Azure AD Premium P1 vs P2: Which One to Choose?

Vignesh Mudliar

Read more posts by this author.

Microsoft 365 provides a myriad range of licenses to choose from. If you are planning to deploy some protection features for your users in the cloud and do a comparison of Azure AD Premium P1 vs P2 this article will undoubtedly interest you. If you’re confused about the differences between the Azure AD Premium P1 and P2 licenses, stick around.

Prerequisites

To view all of the services discussed in this article, please ensure you have the following prerequisites met ahead of time.

Included with Other Services

If you haven’t purchased the Azure AD Premium P1 and Azure AD Premium P2 licenses specifically, you may already have them and just not know it. These two licenses are actually included with other Microsoft 365 services as shown below.

Azure AD Licenses in Microsoft 365
Azure AD Licenses in Microsoft 365

Azure AD Premium P1 and Azure AD Premium P2 are the licenses that cater to organizations’ advanced identity protection requirements.

AAD Premium Plan 2 has all the features of P1; however, it does add more security features, namely:

  • Vulnerabilities and risky accounts detection
  • Privileged Identity Management (PIM)
  • Access Reviews

Ask yourself these questions if you’re up for going with P2 over P1.

  • Do you wish to detect risky accounts in your tenant?
  • Would you like to be notified about risks such as password spray attacks, atypical travel, Leaked Credentials, etc.?
  • Are your security requirements fulfilled with the general conditional access policies?
  • Or would you like the conditional access policies to be extended to block access for risky sign-ins too?
  • Does MFA alone meet your needs as far as securing Administrator accounts is concerned?
  • Or would you like to add another layer of protection via ‘Privilege Identity Management’?

These questions can be answered once you have a fair understanding of what these security mechanisms provide and how you can utilize them to achieve your goals.

Throughout the rest of this article, you’re going to learn all of the various services you receive with the P2 license.

Detecting Risky Accounts

If you are ok to review users’ sign-ins in Azure and then take actions manually based on those, you might as well opt for the Azure AD Premium P1 license. However, if you wish to:

  • Create risk policies and associated actions for user accounts
  • Use conditional access policies based on risky sign-ins
  • Review the Azure security report

Azure AD Premium P2 would be the correct license for your environment.

Let’s run through these advanced features. Assuming you’re logged into the Azure portal, go to Identity Protection where you’ll find all of the below features.

Reporting

There are three types of reports available in the AAD Premium P2 plan.

Risky Users Report

This report will display those user accounts which may be in danger of being compromised. An example is shown here:

Risky Users Report
Risky Users Report

An admin can review this report and then decide the next course of action. Risk levels can be low, medium, and high. Different activities contribute to the severity of the levels.

Admins can take actions based on risk factors. In the example below, you can block the user, mark this as a false positive, or even confirm that the user account is compromised.

You also have the option of further reviewing the risks detected and the risky sign-ins.

Risky Users Detailed
Risky Users Detailed

Risky Sign-ins Report

Some sign-ins may be suspicious. With the Risky sign-ins report, you can easily spot them as shown below.

Risky Sign-ins Report
Risky Sign-ins Report

The following screenshot shows the details of a user’s risky sign-in. This sign-in was deemed as high risk with two risks attached to it. You have the same actions here as in the ‘risky users’ section.

Risky Sign-ins Detailed
Risky Sign-ins Detailed

Risk Detections Report

This report displays the type of risk that was detected. It can be useful if you wish to view the activities triggering this type of alert in your organization.

Risky Detection Report
Risky Detection Report

Identity Protection Policies

If more advanced reports don’t tickle your fancy, perhaps a range of identity protection policies might.

Within Azure, you’ll find our different types of identity protection policies that are exclusively available in the AAD Premium P2 license.

User Risk policy

If you want to take some predetermined actions on those accounts classified as ‘risky,’ you must define the user risk policy. This policy is enabled by default; however, you can modify it to suit your requirements.

User Risk Policy Example
User Risk Policy Example

In this screenshot above, you will notice a policy that’s applied to all the users. The policy is applicable only when the risk level is ‘high’ and the action is to block access. Other options like allowing access and requiring a password reset are also available.

