Microsoft Entra licensing

This article discusses licensing options for the Microsoft Entra product family. It is intended for security decision makers, identity and network access administrators, and IT professionals who are considering Microsoft Entra solutions for their organizations.

Entra licensing options

Microsoft Entra is available in several licensing options that allow you to choose the package best suited to your needs.

Note

The licensing options on this page are not comprehensive. You can get detailed information about the various options at the Microsoft Entra pricing page and at the Compare Microsoft 365 Enterprise plans and pricing page.

Microsoft Entra ID Free - Included with Azure cloud subscriptions such as Azure, Microsoft 365, and others.

Microsoft Entra ID P1 - Microsoft Entra ID P1 is available as a standalone product or included with Microsoft 365 E3 for enterprise customers and Microsoft 365 Business Premium for small to medium businesses.

Microsoft Entra ID P2 - Microsoft Entra ID P2 is available as a standalone product or included with Microsoft 365 E5 for enterprise customers.

Microsoft Entra Suite - The suite combines Microsoft Entra products to secure access for your employees. It allows administrators to provide secure access from anywhere to any app or resource whether cloud or on-premises, while ensuring least privilege access. A Microsoft Entra ID P1 subscription is required. The Microsoft Entra suite includes following products:

  • Microsoft Entra Private Access
  • Microsoft Entra Internet Access
  • Microsoft Entra ID Governance

Managed identities

There are no licensing requirements for using Managed identities for Azure resources. Managed identities for Azure resources provide an automatically managed identity for applications to use when connecting to resources that support Microsoft Entra authentication. One of the benefits of using managed identities is that you don’t need to manage credentials, and they can be used at no extra cost. For more information, see What is managed identities for Azure resources?.

Microsoft Entra ID Governance

The following table shows the licensing requirements for Microsoft Entra ID Governance features. Microsoft Entra Suite includes all features of Microsoft Entra ID Governance. Licensing information and example license scenarios for Entitlement management and Access reviews are provided following the table.

Features by license

The following table shows what features are available with each license. Not all features are available in all clouds.

Feature Free Microsoft Entra ID P1 Microsoft Entra ID P2 Microsoft Entra ID Governance Microsoft Entra Suite
Conditional Access - Terms of use attestation
Entitlement management - Basic entitlement management
Entitlement management - Conditional Access Scoping
Entitlement management MyAccess Search
Entitlement management - Custom Extensions (Logic Apps)
Entitlement management - Auto Assignment Policies
Entitlement management - Directly Assign Any User (Preview)
Entitlement management - Guest Conversion API
Entitlement management - Manage the lifecycle of external users
My Access portal
Entitlement management - Microsoft Entra Roles (Preview)
Entitlement management - Sponsors Policy
Privileged Identity Management (PIM)
PIM For Groups
PIM CA Controls
Access Reviews - Basic access certifications and reviews
Access reviews - PIM For Groups
Access reviews - Inactive Users reviews
Access Reviews - Inactive Users recommendations
Access reviews - Machine learning assisted access certifications and reviews
Identity governance dashboard
Insights and reporting - Inactive guest accounts

Entitlement Management

Using this feature requires Microsoft Entra ID Governance subscriptions for your organization's users. Some capabilities within this feature can operate with a Microsoft Entra ID P2 subscription.

Example license scenarios

Here are some example license scenarios to help you determine the number of licenses you must have.

Scenario Calculation Number of licenses
An Identity Governance Administrator at Woodgrove Bank creates initial catalogs. One of the policies specifies that All employees (2,000 employees) can request a specific set of access packages. 150 employees request the access packages. 2,000 employees who can request the access packages 2,000
An Identity Governance Administrator at Woodgrove Bank creates initial catalogs. One of the policies specifies that All employees (2,000 employees) can request a specific set of access packages. 150 employees request the access packages. 2,000 employees need licenses. 2,000
An Identity Governance Administrator at Woodgrove Bank creates initial catalogs. They create an auto-assignment policy that grants All members of the Sales department (350 employees) access to a specific set of access packages. 350 employees are auto-assigned to the access packages. 350 employees need licenses. 351

Access reviews

Using this feature requires Microsoft Entra ID Governance subscriptions for your organization's users, including for all employees who are reviewing access or having their access reviewed. Some capabilities within this feature might operate with a Microsoft Entra ID P2 subscription.

