IAM Pricing: The Bundling Problem
This article is part of the cybersecurity software pricing benchmarks series. Identity and access management pricing has become genuinely complex because the category's two dominant vendors — Okta and Microsoft — have fundamentally different commercial strategies. Okta sells IAM as a standalone product with transparent (though negotiable) per-user pricing. Microsoft bundles Entra ID into M365 and Azure, making the "true" per-user cost of IAM a function of how you allocate your Microsoft license costs.
Neither approach is inherently better for procurement — but they require different benchmark methodologies. For Okta, the question is simple: what is your per-user rate, and how does it compare to what similar organizations pay? For Microsoft, the question is: what is the incremental cost of Entra ID capabilities given your existing M365 commitment?
Okta Workforce Identity: Per-User Pricing Benchmarks
Okta's Workforce Identity Cloud is its enterprise product line for employee (and contractor) identity. The platform covers SSO, MFA, lifecycle management (provisioning/deprovisioning), PAM, identity governance, and related capabilities. Pricing is per-user per-month, with significant variation between tiers and based on which modules are included.
Okta SSO + MFA: Core Benchmark Data
| User Count | Product | List Price / User / Month | Benchmark Median | Best-in-Class |
|---|---|---|---|---|
| 500–2,499 | Workforce SSO + MFA | $9–$13 | $6.80 | $5.20 |
| 2,500–9,999 | Workforce SSO + MFA | $8–$12 | $6.20 | $4.80 |
| 10,000–24,999 | Workforce SSO + MFA | $7–$11 | $5.40 | $4.10 |
| 25,000–74,999 | Workforce SSO + MFA | $6–$10 | $4.60 | $3.40 |
| 75,000+ | Enterprise Platform | Negotiated | $3.80 | $2.80 |
Okta Full Platform: With Lifecycle Management
| User Count | Product Bundle | List Price / User / Month | Benchmark Median | Best-in-Class |
|---|---|---|---|---|
| 5,000–19,999 | Workforce + Lifecycle Mgmt | $14–$18 | $9.40 | $7.10 |
| 20,000–49,999 | Workforce + Lifecycle + PAM | $22–$30 | $14.20 | $10.80 |
| 50,000+ | Full Platform Bundle | Negotiated | $11.60 | $8.40 |
"Okta's biggest pricing lever is Microsoft. Every organization evaluating Okta renewal should first establish the true incremental cost of Entra ID P2 within their Microsoft EA. That number becomes the anchor for everything Okta will negotiate against."
Benchmark Your Okta Contract
See where your Okta per-user rate sits vs. real peer contracts. 48-hour turnaround, NDA-protected benchmark report.
Microsoft Entra ID: The "Included" Cost Reality
Microsoft Entra ID (formerly Azure Active Directory) is included in various M365 and Azure tiers:
- Entra ID Free: Basic directory services, SSO for SaaS apps. No MFA advanced features. Included in all M365 plans and Azure subscriptions.
- Entra ID P1: Conditional Access, MFA, hybrid identity, self-service password reset. Included in M365 E3, Microsoft 365 Business Premium, and EMS E3.
- Entra ID P2: All P1 features plus Privileged Identity Management (PIM), Identity Protection (risk-based CA), and Entitlement Management. Included in M365 E5, EMS E5, and Entra P2 standalone.
The "included" framing is accurate — if you're already on M365 E3 or E5, you have Entra ID P1 or P2 at no incremental license cost. The question is what you paid for M365 E3 or E5, and how much of that cost is attributable to Entra ID.
The M365 E3 vs E5 Cost Allocation for Entra
| M365 License | Entra ID Tier Included | Benchmark Rate / User / Month | Premium Delta vs E3 | Allocated Entra Cost |
|---|---|---|---|---|
| M365 E3 | Entra ID P1 | $28–$36/user/month | — | ~$3–5/user/month (P1) |
| M365 E5 | Entra ID P2 | $46–$58/user/month | +$14–22/user/month | ~$5–8/user/month (P2, allocated) |
| Entra ID P2 (standalone) | Entra ID P2 | $6–$9/user/month list | — | $3.80–5.20 benchmark median |
The standalone Entra ID P2 benchmark rate ($3.80–$5.20 per user per month) is lower than Okta's benchmark rate for comparable SSO + MFA functionality ($4.80–$6.20). But for most large enterprises, Entra ID P2 is accessed through M365 E5 rather than standalone — meaning the "cost" is the incremental premium of E5 over E3 allocated across all E5 features (Defender, Purview, Sentinel, Intune, Entra). This allocation analysis is the core of any honest Okta vs. Microsoft IAM cost comparison.
