The console you open twice a year
Think about the last time you opened the Microsoft Entra admin center. You went in to add a user, reset someone's access, or chase a sign-in that looked off. You did the one thing you came to do, and you left. The dozens of other blades in that console, the ones with names like password protection, access reviews, and authentication methods, scrolled past in your peripheral vision the way the unread settings in any app do. You know they are there. You have never had a reason to stop.
Here is the part that should bother you a little: a lot of those blades are not locked behind an upsell. They are features your current license already includes, switched off, waiting for someone to spend an afternoon turning them on. A few years ago a company your size would have bought separate products to get this stuff. Now it ships inside the identity platform you log into twice a year, and most of it has never been touched.
This is the quiet shape of identity security at a small company. The capability is bought. The configuration is not. What you are missing was never in the catalog.
What your Entra ID license already includes
Most small teams running Microsoft 365 are sitting on Microsoft Entra ID P1, which comes bundled with Business Premium and several mid-tier M365 plans. P1 is not the bare free tier, and it is not the top one. It is the middle, and the middle carries more identity capability than the average two-person IT team ever switches on.
A few of the features that come with P1, sitting in the admin center right now:
- Entra Password Protection with a custom banned password list, which lets you block your company name, your products, and your local sports team from showing up in user passwords. The global banned list applies to every tenant for free; the custom list you control needs P1, per Microsoft's Entra Password Protection licensing.
- Self-service password reset, the feature that lets a user recover their own account through a verified flow without pinging you at 7 p.m. Microsoft documents how to enable self-service password reset in the same console.
- Conditional Access, the if-then policy engine that decides whether a sign-in should proceed based on who, what, and where, available with P1 per Microsoft's Conditional Access overview.
None of those is an add-on. They came with the seats you already pay for every month. The question at renewal is not what to buy. It is what you already bought and never switched on.
Why dormant controls stay dormant
If these features are this useful and already paid for, the honest question is why they sit idle. The answer is not that you do not know they exist. It is that switching them on safely is operational work, and operational work needs hours you do not have.
Take self-service password reset. Turning it on means picking which verification methods you trust, deciding whether to enforce registration, and writing the short note that tells your team what changed before the first person panics that their account is being phished. That is an hour of setup and a week of light support, and it competes with every other fire on your desk. So it waits. Password protection is the same: a real custom list takes thought about which terms attackers will guess for your company, not a generic example you copied from a tutorial.
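One way to do that thinking for the custom banned list, as an added example (not from the original article or from Microsoft). It applies the limits Microsoft documents for the custom list: 4 to 16 characters per term, up to 1,000 terms, case-insensitive, with common substitutions such as 0/o and @/a normalized before matching. The company, product and team names are constructed, and terms_hit is a simplified substring check, not Microsoft's scoring.

```python
MIN_LEN, MAX_LEN, MAX_TERMS = 4, 16, 1000   # documented custom-list limits
# Character substitutions the service undoes before comparing passwords to the list.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})


def normalize(text):
    """Lowercase and undo the common substitutions, as happens before matching."""
    return text.strip().lower().translate(SUBSTITUTIONS)


def build_banned_list(candidates):
    """Return (accepted, rejected); rejected maps each dropped term to a reason."""
    accepted, rejected, seen = [], {}, set()
    for raw in candidates:
        term = normalize(raw)
        if not MIN_LEN <= len(term) <= MAX_LEN:
            rejected[raw] = f"length {len(term)} outside {MIN_LEN}-{MAX_LEN}"
        elif term in seen:
            # Variants like "C0ntoso" waste a slot: the base term already covers them.
            rejected[raw] = f"duplicate of '{term}' after normalization"
        elif len(accepted) >= MAX_TERMS:
            rejected[raw] = f"list already holds {MAX_TERMS} terms"
        else:
            seen.add(term)
            accepted.append(term)
    return accepted, rejected


def terms_hit(password, banned):
    """Simplified check: banned base terms contained in the normalized password."""
    normalized = normalize(password)
    return [term for term in banned if term in normalized]


# Constructed sample input for a hypothetical company "Contoso" near Seattle.
CANDIDATES = ["Contoso", "C0ntoso", "contoso", "Widgetron", "Seahawks",
              "HQ", "ContosoWidgetronPlatform", "Se@hawks"]

if __name__ == "__main__":
    banned, dropped = build_banned_list(CANDIDATES)
    print("paste into the custom list:", banned)
    for term, why in dropped.items():
        print(f"dropped {term!r}: {why}")
    for pw in ["C0nt0so2024!", "Se@hawks#1", "correct-horse-battery"]:
        print(pw, "->", terms_hit(pw, banned))
```

Eight candidate terms collapse to three base terms, which is the point: the list rewards distinct words specific to your company, not spelling variants of one.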
A control you own but never enable is not protection. It is a line item you are paying to leave switched off.
This is the pattern across the whole console. The capability is licensed, documented, and one configuration screen away. What is missing is the person with the time and the context to enable it, watch what it does to real users, and keep it tuned as the team changes. Identity security at a small company is an operating problem, not a shopping problem.
Where the included tier stops
We run Entra environments, so here is the line the product pages skip. P1 does not cover everything you might eventually want, and pretending otherwise helps no one.
Privileged Identity Management, the feature that turns a standing Global Admin into just-in-time access with approvals and an expiry, requires Entra ID P2 or Entra ID Governance, not P1, per Microsoft's PIM licensing fundamentals. Access reviews, the scheduled checks that confirm people still need the access they have, carry the same P2 or Governance requirement, per Microsoft's access reviews license requirements.
That matters because the goal is not to oversell the tier you already own. P2 features are worth the upgrade for some teams, and worth naming plainly for the rest. What the included P1 tier does cover is most of the everyday identity risk for a company under a few hundred people, if someone configures it. You probably do not need to buy more tomorrow. You need the hours to run what you have.
The missing piece was never a product
Go back to that console you open twice a year. The blades you scroll past are not scrolling past because you decided against them. They are dormant because turning each one on safely takes setup, a test against real sign-ins, a note to your team, and the attention to keep it working as people come and go. A license cannot do that. A person has to own it.
That is the whole shape of identity security for a small team. The features inside Entra ID are good, and you already pay for them. The constraint is not the catalog; it is that the one person who could enable and tend them is also resetting passwords, chasing sign-in alerts, and rebuilding the offboarding script. Buying another license does not add an hour to that person's week.
So before the next renewal, here is the question to sit with: if the identity controls you need are already switched off in a console you own, what would change if there were someone whose actual job was keeping them on?


