The MSP License Ladder — Part 3

The MSP License Ladder #3: The Identity Gap

12 min read · Roy Klooster
Tags: Entra ID · Security · M365

You are onboarding a new customer and running through their configuration. Fifteen admin accounts, all with permanent Global Admin. No approval workflow, no activation window, no audit trail. The customer’s previous MSP set it up three years ago and nobody has touched it since. You know this is a risk, but on Entra ID P1 there is no mechanism to fix it without removing the role entirely.

The same customer has four Domain Controllers running on-prem. You check the Defender portal and there is nothing. No identity alerts, no lateral movement paths, no credential theft detections. Not because everything is fine, but because nothing is watching.

Two blind spots, one cloud and one on-prem. That is the identity gap, and the licensing path to closing both sides is usually the same bundle.

This post is part of The MSP License Ladder, a series on what Business Premium and E3 don’t give you, and how to build on top of them. Every post covers one gap: what’s missing from the base SKU, what it costs to close, and what you can actually build with it. Previous: #2, The Data Gap.

A few terms up front:

  • PIM (Privileged Identity Management): just-in-time role activation with approval workflows and audit trails. Admins request elevation, use it, and it expires automatically.
  • Identity Protection: Microsoft’s risk engine that scores every sign-in and user for anomalies (unfamiliar location, impossible travel, leaked credentials) and feeds those scores into Conditional Access.
  • DfI (Defender for Identity): an identity threat detection solution that installs lightweight sensors on Domain Controllers to detect on-prem attacks like lateral movement, Kerberoasting, and DCSync.
  • CA (Conditional Access): policy engine that controls access based on conditions like location, device compliance, group membership, and (with P2) risk level.


What you actually get today

Business Premium and Microsoft 365 E3 both include Entra ID P1. That gives you more than most customers realise:

  • Conditional Access with conditions for location, device compliance, client app, and group membership
  • MFA with all verification methods (Authenticator, phone, SMS, FIDO2, certificate-based)
  • Self-service password reset with on-prem writeback
  • Application Proxy for publishing on-prem web apps without a VPN
  • Custom roles and Administrative Units for scoped delegation
  • Hybrid identity via Entra Connect or Cloud Sync

For most customer conversations, P1 sounds like it covers identity. The gaps only show up when you need identity to react to risk (risk-based Conditional Access), govern privilege (PIM, Access Reviews), or see on-prem AD (Defender for Identity). All three sit behind upgrades.

And that last point is worth repeating: neither base SKU includes any on-prem identity visibility. Entra ID sees cloud sign-ins. If the customer has Domain Controllers, the entire on-prem identity layer is invisible to the Defender portal without Defender for Identity. Defender for Business, which ships with Business Premium, is an endpoint security solution (NGAV, basic EDR, ASR). It does not cover identity on Domain Controllers. That requires a separate product.

The concrete gaps: cloud identity

Four scenarios that come up on real customer calls and leave you reaching for something you do not have.

Risk-based Conditional Access

A user signs in from their regular laptop at 3am from a country they have never visited. On P1, you can write a CA policy that blocks that country entirely, but you cannot distinguish “same user, anomalous pattern” from “stolen credential on a compliant device.” Risk-based Conditional Access uses Identity Protection’s sign-in risk and user risk scores to make that distinction. The flexibility goes beyond just MFA:

  • A medium-risk sign-in can trigger step-up MFA
  • A high-risk user can be forced to reset their password
  • A high-risk sign-in from an admin account can block access entirely
  • You can combine risk with other conditions: block high-risk sign-ins to sensitive apps, require compliant devices for medium-risk, and let low-risk through with MFA

That last point matters. For admin accounts, you can write a CA policy that says “if the sign-in risk is high, block access, no exceptions.” That is a hard stop on compromised admin credentials. On Entra ID P1, those risk conditions do not exist in the CA policy editor.
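The “high sign-in risk on an admin account means block” policy described above, written as an added example in Microsoft Graph PowerShell (this is not code from the original post). It assumes the Microsoft.Graph module is installed, that at least one Entra ID P2 licence is present so the sign-in risk condition is accepted, and that you substitute the placeholder break-glass account ID; the policy is created in report-only mode so it logs what it would have done without enforcing anything yet.

```powershell
# Added example: create a risk-based Conditional Access policy for admin sign-ins
# in report-only mode, then tighten it once the report-only log looks right.
# Assumes: Microsoft.Graph PowerShell SDK installed, Entra ID P2 present in the tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All" -NoWelcome

# Well-known template ID of the Global Administrator directory role.
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"
# PLACEHOLDER: object ID of the emergency-access (break-glass) account.
# It must be excluded so a false-positive risk score can never lock you out.
$breakGlassUserId  = "<break-glass-account-object-id>"

$policy = @{
    displayName = "CA-Admins-BlockHighSignInRisk"
    # Report-only: sign-ins are evaluated and logged, nothing is blocked yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # The P2-only condition: Identity Protection's real-time sign-in risk score.
        signInRiskLevels = @("high")
        clientAppTypes   = @("all")
        applications     = @{ includeApplications = @("All") }
        users            = @{
            includeRoles = @($globalAdminRoleId)   # scope by role, not by a hand-kept group
            excludeUsers = @($breakGlassUserId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")               # hard stop, no step-up fallback for admins
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# After a week of clean report-only results, flip the same policy to enforced.
# Uncomment once you have checked the sign-in log for unexpected 'would block' entries.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```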

Privileged Identity Management

Every admin account with permanent Global Admin, Exchange Admin, or Intune Admin has standing privilege 24/7. If an account is compromised, the attacker gets the role immediately and fully. PIM replaces standing privilege with just-in-time activation: an admin requests the role, optionally gets approval, activates it for a bounded window (say 4 hours), and then the role expires. Every activation is logged with justification, approver, and duration. On Entra ID P1, PIM does not exist. Every admin keeps their role permanently.

PIM for Groups extends the same just-in-time model to security group and Microsoft 365 group membership. An engineer can be eligible for a group that grants access to a sensitive SharePoint site or an Azure Key Vault, and activate membership only when needed.
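As an added example (not from the original post), this converts one permanently assigned Global Admin into a PIM-eligible assignment and sets the role’s activation settings to the bounded window described above: four hours maximum, justification and MFA required. It uses the Microsoft Graph PowerShell SDK and assumes an Entra ID P2 licence for the admin and a placeholder user object ID you replace; removing the existing permanent assignment is a separate step that is intentionally left to you.

```powershell
# Added example: make an admin PIM-eligible for Global Administrator and cap activations at 4h.
# Assumes: Microsoft.Graph PowerShell SDK, Entra ID P2 licence for the principal.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleManagementPolicy.ReadWrite.Directory" -NoWelcome

$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator template ID
$adminUserId       = "<admin-user-object-id>"                   # PLACEHOLDER: user to make eligible

# 1. Eligible (not active) assignment. The admin must activate through PIM to use the role.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Replace standing Global Admin with PIM eligibility (onboarding cleanup)"
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = "/"                                      # tenant-wide scope
    principalId      = $adminUserId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        # The eligibility itself expires after a year, which forces a re-decision.
        expiration    = @{ type = "afterDuration"; duration = "P365D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility | Out-Null

# 2. Find the PIM policy bound to Global Administrator at tenant scope.
$assignment = Get-MgPolicyRoleManagementPolicyAssignment -Filter `
    "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$globalAdminRoleId'"
$policyId = $assignment.PolicyId

# Rule target shared by the two end-user activation rules below.
$activationTarget = @{
    caller = "EndUser"; operations = @("All"); level = "Assignment"
    inheritableSettings = @(); enforcedSettings = @()
}

# 3a. Activation window: required expiry, at most 4 hours per activation.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_EndUser_Assignment"
        isExpirationRequired = $true
        maximumDuration      = "PT4H"
        target               = $activationTarget
    }

# 3b. Activation requirements: justification text and MFA on every activation.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id            = "Enablement_EndUser_Assignment"
        enabledRules  = @("Justification", "MultiFactorAuthentication")
        target        = $activationTarget
    }
"Global Administrator: $adminUserId is now eligible; activations capped at PT4H with justification + MFA"
```

Approval workflows are configured on the same policy through its approval rule; once the activation rules are in place, every activation shows up in the PIM audit log with justification, approver and duration.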

Access Reviews

Over time, group memberships drift. The contractor who joined the “Finance - Sensitive Data” group for a three-month project is still a member two years later. Access Reviews create periodic review workflows where group owners or managers confirm that each member still needs access. Members who are not confirmed are automatically removed. This works for group memberships, role assignments, app access, and guest accounts. On Entra ID P1, there is no mechanism for this. Membership cleanup is manual and ad-hoc.

Entitlement Management

A new team member needs access to four groups, two apps, and a SharePoint site. Today that is four separate requests through different channels. Entitlement Management bundles those into an access package: one request, one approval workflow, one expiration policy. Users can request access packages through the My Access portal, and the entire lifecycle (request, approval, assignment, expiration) is managed in one place. Basic Entitlement Management (access packages, multi-stage approvals, self-service requests) is included in Entra ID P2. Advanced features like auto-assignment policies, custom extensions via Logic Apps, and Lifecycle Workflows require the separate Entra ID Governance add-on. On Entra ID P1, none of this exists.

The concrete gaps: on-prem identity

If your customer has Domain Controllers, the on-prem identity layer is invisible to the Defender portal without Defender for Identity. Entra ID sees cloud sign-ins; it does not ingest DC events. Defender for Business (included in Business Premium) does not fill this gap either. Defender for Business is focused on endpoint protection: next-generation antivirus, attack surface reduction, and basic EDR. It does not deploy sensors on Domain Controllers and does not monitor Active Directory traffic. Here is what you are missing without DfI:

Reconnaissance detection

Before attackers move laterally, they map the environment. DfI detects account enumeration via LDAP, DNS zone transfer attempts, SAMR-based user and group discovery, and security principal reconnaissance that often precedes a Kerberoasting attack. It also triggers on any activity targeting honeytoken accounts you have configured as decoys.

Credential theft attacks

Kerberoasting (requesting service tickets for offline cracking), AS-REP roasting (targeting accounts without pre-authentication), and DCSync (requesting AD replication data to extract password hashes). DfI also detects brute force attacks over Kerberos and NTLM, DPAPI master key requests (used to decrypt saved credentials), DFSCoerce attacks, and shadow credential abuse. These are the attacks that turn a foothold into full domain compromise.

Lateral movement and domain dominance

Pass-the-hash, pass-the-ticket, and overpass-the-hash are the classic lateral movement techniques. DfI detects all three, plus NTLM relay attacks, PrintNightmare exploitation, SMB packet manipulation, and Exchange Server remote code execution attempts. For domain dominance, DfI covers Golden Ticket usage (five different detection methods, including encryption downgrade, time anomaly, and RBCD-based), DCShadow (rogue domain controller promotion and replication), Skeleton Key malware, and SID-History injection.

Active Directory infrastructure attacks

DfI monitors beyond user activity. It detects suspicious modifications to AdminSdHolder (the security descriptor that protects privileged accounts), AD Certificate Services abuse (ESC8 attacks, certificate database deletions, audit filter tampering), AD FS trust relationship modifications, and Resource-Based Constrained Delegation abuse. It also flags Group Policy tampering that disables Windows Defender, a common precursor to ransomware deployment.

Legacy protocol usage

NTLM authentication, LDAP cleartext binds, and SMBv1 are still active in 2026 more often than anyone likes to admit. DfI surfaces this usage through its identity security posture assessments in Microsoft Secure Score, so you can plan the remediation instead of discovering it during an incident.

On base Entra ID P1, none of this is visible. The Defender portal shows endpoint and email telemetry, but the on-prem side of the identity gap is a complete blind spot.

The upgrade paths

Three paths to close both gaps, depending on the customer’s base SKU and size.

| Path | Best for | Includes | List price | Main constraint |
| --- | --- | --- | --- | --- |
| Defender Suite for Business Premium | BP customers under 300 users | Entra ID P2, DfI, MDE P2, MDO P2, DfCA | $10/user/mo | 300-user cap |
| Entra ID P2 + DfI standalone | Component-by-component buyers | Entra ID P2 + DfI only | $9 + $5.50/user/mo | No MDE P2, MDO P2, or DfCA |
| Microsoft Defender Suite (E5 Security) | M365 E3 customers | Everything in Defender Suite for BP + Defender for IoT | $12/user/mo | Larger upfront spend |

Prices are Microsoft list per user per month, as of May 2026. CSP, NCE, and Enterprise Agreement pricing differs; check with your licensing partner for the real customer number. Combined with Purview Suite for Business Premium (also $10), the bundle drops to $15/user/month for both Defender and Purview.

The bundle story is strong here. Buying Entra ID P2 ($9) and DfI ($5.50) standalone costs $14.50/user/month and only covers identity. For $10/user/month the Defender Suite for BP gives you both plus MDE P2, MDO P2, and DfCA. Unless the customer specifically cannot take the other Defender components (rare), the bundle is the better path.

The grey-area licensing caveat

Entra ID P2 features follow a per-user-covered licensing model, not per-tenant-enabled. This matters:

  • Identity Protection risk engine activates tenant-wide once a single P2 license is present. Risk-based CA policies evaluate all sign-ins, not just licensed users. Compliance-wise, Microsoft requires a P2 license for every user whose sign-ins are evaluated by risk policies.
  • PIM activates tenant-wide. Compliance-wise, every user with eligible or time-bound role assignments, every approver, and every reviewer needs P2. If the license expires, eligible assignments are removed and PIM becomes unavailable.
  • Access Reviews follow the same pattern: every user being reviewed and every reviewer needs the license.

This is the same grey area covered in Post #2 for Purview. The features work with fewer licenses than compliance requires. Do not let a customer assume one P2 license turns it on for the tenant.

Entra ID Governance: a separate SKU

If the customer’s governance needs go beyond basic PIM and Access Reviews, there is a separate Entra ID Governance add-on (~$7/user/month on top of P1 or P2). It adds:

  • Lifecycle Workflows: automated onboarding and offboarding (pre-hire provisioning, day-one group assignment, leaver account cleanup). This is the “joiner-mover-leaver” automation that P2 does not cover.
  • Advanced Access Reviews: includes ML-assisted recommendations that analyze user-to-group affiliation patterns and flag members who are outliers compared to their peers, so reviewers can focus on the memberships that are most likely stale instead of reviewing every entry manually. Also adds scoping to inactive users and Access Reviews for PIM for Groups.
  • Advanced Entitlement Management: auto-assignment policies (assign access packages based on department or cost center without a request), custom extensions via Logic Apps, Verified ID integration, and separation of duties enforcement.

Microsoft has explicitly stated: no new Identity Governance and Administration features will be added to the P2 SKU. Current P2 features (PIM, basic Access Reviews, basic Entitlement Management) stay, but everything new goes into the Governance add-on. If a customer is building a full identity governance program, budget for it.

For more detail, see the Entra ID Governance licensing fundamentals.

What you unlock

With Entra ID P2 and Defender for Identity in place, these are the outcomes across both domains:

| Capability | What changes |
| --- | --- |
| Risk-based Conditional Access | Sign-in risk and user risk as CA conditions. Step-up MFA for medium risk, password reset for high-risk users, full access block for high-risk admin sign-ins. |
| PIM for roles and groups | Just-in-time activation for Entra roles, Azure roles, and group membership. No standing privilege. Full audit trail. |
| Access Reviews | Periodic review workflows for group membership, role assignments, app access, and guest accounts. Automatic removal of unconfirmed members. |
| Entitlement Management | Access packages with request, approval, and expiration workflows. Self-service via My Access portal. |
| Identity Protection signals | Risky users report, risky sign-ins report, risk detections, weekly digest, and Graph API access to all risk data. |
| DfI on-prem detections | 40+ detection types across reconnaissance, credential theft, lateral movement, and domain dominance. |
| Unified incidents | On-prem identity alerts from DfI correlate with cloud identity and endpoint signals in Defender XDR. One incident, full story. |
| Lateral movement path mapping | DfI builds a map of how an attacker could traverse the environment from a compromised account to sensitive targets. |
| Identity posture assessments | DfI feeds identity security recommendations into Microsoft Secure Score, surfacing legacy protocols and risky configurations. |

The practical difference: the admin accounts from the opening of this post activate Global Admin through PIM for 2 hours with approval and justification, then the role expires. Access Reviews run quarterly to confirm who still needs admin eligibility. The DCs now have DfI sensors, and a pass-the-hash attempt triggers an alert in the Defender portal within minutes, correlated with the endpoint telemetry from MDE. You see both the cloud and on-prem sides of identity in one place.

When not to bother

No Domain Controllers? Skip Defender for Identity. If the customer is pure-cloud, Defender for Identity does nothing. No DCs, no sensors, no detections. The identity gap for cloud-only tenants is entirely Entra ID P2. If DfI comes along as part of the Defender Suite bundle, fine, but never sell it standalone to a cloud-only customer.

DfI standalone is almost never the right buy. At $5.50/user/month it covers one gap. The Defender Suite for BP at $10/user/month covers five. Pitch the bundle.

How to pitch it

Focus on addressing the customer’s specific risks rather than listing features.

Post-audit finding. “Your current setup has fifteen accounts with permanent Global Admin and no review process. PIM replaces standing privilege with just-in-time activation: the admin requests the role, it’s approved, and it expires in four hours. Access Reviews run quarterly to confirm who still needs eligibility. Every activation and review decision is logged. That closes the audit finding and gives you an ongoing governance trail.”

Regulatory driver. “NIS2 Article 21 requires access control measures including privilege management. DORA Article 9 requires identity and access management. ISO 27001 A.9 covers privileged access. Risk-based CA and PIM satisfy all three. The audit artefact is the PIM activation log and the Identity Protection risk report.”

On-prem identity. “You have four DCs. Right now, a Kerberoasting attempt or a DCSync attack generates zero signal in the Defender portal. Defender for Identity puts lightweight sensors on those DCs and feeds alerts into the same incident view as your endpoint and email telemetry. It detects over 40 attack types, from reconnaissance all the way to domain dominance. It’s the cheapest visibility upgrade on the entire ladder.”

Price it as a managed identity service, not a licence passthrough. The $10/user/month Defender Suite for BP is the floor. The value is the PIM configuration, the CA policies tuned to risk, the DfI deployment across customer DCs, and the triage capacity behind the alerts.

Conclusion

Entra ID P1 covers the fundamentals: Conditional Access, MFA, hybrid identity. It is a solid baseline. But three gaps remain:

  • It cannot react to risk. Sign-in anomalies, leaked credentials, and impossible travel generate no signal in P1. Risk-based Conditional Access in P2 closes this gap, with the flexibility to step up MFA, force password resets, or block access entirely depending on the risk level and the user’s role.
  • It cannot govern privilege. Every admin keeps their role permanently. PIM in P2 replaces standing privilege with just-in-time activation. Access Reviews add periodic confirmation that memberships and role assignments are still justified.
  • It cannot see on-prem AD. Domain Controllers are invisible to the Defender portal without Defender for Identity. DfI adds 40+ detection types covering the full attack chain from reconnaissance through domain dominance.

Both the cloud and on-prem identity gaps usually get closed with the same purchase. The Defender Suite for Business Premium ($10/user/month) and the E5 Security add-on ($12/user/month) both include Entra ID P2 and Defender for Identity alongside the other Defender components.

Start with one customer tenant. Deploy PIM for the admin accounts, enable a risk-based CA policy in report-only mode, install DfI sensors on the DCs, and run an Access Review on the most sensitive groups. Review the output for a week. Then scale out.

| Resource | What it covers |
| --- | --- |
| Entra ID licensing overview | P1 vs P2 vs Governance feature matrix |
| Identity Protection overview | Risk detections, risk policies, and remediation |
| PIM overview | Just-in-time role activation, approval workflows |
| PIM for Groups | Just-in-time group membership and ownership |
| Defender for Identity overview | On-prem identity detection capabilities |
| DfI security alerts reference | Full list of 40+ detection types by attack phase |
| Defender Suite for Business Premium | Bundle contents and pricing |
| Entra ID Governance licensing | P2 vs Governance add-on scope |
| Securing Your Enterprise Application via PIM | Deep dive on PIM setup from this blog |

Part of The MSP License Ladder series. Previous: #2, The Data Gap.

Last verified: May 2026
