Microsoft Entra ID licensing

This article discusses Microsoft Entra services' licensing. It is intended for IT decision makers, IT administrators, and IT professionals who are considering Microsoft Entra services for their organizations. This article isn't intended for end users.

Important

For licensing information on services not listed here, refer to the service's documentation or the Microsoft Entra ID pricing page.

App provisioning

Microsoft Entra application proxy requires Microsoft Entra ID P1 or P2 licenses. For more information about licensing, see Microsoft Entra pricing.

Authentication

The following table lists features that are available for authentication in the various versions of Microsoft Entra ID. Plan out your needs for securing user sign-in, then determine which approach meets those requirements. For example, although Microsoft Entra ID Free provides security defaults with multifactor authentication, only Microsoft Authenticator can be used for the authentication prompt, including text and voice calls. This approach might be a limitation if you can't make sure that Authenticator is installed on a user's personal device.

Feature | Microsoft Entra ID Free - Security defaults (enabled for all users) | Microsoft Entra ID Free - Global Administrators only | Office 365 | Microsoft Entra ID P1 | Microsoft Entra ID P2
Protect Microsoft Entra tenant admin accounts with MFA ✅ (Microsoft Entra Global Administrator accounts only)
Mobile app as a second factor
Phone call as a second factor
SMS as a second factor
Admin control over verification methods
Fraud alert
MFA Reports
Custom greetings for phone calls
Custom caller ID for phone calls
Trusted IPs
Remember MFA for trusted devices
MFA for on-premises applications
Conditional Access
Risk-based Conditional Access
Self-service password reset (SSPR)
SSPR with writeback

Managed identities

There are no licensing requirements for using Managed identities for Azure resources. Managed identities for Azure resources provide an automatically managed identity for applications to use when connecting to resources that support Microsoft Entra authentication. One of the benefits of using managed identities is that you don’t need to manage credentials, and they can be used at no extra cost. For more information, see What is managed identities for Azure resources?.

Microsoft Entra ID Governance

The following table shows the licensing requirements for Microsoft Entra ID Governance features. Licensing information and example license scenarios for Entitlement management, Access reviews, and Lifecycle Workflows are provided following the table.

Features by license

The following table shows what features are available with each license. Not all features are available in all clouds; see Microsoft Entra feature availability for Azure Government.

Feature | Free | Microsoft Entra ID P1 | Microsoft Entra ID P2 | Microsoft Entra ID Governance
API-driven provisioning
HR-driven provisioning
Automated user provisioning to SaaS apps
Automated group provisioning to SaaS apps
Automated provisioning to on-premises apps
Conditional Access - Terms of use attestation
Entitlement management - Basic entitlement management
Entitlement management - Conditional Access Scoping
Entitlement management MyAccess Search
Entitlement management with Verified ID
Entitlement management + Custom Extensions (Logic Apps)
Entitlement management + Auto Assignment Policies
Entitlement management - Directly Assign Any User(Preview)
Entitlement management - Guest Conversion API
Entitlement management - Grace Period(Preview)
My Access portal
Entitlement management - Microsoft Entra Roles (Preview)
Entitlement management - Sponsors Policy
Privileged Identity Management (PIM)
PIM For Groups
PIM CA Controls
Access Reviews - Basic access certifications and reviews
Access reviews - PIM For Groups(Preview)
Access reviews - Inactive Users reviews
Access Reviews - Inactive Users recommendations
Access reviews - Machine learning assisted access certifications and reviews
Lifecycle Workflows (LCW)
LCW + Custom Extensions (Logic Apps)
Identity governance dashboard (Preview)
Insights and reporting - Inactive guest accounts(Preview)

Entitlement Management

Using this feature requires Microsoft Entra ID Governance subscriptions for your organization's users. Some capabilities within this feature can operate with a Microsoft Entra ID P2 subscription.

Example license scenarios

Here are some example license scenarios to help you determine the number of licenses you must have.

Scenario | Calculation | Number of licenses
An Identity Governance Administrator at Woodgrove Bank creates initial catalogs. One of the policies specifies that All employees (2,000 employees) can request a specific set of access packages. 150 employees request the access packages. | 2,000 employees who can request the access packages | 2,000
An Identity Governance Administrator at Woodgrove Bank creates initial catalogs. One of the policies specifies that All employees (2,000 employees) can request a specific set of access packages. 150 employees request the access packages. | 2,000 employees need licenses. | 2,000
An Identity Governance Administrator at Woodgrove Bank creates initial catalogs. They create an auto-assignment policy that grants All members of the Sales department (350 employees) access to a specific set of access packages. 350 employees are auto-assigned to the access packages. | 350 employees need licenses. | 351

Access reviews

Using this feature requires Microsoft Entra ID Governance subscriptions for your organization's users, including for all employees who are reviewing access or having their access reviewed. Some capabilities within this feature might operate with a Microsoft Entra ID P2 subscription.

Example license scenarios

Here are some example license scenarios to help you determine the number of licenses you must have.

