Entra ID P1 vs P2: The Magic of Risk-Based Conditional Access
Apr 18, 2025
Why You Might Need More Than Microsoft 365 Business Premium
Fred: "Hang on a second, dear - I spend £8.10 per user per month on Microsoft 365 Business Premium, and now you're telling me I need to spend even more on security?"
Well, Fred, you don't have to - but it's worth knowing what else is out there to better protect your business. That's what today’s post is all about: Microsoft Entra ID P2.
Before we dive in, a quick intro - my name is Jonathan Edwards, better known as The Bearded 365 Guy. I help businesses worldwide make the most of their Microsoft 365 subscriptions. You can find more about me at b365guy.com.
Now, I often talk about how Microsoft 365 Business Premium is a fantastic option for small businesses. It offers a great level of security right out of the box, and whenever my IT company takes on a new client, it's always our go-to recommendation. But part of my job is also to highlight additional security options that exist, should you choose to invest further - even if that means additional licensing costs.
One such product is Microsoft Entra ID P2, which delivers an extra layer of protection for your organisation.
Understanding Entra ID Licensing
Let's start by looking at licensing - because yes, Entra ID P2 does come with an additional cost.
Microsoft Entra ID P1 is £4.60 per user per month, but here’s the key takeaway: if you're already using Microsoft 365 Business Premium, you’re already covered for P1. It’s included in your subscription.
So, what’s the difference between P1 and P2?
Entra ID P2 is priced at £6.90 per user per month. If you want to upgrade from P1 to P2, you must pay the full £6.90 - there’s no discount for already having P1. It’s also worth noting that P2 is included in Microsoft 365 E5, which is a much pricier package at around £55 per user per month.
The key feature that P2 offers over P1 is Microsoft Entra ID Protection - and this is where things get really interesting.
Why is ID Protection Important?
Every time you log into Microsoft 365, you use a username, password, and (hopefully) Multi-Factor Authentication (MFA). That login is the gateway to your most valuable business data - your emails, files, applications - and cybercriminals know that.
Cybercrime is a billion-dollar industry, and it revolves around stolen credentials. If an attacker can get hold of your username and password, and bypass MFA, they gain access to everything.
So, how does Entra ID Protection help? It introduces risk-based conditional access, which continuously monitors logins and flags suspicious activity before an attacker can gain control.
Risk-Based Conditional Access
Imagine Microsoft constantly watching your users' logins: their locations, devices, IP addresses, and even scanning the dark web for leaked credentials. If it detects something unusual - say, a login from an unknown country - it can block access or require additional authentication before allowing entry.
This is the core of risk-based conditional access.
Let’s break it down:
- Risky Sign-Ins - A single suspicious login, such as from an unusual location or a new device.
- Risky Users - A user flagged as high-risk due to multiple risky sign-ins or leaked credentials.
For example, if you log into Microsoft 365 from London, and five minutes later, another login appears from New York, Microsoft will flag this as Impossible Travel. If this happens repeatedly, that user is marked as a Risky User.
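To make the London / New York case concrete, here is a simplified check added for illustration. It is not Microsoft's detection logic and not code from this post; the speed limit, the 50 km minimum distance, the threshold for marking a user risky, and the sample sign-ins are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0     # assumption: ignore small geolocation jitter
RISKY_USER_THRESHOLD = 2   # assumption: flagged sign-ins before a user counts as risky

@dataclass
class SignIn:
    user: str
    time: datetime
    lat: float
    lon: float

def haversine_km(a, b):
    """Great-circle distance between two sign-ins, in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(signins):
    """Return sign-ins whose implied speed from the user's previous sign-in is implausible."""
    flagged, last = [], {}
    for s in sorted(signins, key=lambda x: x.time):
        prev = last.get(s.user)
        if prev is not None:
            hours = (s.time - prev.time).total_seconds() / 3600
            km = haversine_km(prev, s)
            # Two distant sign-ins at the same instant are implausible as well.
            if km > MIN_DISTANCE_KM and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                flagged.append(s)
        last[s.user] = s
    return flagged

def risky_users(flagged):
    """Users with repeated flagged sign-ins."""
    counts = {}
    for s in flagged:
        counts[s.user] = counts.get(s.user, 0) + 1
    return {u for u, n in counts.items() if n >= RISKY_USER_THRESHOLD}

# Constructed sample: fred hops London -> New York -> London in ten minutes,
# amy makes the same trip in nine hours, which a flight can do.
LONDON, NEW_YORK = (51.5074, -0.1278), (40.7128, -74.0060)
SAMPLE = [
    SignIn("fred", datetime(2025, 4, 18, 9, 0), *LONDON),
    SignIn("fred", datetime(2025, 4, 18, 9, 5), *NEW_YORK),
    SignIn("fred", datetime(2025, 4, 18, 9, 10), *LONDON),
    SignIn("amy", datetime(2025, 4, 18, 9, 0), *LONDON),
    SignIn("amy", datetime(2025, 4, 18, 18, 0), *NEW_YORK),
]
```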
Setting Up Risk-Based Conditional Access
To take full advantage of Entra ID P2, you need to configure conditional access policies in your Microsoft Entra ID settings.
Sign-In Risk Policy
- Go to Microsoft 365 Admin Centre > Identity Protection.
- Create a New Conditional Access Policy.
- Name it Sign-In Risk Policy.
- Target All Users and All Resources.
- Set Sign-In Risk Level to Medium and High.
- Choose the appropriate action:
  - Block Access (strictest)
  - Require MFA (allows login after verification)
- Set Sign-In Frequency to Every Time to enforce continuous monitoring.
User Risk Policy
- Create another policy, this time called User Risk Policy.
- Again, target All Users and All Resources.
- Set User Risk Level to Medium and High.
- Choose an action:
  - Block Access immediately.
  - Require Password Change (forces the user to reset their password to regain access).
These policies ensure that any compromised user accounts are instantly flagged and required to take further action before gaining access to company data.
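Once both policies exist, it is worth checking that what was saved matches the steps above. The following is an added example, not code from this post or from Microsoft: it audits a list of policies shaped like the Microsoft Graph `conditionalAccessPolicy` resource, and the function names and the sample export are constructed for illustration.

```python
WANTED = {"medium", "high"}  # risk levels the post selects on both policies

def check(policy, levels_key, controls_ok):
    """Findings for one risk policy; an empty list means it matches the steps above."""
    cond = policy.get("conditions", {})
    grant = set((policy.get("grantControls") or {}).get("builtInControls", []))
    findings = []
    if policy.get("state") != "enabled":
        findings.append("not enforced: state=" + str(policy.get("state")))
    if "All" not in cond.get("users", {}).get("includeUsers", []):
        findings.append("does not target All users")
    if "All" not in cond.get("applications", {}).get("includeApplications", []):
        findings.append("does not target All resources")
    missing = WANTED - set(cond.get(levels_key, []))
    if missing:
        findings.append("risk levels not covered: " + ", ".join(sorted(missing)))
    if not grant & controls_ok:
        findings.append("no grant control from: " + ", ".join(sorted(controls_ok)))
    # Sign-in frequency only matters when the sign-in is allowed after verification.
    if levels_key == "signInRiskLevels" and "block" not in grant:
        freq = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
        if freq.get("frequencyInterval") != "everyTime":
            findings.append("sign-in frequency is not Every Time")
    return findings

def audit(policies):
    """Map displayName -> findings for each policy that has a risk condition."""
    report = {}
    for p in policies:
        cond = p.get("conditions", {})
        if cond.get("signInRiskLevels"):
            report[p["displayName"]] = check(p, "signInRiskLevels", {"block", "mfa"})
        elif cond.get("userRiskLevels"):
            report[p["displayName"]] = check(p, "userRiskLevels", {"block", "passwordChange"})
    return report

# Constructed export, not taken from a real tenant: the first policy omits the
# Medium level, the second is still in report-only mode.
EVERYONE = {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}}
SAMPLE = [
    {"displayName": "Sign-In Risk Policy", "state": "enabled",
     "conditions": {**EVERYONE, "signInRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "everyTime"}}},
    {"displayName": "User Risk Policy", "state": "enabledForReportingButNotEnforced",
     "conditions": {**EVERYONE, "userRiskLevels": ["medium", "high"]},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}},
]
```

Calling `audit(SAMPLE)` reports the missing Medium level on the first policy and the report-only state on the second.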
Final Thoughts
Is Entra ID P2 worth it? It depends on your risk tolerance.
- If your business already uses Business Premium, you get P1 and conditional access, which is already a strong security layer.
- However, if your business handles sensitive data or is at higher risk of cyber threats, investing in Entra ID P2 adds an extra layer of intelligent security.
- With cybercrime evolving every day, the question isn't just “Is it worth the money?” but rather “Can your business afford not to have it?”
Want to learn more? Stay tuned for future posts where I’ll cover more about Microsoft Entra Suite and other advanced security features!