Microsoft Entra ID Governance (formerly Azure AD Identity Governance) is the premium tier of Microsoft's identity management stack. It sits above Entra P2 and is sold as a separate add-on licence at approximately £7/user/month. For a 3,000-user enterprise purchasing Governance for all users, that is a £252,000 annual commitment on top of existing Entra P1 or P2 licences.
Like many Microsoft security add-ons, Entra ID Governance is frequently proposed for entire user populations when a targeted deployment for specific user groups is both commercially appropriate and technically sufficient. This guide explains precisely what Governance adds beyond Entra P2, which user populations genuinely need it, and how to negotiate the minimum compliant deployment in your EA.
The Entra Licence Hierarchy: P1, P2, and Governance
Understanding what you already have is the prerequisite for evaluating Governance. The Entra stack operates in three main tiers:
Entra ID Free / Entra ID P1 — included in M365 E1/E3/Business Premium. Covers core identity (SSO, basic MFA, Conditional Access, SSPR, hybrid identity). This is the baseline for all enterprise M365 deployments.
Entra ID P2 — adds Identity Protection (risk-based Conditional Access, risky user detection), Access Reviews (basic), and Privileged Identity Management (PIM) basics. Included in M365 E5 and available as a standalone add-on at approximately £8.40/user/month or as part of the EMS E5 suite.
Entra ID Governance — adds advanced identity lifecycle management capabilities beyond P2, specifically: advanced Entitlement Management, advanced Access Reviews, Lifecycle Workflows, and advanced PIM capabilities (PIM for Groups). Priced at approximately £7/user/month as an add-on to an existing P1 or P2 licence. This requires understanding whether your organisation already has P2 through E5, as Governance on top of P2 is a separate consideration from Governance on top of P1.
Entra ID Governance is an add-on that extends Entra P1 or P2. It does not replace either tier. If you are on M365 E5 (which includes Entra P2), you would purchase Governance as an additional add-on on top of P2 to access Governance-specific features. If you are on M365 E3 (Entra P1), some Governance features require P2 as a prerequisite, so the effective cost of Governance on an E3 base may be the P2 add-on plus the Governance add-on: approximately £15.40/user/month above your E3 licence for the users who need it.
What Entra ID Governance Actually Adds
The key differentiator between Entra P2 and Governance is the depth and automation of identity lifecycle management. Here is the feature-by-feature breakdown:
| Feature | Entra P1 | Entra P2 | Entra ID Governance |
|---|---|---|---|
| Basic Access Reviews | No | Yes | Yes (enhanced) |
| Multi-stage Access Reviews | No | No | Yes |
| Machine learning-assisted reviews | No | No | Yes |
| Basic Entitlement Management | No | Yes | Yes (advanced) |
| Custom extensions (Logic Apps) in access packages | No | No | Yes |
| Lifecycle Workflows (Joiner/Mover/Leaver automation) | No | No | Yes |
| PIM for Groups | No | No | Yes |
| Privileged Identity Management (PIM) | No | Yes (basic) | Yes (+ Groups) |
| Verified ID (decentralised identity) | Basic | Basic | Advanced (Face Check) |
Lifecycle Workflows: The Feature That Drives Most Governance Deployments
Lifecycle Workflows is the Governance feature with the broadest enterprise value proposition. It automates identity lifecycle processes at three key stages: joiner (new employee onboarding), mover (role change, transfer), and leaver (offboarding, termination).
Without Lifecycle Workflows, enterprises manage these transitions manually or through scripted processes (often in Azure Logic Apps, Power Automate, or third-party ITSM systems). The value Lifecycle Workflows delivers:
Joiner workflows automate pre-day-one tasks: sending welcome emails, provisioning temporary access packages, triggering HR system integration, generating temporary access passes for passwordless onboarding. For large organisations onboarding dozens of employees per week, the IT time saving is measurable — typically 45–90 minutes of IT administration per new joiner eliminated.
Mover workflows handle role transitions: revoking previous role memberships, assigning new access packages, triggering system access changes, notifying affected managers and IT owners. Role transitions are historically high-risk from an identity perspective — the period where a mover retains previous access while acquiring new access is a privileged access accumulation risk. Lifecycle Workflows closes this gap systematically.
Leaver workflows are the highest-value use case for most organisations. They automate the complete account lifecycle at termination: disable account, revoke sessions, remove group memberships, transfer manager access, schedule account deletion, generate compliance evidence. The 30-day compliance window for leaver evidence is a common SOC 2 and ISO 27001 audit requirement — Lifecycle Workflows provides audit-ready evidence automatically.
In organisations without Lifecycle Workflows, the average leaver account remains partially active for 14–21 days post-termination. This is one of the most consistently cited findings in Microsoft security assessments. Lifecycle Workflows reduces the average leaver account active window to under 4 hours when properly configured — a meaningful security control for any regulated sector.
Advanced Access Reviews: Who Needs the Governance Version
Entra P2 includes basic Access Reviews: periodic automated reviews of group memberships and application role assignments, sent to owners or resource managers for approval. This covers the core use case — quarterly access reviews for M365 groups, SharePoint site membership, Entra application access.
Entra ID Governance adds three capabilities beyond the P2 baseline that drive the use case for Governance-tier Access Reviews:
Multi-stage reviews allow a primary reviewer (typically the employee's manager) to be followed by a secondary reviewer (typically the resource owner or a compliance officer) before access is certified or revoked. This is required in regulated sectors where a single-reviewer approval is insufficient for compliance evidence. DORA, SOX IT controls, and FCA SYSC requirements often specify multi-level access certification.
Machine learning-assisted recommendations provide a signal on whether access should be approved or revoked based on usage patterns, last login dates, and peer group access comparisons. In large access review programmes with thousands of review decisions, ML-assisted recommendations significantly reduce rubber-stamping — where reviewers approve everything without consideration. This is a genuine quality improvement for mature access governance programmes.
Inactive guest access reviews specifically target guest (B2B) accounts in your tenant that have not been active for a configurable period. Guest sprawl is a persistent problem in organisations using Teams and SharePoint extensively — Governance-tier access reviews close this governance gap systematically.
PIM for Groups: Why It Matters for Zero Trust
Privileged Identity Management (PIM) in Entra P2 provides just-in-time privileged access to Entra roles — an administrator requests elevation, the request is approved, the task is executed, and access is revoked after the configured time window. This is a core Zero Trust control for Entra admin roles.
PIM for Groups (Governance-only) extends the same just-in-time principle to Microsoft 365 Groups and security groups. This is significant because a large proportion of privileged application access in enterprise M365 environments is controlled through group memberships — SharePoint owner groups, Teams owner roles, application admin groups, and more. PIM for Groups means these group memberships can be made eligible rather than permanent: users request elevation into the group, receive approval, execute their task, and membership is revoked. The Entra Governance vs P2 comparison covers this in more detail.
Who Genuinely Needs Entra ID Governance Licensing
Given the cost (~£7/user/month), Governance should be targeted precisely. Here is the user classification framework:
Privileged users (Tier 1): All Entra admin roles, Azure subscription owners, Exchange admins, SharePoint admins, security operators. These users benefit from PIM for Groups and advanced access reviews. Small population (typically 20–60 users in most enterprises), but justification is strong. Governance is clearly appropriate for this group regardless of organisation size.
IT and IAM operations (Tier 2): HR integration owners, identity lifecycle process owners, application owners, IT managers responsible for onboarding/offboarding. These users are the ones who configure and manage Lifecycle Workflows and Entitlement Management access packages. Small population (typically 10–30 users), but licence is required to administer Governance features — this is often missed in licence scoping discussions.
Regulated role population (Tier 3): In regulated sectors (financial services, healthcare, critical infrastructure), compliance and access recertification requirements may mandate multi-stage access reviews for a broader population — not just privileged users. This is the most variable population by industry. A financial services firm under DORA or SOX IT controls may need Governance-tier access reviews for 200–300 sensitive role holders. A technology company with limited regulatory obligations may need it only for Tier 1 and Tier 2.
General workforce (Tier 4): Standard end users with no privileged access and no compliance-sensitive role. Lifecycle Workflows benefits them operationally (faster onboarding, better offboarding), but a Governance licence is required for every user who is a workflow subject — meaning if you deploy Lifecycle Workflows for all employees, you need a Governance licence for all employees. This is the population most likely to be over-licensed in a tenant-wide Governance deployment.
Microsoft's documentation requires a Governance licence for each user who is the subject of a Lifecycle Workflow — not just for the administrators configuring the workflows. If you deploy joiner/mover/leaver workflows for your entire workforce, you need Governance licences for all employees, not just the privileged population. This is frequently not clearly communicated by account teams in initial Governance proposals. Before committing to Lifecycle Workflows for all users, confirm the per-user licensing requirement against your actual workflow scope.
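As a worked illustration of the leaver tasks described above and of the per-subject licensing point, here is an added Microsoft Graph PowerShell example (not code from the article or from Microsoft's documentation) that creates a leaver workflow restricted to one department and then counts the users that scope rule selects, which is exactly the population that needs a Governance licence. The department filter, workflow name and built-in task display names are assumptions for illustration; task definition IDs are looked up at run time rather than hard-coded.

```powershell
# Added example, not the article's own code: scope a leaver workflow narrowly and
# count its subjects. Assumes the Microsoft.Graph PowerShell SDK is installed and the
# signed-in account may manage lifecycle workflows and read users. Department value,
# workflow name and built-in task display names are assumptions for illustration.
Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All', 'User.Read.All'

# The scope rule decides who is a workflow subject, and therefore who needs a
# Governance licence. "(accountEnabled eq true)" here would mean the whole tenant.
$scopeRule = "(department eq 'Finance')"

# Resolve built-in task definition IDs by display name instead of hard-coding GUIDs
$taskDefs = Get-MgIdentityGovernanceLifecycleWorkflowTaskDefinition -All
function Get-TaskId([string]$Name) {
    $def = $taskDefs | Where-Object { $_.DisplayName -eq $Name }
    if (-not $def) { throw "Built-in task '$Name' not found in this tenant" }
    return $def.Id
}

$workflow = @{
    category            = 'leaver'
    displayName         = 'Leaver - Finance - day of departure'
    description         = 'Disable the account and remove group memberships on employeeLeaveDateTime'
    isEnabled           = $true
    isSchedulingEnabled = $true   # let the scheduler evaluate the scope, not only on-demand runs
    executionConditions = @{
        '@odata.type' = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
        scope = @{
            '@odata.type' = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
            rule          = $scopeRule
        }
        trigger = @{
            '@odata.type'      = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
            timeBasedAttribute = 'employeeLeaveDateTime'   # must be populated, e.g. by HR-driven provisioning
            offsetInDays       = 0                         # fire on the leave date itself
        }
    }
    tasks = @(
        @{ displayName = 'Disable User Account'; description = 'Block sign-in'; isEnabled = $true
           continueOnError = $false; taskDefinitionId = (Get-TaskId 'Disable User Account'); arguments = @() }
        @{ displayName = 'Remove user from all groups'; description = 'Drop group-based access'; isEnabled = $true
           continueOnError = $false; taskDefinitionId = (Get-TaskId 'Remove user from all groups'); arguments = @() }
    )
}
$created = New-MgIdentityGovernanceLifecycleWorkflow -BodyParameter $workflow
Write-Output "Created workflow $($created.Id) with scope $scopeRule"

# Licence check: every user matched by the scope rule is a subject of this workflow
$null = Get-MgUser -Filter $scopeRule -ConsistencyLevel eventual -CountVariable subjectCount -Top 1
Write-Output "Users in scope (each needs an Entra ID Governance licence): $subjectCount"
```

Widening the scope rule is the point at which the licence count grows, so review that one line with the same care as the EA user count.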
Entra ID Governance Deployment Scenarios and Costs
Using a 5,000-user organisation as a reference point, here is how three deployment scenarios compare (at approximately £4.50/user/month EA pricing for Governance, on top of existing M365 E3 or E5):
| Deployment Scenario | User Population | Annual Cost (EA) | Use Cases Covered |
|---|---|---|---|
| Privileged users only | 50 users | ~£2,700/year | PIM for Groups, advanced Access Reviews for admins |
| Targeted regulated roles | 300 users | ~£16,200/year | Multi-stage access reviews for compliance-sensitive roles + admin PIM |
| Full workforce Lifecycle Workflows | 5,000 users | ~£270,000/year | Automated joiner/mover/leaver + all access review + PIM capabilities |
The full workforce scenario is 100x the cost of the privileged-users-only scenario. Whether that 100x investment is justified depends entirely on whether Lifecycle Workflows is deployed for all users and whether the operational efficiency and compliance value of full automation justifies the premium over a targeted deployment with manual lifecycle processes for standard users.
Negotiating Entra ID Governance in Your EA
Once your Governance requirement is determined, the negotiation strategy follows the same principles as other targeted security add-ons in the Microsoft security licensing stack.
Scope rigorously. Define the exact user population for each Governance feature: PIM for Groups users, Lifecycle Workflows subjects, multi-stage access review participants. Governance licences should be purchased for this defined population, not the entire tenant.
Use the E5 bundle comparison. Entra ID Governance at ~£7/user/month is a standalone add-on. If you are approaching E5 territory for your privileged population (Entra P2 + Governance = approximately £15.40/user/month above P1), compare this to M365 E5 at approximately £38/user/month, which includes a broader set of security and compliance tools including Entra P2 as a component. The per-user economics sometimes favour selective E5 deployment over Governance add-on if the user population also needs Defender XDR or E5 Compliance features.
Phase the deployment. Propose a phased Governance deployment: start with privileged user PIM for Groups in the first six months, extend to regulated role access reviews by month nine, evaluate Lifecycle Workflows for all employees by month twelve with a data-driven business case. This limits initial commitment while allowing the programme to demonstrate value before the full investment is committed. Frame this phased commitment during EA negotiations.
Reference third-party alternatives. SailPoint, Saviynt, and CyberArk Workforce Identity provide identity governance capabilities that compete with Entra ID Governance in enterprise environments. While the native M365 integration is a significant Governance advantage, referencing these alternatives signals commercial awareness and creates price flexibility in negotiations.
For the broader Entra P1 vs P2 licensing decision and the full Microsoft Entra ID licensing guide, see our dedicated articles. Governance is the third tier of the Entra stack — ensure P1 and P2 decisions are made correctly before evaluating Governance.
Frequently Asked Questions
Does Entra ID Governance replace Entra P2?
No. Governance is an add-on to P1 or P2. It extends either tier with advanced identity lifecycle and governance capabilities. Some Governance features (like advanced Access Reviews) build on P2 foundations. If you are on M365 E3 (which includes P1), you need to consider whether you need P2 as a prerequisite before adding Governance. If you are on M365 E5 (which includes P2), Governance is a direct add-on on top of your existing E5 licence.
Is Lifecycle Workflows included in Entra P2?
No. Lifecycle Workflows is an Entra ID Governance-exclusive feature. Entra P2 does not include automated joiner/mover/leaver workflows. P2 includes basic Entitlement Management (access packages) and basic Access Reviews, but the full lifecycle automation requires Governance.
Can I deploy Governance for privileged users only without tenant-wide licensing?
For PIM for Groups and advanced Access Reviews, yes — you can licence the specific users who are subject to those controls. For Lifecycle Workflows, the licensing requirement applies to users who are the subject of workflow tasks (not just the administrators). Confirm the current per-user licensing requirement with your account team and review the Entra ID Governance product terms, as this area has seen changes with product updates.
How does Entra ID Governance compare to SailPoint or Saviynt?
Third-party IAM platforms like SailPoint and Saviynt offer deeper identity governance capabilities for complex heterogeneous environments — particularly for applications not integrated with Entra ID. For organisations where M365 and Azure are the primary application estate, Entra ID Governance provides competitive functionality with native integration and no additional data connectors. For organisations with significant SAP, Oracle, or on-premises application estates, third-party IGA platforms typically provide broader coverage, though at higher total cost.
Where does Entra ID Governance fit in the broader Microsoft security investment?
Governance fits within the identity security pillar of a broader Zero Trust licensing strategy. The standard investment progression for most enterprises is: Entra P1 (Conditional Access foundation) → Entra P2 (Identity Protection and PIM) → Governance (lifecycle automation and advanced access controls) → Defender XDR integration. Each tier should demonstrate operational value before the next is committed. See our guide to rationalising Microsoft security licensing for the full framework.