License requirements to use Privileged Identity Management

To use Azure Active Directory (Azure AD) Privileged Identity Management (PIM), a directory must have a valid license. Furthermore, licenses must be assigned to the administrators and relevant users. This article describes the license requirements to use Privileged Identity Management.

Valid licenses

You need an Azure AD license to use PIM and all of its settings. Currently, you can scope an access review to service principals with access to Azure AD and Azure resource roles (Preview) when an Azure Active Directory Premium P2 edition is active in your tenant. The licensing model for service principals will be finalized for general availability of this feature, and additional licenses may be required. Using this feature requires an Azure AD Premium P2 license. To find the right license for your requirements, see Compare generally available features of Azure AD.

Licenses you must have

Ensure that your directory has at least as many Azure AD Premium P2 licenses as you have employees who fall into any of the following categories:

  • Users assigned as eligible to Azure AD or Azure roles managed using PIM
  • Users who are assigned as eligible members or owners of privileged access groups
  • Users able to approve or reject activation requests in PIM
  • Users assigned to an access review
  • Users who perform access reviews

Azure AD Premium P2 licenses are not required for the following tasks:

  • Setting up PIM, configuring policies, receiving alerts, and setting up access reviews.

For more information about licenses, see Assign or remove licenses using the Azure Active Directory portal.

Example license scenarios

Here are some example license scenarios to help you determine the number of licenses you must have.

| Scenario | Calculation | Number of licenses |
|---|---|---|
| Woodgrove Bank has 10 administrators for different departments and 2 Global Administrators that configure and manage PIM. They make five administrators eligible. | Five licenses for the administrators who are eligible | 5 |
| Graphic Design Institute has 25 administrators of which 14 are managed through PIM. Role activation requires approval and there are three different users in the organization who can approve activations. | 14 licenses for the eligible roles + three approvers | 17 |
| Contoso has 50 administrators of which 42 are managed through PIM. Role activation requires approval and there are five different users in the organization who can approve activations. Contoso also does monthly reviews of users assigned to administrator roles and reviewers are the users' managers, of which six are not in administrator roles managed by PIM. | 42 licenses for the eligible roles + five approvers + six reviewers | 53 |

When a license expires

If an Azure AD Premium P2, EMS E5, or trial license expires, Privileged Identity Management features will no longer be available in your directory:

  • Permanent role assignments to Azure AD roles will be unaffected.
  • The Privileged Identity Management service in the Azure portal, as well as the Graph API and the PowerShell cmdlets of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles.
  • Eligible role assignments of Azure AD roles will be removed, as users will no longer be able to activate privileged roles.
  • Any ongoing access reviews of Azure AD roles will end, and Privileged Identity Management configuration settings will be removed.
  • Privileged Identity Management will no longer send emails on role assignment changes.

Next steps