Azure Active Directory plans and pricing

Cloud authentication
(Pass-through authentication, password hash synchronization)

Federated authentication

(Active Directory Federation Services or federation with other identity providers)

Single sign-on (SSO) unlimited³

Multifactor authentication (MFA)⁴

Passwordless

(Windows Hello for Business, Microsoft Authenticator, FIDO2 security key integrations⁵)

Service-level agreement⁶

SaaS apps with modern authentication

(Azure AD application gallery apps, SAML, and OAUTH 2.0)

Group assignment to applications

Cloud app discovery (Microsoft Defender for Cloud Apps)⁷

Application Proxy for on-premises, header-based, and Integrated Windows Authentication

Secure hybrid access partnerships⁸

(Kerberos, NTLM, LDAP, RDP, and SSH authentication)

Role-based access control (RBAC)

Conditional Access

SharePoint limited access

Session lifetime management Learn more

Identity Protection

(Risky sign-ins, risky users, risk-based conditional access)

Custom security attributes

User and group management

Advanced group management

(Dynamic groups, naming policies, expiration, default classification)

Directory synchronization—Azure AD Connect (sync and cloud sync)

Azure AD Connect Health reporting⁹

Delegated administration—built-in roles

Global password protection and management – cloud-only users

Global password protection and management – custom banned passwords, users synchronized from on-premises Active Directory

Microsoft Identity Manager user client access license (CAL)¹⁰

Application launch portal (My Apps)

User application collections in My Apps

Self-service account management portal (My Account)

Self-service password change for cloud users

Self-service password reset/change/unlock with on-premises write-back

Self-service sign-in activity search and reporting

Self-service group management (My Groups)

Self-service entitlement management (My Access)

Automated user provisioning to apps

Automated group provisioning to apps

HR-driven provisioning

Terms of use attestation

Access certifications and reviews

Entitlements management

Privileged Identity Management (PIM), just-in-time access

Basic security and usage reports

Advanced security and usage reports

Identity Protection: vulnerabilities and risky accounts

Identity Protection: risk events investigation, SIEM connectivity

SMS sign-in

Shared device sign-out

Delegated user management portal (My Staff)

Cloud authentication
(Pass-through authentication, password hash synchronization)

Federated authentication

(Active Directory Federation Services or federation with other identity providers)

Single sign-on (SSO) unlimited³

Multifactor authentication (MFA)⁴

Passwordless

(Windows Hello for Business, Microsoft Authenticator, FIDO2 security key integrations⁵)

Service-level agreement⁶

SaaS apps with modern authentication

(Azure AD application gallery apps, SAML, and OAUTH 2.0)

Group assignment to applications

Cloud app discovery (Microsoft Defender for Cloud Apps)⁷

Application Proxy for on-premises, header-based, and Integrated Windows Authentication

Secure hybrid access partnerships⁸

(Kerberos, NTLM, LDAP, RDP, and SSH authentication)

Role-based access control (RBAC)

Conditional Access

SharePoint limited access

Session lifetime management Learn more

Identity Protection

(Risky sign-ins, risky users, risk-based conditional access)

Custom security attributes

User and group management

Advanced group management

(Dynamic groups, naming policies, expiration, default classification)

Directory synchronization—Azure AD Connect (sync and cloud sync)

Azure AD Connect Health reporting⁹

Delegated administration—built-in roles

Global password protection and management – cloud-only users

Global password protection and management – custom banned passwords, users synchronized from on-premises Active Directory

Microsoft Identity Manager user client access license (CAL)¹⁰

Application launch portal (My Apps)

User application collections in My Apps

Self-service account management portal (My Account)

Self-service password change for cloud users

Self-service password reset/change/unlock with on-premises write-back

Self-service sign-in activity search and reporting

Self-service group management (My Groups)

Self-service entitlement management (My Access)

Automated user provisioning to apps

Automated group provisioning to apps

HR-driven provisioning

Terms of use attestation

Access certifications and reviews

Entitlements management

Privileged Identity Management (PIM), just-in-time access

Basic security and usage reports

Advanced security and usage reports

Identity Protection: vulnerabilities and risky accounts

Identity Protection: risk events investigation, SIEM connectivity

SMS sign-in

Shared device sign-out

Delegated user management portal (My Staff)

