Skip to content

licensing-governance.md

Latest commit

 

History

History
138 lines (118 loc) · 18 KB

licensing-governance.md

File metadata and controls

138 lines (118 loc) · 18 KB
title include file
description include file
author owinfreyATL
ms.service entra-id
ms.topic include
ms.date 12/19/2025
ms.author owinfrey
ms.custom include file

The following table shows the licensing requirements for Microsoft Entra ID Governance features for member users. Microsoft Entra Suite includes all features of Microsoft Entra ID Governance. Licensing information and example license scenarios for Entitlement management, Access reviews, and Lifecycle Workflows are provided following the table.

Features by license

The following table shows what features associated with identity governance are available with each license. For more information on other features, see Microsoft Entra plans and pricing. Not all features are available in all clouds; see Microsoft Entra feature availability for Azure Government.

Feature Free Microsoft Entra ID P1 Microsoft Entra ID P2 Microsoft Entra ID Governance Microsoft Entra Suite
Provisioning
API-driven provisioning
HR-driven provisioning
Automated user provisioning to SaaS apps
Automated group provisioning to SaaS apps
Automated provisioning to on-premises apps
Cross-tenant user synchronization (same cloud)
Cross-cloud synchronization
Lifecycle Workflows (LCW) Free Microsoft Entra ID P1 Microsoft Entra ID P2 Microsoft Entra ID Governance Microsoft Entra Suite
Lifecycle Workflows
LCW + Custom Extensions (Logic Apps)
Access reviews (AR) Free Microsoft Entra ID P1 Microsoft Entra ID P2 Microsoft Entra ID Governance Microsoft Entra Suite
AR - Capabilities previously generally available in Microsoft Entra ID P2
AR - PIM For Groups (Preview)
AR - Reviews scoped to inactive users without active users in the review
AR - Reviews scoped to active and inactive users with review decision helpers for inactive users for the reviewer
AR - Machine learning assisted access certifications and reviews
AR - Catalog Access Reviews (Preview)
AR - Custom data provided resource (Preview)
AR Agent (Preview)
Entitlement management (EM) Free Microsoft Entra ID P1 Microsoft Entra ID P2 Microsoft Entra ID Governance Microsoft Entra Suite
EM - Capabilities previously generally available in Microsoft Entra ID P2
EM - Users assigned to access packages
EM - Agents and service principals assigned to access packages - in preview as part of Microsoft Agent 365
EM - Users request access for themselves
EM - Admins directly assign a user - selecting existing users in your directory (including guests)
EM - Admins directly assign any user (Preview) - via email address for users not yet in your directory
EM - Managers requesting on behalf of employees
EM - Owners and sponsors request access on behalf of their agents or service principals - in preview as part of Microsoft Agent 365
EM - Supported resources Free Microsoft Entra ID P1 Microsoft Entra ID P2 Microsoft Entra ID Governance Microsoft Entra Suite
EM - Groups and teams in access packages
EM - Eligible group ownerships and memberships in access packages (PIM for Groups)
EM - Applications in access packages
EM - SharePoint sites in access packages
EM - Microsoft Entra Roles (Preview)
EM - SAP Identity Access Governance (IAG) business roles (Preview)
EM - API permissions in access packages - in preview as part of Microsoft Agent 365
EM - Approval options Free Microsoft Entra ID P1 Microsoft Entra ID P2 Microsoft Entra ID Governance Microsoft Entra Suite
EM - Multi-stage approvals with alternate approvers if no action is taken
EM - Specific approvers
EM - Managers as approvers
EM - Internal sponsors as approvers (from assignees' connected organizations)
EM - External sponsors as approvers (from assignees' connected organizations)
EM - Sponsors as approvers (from assignees' user profile)
EM - Externally determine approval requirements using custom extensions
EM - Collect additional requestor information for approval
EM - Lifecycle Free Microsoft Entra ID P1 Microsoft Entra ID P2 Microsoft Entra ID Governance Microsoft Entra Suite
EM - Expiration of access package assignments
EM - Manage the lifecycle of external users
EM - Mark guest as governed
EM - Additional capabilities Free Microsoft Entra ID P1 Microsoft Entra ID P2 Microsoft Entra ID Governance Microsoft Entra Suite
EM - Separation of duties
EM - Custom Extensions (Logic Apps)
EM - Auto Assignment Policies
EM - Verified ID integration
EM - Microsoft Entra ID Protection integration
EM - Microsoft Purview Insider Risk Management integration
EM - Conditional Access Scoping
My Access Free Microsoft Entra ID P1 Microsoft Entra ID P2 Microsoft Entra ID Governance Microsoft Entra Suite
My Access portal
EM - My Access Search
EM - Suggested access packages in My Access
EM - Configure whether requestors can see approver details in My Access (Preview)
EM - Delegate approvals in My Access (Preview)
Privileged Identity Management (PIM) Free Microsoft Entra ID P1 Microsoft Entra ID P2 Microsoft Entra ID Governance Microsoft Entra Suite
Privileged Identity Management (PIM)
PIM For Groups
PIM Conditional Access Controls
Other Free Microsoft Entra ID P1 Microsoft Entra ID P2 Microsoft Entra ID Governance Microsoft Entra Suite
Identity governance dashboard
Insights and reporting - Inactive guest accounts
Conditional Access - Terms of use attestation

