Learn about Microsoft Purview billing models
This feature is in preview.
Microsoft Purview is a unified security, governance, and compliance solution for Microsoft 365 and non-Microsoft 365 workloads and data systems. Microsoft Purview supports two complementary billing models to support this diverse environment:
- Per-user license for Microsoft 365 and Windows/macOS endpoint sources
- Pay-as-you-go model for non Microsoft 365 data sources
This article takes you through:
- An overview of the two billing models.
- An overview of the consent experience.
- Links to information on the solution specific capabilities.
Note
The pay-as-you-go billing model builds on the per-user licensing model. The two are complementary, not mutually exclusive.
The per-user licensing model is the familiar Microsoft 365 E3/E5/A5/F5/G5 model. It remains unchanged. This licensing model enables you to apply Microsoft Purview controls and protections to Microsoft 365 and Windows/macOS endpoint-based assets. It's described in the Microsoft Purview service description.
The pay-as-you-go billing model is a consumption billing model. It extends Microsoft Purview security, governance, and protections beyond Microsoft 365 and Windows/macOS based assets to environments like Microsoft Fabric, Azure SQL, Azure ADLS, Amazon Web Services (AWS), Google Cloud Platform (GCP), Box, and Dropbox.
In the pay-as-you-go model, you're charged on a monthly based on the number of Assets you protect and the number of Processing units you use throughout the month. The Azure bill is generated at the end of the month.
An asset is any non Microsoft 365 item which is being protected by a Microsoft Purview policy. They can be equated to a table for structured data or any file for unstructured data.
Here are some examples of assets and the protection policies that can be applied to them.
Cloud provider | Data source | Asset | Can be protected by |
---|---|---|---|
Azure | SQL | Tables which are labeled for structured data and in scope of a security policy | Microsoft Purview Information Protection policy, Microsoft Purview Information Protection Auto-labeling |
Azure | ADLS | File or resource set | Microsoft Purview Information Protection policy, Microsoft Purview Information Protection Auto-labeling |
Azure | Storage | - Tables which are labeled for structured data and in scope of a security policy - Files or resource groups which are labeled for unstructured data and in scope of a security policy |
Microsoft Purview Information Protection policy, Microsoft Purview Information Protection Auto-labeling |
For details on data governance assets, see Microsoft Purivew data governance pricing concepts.
Pay-as-you-go enables protection of non-Microsoft 365 assets in the following locations:
Location | Current release state | Billing starts on |
---|---|---|
Azure SQL | Public preview | January 6, 2025 |
Azure storage | Public preview | January 6, 2025 |
A processing unit is a measure of the amount of compute resources used to process signals from workloads that are included in pay-as-you-go.
Data governance processing units: For more information on data governance processing units, see Data governance processing units explained.
Data security processing units: Microsoft Purview data security processing units are defined as the compute required to process user activities from non-Microsoft 365 data sources to generate insights. The number of units required can vary depending on the Purview solution and the complexity of the data being processed. Insider risk management (IRM) is a pay-as-you-go feature that uses a processing unit based meter. It includes pay-as-you-go indicators. For more information, see Configure policy indicators in insider risk management.
The pay-as-you-go billing model is based on the number of assets you protect and the number of processing units you use. They are measured differently.
Assets are counted based on the number of items that are in the scope of a policy. The asset doesn't have to match or trigger a policy to be counted, it just has to be in a location that's in the scope of a policy. An asset is only counted once, regardless of how many solutions or protection policies cover it.
Here are some examples:
Protection policy: A tenant has SQL server with 100 tables, out of which 50 have been labeled Confidential and 20 have been labeled General. The protection policy only applies to assets labeled with Confidential, as a result the asset count will be 50.
Auto-labeling policy: A tenant has 100 Azure SQL servers, each with 500 tables. An auto-labeling policy, based on its configureation, applies to 30 Azure SQL severs, then the asset count for that policy would be 15,000.
The number of processing units that are needed can vary depending on the Purview solution and the complexity of the data being processed.
For instance, Microsoft Purview Insider Risk Management processes user activities corresponding to the non-Microsoft 365 indicators selected in data theft and data leak policies to generate insights, alerts and cases. For IRM, a processing unit is defined as the compute required to process 10,000 such user activities. Billing is based on the number of processing units utilized. Microsoft Purview Insider Risk Management indicators that detect activity in cloud storage apps (Box, Dropbox, Google Drive), cloud services (AWS, Azure), and Microsoft Fabric (Power BI) are billed on data security processing units.