Sign-in Risk Policy

A default policy is available to decide your actions for users with risky sign-ins. In the example here, you will notice that the policy is applied to a group. It also states that it will become useful for user accounts with sign-in risk level as medium and above. Finally, the action is to enforce MFA.

Sign-in Risk Policy Example
Sign-in Risk Policy Example

MFA Registration Policy

If you’d like to require MFA registration for one or more of your accounts, you can set this requirement via the MFA registration policy as shown below. You can enable MFA for all the users or a set of users with this policy.

MFA Registration Policy Example
MFA Registration Policy Example

Custom Conditional Access Policies

If you wish to exert a granular level of access control perhaps applying policies to some users and not others, you must use a custom conditional access policy.

Perhaps you notice several users with sign-in risks and users listed as risky due to multiple logins into their ActiveSync profiles. You also see that almost all of these attempts have been made from three specific countries.

You can create a conditional policy to enforce MFA whenever there are users classified as highly risky, and when the sign-in risk is also high. Another condition added here is that the policy should affect when an ActiveSync connection originates from those three countries.

Identity Protection Alerts

If you need to be notified about risky sign-ins regularly, another handy feature that comes with the P2 license is identity protection alerts.

Users at Risk Alerts

These alerts are configured by default in tenants with AAD Premium P2 licenses. Alerts are sent to global admins, security admins, and security readers by default. The risk level can be set as needed.

The email is received in the format shown below:

User at risk notification email
User at risk notification email

Weekly Digest Email

This report is also sent to the same admins, as mentioned in the previous section. The email includes new risky users and risky sign-ins. It also provides information about admin role assignments made outside privileged identity management. We will cover the PIM in the next section.

Weekly Digest Notification Email
Weekly Digest Notification Email

Azure AD Privileged Identity Management (PIM)

Securing admin accounts is critical. Azure AD PIM is a feature that enhances the security cover.

There are several reasons to consider this feature from the standpoint of security. PIM does the following:

  • Can be used to provide approval based access to resources.
  • Access can be timebound, meaning the access will automatically expire after a certain amount of time.
  • Admins need to provide the reason to activate the specific roles.
  • MFA would be enforced while activating a role.
  • Global admins and security admins would be notified via email whenever any role is activated via PIM.

Adding a user to PIM is as shown below:

  • Access the PIM blade in Azure.
  • Click on “Azure AD Roles.”
  • Select “Roles.”
  • Click on “Privileged Role Administrator.”
  • Select ‘Add Assignments’ and select the user on whom you wish to activate PIM and go Next.
  • On the next page, confirm whether you want this to be a permanent” role or an “eligible” one.
Adding User to PIM
Adding User to PIM

PIM is a powerful tool to control access to critical resources in the tenant.

Access Reviews

If you want to ensure that onboarding and offboarding of employees also results in their admin account roles being reviewed, then Access Reviews will certainly help you here.

Access reviews can be created for groups and admin roles. These reviews help us in understanding if the existing admin s still need the role in question. For instance I have created an access review to check the lobal admin role.

Access Review
Access Review

Now from here, you can decide whether the access review result is approved or denied. Also, there are post-completion settings.

Post Completion Actions
Post Completion Actions
Access Review Overview
Access Review Overview

Summary

Azure AD Premium Plan 1 and Plan 2 are similar in many ways. The AAD Premium P1 license packs a lot of punch with several security features like Password Protection; Self-service password reset, Conditional Access, and Hybrid Identities, among others. In my experience, this license should suffice many organizations.

However, the areas where the AAD Premium P2 license scores over P2 are pretty significant as far as security is concerned. And this is precisely why the verdict here leans towards it.

Major differences between AAD Premium P1 and P2 are as follows:

Major differences between AAD Premium P1 and P2
Major differences between AAD Premium P1 and P2

Azure AD Premium Plan 2 has richer security features; however, they do come at an additional cost compared to Azure AD Premium Plan 1. Hence, you must weigh the pros and cons before deciding which one to choose.

Further Reading

You may refer the following links to delve deeper into this topic:

Subscribe to Adam the Automator

Get the latest posts delivered right to your inbox

Looks like you're offline!