The Entra ID P2 license is just one among many products and services that Microsoft is making mandatory for users, but its identity access management features make it a big overall security plus.

Microsoft sometimes gets a little annoying in its zeal to push things — it’s pushing Windows 11 24H2 to unmanaged customers and pushing Copilot to Edge and Windows and to consumers as well. But there’s one thing it will be pushing out that as a security professional I don’t mind in the least, and that’s the Entra ID P2 license.
In fact, if you don’t have an Entra ID P2 license in place, or the licensing needed to support it, I’d highly recommend you push back on your C-suite to include it in the company budget. Why?
Entra ID P2 offers a host of advanced features that support identity and access management, including risk-based conditional access and identity protection, privileged identity management (PIM), access reviews to ensure compliance and security, advanced security reporting and monitoring, and conditional access policies that control access to apps and resources based on conditions such as user location, device state, and risk level.
I personally received notification that starting in mid-May I will receive “Microsoft-managed” conditional access policies and that they will be enabled in report-only mode. As Microsoft outlines in its notification, it will create a Microsoft-managed Conditional Access policy governing multifactor authentication (MFA) and reauthentication for risky sign-ins as part of its Secure Future Initiative.
Entra ID P2’s conditional access is a good thing
“This policy will be created in report-only mode which won’t block access but will generate reports on how it will affect users when it is switched to the On state,” Microsoft says. “We’ll assign only eligible active users with multifactor authentication to a new security group and ensure the total users don’t exceed your Entra ID P2 licenses. This means that all users covered by the policy will be able to self-remediate with MFA, and no legitimate users will be blocked.”
The policy will activate after it has been in report-only mode for 90 days, automatically turning on during the week of May 12, 2025. “At that point, all users covered by it will need to have MFA.”
I’m a fan of the conditional access policy for risky sign-ins. This is a policy that will monitor the logins of your users and correlate with how they normally log in, where they are logging in from, and other triggers.
This is where artificial intelligence really shines and is useful. No one should be able to log in to a workstation in California and then, within an hour, attempt to log in from Australia. This behavior is called “impossible travel,” and it’s one of several checks that Entra ID runs in the background to ensure that only valid users of the system are able to log in.
Entra monitors for suspicious activity
Entra monitors for activity that is more likely than not to be carried out by attackers. For example, the following are monitored:
- Users with leaked credentials.
- Sign-ins from anonymous IP addresses.
- Impossible travel to atypical locations.
- Sign-ins from infected devices.
- Sign-ins from IP addresses with suspicious activity.
- Sign-ins from unfamiliar locations.
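As an added illustration of the “impossible travel” check described above (this is example code written for this article, not Entra ID’s own detection logic), the snippet below compares consecutive sign-ins per user over a small constructed sample and flags any pair whose implied ground speed is not physically plausible. The record fields, the 1,000 km/h threshold, and the sample users are assumptions for the example.

```python
"""Impossible-travel check over constructed sign-in records: consecutive
sign-ins by the same user are compared and the pair is flagged when the
implied ground speed exceeds a threshold."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # roughly airliner speed; tune per organisation

@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime  # timezone-aware UTC
    lat: float
    lon: float
    city: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, speed_kmh) for each flagged pair."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.when)):
        by_user.setdefault(e.user, []).append(e)
    flagged = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            hours = (cur.when - prev.when).total_seconds() / 3600
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            # Same-timestamp sign-ins from different places count as infinitely fast.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_kmh:
                flagged.append((user, prev.city, cur.city, speed))
    return flagged

def _utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample: a California sign-in followed 50 minutes later by one from Sydney.
SAMPLE = [
    SignIn("alice@example.com", _utc("2025-05-12T08:00:00"), 37.77, -122.42, "San Francisco"),
    SignIn("alice@example.com", _utc("2025-05-12T08:50:00"), -33.87, 151.21, "Sydney"),
    SignIn("bob@example.com", _utc("2025-05-12T09:00:00"), 47.61, -122.33, "Seattle"),
    SignIn("bob@example.com", _utc("2025-05-12T12:00:00"), 45.52, -122.68, "Portland"),
]
```

Running `impossible_travel(SAMPLE)` flags only the San Francisco to Sydney pair; the Seattle to Portland pair works out to well under 100 km/h and is left alone.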
You can set the risk threshold at which the policy acts, so monitoring can be as strict or as lenient as you want. Before this policy is rolled out, you need to ensure that all accounts are covered by MFA, which may require you to go back and review how your break-glass accounts are set up.
MFA is key to setting up Entra ID P2
Many years ago, the best practice was to set up some administrative accounts with merely a long, strong password as their authentication into Entra ID. This allowed you to log into the system should some catastrophe occur and your normal multifactor authentication process was not working.
Now the best-practice recommendation is to ensure that your break-glass accounts use different MFA options than your normal accounts. So, if Microsoft Authenticator is your normal MFA app, deploy a different MFA option for the break-glass administrator account.
Take the time to determine the impact on your organization by having an Entra ID administrator review the policy’s impact in the Microsoft Entra admin center. While there, review your sign-in logs and consider what logging and SIEM monitoring you have in place. It’s always wise to review existing settings and policies when deploying new ones, to ensure that what you already have will align with the new configuration.
Before deploying this policy, you’ll want to ensure that you run a registration campaign to urge those who have not set up MFA to do so. This policy will allow you to urge — or rather push — users to set up MFA.
Determine whether you want to let users snooze until later or snooze indefinitely. My recommendation is to not let your users snooze on this setting. In fact, it’s highly recommended to deploy phishing-resistant MFA in your organization. Review CISA’s recent guidance on setting up such implementations.
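The pre-rollout checks discussed above (accounts that still need a registration campaign, and break-glass accounts that would be locked out if the primary MFA method failed) can be scripted against an export of your registration report. The block below is an added example written for this article, not a Microsoft tool; the record layout, the method names, and the sample tenant are constructed for illustration.

```python
"""Pre-rollout readiness check, over constructed records that loosely
mirror an authentication-methods registration report: who would be
prompted to register MFA, and whether break-glass accounts would survive
an outage of the primary MFA method."""
from dataclasses import dataclass

# Method names are illustrative; "password" alone never satisfies MFA.
MFA_CAPABLE = {"microsoftAuthenticatorPush", "fido2SecurityKey",
               "windowsHelloForBusiness", "softwareOneTimePasscode", "mobilePhone"}
PHISHING_RESISTANT = {"fido2SecurityKey", "windowsHelloForBusiness"}

@dataclass
class Account:
    upn: str
    methods: set
    is_admin: bool = False
    is_break_glass: bool = False

def needs_registration(accounts):
    """Accounts the registration campaign must reach before enforcement."""
    return sorted(a.upn for a in accounts if not (a.methods & MFA_CAPABLE))

def break_glass_findings(accounts, primary_method):
    """Break-glass accounts with no MFA method independent of primary_method."""
    findings = []
    for a in (a for a in accounts if a.is_break_glass):
        mfa = a.methods & MFA_CAPABLE
        if not mfa:
            findings.append((a.upn, "no MFA method registered"))
        elif mfa <= {primary_method}:
            findings.append((a.upn, f"relies solely on {primary_method}"))
    return findings

def admins_without_phishing_resistant(accounts):
    """Admins still on push/OTP/phone factors rather than FIDO2 or WHfB."""
    return sorted(a.upn for a in accounts
                  if a.is_admin and not (a.methods & PHISHING_RESISTANT))

# Constructed sample tenant: bg1/bg2 are the two break-glass admin accounts.
SAMPLE = [
    Account("alice@example.com", {"password", "microsoftAuthenticatorPush"}),
    Account("bob@example.com", {"password"}),
    Account("carol@example.com", {"password", "microsoftAuthenticatorPush", "fido2SecurityKey"}, is_admin=True),
    Account("bg1@example.com", {"password", "microsoftAuthenticatorPush"}, True, True),
    Account("bg2@example.com", {"password", "fido2SecurityKey"}, True, True),
]
```

With Microsoft Authenticator as the primary method, the sample reports bob as the registration-campaign target and bg1 as a break-glass account that shares the primary method, while bg2 (FIDO2 key) passes.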
Entra ID P2 is fundamental for Microsoft 365 users
As CISA points out, you’ll want IT leadership to make the case for deploying such stronger technologies and to secure the commitment of senior leadership to using them. As we’ve seen too often in this environment, identities are easily abused and attacked, and reused passwords are harvested, made available for reuse, and folded into attack sequences.
As humans, we get fatigued by our password reset policies and too often choose poor passwords that make it too easy for attackers to enter our systems. Ensuring that we have deployed something stronger is a key defense.
I consider the Entra ID P2 policy to be a foundational need if you use Microsoft 365 and you want to keep your business secure. This fundamental license is available either as a separate standalone license or as part of Microsoft 365 E5 enterprise licensing.
It also includes privileged identity management and self-service access for end users. If you work for a government agency, you may need to review whether you need the supplemental Entra ID Governance service. These are available in the US Government Community Cloud (GCC), GCC High, and Department of Defense cloud environments.