📋 Microsoft Entra Documentation Changes

Daily summary for changes since June 18th 2026, 11:38 PM PDT

Report generated on June 19th 2026, 11:38 PM PDT

📊 Summary

Total Commits: 26
New Files: 3
Modified Files: 10
Deleted Files: 0
Contributors: 12

🆕 New Documentation Files

+22 lines added
Commit: [Entra roles] Add Purview roles (#13571)
+21 lines added
Commit: [Entra roles] Add Purview roles (#13571)
+21 lines added
Commit: [Entra roles] Add Purview roles (#13571)

📝 Modified Documentation Files

Modified by Robert Lyon on Jun 19, 2026 8:46 PM
+85 / -9 lines changed
Commit: [Entra External ID] Pricing and billing add-ons (#11737)
Changes:
Before
After
---
title: External ID Pricing
description: Learn about the pricing structure for Microsoft Entra External ID, along with steps for linking an external tenant to an Azure subscription.
ms.topic: concept-article
ms.date: 02/24/2026
ms.collection: M365-identity-device-management
ms.custom: sfi-image-nochange
#customer intent: As a Microsoft Entra tenant administrator, I want to link my tenant to an Azure subscription so that I can take advantage of the monthly active users (MAU) billing model and activate MAU billing for guest user collaboration.
---
 
# Pricing structure and billing model for Microsoft Entra External ID
 
[!INCLUDE [applies-to-workforce-external](./includes/applies-to-workforce-external.md)]
 
This article outlines the pricing structure for Microsoft Entra External ID. It also describes how to link your tenant to an Azure subscription to ensure correct billing and feature access.
 
## Monthly active users (MAU) billing model
 
Billing for External ID is based on monthly active users (MAU); that is, the count of unique external users who authenticate to your tenants within a calendar month. To determine the total number of MAU, we combine active users from all workforce and external tenants that are linked to a subscription.
 
---
title: External ID Pricing
description: Learn about the pricing and billing structure for Microsoft Entra External ID, along with steps for linking an external tenant to an Azure subscription.
ms.topic: concept-article
ms.date: 06/22/2026
ai-usage: ai-assisted
ms.collection: M365-identity-device-management
ms.custom: sfi-image-nochange
#customer intent: As a Microsoft Entra tenant administrator, I want to link my tenant to an Azure subscription so that I can take advantage of the monthly active users (MAU) billing model and activate MAU billing for guest user collaboration.
---
 
# Microsoft Entra External ID pricing and billing overview
 
[!INCLUDE [applies-to-workforce-external](./includes/applies-to-workforce-external.md)]
 
This article outlines the pricing and billing structure for Microsoft Entra External ID. External ID uses a basic monthly active users (MAU) billing model with optional premium add-ons for advanced scenarios. It also describes how to link your tenant to an Azure subscription to ensure correct billing and feature access.
 
For the latest pricing details, see [External ID pricing](https://aka.ms/ExternalIDPricing).
 
## External ID billing model
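
Review bot: In the After front matter, `ms.date` is set to 06/22/2026, which is later than this commit's date (Jun 19, 2026) and differs from the 06/19/2026 used by the other articles updated in this batch; set it to the actual update date unless the later date is deliberate.
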
Modified by Ken Withee on Jun 19, 2026 9:08 PM
+29 / -16 lines changed
Commit: Add portal steps for user access revocation
Changes:
Before
After
description: How to revoke all access for a user in Microsoft Entra ID
ms.topic: how-to
ms.reviewer: yukarppa
ms.date: 04/02/2026
ms.custom: it-pro, has-azure-ad-ps-ref, azure-ad-ref-level-one-done
---
 
 
## Prerequisites
 
The PowerShell steps in this article require the following:
 
- [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true) installed. Install the required modules:
 
```PowerShell
Install-Module Microsoft.Graph.Users
Install-Module Microsoft.Graph.Users.Actions
Install-Module Microsoft.Graph.Identity.DirectoryManagement
```
 
description: How to revoke all access for a user in Microsoft Entra ID
ms.topic: how-to
ms.reviewer: yukarppa
ms.date: 06/19/2026
ai-usage: ai-assisted
ms.custom: it-pro, has-azure-ad-ps-ref, azure-ad-ref-level-one-done
---
 
 
## Prerequisites
 
Sign in with an account that has the appropriate roles. Different steps require different roles:
 
- Disable user accounts: [User Administrator](~/identity/role-based-access-control/permissions-reference.md#user-administrator) for non-admin users, or [Privileged Authentication Administrator](~/identity/role-based-access-control/permissions-reference.md#privileged-authentication-administrator) for admin accounts.
- Disable devices: [Cloud Device Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-device-administrator) at minimum.
 
The PowerShell steps in this article also require the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true). Install the required modules:
 
```PowerShell
Install-Module Microsoft.Graph.Users
Modified by Alexander Pavlovsky on Jun 19, 2026 9:39 PM
+7 / -11 lines changed
Commit: Revise source IP restoration guidance and roles (#2011)
Changes:
Before
After
- It improves the accuracy of risk detection in [Microsoft Entra ID Protection risk detections](/entra/id-protection/concept-identity-protection-risks).
- It elevates your threat detection and response by recording accurate source IP in [Microsoft Entra sign-in logs](/azure/active-directory/reports-monitoring/concept-all-sign-ins) and in [Microsoft Entra audit logs](/entra/identity/monitoring-health/concept-audit-logs).
 
> [!NOTE]
> To achieve source IP restoration for non-Microsoft apps, you must also configure Conditional Access policies and ensure traffic flows through a compliant network. For more information, see [Enable compliant network check with Conditional Access](/entra/global-secure-access/how-to-compliant-network#protect-your-resources-behind-the-compliant-network).
 
## Prerequisites
 
- Administrators who interact with **Global Secure Access** features must have both of the following role assignments depending on the tasks they're performing:
- The [Global Secure Access Administrator role](/azure/active-directory/roles/permissions-reference) role to manage the Global Secure Access features.
- The [Conditional Access Administrator](/azure/active-directory/roles/permissions-reference#conditional-access-administrator) to create and interact with Conditional Access policies.
- The product requires Microsoft Entra ID P1 licenses. For details, see the licensing section of [What is Global Secure Access](overview-what-is-global-secure-access.md). If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).
- You must enable the [Microsoft Traffic Profile](concept-microsoft-traffic-profile.md) to use Source IP restoration.
 
### Known limitations
 
[!INCLUDE [known-limitations-include](../includes/known-limitations-include.md)]
 
## Enable Global Secure Access signaling for Conditional Access
 
- It improves the accuracy of risk detection in [Microsoft Entra ID Protection risk detections](/entra/id-protection/concept-identity-protection-risks).
- It elevates your threat detection and response by recording accurate source IP in [Microsoft Entra sign-in logs](/azure/active-directory/reports-monitoring/concept-all-sign-ins) and in [Microsoft Entra audit logs](/entra/identity/monitoring-health/concept-audit-logs).
 
## Prerequisites
 
- Administrators who configure source IP restoration settings must have one of the following role assignments:
- The [Global Secure Access Administrator role](/azure/active-directory/roles/permissions-reference)
- The [Global Administrator role](/azure/active-directory/roles/permissions-reference)
- The product requires Microsoft Entra ID P1 licenses. For details, see the licensing section of [What is Global Secure Access](overview-what-is-global-secure-access.md). If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense).
- You must enable the [Microsoft Traffic Profile](concept-microsoft-traffic-profile.md) to use source IP restoration.
 
### Known limitations
 
[!INCLUDE [known-limitations-include](../includes/known-limitations-include.md)]
 
<a name="enable-global-secure-access-signaling-for-conditional-access"></a>
## Enable Global Secure Access signaling for Microsoft Entra ID and Microsoft Graph
 
> [!NOTE]
> Source IP restoration is now enabled by default for new tenants. If you enabled Global Secure Access features in your tenant before June 2025, you might need to explicitly enable source IP restoration.
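
Review bot: The After version drops the NOTE about non-Microsoft apps (Conditional Access policies plus a compliant network) and the Conditional Access Administrator prerequisite with no replacement in the visible text; if that requirement still applies, keep a pointer to the compliant network check article near the prerequisites. In the new role list, both entries link to the permissions-reference page without an anchor, and Global Administrator is offered on equal footing with Global Secure Access Administrator; link each role to its own section and present Global Secure Access Administrator as the least-privileged choice.
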
Modified by Faith Moraa Ombongi on Jun 19, 2026 9:21 PM
+16 / -1 lines changed
Commit: [Entra roles] Add Purview roles (#13571)
Changes:
Before
After
title: Microsoft Entra built-in roles
description: Describes the Microsoft Entra built-in roles and permissions.
ms.topic: reference
ms.date: 05/21/2026
ms.reviewer: abhijeetsinha
ms.custom: generated, it-pro, fasttrack-edit, has-azure-ad-ps-ref, azure-ad-ref-level-one-done, sfi-ga-nochange
---
> | [Printer Technician](#printer-technician) | Can register and unregister printers and update printer status. | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477 |
> | [Privileged Authentication Administrator](#privileged-authentication-administrator) | Can access to view, set and reset authentication method information for any user (admin or non-admin).<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | 7be44c8a-adaf-4e2a-84d6-ab2649e08a13 |
> | [Privileged Role Administrator](#privileged-role-administrator) | Can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | e8611ab8-c189-46e8-94e1-60213ab1f814 |
> | [Reports Reader](#reports-reader) | Can read sign-in and audit reports. | 4a5d8f65-41da-4de4-8968-e035b65339cf |
> | [Search Administrator](#search-administrator) | Can create and manage all aspects of Microsoft Search settings. | 0964bb5e-9bdb-4d7b-ac29-58e794862a40 |
> | [Search Editor](#search-editor) | Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan. | 8835291a-918c-4fd7-a9ce-faa49f0cf7d9 |
 
[!INCLUDE [privileged-role-administrator](includes/privileged-role-administrator.md)]
 
## Reports Reader
 
[!INCLUDE [reports-reader](includes/reports-reader.md)]
 
title: Microsoft Entra built-in roles
description: Describes the Microsoft Entra built-in roles and permissions.
ms.topic: reference
ms.date: 06/19/2026
ms.reviewer: abhijeetsinha
ms.custom: generated, it-pro, fasttrack-edit, has-azure-ad-ps-ref, azure-ad-ref-level-one-done, sfi-ga-nochange
---
> | [Printer Technician](#printer-technician) | Can register and unregister printers and update printer status. | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477 |
> | [Privileged Authentication Administrator](#privileged-authentication-administrator) | Can access to view, set and reset authentication method information for any user (admin or non-admin).<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | 7be44c8a-adaf-4e2a-84d6-ab2649e08a13 |
> | [Privileged Role Administrator](#privileged-role-administrator) | Can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | e8611ab8-c189-46e8-94e1-60213ab1f814 |
> | [Purview Workload Content Administrator](#purview-workload-content-administrator) | Manage or purge data from Microsoft 365 when accessing from the Microsoft Purview portal. | 3f04f91a-4ad7-4bd3-bcfa-49882ea1a88a |
> | [Purview Workload Content Reader](#purview-workload-content-reader) | Read data from Microsoft 365 when accessing from the Microsoft Purview portal. | e07494ad-1654-4dd2-922e-6f81a71bf00f |
> | [Purview Workload Content Writer](#purview-workload-content-writer) | Read and edit data from Microsoft 365 when accessing from the Microsoft Purview portal. | 02d5655b-c1cf-4e5f-98da-5fb919085bf6 |
> | [Reports Reader](#reports-reader) | Can read sign-in and audit reports. | 4a5d8f65-41da-4de4-8968-e035b65339cf |
> | [Search Administrator](#search-administrator) | Can create and manage all aspects of Microsoft Search settings. | 0964bb5e-9bdb-4d7b-ac29-58e794862a40 |
> | [Search Editor](#search-editor) | Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan. | 8835291a-918c-4fd7-a9ce-faa49f0cf7d9 |
 
[!INCLUDE [privileged-role-administrator](includes/privileged-role-administrator.md)]
 
## Purview Workload Content Administrator
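
Review bot: The three new Purview rows describe the roles in the imperative ("Manage or purge data...", "Read data...", "Read and edit data...") while the neighboring rows use "Can ..." phrasing; reword them to match the rest of the table. Also confirm whether Purview Workload Content Administrator, which can purge Microsoft 365 data, should carry the Privileged label icon used on the adjacent privileged rows.
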
+8 / -0 lines changed
Commit: Add prerequisites section to Internet Access tutorial
Changes:
Before
After
 
This series of exercises covers the fundamentals of Internet Access. The exercises assume that you follow them in order. If you skip around, you might miss a step. For example, in the baseline web-filtering tutorial, you create a security profile and assign it to a Microsoft Entra Conditional Access policy. Subsequent labs instruct you to assign the new policy to this existing security profile rather than creating a new security profile and Conditional Access policy each time.
 
## Learning progression
 
Each lab builds on the previous one and follows a logical progression.
 
 
 
 
 
 
 
 
 
This series of exercises covers the fundamentals of Internet Access. The exercises assume that you follow them in order. If you skip around, you might miss a step. For example, in the baseline web-filtering tutorial, you create a security profile and assign it to a Microsoft Entra Conditional Access policy. Subsequent labs instruct you to assign the new policy to this existing security profile rather than creating a new security profile and Conditional Access policy each time.
 
## Prerequisites
 
To complete this tutorial series, you need the following:
 
- Microsoft Entra ID tenant with P1 and either Microsoft Entra Internet Access or Microsoft Entra Suite licenses.
- Either Global Admin role or both of the following roles: Global Secure Access Admin, Security Admin.
- A Windows 11 device (must be Entra joined or hybrid joined) with internet access.
 
## Learning progression
 
Each lab builds on the previous one and follows a logical progression.
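
Review bot: The new Prerequisites list uses shortened role names ("Global Admin", "Global Secure Access Admin", "Security Admin") and "Entra joined"; spell out the full names (Global Administrator, Global Secure Access Administrator, Security Administrator, Microsoft Entra joined) and link the roles to the roles reference. Listing the two-role combination first, with Global Administrator as the alternative, would steer readers toward the lower-privilege option.
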
+6 / -1 lines changed
Commit: Clarify subscription directory relationship
Changes:
Before
After
title: Add an existing Azure subscription to your tenant
description: Instructions about how to add an existing Azure subscription to your Microsoft Entra tenant.
ms.topic: how-to
ms.date: 04/02/2025
ms.reviewer: jeffsta
ms.custom: ge-structured-content-pilot, sfi-ga-nochange, sfi-image-nochange
#Customer Intent: As an IT admin, I want to add an existing Azure subscription to my tenant so that I can manage resources under my organization's directory.
---
 
All Azure subscriptions have a trust relationship with a Microsoft Entra tenant. Subscriptions rely on this tenant (directory) to authenticate and authorize security principals and devices. When a subscription expires, the trusted instance remains, but the security principals lose access to Azure resources. Subscriptions can only trust a single directory while one Microsoft Entra tenant might be trusted by multiple subscriptions.
 
[!INCLUDE [tenant-installation-account](../includes/definitions/tenant-installation-account.md)] However, when an owner of a subscription joins their subscription to an existing tenant, the owner isn't assigned to the Global Administrator role.
 
While users might only have a single authentication *home* directory, users might participate as guests in multiple directories. You can see both the home and guest directories for each user in Microsoft Entra ID.
 
After you associate a subscription with a different directory, you might need to do the following tasks to resume operations:
 
1. If you have any key vaults, you must change the key vault tenant ID. For more information, see [Change a key vault tenant ID after a subscription move](/azure/key-vault/general/move-subscription).
 
1. If you used system-assigned Managed Identities for resources, you must re-enable these identities. If you used user-assigned Managed Identities, you must re-create these identities. After re-enabling or recreating the Managed Identities, you must re-establish the permissions assigned to those identities. For more information, see [What are managed identities for Azure resources?](~/identity/managed-identities-azure-resources/overview.md).
title: Add an existing Azure subscription to your tenant
description: Instructions about how to add an existing Azure subscription to your Microsoft Entra tenant.
ms.topic: how-to
ms.date: 06/19/2026
ms.reviewer: jeffsta
ai-usage: ai-assisted
ms.custom: ge-structured-content-pilot, sfi-ga-nochange, sfi-image-nochange
#Customer Intent: As an IT admin, I want to add an existing Azure subscription to my tenant so that I can manage resources under my organization's directory.
---
 
All Azure subscriptions have a trust relationship with a Microsoft Entra tenant. Subscriptions rely on this tenant (directory) to authenticate and authorize security principals and devices. When a subscription expires, the trusted instance remains, but the security principals lose access to Azure resources. Subscriptions can only trust a single directory while one Microsoft Entra tenant might be trusted by multiple subscriptions.
 
Think of the subscription as the container for Azure resources and Azure role assignments, and the tenant as the directory that contains the identities used to sign in and receive access. Azure roles control access to Azure resources in the subscription. Microsoft Entra roles control access to directory resources, such as users, groups, and domains. Changing a subscription's directory changes which tenant supplies identities for Azure role-based access control (Azure RBAC), but it doesn't make the subscription owner a Global Administrator in the tenant.
 
[!INCLUDE [tenant-installation-account](../includes/definitions/tenant-installation-account.md)] However, when an owner of a subscription joins their subscription to an existing tenant, the owner isn't assigned to the Global Administrator role.
 
While users might only have a single authentication *home* directory, users might participate as guests in multiple directories. You can see both the home and guest directories for each user in Microsoft Entra ID.
 
After you associate a subscription with a different directory, you might need to do the following tasks to resume operations:
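
Review bot: The last sentence of the added paragraph ("...it doesn't make the subscription owner a Global Administrator in the tenant") repeats the point made by the sentence that follows the INCLUDE on the next line ("the owner isn't assigned to the Global Administrator role"); drop one of them or merge the two so the point is made once.
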
 
Modified by Ken Withee on Jun 19, 2026 8:36 PM
+4 / -1 lines changed
Commit: Clarify tenant type options
Changes:
Before
After
title: Quickstart - Access and create new tenant
description: Instructions about how to find Microsoft Entra ID and how to create a new tenant for your organization.
ms.topic: quickstart
ms.date: 05/05/2026
ms.custom: it-pro, fasttrack-edit, mode-other, sfi-image-nochange
ms.collection: M365-identity-device-management
#Customer Intent: As an IT admin, I want to create a new Microsoft Entra tenant so that I can set up a directory for my organization or development environment.
 
1. On the Basics tab, select the type of tenant you want to create, either **Microsoft Entra ID** or **Microsoft Entra ID (B2C)**.
 
1. Select **Next: Configuration** to move to the Configuration tab.
 
1. On the Configuration tab, enter the following information:
 
 
 
title: Quickstart - Access and create new tenant
description: Instructions about how to find Microsoft Entra ID and how to create a new tenant for your organization.
ms.topic: quickstart
ms.date: 06/19/2026
ai-usage: ai-assisted
ms.custom: it-pro, fasttrack-edit, mode-other, sfi-image-nochange
ms.collection: M365-identity-device-management
#Customer Intent: As an IT admin, I want to create a new Microsoft Entra tenant so that I can set up a directory for my organization or development environment.
 
1. On the Basics tab, select the type of tenant you want to create, either **Microsoft Entra ID** or **Microsoft Entra ID (B2C)**.
 
Choose **Microsoft Entra ID** to create a workforce tenant for your organization's users and resources. Choose **Microsoft Entra ID (B2C)** only if you need an Azure AD B2C tenant. If **Microsoft Entra ID** is unavailable, review the prerequisites in the previous note, including paid customer requirements, tenant creation settings, and the Tenant Creator role.
 
1. Select **Next: Configuration** to move to the Configuration tab.
 
1. On the Configuration tab, enter the following information:
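
Review bot: The added guidance paragraph sits between steps 1 and 2 without indentation as shown here, which in Markdown ends the numbered list and restarts numbering at the next "1."; indent it under step 1. It also refers to "the previous note", which is not in the visible lines, so confirm that note exists above this step and covers the prerequisites the paragraph names.
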
Modified by Alexander Pavlovsky on Jun 19, 2026 9:39 PM
+1 / -1 lines changed
Commit: Revise source IP restoration guidance and roles (#2011)
Changes:
Before
After
 
## Related content
 
- [Enable Global Secure Access signaling for Conditional Access](how-to-source-ip-restoration.md#enable-global-secure-access-signaling-for-conditional-access)
- [Set up tenant restrictions v2](/azure/active-directory/external-identities/tenant-restrictions-v2)
- [Enable source IP restoration](how-to-source-ip-restoration.md)
- [Enable compliant network check with Conditional Access](how-to-compliant-network.md)
 
## Related content
 
- [Enable Global Secure Access signaling for Microsoft Entra ID and Microsoft Graph](how-to-source-ip-restoration.md#enable-global-secure-access-signaling-for-microsoft-entra-id-and-microsoft-graph)
- [Set up tenant restrictions v2](/azure/active-directory/external-identities/tenant-restrictions-v2)
- [Enable source IP restoration](how-to-source-ip-restoration.md)
- [Enable compliant network check with Conditional Access](how-to-compliant-network.md)
Modified by Robert Lyon on Jun 19, 2026 8:46 PM
+1 / -1 lines changed
Commit: [Entra External ID] Pricing and billing add-ons (#11737)
Changes:
Before
After
Microsoft Entra External ID pricing is based on monthly active users (MAU), which is the count of unique users with authentication activity within a calendar month. External ID consists of a core offer and premium add-ons. The Microsoft Entra External ID core offering is free for the first 50,000 MAU. For the latest information about usage billing and pricing, see [Billing model for Microsoft Entra External ID](../external-identities-pricing.md).
 
> [!NOTE]
> Existing subscriptions to Azure Active Directory B2C (Azure AD B2C) B2C or B2B collaboration under an Azure AD External Identities P1/P2 SKU remain valid and no migration is necessary. We communicate upgrade options once they're available.
 
### Does the 50,000 MAU free tier apply to add-ons?
 
Microsoft Entra External ID pricing is based on monthly active users (MAU), which is the count of unique users with authentication activity within a calendar month. External ID consists of a core offer and premium add-ons. The Microsoft Entra External ID core offering is free for the first 50,000 MAU. For the latest information about usage billing and pricing, see [Billing model for Microsoft Entra External ID](../external-identities-pricing.md).
 
> [!NOTE]
> If you previously subscribed to Azure Active Directory B2C (Azure AD B2C) or to B2B collaboration under an Azure AD External Identities P1/P2 SKU, see the [External ID pricing](../external-identities-pricing.md) page for information about current pricing options and any available upgrade paths.
 
### Does the 50,000 MAU free tier apply to add-ons?
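
Review bot: In the rewritten NOTE, the link text "External ID pricing" points to ../external-identities-pricing.md, the same target the paragraph above labels "Billing model for Microsoft Entra External ID", while the pricing article changed in this same commit uses "External ID pricing" as the label for https://aka.ms/ExternalIDPricing; use one label per target, ideally the article's new title. The earlier statement that existing subscriptions "remain valid and no migration is necessary" is removed, so confirm that dropping this assurance is intended.
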
 
+1 / -1 lines changed
Commit: Remove preview tag for ARR (now GA)
Changes:
Before
After
 
ID Protection analyzes signals about user accounts and calculates a risk score based on the probability that the user is compromised. If a user has risky user sign-in behavior, or their credentials were leaked, ID Protection uses these signals to calculate the user risk level. Administrators can configure risk-based Conditional Access policies to enforce access controls based on user risk, including requirements such as:
 
1. Require risk remediation (preview): ID Protection manages the appropriate remediation flow for all authentication methods.
1. Require password change: ID Protection blocks access until user completes a secure password change.
1. Block access: ID Protection blocks the user until risk is addressed.
 
 
ID Protection analyzes signals about user accounts and calculates a risk score based on the probability that the user is compromised. If a user has risky user sign-in behavior, or their credentials were leaked, ID Protection uses these signals to calculate the user risk level. Administrators can configure risk-based Conditional Access policies to enforce access controls based on user risk, including requirements such as:
 
1. Require risk remediation: ID Protection manages the appropriate remediation flow for all authentication methods.
1. Require password change: ID Protection blocks access until user completes a secure password change.
1. Block access: ID Protection blocks the user until risk is addressed.