Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This following document discusses Microsoft Entra ID Governance licensing for employees. It's intended for IT decision makers, IT administrators, and IT professionals who are considering Microsoft Entra ID Governance services for their organizations.
For licensing governance for guest users, see Microsoft Entra ID Governance licensing for guest users.
Types of licenses
The following licenses are available for use with Microsoft Entra ID Governance in the commercial and government clouds. The choice of licenses you need in a tenant depends on the features you're using in that tenant.
- Free - Included with Azure cloud subscriptions such as Azure, Microsoft 365, and others.
- Microsoft Entra ID P1 - Microsoft Entra ID P1 is available as a standalone product or included with Microsoft 365 E3 for enterprise customers and Microsoft 365 Business Premium for small to medium businesses.
- Microsoft Entra ID P2 - Microsoft Entra ID P2 is available as a standalone product or included with Microsoft 365 E5 for enterprise customers.
- Microsoft Entra ID Governance - Microsoft Entra ID Governance is an advanced set of identity governance capabilities available for Microsoft Entra ID P1 and P2 customers. Microsoft Entra ID Governance is available as six products Microsoft Entra ID Governance, Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2, Entra ID Governance Frontline Worker, Microsoft Entra ID Governance Step up for Microsoft Entra ID F2, Microsoft Entra ID Governance for Government and Microsoft Entra ID Governance Add-on for Microsoft Entra ID P2 for Government. These six products differ only in their prerequisites; they contain both the entitlement management, privileged identity management and access reviews capabilities that were in Microsoft Entra ID P2, and additional advanced identity governance capabilities. The following section goes into more detail on the different prerequisites of these products.
- Microsoft Entra Suite - Microsoft Entra Suite is a complete cloud-based solution for workforce access, available for Microsoft Entra ID P1 and P2 customers. Microsoft Entra Suite brings together Microsoft Entra Private Access, Microsoft Entra Internet Access, Microsoft Entra ID Governance, Microsoft Entra ID Protection, and Microsoft Entra Verified ID. The Microsoft Entra ID Governance portion provides the same identity governance capabilities as the Microsoft Entra ID Governance product. The difference is that they have different prerequisites.
Note
Some Microsoft Entra ID Governance scenarios can be configured to depend upon other features that aren't covered by Microsoft Entra ID Governance. These features might have additional licensing requirements. For more information on governance scenarios using other features, see the Identity Governance overview page.
Governance products and prerequisites
The Microsoft Entra ID Governance capabilities are currently available in six standalone products. These six products provide the same identity governance capabilities. The difference between the six products is that they have different prerequisites.
- A subscription to Microsoft Entra ID Governance or Microsoft Entra ID Governance for Government, listed in the product terms as the Microsoft Entra ID Governance (User SL) product, requires that the tenant also have an active subscription to another product, one that contains the
AAD_PREMIUMorAAD_PREMIUM_P2service plan. Examples of products meeting this prerequisite include Microsoft Entra ID P1, Microsoft 365 E3/E5/A3/A5/G3/G5 or Enterprise Mobility + Security E3/E5. - A subscription to Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2 or Microsoft Entra ID Governance Add-on for Microsoft Entra ID P2 for Government, listed in the product terms as the Microsoft Entra ID Governance P2 product, requires that the tenant also have an active subscription to another product, one that contains the
AAD_PREMIUM_P2service plan. Examples of products meeting this prerequisite include Microsoft Entra ID P2, Microsoft 365 E5/A5/G5, Enterprise Mobility + Security E5, Microsoft 365 E5/F5 Security or Microsoft 365 F5 Security + Compliance. - A subscription to the Entra ID Governance Frontline Worker (User SL) product requires that the tenant also have an active subscription to another product, one that contains the
AAD_PREMIUMorAAD_PREMIUM_P2service plan. Examples of products meeting this prerequisite include Microsoft Entra ID P1, Microsoft 365 E3/E5/A3/A5/G3/G5, Enterprise Mobility + Security E3/E5 or Microsoft 365 F1/F3. - A subscription to Microsoft Entra ID Governance Step up for Microsoft Entra ID F2, listed in the product terms as the Microsoft Entra ID Governance F2 or Microsoft Entra ID Governance Step-Up for Microsoft Entra ID F2 for Frontline Worker (User SL) product, requires that the tenant also have an active subscription to another product, one that contains the
AAD_PREMIUM_P2service plan. Examples of products meeting this prerequisite include Microsoft Entra ID F2.
Microsoft Entra ID Governance capabilities are also included in the Microsoft Entra Suite. The available Microsoft Entra Suite products include Microsoft Entra Suite (User SL), Microsoft Entra Suite Add-on for Microsoft Entra ID F2 for FLW (User SL), Microsoft Entra Suite Add-on for Microsoft Entra ID P2 (User SL), Microsoft Entra Suite Add-on for Microsoft Entra ID P2 EDU (User SL), Microsoft Entra Suite FLW (User SL), and Microsoft Entra Suite for EDU (User SL).
The product names and service plan identifiers for licensing lists additional products that include the prerequisite service plans.
