This article discusses licensing options for the Microsoft Entra product family. It is intended for security decision makers, identity and network access administrators, and IT professionals who are considering Microsoft Entra solutions for their organizations.
Entra licensing options
Microsoft Entra is available in several licensing options that allow you to choose the package best suited to your needs.
Microsoft Entra ID Free - Included with Microsoft cloud subscriptions such as Microsoft Azure, Microsoft 365, and others.
Microsoft Entra ID P1 - Microsoft Entra ID P1 is available as a standalone product or included with Microsoft 365 E3 for enterprise customers and Microsoft 365 Business Premium for small to medium businesses.
Microsoft Entra ID P2 - Microsoft Entra ID P2 is available as a standalone product or included with Microsoft 365 E5 for enterprise customers.
Microsoft Entra Suite - The suite combines Microsoft Entra products to secure access for your employees. It allows administrators to provide secure access from anywhere to any app or resource whether cloud or on-premises, while ensuring least privilege access. A Microsoft Entra ID P1 subscription is required. The Microsoft Entra suite includes five products:
Microsoft Entra Private Access
Microsoft Entra Internet Access
Microsoft Entra ID Governance
Microsoft Entra ID Protection
Microsoft Entra Verified ID (premium capabilities)
App provisioning
Microsoft Entra application proxy requires Microsoft Entra ID P1 or P2 licenses. For more information about licensing, see Microsoft Entra pricing.
Authentication
The following table lists features that are available for authentication in the various versions of Microsoft Entra ID. Plan out your needs for securing user sign-in, then determine which approach meets those requirements. For example, although Microsoft Entra ID Free provides security defaults with multifactor authentication, only Microsoft Authenticator can be used for the authentication prompt, including text and voice calls. This approach might be a limitation if you can't make sure that Authenticator is installed on a user's personal device.
Feature
Microsoft Entra ID Free - Security defaults (enabled for all users)
Microsoft Entra ID Free - Global Administrators only
Office 365
Microsoft Entra ID P1
Microsoft Entra ID P2
Protect Microsoft Entra tenant admin accounts with MFA
✅
✅ (Microsoft Entra Global Administrator accounts only)
✅
✅
✅
Mobile app as a second factor
✅
✅
✅
✅
✅
Phone call as a second factor
✅
✅
✅
SMS as a second factor
✅
✅
✅
✅
Admin control over verification methods
✅
✅
✅
✅
Fraud alert
✅
✅
MFA Reports
✅
✅
Custom greetings for phone calls
✅
✅
Custom caller ID for phone calls
✅
✅
Trusted IPs
✅
✅
Remember MFA for trusted devices
✅
✅
✅
✅
MFA for on-premises applications
✅
✅
Conditional Access
✅
✅
Risk-based Conditional Access
✅
Self-service password reset (SSPR)
✅
✅
✅
✅
✅
SSPR with writeback
✅
✅
Managed identities
There are no licensing requirements for using Managed identities for Azure resources. Managed identities for Azure resources provide an automatically managed identity for applications to use when connecting to resources that support Microsoft Entra authentication. One of the benefits of using managed identities is that you don’t need to manage credentials, and they can be used at no extra cost. For more information, see What is managed identities for Azure resources?.
Microsoft Entra ID Governance
The following table shows the licensing requirements for Microsoft Entra ID Governance features. Microsoft Entra Suite includes all features of Microsoft Entra ID Governance. Licensing information and example license scenarios for Entitlement management, Access reviews, and Lifecycle Workflows are provided following the table.
Features by license
The following table shows what features are available with each license. Not all features are available in all clouds; see Microsoft Entra feature availability for Azure Government.
Using this feature requires Microsoft Entra ID Governance subscriptions for your organization's users. Some capabilities within this feature can operate with a Microsoft Entra ID P2 subscription.
Example license scenarios
Here are some example license scenarios to help you determine the number of licenses you must have.
Scenario
Calculation
Number of licenses
An Identity Governance Administrator at Woodgrove Bank creates initial catalogs. One of the policies specifies that All employees (2,000 employees) can request a specific set of access packages. 150 employees request the access packages.
2,000 employees who can request the access packages
2,000
An Identity Governance Administrator at Woodgrove Bank creates initial catalogs. They create an auto-assignment policy that grants All members of the Sales department (350 employees) access to a specific set of access packages. 350 employees are auto-assigned to the access packages.