CyberArk PAM: Privileged Access Benchmark Data
CyberArk dominates the Privileged Access Management sub-category with its Core PAS (Privileged Access Security) platform and newer SaaS offering (Privilege Cloud). Pricing differs from general IAM — it's based on privileged account vaulting, session recording, and privileged session management capacity rather than total user count.
| Deployment | Metric | List Price Range | Benchmark Median | Best-in-Class |
|---|---|---|---|---|
| CyberArk Core PAS (on-prem) | Per vault + per account tier | $180K–$280K/yr (midsize) | $124K | $92K |
| CyberArk Privilege Cloud | Per privileged user/month | $100–$180/priv user/yr | $68/priv user/yr | $50/priv user/yr |
| CyberArk Secrets Mgmt | Per vault/year | $36K–$72K/vault/yr | $24K | $18K |
CyberArk's primary competitive threat in privileged access management is increasingly from BeyondTrust and HashiCorp Vault (for secrets management). Microsoft also has Entra PIM for privileged role management within the Azure/M365 ecosystem. For organizations where privileged access is primarily cloud-based (Azure, AWS, GCP), the Entra PIM + AWS IAM combination can replace standalone PAM at significantly lower cost. For organizations with significant on-premise infrastructure and complex PAM requirements, CyberArk maintains a genuine capability advantage that justifies its pricing premium relative to alternatives.
Okta vs. Entra: Negotiation Strategy
The mechanics of Okta negotiation have shifted significantly as Microsoft has become a more credible identity platform. Before 2022, Microsoft Entra ID (then Azure AD) was widely seen as weaker than Okta on SSO breadth and configuration flexibility. That gap has narrowed, and organizations that can credibly threaten an Okta-to-Entra migration now have substantially more negotiating leverage than they did two years ago.
How to Establish Real Microsoft Leverage Against Okta
- Calculate your true Entra ID P2 incremental cost honestly — this gives you a hard anchor number for the Okta conversation
- Run a technical assessment of Entra ID P2 coverage for your specific application portfolio (key question: what percentage of your SSO-integrated apps work with Entra vs. requiring Okta's broader integration catalog?)
- Identify your Microsoft EA renewal timing — if you're heading into an M365 EA renewal, the bundling leverage increases substantially
- Share the results of your Microsoft assessment with Okta in the commercial negotiation. "Our analysis shows Entra P2 covers 85% of our requirements at $4.80/user/month all-in; we need Okta to be commercially competitive with that" is a much stronger negotiating position than a vague competitive threat
IAM Benchmark Before Renewal
We benchmark Okta, Entra ID, CyberArk, and Ping Identity against real peer contract data. Get your report before the next renewal conversation.
Okta Module Expansion: The True-Up Trap
Okta's commercial model has the same module expansion problem seen with other major security vendors. Organizations that start with SSO + MFA progressively activate Lifecycle Management, Privileged Access, Identity Governance, and API Access Management. Each module has its own per-user or per-integration pricing. By the time of the second renewal, the effective per-user cost has grown substantially — often without clear visibility into why.
Our benchmark data shows that organizations that conduct a module-level review before Okta renewal (rather than accepting the bundle renewal quote) consistently identify 15–25% in modules either not being used or duplicating functionality in other parts of the security stack. This review process is a core part of our renewal benchmarking methodology.
- Okta SSO + MFA standalone benchmark median: $4.60–$6.20/user/month (5K–25K users)
- Entra ID P2 standalone benchmark median: $3.80–$5.20/user/month
- Entra ID P2 via M365 E5 (allocated cost): $5–8/user/month — comparable to Okta, but bundles additional M365 capabilities
- Okta full platform (lifecycle + PAM): $9–14/user/month benchmark median; best-in-class $7–10
- CyberArk PAM (standalone): $50–68/privileged user/year benchmark median
- Okta best discount timing: End-of-quarter + active Microsoft evaluation running simultaneously
- Entra ID best deal structure: As part of M365 EA renewal with dedicated security workload allocation
The IAM Benchmark Bottom Line
Identity is one of the few security categories where Microsoft has built a genuinely competitive alternative to the market leader — not just a checkbox product. For organizations already on M365, the Entra ID P2 option is worth an honest cost analysis before every Okta renewal. Our benchmark data shows the price gap between Okta at best-in-class rates and Entra P2 has narrowed to the point where the decision is often driven by non-price factors: integration breadth, Okta's deeper third-party app catalog, or organizational preference for best-of-breed vs. platform consolidation.
For any organization not running this analysis, they're almost certainly leaving money on the table — either in Okta discounts unlocked by credible Microsoft leverage, or in potential savings from a partial or full Entra migration. The benchmark data starts that conversation.
For the full cybersecurity pricing landscape, see our Cybersecurity Software Pricing Benchmarks pillar, and download our Cybersecurity Pricing Report for the complete vendor benchmark dataset.
Related Articles
More cybersecurity pricing benchmarks
