
Microsoft Entra ID for Small Business: Everything You Need to Know in 2025
If you’re a small business owner trying to understand Microsoft Entra ID for small business, you’re not alone. Microsoft’s rebrand from Azure Active Directory (Azure AD) to Microsoft Entra ID has created confusion, and many SME owners are wondering: “What is this? Do I need it? And how much will it cost?”
Here’s the straightforward answer: Microsoft Entra ID is your business’s digital identity and access management system. It controls who can access what in your Microsoft 365 environment and other cloud applications. For small businesses with 5+ employees, it’s becoming essential for security, but understanding when you need it—and which version—requires cutting through the marketing jargon.
This comprehensive guide explains Microsoft Entra ID in plain English, helping you determine if your small business needs it, what it costs, and how to implement it without getting overwhelmed by technical complexity.
What you’ll discover:
- What Microsoft Entra ID actually is (and why Microsoft changed the name)
- Whether your small business genuinely needs it
- Pricing tiers explained (Free vs. P1 vs. P2)
- Key features that matter for SMEs
- How to set it up for your business
- When to get professional help with implementation
- Real-world small business scenarios
Table of Contents
- What is Microsoft Entra ID?
- Why Did Microsoft Change from Azure AD to Entra?
- Microsoft Entra ID vs Azure AD: What’s Different?
- Do Small Businesses Need Microsoft Entra ID?
- Key Features for Small Businesses
- Microsoft Entra ID Pricing for Small Business
- Entra ID Free vs P1 vs P2: Which Do You Need?
- How Microsoft Entra ID Works with Microsoft 365
- Common Use Cases for Small Businesses
- How to Set Up Microsoft Entra ID
- Common Challenges for SMEs
- When to Get Professional Help
- Microsoft Entra ID Security Benefits
- Getting Started with Entra ID in Your Business
What is Microsoft Entra ID?
Microsoft Entra ID for small business is essentially your company’s digital identity system in the cloud. Think of it as a sophisticated security guard and administrator that manages who in your company can access what applications and data.
The Simple Explanation
In the simplest terms, Microsoft Entra ID:
✓ Manages user accounts – Creates and controls employee login credentials
✓ Controls access – Determines who can access which applications and files
✓ Enforces security – Adds extra protection layers like multi-factor authentication
✓ Provides single sign-on – Lets employees use one login for multiple applications
✓ Monitors activity – Tracks who’s accessing what and when
Real-world analogy: If your business were a building, Entra ID would be the combination of:
- The employee badge system (identity)
- The security desk (authentication)
- The access card readers (authorisation)
- The security camera system (monitoring)
- The building manager (administration)
All of this happens in the cloud, so it works whether employees are in your office, working from home, or accessing systems from their mobile devices.
The Technical Definition (For Those Who Want It)
Microsoft Entra ID is a cloud-based identity and access management (IAM) service. It provides:
- Identity management – Centralised user and group administration
- Authentication – Verifies users are who they claim to be
- Authorisation – Determines what authenticated users can access
- Single sign-on (SSO) – One login for multiple applications
- Multi-factor authentication (MFA) – Additional security beyond passwords
- Conditional access – Context-based access policies
- Identity protection – Threat detection and response
- Identity governance – Access lifecycle management
For most small businesses: You don’t need to understand all these terms. You just need to know that Entra ID keeps your business applications secure and makes life easier for your employees.
What Microsoft Entra ID is NOT
Common misconceptions:
❌ It’s not just for large enterprises – Small businesses benefit significantly from Entra ID’s security features
❌ It’s not a separate product you buy – If you use Microsoft 365, you already have basic Entra ID included
❌ It’s not only for Microsoft applications – It works with thousands of third-party cloud applications (Salesforce, Dropbox, Zoom, etc.)
❌ It’s not complicated to use – Whilst setup requires some technical knowledge, daily use is straightforward for employees
❌ It’s not optional for security – Modern cybersecurity essentially requires identity management for businesses with cloud applications
Microsoft’s own published figures say that more than 99.9% of compromised accounts did not have multi-factor authentication enabled. MFA is available on every Entra ID tier, including Free.
Why Did Microsoft Change from Azure AD to Entra?
If you’ve been confused by the name change from Azure Active Directory to Microsoft Entra ID, you’re not alone. Here’s what happened and why.
The Timeline
Before May 2022:
- Service was called “Azure Active Directory” or “Azure AD”
- Part of the broader Azure cloud platform
- Name suggested it was primarily for Azure services
May 2022:
- Microsoft announced the Entra product family (Azure AD, Permissions Management and Verified ID under one brand)
- Azure AD kept its name for the time being
July 2023:
- Microsoft announced that Azure Active Directory was being renamed Microsoft Entra ID
- The rename rolled through the portals, documentation and licence names during the rest of 2023
Today:
- Official name is Microsoft Entra ID; the licences are Microsoft Entra ID Free, P1 and P2
- Azure AD still appears in older documentation, third-party guides and some product menus
- Both names refer to the same service
Why Microsoft Made the Change
1. Clearer Identity Focus
The Azure branding made it sound like the service was primarily for Azure cloud infrastructure. But most businesses use it for Microsoft 365, not Azure services. The Entra name clarifies it’s about identity management, not just cloud infrastructure.
2. Product Family Expansion
Microsoft now offers multiple “Entra” products:
- Microsoft Entra ID (formerly Azure AD) – Core identity service
- Microsoft Entra ID Governance – Advanced identity lifecycle management
- Microsoft Entra External ID – Customer/partner identity management
- Microsoft Entra Permissions Management – Multi-cloud permission control
- Microsoft Entra Verified ID – Decentralised identity solutions
3. Reduced Confusion
Many business owners thought Azure AD was:
- Only for Azure cloud services (false)
- Only for technical Azure developers (false)
- Separate from Microsoft 365 (false)
The Entra rebrand helps clarify the service is for all businesses using Microsoft cloud services.
What This Means for Your Small Business
The important part: If you were using Azure AD, you’re now using Microsoft Entra ID. Your settings, configurations, licences and functionality are exactly the same; only the name changed. The one practical exception is automation: the old AzureAD and MSOnline PowerShell modules are being retired in favour of Microsoft Graph PowerShell, so any scripts your IT provider wrote against Azure AD should be checked and updated.
You don’t need to:
- Migrate to a new service
- Reconfigure anything
- Purchase new licences
- Learn a completely new system
You should know:
- Documentation now says “Entra ID” instead of “Azure AD”
- Support articles use the new terminology
- There is now a dedicated Microsoft Entra admin centre at entra.microsoft.com; the same settings are still reachable from the Azure portal and the Microsoft 365 admin centre
- Both names still work in conversation (people understand both)
Bottom line for SMEs: This is purely a naming change. Focus on understanding what the service does, not worrying about the rebrand.
Microsoft Entra ID vs Azure AD: What’s Different?
Let’s clear up the confusion once and for all.
The Short Answer
Microsoft Entra ID and Azure AD are the same service with a new name. Period.
Detailed Comparison
| Aspect | Azure AD (Old Name) | Microsoft Entra ID (New Name) |
|---|---|---|
| Core functionality | Identity & access management | Identical – identity & access management |
| Features | SSO, MFA, conditional access, etc. | Exactly the same features |
| Pricing tiers | Free, P1, P2 | Same three tiers with same pricing |
| Integration with M365 | Built-in | Built-in (unchanged) |
| Licensing | Included with Microsoft 365 | Included with Microsoft 365 (same) |
| Admin portal | Azure portal | Azure portal, plus the dedicated Microsoft Entra admin centre (entra.microsoft.com) |
| Technical capabilities | Full IAM platform | Identical capabilities |
| Support | Microsoft support | Same Microsoft support |
There is no functional difference. It’s a rebrand, not a new product or upgrade.
Why the Confusion Exists
Common questions we hear:
Q: “Do I need to migrate from Azure AD to Entra ID?”
A: No. You’re already using Entra ID. Microsoft changed the name automatically.
Q: “Will my Azure AD licences become Entra ID licences?”
A: They already did. Same licences, new label.
Q: “Is Entra ID newer/better than Azure AD?”
A: It’s not newer—it’s the same service. The technology is continuously updated regardless of name.
Q: “Should I tell my IT provider we want Entra instead of Azure AD?”
A: Both terms are fine. Any competent IT provider understands they’re the same.
What You Should Call It
In 2025 and beyond:
- Official documentation: “Microsoft Entra ID”
- Microsoft support: “Entra ID”
- General conversation: Either name works
- Technical discussions: Increasingly “Entra ID”
Our advice: Start using “Microsoft Entra ID” to stay current, but don’t worry if you say “Azure AD”—everyone still understands.
Do Small Businesses Need Microsoft Entra ID?
This is the critical question. Microsoft Entra ID for small business isn’t a one-size-fits-all answer. Here’s how to determine if your business needs it.
You Already Have Entra ID (Basic) If…
If you use Microsoft 365, you already have Microsoft Entra ID Free tier. It’s automatically included with:
- Microsoft 365 Business Basic
- Microsoft 365 Business Standard
- Microsoft 365 Business Premium
- Any Microsoft 365 subscription
You’re already using Entra ID when you:
- Log into Microsoft 365
- Reset passwords through the Microsoft portal
- Add new users to your Microsoft 365 account
- Use OneDrive, Teams, Outlook, or SharePoint
So the real question isn’t “Do I need Entra ID?” but rather “Do I need the paid premium versions?”
When Small Businesses Should Upgrade to Paid Entra ID
You should consider Entra ID P1 or P2 if:
✓ You have 10+ employees
- Greater security risks with more users
- More complex access requirements
- Need for automated user management
✓ Employees work remotely or use mobile devices
- Requires conditional access policies
- Device management integration
- Location-based access controls
✓ You handle sensitive data
- Client information (legal, financial, healthcare)
- Financial records
- Intellectual property
- Compliance requirements (GDPR, industry regulations)
✓ You’ve had security incidents
- Previous breaches or near-misses
- Phishing attempts targeting staff
- Unauthorised access attempts
✓ You use multiple cloud applications
- Salesforce, Zoom, Dropbox, Adobe, etc.
- Want single sign-on across all apps
- Need centralised access control
✓ Your industry has compliance requirements
- Legal practices (SRA regulations)
- Financial services (FCA requirements)
- Healthcare (CQC, data protection)
- Any regulated industry
✓ You’re growing and need scalability
- Adding employees regularly
- Expanding to new locations
- Need efficient user onboarding/offboarding
When Small Businesses Can Skip Premium Entra ID
The free tier is probably sufficient if:
❌ You have under 5 employees
❌ Everyone works in the same office
❌ You only use Microsoft 365 applications
❌ You have minimal sensitive data
❌ No compliance requirements
❌ Very limited budget for IT security
❌ Simple access needs (everyone has same permissions)
Honest assessment: Even if you meet these criteria, you should still turn on MFA for every account. On the Free tier the quickest way is Security Defaults, a single tenant switch that requires MFA for all users and blocks legacy (basic) authentication at no cost.
Decision Framework: Do You Need Premium Entra ID?
Ask yourself these questions:
| Question | If Yes… |
|---|---|
| Do you have remote employees? | Consider P1 (conditional access) |
| Do employees access work from personal devices? | Consider P1 (device policies) |
| Do you need to restrict access by location? | Consider P1 (conditional access) |
| Is your industry regulated? | Likely need P1 minimum |
| Do employees use risky/old passwords? | Consider P1 (password protection) |
| Have you had phishing attempts? | Consider P1 or P2 (identity protection) |
| Do you need detailed security reports? | Consider P2 (advanced reporting) |
| Is automated security response important? | Consider P2 (identity protection) |
Score:
- 0-2 “yes” answers: Free tier is probably fine (but enable MFA!)
- 3-5 “yes” answers: Strongly consider Entra ID P1
- 6+ “yes” answers: You should be using Entra ID P1 or P2
Real-World Small Business Scenarios
Scenario 1: 8-Person Accounting Firm in Chichester
Situation:
- Handle sensitive financial data
- FCA compliance requirements
- Staff work from home 2 days/week
- Use Microsoft 365 and cloud accounting software
Recommendation: Entra ID P1
- Conditional access ensures secure remote access
- Password protection prevents weak passwords
- Compliance reporting for audits
- Single sign-on to accounting applications
Cost: £37.60/month (8 users × £4.70)
Value: Compliance, security, reduced breach risk
Scenario 2: 15-Person Marketing Agency in Worthing
Situation:
- Fully remote workforce
- Use 10+ different cloud applications
- Handle client intellectual property
- Multiple freelancer/contractor logins
Recommendation: Entra ID P2
- Advanced identity protection for higher risk profile
- Conditional access for remote/mobile workforce
- Privileged identity management for admin access
- Guest access management for contractors
- Risk-based policies for suspicious behaviour
Cost: £106.50/month (15 users × £7.10)
Value: Advanced protection for high-risk remote setup
Scenario 3: 4-Person Local Retail Business
Situation:
- Work only from one location
- Use Microsoft 365 for email and file storage
- Minimal sensitive data
- Very tight budget
Recommendation: Entra ID Free (included with M365)
- Enable MFA for all accounts (free; turn on Security Defaults)
- Basic password policies (free)
- Standard access controls (free)
Cost: £0 (included)
Note: Still enable MFA—it’s the most important security control and it’s free
Learn more about comprehensive IT security for small businesses.
Key Microsoft Entra ID Features for Small Businesses
Understanding which Microsoft Entra ID for small business features actually matter helps you avoid paying for capabilities you’ll never use.
Features Every Small Business Should Use (Free Tier)
1. Multi-Factor Authentication (MFA)
What it is: Requires a second proof of identity at sign-in (password plus an Authenticator prompt, a one-time code or a security key)
Why it matters: Microsoft’s figures put MFA at blocking more than 99.9% of automated account-compromise attacks; it is the single most effective control you can switch on
How to use it:
- Enable for all user accounts, admins first; on the Free tier use Security Defaults (P1 lets you do the same, more selectively, with Conditional Access)
- Use the Microsoft Authenticator app with number matching rather than SMS or voice codes, which can be intercepted or SIM-swapped
- Require it for every sign-in, not just remote access; attackers do not come in through the office door
Cost: Included free with Microsoft 365
2. Self-Service Password Reset
What it is: Employees can reset forgotten passwords without calling IT support
Why it matters:
- Reduces IT support burden
- Gets employees back to work faster
- Reduces helpdesk costs
Typical scenario: Employee forgets password on Monday morning, can reset immediately instead of waiting for IT support.
Cost: Free tier (basic), P1 (advanced features like password writeback)
3. User and Group Management
What it is: Centralised control over who has accounts and what groups they belong to
Why it matters:
- Easier onboarding/offboarding
- Consistent access policies
- Simplified administration
Example: New employee automatically gets access to all necessary applications when added to “Marketing Team” group.
Cost: Included free
4. Single Sign-On (SSO) – Basic
What it is: One login for multiple applications
Why it matters:
- Fewer passwords to remember
- Improved employee experience
- Better security (fewer password resets)
Free tier limitation: apps have to be assigned to users one at a time; assigning an app to a group (so everyone in “Sales” gets Salesforce) and self-service app requests are P1 features. The old cap of 10 apps per user no longer appears on Microsoft’s pricing page.
Example: Log into Microsoft 365, automatically logged into SharePoint, OneDrive, Teams without re-entering password.
Cost: Free (per-user assignment), P1 (group-based assignment and self-service access)
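The two Free-tier actions above that matter most are finding out who has not registered MFA and switching Security Defaults on. This is an added example, not code from the article or from Microsoft: it assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph), an account with Global Reader or Security Administrator rights, and that the authentication-methods registration report is available in your tenant (Microsoft documents it as needing a P1/P2 licence in some tenants; if it is, the Security Defaults part still works on Free).

```powershell
# Added example, not from the original article or Microsoft's own tooling.
# Assumes Microsoft Graph PowerShell and delegated admin rights in the tenant.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# 1. Who has no MFA method registered? Admins are listed first because they are
#    the accounts an attacker most wants.
#    (Assumption: this report is licensed in your tenant; see lead-in.)
$details      = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$unregistered = @($details | Where-Object { -not $_.IsMfaRegistered })

"{0} of {1} users have no MFA method registered" -f $unregistered.Count, $details.Count
$unregistered |
    Sort-Object -Property IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize

# Phone-based factors count as "registered" but are the weakest option (SIM swap,
# SS7 interception); flag users who have nothing stronger than a phone number.
$phoneMethods = 'mobilePhone', 'alternateMobilePhone', 'officePhone'
$phoneOnly = @($details | Where-Object {
    $_.IsMfaRegistered -and
    @($_.MethodsRegistered | Where-Object { $_ -notin $phoneMethods }).Count -eq 0
})
"{0} users rely only on phone-based MFA; move them to Microsoft Authenticator" -f $phoneOnly.Count

# 2. Turn on Security Defaults: blanket MFA registration for all users (14-day grace
#    period) plus a block on legacy authentication. It cannot coexist with enabled
#    Conditional Access policies, so on P1+ tenants use CA instead.
$uri     = 'https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy'
$current = Invoke-MgGraphRequest -Method GET -Uri $uri
if (-not $current.isEnabled) {
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ isEnabled = $true } -ContentType 'application/json'
    'Security Defaults enabled: users will be prompted to register Microsoft Authenticator at next sign-in.'
} else {
    'Security Defaults already enabled.'
}
```

Run the report part first and clear the admin accounts before flipping Security Defaults, otherwise the first person to be locked out by a missing Authenticator registration may be you.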
Critical Features for Growing Small Businesses (P1 Tier)
5. Conditional Access Policies
What it is: Context-based access rules (if X, then require Y)
Why it matters: Allows secure remote work whilst blocking suspicious access
Example policies (Conditional Access evaluates named locations, device state, application and client type; it does not know where “home” is unless you define it):
- “Require MFA for every sign-in unless it comes from the office’s static IP, which is registered as a trusted named location”
- “If the device is not Intune-compliant, block access to SharePoint and Exchange”
- “Block sign-ins from countries the business never operates in”
- “Block legacy authentication protocols (POP, IMAP, SMTP basic auth) that cannot do MFA”
- Reacting to impossible travel (UK, then China an hour later) is a risk detection, which needs Identity Protection and therefore P2
Real-world benefit: Employee travelling to Spain can still work (they just get an MFA prompt), but an attacker replaying a stolen password from a blocked country or over IMAP gets nowhere.
Cost: Entra ID P1 (£4.70/user/month)
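The policies described above, written out as an added example (this is not code from the article or from Microsoft). It assumes the Microsoft Graph PowerShell SDK, Conditional Access Administrator rights, a P1 licence, and two placeholders you would replace: the documentation IP range 203.0.113.0/24 standing in for your office egress address, and breakglass@contoso.onmicrosoft.com standing in for your emergency-access account. Every policy is created in report-only mode; enforce it only after the sign-in log shows it would block nothing legitimate.

```powershell
# Added example, not from the original article or Microsoft's own scripts.
# Placeholders: 203.0.113.0/24 (office IP) and breakglass@contoso.onmicrosoft.com.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All' -NoWelcome

# Emergency-access account, excluded from every policy so a mistake cannot lock the tenant.
$breakGlass = Get-MgUser -UserId 'breakglass@contoso.onmicrosoft.com'

# Office egress as a trusted named location. Only do this for a static, dedicated address;
# a home broadband or coffee-shop address changes too often to be "trusted".
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Head office egress'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' })
}

# Policy 1: MFA for all users, all apps, anywhere that is not a trusted location.
$mfaPolicy = @{
    displayName   = 'CA001 Require MFA outside trusted locations'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing report-only results
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: block legacy authentication (POP/IMAP/SMTP basic auth, old Office clients).
# These protocols cannot complete MFA and are what password-spray tooling targets.
$legacyPolicy = @{
    displayName   = 'CA002 Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 3: block sign-ins from countries the business never operates in.
$blockedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Blocked countries'
    countriesAndRegions               = @('KP', 'RU')   # placeholder list; set it to match your business
    includeUnknownCountriesAndRegions = $true
}
$countryPolicy = @{
    displayName   = 'CA003 Block sign-ins from blocked countries'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        locations      = @{ includeLocations = @($blockedCountries.Id) }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($p in $mfaPolicy, $legacyPolicy, $countryPolicy) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}
```

The trusted-location exclusion in CA001 is a convenience, not a security control: anyone on the office network, including a visitor on guest Wi-Fi that shares the same egress, skips the MFA prompt. If the office address is not strictly yours, drop the exclusion and require MFA everywhere.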
6. Password Protection
What it is: Stops users choosing passwords that are weak, guessable or built from your company’s own vocabulary
Features:
- Microsoft’s global banned password list, built from passwords seen in real attacks (“Password123”, “Summer2025”); this global list applies to cloud accounts on every tier, including Free
- A custom banned list for your own terms (“ATSConnection”, product names, the local football club), which is a P1 feature
- Fuzzy matching, so “P@ssw0rd” and “Passw0rd!” are caught as variants of “password”
- Enforcement inside an on-premises Active Directory domain via agents on your domain controllers (P1)
Why it matters: Weak and reused passwords remain one of the most common ways attackers get a first foothold, usually through password spraying or credential stuffing
Caveat: banned-password checking is not a check against breached-credential databases; that detection (leaked credentials) belongs to Identity Protection in P2
Example: Employee tries to set password “ATSConnection123” → blocked → must choose something not built from the company name
Cost: Global list free; custom list and on-premises enforcement need Entra ID P1
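To see why a password like “ATSConnection123” fails, it helps to run Microsoft’s documented scoring model locally. The function below is an added example, written for this page and not Microsoft’s code: it reproduces the normalisation (lower-case, then 0→o, 1→l, $→s, @→a), banned-term matching and the five-point threshold that Microsoft documents for Entra Password Protection. The service itself also does edit-distance fuzzy matching and checks the user’s first and last name; those steps are left out here, and the short global list is a constructed sample rather than Microsoft’s real one.

```powershell
# Added example: a local model of Entra Password Protection's documented scoring.
# Not Microsoft's code; the global list below is a constructed sample for illustration.
$GlobalBannedSample = @('password', 'blank', 'welcome', 'summer', 'winter', 'letmein', 'qwerty', 'football', 'admin')

function Test-PasswordProtectionScore {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$CustomBanned = @(),            # your tenant's list (P1): company name, products, local teams
        [string[]]$GlobalBanned = $GlobalBannedSample,
        [int]$MinimumScore = 5                    # Microsoft's documented threshold
    )

    # Step 1: normalisation as documented: lower-case, then 0->o, 1->l, $->s, @->a
    $normalised = $Password.ToLowerInvariant().Replace('0', 'o').Replace('1', 'l').Replace('$', 's').Replace('@', 'a')

    # Step 2: find banned terms, longest first so "password" is matched before "pass".
    # Terms shorter than four characters are ignored, as the service does.
    $terms = ($CustomBanned + $GlobalBanned) |
        ForEach-Object { $_.ToLowerInvariant() } |
        Where-Object { $_.Length -ge 4 } |
        Select-Object -Unique |
        Sort-Object -Property Length -Descending
    $remaining = $normalised
    $found = [System.Collections.Generic.List[string]]::new()
    foreach ($term in $terms) {
        $hits = [regex]::Matches($remaining, [regex]::Escape($term)).Count
        if ($hits -gt 0) {
            for ($i = 0; $i -lt $hits; $i++) { $found.Add($term) }
            $remaining = $remaining.Replace($term, "`0")   # blank the match so its letters are not counted again
        }
    }

    # Step 3: score = one point per banned term found + one point per leftover character
    $leftover = @($remaining.ToCharArray() | Where-Object { $_ -ne [char]0 }).Count
    $score = $found.Count + $leftover

    [pscustomobject]@{
        Password   = $Password
        Normalised = $normalised
        BannedHits = ($found -join ',')
        Score      = $score
        Accepted   = ($score -ge $MinimumScore)
    }
}

# Constructed sample run: the tenant has banned its own name "contoso"; "blank" is on the global list.
# C0ntos0Blank12  -> contoso(1) + blank(1) + 2 leftover = 4  -> rejected
# C0ntos0Blank123 -> 5 points                              -> accepted
# P@ssw0rd1       -> password(1) + 1 leftover = 2          -> rejected
# Winter2025!     -> winter(1) + 5 leftover = 6            -> accepted (see note)
'C0ntos0Blank12', 'C0ntos0Blank123', 'P@ssw0rd1', 'Winter2025!' |
    ForEach-Object { Test-PasswordProtectionScore -Password $_ -CustomBanned 'contoso' } |
    Format-Table -AutoSize
```

The last sample is the important one: “Winter2025!” passes because Password Protection is a banned-list check, not a strength meter. It removes the obvious guesses from a password-spray list; it does not replace MFA or a sensible minimum length.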
7. Application Proxy
What it is: Publishes on-premises web applications through Microsoft’s service with Entra ID sign-in (and MFA or Conditional Access) in front of them, so staff reach them without a VPN and without opening inbound firewall ports
Why it matters: If you still have an on-premises system (a line-of-business web app, an intranet, a local file portal), this is the safest way to make it reachable from home
Typical use: A lightweight connector is installed on a Windows server inside your network; users open the app from the My Apps portal and authenticate to Entra ID first
Cost: Entra ID P1 (included in Microsoft 365 Business Premium)
8. Group-Based App Assignment and Self-Service Access
What it is: Assign an application to a group rather than to each person, and let users request apps from the My Apps portal
Why it matters: As you add SaaS tools, access follows group membership, so onboarding and offboarding stay correct without per-app admin work
Example business: Uses Microsoft 365, Salesforce, Xero, Zoom, DocuSign, Adobe, Dropbox; the “Finance” group gets Xero, everyone gets Zoom, all behind one login
Cost: Entra ID P1
Advanced Features for High-Security Needs (P2 Tier)
9. Identity Protection
What it is: Microsoft’s risk-detection engine, fed by sign-in telemetry across all of its tenants, combined with policies that respond automatically
Capabilities:
- Detects risky sign-ins (anonymous IP, unfamiliar sign-in properties, impossible travel, known attacker infrastructure)
- Identifies leaked credentials by matching your users’ passwords against credential dumps Microsoft collects
- Assigns a risk level (low, medium, high) to each user and each sign-in
- Risk-based Conditional Access policies, which you configure, can then require MFA, force a password change or block the sign-in
- A confirmed leaked credential sets user risk to high, so a user-risk policy forces a password change at next sign-in
Real-world scenario:
- Employee’s password found in dark web breach
- Entra ID detects this automatically
- Forces password change before attacker can use it
- Potentially saves company from ransomware attack
Cost: Entra ID P2 (£7.10/user/month)
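The leaked-credential scenario above only plays out automatically if a risk policy exists to act on the detection. This is an added example (not from the article, not Microsoft’s code) showing the two standard risk policies plus a triage pass over users currently at risk; it assumes a P2 licence for the covered users (risk conditions are silently ignored without it), the Microsoft Graph PowerShell SDK, Security Administrator rights, and breakglass@contoso.onmicrosoft.com as a placeholder emergency-access account.

```powershell
# Added example, not from the original article or Microsoft's own scripts.
# Assumes Entra ID P2 for every user the policies cover.
Connect-MgGraph -Scopes 'IdentityRiskyUser.ReadWrite.All', 'IdentityRiskEvent.Read.All',
    'Policy.ReadWrite.ConditionalAccess', 'User.ReadWrite.All' -NoWelcome

$breakGlass = Get-MgUser -UserId 'breakglass@contoso.onmicrosoft.com'   # placeholder UPN

# Risk policies are ordinary Conditional Access policies with risk conditions.
# Sign-in risk medium/high -> MFA. User risk high -> MFA AND password change
# (Microsoft requires the two controls together for a password-change grant).
$signInRisk = @{
    displayName   = 'CA010 Sign-in risk medium or high requires MFA'
    state         = 'enabledForReportingButNotEnforced'   # enforce after reviewing report-only results
    conditions    = @{
        users            = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications     = @{ includeApplications = @('All') }
        signInRiskLevels = @('medium', 'high')
        clientAppTypes   = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$userRisk = @{
    displayName   = 'CA011 User risk high requires password change'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        userRiskLevels = @('high')
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }
}
foreach ($p in $signInRisk, $userRisk) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}

# Triage: every user currently flagged at risk, with the detections behind the flag.
$risky  = Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All
$report = foreach ($u in $risky) {
    $types = Get-MgRiskDetection -Filter "userId eq '$($u.Id)'" -All |
        Select-Object -ExpandProperty RiskEventType -Unique
    [pscustomobject]@{
        User       = $u.UserPrincipalName
        Level      = $u.RiskLevel
        Updated    = $u.RiskLastUpdatedDateTime
        Detections = ($types -join ', ')
        Id         = $u.Id
    }
}
$report | Format-Table User, Level, Updated, Detections -AutoSize

# Leaked credentials are not a maybe: confirm compromise (raises user risk to high so
# CA011 fires at next sign-in) and revoke refresh tokens so existing sessions die now.
$leaked = @($report | Where-Object { $_.Detections -match 'leakedCredentials' })
if ($leaked.Count -gt 0) {
    Confirm-MgRiskyUserCompromised -UserIds @($leaked.Id)
    foreach ($l in $leaked) { Revoke-MgUserSignInSession -UserId $l.Id | Out-Null }
    "{0} user(s) confirmed compromised and sessions revoked" -f $leaked.Count
}
```

Revoking sessions matters because a password change alone does not end a session that already holds a valid refresh token; the attacker who used the leaked password may still be signed in until the token is revoked.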
10. Privileged Identity Management (PIM)
What it is: Temporary, just-in-time admin access instead of permanent admin rights
Why it matters: Reduces risk of compromised admin accounts
How it works:
- Admin roles are held as “eligible” rather than permanently active
- The admin activates the role when needed, giving a justification (and, optionally, getting approval)
- The activation lasts a set time (e.g. 2 hours) and then expires automatically
- Every activation is logged and can raise an alert
- Keep one or two emergency-access (“break glass”) accounts with permanent Global Administrator rights, excluded from Conditional Access, with long random passwords stored offline and an alert on any sign-in
Example: IT technician needs to change a mail-flow rule → activates the Exchange Administrator role for 2 hours → fixes it → the role drops off automatically
Cost: Entra ID P2
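The activation step in the example above, as an added example (not from the article, not Microsoft’s code). It assumes a P2 licence for the admin, the Microsoft Graph PowerShell SDK, and that the signed-in user has already been made eligible for the Exchange Administrator role by a Privileged Role Administrator; the ticket reference in the justification is a placeholder.

```powershell
# Added example, not from the original article or Microsoft's own scripts.
# Assumes the signed-in user holds an *eligible* Exchange Administrator assignment.
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.Read.Directory', 'RoleAssignmentSchedule.ReadWrite.Directory',
    'RoleManagement.Read.Directory', 'User.Read' -NoWelcome

$user = Get-MgUser -UserId (Get-MgContext).Account
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"

# Sanity check before requesting: is there actually an eligible assignment to activate?
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'"
if (-not $eligible) {
    throw "No eligible assignment for $($role.DisplayName); ask a Privileged Role Administrator."
}

# Self-activate for two hours with a justification that lands in the audit log.
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = 'selfActivate'
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    justification    = 'Ticket INC-0000: fix mail-flow rule for sales shared mailbox'   # placeholder ticket
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'PT2H' }
    }
}
$request | Select-Object Status, Action, CreatedDateTime

# What this principal holds right now, with the expiry an auditor will want to see.
# (If the role requires approval, the instance appears only once it is approved.)
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$($user.Id)'" |
    Select-Object @{ n = 'Role'; e = { (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName } },
                  AssignmentType, EndDateTime
```

A permanent role assignment shows up in the same listing with an empty EndDateTime; that list, filtered for blanks, is the quickest way to find admin rights that PIM has not yet brought under control.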
11. Access Reviews
What it is: Periodic automated reviews of who has access to what
Why it matters: Prevents “access creep” where employees accumulate unnecessary permissions
How it works:
- Quarterly review prompt: “Should John still have access to Financial Drive?”
- Manager approves or removes access
- Automated enforcement of decisions
- Compliance reporting
Compliance benefit: ISO 27001 (review of access rights), Cyber Essentials and most audit frameworks expect periodic access reviews; under GDPR they are a common way to evidence the data-minimisation and accountability principles
Cost: Entra ID P2
Feature Comparison Table: Free vs P1 vs P2
| Feature | Free (M365 Included) | P1 (£4.70/user) | P2 (£7.10/user) |
|---|---|---|---|
| MFA | ✅ Yes | ✅ Yes | ✅ Yes |
| SSO to cloud apps | ✅ Unlimited, assigned per user | ✅ Plus group-based assignment and self-service access | ✅ Plus group-based assignment and self-service access |
| Self-service password reset | ✅ Cloud accounts | ✅ Plus on-premises password writeback | ✅ Plus on-premises password writeback |
| Conditional access | ❌ No (Security Defaults only) | ✅ Yes | ✅ Yes |
| Password protection | ✅ Global banned list only | ✅ Plus custom list and on-premises AD | ✅ Plus custom list and on-premises AD |
| Application proxy | ❌ No | ✅ Yes | ✅ Yes |
| Dynamic groups | ❌ No | ✅ Yes | ✅ Yes |
| Identity protection | ❌ No | ❌ No | ✅ Yes |
| Privileged identity management | ❌ No | ❌ No | ✅ Yes |
| Access reviews | ❌ No | ❌ No | ✅ Yes |
| Risk-based conditional access | ❌ No | ❌ No | ✅ Yes |
Note: Microsoft 365 Business Premium includes the full P1 column and Microsoft 365 E5 includes P2. P2 is licensed per user who benefits from the feature: a risk policy that covers everyone needs a P2 licence for everyone, whereas PIM only needs P2 for the people who hold eligible admin roles.
Microsoft Entra ID Pricing for Small Business
Understanding Microsoft Entra ID for small business pricing helps you budget accurately and choose the right tier.
Pricing Tiers (2025 UK Pricing)
| Tier | Price Per User/Month | What You Get |
|---|---|---|
| Entra ID Free | £0 (included with M365) | Users, groups, MFA (Security Defaults), SSO with per-user app assignment, global banned-password list |
| Entra ID P1 | £4.70 | Conditional access, custom banned passwords, group-based app assignment, dynamic groups, Application Proxy; also included in Microsoft 365 Business Premium and E3 |
| Entra ID P2 | £7.10 | Everything in P1 + Identity Protection, PIM, access reviews; included in Microsoft 365 E5 |
Important: Prices are per user per month when billed annually. Monthly billing may cost slightly more.
Total Cost Calculator for Small Businesses
Example costs by business size:
| Business Size | Free Tier | P1 Annual Cost | P2 Annual Cost |
|---|---|---|---|
| 5 users | £0 | £282/year | £426/year |
| 10 users | £0 | £564/year | £852/year |
| 15 users | £0 | £846/year | £1,278/year |
| 25 users | £0 | £1,410/year | £2,130/year |
| 50 users | £0 | £2,820/year | £4,260/year |
Calculation: Users × £4.70 × 12 months (P1) or Users × £7.10 × 12 months (P2)
What’s Included vs What Costs Extra
Included in Entra ID pricing: ✅ All user licences ✅ Unlimited device registration ✅ Basic support ✅ Standard integrations ✅ All tier-specific features
What typically costs extra:
- ❌ Microsoft 365 licences (separate cost: £4.50-£20/user/month depending on plan)
- ❌ Advanced support plans
- ❌ Some premium SaaS application integrations
- ❌ Third-party identity tools
- ❌ Professional implementation services
Hidden Costs to Consider
1. Implementation Time/Cost
- DIY setup: 4-12 hours of internal time
- Professional setup: £500-£2,000 for SMB
- Ongoing management: 1-3 hours/month internal time
2. Training
- User training: 30-60 minutes per employee
- Admin training: 4-8 hours
- Possible training materials: £200-£500
3. Integration with Existing Systems
- Most integrations: Included
- Complex on-premise integrations: May need professional help (£500-£2,000)
4. Device Management (if needed)
- Intune Plan 1 (device management) is a separate licence: £4.40/user/month
- Microsoft 365 Business Premium (£18.30/user/month) includes Intune together with full Entra ID P1 and Defender for Business, which is usually the cheaper route if you want device-compliance conditions in Conditional Access
ROI: Is Premium Entra ID Worth the Cost?
Cost-benefit analysis for 15-person business:
Entra ID P1 annual cost: £846/year
Potential savings/value:
| Benefit | Annual Value |
|---|---|
| Prevented data breach | £10,000-£100,000+ (avg small business breach cost: £25,000) |
| Reduced password reset support | £300-£600 (30 resets/year × £10-20 each) |
| Improved employee productivity | £1,000-£3,000 (SSO time savings, less downtime) |
| Avoided compliance fines | £1,000-£50,000+ (depends on regulations) |
| Reduced unauthorised access incidents | £500-£5,000 (per incident avoided) |
| Insurance premium reduction | £200-£800 (some cyber insurance discounts) |
Conservative estimate: £12,000-£25,000 in value/savings vs. £846 cost
ROI: 14:1 to 30:1 return on investment
Even if you prevent just ONE data breach, Entra ID P1 pays for itself many times over.
Licensing Simplification: Microsoft 365 Bundles
Entra ID P1 is included in:
- Microsoft 365 Business Premium (the SMB plan, capped at 300 users; it also includes Intune and Defender for Business)
- Microsoft 365 E3
- Enterprise Mobility + Security (EMS) E3
Entra ID P2 is included in:
- Microsoft 365 E5
- EMS E5
Not included: Office 365 E3, Microsoft 365 Business Basic and Business Standard only carry the Free tier.
For most SMBs:
- Business Basic or Standard plus the Entra ID P1 add-on if identity features are all you need
- Business Premium if you also want device management and endpoint protection; it usually works out cheaper than buying the pieces separately
- P2 as a per-user add-on on top of either, only if Identity Protection, PIM or access reviews are genuinely required
Payment Options
Annual prepayment:
- Lower per-user cost
- One annual payment
- Commitment for full year
Monthly payment:
- Slightly higher cost
- More flexibility
- Can cancel anytime
Most small businesses choose: Annual prepayment for cost savings, unless testing or uncertain about needs.
Entra ID Free vs P1 vs P2: Which Tier Does Your Small Business Need?
Let’s cut through the confusion and help you choose the right Microsoft Entra ID for small business tier.
Quick Decision Tree
Start here: Do you use Microsoft 365?
↓ Yes → You already have Entra ID Free
→ Are you satisfied with basic security (MFA, simple policies)?
↓ No (want better security)
→ Do you have remote workers or need conditional access?
↓ Yes → You need at least Entra ID P1
→ Do you have high security requirements or compliance needs?
↓ Yes → You need Entra ID P2
Detailed Tier Recommendations
Choose FREE (included with M365) if:
✓ Under 5 employees
✓ Everyone works in same office
✓ Only use Microsoft applications
✓ Minimal sensitive data
✓ No compliance requirements
✓ Very limited IT budget
But still enable: MFA (it’s free and critical)
Limitations you’ll accept:
- No Conditional Access (you can’t restrict by location, device or client app; Security Defaults gives you blanket MFA only)
- No custom banned-password list (Microsoft’s global list still applies)
- Apps must be assigned to users individually rather than to groups
- Basic reporting only (sign-in logs are kept for 7 days, versus 30 days on P1/P2)
Choose P1 (£4.70/user/month) if:
✓ 5-50 employees
✓ Remote or hybrid work
✓ Use multiple cloud applications
✓ Handle sensitive business data
✓ Want strong security without breaking budget
✓ Need location/device-based access control
✓ Want to prevent weak passwords
✓ Have basic compliance requirements
You gain:
- Conditional Access policies (huge security improvement)
- Custom banned passwords and on-premises password protection
- Group-based app assignment and self-service app access
- Application Proxy for on-premises apps
- Self-service password reset with on-premises writeback, and dynamic groups
P1 is the “sweet spot” for most small businesses.
Choose P2 (£7.10/user/month) if:
✓ 10+ employees with high security needs
✓ Handle extremely sensitive data (financial, health, legal)
✓ Regulatory compliance required (FCA, SRA, ISO 27001)
✓ Previous security incidents
✓ Want AI-powered threat detection
✓ Need admin access controls
✓ Required access reviews for compliance
✓ Can justify additional £2.40/user/month (£432/year for 15 users)
You gain:
- Identity protection (AI threat detection)
- Privileged identity management
- Access reviews (compliance)
- Risk-based conditional access
- Advanced security analytics
P2 is for businesses that can’t afford security compromises.
Industry-Specific Recommendations
| Industry | Recommended Tier | Why |
|---|---|---|
| Legal practices | P2 | SRA requirements, client confidentiality, compliance audits |
| Accountants | P1 or P2 | Financial data sensitivity, client trust, potential compliance |
| Healthcare | P2 | Patient data protection, CQC standards, regulatory compliance |
| Financial services | P2 | FCA requirements, financial data, strict compliance |
| Retail (small) | Free or P1 | Lower sensitivity, conditional access useful for multi-location |
| Professional services | P1 | Remote work, client data, multi-app usage |
| Manufacturing | P1 | Operational data, remote access, moderate security needs |
| Marketing/Creative | P1 | Remote teams, many cloud apps, client intellectual property |
| General SME | P1 | Best balance of security and cost |
Cost vs Security Trade-off
Visual representation:
Security Level ↑
P2 [████████████] Highest security - AI protection, PIM, compliance
£7.10/user Best for: Regulated industries, high sensitivity
P1 [████████░░░░] Strong security - Conditional access, password protection
£4.70/user Best for: Most SMBs, remote work, growing businesses
Free [████░░░░░░░░] Basic security - MFA, limited SSO
£0 Best for: Very small, office-only, tight budget
Cost →
Real Decision Examples
Example 1: 12-Person Architectural Firm
Needs:
- Remote work 3 days/week
- Client design files (intellectual property)
- Use Microsoft 365, Adobe, project management tools
- No specific regulatory requirements
Decision: Entra ID P1
- Conditional access for remote work
- Protect client IP with location policies
- SSO across multiple applications
- Cost: £676.80/year (12 users × £4.70 × 12 months) vs potential £20,000+ breach
Example 2: 8-Person Solicitor Practice
Needs:
- Extremely sensitive client data
- SRA compliance requirements
- Regular compliance audits
- Previous phishing attempts
- High-value targets for cyber criminals
Decision: Entra ID P2
- Identity protection catches sophisticated attacks
- PIM limits admin access
- Access reviews for compliance
- Risk-based policies
- Cost: £682/year vs £50,000+ compliance violation or breach
Example 3: 3-Person Local Shop
Needs:
- Email and basic file storage
- All work from shop location
- Minimal sensitive data
- Very tight budget
Decision: Entra ID Free
- Sufficient for basic needs
- Enable MFA (critical)
- No remote access needs
- Cost: £0 (already included in M365)
Can You Upgrade Later?
Yes! You can always upgrade:
Free → P1: Instant upgrade, start paying per user
P1 → P2: Instant upgrade, pay difference
P2 → P1: Downgrade at renewal
P1 → Free: Cancel premium, revert to free
Common path: Start with Free → Upgrade to P1 when you hire remote employees or grow past 10 people → Upgrade to P2 if compliance requires
No migration needed: It’s the same system, just enabling more features.
Learn about comprehensive IT security for small businesses
How Microsoft Entra ID Works with Microsoft 365
If your small business uses Microsoft 365, understanding how Microsoft Entra ID for small business integrates with it is essential.
The Foundation: Entra ID Powers Microsoft 365
Microsoft Entra ID is not optional with Microsoft 365—it’s the underlying identity system.
Every time you or your employees use Microsoft 365, you’re using Entra ID:
✓ Logging into Outlook → Entra ID authenticates
✓ Accessing SharePoint → Entra ID authorises
✓ Opening Teams → Entra ID verifies identity
✓ Using OneDrive → Entra ID controls access
✓ Mobile device access → Entra ID manages
Think of it this way: Microsoft 365 is the applications (Outlook, Word, Excel, Teams), and Entra ID is the security guard that decides who gets in.
What’s Included with Microsoft 365 Subscriptions
With any Microsoft 365 Business subscription, you automatically get:
- Entra ID Free tier
- User account management
- Basic MFA (multi-factor authentication)
- Single sign-on to cloud apps (apps assigned per user)
- Microsoft Entra join (formerly Azure AD Join) for Windows devices
- Self-service password reset (basic)
- Group management
You’re already using Entra ID if you:
- Add users in Microsoft 365 admin centre
- Set up MFA for email accounts
- Manage permissions in SharePoint
- Control Teams access
You DON’T get with Business Basic or Business Standard (Business Premium includes all of the P1 items):
- Conditional Access (requires P1)
- Custom banned-password lists (requires P1)
- Group-based app assignment (requires P1)
- Identity Protection (requires P2)
Microsoft 365 Plans and Entra ID
| Microsoft 365 Plan | Entra ID Included | Monthly Cost/User |
|---|---|---|
| Business Basic | Free tier | £4.50 |
| Business Standard | Free tier | £10.00 |
| Business Premium | Full P1 (plus Intune and Defender for Business) | £18.30 |
| E3 (Enterprise) | P1 included | £28.10 |
| E5 (Enterprise) | P2 included | £49.60 |
Business plans are capped at 300 users, which is rarely a concern for an SME.
For most SMBs: Business Standard (£10/user) + Entra ID P1 separately (£4.70/user) = £14.70/user total covers the identity features
Alternative: Business Premium (£18.30/user) includes full P1 plus Intune device management and Defender for Business endpoint protection for a further £3.60/user; if you want “only compliant devices” rules in Conditional Access, this is the better buy
Integration Benefits
1. Seamless User Management
When you add a user in Microsoft 365 admin centre, you’re actually creating an Entra ID account. This account then works across:
- All Microsoft 365 apps
- Azure services (if you use them)
- Integrated third-party applications
- Windows device sign-in
One identity, everywhere.
2. Unified Security Policies
With Entra ID P1/P2, set policies that apply across all Microsoft 365 services:
Example policy: “Users accessing Outlook on mobile must use MFA”
- Applies to Outlook app
- Applies to Outlook Web Access
- Applies to Teams mobile
- Applies to all Microsoft 365 mobile apps
- One policy, everywhere
3. Device Management Integration
Entra ID works with Microsoft Intune (device management) for:
- Windows device management
- Mobile device policies
- Application protection
- Conditional access by device compliance
Example: “Only company-managed devices can access SharePoint”
4. Simplified Third-Party App Access
With Entra ID, employees use their Microsoft 365 login for:
- Salesforce
- Adobe Creative Cloud
- Zoom
- Slack
- Thousands of other business applications
No separate passwords for each app = better security and user experience.
Practical Example: A Day in the Life with Entra ID + M365
Sarah, Marketing Manager, starts her workday:
8:00 AM – Opens laptop
→ Signs in with Entra ID (Windows Hello)
→ Automatically logged into Microsoft 365
8:15 AM – Checks email in Outlook
→ No additional login needed (SSO via Entra ID)
9:00 AM – Joins Teams video call from coffee shop
→ Entra ID P1 conditional access: “Unusual location detected”
→ Requires additional MFA verification
→ Sarah approves on phone, gains access
→ Security maintained without disrupting legitimate work
10:30 AM – Needs to access Salesforce
→ Clicks Salesforce link
→ Entra ID SSO: automatically logged in
→ No password to remember
11:00 AM – Uploads client proposal to SharePoint
→ Entra ID checks permissions
→ Grants access based on security group
→ Seamless experience
2:00 PM – Accesses company files on mobile phone
→ Entra ID device compliance check
→ Requires MFA (mobile device)
→ Access granted after verification
Throughout the day:
- Entra ID monitors all activity
- Detects and blocks suspicious sign-ins
- Enforces security policies automatically
- Sarah works productively without thinking about IT security
That’s the power of Entra ID integration with Microsoft 365.
Common Integration Scenarios
Scenario 1: Secure Remote Access
Goal: Employees work from home securely
Entra ID + M365 solution:
- Conditional access policy: “From home office IP, allow; from public WiFi, require MFA”
- Employees access Outlook, Teams, SharePoint seamlessly
- Suspicious logins automatically blocked
- All activity logged for compliance
Scenario 2: Guest/Contractor Access
Goal: Give contractors temporary access to specific SharePoint folders
Entra ID + M365 solution:
- Create guest account in Entra ID
- Grant access to specific SharePoint sites
- Require MFA for guest access
- Set access expiration (30 days)
- Guest uses their own email to log in
- Access automatically expires
Scenario 3: Mobile Device Management
Goal: Employees use personal phones for work email safely
Entra ID + M365 + Intune solution:
- Entra ID device registration
- Conditional access: “Only compliant devices access email”
- Intune enforces: PIN requirement, encryption, no jailbroken devices
- Employee’s personal phone complies → gets access
- If device becomes non-compliant → access automatically revoked
Common Use Cases: Microsoft Entra ID for Small Businesses
Real-world examples of how Microsoft Entra ID for small business solves actual problems.
Use Case 1: Preventing Account Compromise
Problem: Employee clicked phishing link, entered password on fake Microsoft login page. Attacker now has credentials.
Without Entra ID Premium:
- Attacker logs in successfully
- Access all company email and files
- Potential data breach
- Cost: £10,000-£50,000+ to remediate
With Entra ID P2:
- Attacker tries to log in from Russia
- Entra ID identity protection detects: “Impossible travel” (UK to Russia in 2 hours)
- Automatically blocks login
- Alerts IT administrator
- Forces employee password reset
- Breach prevented
Outcome: £50,000 breach prevented by £85/year licence (£7.10 × 12 months)
Use Case 2: Simplifying Multi-App Access
Problem: Company uses Microsoft 365, Xero accounting, Salesforce CRM, Adobe Creative Cloud. Employees juggle 4 sets of credentials, frequently forget passwords.
Pain points:
- 10-15 password reset requests per month
- Employees write passwords down (security risk)
- IT spends 3-5 hours/month on password resets
- Employee frustration
With Entra ID P1 (SSO):
- One login for all applications
- Entra ID handles authentication
- Employees remember one strong password
- Password resets drop to 1-2/month
- IT time saved: 3-4 hours/month
ROI:
- Cost: £564/year (12 users × £4.70 × 12 months)
- IT time saved: 40 hours/year × £30/hour = £1,200
- Improved productivity: Immeasurable
- Better security: Fewer written-down passwords
Use Case 3: Secure Remote Work
Problem: An 8-person solicitor practice. Staff who started working from home during COVID have continued hybrid working, and the practice is concerned about client files being accessed from home networks.
Security concerns:
- Home networks less secure than office
- Client confidentiality requirements
- SRA compliance obligations
- Potential unauthorised access
With Entra ID P1:
- Conditional access policy created:
- From office network: normal access
- From known home IPs: require MFA
- From unknown locations: block or require approval
- From risky locations (foreign countries): block
- Additional policy:
- Only company-managed devices can access sensitive files
- Personal devices blocked from client folders
- Result:
- Secure remote work enabled
- Compliance maintained
- Client data protected
- Staff productivity maintained
Compliance benefit: Can demonstrate to SRA that appropriate security controls are in place.
Use Case 4: Managing Contractor Access
Problem: Marketing agency uses 5 full-time staff plus 3-8 freelancers depending on projects. Freelancers need temporary access to specific client folders, but not company financials or other client work.
Challenges:
- Giving full access too risky
- Managing temporary accounts manually time-consuming
- Forgetting to remove access when project ends
- Contractors shouldn’t see confidential business info
With Entra ID P1:
- Guest accounts for contractors (free)
- Conditional access: Guests can only access specific SharePoint sites
- Access reviews every 90 days
- Automatic access expiration after project end date
- MFA required for all guest access
Implementation:
- Create guest account
- Assign to “Client X Project” security group
- Group has access only to Client X SharePoint folder
- Set expiration: Project end date + 7 days
- Automatic removal, no manual follow-up needed
Result:
- Secure contractor collaboration
- Automatic access control
- Reduced admin burden
- Better client data protection
Use Case 5: Preventing Weak Passwords
Problem: 15-person company had several accounts compromised via password guessing. Employees were using weak passwords like “CompanyName2024” and “Summer2025”.
Why it happened:
- No password complexity enforcement
- Employees chose easy-to-remember passwords
- No checking against known breached passwords
With Entra ID P1 (Password Protection):
- Custom banned password list created:
- Company name variations
- Location names
- Industry terms
- Common patterns
- Microsoft’s global banned password list enabled:
- Blocks 500+ common passwords
- Checks against known breach databases
- Employee tries to set “ATSConnection2025”:
- Blocked automatically
- Must choose stronger password
- Guided to better options
Outcome:
- Zero compromises via password guessing in 12 months
- Improved overall security posture
- Minimal user disruption (most users set stronger passwords first time)
Use Case 6: Audit and Compliance Reporting
Problem: Accountancy firm needs to demonstrate compliance with professional standards. Auditor asks: “Who has access to client files? How do you review this? Can you prove appropriate access controls?”
Without premium Entra ID:
- Manual spreadsheet of permissions
- Time-consuming to create
- Quickly outdated
- No automated reviews
- Difficult to prove ongoing compliance
With Entra ID P2 (Access Reviews):
- Automated quarterly access reviews:
- “Should these 8 people still access Client X financial files?”
- Sent to practice manager
- Manager approves or removes access
- Enforcement automatic
- Audit reporting:
- Complete access history
- Who accessed what and when
- Who approved access
- When reviews occurred
- Automatic compliance documentation
- Auditor visit:
- Generate report in 5 minutes
- Shows systematic access governance
- Demonstrates compliance
- Professional standards met
Compliance value: Can mean the difference between a clean audit and compliance issues. Peace of mind: Priceless.
How to Set Up Microsoft Entra ID for Your Small Business
A practical guide to implementing Microsoft Entra ID for small business without getting overwhelmed.
Before You Start: Prerequisites
You’ll need:
✓ Microsoft 365 subscription (any business plan)
✓ Global administrator access to Microsoft 365
✓ List of users who need accounts
✓ Organisational structure (departments, teams)
✓ 2-4 hours for initial setup
✓ Decision on which Entra ID tier (Free/P1/P2)
Optional but helpful:
- List of third-party applications to integrate
- Security policies document
- Device management requirements
- Compliance requirements list
Step 1: Access Entra ID Admin Centre
You’re already using Entra ID Free if you have M365. To configure it:
- Go to admin.microsoft.com (Microsoft 365 admin centre)
- Sign in with global administrator account
- In left menu, select Identity or Azure AD / Entra ID
- This opens Entra ID admin centre (entra.microsoft.com)
Or directly: Go to entra.microsoft.com and sign in
First time: Interface shows current users (imported from M365) and basic settings
Step 2: Enable Multi-Factor Authentication (Critical – Do This First!)
This is the single most important security step. It’s free and takes 15 minutes.
- In Entra ID admin centre, go to Users → All users
- At top, click Per-user MFA (or Multi-factor authentication)
- Select all users (or specific users)
- Click Enable in right panel
- Confirm enabling MFA
User experience:
- Next time users log in, prompted to set up MFA
- Choose method: Mobile app (recommended), SMS, phone call
- Takes 2-3 minutes per user
- Required for every login going forward
Pro tip: Enable for administrators first, then roll out to all users with advance notice.
Step 3: Organise Users into Groups (Foundation for Access Control)
Why groups matter: Instead of giving permissions to individuals, assign to groups. Much easier to manage.
Common group structure for small businesses:
- Go to Groups → All groups → New group
- Create security groups:
- All Staff (everyone)
- Management (directors, managers)
- Finance Team
- Sales Team
- IT Administrators
- etc.
- Add members to each group
- Use groups to:
- Assign application access
- Control SharePoint permissions
- Apply conditional access policies
- Simplify administration
Example: Instead of giving 8 people individual access to accounting software, add them to the “Finance Team” group and give the group access to the application. New finance hire? Just add them to the group.
Step 4: Set Up Single Sign-On for Third-Party Apps (P1 Feature)
If you have Entra ID P1/P2 and use other business applications:
- Go to Enterprise applications → All applications
- Click New application
- Search for your application (Salesforce, Zoom, Adobe, etc.)
- Click the application, then Create
- Follow setup wizard:
- Configure single sign-on
- Assign users or groups
- Test SSO connection
Popular SME applications with Entra ID SSO:
- Salesforce
- Xero
- Adobe Creative Cloud
- Zoom
- Slack
- Dropbox Business
- DocuSign
- And 3,000+ others
Setup time: 10-15 minutes per application
Step 5: Configure Conditional Access Policies (P1 Feature)
If you have Entra ID P1 or P2, this is where the real security improvements happen.
Basic conditional access policy for small business:
Policy 1: Require MFA for Administrators
- Go to Protection → Conditional Access → New policy
- Name: “Require MFA for Admins”
- Assignments:
- Users: Select “IT Administrators” group
- Cloud apps: All cloud apps
- Conditions: Any
- Access controls:
- Grant access
- Require multi-factor authentication
- Enable policy: On
- Create
Policy 2: Block Access from Risky Locations
- New policy → Name: “Block High-Risk Countries”
- Assignments:
- Users: All users
- Cloud apps: All apps
- Conditions → Locations:
- Exclude: United Kingdom, trusted countries
- Include: All other locations (or specifically risky countries)
- Access controls:
- Block access
- Enable policy: On (or Report-only to test first)
Policy 3: Require MFA for Remote Access
- New policy → Name: “MFA for Remote Access”
- Assignments:
- Users: All users
- Cloud apps: Office 365
- Conditions → Locations:
- Exclude: Office IP address
- Include: Any location
- Access controls:
- Grant access
- Require multi-factor authentication
- Enable
Result: Office access normal, remote access requires MFA
Policy 4: Block Personal Devices from Sensitive Data (Advanced)
- New policy → Name: “Managed Devices for Sensitive Apps”
- Assignments:
- Users: All users
- Cloud apps: SharePoint, OneDrive (or specific sensitive sites)
- Conditions → Device state:
- Include: Any device
- Exclude: Device marked compliant (requires Intune)
- Access controls:
- Block access (or require device compliance)
- Enable
Note: Requires device management (Intune) to work properly
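The four Step 5 policies written out as Microsoft Graph conditional access policy bodies, with a pre-flight check for two of the mistakes covered under Common Setup Mistakes (enforcing straight away, and forgetting to exclude the break-glass account). This is an added example, not code from the article or from Microsoft; the object IDs are placeholders you would replace with your own tenant’s values, and the SharePoint app ID in Policy 4 is likewise a placeholder.

```python
"""Added example (not code from the original article or from Microsoft): the
four Step 5 policies written as Microsoft Graph conditionalAccessPolicy bodies,
plus a pre-flight check for two of the setup mistakes the article lists,
enforcing straight away and forgetting to exclude the break-glass account.
Every object ID below is a constructed placeholder for your tenant's values."""
import json

# Placeholders (assumed): replace with object IDs from your own tenant.
BREAK_GLASS_USER_ID = "PLACEHOLDER-break-glass-user-object-id"
IT_ADMINS_GROUP_ID = "PLACEHOLDER-it-administrators-group-id"
OFFICE_NAMED_LOCATION_ID = "PLACEHOLDER-office-ip-named-location-id"
UK_NAMED_LOCATION_ID = "PLACEHOLDER-united-kingdom-named-location-id"
SHAREPOINT_APP_ID = "PLACEHOLDER-sharepoint-online-app-id"

# Graph 'state' value that corresponds to Report-only in the portal.
REPORT_ONLY = "enabledForReportingButNotEnforced"

MFA = {"operator": "OR", "builtInControls": ["mfa"]}
BLOCK = {"operator": "OR", "builtInControls": ["block"]}
COMPLIANT_DEVICE = {"operator": "OR", "builtInControls": ["compliantDevice"]}


def policy(name, users, apps, grant, locations=None):
    """Assemble one policy body. The break-glass account is always excluded
    and the policy always starts in Report-only, whatever the caller passes."""
    users = dict(users)
    excluded = set(users.get("excludeUsers", [])) | {BREAK_GLASS_USER_ID}
    users["excludeUsers"] = sorted(excluded)
    conditions = {"users": users, "applications": apps, "clientAppTypes": ["all"]}
    if locations:
        conditions["locations"] = locations
    return {"displayName": name, "state": REPORT_ONLY,
            "conditions": conditions, "grantControls": grant}


def build_policies():
    """The four policies from Step 5, keyed by display name."""
    policies = [
        # Policy 1: MFA for the IT Administrators group on every cloud app
        policy("Require MFA for Admins", {"includeGroups": [IT_ADMINS_GROUP_ID]},
               {"includeApplications": ["All"]}, MFA),
        # Policy 2: block every location except the UK named location
        policy("Block High-Risk Countries", {"includeUsers": ["All"]},
               {"includeApplications": ["All"]}, BLOCK,
               locations={"includeLocations": ["All"],
                          "excludeLocations": [UK_NAMED_LOCATION_ID]}),
        # Policy 3: MFA for Office 365 from anywhere except the office IP
        policy("MFA for Remote Access", {"includeUsers": ["All"]},
               {"includeApplications": ["Office365"]}, MFA,
               locations={"includeLocations": ["All"],
                          "excludeLocations": [OFFICE_NAMED_LOCATION_ID]}),
        # Policy 4: SharePoint only from Intune-compliant devices. Granting
        # "compliantDevice" gives the same outcome as the article's
        # block-unless-compliant wording, expressed as a grant control.
        policy("Managed Devices for Sensitive Apps", {"includeUsers": ["All"]},
               {"includeApplications": [SHAREPOINT_APP_ID]}, COMPLIANT_DEVICE),
    ]
    return {p["displayName"]: p for p in policies}


def lint(body):
    """Pre-flight problems for one policy body; an empty list means it is
    safe to create. The checks mirror the 'Common Setup Mistakes' list."""
    problems = []
    cond = body["conditions"]
    users = cond["users"]
    controls = body["grantControls"]["builtInControls"]
    if body["state"] == "enabled":
        problems.append("enforced immediately: create in Report-only first")
    if BREAK_GLASS_USER_ID not in users.get("excludeUsers", []):
        problems.append("break-glass account not excluded")
    everyone_everything = (users.get("includeUsers") == ["All"]
                           and cond["applications"].get("includeApplications") == ["All"])
    if ("block" in controls and everyone_everything
            and not cond.get("locations", {}).get("excludeLocations")):
        problems.append("blocks all users on all apps with no exclusion: lockout risk")
    return problems


def lint_all(policies):
    """Map display name -> problems for every policy; all empty is a pass."""
    return {name: lint(body) for name, body in policies.items()}


if __name__ == "__main__":
    pols = build_policies()
    for name, problems in lint_all(pols).items():
        print(name, "->", problems or "OK")
    # These bodies are what you would POST to /identity/conditionalAccess/policies
    print(json.dumps(pols["MFA for Remote Access"], indent=2))
```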
Step 6: Enable Password Protection (P1 Feature)
- Go to Protection → Authentication methods → Password protection
- Custom banned passwords:
- Add company name variations
- Add location names
- Add industry terms
- Add common local patterns
Example: “ATSConnection”, “Arundel”, “Sussex”, “Worthing”, “Chichester”
- Enable Custom smart lockout (prevents brute force attacks)
- Enforce for Azure AD: Set to “Enforced”
- Save
Effect: Users cannot set weak or company-specific passwords. Stronger security immediately.
Step 7: Configure Self-Service Password Reset
Reduces IT support burden significantly.
- Go to Users → Password reset
- Self-service password reset enabled: Select “All” or specific groups
- Authentication methods: Require 2 methods:
- Mobile phone
- Security questions
- Registration: Require users to register on next sign-in
- Notifications: Enable notifications to users and admins
- Save
User experience:
- Employee forgets password
- Goes to password reset portal
- Verifies identity with 2 methods
- Resets password immediately
- Back to work in 2 minutes
Step 8: Set Up Monitoring and Alerts
Stay informed about security events:
- Go to Monitoring → Sign-ins
- Review who’s logging in and from where
- Look for suspicious activity
- Go to Security → Risky users (P2 feature)
- See users with detected risks
- Investigate and remediate
- Set up alerts:
- Go to Monitoring → Alerts
- Create alert rules for:
- Failed sign-in attempts (multiple)
- Risky sign-ins
- Admin activity
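The Step 8 checks (multiple failed sign-ins, impossible travel as in Use Case 1, sign-ins from outside the expected country) run offline over a few constructed Entra sign-in records. This is an added example rather than the article’s or Microsoft’s code; the field names follow the sign-in log export, and every user, IP address and timestamp is made up for the example.

```python
"""Added example (not from the original article): the Step 8 checks run offline
over a handful of constructed Entra sign-in records. Field names follow the
sign-in log export (userPrincipalName, createdDateTime, ipAddress,
location.countryOrRegion, status.errorCode, riskLevelDuringSignIn);
every value below is made up for the example."""
from collections import defaultdict
from datetime import datetime, timedelta


def rec(user, when, ip, country, error=0, risk="none"):
    """Build one sign-in record in the export shape (values are constructed)."""
    return {"userPrincipalName": user, "createdDateTime": when, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": error},
            "riskLevelDuringSignIn": risk}


# Constructed sample: Sarah's phished credentials used from abroad (Use Case 1),
# Tom's account under password guessing, Amy working from holiday in Spain.
SAMPLE_SIGNINS = [
    rec("sarah@example.com", "2025-03-03T08:04:00Z", "203.0.113.10", "GB", error=50126),
    rec("sarah@example.com", "2025-03-03T08:05:00Z", "203.0.113.10", "GB"),
    rec("sarah@example.com", "2025-03-03T09:40:00Z", "198.51.100.7", "RU", risk="high"),
    rec("amy@example.com", "2025-03-02T17:00:00Z", "203.0.113.10", "GB"),
    rec("amy@example.com", "2025-03-03T10:00:00Z", "192.0.2.55", "ES"),
] + [
    rec("tom@example.com", f"2025-03-03T07:5{m}:00Z", "198.51.100.9", "GB", error=50126)
    for m in range(6)  # six wrong-password attempts in six minutes
]


def parse_time(value):
    """Sign-in timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def failed_signin_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed sign-ins inside any `window`.
    Returns {user: highest count seen in one window}."""
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] != 0:
            failures[r["userPrincipalName"]].append(parse_time(r["createdDateTime"]))
    flagged = {}
    for user, times in failures.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            best = max(best, in_window)
        if best >= threshold:
            flagged[user] = best
    return flagged


def impossible_travel(records, max_gap=timedelta(hours=2)):
    """Consecutive successful sign-ins by one user from two different
    countries within `max_gap` (the UK-to-Russia-in-two-hours case)."""
    ok = sorted((r for r in records if r["status"]["errorCode"] == 0),
                key=lambda r: (r["userPrincipalName"], parse_time(r["createdDateTime"])))
    hits = []
    for prev, cur in zip(ok, ok[1:]):
        same_user = prev["userPrincipalName"] == cur["userPrincipalName"]
        moved = prev["location"]["countryOrRegion"] != cur["location"]["countryOrRegion"]
        gap = parse_time(cur["createdDateTime"]) - parse_time(prev["createdDateTime"])
        if same_user and moved and gap <= max_gap:
            hits.append((cur["userPrincipalName"], prev["location"]["countryOrRegion"],
                         cur["location"]["countryOrRegion"]))
    return hits


def outside_allowlist(records, allowed=frozenset({"GB"})):
    """Successful sign-ins from countries not on the allow list. A legitimate
    holiday (Amy in Spain) shows up here too, which is why Challenge 2
    recommends a travel-notification process rather than a hard block."""
    return sorted({(r["userPrincipalName"], r["location"]["countryOrRegion"])
                   for r in records
                   if r["status"]["errorCode"] == 0
                   and r["location"]["countryOrRegion"] not in allowed})


def triage(records):
    """One-shot summary for the monthly sign-in review."""
    return {"failed_bursts": failed_signin_bursts(records),
            "impossible_travel": impossible_travel(records),
            "outside_allowlist": outside_allowlist(records)}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_SIGNINS).items():
        print(f"{name}: {findings}")
```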
Step 9: Roll Out to Users (Communication is Critical)
Don’t just turn on features without warning users!
Communication plan:
1 week before:
- Email all staff explaining changes
- Benefits: Better security, easier access to applications
- What they need to do: Set up MFA, may need to re-authenticate
- When it happens
- Who to contact with questions
Day of rollout:
- Morning email: “Today is the day”
- IT support available
- Walk-through instructions
First week:
- Monitor for issues
- Quick support responses
- Gather feedback
Sample email:
Subject: Important Security Update – Multi-Factor Authentication Next Monday
Hi Team,
Next Monday, we’re implementing enhanced security for all our business applications. This means you’ll set up multi-factor authentication (MFA) – an extra security step that protects your account even if someone steals your password.
What you’ll do:
- Log in as normal on Monday
- Follow prompts to set up MFA on your mobile phone (takes 2 minutes)
- Going forward, you’ll approve logins on your phone app
Why we’re doing this:
- 99.9% better protection against account hacking
- Industry best practice
- Protects our business and client data
Questions? Reply to this email or call IT support.
Thanks,
[Your IT Team]
Step 10: Ongoing Management and Optimisation
Setup is just the beginning. Ongoing management:
Monthly tasks:
- Review sign-in logs for suspicious activity
- Check conditional access policy effectiveness
- Review any blocked sign-ins (legitimate or threats?)
- Update groups as staff join/leave
Quarterly tasks:
- Access reviews (P2 feature – who still needs access to what?)
- Policy optimisation (are policies too strict or too loose?)
- User feedback (is anything frustrating?)
- Review audit logs for compliance
Annual tasks:
- Full security audit
- Update banned password lists
- Review and update all policies
- Training refresher for staff
Common Setup Mistakes to Avoid
❌ Enabling MFA without warning users
→ Causes confusion and support calls
❌ Creating overly restrictive policies immediately
→ Start with “Report-only” mode, monitor, then enforce
❌ Not testing policies before enabling
→ Test on small group first
❌ Forgetting to exclude break-glass admin account
→ Always have emergency admin account not subject to conditional access
❌ Not documenting policies and reasons
→ Future you (or your replacement) needs to know why policies exist
❌ Setting up SSO without user training
→ Users don’t understand how it works and become frustrated
❌ No communication plan
→ Users resist changes they don’t understand
When to Call for Professional Help
DIY setup works for basic configurations, but consider professional help if:
✓ Over 50 users
✓ Complex compliance requirements
✓ Multiple office locations
✓ Hybrid (cloud + on-premise) environment
✓ Integration with legacy systems
✓ Previous security incidents
✓ Limited internal IT expertise
✓ You’re not confident in security configuration
Professional setup costs: £500-£2,000 for SMB implementation
What you get:
- Expert configuration
- Best practices applied
- Policy recommendations
- Documentation
- Training for admins
- Ongoing support
Get expert help with Microsoft Entra ID setup in West Sussex
Common Microsoft Entra ID Challenges for Small Businesses
Implementing Microsoft Entra ID for small business isn’t always smooth sailing. Here are typical challenges and how to overcome them.
Challenge 1: User Resistance to MFA
The problem: Employees complain that MFA is “annoying,” “takes too long,” or “unnecessary.”
Why it happens:
- Change resistance
- Don’t understand security benefits
- Adds 10-15 seconds to login process
Solutions:
1. Communicate the “why”:
- Explain real breach risks
- Share industry statistics
- Make it personal: “Protects your work and paycheck”
2. Use easiest MFA method:
- Microsoft Authenticator app (tap to approve)
- Avoid SMS codes if possible (slower)
- Push notifications are fastest
3. Enable “remember this device”:
- MFA only required once per 90 days on trusted devices
- Reduces frequency of prompts
4. Lead by example:
- Management enables first
- IT staff enthusiastically adopts
- Normalise it quickly
Expected timeline: Complaints for 1-2 weeks, then becomes routine
Challenge 2: Conditional Access Policy Complexity
The problem: Creating policies that are secure but don’t block legitimate work.
Example mistake:
- Policy: “Block all access from outside UK”
- Employee goes on holiday to Spain
- Can’t access urgent email
- Frustrated employee, potential business impact
Solutions:
1. Start with Report-Only mode:
- See what would be blocked without actually blocking
- Analyse for 1-2 weeks
- Adjust before enforcing
2. Create exception processes:
- Travel notification system
- Temporary policy exemptions
- Emergency access procedures
3. Layer policies carefully:
- Start with most critical apps/data
- Expand gradually
- Test thoroughly
4. Document policies:
- Why each exists
- What it controls
- How to request exceptions
Best practice: Begin with permissive policies and tighten them gradually based on actual usage patterns.
Challenge 3: Application Integration Issues
The problem: Third-party SaaS application doesn’t integrate smoothly with Entra ID SSO.
Common scenarios:
- Application not in Entra ID gallery
- Custom integration required
- Application requires specific configuration
- SSO partially works but breaks certain features
Solutions:
1. Check application documentation:
- Most SaaS applications have Entra ID integration guides
- Follow precisely (small misconfigurations cause issues)
2. Use gallery applications when possible:
- Pre-configured integrations
- Tested and reliable
- Simple setup wizards
3. For non-gallery apps:
- Use SAML or OpenID Connect standards
- May require vendor support
- Sometimes requires professional help
4. Fallback:
- If SSO too difficult, use password management tool
- Not ideal but functional
- Better than weak passwords
Professional help: Complex application integrations sometimes need MSP assistance (1-2 hours, £150-£300)
Challenge 4: Forgotten Passwords and Locked Accounts
The problem: Despite self-service password reset, users still get locked out.
Common reasons:
- Didn’t register recovery methods
- Changed phone number, didn’t update
- Recovery email no longer accessible
- Security questions forgotten
Solutions:
1. Force recovery method registration:
- Require at registration and periodically
- Verify methods actually work
- Prompt updates when methods change
2. Have admin reset process:
- Clear escalation path
- Fast admin response
- Temporary bypass for emergencies
3. User education:
- Password manager recommendations
- Importance of recovery method maintenance
- How to use self-service reset
4. Consider passwordless authentication (advanced):
- Windows Hello for Business
- FIDO2 security keys
- Reduces password issues entirely
Challenge 5: Monitoring and Alerts Overload
The problem: Too many alerts, can’t distinguish signal from noise.
Scenario:
- Enable all security alerts
- Receive 50+ alerts per day
- Most are false positives
- Real threats missed in noise
- Alert fatigue sets in
Solutions:
1. Start with critical alerts only:
- Admin account activity
- Impossible travel
- Multiple failed sign-ins
- Access from risky locations
2. Tune over time:
- Review alerts weekly
- Disable noisy, non-actionable alerts
- Refine thresholds
- Focus on actionable intelligence
3. Establish alert triage process:
- Who reviews?
- How quickly?
- What constitutes real incident?
- Escalation procedures
4. Consider security information and event management (SIEM):
- For larger businesses (30+ users)
- Aggregates and correlates alerts
- Reduces noise
- Part of advanced security services
Challenge 6: Licensing and Cost Management
The problem: Accidentally over-provisioning or under-provisioning licences.
Scenarios:
- Paying for P2 when P1 sufficient
- All users have premium licences, but only admins need them
- Paying for licences for departed employees
- Not enough licences when business grows
Solutions:
1. Right-size licensing:
- Review actual needs vs. licences purchased
- Not everyone may need premium tiers
- Admins and high-risk roles: P1 or P2
- General staff: Maybe Free tier sufficient
2. Licence management processes:
- Immediate removal when employee leaves
- Automated if possible
- Monthly licence audit
- Match licences to active users
3. Start conservative:
- Begin with what you definitely need
- Upgrade specific users as needs arise
- Easier to add than remove
4. Annual review:
- Are we using features we pay for?
- Have needs changed?
- Can we optimise?
Cost saving example:
- 20 users on P2: £1,704/year
- Optimise: 3 admins P2, 17 staff P1: (3 × £85.20) + (17 × £56.40) = £1,214/year
- Savings: £490/year
Challenge 7: Compliance Documentation
The problem: Need to prove Entra ID implementation for audits, but don’t have proper documentation.
What auditors want:
- Who has access to what
- How access is controlled
- Access review processes
- Security policy documentation
- Incident response logs
Solutions:
1. Document from the start:
- Policy purposes and justifications
- Configuration settings
- Access control decisions
- Review processes
2. Use built-in reporting:
- Entra ID provides numerous reports
- Sign-in logs
- Audit logs
- Access reviews (P2)
- Security dashboard
3. Regular compliance checks:
- Quarterly reviews
- Document reviews in writing
- Action items tracked
- Maintain history
4. Third-party compliance tools:
- For complex compliance (ISO 27001, SOC 2)
- Automate evidence collection
- Continuous compliance monitoring
Professional help: Compliance requirements often benefit from MSP support for proper documentation and processes.
When to Get Professional Help with Microsoft Entra ID
Whilst Microsoft Entra ID for small business can be set up by technical business owners, professional help often provides better security outcomes and saves time.
DIY vs Professional Help: When to Choose Each
DIY Setup Appropriate If:
✓ Under 15 users
✓ Simple Microsoft 365-only environment
✓ Someone internal has IT experience
✓ No compliance requirements
✓ Time to learn and implement
✓ Comfortable troubleshooting issues
✓ Just need basic MFA and policies
Estimated time commitment: 8-12 hours initial setup + 2-3 hours/month ongoing
Professional Help Recommended If:
✓ 15+ users
✓ Multiple cloud applications to integrate
✓ Complex security requirements
✓ Compliance obligations (GDPR, industry regulations)
✓ Hybrid environment (cloud + on-premise)
✓ Previous security incidents
✓ No internal IT expertise
✓ Want optimised, best-practice configuration
✓ Need documentation for audits
✓ Want ongoing managed services
What Professional Entra ID Services Include
Initial Implementation (One-Time):
Discovery and Planning:
- Security requirements assessment
- Current environment analysis
- Compliance requirements review
- Risk assessment
- Implementation roadmap
Configuration:
- Entra ID tier recommendation
- User and group structure
- MFA setup and rollout
- Conditional access policies
- Password protection configuration
- Application integration (SSO)
- Device management integration
- Security monitoring setup
Documentation:
- Configuration documentation
- Policy justifications
- User guides
- Admin procedures
- Compliance documentation
Training:
- Admin training (4-8 hours)
- User rollout support
- Best practices guidance
Testing and Optimisation:
- Policy testing
- User acceptance testing
- Performance optimisation
- Rollout support
Typical cost for SMB: £1,000-£3,000 depending on complexity
Ongoing Managed Services:
Monthly Management:
- Licence management
- User onboarding/offboarding
- Group management
- Policy monitoring
- Security alert review
- Performance optimisation
Quarterly Reviews:
- Access reviews
- Policy effectiveness assessment
- Security posture review
- Optimisation recommendations
- Compliance reporting
Incident Response:
- Security incident investigation
- Threat remediation
- User account recovery
- Policy adjustments
Typical cost: Included in managed IT services (£75-£110/user/month) or separate Entra ID management (£5-£15/user/month)
How to Choose an Entra ID Service Provider
Look for:
✓ Microsoft Partner status
- Verified expertise
- Access to Microsoft resources
- Certified technicians
✓ Relevant experience:
- Similar-sized business experience
- Your industry knowledge
- Demonstrated Entra ID implementations
✓ Security certifications:
- Cyber Essentials (minimum)
- Microsoft 365 certifications
- Security-focused credentials
✓ Clear service offerings:
- Transparent pricing
- Defined deliverables
- Service level agreements
✓ Local presence (for SMBs):
- In-person meetings
- Local support
- Understanding of UK regulations
Questions to Ask Potential Providers
- “How many Entra ID implementations have you completed for businesses our size?”
- Look for: 10+ implementations
- “What Microsoft certifications do your technicians hold?”
- Look for: Microsoft 365 Certified, Security certifications
- “What’s your approach to conditional access policy configuration?”
- Look for: Balanced security and usability, testing methodology
- “How do you handle user rollout and training?”
- Look for: Structured communication plan, user support
- “What documentation do you provide?”
- Look for: Complete configuration docs, compliance documentation
- “What’s included in ongoing support?”
- Look for: Clear inclusions/exclusions, response times
- “Can you provide references from similar businesses?”
- Look for: Willingness to provide, satisfied clients
- “How do you stay current with Entra ID changes?”
- Look for: Ongoing training, Microsoft partnership
Cost-Benefit Analysis: Professional Help
DIY Approach:
- Cost: “Free” (internal time)
- Time: 12-20 hours initial + 2-3 hours/month
- Risk: Misconfigurations, security gaps
- Outcome: Functional but potentially not optimised
Professional Implementation:
- Cost: £1,500-£3,000 one-time
- Time: 2-4 hours of your time (meetings, approvals)
- Risk: Minimal (expert configuration)
- Outcome: Optimised, documented, compliant
Break-even scenario:
If your time is worth £30-50/hour:
- DIY time: 20 hours × £40 = £800 of your time
- Plus potential security gaps
- Plus learning curve delays
Professional setup at £2,000 provides:
- Expert configuration
- Time savings
- Better security outcomes
- Compliance documentation
- Peace of mind
For most businesses with 15+ users, professional help pays for itself.
ATS Connection’s Entra ID Services
We provide comprehensive Microsoft Entra ID implementation and management for West Sussex businesses:
Implementation Services:
✓ Security requirements assessment
✓ Entra ID P1/P2 implementation
✓ Multi-factor authentication rollout
✓ Conditional access policy configuration
✓ Application integration (SSO)
✓ User training and rollout support
✓ Complete documentation
✓ Compliance-ready configuration
Ongoing Management:
✓ Licence optimisation
✓ User management
✓ Security monitoring
✓ Policy optimisation
✓ Quarterly reviews
✓ Incident response
Why choose ATS Connection:
- 20+ years IT security experience
- Microsoft Partner
- Cyber Essentials certified
- Local West Sussex presence
- Fast response (2-4 hours)
- Transparent pricing
- Comprehensive managed IT services
Get expert help with Microsoft Entra ID
Microsoft Entra ID Security Benefits for Small Businesses
Understanding the concrete security improvements Microsoft Entra ID for small business provides helps justify the investment.
Threat Prevention: What Entra ID Stops
1. Credential Stuffing Attacks
The threat:
- Attackers use stolen username/password lists from other breaches
- Try credentials against your Microsoft 365
- If employee reuses passwords, gains access
How Entra ID stops it:
- MFA (Free tier): Even with correct password, attacker blocked without second factor
- Password protection (P1): Prevents use of known breached passwords
- Smart lockout (P1): Blocks brute force attempts
- Identity protection (P2): Detects and blocks sign-ins from known malicious IPs
Effectiveness: 99.9% reduction in account compromise
2. Phishing Attacks
The threat:
- Employee receives fake “Microsoft” email
- Clicks link, enters password on fake page
- Attacker captures credentials
How Entra ID stops it:
- MFA: Attacker can’t log in without second factor
- Conditional access (P1): Login from attacker’s location blocked
- Identity protection (P2): Detects suspicious sign-in patterns, forces re-authentication
Real example: Employee enters password on phishing site. Attacker tries to log in from Ukraine. Entra ID blocks immediately (impossible travel detection). Employee notified, changes password. Breach prevented.
3. Account Takeover
The threat:
- Attacker gains access to employee account
- Reads emails, steals data, spreads ransomware
How Entra ID stops it:
- Continuous monitoring: Detects unusual behaviour (different location, unusual IP, strange access patterns)
- Risk-based conditional access (P2): Forces re-authentication when suspicious
- Privileged identity management (P2): Limits damage even if admin account compromised
4. Insider Threats
The threat:
- Disgruntled employee or contractor
- Unauthorised data access
- Data exfiltration
How Entra ID controls it:
- Conditional access (P1): Limits what can be accessed from where
- Access reviews (P2): Regular verification of who should have access
- Activity monitoring: Tracks all access attempts
- Just-in-time access (P2): Admins only have privileges when needed, for limited time
5. Compromised Mobile Devices
The threat:
- Lost or stolen device
- Unauthorised access to company data
How Entra ID protects:
- Device-based conditional access (P1): Only managed devices access data
- Remote wipe capability: IT can remotely remove company data
- Conditional access based on device compliance: Non-compliant device blocked
Security Improvement Metrics
Before vs After Entra ID Premium Implementation:
| Security Metric | Before (Free Tier) | After (P1/P2) | Improvement |
|---|---|---|---|
| Account compromises | 2-3/year | 0/year | 100% |
| Successful phishing | 1-2/year | 0/year | 100% |
| Unauthorised access attempts | Unknown | Detected & blocked | N/A |
| Weak passwords | ~40% of accounts | 0% | 100% |
| Password resets (support) | 15/month | 3/month | 80% |
| Login friction | Low | Minimal increase | Good UX maintained |
| Compliance readiness | Poor documentation | Full documentation | Complete |
| Admin account security | Permanent access | Time-limited access (PIM) | Significantly improved |
Data source: Average ATS Connection client improvements over 12 months
Compliance Benefits
Entra ID helps meet requirements for:
GDPR (General Data Protection Regulation):
- Article 32: Technical security measures
- Access controls
- Audit trails
- Data protection by design
Cyber Essentials:
- Access control
- Malware protection (integrated)
- Security configurations
- Controlled admin privileges
ISO 27001:
- A.9 Access Control
- A.12.4 Logging and monitoring
- A.18.1 Compliance with legal requirements
Industry-specific:
- SRA (Solicitors): Client confidentiality controls
- FCA (Financial): Data security requirements
- CQC (Healthcare): Patient data protection
Audit evidence: Entra ID provides comprehensive logs and reports that demonstrate compliance.
Getting Started with Microsoft Entra ID for Your Small Business
Ready to implement Microsoft Entra ID for small business? Here’s your action plan.
Step 1: Assess Your Current State
Answer these questions:
- How many employees do you have? _____
- Do you use Microsoft 365? Yes / No
- Do employees work remotely? Yes / No / Sometimes
- What cloud applications do you use? _______________
- Have you had security incidents? Yes / No
- Do you have compliance requirements? Yes / No / Unsure
- What’s your IT security budget? £_____ per month
- Who manages IT currently? Internal / External / No one
- How technical is your team? High / Medium / Low
- What keeps you up at night about IT security? _______________
Based on your answers:
- 1-10 users, office-only, basic needs → Start with Free tier + MFA
- 10-25 users, remote work, multiple apps → Entra ID P1
- 25+ users, compliance, high security → Entra ID P1 or P2
- Regulated industry → Entra ID P2 + professional help
Step 2: Choose Your Tier
Quick decision guide:
Go with FREE (included) if:
- Very small team (under 5)
- No remote work
- Very tight budget
- Simple needs
But enable MFA immediately!
Go with P1 (£4.70/user/month) if:
- 5-50 employees
- Remote or hybrid work
- Multiple business applications
- Want strong security at reasonable cost
- This is the right choice for most SMBs
Go with P2 (£7.10/user/month) if:
- Compliance requirements
- Regulated industry
- High-value targets
- Want maximum security
- Can justify extra cost
Still unsure? Start with P1, upgrade to P2 if needed.
Step 3: Get Buy-In
Stakeholders to involve:
- Business owner/directors (budget approval)
- IT lead (implementation)
- Department heads (policy input)
- Users (acceptance and training)
Business case template:
Proposal: Implement Microsoft Entra ID Premium
Current situation:
- [Number] employees using Microsoft 365
- [Issues: e.g., weak passwords, remote access concerns, compliance requirements]
- Current security posture: [Describe]
Proposed solution:
- Implement Microsoft Entra ID P1 for all users
- Enable MFA, conditional access, password protection
- Integrate existing applications with SSO
Benefits:
- 99%+ reduction in account compromise risk
- Simplified user experience (single sign-on)
- Compliance readiness
- Reduced IT support burden
Costs:
- Entra ID P1: £[calculation] per year
- Implementation: £[if using professional help] one-time
- Total first year: £[total]
- Ongoing: £[annual licence cost] per year
ROI:
- Average data breach cost: £25,000+
- Prevented breach value: Significantly exceeds cost
- IT time savings: [hours/month]
- Compliance value: [if applicable]
Timeline:
- Week 1-2: Planning and setup
- Week 3: Pilot with IT team
- Week 4: Full rollout
Decision needed: Approve budget and implementation timeline
Step 4: Implementation Plan
Option A: DIY Implementation
Week 1:
- Purchase Entra ID P1/P2 licences
- Read implementation documentation
- Plan policies and groups
Week 2:
- Configure basic settings
- Set up groups
- Enable MFA for pilot group
Week 3:
- Create conditional access policies
- Test with pilot group
- Refine based on feedback
Week 4:
- Roll out to all users
- Provide support
- Monitor and adjust
Ongoing:
- Monthly reviews
- Policy optimisation
- User support
Option B: Professional Implementation
Week 1:
- Select provider
- Initial consultation
- Requirements gathering
Week 2:
- Provider configures Entra ID
- Policy creation
- Testing
Week 3:
- Admin training
- Pilot rollout
- Refinements
Week 4:
- Full user rollout
- User training
- Documentation delivery
Ongoing:
- Managed service (if chosen)
- Regular reviews
- Optimisation
Step 5: Launch and Communicate
User communication template:
Subject: Important Security Update – Better Protection, Easier Access
Dear Team,
We’re implementing enhanced security for all our business applications starting [DATE]. This improves our security whilst making your work easier.
What’s changing:
- Multi-factor authentication for all accounts
- Single sign-on for multiple applications
- Better protection against cyber threats
What you need to do:
- [DATE]: Set up multi-factor authentication (5-minute process)
- Keep your mobile phone handy for approvals
- Contact IT support if you have issues
Benefits for you:
- One login for multiple applications
- Better protection for your work account
- Faster password resets
- Enhanced security for remote work
Support:
- Training session: [DATE/TIME]
- Step-by-step guide: [LINK]
- IT support: [CONTACT INFO]
Thank you for your cooperation in keeping our business secure.
[Name]
Step 6: Measure Success
Track these metrics:
Security metrics:
- Account compromise attempts (should drop to near zero)
- Successful phishing attacks (should be zero)
- Unauthorised access attempts blocked
- Password strength improvement
Operational metrics:
- Password reset requests (should decrease 60-80%)
- IT support time on access issues
- User satisfaction with login experience
Compliance metrics:
- Audit readiness
- Access review completion
- Policy compliance rate
Review monthly for first 3 months, then quarterly.
Step 7: Optimise and Improve
After 90 days, review:
- Are policies too strict or too loose?
- Adjust based on user feedback and security logs
- Are we using all features we’re paying for?
- Maximise value from licences
- Have security incidents decreased?
- Measure effectiveness
- Is user experience acceptable?
- Balance security and usability
- Do we need to upgrade/downgrade?
- Right-size licensing
Continuous improvement is key to maximising Entra ID value.
Conclusion: Is Microsoft Entra ID Right for Your Small Business?
Microsoft Entra ID for small business provides enterprise-grade security at SME-friendly pricing. For most businesses with 5+ employees using Microsoft 365, the answer is clear: Yes, you should be using at least Entra ID P1.
Key takeaways:
✅ You’re already using Entra ID Free if you have Microsoft 365
✅ Enable MFA immediately – it’s free and critical
✅ Most SMBs benefit from P1 (£4.70/user/month) for conditional access and password protection
✅ Regulated industries should use P2 (£7.10/user/month) for identity protection and compliance features
✅ Professional help often provides better outcomes for 15+ user businesses
✅ ROI is clear: One prevented breach pays for years of Entra ID licensing
The real question isn’t whether you can afford Entra ID Premium—it’s whether you can afford NOT to have it.
Get Expert Microsoft Entra ID Implementation in West Sussex
ATS Connection specialises in Microsoft 365 security and Entra ID implementation for West Sussex small businesses.
Our Entra ID Services:
✓ Security assessment – Identify your specific requirements
✓ Right-sized recommendations – Free/P1/P2 guidance based on your needs
✓ Professional implementation – Expert configuration following best practices
✓ User training and rollout – Smooth deployment with minimal disruption
✓ Ongoing management – Licence optimisation, policy management, security monitoring
✓ Compliance documentation – Audit-ready reports and documentation
✓ Local support – Fast response across West Sussex
Why ATS Connection:
✓ 20+ years IT security experience
✓ Microsoft Partner
✓ Cyber Essentials certified
✓ Based in Arundel, serving Chichester to Worthing
✓ Transparent pricing, no hidden fees
✓ Proven track record with West Sussex SMBs
Ready to improve your security with Microsoft Entra ID?
Call us: 01903 255159
Serving businesses throughout West Sussex including Chichester, Worthing, Arundel, Bognor Regis, Littlehampton, and surrounding areas.
Learn more about our Microsoft 365 security services
Frequently Asked Questions
Q: Is Microsoft Entra ID the same as Azure AD?
A: Yes, they are identical. Microsoft rebranded Azure Active Directory to Microsoft Entra ID in 2022-2023. It’s the same service with a new name—no migration needed, no feature changes.
Q: Do I already have Microsoft Entra ID?
A: If you use Microsoft 365, yes. Every Microsoft 365 subscription includes Entra ID Free tier automatically. You’re using it every time you log into Microsoft 365.
Q: How much does Microsoft Entra ID cost for a small business?
A:
- Free tier: Included with Microsoft 365 (£0)
- Entra ID P1: £4.70 per user per month (£56.40/user/year)
- Entra ID P2: £7.10 per user per month (£85.20/user/year)
For a 15-person business: P1 costs £846/year, P2 costs £1,278/year.
Q: Do small businesses really need Microsoft Entra ID Premium (P1 or P2)?
A: Most small businesses with 5+ employees, remote workers, or sensitive data benefit significantly from at least P1. The cost (£4.70/user/month) is minimal compared to potential breach costs (£10,000-£100,000+). Free tier provides basic security, but lacks conditional access and password protection—features that prevent most attacks.
Q: What’s the difference between Entra ID Free, P1, and P2?
A:
- Free: Basic identity, MFA, limited SSO (10 apps)
- P1: + Conditional access, password protection, unlimited SSO, dynamic groups (£4.70/user/month)
- P2: + Identity protection (AI threat detection), privileged identity management, access reviews (£7.10/user/month)
Most SMBs find P1 is the “sweet spot” for security and cost.
Q: Can I set up Microsoft Entra ID myself or do I need professional help?
A: Basic setup (MFA, groups) can be DIY if you’re technically inclined. Professional help recommended for:
- Conditional access policies (easy to misconfigure)
- Application integration (SSO setup)
- Compliance requirements
- 15+ users
- Complex security needs
DIY time: 12-20 hours. Professional setup: £1,000-£3,000 typically.
Q: How does Microsoft Entra ID improve security for small businesses?
A: Key security improvements:
- MFA: 99.9% reduction in account compromise
- Conditional access: Blocks suspicious logins automatically
- Password protection: Prevents weak/breached passwords
- Identity protection (P2): AI-powered threat detection
- Monitoring: Visibility into all access attempts
- Just-in-time admin access (P2): Reduces admin account risks
Q: Does Microsoft Entra ID work with applications other than Microsoft 365?
A: Yes! Entra ID integrates with 3,000+ business applications including:
- Salesforce
- Adobe Creative Cloud
- Zoom
- Dropbox Business
- Xero
- DocuSign
- Slack
- And many more
Single sign-on (SSO) works across all integrated applications.
Q: What is conditional access and why do I need it?
A: Conditional access creates “if-then” security rules:
- “If logging in from outside UK, require MFA”
- “If using unmanaged device, block access to sensitive files”
- “If impossible travel detected (UK then China 1 hour later), block”
It’s the most powerful security feature in Entra ID P1/P2—allows secure remote work whilst blocking suspicious activity.
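The first two “if-then” rules above (and the device-based conditional access from the mobile-device scenario earlier) written out as real policies, as an added example that is not from the article or from Microsoft. It uses the Microsoft Graph PowerShell SDK, assumes an Entra ID P1 licence and Conditional Access administrator rights, and uses a placeholder break-glass account ID; the impossible-travel rule is a sign-in-risk condition that needs P2 and is not shown.

```powershell
# Added example, not from the article: the "if-then" rules as conditional
# access policies via the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
# Both policies start in report-only mode so the sign-in log shows what WOULD
# have happened before anyone is actually blocked.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All"

# Emergency-access ("break glass") account excluded from every policy so a
# misconfigured rule cannot lock every admin out. Placeholder object ID.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# Named location for the UK; the first policy applies to everything else.
$uk = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "United Kingdom"
    countriesAndRegions               = @("GB")
    includeUnknownCountriesAndRegions = $false
}

# Rule 1: "If logging in from outside the UK, require MFA"
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA01 - Require MFA outside the UK"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($uk.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Rule 2: "If using an unmanaged device, block access" to Office 365. Only a
# device that is Intune-compliant or hybrid-joined satisfies the grant;
# every other device is refused.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA02 - Require managed device for Office 365"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
}

# Before switching state to "enabled": review recent sign-ins that a
# report-only policy would have blocked or challenged.
Get-MgAuditLogSignIn -Top 200 |
    Where-Object { $_.AppliedConditionalAccessPolicies.Result -contains "reportOnlyFailure" } |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress, @{n = "Policy"; e = { $_.AppliedConditionalAccessPolicies.DisplayName } }
```

Only change `state` to `"enabled"` once the report-only results show no legitimate users (and no admins) being caught.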
Q: Can Microsoft Entra ID help with GDPR or other compliance?
A: Yes. Entra ID provides:
- Access controls (GDPR Article 32)
- Audit logs (compliance evidence)
- Access reviews (demonstrate ongoing governance)
- Security policies (data protection by design)
- Identity governance (right people, right access, right time)
P2 tier includes access reviews required by many compliance frameworks (ISO 27001, SOC 2, etc.).
Q: How long does it take to implement Microsoft Entra ID?
A:
- Basic setup (Free/MFA): 2-4 hours
- P1 implementation (DIY): 8-15 hours over 2-3 weeks
- P1 implementation (professional): 2-3 weeks with ~4 hours of your time
- Full P2 with complex policies: 3-4 weeks
User rollout typically takes 1 week with proper communication.
Q: Will Microsoft Entra ID slow down my employees or make work harder?
A: Initial adjustment period (1-2 weeks) as users adapt to MFA. After that:
- MFA: Adds 5-10 seconds per login (but “remember device” reduces frequency)
- SSO: Actually saves time—one login for multiple applications
- Self-service password reset: Faster than calling IT support
Net result: Slight initial friction, then improved experience for most users.
Q: What happens if an employee loses their phone (with MFA app)?
A: Multiple recovery options:
- Backup authentication method (second phone, security questions, backup codes)
- Admin reset: IT can temporarily disable MFA to allow re-registration
- Self-service: If recovery methods registered, user can reset themselves
Best practice: Require multiple authentication methods at setup.
