Microsoft Entra ID P2 Entitlement Management: An Honest Assessment for SMBs

I used Claude with the Copilot Researcher agent to generate this report. It provides an idea of the type and quality of the output.

———————————————

Executive Summary

Microsoft Entra ID P2 Entitlement Management is an advanced identity governance feature designed for managing identity and access lifecycle at scale [1]. Whilst powerful for large enterprises, the reality for SMBs is more nuanced. This report provides a candid assessment based on current market analysis and practical considerations for small businesses with 50-300 employees.

The bottom line: For most SMBs, the £32,400 annual investment (for 300 users) in Entra ID P2 solely for entitlement management features represents poor value when compared to alternatives like Microsoft 365 Business Premium (which includes Entra ID P1) or competing solutions from vendors like Okta and JumpCloud.


What is Entitlement Management?

Core Capabilities

Entitlement management introduces the concept of access packages – bundles of all resources with the access a user needs to work on a project or perform their task [1]. Key features include:

  • Multi-stage approval workflows for access requests [1]
  • Time-limited assignments that automatically expire [1]
  • Automatic user provisioning based on properties like department or cost centre [1]
  • External user management for partners and vendors [1]
  • Access reviews to ensure users don’t retain unnecessary access [1]
  • Delegated administration allowing non-IT staff to manage access for their departments [1]

Use Cases Microsoft Highlights

The platform addresses scenarios such as:

  • Users might not know what access they should have [1]
  • Users holding onto access longer than required for business purposes [1]
  • Managing external users from supply chain organisations or business partners [1]
  • Departments managing their own access policies without IT involvement [1]

Cost Analysis for SMBs

  • Entra ID P2 Pricing: £9/user/month (£108 per user annually)
  • 300-User Organisation: £32,400/year (just for identity governance)
  • Business Premium: £22/user/month (includes productivity + security + Entra P1)

Licensing Breakdown

According to Microsoft’s official pricing [2][3]:

Plan | Monthly Cost | Annual Cost (300 users) | What’s Included
Entra ID P2 standalone | £9/user | £32,400 | Identity governance, PIM, advanced protection
Entra ID Governance add-on | £7/user (requires P1/P2) | £25,200 | Entitlement management features only
M365 Business Premium | £22/user | £79,200 | Full productivity suite + Entra P1 + Defender
Business Standard + Entra P1 | £18.50/user | £66,600 | Productivity + basic identity management

Hidden Costs Often Overlooked

Beyond licensing, SMBs must consider:

  1. Implementation complexity: Initial setup can require significant IT resources or consultant fees [3]
  2. Training requirements: Staff need education on managing access packages and policies
  3. Ongoing administration: Someone must regularly review and update access packages
  4. Integration effort: Connecting all applications and resources to the system

  • Includes essential security: Defender for Business, Safe Links, Safe Attachments
  • Provides device management: Intune for policy enforcement across all devices
  • Offers data protection: Azure Information Protection for sensitive files
  • Simplifies licensing: One license for all users eliminates confusion
  • Enables cloud-first operations: Critical for businesses without on-premises servers [4]

The reality: The cost of Microsoft Entra ID can escalate significantly, especially with the need for advanced features or for companies managing a large user base [3].

Implementation Guide for SMBs

  • Phase 1: Prerequisites (Week 1-2) – Ensure Entra ID P2 licensing and admin access
  • Phase 2: Catalog Creation (Week 3) – Set up resource catalogs and define owners
  • Phase 3: Access Packages (Week 4-5) – Create packages bundling resources for common roles
  • Phase 4: Policy Definition (Week 6-7) – Configure approval workflows and time limits
  • Phase 5: Testing & Rollout (Week 8-10) – Pilot with select departments before full deployment

Step-by-Step Setup Process

1. Enable Entitlement Management
  • Navigate to Microsoft Entra admin centre
  • Enable the entitlement management feature
  • Assign initial administrators

2. Create Catalogs [1]
  • Establish containers for related resources
  • Designate catalog owners from business units
  • Define delegation permissions

3. Add Resources to Catalogs
  • Microsoft Entra security groups [1]
  • Microsoft 365 Groups and Teams [1]
  • Enterprise applications (SaaS and custom) [1]
  • SharePoint Online sites [1]

4. Design Access Packages [1]
  • Bundle resources needed for specific job functions
  • Create packages for common scenarios (new employee, contractor, project team)
  • Define resource roles within each package

5. Configure Policies [1]
  • Set eligible requestors (internal users or partner organisations)
  • Define approval processes and approvers
  • Establish access duration and renewal requirements
  • Configure automatic assignment rules based on user attributes

6. Test and Deploy
  • Run pilot with IT department
  • Gather feedback and refine packages
  • Roll out department by department
  • Monitor usage and adjust as needed
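
A check that fits the pilot in step 6, added here as an example (it is not part of the original report or of any Microsoft tooling): it audits exported assignment policies for the controls the report lists, namely expiry, approval for external requestors and access reviews. The field names are assumed to match the Microsoft Graph accessPackageAssignmentPolicy resource; the 180-day limit, the finding codes and the sample policies are constructed for illustration.

```python
import re

# Assumption: field names follow the Microsoft Graph v1.0
# accessPackageAssignmentPolicy resource; verify against your own tenant's export.
EXTERNAL_SCOPES = {"specificConnectedOrganizationUsers",
                   "allConfiguredConnectedOrganizationUsers", "allExternalUsers"}
MAX_DAYS = 180  # hypothetical local standard for the longest allowed assignment

def duration_days(iso):
    """Return days for simple ISO 8601 durations (P90D, P1Y); None if unparseable."""
    m = re.fullmatch(r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?", iso or "")
    if not m or not any(m.groups()):
        return None
    y, mo, d = (int(g or 0) for g in m.groups())
    return y * 365 + mo * 30 + d

def audit_policy(policy):
    """Return a list of finding codes for one assignment policy dict."""
    findings = []
    exp = policy.get("expiration") or {}
    if exp.get("type") in (None, "notSpecified", "noExpiration"):
        findings.append("NO_EXPIRY")
    elif exp.get("type") == "afterDuration":
        days = duration_days(exp.get("duration"))
        if days is None:
            findings.append("UNPARSEABLE_DURATION")
        elif days > MAX_DAYS:
            findings.append("LONG_EXPIRY")
    approval = policy.get("requestApprovalSettings") or {}
    needs_approval = approval.get("isApprovalRequiredForAdd") and approval.get("stages")
    if policy.get("allowedTargetScope") in EXTERNAL_SCOPES and not needs_approval:
        findings.append("EXTERNAL_WITHOUT_APPROVAL")
    if not (policy.get("reviewSettings") or {}).get("isEnabled"):
        findings.append("NO_ACCESS_REVIEW")
    return findings

def audit(policies):
    """Map policy displayName -> findings, omitting clean policies."""
    report = {p.get("displayName", "<unnamed>"): audit_policy(p) for p in policies}
    return {name: f for name, f in report.items() if f}

# Constructed sample data, shaped like a Graph export; not taken from a real tenant.
MANAGER_APPROVAL = {"isApprovalRequiredForAdd": True,
                    "stages": [{"primaryApprovers": [{"managerLevel": 1}]}]}
SAMPLE = [
    {"displayName": "Contractor onboarding", "allowedTargetScope": "allExternalUsers",
     "expiration": {"type": "noExpiration"},
     "requestApprovalSettings": {"isApprovalRequiredForAdd": False, "stages": []}},
    {"displayName": "Project Alpha team", "allowedTargetScope": "allMemberUsers",
     "expiration": {"type": "afterDuration", "duration": "P1Y"},
     "requestApprovalSettings": MANAGER_APPROVAL, "reviewSettings": {"isEnabled": True}},
    {"displayName": "Finance partner access",
     "allowedTargetScope": "specificConnectedOrganizationUsers",
     "expiration": {"type": "afterDuration", "duration": "P90D"},
     "requestApprovalSettings": MANAGER_APPROVAL, "reviewSettings": {"isEnabled": True}},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {', '.join(findings)}")
```

Policies that pass every check are left out of the report, so an empty result means the pilot's policies meet the chosen standard.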

Time and Resource Requirements

For a 100-person SMB, expect:

  • Initial setup: 4-6 weeks with dedicated IT resource
  • Ongoing maintenance: 5-10 hours monthly
  • User training: 2-4 hours per department

The Honest Truth: Is It Worth It for SMBs?

✅ When It Makes Sense

Heavy compliance requirements, complex partner ecosystems, frequent staff changes, or multi-organisation collaboration needs

❌ When It’s Overkill

Stable workforce, simple org structure, limited external collaboration, or existing solutions working well

Where Entitlement Management Adds Value

Legitimate use cases for SMBs include:

  1. Heavily regulated industries (healthcare, finance) requiring detailed access audit trails [1]
  2. High staff turnover scenarios where automation saves significant time
  3. Complex partner relationships with multiple external organisations needing controlled access [1]
  4. Project-based businesses with frequently changing team compositions [1]
  5. Compliance requirements demanding regular access reviews and certifications

Where It’s Unnecessary Complexity

For most SMBs, entitlement management is overkill because:

  1. Microsoft 365 Business Premium is sufficient: At £22/user/month, it includes Entra ID P1 with Conditional Access, MFA, and basic identity management – enough for most SMBs [4]
  2. Simpler alternatives exist: Solutions like JumpCloud offer all-in-one platforms for SSO, directory services, and device management at more SMB-friendly price points [5]
  3. Limited IT resources: Small businesses often lack dedicated identity governance teams. The initial setup learning curve can be steep [3]
  4. Manual processes work fine: For organisations under 150 users, manual access management with good documentation often suffices
  5. Business Premium provides essential security: Including Safe Links, Safe Attachments, Azure Information Protection, and Intune device management [4]

Real-World Perspective

According to recent market analysis, mid-sized companies (100-750 employees) with hybrid workforces often find better value in unified platforms like JumpCloud that combine identity and device management [5]. Even Okta, whilst potentially expensive at scale, offers 7,000+ pre-built app integrations with faster deployment than complex governance systems [5].

The harsh reality: Microsoft Entra ID documentation can occasionally lag behind the rapid pace of feature updates, making implementation challenging for resource-constrained IT teams [3].


Alternative Solutions Comparison

Detailed Comparison Table

Solution | Best For | Monthly Cost (100 users) | Key Advantages | Main Limitations
M365 Business Premium | Microsoft-centric SMBs | £2,200 | Integrated suite, includes productivity tools, Defender for Business | Limited to 300 users
JumpCloud | Hybrid IT environments | £800-1,200 | Cross-platform support, device + identity management | Lacks deeper governance features
Okta | SaaS-heavy organisations | £1,200-1,800 | 7,000+ integrations, fast deployment | Can get expensive at scale
OneLogin | Cloud-first SMBs | £900-1,500 | SmartFactor Authentication, AI-driven security | Limited device management

Why Business Premium Usually Wins

For SMBs already in the Microsoft ecosystem, Business Premium at £22/user/month delivers better value than standalone Entra P2 because [4]:


Recommendations by Business Size

Decision Framework

Ask these questions before investing in Entra P2:

  1. Do you have dedicated IT staff for identity governance? If no, the complexity isn’t worth it.
  2. Are you in a heavily regulated industry? If yes, the audit and compliance features may justify the cost.
  3. Do you frequently onboard/offboard contractors or partners? If yes, automation could save significant time.
  4. Is your organisation structure simple and stable? If yes, manual processes with Business Premium suffice.
  5. Are you already struggling with your current identity management? If no, don’t add complexity for complexity’s sake.

Final Verdict

The Bottom Line

Microsoft Entra ID P2 Entitlement Management is a powerful tool solving real problems – just not problems most SMBs actually have. The complexity, cost, and administrative overhead rarely justify the investment for organisations under 300 users.

For 95% of SMBs, the path forward is clear:

  1. Start with Microsoft 365 Business Premium (£22/user/month) for integrated security and productivity
  2. Implement the basics well: MFA, Conditional Access, device management via Intune
  3. Use simple processes: Document access procedures, regular reviews, clear onboarding/offboarding
  4. Reassess at growth milestones: Consider advanced governance only when complexity genuinely demands it

Remember: Adding complexity doesn’t automatically mean adding security. A well-implemented, simple identity management system beats a poorly maintained complex one every time. For most SMBs, Business Premium provides the right balance of security, usability, and value [4].

When to Reconsider

Revisit the Entra P2 decision when:

  • Your organisation exceeds 300 users
  • You enter heavily regulated markets
  • External collaboration becomes core to your business
  • Manual processes consume more than 20 hours monthly
  • Audit failures highlight governance gaps

Until then, invest in getting the basics right rather than adding advanced features you won’t fully utilise. Your budget, IT team, and users will thank you.

References

[1] What is entitlement management? – Microsoft Entra ID Governance | Microsoft Learn

[2] Microsoft Entra Plans and Pricing | Microsoft Security

[3] Microsoft Entra ID Review 2025: Key Features, Pricing & Alternatives

[4] 365 Business Premium vs Business Standard & Entra ID P1

[5] Top 10 IAM Solutions for Mid-size Companies (2025)

Unlock Anthropic AI in Microsoft Copilot: Step-by-Step Setup & Crucial Warnings!

In this video, I walk you through how to enable Anthropic’s powerful AI models—like Claude—inside Microsoft Copilot. I’ll show you exactly where to find the settings, how to activate new AI providers, and what features you unlock in Researcher and Copilot Studio. Plus, I share an important compliance warning you need to know before turning this on, so you can make informed decisions for your organization. If you want to supercharge your Copilot experience and stay ahead with the latest AI integrations, this guide is for you!

Video link = https://www.youtube.com/watch?v=Gxa9OrI6VJs

Get a copy of my Comparing AI Services Report

I’ve bundled up all my research into different AI services and had Copilot Research generate a report which you can now request via email by filling in this form:

https://forms.office.com/r/tGK2GZPLc1

The report covers my findings from a recent series of blog posts I wrote that culminated with:

https://blog.ciaops.com/2025/09/12/comparing-ai-services-an-objective-analysis/

but the downloadable report brings all the articles nicely together with some additional insights.

Robert.Agent has been upgraded

I have now upgraded Robert.Agent to use GPT5 deep reasoning as you can see above.

All you need to do is send an email to robert.agent@ciaops365.com with your M365 question in the BODY of the email and you should get a reply to that question in a few minutes. Remember, deep reasoning models take longer to produce results.

It is also important to note with Robert.Agent:

1. Each email is treated as a separate conversation. Robert.Agent has no ‘memory’ of any previous email you may have sent. Thus, treat each email you send as a single unique response or session.

2. Robert.Agent has normal Exchange Online security protection. This means, if the email you send looks like spam (i.e. no subject, signature, bad grammar and spelling, etc) then you won’t get a response.

Try the upgraded Robert.Agent out and let me know what you think.

Improved Windows Defender script

Recently, Microsoft updated Visual Studio Code and GitHub Copilot to include the ability to auto detect which AI model is best to use when coding:

I therefore thought I’d take it for a spin and elected to use it to improve the script:

https://github.com/directorcia/Office365/blob/master/win10-def-get.ps1

and you can now see the results for yourself. The script requires escalation to local administrator to gather the information it needs.

Tests include:

– Attack Surface Reduction Rules

– Defender Settings

– Scanning Settings

– Latest Signature / Engine Versions

– Platform Security

and more. You will find the documentation at:

https://github.com/directorcia/Office365/wiki/Windows-Security-Audit-Script

which was also generated thanks to GitHub Copilot.

Let me know what you think and if you feel anything should be added.

Comparing AI services–an objective analysis?

If you have been following my articles about comparing AI services, you’d know that, through some ‘rule of thumb’ reasoning I was able to determine the following ranking of AI services:

1. Deepseek

2. M365 Copilot

3. Copilot Researcher

4. Gemini

5. Copilot Studio

6. ChatGPT deep research

7. ChatGPT

The problem is that I used the same AI services to potentially evaluate the results that they in fact generated. Could that result in bias? Unsure, but I’d suggest probably, if you look at the results.

What I therefore decided to do was have the original articles evaluated by two AI services that were not on my original list, Claude and Grok. Here’s the result of just these two:

AI Service | Claude | Grok | Total
M365 Copilot | 7 | 4 | 11
Gemini | 3 | 7 | 10
Copilot Studio | 5 | 5 | 10
Deepseek | 6 | 2 | 8
Copilot Researcher | 2 | 6 | 8
ChatGPT Deep Research | 4 | 3 | 7
ChatGPT | 1 | 1 | 2

If I now incorporate these results in the overall results I get the following:

AI Service | Researcher | Gemini | ChatGPT | Claude | Grok | Total
M365 Copilot | 7 | 3 | 4 | 7 | 4 | 25
Deepseek | 5 | 4 | 7 | 6 | 2 | 24
Gemini | 4 | 7 | 2 | 3 | 7 | 23
Copilot Studio | 2 | 5 | 5 | 5 | 5 | 22
Copilot Researcher | 6 | 6 | 1 | 2 | 6 | 21
ChatGPT Deep Research | 3 | 2 | 3 | 4 | 3 | 15
ChatGPT | 1 | 1 | 6 | 1 | 1 | 10

That changes the ranking slightly to:

1. M365 Copilot

2. Deepseek

3. Gemini

4. Copilot Studio

5. Copilot Researcher

6. ChatGPT deep research

7. ChatGPT

with the average score being 20, which most services exceed. ChatGPT still lags, even after this! Interesting, huh?

I think my original conclusion remains valid – most AI services, except for ChatGPT, seem to produce very similar quality on average when prompted in the same way.

Comparing AI Services–the final analysis

I started out to provide an indication of the differences between different AI services here:

Testing the differences between AI services

I did a quick comparison here:

An analysis of how AI services vary

I then did a deep analysis of all the generated articles using:

Copilot Researcher

Gemini Deep Thinking

ChatGPT Deep Thinking

If you now take those three results and assign a score of 7 = highest and 1 = lowest recommendations of each and total them up, you end up with this ranking table:

AI Service | Researcher | Gemini | ChatGPT | Total Score
Deepseek | 5 | 4 | 7 | 16
M365 Copilot | 7 | 3 | 4 | 14
Copilot Researcher | 6 | 6 | 1 | 13
Gemini | 4 | 7 | 2 | 13
Copilot Studio | 2 | 5 | 5 | 12
ChatGPT Deep Research | 3 | 2 | 3 | 8
ChatGPT | 1 | 1 | 6 | 8

The winner then appears to be, on average, Deepseek. However, you will note that most AI services tested, except ChatGPT have similar scores, with the ‘average’ score being 12, which most services, except again ChatGPT, scored at or above.

This analysis is far from perfect or ideal or for that matter without bias. There are so many variables that possibly come into play that it is very difficult, if not impossible, to get a true ‘apples vs apples’ comparison of AI services. However, I think this result still does provide value if you are looking to answer the question of the ‘best’ AI service. That answer seems to largely be that most AI services, apart from ChatGPT, are pretty much on par when it comes to prompting, so choosing from amongst these simply based on their response to prompts, doesn’t seem to matter all that much.

Of course, there are plenty of other factors, aside from prompt results, that should be considered. The quality of the generated results also is greatly affected by the actual prompts used and I am sure that also varies across the AI services as well.

What I’ll now be interested to see is what the ‘click’ rate is on each article after a period of time. Will the Google AI service generate more article ‘hits’ than the other articles? Time will tell and I’ll report back once enough time has elapsed. These results also make a good benchmark to potentially test again down the track to see if things have changed at all and the progress these AI agents have made.

Interesting time ahead.

Comparing AI services – a third analysis

Recently, I have been analysing the results produced from the same prompt in various AI services. After having the various AI services generate answers I compared their value using Copilot Researcher and Gemini. To provide a final alternate analysis of the articles I used ChatGPT Deep Research and received the following analysis, summarised here:

————————–

Rankings (Value to SMB Owner): Based on clarity, practicality, and depth of recommendations, we rank the articles as follows (1 = most valuable):

  1. Deepseek (Aug 31) – Provides a step-by-step guide on replacing firewall functions with M365 features, with concrete examples (Safe Links, web filtering, Conditional Access) and even a cost comparison. Its clear bullet format and action-oriented advice make it highly accessible.

  2. ChatGPT (Sep 2) – Gives an ultra-concise Q&A answer summarizing the essentials. The “Answer in short” explicitly states that for most SMBs a basic firewall suffices and expensive NGFWs add little compared to built-in M365 protections. Its brevity makes it very easy to digest (2‑minute read), though it is simple.

  3. Copilot Studio (Aug 30) – A bullet-point summary that quickly lists the key protections in M365 (endpoint EDR, email filtering, conditional access, DLP, etc.). Its Q&A style (“Short answer”) is user-friendly and covers the main points succinctly.

  4. M365 Copilot (Sep 3) – Offers a short answer plus a configuration blueprint (steps to enforce MFA, Intune baselines, Defender settings, etc.) focused on identity/device security. This balances brevity with practical steps. It clearly states that for remote-first SMBs, a basic router is enough and effort should go into Intune/M365 policies.

  5. ChatGPT (Aug 28) – A traditional blog-style article with multiple sections on built-in security, Zero Trust, host firewalls, etc. It thoroughly covers many features of Business Premium. While detailed, its long paragraphs (7‑min read) and technical tone may be harder for a busy non-expert to quickly follow.

  6. Gemini (Sep 1) – A formal, research-style analysis (13‑min) with executive summary, threat modeling, TCO, and compliance discussion. It is extremely comprehensive (notably covering things like PCI DSS) but in heavy academic tone. This depth is impressive but likely more than a typical SMB owner needs.

  7. Copilot Researcher (Aug 29) – An exhaustively detailed report (20‑min) with an executive summary, configuration guide, feature comparisons, and cost analysis. While it contains valuable info, its length and technicality make it the hardest to consume. It also concludes (like the others) that M365 BP can often replace expensive firewalls, but the sheer volume can overwhelm small teams.

In summary, the shorter Q&A and bullet-list articles (Deepseek, ChatGPT Sep2, Copilot Studio, M365 Copilot) score highest for SMB owners because they deliver clear guidance quickly. The longer, more technical write-ups (Gemini, Copilot Researcher) score lower despite depth.

Overall Best: Deepseek’s article stands out as the most practical: it clearly explains why and how to use M365 features instead of buying pricey firewalls, with concrete steps and examples. This level of clarity makes it particularly valuable for a small-business owner deciding on cost-effective security.