If you're running a hybrid on-prem AD and Entra ID environment with around 200 users and a mix of licensed employees and unlicensed B2B guest users, the Entra Identity Governance pricing structure has a catch that isn't obvious until you ask directly: the $12/user/month add-on applies to both your internal users and your external guest users.
Your M365 Business Premium employees already have a P1 license included. What they don't have — and what's needed for Lifecycle Workflows, Access Reviews, and Entitlement Management — is the Entra Suite or the standalone Identity Governance license on top. The guest users who are currently unlicensed B2B Collaboration users need to be licensed separately for governance features if you want to govern them through the same workflows.
Before committing to that cost, it's worth understanding exactly what you're buying and whether an alternative IGA platform makes more sense at your scale.
What Microsoft Entra Identity Governance Actually Costs
The Microsoft Entra Suite at $12/user/month is the bundle that includes Lifecycle Workflows, Access Reviews, Entitlement Management, and other features. As a Microsoft cloud consultant confirmed in the thread that prompted this article: external users need to be licensed too — they can't use governance features for free, and if they don't have the license in their home tenant, you need to license them.
For a 200-user SMB with a significant number of external contractors or B2B guests, this pricing structure can make the total cost significantly higher than the per-employee number suggests. Microsoft does have separate guidance for guest user licensing under Entra External ID pricing, which uses a monthly active user model rather than per-seat for some external identity scenarios — worth reading before assuming the flat $12/user applies uniformly to every external identity type. The Microsoft documentation linked by practitioners in this thread (learn.microsoft.com/en-us/entra/id-governance/microsoft-entra-id-governance-licensing-for-guest-users and learn.microsoft.com/en-us/entra/external-id/external-identities-pricing) has the current specifics, since Microsoft updates these pricing pages periodically.
The standalone Identity Governance license is also an option if you don't want the full Entra Suite. If Lifecycle Workflows, Access Reviews, and Entitlement Management are the specific features you need and the Suite includes products you're not interested in, the standalone license may be the more appropriate purchase — as one commenter noted, the Suite is overkill if you only want governance features.
Why External User Governance Is the Hard Part
The problem the OP described — external users falling through the cracks during offboarding because manual processes get skipped "for convenience" — is exactly the scenario where per-user licensing for guests creates a friction point.
If you have to pay the full governance license rate for every B2B guest to get them into your lifecycle workflows, the cost calculation changes depending on how many external users you have and how frequently they cycle in and out. For a company where external contractors are a small, stable population, the incremental cost may be manageable. For a company where external user headcount is unpredictable or high relative to internal users, it can make Entra Identity Governance substantially more expensive than the internal-user-only price implies.
The governance gap for external users is real regardless of pricing. Guest accounts that were never added to a lifecycle workflow don't get offboarded when the engagement ends. They accumulate in the directory, maintain access to the applications they were granted during the engagement, and show up as orphaned accounts in the next access review or audit. The fix is getting them into the same governance framework as your internal users — which requires either the licensing cost or an alternative platform that doesn't price governance per external identity.
What an Alternative IGA Platform Looks Like for a 200-User SMB
For SMBs that find Entra Identity Governance expensive at their scale — particularly when external user licensing is factored in — a dedicated next-gen IGA platform handles the same use cases without being tied to Microsoft's per-user pricing model.
Zluri integrates with both Entra ID via API and on-premises Active Directory via a lightweight Directory Agent deployed in your internal network. The agent creates an outbound-only LDAP/LDAPS connection to your AD server without requiring inbound firewall changes, so your hybrid environment is covered from a single platform rather than requiring separate tools for on-prem and cloud.
For external user visibility, Zluri categorizes identities into buckets — employees, externals, service accounts — based on email domain or directory attributes. This gives you an accurate count of how many contractors or B2B guests are active in your environment and lets you apply specific governance rules to each category. External users who leave an engagement can be offboarded through the same playbook framework as internal employees, rather than being excluded from lifecycle management because of their license type.
The onboarding and offboarding automation runs off your HR system or directory as the source of truth. When an external user is added with a defined engagement end date, Zluri can schedule the offboarding workflow to run automatically at that date — the scenario where manual processes get skipped for convenience is addressed by removing the human trigger entirely.
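The bucketing and end-date check described above can be sketched over a directory export. This is an added example, not Zluri's or Microsoft's code; the export format, field names, internal domain and `svc-` naming convention are assumptions, and the records are constructed.

```python
from datetime import date

# Constructed sample directory export; every field name here is an assumption.
SAMPLE_EXPORT = [
    {"upn": "alice@contoso.example", "user_type": "Member", "enabled": True, "engagement_end": None},
    {"upn": "bob_partner.example#EXT#@contoso.example", "user_type": "Guest", "enabled": True, "engagement_end": "2024-03-31"},
    {"upn": "carol_vendor.example#EXT#@contoso.example", "user_type": "Guest", "enabled": True, "engagement_end": None},
    {"upn": "dave_vendor.example#EXT#@contoso.example", "user_type": "Guest", "enabled": True, "engagement_end": "2024-12-31"},
    {"upn": "erin_partner.example#EXT#@contoso.example", "user_type": "Guest", "enabled": False, "engagement_end": "2024-01-15"},
    {"upn": "svc-backup@contoso.example", "user_type": "Member", "enabled": True, "engagement_end": None},
]

INTERNAL_DOMAINS = {"contoso.example"}   # assumed internal e-mail domain
SERVICE_PREFIXES = ("svc-", "svc_")      # assumed service-account naming convention


def categorize(rec):
    """Bucket an identity as employee, external or service_account."""
    local, _, domain = rec["upn"].lower().rpartition("@")
    if local.startswith(SERVICE_PREFIXES):
        return "service_account"
    if rec["user_type"] == "Guest" or "#ext#" in local or domain not in INTERNAL_DOMAINS:
        return "external"
    return "employee"


def offboarding_findings(records, today):
    """Return (upn, finding) for enabled externals that need offboarding action."""
    findings = []
    for rec in records:
        if categorize(rec) != "external" or not rec["enabled"]:
            continue  # only enabled external accounts still hold access
        end = rec["engagement_end"]
        if end is None:
            # No end date means nothing will ever trigger offboarding.
            findings.append((rec["upn"], "no_end_date"))
        elif date.fromisoformat(end) < today:
            # Engagement is over but the account is still enabled.
            findings.append((rec["upn"], "overdue"))
    return findings


if __name__ == "__main__":
    for upn, finding in offboarding_findings(SAMPLE_EXPORT, date(2024, 6, 1)):
        print(f"{finding:12} {upn}")
```

The `no_end_date` finding matters as much as `overdue`: an external account without an end date can never be picked up by a date-triggered workflow.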
A Note on Verifying Current Pricing
Microsoft's licensing pages for Entra Identity Governance, the Entra Suite, and external identity pricing change periodically. The $12/user/month figure cited in this thread reflects the pricing at the time of that discussion — verify against the current Microsoft documentation before making a purchasing decision, as both the price and the licensing rules for guest users have been updated more than once. The Microsoft guidance pages linked by practitioners in this thread are the right starting point for current external user licensing specifics.
Frequently Asked Questions
Does Microsoft Entra Identity Governance require licenses for external guest users?
Yes. External B2B guest users who are not licensed in their home tenant need to be licensed separately to use Entra Identity Governance features like Lifecycle Workflows and Access Reviews. The Microsoft Entra Suite add-on applies to both internal and external users. Microsoft has separate guidance for external identity pricing under Entra External ID that uses a monthly active user model for some scenarios — check the current Microsoft documentation for the specific rules that apply to your guest user setup.
What is the difference between the Microsoft Entra Suite and the standalone Identity Governance license?
The Entra Suite is a bundle that includes Identity Governance alongside other Entra products. If you only need Lifecycle Workflows, Access Reviews, and Entitlement Management, the standalone Identity Governance license may be the appropriate purchase and avoids paying for Suite components you won't use. Confirm the current standalone pricing against Microsoft's licensing documentation before assuming the Suite is required.
What IGA alternatives exist for SMBs that find Entra Identity Governance too expensive?
For SMBs in the 200-user range — especially those with external contractors that would increase the Entra licensing cost significantly — dedicated next-gen IGA platforms like Zluri provide lifecycle workflow automation, access reviews, and external user governance without Microsoft's per-user add-on pricing structure. These platforms integrate with both Entra ID and on-premises AD, making them viable for hybrid environments without requiring a full Microsoft identity stack.
How do you automate offboarding for external users in a hybrid AD and Entra ID environment?
The approach is to connect your directory or HR system as the source of truth and trigger offboarding workflows from status changes or engagement end dates rather than relying on a manual process. For external users specifically, this requires either Entra Identity Governance with guest user licenses or a third-party IGA platform that handles external identity categorization and lifecycle automation separately from your internal user workflows.
Explore IGA Options for Your SMB Environment
If you're evaluating whether Entra Identity Governance fits your 200-user hybrid environment — especially with external contractors in the mix — see how Zluri handles lifecycle automation and external user governance across both on-prem AD and Entra ID without per-external-user licensing costs.












