In this module
IAM1.6 Licensing for Identity Governance
IAM1.5 assessed your delegation boundaries — and found none. This section examines the licensing model that determines which governance features are available to you. Identity governance in Entra ID is heavily gated by licensing tier. Lifecycle workflows, entitlement management, and advanced access reviews all require licenses beyond what most M365 E3 or even E5 subscriptions include. Understanding what's gated and what's available is the difference between designing a governance program that your organization can implement and one that requires a budget approval you haven't secured yet.
The licensing landscape for identity governance
Microsoft's identity licensing is layered. Each tier unlocks governance capabilities that the previous tier doesn't include. The confusion is that some governance features live in P2 (included in E5), some live in the Governance add-on (not included in any M365 plan except E7), and some live in separate SKUs that must be purchased independently regardless of your M365 plan. You can't design a governance program without knowing which features your current licenses unlock.
Six license tiers are relevant to IAM. Most organizations have P1 (through E3) or P2 (through E5). Few have the Governance add-on. Almost none have Workload ID Premium or Agent 365. This section maps every governance feature to its license tier, queries your tenant's current licensing, and calculates the cost gap between what you have and what the governance program requires.
Estimated time: 45 minutes.
Figure IAM1.6 — Licensing tiers for identity governance. Each tier adds capabilities. The Governance add-on (orange) unlocks the core course content — lifecycle workflows and advanced reviews. Workload ID and Agent 365 are separate purchases for non-human identity governance.
The organization pays for M365 E5 ($57/user/month) and assumes they have "everything." The CISO asks for lifecycle workflows. IT discovers lifecycle workflows require the Governance add-on — an additional $4/user/month on the E5 base. The budget request goes through a quarterly approval cycle. Governance deployment is delayed 3–6 months. Meanwhile, stale accounts accumulate, access reviews remain rubber-stamp, and the auditor returns the same findings from last year. The licensing gap isn't discovered during planning. It's discovered during deployment.
If your tenant has P2 but not the Governance add-on, the three governance pillars of this course — lifecycle workflows, entitlement management, and advanced access reviews — are partially or fully gated. P2 includes basic access reviews and basic entitlement management. Lifecycle workflows require the full Governance license. The "Without Governance Licensing" sections throughout the course provide Graph API and PowerShell workarounds that cover approximately 70% of capability. The 30% gap is documented as residual risk in each module's ADR. IAM0.6's Governance trial covers the course duration for lab work.
Your tenant's current license — check it first
Entra Admin Center
Identity → Overview → Tenant overview
The overview page shows your tenant's primary license tier. Look for "Microsoft 365 E5 Developer" (your lab tenant) or whatever your production plan is. This tells you the base tier but doesn't show add-ons.
For a detailed view: Identity → Billing → Licenses → All products
Or use the M365 admin center: admin.microsoft.com → Billing → Your products
Look for these license names: "Microsoft Entra ID P1", "Microsoft Entra ID P2", "Microsoft Entra ID Governance", "Microsoft Entra Suite", "Microsoft Entra Workload ID Premium". If you see "Microsoft 365 E5", P2 is included. If you see "Microsoft 365 E3", P1 is included. If you don't see the Governance add-on or Entra Suite, lifecycle workflows and entitlement management are gated.
