Microsoft Entra ID Governance licensing fundamentals
This following document discusses Microsoft Entra ID Governance licensing. It's intended for IT decision makers, IT administrators, and IT professionals who are considering Microsoft Entra ID Governance services for their organizations.
Types of licenses
The following licenses are available for use with Microsoft Entra ID Governance in the commercial cloud. The choice of licenses you need in a tenant depends on the features you're using in that tenant.
- Free - Included with Azure cloud subscriptions such as Azure, Microsoft 365, and others.
- Microsoft Entra ID P1 - Microsoft Entra ID P1 is available as a standalone product or included with Microsoft 365 E3 for enterprise customers and Microsoft 365 Business Premium for small to medium businesses.
- Microsoft Entra ID P2 - Microsoft Entra ID P2 is available as a standalone product or included with Microsoft 365 E5 for enterprise customers.
- Microsoft Entra ID Governance - Microsoft Entra ID Governance is an advanced set of identity governance capabilities available for Microsoft Entra ID P1 and P2 customers, as two products Microsoft Entra ID Governance and Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2. These products contain the basic identity governance capabilities that were in Microsoft Entra ID P2, and additional advanced identity governance capabilities.
Note
Some Microsoft Entra ID Governance scenarios can be configured to depend upon other features that aren't covered by Microsoft Entra ID Governance. These features might have additional licensing requirements. See the Identity Governance overview for more information on governance scenarios that rely on additional features.
Governance products and prerequisites
The Microsoft Entra ID Governance capabilities are currently available in two products in the commercial cloud. These two products provide the same identity governance capabilities. The difference between the two products is that they have different prerequisites.
- A subscription to Microsoft Entra ID Governance, listed in the product terms as the Microsoft Entra ID Governance (User SL) license, requires that the tenant also have an active subscription to another product, one that contains the
AAD_PREMIUMorAAD_PREMIUM_P2service plan. Examples of products meeting this prerequisite include Microsoft Entra ID P1, Microsoft 365 E3/E5/A3/A5/G3/G5, Enterprise Mobility + Security E3/E5 or Microsoft 365 F1/F3. - A subscription to Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2, listed in the product terms as the Microsoft Entra ID Governance P2 license, requires that the tenant also have an active subscription to another product, one that contains the
AAD_PREMIUM_P2service plan. Examples of products meeting this prerequisite include Microsoft Entra ID P2, Microsoft 365 E5/A5/G5, Enterprise Mobility + Security E5, Microsoft 365 E5/F5 Security or Microsoft 365 F5 Security + Compliance.
The product names and service plan identifiers for licensing lists additional products that include the prerequisite service plans.
Note
A subscription to a prerequisite for a Microsoft Entra ID Governance product must be active in the tenant. If a prerequisite is not present, or the subscription expires, then Microsoft Entra ID Governance scenarios might not function as expected.
To check if the prerequisite products for a Microsoft Entra ID Governance product are present in a tenant, you can use the Microsoft Entra admin center or the Microsoft 365 admin center to view the list of products.
Sign into the Microsoft Entra admin center as a global administrator.
In the Identity menu, expand Billing and select Licenses.
In the Manage menu, select Licensed features. The information bar indicates the current Microsoft Entra ID license plan.
To view the existing products in the tenant, in the Manage menu, select All products.
Privileged Identity Management
To use Microsoft Entra Privileged Identity Management, a tenant must have a valid license. Licenses must also be assigned to the administrators and relevant users. This article describes the license requirements to use Privileged Identity Management. To use Privileged Identity Management, you must have one of the following licenses:
Valid licenses for PIM
You need either Microsoft Entra ID Governance licenses or Microsoft Entra ID P2 licenses to use PIM and all of its settings. Currently, you can scope an access review to service principals with access to Microsoft Entra ID, resource roles with a Microsoft Entra ID P2 or users with Microsoft Entra ID Governance edition active in your tenant. The licensing model for service principals will be finalized for general availability of this feature and more licenses might be required.