Entitlement Management

Using this feature requires a Microsoft Entra ID Governance subscription for your organization's member users. Some capabilities within this feature can operate with a Microsoft Entra ID P2 subscription. Some capabilities within this feature require guest billing.

Example license scenarios

Here are some example license scenarios to help you determine the number of licenses you must have.

Scenario Calculation Number of licenses
An Identity Governance Administrator at Woodgrove Bank creates initial catalogs. One of the policies specifies that All employees (2,000 employees) can request a specific set of access packages. 150 employees request the access packages. 2,000 employees who can request the access packages 2,000
An Identity Governance Administrator at Woodgrove Bank creates initial catalogs. They create an auto-assignment policy that grants All members of the Sales department (350 employees) access to a specific set of access packages. 350 employees are auto-assigned to the access packages. 350 employees need licenses. 351

Access reviews

Using this feature requires a Microsoft Entra ID Governance subscription for your organization's member users, including for all employees who are reviewing access or having their access reviewed. Some capabilities within this feature might operate with a Microsoft Entra ID P2 subscription. Some capabilities within this feature require guest billing.

Example license scenarios

Here are some example license scenarios to help you determine the number of licenses you must have.

Scenario Calculation Number of licenses
An administrator creates an access review of Group A with 75 member users and 1 group owner, and assigns the group owner as the reviewer. 1 license for the group owner as reviewer, and 75 licenses for the 75 users. 76
An administrator creates an access review of Group B with 500 member users and 3 group owners, and assigns the 3 group owners as reviewers. 500 licenses for users, and 3 licenses for each group owner as reviewers. 503
An administrator creates an access review of Group B with 500 member users. Makes it a self-review. 500 licenses for each user as self-reviewers 500
An administrator creates an access review of Group C with 50 member users. Makes it a self-review. 50 licenses for each user as self-reviewers. 50
An administrator creates an access review of Group D with 6 member users. Makes it a self-review. 6 licenses for each user as self-reviewers. No additional licenses are required. 6

Lifecycle Workflows

With Microsoft Entra ID Governance licenses for Lifecycle Workflows, you can:

  • Create, manage, and delete workflows up to the total limit of 50 workflows.
  • Trigger on-demand and scheduled workflow execution.
  • Manage and configure existing tasks to create workflows that are specific to your needs.
  • Create up to 100 custom task extensions to be used in your workflows.

Using this feature requires a Microsoft Entra ID Governance subscription for your organization's member users. Some capabilities within this feature require guest billing.

Example license scenarios

Scenario Calculation Number of licenses
A Lifecycle Workflows Administrator creates a workflow to add new hires in the Marketing department to the Marketing teams group. 250 new hire member users are assigned to the Marketing teams group via this workflow once. Other 150 new hire member users are assigned to the Marketing teams group via this workflow later the same year. 1 license for the Lifecycle Workflows Administrator, and 400 licenses for the users. 401
A Lifecycle Workflows Administrator creates a workflow to pre-offboard a group of employees before their last day of employment. The scope of users who will be pre-offboarded are 40 users once. We offboard 40 licensed users. Now, we can re-assign these 40 licenses and assign 10 more licenses later in the year to pre-offboard 50 more users. 50 licenses for users, and 1 license for the Lifecycle Workflows Administrator. 51