Query your tenant's license state programmatically:
Connect-MgGraph -Scopes "Organization.Read.All"
$org = Get-MgOrganization
$subscribedSkus = Get-MgSubscribedSku -All
Write-Host "=== TENANT LICENSE AUDIT ==="
Write-Host "Tenant: $($org.DisplayName)"
Write-Host ""
$iamRelevantSkus = @(
"AAD_PREMIUM", # Entra ID P1
"AAD_PREMIUM_P2", # Entra ID P2
"IDENTITY_GOVERNANCE", # Entra ID Governance
"ENTRA_SUITE", # Entra Suite
"Microsoft_365_E3", # M365 E3 (includes P1)
"Microsoft_365_E5", # M365 E5 (includes P2)
"SPE_E3", # M365 E3 (alternate SKU name)
"SPE_E5", # M365 E5 (alternate SKU name)
"DEVELOPERPACK_E5" # M365 E5 Developer
)
foreach ($sku in $subscribedSkus) {
$relevant = $sku.ServicePlans | Where-Object {
$_.ServicePlanName -in $iamRelevantSkus -or
$_.ServicePlanName -like "*AAD_PREMIUM*" -or
$_.ServicePlanName -like "*IDENTITY_GOVERNANCE*"
}
if ($relevant -or $sku.SkuPartNumber -like "*E5*" -or $sku.SkuPartNumber -like "*E3*") {
Write-Host "SKU: $($sku.SkuPartNumber)"
Write-Host " Available: $($sku.PrepaidUnits.Enabled) Consumed: $($sku.ConsumedUnits)"
$relevant | ForEach-Object {
Write-Host " → Service plan: $($_.ServicePlanName) [$($_.ProvisioningStatus)]"
}
Write-Host ""
}
}=== TENANT LICENSE AUDIT ===
Tenant: NE Developer Lab
SKU: DEVELOPERPACK_E5
Available: 25 Consumed: 16
→ Service plan: AAD_PREMIUM [Success]
→ Service plan: AAD_PREMIUM_P2 [Success]Your developer tenant has P2 through the E5 developer license. It does not have the Governance add-on — that's the trial you activated in IAM0.6. In a production tenant, the output reveals whether P2 is bundled (through E5) or standalone, and whether Governance is present as an add-on.
The six tiers mapped to governance capabilities
Tier 1 — Entra ID P1 (included in M365 E3, $6/user/month standalone)
P1 is the minimum viable license for any identity governance. Without P1, you don't have Conditional Access, dynamic groups, or self-service password reset. With P1, you have the infrastructure — but not the governance.
What P1 enables for IAM: Dynamic group membership (attribute-based rules), administrative units, self-service group management, Conditional Access (not risk-based), Entra Connect sync, basic reporting.
What P1 does NOT include: Identity Protection risk policies, PIM, access reviews (any type), entitlement management, lifecycle workflows, workload identity CA policies. P1 alone is not sufficient for the governance program this course teaches. P1 is the base that governance add-ons require.
Tier 2 — Entra ID P2 (included in M365 E5, $9/user/month standalone)
P2 adds the security layer: Identity Protection with risk-based policies, and PIM for just-in-time privileged access. It also includes basic access reviews and basic entitlement management — but "basic" means the P2 versions, which are less capable than the Governance add-on versions.
What P2 adds for IAM: Identity Protection (sign-in risk, user risk policies), PIM (eligible role assignments with activation), basic access reviews (group and application reviews), basic entitlement management (access packages, catalogs).
What P2 does NOT include: Lifecycle workflows (any type), advanced access review features (AI recommendations, inactive user insights, custom review schedules), advanced entitlement management (custom extensions, verified ID integration), or the governance dashboard.
Entra Admin Center — Testing What's Available
Identity Governance (in the left nav sidebar)
If you can see Entitlement management, Access reviews, and Lifecycle workflows as menu items that open without a "requires license" error, your tenant has either P2 (for basic EM and reviews) or the Governance add-on/trial (for lifecycle workflows). If Lifecycle workflows shows "This feature requires a Microsoft Entra ID Governance license" when you click it, you have P2 but not Governance. If the entire Identity Governance section is missing, you have P1 only.
Tier 3 — Entra ID Governance add-on ($7/user/month on P1, $4/user/month on P2)
The governance add-on is where the lifecycle capabilities live. This is the license tier that unlocks the majority of what this course teaches — and the one most organizations don't have.
What Governance adds: Lifecycle workflows (joiner, mover, leaver automation), advanced entitlement management (custom extensions, connected organizations, verified ID), advanced access reviews (AI recommendations, inactive user insights, manager insights), up to 50 workflow definitions with custom task extensions via Logic Apps, and the Identity Governance dashboard.