Example license scenarios

Here are some example license scenarios to help you determine the number of licenses you must have.

Scenario Calculation Number of licenses
An administrator creates an access review of Group A with 75 users and 1 group owner, and assigns the group owner as the reviewer. 1 license for the group owner as reviewer, and 75 licenses for the 75 users. 76
An administrator creates an access review of Group B with 500 users and 3 group owners, and assigns the 3 group owners as reviewers. 500 licenses for users, and 3 licenses for each group owner as reviewers. 503
An administrator creates an access review of Group B with 500 users. Makes it a self-review. 500 licenses for each user as self-reviewers 500
An administrator creates an access review of Group C with 50 member users. Makes it a self-review. 50 licenses for each user as self-reviewers. 50
An administrator creates an access review of Group D with 6 member users. Makes it a self-review. 6 licenses for each user as self-reviewers. No additional licenses are required. 6

Microsoft Entra Connect

Using this feature is free and included in your Azure subscription.

Microsoft Entra Conditional Access

Using this feature requires Microsoft Entra ID P1 licenses. To find the right license for your requirements, see Compare generally available features of Microsoft Entra ID.

Customers with Microsoft 365 Business Premium licenses also have access to Conditional Access features.

Microsoft Entra Suite includes all Microsoft Entra Conditional access features.

Other products and features that could interact with Conditional Access policies require appropriate licensing for those products and features.

When licenses required for Conditional Access expire, policies aren't automatically disabled or deleted. This grants customers the ability to migrate away from Conditional Access policies without a sudden change in their security posture. Remaining policies can be viewed and deleted, but no longer updated.

Security defaults help protect against identity-related attacks and are available for all customers.

Microsoft Entra Domain services

Microsoft Entra Domain Services usage is charged per hour, based on the SKU selected by the tenant owner.

Microsoft External ID

Microsoft Entra External ID core features are free for your first 50,000 monthly active users.

Microsoft Entra monitoring and health

The required roles and licenses vary based on the report. Separate permissions are required to access monitoring and health data in Microsoft Graph. We recommend using a role with least privilege access to align with the Zero Trust guidance. For a full list of roles, see Least privileged roles by task.

Log / Report Roles Licenses
Audit logs Reports Reader
Security Reader
Security Administrator
All editions of Microsoft Entra ID
Sign-in logs Reports Reader
Security Reader
Security Administrator
All editions of Microsoft Entra ID
Custom security attribute audit logs* Attribute Log Administrator
Attribute Log Reader
All editions of Microsoft Entra ID
Health Reports Reader
Security Reader
Helpdesk Administrator
Microsoft Entra ID P1 or P2
Microsoft Graph activity logs Security Administrator
Permissions to access data in the corresponding log destination
Microsoft Entra ID P1 or P2
Usage and insights Reports Reader
Security Reader
Security Administrator
Microsoft Entra ID P1 or P2

*Viewing the custom security attributes in the audit logs or creating diagnostic settings for custom security attributes requires one of the Attribute Log roles. You also need the appropriate role to view the standard audit logs.

Microsoft Entra Privileged Identity Management

To use Microsoft Entra Privileged Identity Management, a tenant must have a valid license. Licenses must also be assigned to the administrators and relevant users. This article describes the license requirements to use Privileged Identity Management. To use Privileged Identity Management, you must have one of the following licenses:

Valid licenses for PIM

You need either Microsoft Entra ID Governance licenses or Microsoft Entra ID P2 licenses to use PIM and all of its settings. Currently, you can scope an access review to service principals with access to Microsoft Entra ID, resource roles with a Microsoft Entra ID P2 or users with Microsoft Entra ID Governance edition active in your tenant. The licensing model for service principals will be finalized for general availability of this feature and more licenses might be required.