Note
A subscription to a prerequisite for a Microsoft Entra ID Governance product must be active in the tenant. If a prerequisite isn't present, or the subscription expires, then Microsoft Entra ID Governance scenarios might not function as expected.
To check if the prerequisite products for a Microsoft Entra ID Governance product are present in a tenant, you can use the Microsoft Entra admin center or the Microsoft 365 admin center to view the list of products.
Sign into the Microsoft Entra admin center as a License Administrator.
Browse to Billing > Licenses.
In the Manage menu, select Licensed features. The information bar indicates the current Microsoft Entra ID license plan.
To view the existing products in the tenant, in the Manage menu, select All products.
Governance of guest users requires an Azure subscription be selected for guest billing. For more information, see: Microsoft Entra ID Governance licensing for guest users.
Microsoft Entra ID Governance features
The following table shows the licensing requirements for Microsoft Entra ID Governance features for member users. Microsoft Entra Suite includes all features of Microsoft Entra ID Governance. Licensing information and example license scenarios for Entitlement management, Access reviews, and Lifecycle Workflows are provided following the table.
Features by license
The following table shows what features associated with identity governance are available with each license. Not all features are available in all clouds.
Entitlement Management
Using this feature requires a Microsoft Entra ID Governance subscription for your organization's member users. Some capabilities within this feature can operate with a Microsoft Entra ID P2 subscription. Some capabilities within this feature require guest billing.
Example license scenarios
Here are some example license scenarios to help you determine the number of licenses you must have.
| Scenario | Calculation | Number of licenses |
|---|---|---|
| An Identity Governance Administrator at Woodgrove Bank creates initial catalogs. One of the policies specifies that All employees (2,000 employees) can request a specific set of access packages. 150 employees request the access packages. | 2,000 employees who can request the access packages | 2,000 |
| An Identity Governance Administrator at Woodgrove Bank creates initial catalogs. They create an auto-assignment policy that grants All members of the Sales department (350 employees) access to a specific set of access packages. 350 employees are auto-assigned to the access packages. | 350 employees need licenses. | 351 |
Access reviews
Using this feature requires a Microsoft Entra ID Governance subscription for your organization's member users, including for all employees who are reviewing access or having their access reviewed. Some capabilities within this feature might operate with a Microsoft Entra ID P2 subscription. Some capabilities within this feature require guest billing.
Example license scenarios
Here are some example license scenarios to help you determine the number of licenses you must have.
| Scenario | Calculation | Number of licenses |
|---|---|---|
| An administrator creates an access review of Group A with 75 member users and 1 group owner, and assigns the group owner as the reviewer. | 1 license for the group owner as reviewer, and 75 licenses for the 75 users. | 76 |
| An administrator creates an access review of Group B with 500 member users and 3 group owners, and assigns the 3 group owners as reviewers. | 500 licenses for users, and 3 licenses for each group owner as reviewers. | 503 |
| An administrator creates an access review of Group B with 500 member users. Makes it a self-review. | 500 licenses for each user as self-reviewers | 500 |
| An administrator creates an access review of Group C with 50 member users. Makes it a self-review. | 50 licenses for each user as self-reviewers. | 50 |
| An administrator creates an access review of Group D with 6 member users. Makes it a self-review. | 6 licenses for each user as self-reviewers. No additional licenses are required. | 6 |
Lifecycle Workflows
With Microsoft Entra ID Governance licenses for Lifecycle Workflows, you can:
- Create, manage, and delete workflows up to the total limit of 50 workflows.
- Trigger on-demand and scheduled workflow execution.
- Manage and configure existing tasks to create workflows that are specific to your needs.
- Create up to 100 custom task extensions to be used in your workflows.
Using this feature requires a Microsoft Entra ID Governance subscription for your organization's member users. Some capabilities within this feature require guest billing.
Example license scenarios
| Scenario | Calculation | Number of licenses |
|---|---|---|
| A Lifecycle Workflows Administrator creates a workflow to add new hires in the Marketing department to the Marketing teams group. 250 new hire member users are assigned to the Marketing teams group via this workflow once. Other 150 new hire member users are assigned to the Marketing teams group via this workflow later the same year. | 1 license for the Lifecycle Workflows Administrator, and 400 licenses for the users. | 401 |
| A Lifecycle Workflows Administrator creates a workflow to pre-offboard a group of employees before their last day of employment. The scope of users who will be pre-offboarded are 40 users once. We offboard 40 licensed users. Now, we can re-assign these 40 licenses and assign 10 more licenses later in the year to pre-offboard 50 more users. | 50 licenses for users, and 1 license for the Lifecycle Workflows Administrator. | 51 |
Privileged Identity Management
To use Microsoft Entra Privileged Identity Management, a tenant must have a valid license. This article describes the license requirements to use Privileged Identity Management. To use Privileged Identity Management, you must have one of the following licenses:
Valid licenses for PIM
You need either Microsoft Entra ID Governance licenses or Microsoft Entra ID P2 licenses to use PIM and all of its settings. Currently, you can scope an access review to service principals with access to Microsoft Entra ID, resource roles with a Microsoft Entra ID P2 or users with Microsoft Entra ID Governance edition active in your tenant.