Cloud authentication
(Pass-through authentication, password hash synchronization)

Federated authentication

(Active Directory Federation Services or federation with other identity providers)

Single sign-on (SSO) unlimited³

Multifactor authentication (MFA)⁴

Passwordless

(Windows Hello for Business, Microsoft Authenticator, FIDO2 security key integrations⁵)

Service-level agreement⁶

SaaS apps with modern authentication

(Azure AD application gallery apps, SAML, and OAUTH 2.0)

Group assignment to applications

Cloud app discovery (Microsoft Defender for Cloud Apps)⁷

Application Proxy for on-premises, header-based, and Integrated Windows Authentication

Secure hybrid access partnerships⁸

(Kerberos, NTLM, LDAP, RDP, and SSH authentication)

Role-based access control (RBAC)

Conditional Access

SharePoint limited access

Session lifetime management Learn more

Identity Protection

(Risky sign-ins, risky users, risk-based conditional access)

Custom security attributes

User and group management

Advanced group management

(Dynamic groups, naming policies, expiration, default classification)

Directory synchronization—Azure AD Connect (sync and cloud sync)

Azure AD Connect Health reporting⁹

Delegated administration—built-in roles

Global password protection and management – cloud-only users

Global password protection and management – custom banned passwords, users synchronized from on-premises Active Directory

Microsoft Identity Manager user client access license (CAL)¹⁰

Application launch portal (My Apps)

User application collections in My Apps

Self-service account management portal (My Account)

Self-service password change for cloud users

Self-service password reset/change/unlock with on-premises write-back

Self-service sign-in activity search and reporting

Self-service group management (My Groups)

Self-service entitlement management (My Access)

Automated user provisioning to apps

Automated group provisioning to apps

HR-driven provisioning

Terms of use attestation

Access certifications and reviews

Entitlements management

Privileged Identity Management (PIM), just-in-time access

Basic security and usage reports

Advanced security and usage reports

Identity Protection: vulnerabilities and risky accounts

Identity Protection: risk events investigation, SIEM connectivity

SMS sign-in

Shared device sign-out

Delegated user management portal (My Staff)

Cloud authentication
(Pass-through authentication, password hash synchronization)

Federated authentication

(Active Directory Federation Services or federation with other identity providers)

Single sign-on (SSO) unlimited³

Multifactor authentication (MFA)⁴

Passwordless

(Windows Hello for Business, Microsoft Authenticator, FIDO2 security key integrations⁵)

Service-level agreement⁶

SaaS apps with modern authentication

(Azure AD application gallery apps, SAML, and OAUTH 2.0)

Group assignment to applications

Cloud app discovery (Microsoft Defender for Cloud Apps)⁷

Application Proxy for on-premises, header-based, and Integrated Windows Authentication

Secure hybrid access partnerships⁸

(Kerberos, NTLM, LDAP, RDP, and SSH authentication)

Role-based access control (RBAC)

Conditional Access

SharePoint limited access

Session lifetime management Learn more

Identity Protection

(Risky sign-ins, risky users, risk-based conditional access)

Custom security attributes

User and group management

Advanced group management

(Dynamic groups, naming policies, expiration, default classification)

Directory synchronization—Azure AD Connect (sync and cloud sync)

Azure AD Connect Health reporting⁹

Delegated administration—built-in roles

Global password protection and management – cloud-only users

Global password protection and management – custom banned passwords, users synchronized from on-premises Active Directory

Microsoft Identity Manager user client access license (CAL)¹⁰

Application launch portal (My Apps)

User application collections in My Apps

Self-service account management portal (My Account)

Self-service password change for cloud users

Self-service password reset/change/unlock with on-premises write-back

Self-service sign-in activity search and reporting

Self-service group management (My Groups)

Self-service entitlement management (My Access)

Automated user provisioning to apps

Automated group provisioning to apps

HR-driven provisioning

Terms of use attestation

Access certifications and reviews

Entitlements management

Privileged Identity Management (PIM), just-in-time access

Basic security and usage reports

Advanced security and usage reports

Identity Protection: vulnerabilities and risky accounts

Identity Protection: risk events investigation, SIEM connectivity

SMS sign-in

Shared device sign-out

Delegated user management portal (My Staff)