Microsoft Entra Blog
Microsoft Entra ID Governance licensing clarifications

kamurphy (Microsoft)
Jun 19, 2024

In the past few weeks, we’ve announced the general availability of Microsoft Entra External ID and Microsoft Entra ID multi-tenant collaboration. We’ve received requests for more detail from some of you regarding licensing, so I’d like to provide additional clarity for both of these scenarios.

 

One person, one license

 

In the first announcement, which covered more multi-tenant organization (MTO) features to enhance collaboration between users, we stated that only one Microsoft Entra ID P1 license is required per employee per multi-tenant organization. Expanding on that, the term “multi-tenant organization” has two meanings: an organization that owns and operates more than one tenant, and a set of features that enhance the collaboration experience for users between these tenants. However, your organization doesn’t have to deploy those capabilities to take advantage of the one person, one license philosophy. An organization that owns and operates multiple tenants only needs one Entra ID license per employee across those tenants. The same philosophy applies to Entra ID Governance: the organization only needs one license per person to govern the identities of these users across these tenants.

 

Note that this philosophy includes administrative accounts. In some organizations, administrators use standard user accounts for day-to-day tasks and separate administrator accounts for privileged access. A person with a standard user account and an administrator account only needs one Entra ID Governance license for both identities to be governed. Of course, they could also use Entra ID Governance’s Privileged Identity Management (PIM) to temporarily elevate the access rights of a single account, instead of maintaining two accounts.

 

To illustrate this scenario, let’s consider an organization called Contoso, which owns ZT Tires and Tailspin Toys. Mallory is hired by Contoso, which uses Lifecycle Workflows in Entra ID Governance to onboard her user account and grant her access to the resources she needs for her job. Her account receives an access package with an entitlement to ZT Tires’ ERP app, and she requests access to Tailspin Toys’ inventory management app. Because Mallory has an Entra ID Governance license in the Contoso tenant, her identity can be governed in the ZT Tires and Tailspin Toys tenants with no additional governance licenses – one person, one license.

 

Diego is an identity administrator whose user account is in the ZT Tires tenant. He uses a separate administrator account for privileged access tasks in Contoso, Tailspin Toys, and ZT Tires tenants. Because Diego has an Entra ID Governance license in the ZT Tires tenant, both his user and administrator identities can be governed in all three tenants with no additional governance licenses – again, one person, one license.

 

Entra ID Governance in Microsoft Entra External ID

 

The other announcement covered Entra External ID, Microsoft’s solution to secure customer and business collaborator access to applications. In November, I blogged about the licensing model to govern the identities of business guests in the B2B scenario for Entra External ID and shared that pricing would be $0.75 per actively governed identity per month. Because metered, usage-based pricing to govern the identities of business guests is a different model than the existing, license-based pricing model to govern the identities of employees, I’d like to share more detail.

 

A business guest identity in Entra External ID will accrue a single $0.75 charge in any month in which that identity is actively governed, no matter how many governance actions are taken on that identity. For example: 

 

A Contoso employee named Gerhart collaborates with Pradeep of Woodgrove Bank to produce Contoso’s quarterly financial statements. Contoso has deployed Entra External ID for its business partners such as Woodgrove Bank. In April, Pradeep accesses Contoso’s Microsoft Teams where Gerhart stores his quarterly reporting documents, but his Entra External ID identity has no identity governance actions taken on it, so it doesn’t accrue any charges.

 

In May, Pradeep receives an access package with an entitlement to Contoso’s accounting system, and Gerhart reviews Pradeep’s existing access to Contoso’s inventory management database, as well as to the Teams with the quarterly reporting documents. Because Pradeep’s identity in Entra External ID had identity governance actions taken on it, Contoso will accrue a $0.75 charge. Note that the charge is applied once, even though there were three identity governance actions taken during the month. Once that Entra External ID identity was governed in May, additional identity governance actions do not generate additional charges for that identity in May.

 

To learn more about Microsoft Entra ID Governance licensing, visit the Licensing Fundamentals page.

 

 

Updated Aug 05, 2024
Version 4.0
  • Hi Warren212 - yes, for the most part.  Note that I referenced that this license philosophy is applicable to Microsoft Entra ID Governance, as well.

  • Hi Mikko -

     

    We don't actually detail every licensing scenario in Microsoft Learn.  This blog should be considered as word from Microsoft about acceptable usage.  Please let me know if you have any further questions or concerns.

     

    Thanks -

    Steve

  • ToHe77
    Copper Contributor

    tkirwan Based on my experience, the interpretation of licensing requirements may vary depending on the individual representative from Microsoft with whom you consult. Unofficially, some representatives may suggest that a single license is sufficient. However, it would be beneficial to obtain an authoritative statement on this matter.

  • Hi tkirwan and ToHe77 --

     

    From an Entra ID P1 or P2, or Entra ID Governance perspective, the above blog is meant to provide that definitive statement regarding one person/human/employee, one license.  Note that other Microsoft products and services may have different license requirements for these scenarios.

     

    Thanks--

    Steve

  • Mikko_L
    Copper Contributor

    StConn-MSFT This is great information. However, it appears to be found only in this blog post, which I understand is not official Microsoft documentation. Could you or someone point out where this can be found in the Microsoft Learn docs and confirm the interpretation that the multitenant configuration is not required? I can only find partial information about this as part of the guide on how to implement multi-tenant configuration.

  • roottree
    Copper Contributor

    Question - Guest users that are invited to your tenant that don't use Entra P1 or higher on their tenant:

    What if I have invited a guest to my tenant who does not use Entra ID P1 or higher and does not use conditional access but only the old ‘per user MFA portal’ on his tenant, does his guest account on my tenant have to get an Entra P1 licence or higher at my expense so that he can use conditional access on my tenant? StConn-MSFT kamurphy 

     

    I don't think it is meant that I as a CSP or administrator in an organisation have to know or administrate the licensing on the guest side... 

  • jrennefeld
    Copper Contributor

    How does that work technically?

    Some features are not usable without having at least one license in a tenant.
    Assume my users are all P2 licensed in one tenant and now I create a 2nd tenant and want to use PIM in the 2nd tenant.
    Without having at least one P2 license in the 2nd tenant the PIM feature will not be available.
    So I would have to buy at least P2 license in the 2nd tenant and reduce the number of licenses in the 1st one by one?

  • ModernPractice
    Copper Contributor

    StConn-MSFT Does this extend to Intune + Windows licensing for admin account in privilege access workstations scenarios? 

    What about the services that require the admin account to have a product license assigned - like Viva?

  • Hi ModernPractice --

     

    The licensing scenarios above cover the Microsoft Entra products in question.  Other Microsoft products and services may have similar or different licensing requirements.

     

    Thanks--

    Steve

  • JoeH45
    Iron Contributor

    Note that this philosophy includes administrative accounts. In some organizations, administrators use standard user accounts for day to day tasks, and separate administrator accounts for privileged access. A person with a standard user account and an administrator account only needs one Entra ID Governance license for both identities to be governed.

    This is a fairly big change in terms of licensing.  Why isn't it being made more widely known?  Unless I missed it, the Licensing Fundamentals page makes no mention of it.