350 employees need licenses.
351
Access reviews
Using this feature requires Microsoft Entra ID Governance subscriptions for your organization's users, including for all employees who are reviewing access or having their access reviewed. Some capabilities within this feature might operate with a Microsoft Entra ID P2 subscription.
Example license scenarios
Here are some example license scenarios to help you determine the number of licenses you must have.
Scenario
Calculation
Number of licenses
An administrator creates an access review of Group A with 75 users and 1 group owner, and assigns the group owner as the reviewer.
1 license for the group owner as reviewer, and 75 licenses for the 75 users.
76
An administrator creates an access review of Group B with 500 users and 3 group owners, and assigns the 3 group owners as reviewers.
500 licenses for users, and 3 licenses for each group owner as reviewers.
503
An administrator creates an access review of Group B with 500 users. Makes it a self-review.
500 licenses for each user as self-reviewers
500
An administrator creates an access review of Group C with 50 member users. Makes it a self-review.
50 licenses for each user as self-reviewers.
50
An administrator creates an access review of Group D with 6 member users. Makes it a self-review.
6 licenses for each user as self-reviewers. No additional licenses are required.
6
Lifecycle Workflows
With Microsoft Entra ID Governance licenses for Lifecycle Workflows, you can:
Create, manage, and delete workflows up to the total limit of 50 workflows.
Trigger on-demand and scheduled workflow execution.
Manage and configure existing tasks to create workflows that are specific to your needs.
Create up to 100 custom task extensions to be used in your workflows.
Using this feature requires Microsoft Entra ID Governance subscriptions for your organization's users.
Example license scenarios
Scenario
Calculation
Number of licenses
A Lifecycle Workflows Administrator creates a workflow to add new hires in the Marketing department to the Marketing teams group. 250 new hires are assigned to the Marketing teams group via this workflow once. Other 150 new hires are assigned to the Marketing teams group via this workflow later the same year.
1 license for the Lifecycle Workflows Administrator, and 400 licenses for the users.
401
A Lifecycle Workflows Administrator creates a workflow to pre-offboard a group of employees before their last day of employment. The scope of users who will be pre-offboarded are 40 users once. We offboard 40 licensed users. Now, we can re-assign these 40 licenses and assign 10 more licenses later in the year to pre-offboard 50 more users.
50 licenses for users, and 1 license for the Lifecycle Workflows Administrator.
51
Microsoft Entra Connect
Using this feature is free and included in your Azure subscription.
Microsoft Entra Suite includes all Microsoft Entra Conditional access features.
Other products and features that could interact with Conditional Access policies require appropriate licensing for those products and features.
When licenses required for Conditional Access expire, policies aren't automatically disabled or deleted. This grants customers the ability to migrate away from Conditional Access policies without a sudden change in their security posture. Remaining policies can be viewed and deleted, but no longer updated.
Security defaults help protect against identity-related attacks and are available for all customers.
Microsoft Entra Domain services
Microsoft Entra Domain Services usage is charged per hour, based on the SKU selected by the tenant owner.
Microsoft External ID
Microsoft Entra External ID core features are free for your first 50,000 monthly active users. More licensing information is available at the External ID FAQ
The required licenses vary based on the monitoring and health capability.
Capability
Microsoft Entra ID Free
Microsoft Entra ID P1 or P2 / Microsoft Entra Suite
Audit logs
Yes
Yes
Sign-in logs
Yes
Yes
Provisioning logs
No
Yes
Custom security attributes
Yes
Yes
Health
No
Yes
Microsoft Graph activity logs
No
Yes
Usage and insights
No
Yes
Microsoft Entra Permissions management
Permissions Management supports all resources across Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform but only requires licenses for billable resources.
To use Microsoft Entra Privileged Identity Management, a tenant must have a valid license. Licenses must also be assigned to the administrators and relevant users. This article describes the license requirements to use Privileged Identity Management. To use Privileged Identity Management, you must have one of the following licenses:
Valid licenses for PIM
You need either Microsoft Entra ID Governance licenses or Microsoft Entra ID P2 licenses to use PIM and all of its settings. Currently, you can scope an access review to service principals with access to Microsoft Entra ID, resource roles with a Microsoft Entra ID P2 or users with Microsoft Entra ID Governance edition active in your tenant. The licensing model for service principals will be finalized for general availability of this feature and more licenses might be required.