Licenses you must have for PIM
Ensure that your directory has Microsoft Entra ID P2 or Microsoft Entra ID Governance licenses for the following categories of users:
- Users with eligible and/or time-bound assignments to Microsoft Entra ID or Azure roles managed using PIM
- Users with eligible and/or time-bound assignments as members or owners of PIM for Groups
- Users able to approve or reject activation requests in PIM
- Users assigned to an access review
- Users who perform access reviews
Example license scenarios for PIM
Here are some example license scenarios to help you determine the number of licenses you must have.
| Scenario | Calculation | Number of licenses |
|---|---|---|
| Woodgrove Bank has 10 administrators for different departments and 2 Privileged Role Administrators that configure and manage PIM. They make five administrators eligible. | Five licenses for the administrators who are eligible | 5 |
| Graphic Design Institute has 25 administrators of which 14 are managed through PIM. Role activation requires approval and there are three different users in the organization who can approve activations. | 14 licenses for the eligible roles + three approvers | 17 |
| Contoso has 50 administrators of which 42 are managed through PIM. Role activation requires approval and there are five different users in the organization who can approve activations. Contoso also does monthly reviews of users assigned to administrator roles and reviewers are the users’ managers of which six aren't in administrator roles managed by PIM. | 42 licenses for the eligible roles + five approvers + six reviewers | 53 |
When a license expires for PIM
If a Microsoft Entra ID P2, Microsoft Entra ID Governance, or trial license expires, Privileged Identity Management features are no longer available in your directory:
- Permanent role assignments to Microsoft Entra roles are unaffected.
- The Privileged Identity Management service in the Microsoft Entra admin center, and the Graph API cmdlets and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles.
- Eligible role assignments of Microsoft Entra roles are removed, as users no longer be able to activate privileged roles.
- Any ongoing access reviews of Microsoft Entra roles ends, and Privileged Identity Management configuration settings are removed.
- Privileged Identity Management no longer sends emails on role assignment changes.
API-driven provisioning
This feature is available with Microsoft Entra ID P1, P2, and Microsoft Entra ID Governance subscriptions. A subscription license is required with enough seats for every identity that is sourced using the /bulkUpload API and provisioned to either on-premises Active Directory or Microsoft Entra ID.
License scenarios
| Customer License | Usage limits enforced at tenant level for API-driven provisioning |
|---|---|
| Microsoft Entra ID P1 or P2 | Daily usage quota (number of user records that can be uploaded over 24-hour period): 100K user records (2000 /bulkUpload API calls with each request containing max of 50 records). Max number of API-driven provisioning jobs for each flow: 2 o Max 2 apps for API-driven provisioning to on-premises Active Directory. o Max 2 apps for API-driven provisioning to Microsoft Entra ID. |
| Microsoft Entra ID Governance alongside Microsoft Entra ID P1 or P2 | Daily usage quota (number of user records that can be uploaded over 24-hour period): 300K user records (6000 /bulkUpload API calls with each request containing max of 50 records). Max number of API-driven provisioning jobs for each flow: 20 o Max 20 apps for API-driven provisioning to on-premises Active Directory. o Max 20 apps for API-driven provisioning to Microsoft Entra ID. |
Licensing FAQs
Do licenses need to be assigned to users to use Identity Governance features?
Users don't need to be assigned a Microsoft Entra ID Governance license, but there needs to be as many licenses to include all member users in scope of, or who configures, the Identity Governance features. In addition, the guest billing model must be enabled if there are guest users to be governed, as described in the next answer.
How can I license usage of Microsoft Entra ID Governance features for business guests?
Microsoft Entra ID Governance utilizes Monthly Active User (MAU) licensing for guest users which is different than licensing for employees and requires an Azure subscription.
Under the guest billing model, guests are identified by a userType of Guest regardless of where the user authenticates. A userType of Guest is the default userType for all B2B invitation methods and can also be set by an Identity administrator. The bill for each month includes a record for each guest user with one or more governance actions in that month. See the Azure pricing page for pricing details.
For more information, see: Microsoft Entra ID Governance licensing for guest users.
What happens to PIM when a license expires?
If a Microsoft Entra ID P2 or Microsoft Entra ID Governance license expires or trial ends, Privileged Identity Management features will no longer be available in your directory. The following changes listed are applicable to PIM for Microsoft Entra roles, PIM for Azure resources, and PIM for Groups.
- Active permanent assignments aren't affected.
- Active time-bound assignments become active permanent, which means they'll no longer expire at a designated time.
- Eligible role assignments are removed, as users will no longer be able to activate privileged roles.
- Privileged Identity Management blades on Microsoft Entra admin center or Azure portal, API, and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate roles, manage assignments, or perform access reviews of privileged roles.
- Any ongoing access reviews of Microsoft Entra roles end, and Privileged Identity Management configuration settings are removed.
- Privileged Identity Management will no longer send emails on role assignment changes and PIM Alerts.
Will any IGA features and capabilities be added under the Microsoft Entra ID P2 License?
All currently Generally Available features in Microsoft Entra ID P2 will remain, but no new IGA features or capabilities will be added to the Microsoft Entra ID P2 SKU.