Scenario | Calculation | Number of licenses
An administrator creates an access review of Group A with 75 users and 1 group owner, and assigns the group owner as the reviewer. | 1 license for the group owner as reviewer, and 75 licenses for the 75 users. | 76
An administrator creates an access review of Group B with 500 users and 3 group owners, and assigns the 3 group owners as reviewers. | 500 licenses for users, and 3 licenses for each group owner as reviewers. | 503
An administrator creates an access review of Group B with 500 users. Makes it a self-review. | 500 licenses for each user as self-reviewers | 500
An administrator creates an access review of Group C with 50 member users. Makes it a self-review. | 50 licenses for each user as self-reviewers. | 50
An administrator creates an access review of Group D with 6 member users. Makes it a self-review. | 6 licenses for each user as self-reviewers. No additional licenses are required. | 6

Lifecycle Workflows

With Microsoft Entra ID Governance licenses for Lifecycle Workflows, you can:

  • Create, manage, and delete workflows up to the total limit of 50 workflows.
  • Trigger on-demand and scheduled workflow execution.
  • Manage and configure existing tasks to create workflows that are specific to your needs.
  • Create up to 100 custom task extensions to be used in your workflows.

Using this feature requires Microsoft Entra ID Governance subscriptions for your organization's users.

Example license scenarios

Scenario | Calculation | Number of licenses
A Lifecycle Workflows Administrator creates a workflow to add new hires in the Marketing department to the Marketing teams group. 250 new hires are assigned to the Marketing teams group via this workflow. | 1 license for the Lifecycle Workflows Administrator, and 250 licenses for the users. | 251
A Lifecycle Workflows Administrator creates a workflow to pre-offboard a group of employees before their last day of employment. The scope of users who will be pre-offboarded is 40 users. | 40 licenses for users, and 1 license for the Lifecycle Workflows Administrator. | 41

Microsoft Entra Connect

Using this feature is free and included in your Azure subscription.

Microsoft Entra Connect Health

Using this feature requires Microsoft Entra ID P1 licenses. To find the right license for your requirements, see Compare generally available features of Microsoft Entra ID.

Microsoft Entra Conditional Access

Using this feature requires Microsoft Entra ID P1 licenses. To find the right license for your requirements, see Compare generally available features of Microsoft Entra ID.

Customers with Microsoft 365 Business Premium licenses also have access to Conditional Access features.

Risk-based policies require access to Identity Protection, which is a Microsoft Entra ID P2 feature.

Other products and features that could interact with Conditional Access policies require appropriate licensing for those products and features.

When licenses required for Conditional Access expire, policies aren't automatically disabled or deleted. This grants customers the ability to migrate away from Conditional Access policies without a sudden change in their security posture. Remaining policies can be viewed and deleted, but no longer updated.

Security defaults help protect against identity-related attacks and are available for all customers.

Microsoft Entra ID Protection

Using this feature requires Microsoft Entra ID P2 licenses. To find the right license for your requirements, see Compare generally available features of Microsoft Entra ID.

Capability | Details | Microsoft Entra ID Free / Microsoft 365 Apps | Microsoft Entra ID P1 | Microsoft Entra ID P2
Risk policies | Sign-in and user risk policies (via Identity Protection or Conditional Access) | No | No | Yes
Security reports | Overview | No | No | Yes
Security reports | Risky users | Limited Information. Only users with medium and high risk are shown. No details drawer or risk history. | Limited Information. Only users with medium and high risk are shown. No details drawer or risk history. | Full access
Security reports | Risky sign-ins | Limited Information. No risk detail or risk level is shown. | Limited Information. No risk detail or risk level is shown. | Full access
Security reports | Risk detections | No | Limited Information. No details drawer. | Full access
Notifications | Users at risk detected alerts | No | No | Yes
Notifications | Weekly digest | No | No | Yes
MFA registration policy | | No | No | Yes

Microsoft Entra monitoring and health

The required roles and licenses vary based on the report. Separate permissions are required to access monitoring and health data in Microsoft Graph. We recommend using a role with least privilege access to align with the Zero Trust guidance.

Log / Report | Roles | Licenses
Audit | Reports Reader, Security Reader, Security Administrator, Global Reader | All editions of Microsoft Entra ID
Sign-ins | Reports Reader, Security Reader, Security Administrator, Global Reader | All editions of Microsoft Entra ID
Provisioning | Reports Reader, Security Reader, Security Administrator, Global Reader, Security Operator, Application Administrator, Cloud App Administrator | Microsoft Entra ID P1 or P2
Custom security attribute audit logs* | Attribute Log Administrator, Attribute Log Reader | All editions of Microsoft Entra ID
Usage and insights | Reports Reader, Security Reader, Security Administrator | Microsoft Entra ID P1 or P2
Identity Protection** | Security Administrator, Security Operator, Security Reader, Global Reader | Microsoft Entra ID Free, Microsoft 365 Apps, Microsoft Entra ID P1 or P2
Microsoft Graph activity logs | Security Administrator; Permissions to access data in the corresponding log destination | Microsoft Entra ID P1 or P2

*Viewing the custom security attributes in the audit logs or creating diagnostic settings for custom security attributes requires one of the Attribute Log roles. You also need the appropriate role to view the standard audit logs.