Critical licensing detail: Governance licensing counts every user who could use the feature, not every user who does. If 810 employees can request access packages through entitlement management, you need 810 Governance licenses — even if only 150 employees actually request access. This is per the Microsoft product terms and is the most frequently misunderstood licensing constraint.
Cost for NE (810 users):
- On P1 base (E3): 810 × $7 = $5,670/month ($68,040/year)
- On P2 base (E5): 810 × $4 = $3,240/month ($38,880/year)
Tier 4 — Entra Suite ($12/user/month)
The bundled option. Entra Suite includes P2 + Governance + Internet Access + Private Access + Verified ID. For organizations that need multiple Entra capabilities, Suite is more cost-effective than buying each separately (the components purchased individually would cost $17+ on a P1 base).
Cost for NE (810 users): 810 × $12 = $9,720/month ($116,640/year)
M365 E7 ($99/user/month, GA May 2026) is the first M365 plan to include the complete Entra Suite. For most organizations, E7 is not cost-justified solely for identity governance.
Tier 5 — Workload ID Premium ($3/workload/month)
A separate license for non-human identity governance. Workload ID Premium adds Conditional Access for workload identities, Identity Protection risk signals for service principals, and access reviews for workload identities. It is NOT included in any M365 plan, NOT included in Entra Suite, and must be purchased separately for each workload identity that needs these protections.
Why this matters for IAM: Module 10 teaches Conditional Access for workload identities. If your organization has service principals that need location-based restrictions, risk-based blocking, or periodic access reviews, Workload ID Premium is required. Without it, workload identity governance is limited to manual Graph API queries and PowerShell scripts.
Tier 6 — Agent 365 ($15/user/month)
The AI agent governance license. Includes Entra Agent ID, agent blueprints, agent entitlement management, and agent access reviews. Module 11 teaches agent identity governance — and Agent 365 (or M365 E7) is required for the full feature set.
Agent governance features that are in preview as of May 2026 — agents in access packages, sponsor-based requests for agents, API permissions in access packages — are exclusive to Agent 365. No existing plan includes them.
The "Without Governance Licensing" analysis
Every module from M2 onward includes a "Without Governance Licensing" callout showing what you can achieve with Graph API and PowerShell when the Governance add-on isn't available. The workarounds cover approximately 70% of governance capability. The 30% gap — features that have no reasonable workaround — is documented as residual risk in each module's ADR. Here's the breakdown by module:
Lifecycle workflows (M2): Without Governance, you build the automation through PowerShell scripts triggered by Azure Automation runbooks or Windows Task Scheduler. You can replicate the core joiner/leaver actions: create user with populated attributes, assign group memberships, generate a Temporary Access Pass (Graph API POST /users/{id}/authentication/temporaryAccessPassMethods), send a welcome email (Graph API POST /users/{id}/sendMail), and disable accounts on departure. What you lose: the visual workflow designer with drag-and-drop task composition, the pre-built task library (25+ tasks), custom extensions via Logic Apps for calling external systems, execution condition scoping by employeeType and department, the execution monitoring dashboard with per-workflow success/failure tracking, and the pre-hire trigger that fires before employeeHireDate. The PowerShell approach works but requires you to build, test, and maintain the orchestration that the workflow engine provides natively.
Entitlement management (M4): Without Governance, you build access request workflows through Power Automate flows (if licensed), SharePoint lists with approval columns, or a custom Graph API application. You can implement self-service request with approval — the core user experience — but you lose access package bundling (grouping multiple resources into a single requestable unit), auto-assignment policies (granting access automatically when attributes match), time-bound access with automatic expiry and recertification, connected organizations for governed external access, incompatible access package enforcement (separation of duties), and the integration between entitlement management and access reviews that triggers a review when access expires.
Access reviews (M5): P2 includes basic access reviews — you can create reviews for group memberships and application assignments, route to managers or group owners, and configure auto-remediation. Without the Governance add-on, you lose three features that significantly improve review quality: AI-assisted recommendations (the system recommends deny for permissions unused in the last 90 days, reducing rubber-stamp approvals), inactive user insights (the review interface shows whether the identity has used the access recently, giving the reviewer context they'd otherwise lack), and advanced scheduling (recurring reviews with custom cadences, staggered start dates, and multi-stage review flows).