Licenses you must have for PIM
Ensure that your directory has Microsoft Entra ID P2 or Microsoft Entra ID Governance licenses for the following categories of users:
Users with eligible and/or time-bound assignments to Microsoft Entra ID or Azure roles managed using PIM
Users with eligible and/or time-bound assignments as members or owners of PIM for Groups
Users able to approve or reject activation requests in PIM
Users assigned to an access review
Users who perform access reviews
Example license scenarios for PIM
Here are some example license scenarios to help you determine the number of licenses you must have.
Scenario
Calculation
Number of licenses
Woodgrove Bank has 10 administrators for different departments and 2 Privileged Role Administrators that configure and manage PIM. They make five administrators eligible.
Five licenses for the administrators who are eligible
5
Graphic Design Institute has 25 administrators of which 14 are managed through PIM. Role activation requires approval and there are three different users in the organization who can approve activations.
14 licenses for the eligible roles + three approvers
17
Contoso has 50 administrators of which 42 are managed through PIM. Role activation requires approval and there are five different users in the organization who can approve activations. Contoso also does monthly reviews of users assigned to administrator roles and reviewers are the users’ managers of which six aren't in administrator roles managed by PIM.
42 licenses for the eligible roles + five approvers + six reviewers
53
When a license expires for PIM
If a Microsoft Entra ID P2, Microsoft Entra ID Governance, or trial license expires, Privileged Identity Management features will no longer be available in your directory:
Permanent role assignments to Microsoft Entra roles will be unaffected.
The Privileged Identity Management service in the Microsoft Entra admin center, and the Graph API cmdlets and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles.
Eligible role assignments of Microsoft Entra roles are removed, as users no longer be able to activate privileged roles.
Any ongoing access reviews of Microsoft Entra roles ends, and Privileged Identity Management configuration settings are removed.
Privileged Identity Management no longer sends emails on role assignment changes.
Microsoft Entra Verified ID
Microsoft Entra Verified ID is included with any Microsoft Entra ID subscription, including Microsoft Entra ID free, at no extra cost. Core Verified ID functionality help organizations:
Verify and issue organizational credentials for any unique identity attributes.
Empower end-users with ownership of their digital credential and greater visibility
Reduce organizational risk and simplify the audit process
Create user-centric, serverless apps that use Verified ID credentials.
Microsoft Entra Verified ID also provides Face Check as a premium feature available as an add-on and included in the Microsoft Entra Suite (limited to 8 Face Checks per user per month).
Microsoft Entra Workload ID
Microsoft Entra Workload ID supports application identities and service principles in Azure, requiring licenses per workload identity per month.
Multitenant organizations
In the source tenant: Using this feature requires Microsoft Entra ID P1 licenses. Each user who is synchronized with cross-tenant synchronization must have a P1 license in their home/source tenant. To find the right license for your requirements, see Microsoft Entra ID Plans & Pricing.
In the target tenant: Cross-tenant sync relies on the Microsoft Entra External ID billing model. To understand the external identities licensing model, see MAU billing model for Microsoft Entra External ID. You also need at least one Microsoft Entra ID P1 license in the target tenant to enable autoredemption.
All multitenant organizations features are included as part of Microsoft Entra suite.
Using administrative units requires a Microsoft Entra ID P1 license for each administrative unit administrator who is assigned directory roles over the scope of the administrative unit, and a Microsoft Entra ID Free license for each administrative unit member. Creating administrative units is available with a Microsoft Entra ID Free license. If you are using rules for dynamic membership groups for administrative units, each administrative unit member requires a Microsoft Entra ID P1 license. To find the right license for your requirements, see Comparing generally available features of the Free and Premium editions.
Restricted management administrative units
Restricted management administrative units require a Microsoft Entra ID P1 license for each administrative unit administrator, and Microsoft Entra ID Free licenses for administrative unit members. To find the right license for your requirements, see Comparing generally available features of the Free and Premium editions.
Features in preview
Licensing information for any features currently in preview is included here when applicable. For more information about preview features, see Microsoft Entra ID preview features.