**The level of access and capabilities for Identity Protection varies with the role and license. For more information, see the license requirements for Identity Protection.

Microsoft Entra Privileged Identity Management

To use Microsoft Entra Privileged Identity Management, a tenant must have a valid license. Licenses must also be assigned to the administrators and relevant users. This article describes the license requirements to use Privileged Identity Management. To use Privileged Identity Management, you must have one of the following licenses:

Valid licenses for PIM

You need either Microsoft Entra ID Governance licenses or Microsoft Entra ID P2 licenses to use PIM and all of its settings. Currently, you can scope an access review to service principals with access to Microsoft Entra ID, resource roles with a Microsoft Entra ID P2 or users with Microsoft Entra ID Governance edition active in your tenant. The licensing model for service principals will be finalized for general availability of this feature and more licenses might be required.

Licenses you must have for PIM

Ensure that your directory has Microsoft Entra ID P2 or Microsoft Entra ID Governance licenses for the following categories of users:

  • Users with eligible and/or time-bound assignments to Microsoft Entra ID or Azure roles managed using PIM
  • Users with eligible and/or time-bound assignments as members or owners of PIM for Groups
  • Users able to approve or reject activation requests in PIM
  • Users assigned to an access review
  • Users who perform access reviews

Example license scenarios for PIM

Here are some example license scenarios to help you determine the number of licenses you must have.

Scenario | Calculation | Number of licenses
Woodgrove Bank has 10 administrators for different departments and 2 Global Administrators that configure and manage PIM. They make five administrators eligible. | Five licenses for the administrators who are eligible | 5
Graphic Design Institute has 25 administrators of which 14 are managed through PIM. Role activation requires approval and there are three different users in the organization who can approve activations. | 14 licenses for the eligible roles + three approvers | 17
Contoso has 50 administrators of which 42 are managed through PIM. Role activation requires approval and there are five different users in the organization who can approve activations. Contoso also does monthly reviews of users assigned to administrator roles and reviewers are the users’ managers of which six aren't in administrator roles managed by PIM. | 42 licenses for the eligible roles + five approvers + six reviewers | 53

When a license expires for PIM

If a Microsoft Entra ID P2, Microsoft Entra ID Governance, or trial license expires, Privileged Identity Management features will no longer be available in your directory:

  • Permanent role assignments to Microsoft Entra roles will be unaffected.
  • The Privileged Identity Management service in the Microsoft Entra admin center, and the Graph API cmdlets and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles.
  • Eligible role assignments of Microsoft Entra roles are removed, as users will no longer be able to activate privileged roles.
  • Any ongoing access reviews of Microsoft Entra roles end, and Privileged Identity Management configuration settings are removed.
  • Privileged Identity Management no longer sends emails on role assignment changes.

Microsoft Entra Verified ID

Microsoft Entra Verified ID is currently included with any Microsoft Entra subscription, including Microsoft Entra ID Free, at no extra cost. For information about Verified ID and how to enable it, see Verified ID overview.

Multitenant organizations

In the source tenant: Using this feature requires Microsoft Entra ID P1 licenses. Each user who is synchronized with cross-tenant synchronization must have a P1 license in their home/source tenant. To find the right license for your requirements, see Microsoft Entra ID Plans & Pricing.

In the target tenant: Cross-tenant sync relies on the Microsoft Entra External ID billing model. To understand the external identities licensing model, see MAU billing model for Microsoft Entra External ID. You also need at least one Microsoft Entra ID P1 license in the target tenant to enable autoredemption.

Role-based access control

Using built-in roles in Microsoft Entra ID is free. Using custom roles requires a Microsoft Entra ID P1 license for every user with a custom role assignment. To find the right license for your requirements, see Comparing generally available features of the Free and Premium editions.

Roles

Administrative units

Using administrative units requires a Microsoft Entra ID P1 license for each administrative unit administrator who is assigned directory roles over the scope of the administrative unit, and a Microsoft Entra ID Free license for each administrative unit member. Creating administrative units is available with a Microsoft Entra ID Free license. If you are using dynamic membership rules for administrative units, each administrative unit member requires a Microsoft Entra ID P1 license. To find the right license for your requirements, see Comparing generally available features of the Free and Premium editions.

Restricted management administrative units

Restricted management administrative units require a Microsoft Entra ID P1 license for each administrative unit administrator, and Microsoft Entra ID Free licenses for administrative unit members. To find the right license for your requirements, see Comparing generally available features of the Free and Premium editions.

Features in preview

Licensing information for any features currently in preview is included here when applicable. For more information about preview features, see Microsoft Entra ID preview features.