The workaround for inactive user insights is a PowerShell pre-processing script: before each review cycle, query signInActivity for all identities in scope, generate a report showing last sign-in date per group membership, and email it to reviewers alongside the review notification. This gives reviewers the context they need — but it's a manual process that runs outside the review interface.
# Workaround: generate inactive user report for review context
$groupId = "YOUR_GROUP_ID"
$members = Get-MgGroupMember -GroupId $groupId -All
$reviewContext = $members | ForEach-Object {
$user = Get-MgUser -UserId $_.Id -Property displayName, signInActivity
[PSCustomObject]@{
Name = $user.DisplayName
LastSignIn = if ($user.SignInActivity.LastSuccessfulSignInDateTime) {
$user.SignInActivity.LastSuccessfulSignInDateTime.ToString("yyyy-MM-dd")
} else { "NEVER" }
DaysSince = if ($user.SignInActivity.LastSuccessfulSignInDateTime) {
((Get-Date) - $user.SignInActivity.LastSuccessfulSignInDateTime).Days
} else { 999 }
Recommend = if (-not $user.SignInActivity.LastSuccessfulSignInDateTime) { "REMOVE" }
elseif (((Get-Date) - $user.SignInActivity.LastSuccessfulSignInDateTime).Days -gt 90) { "REVIEW" }
else { "KEEP" }
}
}
$reviewContext | Sort-Object DaysSince -Descending | Format-Table -AutoSize
$reviewContext | Export-Csv -Path "review-context-$groupId.csv" -NoTypeInformation
Write-Host "Exported review context to review-context-$groupId.csv"
Write-Host "Share with reviewer alongside the access review notification."This script produces the inactive user insight that the Governance add-on provides natively inside the review interface. It's the same data, delivered through a different channel. The Governance license integrates it into the reviewer's workflow. The workaround requires the reviewer to open a spreadsheet alongside the review.
Entra Admin Center — Governance Feature Check
Identity Governance → Lifecycle workflows
If this page loads and shows a "Create workflow" button, you have the Governance license (or an active trial). If it shows a license requirement message, you don't. Test each section: Entitlement management → Catalogs (should load), Access reviews → Definitions (should load). Any section that blocks with a license message represents a governance capability gated behind the add-on.
Also check: Identity Governance → Dashboard. The governance dashboard — showing pending access reviews, lifecycle workflow execution health, and access package usage — requires the Governance add-on. If it loads, you have full Governance capabilities.
Which modules work with which license
The practical question: if you have P2 but not Governance, which modules can you complete with full features and which require workarounds?
P1 only (M365 E3): M0 (completed), M1 (completing now), M3 (group architecture — dynamic groups require P1), IAM1.5 (AUs require P1 for admins). Modules M2, M4, M5, M7 have no access to lifecycle workflows, entitlement management, access reviews, or PIM. The course is largely inaccessible at P1 alone. Upgrade to P2 or activate the Governance trial.
P2 (M365 E5): Full features for M0, M1, M3 (dynamic groups), M7 (PIM), M8 (delegation + AUs), M9 (service principal governance — manual), M10 (workload identity — manual without Workload ID Premium), M12 (monitoring — KQL queries don't require Governance). M2 (lifecycle workflows) requires Governance. M4 (entitlement management) works at basic level — access packages and catalogs available, but no custom extensions, no verified ID integration, no advanced auto-assignment. M5 (access reviews) works at basic level — reviews run but without AI recommendations or inactive user insights. M13 (compliance evidence) can generate evidence from P2 features but misses the Governance dashboard metrics.
P2 + Governance add-on (or Governance trial): Full features for every module except M10 (Workload ID Premium needed for workload CA policies) and M11 (Agent 365 needed for agent governance features still in preview). This is the target license configuration for the course.
Entra Suite or M365 E7: Full features for everything including Workload ID Premium and Agent 365 (E7 only). The comprehensive option, but the cost ($12/user/month for Suite or $99/user/month for E7) is justified only if you need Internet Access, Private Access, and agent governance alongside identity governance.
