
Microsoft Entra Blog

Microsoft Entra ID Governance licensing for business guests

kamurphy
Nov 03, 2023

Thousands of customers have tested or deployed Microsoft Entra ID Governance since it launched on July 1, 2023, seeing the value in governing the identities of their workforce. Many of those customers have asked about extending this governance to the identities of their business guests—contractors, partners, and external collaborators—to more fully follow least privilege access principles while still enabling seamless collaboration. 

 

I'm pleased to announce that we're helping organizations to more easily manage this situation by creating a new ID Governance for Microsoft Entra External ID meter for business guests. This add-on will operate on a monthly active usage (MAU) model. Customers will incur charges based on their actual business guest MAU. Learn more about Microsoft Entra External ID pricing at aka.ms/ExternalIDPricing. 

 

To help our customers expand least privilege access to their business guests, ID Governance for External ID will be priced at $0.75 per monthly governed identity, and we anticipate making it available in Fall 2024. While the feature remains in public preview, organizations that govern the identities of their employees with ID Governance can govern the identities of their business guests for no additional cost. 

 

Existing Azure AD External ID customers are grandfathered to continue using the subset of identity governance features that are included in Entra ID P1 and P2.

 

Why govern the identities of business guests? 

 

Business guests are external collaborators who need access to an organization’s resources and applications for a specific purpose and duration. Examples of business guests include contractors, consultants, vendors, or partners. Business guests pose unique challenges for identity governance, as they often have dynamic and unpredictable access needs, and they may not follow internal policies and standards. Without proper governance, business guests can introduce access risks, such as over-privileged accounts, orphaned accounts, or unauthorized access. 

 

Microsoft Entra ID Governance helps address these challenges by enabling you to: 

 

  • Define and enforce access policies for business guests, such as requiring sponsorship, approval, and attestation. 
  • Automate the provisioning and deprovisioning of business guest accounts, based on their project or contract duration. 
  • Monitor and audit the access activities and behaviors of business guests and detect and remediate any anomalies or violations. 
  • Provide a method for internal sponsors to review and approve their requests. 

 

With this step, our customers can ensure that all identities in their organization are governed. Thank you for partnering with us to help protect your digital estates. 

Kaitlin Murphy 

Director, Product Marketing 

  

 

Learn more about Microsoft Entra  

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds. 

Updated Jun 11, 2024
Version 2.0
  • Steven--H
    Copper Contributor

    I am annoyed at the choice to require a license for guest accounts and to have to calculate a MAU and make adjustments to my license quantity every month. It seems like this is annoying on purpose just so people will opt to aim high on the MAU. Drop the guest license requirement. We know it's not costing anywhere near $0.75 to include a guest user in the report/workflow that's largely built on data that is allowed to be queried, reported, and dashboarded up to the throttling limit for free. Now it's just a barrier to entry for smaller orgs who now have to try and convince penny pinchers why the company should spend an additional $0.75/guest versus achieving a similar workflow a lot cheaper using Logic Apps.

  • TimLB
    Steel Contributor

    Throw in some features for disablement of business guest user accounts after a period of inactivity and the ability to self-service re-enable their accounts via approval of their sponsorship then this will be a well-rounded solution.

  • TimLB
    Steel Contributor

    Stephan G That requires the Entra ID Governance license. So, if disablement (without a review step) could be built into the license for business guest users governance/lifecycle to make it globally easy to set up it would make things less complicated. That's what I'm interpreting as the purpose of this license, to make guest user governance a separate product stream compared to corporate identity.

  • john66571
    Brass Contributor

    JimmyWork Did you figure it out?
    It sounds really backwards to me that something that was previously free (random Teams guest) now costs 0.75$ per guest if you want an access review of them.
    This can be done with 1 logic app and a little KQL - for free.

    I understand that you want to have the reviewer covered, or a license active in your org - as it's an org-specific function.

     

    But maybe the vague information available regarding this is causing the confusion. Please enlighten us.

  • Stephan G
    Brass Contributor

    TimLB 

    You can already do the first part of your request by creating a dynamic group with all your guests and perform an access review on this.

    My settings were (not anymore due to license restrictions): 60 days inactive, me as a reviewer and then when completed

    Does the following - the recommendation is to disable so I need to do nothing and after another 30 days delete.

    --

    But it does not run anymore due to license restrictions. 

  • JimmyWork
    Iron Contributor

    What exactly would a license scenario look like for using access reviews to find stale guest accounts?

    Would only the reviewer require the license or would all, for example, 500 stale guest accounts need a license?
    (These are not Business guests; they are not using any entitlement management or licenses, they were only invited to Teams channels etc.)

  • Steven HOFF
    Copper Contributor

    Hello,

    Just an update I saw in Microsoft Learn: the External ID pricing FAQ page was updated with some more details:

     

    • External ID core offer will be enforced starting 1st of July
    • New pricing for more than 50k MAU starting May 2025
    • ID governance announced here is also officially listed in that FAQ and priced at 0.75$
      • For this point it's said that it's free while ID governance is in preview, which is not the case anymore, so I would assume we will start seeing costs as of 1st of July for the Governance part...

    source: https://learn.microsoft.com/en-us/entra/external-id/customers/faq-customers#external-id-pricing

     

    Time to start checking for a logic app alternative imho.

     

    kind regards,

    Steven