Licenses you must have for PIM
Ensure that your directory has Microsoft Entra ID P2 or Microsoft Entra ID Governance licenses for the following categories of users:
- Users with eligible and/or time-bound assignments to Microsoft Entra ID or Azure roles managed using PIM
- Users with eligible and/or time-bound assignments as members or owners of PIM for Groups
- Users able to approve or reject activation requests in PIM
- Users assigned to an access review
- Users who perform access reviews
Example license scenarios for PIM
Here are some example license scenarios to help you determine the number of licenses you must have.
| Scenario | Calculation | Number of licenses |
|---|---|---|
| Woodgrove Bank has 10 administrators for different departments and 2 Global Administrators that configure and manage PIM. They make five administrators eligible. | Five licenses for the administrators who are eligible | 5 |
| Graphic Design Institute has 25 administrators of which 14 are managed through PIM. Role activation requires approval and there are three different users in the organization who can approve activations. | 14 licenses for the eligible roles + three approvers | 17 |
| Contoso has 50 administrators of which 42 are managed through PIM. Role activation requires approval and there are five different users in the organization who can approve activations. Contoso also does monthly reviews of users assigned to administrator roles and reviewers are the users’ managers of which six aren't in administrator roles managed by PIM. | 42 licenses for the eligible roles + five approvers + six reviewers | 53 |
When a license expires for PIM
If a Microsoft Entra ID P2, Microsoft Entra ID Governance, or trial license expires, Privileged Identity Management features will no longer be available in your directory:
- Permanent role assignments to Microsoft Entra roles will be unaffected.
- The Privileged Identity Management service in the Microsoft Entra admin center, and the Graph API cmdlets and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles.
- Eligible role assignments of Microsoft Entra roles are removed, as users no longer be able to activate privileged roles.
- Any ongoing access reviews of Microsoft Entra roles ends, and Privileged Identity Management configuration settings are removed.
- Privileged Identity Management no longer sends emails on role assignment changes.
API-driven provisioning
This feature is available with Microsoft Entra ID P1, P2, and Microsoft Entra ID Governance subscriptions. A subscription license is required for every identity that is sourced using the /bulkUpload API and provisioned to either on-premises Active Directory or Microsoft Entra ID.
License scenarios
| Customer License | Usage limits enforced at tenant level for API-driven provisioning |
|---|---|
| Microsoft Entra ID P1 or P2 | Daily usage quota (number of user records that can be uploaded over 24-hour period): 100K user records (2000 /bulkUpload API calls with each request containing max of 50 records). Max number of API-driven provisioning jobs for each flow: 2 o Max 2 apps for API-driven provisioning to on-premises Active Directory. o Max 2 apps for API-driven provisioning to Microsoft Entra ID. |
| Microsoft Entra ID Governance alongside Microsoft Entra ID P1 or P2 | Daily usage quota (number of user records that can be uploaded over 24-hour period): 300K user records (6000 /bulkUpload API calls with each request containing max of 50 records). Max number of API-driven provisioning jobs for each flow: 20 o Max 20 apps for API-driven provisioning to on-premises Active Directory. o Max 20 apps for API-driven provisioning to Microsoft Entra ID. |
Licensing FAQs
Do licenses need to be assigned to users to use Identity Governance features?
Users don't need to be assigned a Microsoft Entra ID Governance license, but there needs to be as many license seats to include all users in scope of, or who configures, the Identity Governance features.
How can I license usage of Microsoft Entra ID Governance features for business guests?
All users who are in scope of Microsoft Entra ID Governance features, including business guests such as contractors, partners, and external collaborators, need a license. We're creating a new Microsoft Entra ID Governance license for business guests. This license operates on a monthly active usage (MAU) model. Customers are able to acquire licenses matching their anticipated business guest MAU.
We anticipate making these licenses available in spring 2024. In the interim, organizations that govern the identities of their employees with Microsoft Entra ID Governance can govern the identities of their business guests for no additional cost. At this time, existing customers of Microsoft Entra ID P1 or P2 with Microsoft Entra External ID can continue using the subset of features that are included in P1 or P2 with their business guests through their Microsoft Entra External ID license.
For more information, see: Microsoft Entra ID Governance licensing for business guests.
What happens when a PIM license expires?
If a Microsoft Entra ID P2 or Microsoft Entra ID Governance license expires or trial ends, Privileged Identity Management features will no longer be available in your directory. The changes discussed below are applicable to PIM for Microsoft Entra roles, PIM for Azure resources, and PIM for Groups.
- Active permanent assignments aren't affected.
- Active time-bound assignments become active permanent, which means they'll no longer expire at a designated time.
- Eligible role assignments are removed, as users will no longer be able to activate privileged roles.
- Privileged Identity Management blades on Microsoft Entra admin center or Azure portal, API, and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate roles, manage assignments, or perform access reviews of privileged roles.
- Any ongoing access reviews of Microsoft Entra roles end, and Privileged Identity Management configuration settings are removed.
- Privileged Identity Management will no longer send emails on role assignment changes and PIM Alerts.
Will any IGA features and capabilities be added under the Microsoft Entra ID P2 License?
All currently Generally Available features in Microsoft Entra ID P2 will remain, but no new IGA features or capabilities will be added to the Microsoft Entra ID P2 SKU.