idpcost.com
Memo
To: IT / Security buyer evaluating Microsoft Entra ID
From
idpcost.com
Re
Microsoft Entra ID end-to-end cost analysis
Source
https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing

Microsoft Entra ID

live verifiedMicrosoft · Per-user. Free tier covers basic SSO; paid tiers add MFA, conditional access, governance.

Most companies already pay for Entra ID without realising — if you're on M365 E3 you have P1 included, E5 includes P2. Calculate the marginal cost of upgrading from Free to P1 / P2 only if you're not already on those M365 tiers.

1.Year-1 TCO breakdown

Representative buyer: 200 employees, 30 SaaS apps, full SAML + MFA + lifecycle automation, 90-day audit retention.

Licensing (200 seats)Free if already on M365 E1+ (SSO included). P1 add-on: 200 × $6/mo × 12 = $14,400/yr. P2 add-on: 200 × $9/mo × 12 = $21,600/yr
SAML taxFree tier includes SSO to SaaS apps. SSO to on-prem apps requires P1 ($6/user/mo). Conditional access requires P1.
Audit retentionFree tier: 7-day audit log retention. P1: 30-day. P2: 30-day + Identity Protection alerts. Long-term retention via Log Analytics workspace (separate Azure cost).
MFAFree MFA (limited to basic Authenticator). Conditional access MFA requires P1.
Year-1 TCO$0-$22K depending on M365 tier already paid. The M365 bundling math dominates.

2.The hidden cost category for this IdP

Hidden cost

**The M365 bundling math is the entire hidden cost story.** Most companies are paying for Entra ID without realising — M365 E3 includes Entra ID P1, M365 E5 includes P2. The decision isn't 'should I pay for Entra' but 'do I need to upgrade M365 tier'. For 200-employee buyers already on M365 E3, the marginal cost of full Entra ID P1 is $0; for those on M365 Business Standard, upgrading to E3 adds $22-36/user/mo (often $50K+ annually) — Entra is included but the cost is real.

3.Migration cost out of Microsoft Entra ID

Migrating off Entra is rare because most companies are locked into M365. When it happens (typically a security incident or merger forcing standardisation on Okta), the cost runs $50K-$150K for 200-employee deployments. SCIM provisioning to Azure AD apps must be rebuilt; conditional access policies don't migrate one-to-one to other IdPs.

4.The negotiation lever

M365 contract negotiation. Entra pricing isn't really negotiable as a standalone product — it's part of M365 EA (Enterprise Agreement) negotiation. Larger M365 commits trigger E3/E5 tier discounts that bring marginal Entra cost to zero. Customers under 500 seats have less leverage; over 1,000 seats can negotiate 15-25% off M365 list.

5.Vendor tier reference

TierPer-user (USD/mo)Features
Free$0SSO to SaaS apps included with any Microsoft 365 subscription
P1$6Conditional access, MFA, SSO to on-prem apps
P2$9Identity Protection, Privileged Identity Management
Suite$12P2 + Identity Governance + Verified ID + Internet Access
ID Governance (add-on)$7Standalone governance add-on if not on Suite

Source: https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing · Verified 2026-06-02 · For vendor-published comparison view: idppricing.com/idp/entra/

Other IdPs: Okta Workforce Identity · JumpCloud · Auth0 · OneLogin · Ping Identity · Duo (Cisco) · Authentik