Microsoft Azure AD Premium

Every Microsoft 365 tenant contains an Azure AD free edition. The free version includes core Identity and Access Management and Business-to-Business collaboration. Even though the free edition comes with many features, such as Multi-Factor Authentication (MFA), Password Protection, Azure AD Connect sync, and Single Sign-On (SSO), Microsoft offers two additional plans called Azure AD Premium P1 and P2.

This article will explain the differences between the two and take a more in-depth look into Azure AD Premium.

Azure AD Premium Features

The difference between Azure AD Premium P1 and P2 is Identity Protection and Identity Governance. But before we look at the features of Identity Protection and Identity Governance, let’s take a look at the premium features first.

The free version contains Password Protection, but it is not possible to use custom banned passwords. Custom banned passwords are one of the premium features: you can set a list of passwords that users are not allowed to choose, so simple passwords like “Company Name” are rejected. Password Protection for Windows Server Active Directory does the same as Password Protection, but for on-premises Active Directory.

Self-service password reset removes the need for users to call the service desk to change their password. Users can reset their password on a portal without any support from the company. Azure AD Join makes it possible to auto-enroll your mobile device.

A noticeable feature in Azure AD Premium is Conditional Access. Conditional Access, as the name implies, grants or blocks access based on certain conditions. You can force MFA, block specific applications, block legacy authentication, etc.

Figure 1: Conditional Access Policies

Identity Protection and Identity Governance

The Azure AD Premium P2 features not included in Azure AD Premium P1 are Identity Protection and Identity Governance. Identity Protection detects risky accounts based on many indicators (atypical travel, malware-linked IP address, and many more). Conditional Access uses these detections to allow or block an identity. Using Identity Protection makes it possible to mitigate an attack within seconds through an automated response to a risky user.

Figure 2: Risky Users
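The two capabilities described above, a Premium P1 policy that blocks legacy authentication and a Premium P2 policy that takes Identity Protection's sign-in risk as a condition, as an added example using the Microsoft Graph PowerShell SDK. This is not code from the original article. It assumes the Microsoft.Graph.Identity.SignIns module is installed, an account that can consent to the Policy.ReadWrite.ConditionalAccess scope, and a break-glass (emergency access) account whose object ID replaces the placeholder; the policy names CA01 and CA02 are made up for the example.

```powershell
# Added example, not from the original article: creates two Conditional Access
# policies through the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).
# Assumes Azure AD Premium P1 for the first policy and P2 (Identity Protection) for
# the second. Both policies start in report-only mode so the sign-in logs can be
# checked before anything is enforced.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of the emergency access account excluded from both policies,
# so a misconfigured block policy can never lock every administrator out.
$breakGlass = "<break-glass-account-object-id>"

# Policy 1 (Premium P1): block legacy authentication clients, which cannot perform MFA.
$blockLegacy = @{
    displayName   = "CA01 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")    # the legacy client types
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# Policy 2 (Premium P2): use Identity Protection's sign-in risk level as the
# condition and require MFA for medium and high risk sign-ins.
$riskMfa = @{
    displayName   = "CA02 - Require MFA for risky sign-ins"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        signInRiskLevels = @("medium", "high")
        clientAppTypes   = @("all")
        applications     = @{ includeApplications = @("All") }
        users            = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

foreach ($policy in @($blockLegacy, $riskMfa)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}

# After reviewing the report-only results in the sign-in logs, list the policies
# and switch their state to "enabled" to start enforcing them:
# Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Both policies are deliberately created in report-only mode (`enabledForReportingButNotEnforced`): the sign-in logs then show which sign-ins each policy would have blocked or challenged, which is how you catch a service account still using a legacy protocol before users are locked out. The second policy only works on a tenant with Premium P2, because the `signInRiskLevels` condition is fed by Identity Protection.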

Identity Governance contains Privileged Identity Management (PIM), Access Reviews, and Entitlement Management. PIM makes it possible to control, manage, and monitor access to essential resources in your organization. PIM provides Just-In-Time (JIT) access to Azure AD and Azure resources, assigns time-bound access, requires approval, and much more. Identity Governance also includes Access Reviews, which review access regularly to make sure only the right people keep their access.

Conditional Access, Identity Protection, and Privileged Identity Management help organizations control their identities and are definitely worth checking out.


Azure AD Premium comes with Microsoft 365 E3 or Microsoft 365 E5, or as a separate license.

Figure 3: Licensing


With features like Conditional Access, Azure AD Premium is a must.