If you activated the Governance trial in IAM0.6, you have the full feature set for the course duration. The trial provides 90 days of Governance functionality. With active feature usage, the trial is typically extendable. Plan to complete at least through Module 5 (access reviews) before the trial expires — that's the point where the governance program produces measurable value that supports the budget request for permanent licensing.
The budget conversation
The IAM program requires Governance licensing for full functionality. The budget conversation happens in Module 13, but the data you collect here informs it. Calculate the cost for your organization:
$licensedUsers = ($subscribedSkus | Where-Object {
$_.SkuPartNumber -like "*E5*" -or $_.SkuPartNumber -like "*E3*"
} | Measure-Object -Property ConsumedUnits -Sum).Sum
Write-Host "=== GOVERNANCE LICENSING COST MODEL ==="
Write-Host "Licensed users: $licensedUsers"
Write-Host ""
Write-Host "Governance add-on on E3 base: $licensedUsers x `$7 = `$$($licensedUsers * 7)/month (`$$($licensedUsers * 7 * 12)/year)"
Write-Host "Governance add-on on E5 base: $licensedUsers x `$4 = `$$($licensedUsers * 4)/month (`$$($licensedUsers * 4 * 12)/year)"
Write-Host "Entra Suite (includes everything): $licensedUsers x `$12 = `$$($licensedUsers * 12)/month (`$$($licensedUsers * 12 * 12)/year)"
Write-Host ""
Write-Host "Compare: consulting firm IAM implementation: `$50,000-`$150,000 (one-time)"
Write-Host " The consulting engagement builds it. Your team can't maintain it."
Write-Host " This course teaches your team to build AND maintain it."The comparison that resonates with leadership: Governance licensing for 810 users costs $38,880–$68,040/year and builds permanent organizational capability. A consulting firm's IAM implementation costs $50,000–$150,000 as a one-time engagement and delivers a configuration the internal team can't extend, modify, or maintain when requirements change. The licensing is an operating expense. The capability is an asset.
At Northgate Engineering: Rachel Okafor runs the license audit. NE has M365 E5 (P2 included) but no Governance add-on. The cost for Governance: 810 × $4 = $3,240/month ($38,880/year). The Entra Suite alternative: 810 × $12 = $9,720/month ($116,640/year) — overkill for NE's current needs since they don't require Internet Access or Private Access. Rachel's budget request focuses on the Governance add-on: $38,880/year to unlock lifecycle workflows, entitlement management, and advanced access reviews. She frames it against the audit findings: the 0.6% deny rate on access reviews (IAM0.3), the 80% missing employeeHireDate blocking lifecycle automation (IAM1.3), and the 67 ownerless groups with no review mechanism (IAM1.4). The Governance license doesn't fix those problems. It unlocks the tools that fix them. The IAM program this course teaches is the plan for using those tools. Rachel also notes that Microsoft announced E3 and E5 price increases effective July 2026 (both increase by $3/user/month). The Governance add-on price is unchanged — but the total M365 + Governance cost increases, making the budget conversation time-sensitive.
