin roles were assigned outside of privileged identity management. The PIM will be discussed in the next section.

Email Notification of Weekly DigestEmail Notification of Weekly Digest

Azure AD Management of Privy Identity (PIM)

It’s crucial to keep admin accounts safe. Azure AD PIM is a security feature that improves security.

From a security aspect, there are various reasons to consider this functionality. PIM performs the following tasks:

  • Can be used to provide resource access depending on approval.
  • Access might be time-limited, which means it will expire after a particular period of time.
  • Admins must justify why certain roles should be activated.
  • When a position is activated, MFA is required.
  • When a role is enabled using PIM, global administrators and security admins will get an email notification.

The procedure for adding a user to PIM is as follows:

  • In Azure, go to the PIM blade.
  • Then choose “Azure AD Roles.”
  • Choose “Roles.”
  • “Privileged Role Administrator” should be selected.
  • Select ‘Add Assignments,’ then choose the person you want to enable PIM for and click Next.
  • Confirm whether you want this to be a “permanent” or a “eligible” job on the following page.

PIM User AdditionPIM User Addition

PIM is a strong tool for controlling access to essential tenant resources.

Reviews of Access

If you want to ensure that onboarding and offboarding of employees also results in their admin account roles being reviewed, then Reviews of Access will certainly help you here.

Reviews of Access can be created for groups and admin roles. These reviews help us in understanding if the existing admin s still need the role in question. For instance I have created an Review of Access to check the lobal admin role.

Review of AccessReview of Access

Now from here, you can decide whether the Review of Access result is approved or denied. Also, there are post-completion settings.

Actions Following CompletionActions Following Completion

Review of Access OverviewReview of Access Overview


In many aspects, Azure AD Premium Plan 1 and Plan 2 are comparable. Password Protection, Self-service password reset, Conditional Access, and Hybrid Identities are just a few of the security features included in the AAD Premium P1 license. This license, in my opinion, should be sufficient for many enterprises.

In terms of security, however, the areas where the AAD Premium P2 license outperforms P2 are rather important. And it is for this reason that the decision here favors it.

The following are the main changes between AAD Premium P1 and P2:

AAD Premium P1 and P2 have significant variances.AAD Premium P1 and P2 have significant variances.

Although Azure AD Premium Plan 2 provides more security features than Azure AD Premium Plan 1, it does so at a higher cost. As a result, you must balance the benefits and drawbacks before selecting.

Additional Reading

To learn more about this subject, click on the following links:

The “azure ad premium p2 features” is a question that will help determine which Azure AD Premium P1 or P2 to choose. There are many features that are different between the two, and they both have their pros and cons.

Related Tags

  • azure ad premium p1 features
  • azure active directory premium p2
  • azure active directory premium p1
  • how many azure ad premium licenses do i need
  • azure ad premium p1 pricing

Table of Content