FOUNDING ACCESS First 3 months free — use it in production and tell us what to fix. Claim it →
Back to Billing & Pricing
Billing & Pricing Important

What counts as an identity for billing?

0 views

title: What counts as an identity for billing? category: Billing & Pricing tags: billing, pricing, per identity, identities under governance priority: High

What counts as an identity for billing?

Certification Center is priced at $20 per identity per year, and you are billed only on the identities you bring under governance — the people whose access you actually certify. This article explains exactly what does and does not count, so there are no surprises on your bill.

The short answer

You pay for people under governance, not for every object in your directory. An identity is a real person whose access you are reviewing, certifying, or monitoring in Certification Center. Directory clutter — group objects, shared mailboxes, contacts, devices, service principals you are not governing — does not add to your bill.

Identities under governance vs. directory objects

Your connected directories usually contain far more objects than people. Certification Center distinguishes between the two.

Counts as a billable identity Does not count
A real person whose access you certify Group and role objects
A person included in an active review scope Shared mailboxes and resource accounts (unless you choose to govern them)
A person whose licenses you reconcile / reclaim Contacts and distribution lists
A person under a policy or SoD rule you enforce Devices and computers
Duplicate accounts that map to a person already counted

The key phrase is under governance. Simply syncing a directory does not bill you for everything in it — governance begins when a person is placed in a review scope, a license reconciliation, or a policy.

One person, many accounts — still one identity

Certification Center uses a person-centric model. If someone has an Active Directory account, an Entra ID account, and a Google Workspace account, those three accounts map to one identity — and you are billed once for that person, not three times.

This matters because it means:

  • Consolidating duplicate accounts does not inflate your bill
  • Connecting a second directory for the same people does not double your cost
  • The reconciliation that surfaces duplicates is working in your favour on price, not against it

What "under governance" includes

A person is under governance when they fall into any of these:

  • They are in the scope of an access review / certification campaign
  • Their assigned Microsoft 365 / Entra licenses are being reconciled for waste
  • They are subject to a Separation of Duties or other policy rule you have enabled
  • They are covered by policy-driven provisioning or drift monitoring

If a synced person is in none of these, they are just directory data — not a billable identity.

Worked example

Suppose your Entra tenant has 5,000 objects: 1,800 employee accounts, plus groups, shared mailboxes, guests, service principals, and devices. You run quarterly certifications and license reconciliation over your 1,800 employees, and you do not govern the guests or shared mailboxes.

Item Count Billable?
Employees under certification + license reconciliation 1,800 Yes
Group / role objects ~600 No
Shared mailboxes and resource accounts ~150 No
Guest accounts you do not govern ~400 No
Devices / service principals ~2,050 No

Billable identities: 1,800, at $20 each per year.

Why this model

Charging per governed identity keeps pricing aligned with the value you get — you pay for the people you are actually protecting, not for the size of a directory you happen to have connected. It also means cleaning up duplicates and orphaned accounts lowers, never raises, your cost.

Frequently asked

Do disabled or leaver accounts count? Only if you are actively governing them. Certifying and offboarding a leaver is part of the value; a long-disabled account you are not reviewing is not billed.

Do guest / external accounts count? Only the ones you bring under governance. Guests you sync but do not certify are not billable.

If I connect a second directory, does my count go up? Only by the number of new people it adds. The same person appearing in a second directory maps to their existing identity and is not billed again.

Is there a per-module charge on top? No. Pricing is one plan, everything included. See Pricing: one plan, everything included.

Next steps

Was this article helpful?

Related articles

Your free trial and the founding offer
Pricing: one plan, everything included