VaultFuzion by Kapardyn
Pricing · 07 May 2026 · 5 min read

Entra ID protection pricing: why MSPs pay $250 a month per tenant — and what SA-resident vendors charge instead

Identity threat detection, drift, license analytics, conditional-access What-If. The global price is broken; SA-resident pricing is roughly a third of that.

— VaultFuzion Product Team

The advanced tier of identity threat protection for Microsoft Entra ID — the layer above Microsoft's built-in Entra ID Identity Protection — is sold by global vendors at roughly $200-300 per tenant per month. The price covers capability that is genuinely valuable: identity threat detection beyond the Defender baseline, drift detection between snapshots, conditional-access What-If simulation, license-waste analytics, AI-assisted compliance copilot.

For an SA MSP managing twenty tenants, the global stack is $4,000-6,000 USD per month — roughly R74,000-R111,000 ZAR equivalent at current rates, before VAT. SA-resident vendors offering equivalent capability sit at roughly a third of that figure. The gap is real and it is structural, not promotional.

What's bundled in Microsoft Entra ID P1/P2

Microsoft's own Entra ID licensing has three tiers: free, P1 (typically $6/user/month), and P2 (typically $9/user/month). P1 ships Conditional Access, Microsoft Identity Protection at the baseline level, and self-service password reset. P2 adds Privileged Identity Management (PIM) and Identity Protection at the enhanced level. These are per-user prices, not per-tenant.

For a tenant with 100 users on P2, that is $900/month — approximately R16,650 ZAR — for Microsoft's own identity protection layer. Third-party vendors that build on top of P1/P2 are pricing the additional capability above the Microsoft baseline.

Third-party Entra protection — global pricing benchmarks

Public marketing pages for the major third-party Entra protection vendors put advanced-tier pricing at roughly $200-300 per tenant per month, with capability bundles covering: drift detection across snapshots, conditional-access What-If, identity threat detection beyond the baseline (token replay, federated-domain spoofing, mass deletion), license-waste analytics, AI compliance copilot. The exact bundle differs per vendor; the price band is roughly consistent.

At a representative midpoint of $250 per tenant per month and an MSP managing twenty tenants, the bill is $5,000/month — approximately R92,500 ZAR before VAT, R106,375 with 15% VAT. Per the IBM Cost of a Data Breach Report 2025 the average SA breach is R44.1 million (IBM, 2025), so the spend pays for itself if it prevents one breach in eight years. The capability is worth it; the question is whether $250/tenant/month is the right number.

The "global infrastructure premium"

A USD-denominated vendor's $250/tenant price covers global data centres, USD-denominated engineering salaries, and global 24/7 support — none of which an SA MSP's SA tenants are particularly benefitting from. The price reflects what the vendor needs to charge globally, not what the SA tenant's value-of-service is.

SA-resident pricing comparison

SA-resident vendors offering equivalent four-tier Entra ID protection — backup, intelligence, orchestration, advanced — sit at roughly R650 to R4,600 per tenant per month depending on tier (representative public ZAR pricing across the SA-resident market). The advanced tier at the top end is roughly a third of the global vendors' equivalent advanced tier in ZAR-equivalent terms.

The capability comparison is feature-for-feature: drift detection, conditional-access What-If, eleven identity-threat detector classes, license-waste analytics, AI compliance copilot, cross-tenant correlation, break-glass account vault, configuration-as-code via Git. The capability gap between the SA-resident "advanced" and the global "advanced" is small to zero. The price gap is large.

The capability gap at lower price points

It is worth being honest about where the global vendors' premium does buy something. Two areas: the global support footprint (24/7, multi-language, multi-region) and the integration depth with non-Microsoft identity providers (Okta, Ping, Auth0). For SA tenants that operate primarily on Microsoft Entra, neither is consumed; for tenants that have a mixed-IdP estate, the global vendors' price covers real engineering work.

For the SA MSP segment specifically — which skews heavily toward Microsoft-only or Microsoft-primary identity estates — the global premium funds capabilities the buyer does not consume. SA-resident vendors that focus on Microsoft Entra without trying to cover the full multi-IdP universe deliver more relevant capability per rand.

POPIA implications

Identity protection is part of the POPIA Section 19 "appropriate, reasonable technical and organisational measures" obligation (Republic of South Africa, 2013). The advanced detector classes — token replay, mass deletion, federated-domain spoofing — are increasingly the baseline expectation in regulator post-incident reviews for tenants holding sensitive personal information. An MSP cannot defend a posture without these by claiming they were too expensive; affordable SA-resident options exist.

References

IBM (2025) Cost of a Data Breach Report 2025. IBM Security. Available at: https://www.ibm.com/reports/data-breach (Accessed: 8 May 2026).

Microsoft (2024) Microsoft Entra ID pricing and feature comparison. Microsoft Learn. Available at: https://www.microsoft.com/security/business/identity-access/microsoft-entra-id-pricing (Accessed: 8 May 2026).

Republic of South Africa (2013) Protection of Personal Information Act, No. 4 of 2013. Government Gazette of the Republic of South Africa.