Licenses you must have for PIM

Ensure that your directory has Microsoft Entra ID P2 or Microsoft Entra ID Governance licenses for the following categories of users:

  • Users with eligible and/or time-bound assignments to Microsoft Entra ID or Azure roles managed using PIM
  • Users with eligible and/or time-bound assignments as members or owners of PIM for Groups
  • Users able to approve or reject activation requests in PIM
  • Users assigned to an access review
  • Users who perform access reviews

Example license scenarios for PIM

Here are some example license scenarios to help you determine the number of licenses you must have.

Scenario Calculation Number of licenses
Woodgrove Bank has 10 administrators for different departments and 2 Privileged Role Administrators that configure and manage PIM. They make five administrators eligible. Five licenses for the administrators who are eligible 5
Graphic Design Institute has 25 administrators of which 14 are managed through PIM. Role activation requires approval and there are three different users in the organization who can approve activations. 14 licenses for the eligible roles + three approvers 17
Contoso has 50 administrators of which 42 are managed through PIM. Role activation requires approval and there are five different users in the organization who can approve activations. Contoso also does monthly reviews of users assigned to administrator roles and reviewers are the users’ managers of which six aren't in administrator roles managed by PIM. 42 licenses for the eligible roles + five approvers + six reviewers 53

When a license expires for PIM

If a Microsoft Entra ID P2, Microsoft Entra ID Governance, or trial license expires, Privileged Identity Management features will no longer be available in your directory:

  • Permanent role assignments to Microsoft Entra roles will be unaffected.
  • The Privileged Identity Management service in the Microsoft Entra admin center, and the Graph API cmdlets and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles.
  • Eligible role assignments of Microsoft Entra roles are removed, as users no longer be able to activate privileged roles.
  • Any ongoing access reviews of Microsoft Entra roles ends, and Privileged Identity Management configuration settings are removed.
  • Privileged Identity Management no longer sends emails on role assignment changes.

Microsoft Entra Workload ID

Microsoft Entra Workload ID supports application identities and service principles in Azure, requiring licenses per workload identity per month.

Multitenant organizations

In the source tenant: Using this feature requires Microsoft Entra ID P1 licenses. Each user who is synchronized with cross-tenant synchronization must have a P1 license in their home/source tenant. To find the right license for your requirements, see Microsoft Entra ID Plans & Pricing.

In the target tenant: Cross-tenant sync relies on the Microsoft Entra External ID billing model. You also need at least one Microsoft Entra ID P1 license in the target tenant to enable autoredemption.

All multitenant organizations features are included as part of Microsoft Entra suite.

Role-based access control

Using built-in roles in Microsoft Entra ID is free. Using custom roles require a Microsoft Entra ID P1 license for every user with a custom role assignment. To find the right license for your requirements, see Comparing generally available features of the Free and Premium editions.

Roles

Administrative units

Using administrative units requires a Microsoft Entra ID P1 license for each administrative unit administrator who is assigned directory roles over the scope of the administrative unit, and a Microsoft Entra ID Free license for each administrative unit member. Creating administrative units is available with a Microsoft Entra ID Free license. If you are using rules for dynamic membership groups for administrative units, each administrative unit member requires a Microsoft Entra ID P1 license. To find the right license for your requirements, see Comparing generally available features of the Free and Premium editions.

Restricted management administrative units

Restricted management administrative units require a Microsoft Entra ID P1 license for each administrative unit administrator, and Microsoft Entra ID Free licenses for administrative unit members. To find the right license for your requirements, see Comparing generally available features of the Free and Premium editions.

Next steps