License requirements to use Privileged Identity Management
To use Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, a tenant must have a valid license. Licenses must also be assigned to the administrators and relevant users. This article describes the license requirements to use Privileged Identity Management.
You will need an Azure AD license to use PIM and all of its settings. Currently, you can scope an access review to service principals with access to Azure AD and Azure resource roles (Preview) with an Azure Active Directory Premium P2 edition active in your tenant. The licensing model for service principals will be finalized for general availability of this feature, and additional licenses may be required. Using this feature requires Azure AD Premium P2 licenses. To find the right license for your requirements, see Compare generally available features of Azure AD.
Licenses you must have
Ensure that your directory has Azure AD Premium P2 licenses for the following categories of users:
- Users with eligible and/or time-bound assignments to Azure AD or Azure roles managed using PIM
- Users with eligible and/or time-bound assignments as members or owners of privileged access groups
- Users able to approve or reject activation requests in PIM
- Users assigned to an access review
- Users who perform access reviews
Azure AD Premium P2 licenses are not required for the following tasks:
- Setting up PIM, configuring policies, receiving alerts, and setting up access reviews. Users who only perform these tasks do not need a license.
For more information about licenses, see Assign or remove licenses using the Azure Active Directory portal.
Example license scenarios
Here are some example license scenarios to help you determine the number of licenses you must have.
| Scenario | Calculation | Number of licenses |
|---|---|---|
| Woodgrove Bank has 10 administrators for different departments and 2 Global Administrators that configure and manage PIM. They make five administrators eligible. | Five licenses for the administrators who are eligible | 5 |
| Graphic Design Institute has 25 administrators, of which 14 are managed through PIM. Role activation requires approval, and there are three different users in the organization who can approve activations. | 14 licenses for the eligible roles + three approvers | 17 |
| Contoso has 50 administrators, of which 42 are managed through PIM. Role activation requires approval, and there are five different users in the organization who can approve activations. Contoso also does monthly reviews of users assigned to administrator roles; the reviewers are the users' managers, of which six are not in administrator roles managed by PIM. | 42 licenses for the eligible roles + five approvers + six reviewers | 53 |
When a license expires
If an Azure AD Premium P2, EMS E5, or trial license expires, Privileged Identity Management features will no longer be available in your directory:
- Permanent role assignments to Azure AD roles will be unaffected.
- The Privileged Identity Management service in the Azure portal, as well as the Graph API cmdlets and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles.
- Eligible role assignments of Azure AD roles will be removed, as users will no longer be able to activate privileged roles.
- Any ongoing access reviews of Azure AD roles will end, and Privileged Identity Management configuration settings will be removed.
- Privileged Identity Management will no longer send emails on role assignment changes.