The Azure Active Directory Premium P1 license, do we need it?

  • Post author:
  • Post category:Main
  • Post last modified:September 10, 2023
  • Reading time:7 mins read

The Azure Active Directory Premium P1 license provides additional identity management capabilities over the free tier that is included with your Microsoft 365 subscription. In this article, we are going to help you discover whether you need to invest in the Azure Active Directory Premium P1 license and why.

Overview of Azure Active Directory licensing

Azure Active Directory Free

Let us start with the basic or ‘free’ tier that is included with your Microsoft 365 subscription. If you have a Microsoft 365 subscription, your user identities within Microsoft 365 are built on top of Azure Active Directory, instantly providing you with basic license access. Before we go on if you would like to know more about the fundamentals of Azure Active Directory, check out this post here: What is Azure Active Directory?

But what does the free license give us access to? Well with the free tier you have access to do the following:

  • Create up to 500000 directory objects, including creating and managing users and groups
  • Utilise single sign-on
  • Enable self-service password reset for cloud only users
  • Enable MFA for your user accounts
  • Provide reports on security and usage within your environment (Microsoft 365 apps license is also required)
  • Customise your company branding for your Office 365 login pages (Microsoft 365 apps license is also require)
  • Enable two-way synchronisation for Azure Active Directory with Azure AD Connect. You can find more on using Azure AD Connect here
  • Join your workstation to Azure AD with single sign-on

Azure Active Directory Premium P1

Now let’s take a look at the Azure Active Directory Premium P1 license and what it has to offer your organisation. Firstly you should know how much it costs right? Well as of 2021, the price is $6 per user, per month. Or in Great British Pounds, £4.50 per user, per month. If you are reading this post and it is not 2021, check out the Microsoft pricing page to get the most accurate pricing information

What does Azure Active Directory Premium P1 give us access to?

Firstly you get access to all the features available in the free tier. As well as this you can do the following:

  • Use Conditional Access policies
  • There is no directory object limit for Azure Active Directory
  • Create a password protection policy, including banned password lists
  • Self service password reset with on-premise Active Directory write-back when you are using Azure AD Connect.
  • Group access management, such as: dynamic group memberships, group naming and expiration policies, group creation permission delegation and usage guidelines
  • Azure AD Join with automatic MDM enrolment and local admin policy customisation
  • Self-service bitLocker recovery for Azure AD joined machines
  • Advanced Security and usage reports

Why do I need an Azure Active Directory Premium P1 License?

There are many reasons why you may need an Azure Active Directory Premium P1 license. Let us start by explaining who needs to be licensed… The official Microsoft documentation states that if a user will benefit from the features contained within that license, then they must be assigned the license.

The reason for this explanation is that, if you add a single Azure Active Directory Premium P1 license to your tenant, then the premium features become accessible and useable for all users. However, if a user is benefitting from having them features enabled in the tenant, they must have a license assigned to them. Without having the required license assigned, you are in breach of the Microsoft licensing agreement.

With that being said, the easiest way to explain why you need the Azure Active Directory Premium P1 license is with some examples.

Example 1

You have a Microsoft 365 tenant with the custom domain All users are assigned M365 business-standard licenses. Their devices are joined to Azure Active Directory and run the latest version of Windows 10 Pro. Your company want to deploy a 3rd party multi-factor authentication solution that forces the use of MFA on login to all online cloud services.

In this example, you the IT team, suggest the use of conditional access to meet the requirement of having to use MFA on each login. Currently, in the example, users only have Azure Active Directory Free licenses that are included with their M365 business-standard subscription. In order to use the conditional access features in Azure AD, Azure Active Directory Premium P1 licenses are needed.

Example 2

You have a Microsoft 365 tenant with the custom domain Your company is going through a period of making a high number of acquisitions. During these company acquisitions, all new existing employees will be created in the tenant. You need to streamline the process of user creation by creating automatic assignments of permissions and licenses.

In this example, you can meet the requirement by using dynamic group memberships to automatically assign user licenses and security permissions to users, based on their group membership. An Azure Active Directory Premium P1 license should be assigned to each user affected by dynamic group membership.

Taking advantage of the Azure Active Directory Premium P1 license

It goes without saying that you should be taking advantage of your new Premium P1 licensing. Many organisations do not, and it truly baffles me… but maybe it is because they are not familiar with how this wealth of new features can be applied to their organisation.

Let’s talk about how you can start taking advantage of your investment in the Azure Active Directory Premium P1 license.

  1. Use conditional access policies! This is probably the biggest additional feature you will receive from this license. Ensure you are using conditional access policies to protect your user identities! You can enforce the use of multi-factor authentication, require devices to be Azure AD joined, block logins for specific locations and even block risky sign-in attempts.
  2. Allow users to reset their password in the cloud if you are using Azure AD Connect with an on-premise Active Directory. If you are running a hybrid environment, they may be scenarios where users are out of the office and cannot log in to their 365 account. They cannot reset their password as their account is synced with their on-premise organisation. With Azure Active Directory Premium P1 you can enable self-service password reset with on-premise directory write back.
  3. Ban common passwords! You should be creating a banned password list to ensure no common or easy to guess passwords are being used by users in your organisation. With built-in complexity checking across your password list you can ensure that the words you choose and the complex variants of such words cannot be used by your staff.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

Leave a Reply