January 21, 2022

Azure AD Premium: Features and License Structure

Mike Puterbaugh

What is Azure AD Premium?

Microsoft Azure Active Directory (AD) is a cloud-based identity service that builds on the popular on-premises Active Directory product. Azure AD provides the same security features as traditional Active Directory, and it can be used on its own to manage access to cloud resources or in tandem with on-premises AD to provide a hybrid domain service.

The free version of Azure AD comes with Microsoft SaaS offerings such as Office 365 at no additional cost. However, Azure AD offers two paid, premium licenses called Azure AD Premium P1 and Azure AD Premium P2, which provide additional security features. These features include identity management, multi-factor authentication, privileged access management (PAM), and other advanced features that can help you implement zero-trust access in your organization.

In this article:

  • Security Features in Azure AD
  • What are Azure AD Licenses?
  • How Is the Azure AD Premium Tier Priced?
  • Azure AD Premium Key Features
  • Azure AD Premium P1 vs P2
  • Azure AD Premium with PathLock

Security Features in Azure AD Premium

One of the main reasons to upgrade to Azure AD Premium is its advanced security features. These include:

  • Connecting users to SaaS products via single sign-on (SSO)—This feature lets each user access applications without having to log in to every one of them separately.
  • Creating access tokens for devices—Azure AD stores access tokens locally on employee devices. You can assign expiration dates to these tokens.
  • Multi-factor authentication (MFA)—Azure AD lets you set up MFA for important business resources.
  • Security Defaults in Azure AD—enable this feature to block legacy authentication protocols and to require MFA for users, admins, and important resources.

What are Azure AD Licenses?

When you use any Microsoft Online service, including Microsoft 365 and the Azure cloud, you automatically receive the free version of Azure AD. You can upgrade to a paid license to receive additional features. Here is the Azure AD license structure:

  • Azure AD Free—provides user management, group management, synchronization with on-premises AD, self-service password changes for cloud users only, and single sign-on (SSO) for Microsoft products and over 1200 other cloud services.
  • Azure AD Premium P1—provides all Free features, plus additional features including hybrid implementation (on-premises users can access cloud resources and vice versa), self-service group management, dynamic groups, Microsoft Identity Manager, and self-service password reset for all users.
  • Azure AD Premium P2—provides all P1 features, plus additional features including Azure AD Identity Protection, Privileged Identity Management (PIM), advanced monitoring and reporting, access reviews, and entitlement management.

How Is the Azure AD Premium Tier Priced?

  • Azure AD Premium P1 costs $6 / user / month, and is included in the Office 365 or Microsoft 365 E3 license
  • Azure AD Premium P2 costs $9 / user / month, and is included in the Office 365 or Microsoft 365 E5 license

Azure AD Premium Key Features

Here are some of the primary features provided by the Azure AD Premium tier:

  • SLA of 99.9%—Microsoft guarantees 99.9% availability of Azure AD when using the Premium tier.
  • Forefront Identity Manager (FIM)—lets you run a FIM server in your on-premises data center to sync local user directories with Azure AD. Where a Client Access License (CAL) is required, the CALs are provided based on your Azure AD license.
  • Multi-factor authentication (MFA)—lets you enable MFA for cloud and on-premises users. When enabled, users are asked to register an additional verification method at their next login.
  • Advanced security reports—identify anomalies and inconsistencies in user access using machine learning, helping you spot security issues and respond to threats.
  • Group-based access—lets you define groups of users and grant access on a group basis to Microsoft products, specific product functionality, or any of the 1200 SaaS applications integrated with Azure AD.
  • Branding—lets you add your company’s logo and color scheme to the Azure AD authentication screens. You can also add localized versions of the branding for different locations.
  • Self-service password reset—enables any user, whether a remote cloud user or an on-premises user, to reset their own password without contacting the help desk.

Azure AD Premium P1 vs P2

Here are the primary features offered in the P2 license, which are not available in P1. If you need one of these features, consider upgrading to P2:

  • Identity Protection—identifies suspicious authentication attempts by assessing the risk of each sign-in. For example, this feature can detect a login to the same account from two different countries within a short time span. You can handle these attempts automatically by enforcing MFA or by using policies to block access entirely. This greatly reduces many of the risks associated with user access.
  • Privileged Identity Management (PIM)—manages privileged access accounts. This includes security features such as temporarily granting and revoking special access, with full logging and auditing for compliance purposes. You can trigger automated workflows with justifications and notifications based on special access requests. Learn more in our guide to Azure AD PIM (coming soon).
  • Access reviews—ensures that only the right people use certain resources. This is useful when employees onboard and leave, or when employees change roles. This feature can check existing users to determine if they have appropriate access to resources, and this information can be passed to application owners. You can perform regular inspections to meet internal security policies or compliance rules.
  • Entitlement management—enables automated credential governance, helping to manage credential lifecycle, access lifecycle, and privileged access processes. It provides controls that specify how internal and external users can grant access to organizational resources. This feature uses the concept of access packages, which bundle various resources related to the same job function. This makes it possible to grant access to an entire access package with one request process.
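To make the Identity Protection example above concrete, here is an added illustration (not code from the article or from Microsoft) that runs the "same account, different country, short time span" rule over constructed sign-in records and maps the resulting risk level to the two responses the text mentions, forcing MFA or blocking. The windows, the risk levels and the sample data are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real Azure AD sign-in log data).
# Fields: (user principal name, UTC timestamp, sign-in country)
SAMPLE_SIGNINS = [
    ("alice@example.com", "2022-01-21T08:00:00", "US"),
    ("alice@example.com", "2022-01-21T08:40:00", "DE"),  # 40 min later, different country
    ("bob@example.com",   "2022-01-21T09:00:00", "US"),
    ("bob@example.com",   "2022-01-21T13:00:00", "CA"),  # 4 h later, different country
    ("carol@example.com", "2022-01-21T10:00:00", "FR"),
    ("carol@example.com", "2022-01-21T10:05:00", "FR"),  # same country: not risky
    ("dave@example.com",  "2022-01-21T10:00:00", "US"),
    ("dave@example.com",  "2022-01-21T20:00:00", "GB"),  # 10 h later: outside both windows
]

# Hypothetical thresholds chosen for this example; tune them to real travel patterns.
HIGH_RISK_WINDOW = timedelta(hours=1)    # a country change this fast is implausible
MEDIUM_RISK_WINDOW = timedelta(hours=6)  # possible, but worth a step-up challenge

# Policy mapping in the spirit of Identity Protection risk policies:
# medium risk -> force MFA, high risk -> block the sign-in.
POLICY = {"medium": "require_mfa", "high": "block"}

@dataclass
class RiskySignIn:
    user: str
    when: datetime
    prev_country: str
    country: str
    risk: str
    action: str

def assess(events):
    """Return sign-ins that follow a sign-in by the same user from another
    country within the risk windows, with the risk level and policy action."""
    last = {}      # user -> (timestamp, country) of the most recent sign-in seen
    flagged = []
    for user, ts, country in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        prev = last.get(user)
        if prev is not None and prev[1] != country:
            gap = when - prev[0]
            risk = ("high" if gap <= HIGH_RISK_WINDOW
                    else "medium" if gap <= MEDIUM_RISK_WINDOW else None)
            if risk:
                flagged.append(RiskySignIn(user, when, prev[1], country, risk, POLICY[risk]))
        last[user] = (when, country)
    return flagged

if __name__ == "__main__":
    for r in assess(SAMPLE_SIGNINS):
        print(f"{r.user}: {r.prev_country}->{r.country} risk={r.risk} action={r.action}")
```

With the sample data, alice's sign-in from DE 40 minutes after a US sign-in is blocked, bob's sign-in from CA four hours later only triggers an MFA prompt, and carol and dave are left alone.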

Azure AD with PathLock

Pathlock is the leader in Access Orchestration for business-critical applications. Staying compliant with Sarbanes-Oxley is a critical business requirement, and Pathlock Control helps to automate the compliance process. As a MISA member, Pathlock can bring these capabilities to users of Azure Active Directory, with a tight integration between the solutions.

Customers rely on Pathlock to streamline critical processes like fine grained provisioning, separation of duties, and detailed user access reviews. With Pathlock’s out-of-the-box integration to Azure Active Directory, customers can enjoy the best of both worlds, including:

  • Coverage for 140+ applications and counting, with support for key applications like SAP, Oracle, Workday, Dynamics365, Salesforce, and more
  • Compliant provisioning at the transaction code or function level into both cloud and on-premises applications
  • Separation of Duties (SOD) rules, defined both within an application and across applications, and enforced to prevent access risks and stay compliant
  • User Access Reviews (UARs) enriched with fine-grained entitlement details and usage data about transactions performed with specific access combinations

Interested to learn more about the winning combination of Pathlock and Azure Active Directory? Request a demo today to see the solution in action!
