Entra ID: P2 vs Governance for Guests
Microsoft Entra
Sep 16, 2025 4:26 AM

by HubSite 365 about Merill Fernando

Product Manager @ Microsoft 👉 Sign up to Entra.News my weekly newsletter on all things Microsoft Entra | Creator of cmd.ms & idPowerToys.com

Microsoft Entra guest governance: P2 versus Entra ID Governance, Entitlement Management, Access Reviews, MAU billing

Key insights

  • Guests and external users add value but create a growing hidden security risk.
    Orphaned accounts and unused access accumulate over time, so audit guest access regularly.
  • Compare P2 vs Entra ID Governance: P2 covers broad identity features while Entra ID Governance focuses on guest lifecycles and external identities.
    Use Entra ID Governance when you need streamlined guest management and lifecycle automation.
  • Microsoft now offers a MAU-based billing model for guest governance that meters active guest usage.
    This model charges per monthly active guest (approx. $0.75/user) and helps control costs versus flat per-user licensing.
  • Key governance tools include Entitlement Management, Access Reviews, Lifecycle Workflows, and the Sponsor concept.
    These features automate expirations, enforce review cadence, and assign accountability for guest access.
  • Note the timeline: B2C P2 deprecation is planned (March 15, 2026), so plan license changes and migrations now.
    Ensure guests and work accounts have appropriate Entra licenses before the deprecation date.
  • Simple, actionable next steps for admins: run Access Reviews immediately, remove stale guests, assign Sponsors, and enable Lifecycle clean-up workflows.
    Track MAU usage, start small, and expand automation to reduce risk and control costs.

Overview of the YouTube discussion

In a recent YouTube video hosted by Merill Fernando, Microsoft’s Jeremy Conley, Principal Product Manager on the identity governance team, breaks down guest access challenges and governance options for Microsoft Entra environments. The conversation, framed as “The Great Debate: P2 vs. Entra ID Governance for Guests,” highlights how guest accounts quietly increase risk as they accumulate in a tenant. Importantly, Conley explains the practical differences between legacy P2 licensing and the newer Entra ID Governance model, and he outlines why organizations should rethink guest management now. Overall, the video aims to equip admins with both strategic guidance and immediate steps to reduce exposure.

Licensing changes and cost tradeoffs

Conley clarifies that Microsoft is shifting guest governance toward a metered, consumption-based approach, charging for active governance usage on a MAU basis rather than relying solely on flat per-user licenses. For many organizations, this change may lower costs when guest governance is intermittent, because you pay for actual activity instead of provisioning a license for every invited account. Conversely, high-volume environments that actively govern thousands of guests could see different cost outcomes, so teams must model spend under both flat-license and metered scenarios to find the best fit. Thus, the billing change introduces flexibility but also requires new monitoring and forecasting to avoid surprises.

Feature comparison: P2 versus Entra ID Governance

Both P2 and Entra ID Governance provide core tools like Entitlement Management and Access Reviews, yet Conley stresses that Entra’s newer governance features focus more tightly on external identities and lifecycle automation. Consequently, organizations that rely heavily on complex external collaborations may benefit from the streamlined workflows and sponsor-driven accountability that Entra offers. At the same time, some long-established tenants already invested in P2 features might face migration work and compatibility checks, which represent real operational tradeoffs when choosing to transition. Therefore, teams must weigh the value of modernized guest workflows against the costs and time needed to migrate existing governance processes.

New billing details and practical implications

The video highlights a few billing nuances, including a publicly noted price point for the new guest model and the clarification around the old 1:5 ratio versus the new MAU billing logic. While the metered approach tends to be fairer for sporadic guest activity, Conley warns that admins must track which governance features actually trigger charges and how frequently guests become active. Also, organizations using Azure AD B2C should note that some legacy P2 constructs are being phased out by March 15, 2026, which requires planning for continuity. In short, the new model can cut costs and align spend to usage, but it also demands better telemetry and budget planning.

Governance practices, sponsor model, and lifecycle automation

Jeremy emphasizes practical controls such as assigning a sponsor for guest accounts, using lifecycle workflows to expire unused access, and running regular access reviews to remove stale guests. These controls help reduce the “hidden risk” of forgotten accounts that retain permissions long after they’re needed, and they integrate with Entra automation to scale governance without constant manual effort. Nevertheless, implementing these practices often exposes organizational challenges like unclear ownership, varied tenant configurations, and limited admin time, so teams should pilot automation gradually and define clear sponsor responsibilities. By starting small and measuring impact, IT groups can balance governance rigor with operational capacity.

Common admin mistakes and cleanup steps

Conley notes common mistakes such as over-inviting guests, assigning broad roles, and failing to revoke access when sponsors leave. To counter these issues, he recommends a few concrete first steps: identify and flag inactive guests, run targeted access reviews, and standardize guest join and sponsor assignment policies. Importantly, these cleanup actions reduce both surface area for attackers and future licensing costs under MAU billing, but they require coordination across teams to avoid blocking legitimate collaboration. Therefore, the cleanup process should pair technical scans with a communications plan so stakeholders understand why accounts are being removed or changed.
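As an added example (not from the video or from Microsoft), the sketch below triages an offline export of guest accounts for the cleanup steps above: inactive guests, invitations never redeemed, and guests whose sponsors are missing or disabled. The field names follow the Microsoft Graph user resource (`userType`, `createdDateTime`, `signInActivity`, `sponsors`); the export shape with sponsors inlined, the 90-day threshold, the reason labels and the sample records are assumptions.

```python
from datetime import datetime, timedelta, timezone

def _ts(value):
    """Parse a Graph-style ISO 8601 timestamp such as 2025-06-01T08:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def triage_guests(users, now, stale_days=90):  # 90 days is an assumed threshold
    """Return {userPrincipalName: [reasons]} for guests that need review."""
    cutoff = now - timedelta(days=stale_days)
    findings = {}
    for u in users:
        if u.get("userType") != "Guest":
            continue  # member accounts are out of scope here
        reasons = []
        act = u.get("signInActivity") or {}
        # Use the most recent of interactive and non-interactive sign-ins.
        seen = [t for t in (_ts(act.get("lastSignInDateTime")),
                            _ts(act.get("lastNonInteractiveSignInDateTime"))) if t]
        if not seen:
            # Never signed in: flag only once the invitation itself is old.
            if _ts(u["createdDateTime"]) < cutoff:
                reasons.append("never-signed-in")
        elif max(seen) < cutoff:
            reasons.append("inactive")
        sponsors = u.get("sponsors") or []
        if not sponsors:
            reasons.append("no-sponsor")
        elif not any(s.get("accountEnabled", True) for s in sponsors):
            reasons.append("sponsor-disabled")  # every sponsor has left
        if reasons:
            findings[u["userPrincipalName"]] = reasons
    return findings

def _guest(upn, created, last=None, sponsors=(), kind="Guest"):
    """Build one constructed record in the assumed export shape."""
    return {"userPrincipalName": upn, "userType": kind, "createdDateTime": created,
            "signInActivity": {"lastSignInDateTime": last},
            "sponsors": [{"accountEnabled": e} for e in sponsors]}

# Constructed sample data, not taken from any real tenant.
NOW = datetime(2025, 9, 16, tzinfo=timezone.utc)
SAMPLE = [
    _guest("active@fabrikam.example", "2025-01-05T09:00:00Z", "2025-09-01T10:00:00Z", [True]),
    _guest("dormant@fabrikam.example", "2024-03-01T09:00:00Z", "2025-01-10T10:00:00Z", [True]),
    _guest("ghost@fabrikam.example", "2024-11-02T09:00:00Z"),
    _guest("new@fabrikam.example", "2025-09-10T09:00:00Z", None, [True]),
    _guest("orphan@fabrikam.example", "2025-02-01T09:00:00Z", "2025-08-20T10:00:00Z", [False]),
    _guest("employee@contoso.example", "2020-01-01T09:00:00Z", "2024-01-01T10:00:00Z", [], "Member"),
]
FINDINGS = triage_guests(SAMPLE, NOW)
```

The output is a review list rather than a deletion list: a recently invited guest is left alone, and a flagged guest can go to the sponsor or an access review before anything is removed.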

Migration challenges and strategic choices

Moving from legacy P2 setups to the newer Entra ID Governance model introduces technical and organizational work, such as mapping existing entitlement packages and updating conditional access policies to align with new automation. Furthermore, organizations must consider whether to centralize governance across tenants under a “one person, one license” philosophy or to keep tenant-level controls where business needs demand separation. Each approach has tradeoffs: centralization simplifies licensing and reporting, while decentralization may preserve local agility and compliance. Thus, decision-makers should align their licensing choice with broader identity architecture and business priorities.

Conclusions and next steps for admins

Merill Fernando’s video with Jeremy Conley serves as a timely primer on the changing landscape for guest governance in Microsoft Entra, offering both big-picture rationale and immediate advice. In response, admins should model costs under MAU billing, run an initial tenant cleanup, assign sponsors, and pilot lifecycle automation to see early benefits. As Microsoft phases out older licensing models, planning and incremental adoption will reduce risk and keep governance costs predictable, which helps organizations maintain secure and efficient external collaboration.
