Frequently asked questions about Microsoft Entra Workload ID license plans

Microsoft Entra Workload ID is now available in two editions: Free and Workload Identities Premium. The free edition of workload identities is included with a subscription of a commercial online service such as Azure and Power Platform. The Workload Identities Premium offering is available through a Microsoft representative, the Open Volume License Program, and the Cloud Solution Providers program. Azure and Microsoft 365 subscribers can also purchase Workload Identities Premium online.

For more information, see what are workload identities?

Note

Workload Identities Premium is a standalone product and isn't included in other premium product plans. All subscribers require a license to use Workload Identities Premium features.

Learn more about Workload Identities pricing.

What features are included in Workload Identities Premium plan and which features are free?

Capabilities Description Free Premium
Authentication and authorization
Create, read, update, delete workload identities Create and update identities for securing service to service access Yes Yes
Authenticate workload identities and tokens to access resources Use Microsoft Entra ID to protect resource access Yes Yes
Workload identities sign-in activity and audit trail Monitor and track workload identity behavior Yes Yes
Managed identities Use Microsoft Entra identities in Azure without handling credentials Yes Yes
Workload identity federation Use workloads tested by external Identity Providers (IdPs) to access Microsoft Entra ID protected resources Yes Yes
Conditional Access
Conditional Access policies for workload identities Define the condition in which a workload can access a resource, such as an IP range Yes
Lifecycle Management
Access reviews for service provider-assigned privileged roles Closely monitor workload identities with impactful permissions Yes
Application authentication methods API Allows IT admins to enforce best practices for how apps in their organizations use application authentication methods. Yes
Identity Protection
Identity Protection for workload identities Detect and remediate compromised workload identities Yes

What is the cost of Workload Identities Premium plan?

Check the pricing for the Microsoft Entra Workload ID Premium plan.

How do I purchase a Workload Identities Premium plan?

You need an Azure or Microsoft 365 subscription. You can use a current subscription or set up a new one. Then, sign into the Microsoft Microsoft Entra admin center with your credentials to buy Workload Identities licenses.

Through what channels can I purchase Workload Identities Premium plan?

You can purchase the plan through Enterprise Agreement (EA)/Enterprise Subscription (EAS), Cloud Solution Providers (CSPs), or Web Direct.

Where can I find more feature details to determine if I need a license(s)?

Microsoft Entra Workload ID has three premium features that require a license.

  • Conditional Access: Supports location or risk-based policies for workload identities.

  • Identity Protection: Provides reports of compromised credentials, anomalous sign-ins, and suspicious changes to accounts.

  • Access Reviews: Enables delegation of reviews to the right people, focused on the most important privileged roles.

What do the numbers in each category on the Workload identities - Microsoft Entra admin center mean?

Category definitions:

  • Enterprise apps/Service Principals: This category includes multi-tenant apps, gallery apps, non-gallery apps and service principals.

  • Microsoft apps: Apps such as Outlook and Microsoft Teams.

  • Managed Identities: An identity for applications for connecting resources that support Microsoft Entra authentication.

How many licenses do I need to purchase? Do I need to license all workload identities including Microsoft and Managed Service Identities?

All workload identities - service principles, apps and managed identities, configured in your directory for a Microsoft Entra Workload ID Premium feature require a license. Customers don’t need to license all the workload identities. You can find the right number of Workload ID licenses with the following guidance:

  1. Customer will need to license enterprise applications or service principals ONLY if they set up Conditional Access policies or use Identity Protection for them.
  2. Customers don't need to license applications at all, even if they are using Conditional Access policies.
  3. Customers will need to license managed identities, only when they set up access reviews for managed identities. You can find the number of each workload identity type (enterprise apps/service principals, apps, managed identities) on the product landing page at the Microsoft Entra admin center.

Do these licenses require individual workload identities assignment?

No, license assignment isn't required.

Can I get a free trial of Workload Identities Premium?

Yes. you can get a 90-day free trial. In the Modern channel, a 30-day only trial is available. Free trial is unavailable in Government clouds.

Is the Workload Identities Premium edition available on Government clouds?

Yes, it's available.

Is it possible to have a mix of Microsoft Entra ID P1, Microsoft Entra ID P2 and Workload Identities Premium licenses in one tenant?

Yes, customers can have a mixture of license plans in one tenant.