Access Review Licensing Requirement -- Possible conflicting data

Danny Chung 20 Reputation points
2025-05-12T11:27:49.73+00:00

I am studying for the SC-300. I found conflicting info on licensing and I am very confused as to which one is the source of truth. Do the subjects of access reviews (not only the reviewers) need to have an Entra P2 license? I understand that if you are self-reviewing, you need the P2 license, but what if you do not do any reviewing and are just the subject of the review?

Source 1:

Link 1: https://learn.microsoft.com/en-us/entra/id-governance/licensing-fundamentals#example-license-scenarios-1

Access reviews

Using this feature requires Microsoft Entra ID Governance subscriptions for your organization's users, including for all employees who are reviewing access or having their access reviewed. Some capabilities within this feature might operate with a Microsoft Entra ID P2 subscription.

Example license scenarios

Here are some example license scenarios to help you determine the number of licenses you must have.


| Scenario | Calculation | Number of licenses |
| --- | --- | --- |
| An administrator creates an access review of Group A with 75 users and 1 group owner, and assigns the group owner as the reviewer. | 1 license for the group owner as reviewer, and 75 licenses for the 75 users. | 76 |
| An administrator creates an access review of Group B with 500 users and 3 group owners, and assigns the 3 group owners as reviewers. | 500 licenses for users, and 3 licenses for each group owner as reviewers. | 503 |
| An administrator creates an access review of Group B with 500 users. Makes it a self-review. | 500 licenses for each user as self-reviewers | 500 |
| An administrator creates an access review of Group C with 50 member users. Makes it a self-review. | 50 licenses for each user as self-reviewers. | 50 |
| An administrator creates an access review of Group D with 6 member users. Makes it a self-review. | 6 licenses for each user as self-reviewers. No additional licenses are required. | 6 |

*Why are the 3 last scenarios the same, but yet it is split into 3? And then the last one says "No additional licenses are required." when the two scenarios are the same?

Source 2:

Link 2: https://learn.microsoft.com/en-us/training/modules/plan-implement-manage-access-review/2-plan-for-access-reviews --at the very bottom

How many licenses must you have?

Your directory needs at least as many Microsoft Entra ID Premium P2 licenses as the number of employees who will be performing the following tasks:

  • Member users who are assigned as reviewers
  • Member users who perform a self-review
  • Member users as group owners who perform an access review
  • Member users as application owners who perform an access review

For guest users, licensing needs will depend on the licensing model you’re using. However, the below guest users’ activities are considered Microsoft Entra ID Premium P2 usage:

  • Guest users who are assigned as reviewers
  • Guest users who perform a self-review
  • Guest users as group owners who perform an access review
  • Guest users as application owners who perform an access review

Microsoft Entra ID Premium P2 licenses are not required for users with the Global Administrator or User Administrator roles who set up access reviews, configure settings, or apply the decisions from the reviews.

*There is no mention of a license requirement for the subjects being reviewed.

*Also, for guest users, does the 50K MAU license apply here? Or do they need a P2 from their home tenant? Or from my tenant?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author

  1. Gudivada Adi Navya Sri 21,095 Reputation points Moderator
    2025-05-13T12:57:25.4833333+00:00

    Hi @Danny Chung

    Access reviews require Microsoft Entra ID Governance or Microsoft Entra Suite subscriptions. Microsoft Entra ID Governance is an advanced set of identity governance capabilities available for Microsoft Entra ID P1 and P2 customers.

    To learn more about which identity governance features are available with each license, please refer to the following link: Microsoft Entra ID Governance Licensing Fundamentals

    Do the subjects of access reviews (not just the reviewers) need to have an Entra P2 license?

    Yes, they do need a P2 license even if they are only the subject of the review (i.e., their access is being evaluated).

    Why are the last three licensing scenarios the same, yet split into three? And why does the last one say "No additional licenses are required," even though the scenarios appear identical?

    It’s likely meant to illustrate multiple use cases across different scales of usage (e.g., small groups vs. large groups). The phrase "No additional licenses are required" simply means that no extra licenses beyond those users are needed. This applies to the other two scenarios as well, although it's not explicitly mentioned there. I'll reach out to my team and work on updating the documentation accordingly.

    The training module focuses more on who needs a license to perform tasks, but it unfortunately omits the licensing requirement for subjects of access reviews. While this doesn’t directly contradict the licensing guide, it is incomplete compared to the full guidance.

    All users who fall under the scope of Microsoft Entra ID Governance features, including business guests such as contractors, partners, and external collaborators, require a license. Guest user licensing operates under a Monthly Active User (MAU) model.

    The Microsoft Entra External ID core offering is free for the first 50,000 MAUs per month.

    Billing is based on the number of unique external users who authenticate to your tenant within a calendar month.

    Starting in June 2025, Microsoft will begin billing for guest user access reviews under Entra ID Governance based on active usage.

    As of now, a license is required for guest users in your tenant, not in the guest's home tenant. Existing subscriptions to Azure AD B2B collaboration under an External Identities P1/P2 SKU remain valid, and no migration is currently necessary. We'll communicate upgrade options when they become available.

    Hope this helps. Do let us know if you have any further queries.

    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And if you have any further queries, do let us know.

    1 person found this answer helpful.
