I recently came across Microsoft’s upcoming changes to identity governance for guest licensing and wanted to share some insights on the potential impact to guest user management, along with best practices that can help reduce the cost impact. The new licensing model will be effective in Spring 2025 , in which Microsoft will move to a usage-based billing model for guest users who interact with Entra ID Governance features like access packages, access reviews or lifecycle workflows.
This update provides an opportunity to review organization external users policies, and implement governance best practices to maintain security and reduce cost. If you are managing Identity governance at your organization, these insights and practices may help you prepare more effectively.
The New Licensing Model
The new licensing model for Entra ID Governance for Guest Users will apply charges when guest users utilize particular governance capabilities, these users will now be tracked and billed based on usage.
Each governed guest user will cost $0.75 per month , according to Microsoft’s current pricing guidance.
Key Billing Principles
- Cost: Each governed guest user will cost $0.75 per month maximum.
- Billing Cap: A guest user is charged only once per month, regardless of how many governance actions are performed on them during that month.
- Usage-Based: You're only billed for guest users who actually have governance actions applied, not for simply existing in your tenant.
- Feature Scope: Only features specific to Microsoft Entra ID Governance trigger billing; standard P2 governance features will not incur additional charges.
Governance Features That Will Trigger Guest Licensing
The following Entra ID Governance capabilities can result in licensing costs when used by guest accounts:
Licensing Triggers for Guests
Best Practices to Stay Compliant and Reduce Licensing Costs
These licensing changes can incur significant costs for organization with large number of guest accounts. Following are some of the steps your organization can take to manage this change effectively and avoid unnecessary costs :
1. Apply Governance Features Selectively
Focus on prioritizing governance for external users who access sensitive data or systems (e.g., external IT admins, vendors with sensitive access), and avoid over-assigning these capabilities to low-risk collaborators (e.g., guest users with limited Teams or SharePoint access)
2. Review and Retire Unused Access Packages
Regularly review the access packages and retire that are no longer relevant or used by guests to prevent unnecessary guest activity that could trigger licensing.
3. Leverage Access Package Expiration Policies
If guest access is temporary, use access package expiration settings to automatically remove access after a certain period rather than relying on frequent manual reviews.
4. Avoid PIM for Guests When Not Needed
Only assign PIM to guests who require temporary elevated access. For most external users, standard group-based access is sufficient and avoids triggering licensing.
5. Minimize Workflow Usage for Low-Risk Guests
Evaluate whether lifecycle workflows are necessary for every guest scenario. For simple onboarding, consider manual steps or other automation alternatives such as Power Automate or PowerShell runbooks/scripts.
6. Review and Remove Inactive Guest Accounts
Review guest sign-in activity regularly and remove or block accounts that haven’t been used in 30 to 60 days using automation such as Power Automate or PowerShell runbooks/scripts.
7. Monitor Guest Usage with Microsoft’s License Reports
Use the License Usage report in the Microsoft 365 Admin Center to identify guests consuming governance features. This will help you to forecast potential licensing cost and allocate budgets and update the configurations accordingly.
Next Steps for Your Organization
To prepare for the upcoming changes:
- Monitor license usage by guest accounts in your tenant.
- Review and audit all Access Packages, Access Reviews, and Workflows involving guest users.
- Assess how guests are onboarded and determine whether governance features are necessary.
- Clean up inactive or unnecessary guest accounts.
- Coordinate with IAM teams and stakeholders that manage external access
Conclusion
Microsoft’s new approach to guest licensing is a significant change that offers both flexibility, by allowing you to pay only for the services used and an opportunity to enhance how your organization manages external identities through effective governance practices.
References