The Governance Add-On — What P2 Already Includes That Makes This Decision Hard

The Entra ID Governance add-on (~$7/user/month) sits above Entra P2 in the identity governance product line — but the boundary between P2 and Governance is more nuanced than Microsoft's marketing suggests, and the decision to purchase Governance on top of P2 is one of the most commonly over-committed identity licence decisions we see in enterprise EAs. The reason is simple: P2 already includes significant identity governance capabilities — Entitlement Management (access packages, approval workflows, access lifecycle), Access Reviews (periodic certification of access rights), and PIM (just-in-time privileged access). The Governance add-on extends these capabilities for specific advanced use cases, but for organisations whose governance requirements are met by P2, the $7/user/month Governance add-on is redundant spend.

For a 10,000-user enterprise with the Governance add-on applied to the full population, the cost is $840,000/year ($7 × 12 × 10,000) on top of P2. If the Governance use cases are only relevant for 800 users in lifecycle-managed workflows (IT, HR, compliance, legal), the correctly scoped Governance cost is $67,200/year — a saving of $772,800 per year. This is not an unusual finding in our EA reviews of large enterprises who have accepted Microsoft's identity governance bundle positioning without validating actual deployment scope.

$7/mo
Entra ID Governance add-on list price per user per month, in addition to P2 ($9/user/month). Full-population Governance on top of full-population P2 = $16/user/month — $1.92M/year for 10,000 users. Correctly scoped to lifecycle-managed populations, the same governance capability is achievable for $200–400K/year. Source: Microsoft list pricing, March 2026.

What P2 Already Covers — The Governance Foundation

Before evaluating the Governance add-on, it is essential to understand precisely what Entra P2's Entitlement Management and Access Reviews capabilities cover, because most enterprises implementing identity governance for the first time will find P2 sufficient for their initial requirements.

Entra P2 Entitlement Management provides: access packages (bundled resource access — groups, applications, SharePoint sites — provisioned through a self-service or delegated request and approval workflow), access lifecycle policies (automatic expiry and renewal reminders for access package assignments), internal user access packages (employees requesting access to resources), and connected organisation access packages (B2B partner access to specific resource bundles). For organisations moving from manual IT-ticket-based provisioning to a governed self-service model, P2 Entitlement Management covers the core use case completely.

Entra P2 Access Reviews provides: periodic review campaigns for group membership, application access, and privileged roles; automated access removal for users whose reviewers certify access is no longer required; self-review option (users certify their own access); manager-driven reviews; multi-stage review processes; and integration with PIM for privileged role certification. For SOX, ISO 27001, SOC 2, and most regulatory compliance frameworks that require periodic user access certification, P2 Access Reviews meets the control requirement without the Governance add-on.

What the Governance Add-On Actually Adds Beyond P2

The Governance add-on extends the P2 governance foundation in three principal areas: Lifecycle Workflows, advanced Access Reviews capabilities, and machine-learning-driven recommendations.

Lifecycle Workflows — The Primary Governance Add-On Differentiator

The most substantive addition in the Governance add-on is Lifecycle Workflows — a workflow engine that automates identity lifecycle tasks triggered by HR or directory events.

Joiner workflows trigger on new user creation (from HR source provisioning — Workday, SAP SuccessFactors, or custom HR connectors): send welcome email, generate temporary access pass, add user to onboarding groups, trigger Teams notification to manager, run custom Logic App tasks.

Mover workflows trigger on attribute changes (job title change, department transfer, location change): update group memberships to reflect the new role, remove access to previous department resources, adjust licence assignments.

Leaver workflows trigger on a termination event: disable account, remove group memberships, revoke active sessions, transfer manager access to OneDrive/mailbox content, trigger offboarding tasks in connected systems.

These workflows are configurable, extensible via Logic Apps and custom extensions, and integrate with ITSM systems (ServiceNow, Jira Service Management) for ticket-based lifecycle management.

The critical question for Governance add-on justification is whether your organisation currently manages joiner/mover/leaver workflows manually or through a fragmented set of scripts and ITSM processes. If so, Lifecycle Workflows provides a genuine automation capability that reduces IT operational burden, decreases access provisioning delays for new starters, and improves leaver account cleanup completeness (a significant security control — stale accounts with active access are a leading attack vector). The deployment population for Lifecycle Workflows is the user population managed through the workflow engine — for most enterprises, all corporate employees (full-population justification) or a defined subset (regulated functions, privileged roles). This is one of the rare Governance scenarios where full-population licensing may be commercially justified, because joiner/mover/leaver workflows are relevant to all employees.

Advanced Access Reviews — Governance vs P2

The Governance add-on extends Access Reviews with machine learning recommendations (ML-based suggestions to remove access based on usage patterns, sign-in history, and peer group analysis — recommendations assist reviewers rather than auto-removing access), inactive user reviews (automated identification and review of users who have not signed in for a defined period), and advanced review history and audit logs. For organisations with compliance requirements that specifically mandate AI-assisted access certification or inactive user identification, the Governance add-on extensions are relevant. For standard SOX/ISO/SOC 2 access certification use cases, P2 Access Reviews without these extensions meets the compliance requirement.

Entra ID Governance and the Entra Suite

The Governance add-on is also packaged within the Entra Suite (~$12/user/month) alongside Entra P2, Entra Verified ID, and Entra Global Secure Access (SSE). If Microsoft is positioning the Entra Suite at renewal, the Governance capability comes bundled — but the $12/user/month Suite is only commercially justified if the combination of P2, Governance, Verified ID, and Global Secure Access all have active deployment use cases. Purchasing the Suite primarily to access Governance, when Global Secure Access and Verified ID have no deployment plan, produces a $3/user/month premium over standalone P2+Governance for capabilities that will not be deployed. Our Entra ID complete licensing guide covers the full Suite economics.

Capability | P2 Included? | Governance Add-On? | Commercial Significance
--- | --- | --- | ---
Entitlement Management (access packages, approval workflows) | Yes — P2 core | Extended by Governance (Lifecycle Workflows) | P2 covers initial governance deployment
Access Reviews (periodic certification, multi-stage) | Yes — P2 core | ML recommendations, inactive user reviews in Governance | P2 meets most compliance requirements
Privileged Identity Management (PIM) | Yes — P2 core | No incremental addition in Governance | P2 fully covers PIM — no Governance needed for PIM
Lifecycle Workflows (joiner/mover/leaver automation) | No — Governance only | Yes — primary Governance differentiator | High value if JML is manual today; full-population justifiable
ML-based access review recommendations | No — Governance only | Yes | Low standalone value; secondary to Lifecycle Workflows
Inactive user access reviews | No — Governance only | Yes | Medium value for large stale-account environments
Identity Protection (sign-in / user risk) | Yes — P2 core | No addition in Governance | P2 fully covers Identity Protection

The Governance Decision Framework

Deploy P2 First, Step Up to the Governance Add-On When the Trigger Is Reached

The most commercially sound approach to Entra identity governance is to deploy P2 first and validate whether P2 capabilities are sufficient before committing to the Governance add-on. For most organisations implementing Entra identity governance for the first time — moving from manual provisioning to Entitlement Management access packages, deploying Access Reviews for SOX certification, implementing PIM for privileged accounts — P2 provides a full 12–18 months of governance programme maturation before hitting the ceiling that requires the Governance add-on. The Lifecycle Workflows ceiling (when manual JML is the documented pain point and the HR source integration is ready) is the primary trigger for the Governance add-on commercial discussion.

In EA terms, this means the correct structure is: P2 for the governance population at current deployment scope, with a right-to-expand at committed pricing for Governance add-on activation when Lifecycle Workflows deployment is ready. This prevents the pattern of committing Governance add-on licences three years in advance of Lifecycle Workflows deployment — paying for automation capability that is not yet deployed, consuming $840K/year that produces no security or operational improvement.

Scoping the Governance Population — Who Needs Lifecycle Workflows?

If the Governance add-on is justified by Lifecycle Workflows, the correct scoping question is: which users will be managed through joiner/mover/leaver workflows? For most corporate environments, the answer is all employees provisioned from the HR system, which makes full-population Governance licensing correct for this use case. The commercial offset is that Lifecycle Workflows replaces manual IT provisioning time, ServiceNow ticket volume for access requests, and the security risk from stale leaver accounts. The ROI calculation for Lifecycle Workflows is best expressed as: (hours/year of manual JML provisioning work) × (hourly IT labour cost) + (estimated risk value of leaver access cleanup improvement) = annual saving, which should exceed the $7/user/month × population cost. For a 5,000-user enterprise with 800 joiners/year and a current average provisioning time of 4 hours per joiner, the labour saving is 3,200 hours × $75/hour = $240,000/year against a Governance cost of $420,000/year ($7 × 12 × 5,000): the case does not close. Scoped to 1,500 managed users ($7 × 12 × 1,500 = $126,000/year), the ROI becomes positive. This is why population segmentation matters even for Lifecycle Workflows.
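As an added worked example (not code from the original article), the scoping arithmetic from the 10,000-user Governance scenario earlier in the article and the Lifecycle Workflows ROI case in this section, in Python. The list prices and scenario figures are the article's; the break-even helper and the leaver_risk_value parameter are assumptions added here, and the risk term defaults to zero because the article does not put a number on it.

```python
"""Scoping model for the Entra ID Governance add-on decision.

Added example, not code from the original article. List prices and the
scenario figures (10,000 users scoped to 800; 5,000 users with 800
joiners at 4 hours each and $75/hour) come from the article; the
break-even helper and the leaver_risk_value term are assumptions made
explicit as parameters.
"""
from dataclasses import dataclass

GOVERNANCE_PER_USER_MONTH = 7.0  # Governance add-on list price (article figure)
P2_PER_USER_MONTH = 9.0          # Entra P2 list price (article figure)
MONTHS_PER_YEAR = 12


def annual_licence_cost(population: int, per_user_month: float) -> float:
    """Annual licence spend for a population at a per-user monthly list price."""
    return per_user_month * MONTHS_PER_YEAR * population


def scoping_saving(full_population: int, scoped_population: int,
                   per_user_month: float = GOVERNANCE_PER_USER_MONTH) -> float:
    """Annual saving from licensing only the scoped population instead of everyone."""
    return (annual_licence_cost(full_population, per_user_month)
            - annual_licence_cost(scoped_population, per_user_month))


@dataclass(frozen=True)
class JmlScenario:
    """Inputs to the Lifecycle Workflows ROI formula stated in the article."""
    managed_users: int          # population that would be licensed for Governance
    joiners_per_year: int
    hours_per_joiner: float     # current manual provisioning effort per joiner
    hourly_labour_cost: float
    # Assumption: monetised value of better leaver cleanup; the article leaves it unquantified.
    leaver_risk_value: float = 0.0


def labour_saving(s: JmlScenario) -> float:
    """(hours/year of manual JML work) x (hourly IT labour cost)."""
    return s.joiners_per_year * s.hours_per_joiner * s.hourly_labour_cost


def annual_benefit(s: JmlScenario) -> float:
    """Labour saving plus the assumed risk value of improved leaver cleanup."""
    return labour_saving(s) + s.leaver_risk_value


def governance_cost(s: JmlScenario) -> float:
    """$7 x 12 x managed population."""
    return annual_licence_cost(s.managed_users, GOVERNANCE_PER_USER_MONTH)


def net_roi(s: JmlScenario) -> float:
    """Positive when the add-on pays for itself at this managed population."""
    return annual_benefit(s) - governance_cost(s)


def break_even_population(s: JmlScenario) -> int:
    """Largest managed population at which net_roi is still non-negative (added helper)."""
    return int(annual_benefit(s) // (GOVERNANCE_PER_USER_MONTH * MONTHS_PER_YEAR))


if __name__ == "__main__":
    print(f"Full-population Governance, 10,000 users: "
          f"${annual_licence_cost(10_000, GOVERNANCE_PER_USER_MONTH):,.0f}/year")
    print(f"Saving from scoping to 800 users: ${scoping_saving(10_000, 800):,.0f}/year")
    full = JmlScenario(managed_users=5_000, joiners_per_year=800,
                       hours_per_joiner=4, hourly_labour_cost=75)
    scoped = JmlScenario(managed_users=1_500, joiners_per_year=800,
                         hours_per_joiner=4, hourly_labour_cost=75)
    print(f"5,000 managed users: net ROI ${net_roi(full):,.0f}/year (does not close)")
    print(f"1,500 managed users: net ROI ${net_roi(scoped):,.0f}/year")
    print(f"Break-even managed population: {break_even_population(full):,} users")
```

The break-even figure is the one number the article's arithmetic implies but does not state: with a $240,000/year labour saving and no risk term, the add-on only pays for itself below roughly 2,860 managed users, so any proposal to license the full 5,000 has to be carried by a quantified leaver-cleanup risk value rather than labour saving alone.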

The Entra ID governance discussion connects directly to the P1 vs P2 segmentation methodology — in both cases, the commercial discipline is to license the deployment population rather than the full enterprise headcount. Our security licensing guide provides the broader context for how identity governance investment fits within the full security stack commercial framework.

Governance Add-On Justification Checklist

Deploy P2 first if: Governance programme is starting, Entitlement Management and Access Reviews are the primary use cases, Lifecycle Workflows has no imminent HR integration deployment plan.

Consider Governance add-on if: Manual JML provisioning is a documented pain point (measured in IT hours/year), HR source system (Workday/SAP SF) integration is ready or in progress, leaver account cleanup failures are a documented security finding.

Scope Governance to: Users managed through Lifecycle Workflows (typically all employees from HR source provisioning), not additional populations requiring only P2 Access Reviews or Entitlement Management.

Challenge full-population Governance if: Lifecycle Workflows is not deployed or planned, the Governance proposal is driven by the Entra Suite bundle rather than standalone Governance requirements.

EA Negotiation — Three Governance Add-On Tactics

1. Require Deployment Roadmap Before Committing Governance

Microsoft's EA commercial motion increasingly proposes the Governance add-on (or Entra Suite) as the standard identity governance commitment alongside P2 at renewal. Before accepting, require a deployment roadmap with milestones as a condition of commitment. If the roadmap shows Lifecycle Workflows deployment in months 18–24 of a 36-month EA term, negotiate the Governance add-on as a step-up commitment: P2 for the full term, with the Governance add-on activating at the deployment milestone and its commitment date tied to the HR integration readiness date. This is a standard EA amendment mechanism and eliminates paying for Governance through the pre-deployment period.

2. Use SailPoint / Saviynt as Competitive Alternatives

SailPoint Identity Security Cloud and Saviynt Enterprise Identity Cloud provide identity governance capabilities that overlap significantly with Entra Governance — Lifecycle Workflows, Access Reviews, access certification, and entitlement management — with multi-directory support (non-Azure environments, non-Entra identity stores). For organisations with complex multi-cloud or multi-directory environments (AWS, GCP, on-premises AD alongside Entra), SailPoint/Saviynt provide governance across all identity stores while Entra Governance is bounded to Entra-managed identities. A formal competitive evaluation of SailPoint or Saviynt alongside Entra Governance generates meaningful discount authority on the Governance add-on — 15–25% in our experience — even in pure Azure/Entra environments. The competitive pressure in EA negotiations framework applies directly to identity governance add-on lines.

3. Validate M365 E5 Governance Inclusion

M365 E5 does not include the Entra Governance add-on — E5 includes Entra P2 (and EMS E5 includes Entra P2), but the Governance add-on is a separate SKU above E5. This is frequently misrepresented in enterprise EA proposals where "E5 covers all identity governance" is stated or implied. If your account team references E5 as covering Governance, request written confirmation of the inclusion — which Microsoft's licensing documentation does not support. The distinction matters commercially because organisations on E5 who are told Governance is included may not challenge a standalone Governance add-on line at renewal until a licence reconciliation surfaces the double-payment. Our M365 E3 vs E5 comparison maps the exact E5 inclusions against the Entra product line to clarify this boundary.