This document discusses Microsoft Entra ID Governance licensing. It's intended for IT decision makers, IT administrators, and IT professionals who are considering Microsoft Entra ID Governance services for their organizations.
Types of licenses
The following licenses are available for use with Microsoft Entra ID Governance in the commercial and government clouds. The choice of licenses you need in a tenant depends on the features you're using in that tenant.
- Free - Included with Azure cloud subscriptions such as Azure, Microsoft 365, and others.
- Microsoft Entra ID P1 - Microsoft Entra ID P1 is available as a standalone product or included with Microsoft 365 E3 for enterprise customers and Microsoft 365 Business Premium for small to medium businesses.
- Microsoft Entra ID P2 - Microsoft Entra ID P2 is available as a standalone product or included with Microsoft 365 E5 for enterprise customers.
- Microsoft Entra ID Governance - Microsoft Entra ID Governance is an advanced set of identity governance capabilities available for Microsoft Entra ID P1 and P2 customers. Microsoft Entra ID Governance is available as six products: Microsoft Entra ID Governance, Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2, Entra ID Governance Frontline Worker, Microsoft Entra ID Governance Step up for Microsoft Entra ID F2, Microsoft Entra ID Governance for Government, and Microsoft Entra ID Governance Add-on for Microsoft Entra ID P2 for Government. These six products differ only in their prerequisites; they contain both the entitlement management, privileged identity management, and access reviews capabilities that were in Microsoft Entra ID P2, and additional advanced identity governance capabilities.
- Microsoft Entra Suite - Microsoft Entra Suite is a complete cloud-based solution for workforce access, available for Microsoft Entra ID P1 and P2 customers. Microsoft Entra Suite brings together Microsoft Entra Private Access, Microsoft Entra Internet Access, Microsoft Entra ID Governance, Microsoft Entra ID Protection, and Microsoft Entra Verified ID. The Microsoft Entra ID Governance portion provides the same identity governance capabilities as the Microsoft Entra ID Governance product. The difference is that they have different prerequisites.
Note
Some Microsoft Entra ID Governance scenarios can be configured to depend upon other features that aren't covered by Microsoft Entra ID Governance. These features might have additional licensing requirements. For more information on governance scenarios using other features, see the Identity Governance overview page.
Governance products and prerequisites
The Microsoft Entra ID Governance capabilities are currently available in six standalone products. These six products provide the same identity governance capabilities. The difference between the six products is that they have different prerequisites.
- A subscription to Microsoft Entra ID Governance or Microsoft Entra ID Governance for Government, listed in the product terms as the Microsoft Entra ID Governance (User SL) product, requires that the tenant also have an active subscription to another product, one that contains the `AAD_PREMIUM` or `AAD_PREMIUM_P2` service plan. Examples of products meeting this prerequisite include Microsoft Entra ID P1, Microsoft 365 E3/E5/A3/A5/G3/G5 or Enterprise Mobility + Security E3/E5.
- A subscription to Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2 or Microsoft Entra ID Governance Add-on for Microsoft Entra ID P2 for Government, listed in the product terms as the Microsoft Entra ID Governance P2 product, requires that the tenant also have an active subscription to another product, one that contains the `AAD_PREMIUM_P2` service plan. Examples of products meeting this prerequisite include Microsoft Entra ID P2, Microsoft 365 E5/A5/G5, Enterprise Mobility + Security E5, Microsoft 365 E5/F5 Security or Microsoft 365 F5 Security + Compliance.
- A subscription to the Entra ID Governance Frontline Worker (User SL) product requires that the tenant also have an active subscription to another product, one that contains the `AAD_PREMIUM` or `AAD_PREMIUM_P2` service plan. Examples of products meeting this prerequisite include Microsoft Entra ID P1, Microsoft 365 E3/E5/A3/A5/G3/G5, Enterprise Mobility + Security E3/E5 or Microsoft 365 F1/F3.
- A subscription to Microsoft Entra ID Governance Step up for Microsoft Entra ID F2, listed in the product terms as the Microsoft Entra ID Governance F2 or Microsoft Entra ID Governance Step-Up for Microsoft Entra ID F2 for Frontline Worker (User SL) product, requires that the tenant also have an active subscription to another product, one that contains the `AAD_PREMIUM_P2` service plan. Examples of products meeting this prerequisite include Microsoft Entra ID F2.
Microsoft Entra ID Governance capabilities are also included in the Microsoft Entra Suite. The available Microsoft Entra Suite products include Microsoft Entra Suite (User SL), Microsoft Entra Suite Add-on for Microsoft Entra ID F2 for FLW (User SL), Microsoft Entra Suite Add-on for Microsoft Entra ID P2 (User SL), Microsoft Entra Suite Add-on for Microsoft Entra ID P2 EDU (User SL), Microsoft Entra Suite FLW (User SL), and Microsoft Entra Suite for EDU (User SL).
The product names and service plan identifiers for licensing lists additional products that include the prerequisite service plans.
Note
A subscription to a prerequisite for a Microsoft Entra ID Governance product must be active in the tenant. If a prerequisite isn't present, or the subscription expires, then Microsoft Entra ID Governance scenarios might not function as expected.
To check if the prerequisite products for a Microsoft Entra ID Governance product are present in a tenant, you can use the Microsoft Entra admin center or the Microsoft 365 admin center to view the list of products.
1. Sign in to the Microsoft Entra admin center as a License Administrator.
2. In the Identity menu, expand Billing and select Licenses.
3. In the Manage menu, select Licensed features. The information bar indicates the current Microsoft Entra ID license plan.
4. To view the existing products in the tenant, in the Manage menu, select All products.
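
The same prerequisite check can be scripted against the tenant's subscription list. The following is an added example, not part of the original article and not Microsoft's code: it evaluates a constructed sample shaped like a Microsoft Graph `subscribedSkus` response against the prerequisite service plans listed above. It assumes that only subscriptions whose `capabilityStatus` is `Enabled` count as active.

```python
import json

# Prerequisite service plans per governance product, taken from the list above.
PREREQUISITES = {
    "Microsoft Entra ID Governance (User SL)": {"AAD_PREMIUM", "AAD_PREMIUM_P2"},
    "Microsoft Entra ID Governance P2": {"AAD_PREMIUM_P2"},
    "Entra ID Governance Frontline Worker (User SL)": {"AAD_PREMIUM", "AAD_PREMIUM_P2"},
    "Microsoft Entra ID Governance F2": {"AAD_PREMIUM_P2"},
}

# Constructed sample in the shape of a Microsoft Graph GET /subscribedSkus reply.
# The P2 subscription is marked Suspended to model an expired prerequisite.
SAMPLE_SKUS = json.loads("""
{"value": [
  {"skuPartNumber": "AAD_PREMIUM", "capabilityStatus": "Enabled",
   "servicePlans": [{"servicePlanName": "AAD_PREMIUM"},
                    {"servicePlanName": "MFA_PREMIUM"}]},
  {"skuPartNumber": "AAD_PREMIUM_P2", "capabilityStatus": "Suspended",
   "servicePlans": [{"servicePlanName": "AAD_PREMIUM_P2"}]}
]}
""")


def active_service_plans(skus):
    """Collect service plan names from subscriptions that are still active."""
    plans = set()
    for sku in skus.get("value", []):
        # Assumption: only Enabled subscriptions satisfy "active in the tenant".
        if sku.get("capabilityStatus") != "Enabled":
            continue
        for plan in sku.get("servicePlans", []):
            plans.add(plan["servicePlanName"])
    return plans


def prerequisite_report(skus):
    """Map each governance product to the active plans that satisfy it."""
    active = active_service_plans(skus)
    return {p: sorted(active & needed) for p, needed in PREREQUISITES.items()}


if __name__ == "__main__":
    for product, satisfied_by in prerequisite_report(SAMPLE_SKUS).items():
        status = "met by " + ", ".join(satisfied_by) if satisfied_by else "NOT met"
        print(f"{product}: prerequisite {status}")
```

Running a check like this on a schedule surfaces a lapsed prerequisite before governance scenarios stop functioning as expected.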
Privileged Identity Management
To use Microsoft Entra Privileged Identity Management, a tenant must have a valid license. This article describes the license requirements to use Privileged Identity Management. To use Privileged Identity Management, you must have one of the following licenses:
Valid licenses for PIM
You need either Microsoft Entra ID Governance licenses or Microsoft Entra ID P2 licenses to use PIM and all of its settings. Currently, you can scope an access review to service principals with access to Microsoft Entra ID, resource roles with a Microsoft Entra ID P2 or users with Microsoft Entra ID Governance edition active in your tenant.
Licenses you must have for PIM
Ensure that your directory has Microsoft Entra ID P2 or Microsoft Entra ID Governance licenses for the following categories of users:
- Users with eligible and/or time-bound assignments to Microsoft Entra ID or Azure roles managed using PIM
- Users with eligible and/or time-bound assignments as members or owners of PIM for Groups
- Users able to approve or reject activation requests in PIM
- Users assigned to an access review
- Users who perform access reviews
Example license scenarios for PIM
Here are some example license scenarios to help you determine the number of licenses you must have.
Scenario | Calculation | Number of licenses |
---|---|---|
Woodgrove Bank has 10 administrators for different departments and 2 Privileged Role Administrators that configure and manage PIM. They make five administrators eligible. | Five licenses for the administrators who are eligible | 5 |
Graphic Design Institute has 25 administrators of which 14 are managed through PIM. Role activation requires approval and there are three different users in the organization who can approve activations. | 14 licenses for the eligible roles + three approvers | 17 |
Contoso has 50 administrators of which 42 are managed through PIM. Role activation requires approval and there are five different users in the organization who can approve activations. Contoso also does monthly reviews of users assigned to administrator roles and reviewers are the users’ managers of which six aren't in administrator roles managed by PIM. | 42 licenses for the eligible roles + five approvers + six reviewers | 53 |
When a license expires for PIM
If a Microsoft Entra ID P2, Microsoft Entra ID Governance, or trial license expires, Privileged Identity Management features are no longer available in your directory:
- Permanent role assignments to Microsoft Entra roles are unaffected.
- The Privileged Identity Management service in the Microsoft Entra admin center, and the Graph API cmdlets and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles.
- Eligible role assignments of Microsoft Entra roles are removed, as users are no longer able to activate privileged roles.
- Any ongoing access reviews of Microsoft Entra roles end, and Privileged Identity Management configuration settings are removed.
- Privileged Identity Management no longer sends emails on role assignment changes.
API-driven provisioning
This feature is available with Microsoft Entra ID P1, P2, and Microsoft Entra ID Governance subscriptions. A subscription license is required for every identity that is sourced using the /bulkUpload API and provisioned to either on-premises Active Directory or Microsoft Entra ID.
License scenarios
Customer License | Usage limits enforced at tenant level for API-driven provisioning |
---|---|
Microsoft Entra ID P1 or P2 | Daily usage quota (number of user records that can be uploaded over 24-hour period): 100K user records (2000 /bulkUpload API calls with each request containing max of 50 records). Max number of API-driven provisioning jobs for each flow: 2 (max 2 apps for API-driven provisioning to on-premises Active Directory; max 2 apps for API-driven provisioning to Microsoft Entra ID). |
Microsoft Entra ID Governance alongside Microsoft Entra ID P1 or P2 | Daily usage quota (number of user records that can be uploaded over 24-hour period): 300K user records (6000 /bulkUpload API calls with each request containing max of 50 records). Max number of API-driven provisioning jobs for each flow: 20 (max 20 apps for API-driven provisioning to on-premises Active Directory; max 20 apps for API-driven provisioning to Microsoft Entra ID). |
Licensing FAQs
Do licenses need to be assigned to users to use Identity Governance features?
Users don't need to be assigned a Microsoft Entra ID Governance license, but there need to be enough licenses to cover all users who are in scope of, or who configure, the Identity Governance features.
How can I license usage of Microsoft Entra ID Governance features for business guests?
Microsoft Entra ID Governance utilizes Monthly Active User (MAU) licensing for guest users, which is different from licensing for employees and requires an Azure subscription.
Under the guest billing model, guests are identified by a userType of Guest regardless of where the user authenticates. A userType of Guest is the default userType for all B2B invitation methods and can also be set by an Identity administrator. The bill for each month includes a record for each guest user with one or more governance actions in that month. See the Azure pricing page for pricing details.
What happens to PIM when a license expires?
If a Microsoft Entra ID P2 or Microsoft Entra ID Governance license expires or trial ends, Privileged Identity Management features will no longer be available in your directory. The following changes apply to PIM for Microsoft Entra roles, PIM for Azure resources, and PIM for Groups.
- Active permanent assignments aren't affected.
- Active time-bound assignments become active permanent, which means they'll no longer expire at a designated time.
- Eligible role assignments are removed, as users will no longer be able to activate privileged roles.
- Privileged Identity Management blades on Microsoft Entra admin center or Azure portal, API, and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate roles, manage assignments, or perform access reviews of privileged roles.
- Any ongoing access reviews of Microsoft Entra roles end, and Privileged Identity Management configuration settings are removed.
- Privileged Identity Management will no longer send emails on role assignment changes and PIM Alerts.
Will any IGA features and capabilities be added under the Microsoft Entra ID P2 License?
All currently Generally Available features in Microsoft Entra ID P2 will remain, but no new IGA features or capabilities will be added to the Microsoft Entra ID P2 SKU.