Reusable script — the licensing audit from this section:
# IAM1.6 — License Audit for Governance
Connect-MgGraph -Scopes "Organization.Read.All"
$org = Get-MgOrganization
$subscribedSkus = Get-MgSubscribedSku -All
Write-Host "=== LICENSE AUDIT: $($org.DisplayName) ==="
# Identify base tier
$hasP1 = $false; $hasP2 = $false; $hasGov = $false; $hasSuite = $false
foreach ($sku in $subscribedSkus) {
$plans = $sku.ServicePlans.ServicePlanName
if ($plans -contains "AAD_PREMIUM_P2") { $hasP2 = $true; $hasP1 = $true }
elseif ($plans -contains "AAD_PREMIUM") { $hasP1 = $true }
if ($plans -like "*IDENTITY_GOVERNANCE*") { $hasGov = $true }
if ($sku.SkuPartNumber -like "*ENTRA_SUITE*") { $hasSuite = $true }
}
Write-Host "Entra ID P1: $(if ($hasP1) { 'YES' } else { 'NO' })"
Write-Host "Entra ID P2: $(if ($hasP2) { 'YES' } else { 'NO' })"
Write-Host "Governance add-on: $(if ($hasGov) { 'YES' } else { 'NO' })"
Write-Host "Entra Suite: $(if ($hasSuite) { 'YES' } else { 'NO' })"
# Feature availability
Write-Host "`n=== GOVERNANCE FEATURE AVAILABILITY ==="
Write-Host "Dynamic groups: $(if ($hasP1) { 'Available' } else { 'Requires P1' })"
Write-Host "Administrative units: $(if ($hasP1) { 'Available' } else { 'Requires P1' })"
Write-Host "Conditional Access: $(if ($hasP1) { 'Available' } else { 'Requires P1' })"
Write-Host "Identity Protection: $(if ($hasP2) { 'Available' } else { 'Requires P2' })"
Write-Host "PIM: $(if ($hasP2) { 'Available' } else { 'Requires P2' })"
Write-Host "Basic access reviews: $(if ($hasP2) { 'Available' } else { 'Requires P2' })"
Write-Host "Lifecycle workflows: $(if ($hasGov -or $hasSuite) { 'Available' } else { 'Requires Governance add-on' })"
Write-Host "Advanced EM: $(if ($hasGov -or $hasSuite) { 'Available' } else { 'Requires Governance add-on' })"
Write-Host "AI review recommendations:$(if ($hasGov -or $hasSuite) { ' Available' } else { ' Requires Governance add-on' })"
Write-Host "Workload ID CA: Requires Workload ID Premium (`$3/workload)"
Write-Host "Agent governance: Requires Agent 365 (`$15/user)"Decision-point simulation
Scenario 1. NE has 810 E5 licenses. The Entra ID Governance add-on costs $7/user/month on P1, but E5 includes P2 — so the add-on is $4/user/month. For 810 users, that's $3,240/month ($38,880/year). Phil Greaves says the budget isn't available this fiscal year. Can you still build the IAM program?
Yes — with limitations. Without Governance licensing, you lose access reviews (automated), lifecycle workflows (joiner/mover/leaver automation), and entitlement management (self-service access packages). But the Graph API and PowerShell workarounds documented in each module's Budget Callout cover approximately 70% of the capability: custom scripts for access review notifications, scheduled tasks for lifecycle state changes, and approval workflows through Logic Apps. The program design is the same — the implementation uses scripts instead of platform features. Document the workaround as a risk register entry with the licensing upgrade as the remediation.
Scenario 2. The CFO asks why NE needs both E5 ($57/user/month) and the Governance add-on ($4/user/month) when "E5 was supposed to include everything." How do you explain the gap?
E5 includes Entra ID P2, which covers Conditional Access, Identity Protection, PIM, and basic access reviews. The Governance add-on adds lifecycle workflows, entitlement management, and advanced access review features (ML recommendations, multi-stage reviews, auto-remediation). Microsoft separated these capabilities because identity governance is an operational discipline, not a security feature — not every E5 customer needs automated JML workflows. The business case: the Governance add-on at $38,880/year replaces manual identity lifecycle management that currently costs the IT team approximately 15 hours/week in manual provisioning, deprovisioning, and access review administration.
Scenario 3. You discover that 12 contractors have E5 licenses ($57/user/month = $684/month) when they only need email and Teams access. The E3 license ($36/user/month) covers their requirements. Should you downgrade them?
Yes — if the contractors don't need any E5-only identity features (PIM, Identity Protection, advanced CA). Downgrading 12 contractors from E5 to E3 saves $252/month ($3,024/year). But verify first: are any contractors using PIM-enabled roles? Do any CA policies target E5-only grant controls for contractor accounts? If not, downgrade and reassign the freed E5 licenses. The savings partially offset the Governance add-on cost from Scenario 1.
You're reading the free modules of Identity and Access Management in Microsoft 365
The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.