Microsoft Entra Guest Governance Deep Dive: MAU Billing and Lifecycle Automation

Understanding Microsoft Entra Guest MAU Billing and Identity Governance

Guest access is no longer a “set it and forget it” problem.

Most organizations today collaborate heavily with vendors, partners, auditors, and consultants using Microsoft Entra B2B. Over time, this creates a silent risk: inactive guest users with persistent access to your tenant.

To address this, Microsoft introduced guest governance with Monthly Active User (MAU)-based billing tied to advanced governance actions, not just guest presence.

In this blog, I’ll break down:

  1. How guest MAU billing really works
  2. What triggers billing (and what does NOT)
  3. What changes are mandatory from January 2026
  4. And finally, a practical lifecycle workflow use case to automatically offboard inactive guest users

Guest Licensing in Microsoft Entra: MAU Model at a Glance

Microsoft Entra now licenses guest and external users using a Monthly Active User (MAU) model. Instead of assigning licenses upfront, billing is based on actual sign-in activity, making external collaboration more flexible and cost-effective.

The MAU model under Microsoft Entra External ID applies to:

  • B2B guest users in workforce tenants (userType = Guest)
  • All users in Microsoft Entra External tenants (consumers, business guests, and admins)

Internal users (userType = Member) signing in across multiple tenants are not counted toward MAU usage.

An MAU is counted only when an external user authenticates at least once in a calendar month. Microsoft aggregates MAUs across all tenants linked to the same subscription.

To reduce costs, Microsoft provides a free tier of up to 50,000 MAU, and you only pay as usage grows. This replaces the older 1:5 guest-to-license model, aligning costs with real usage rather than directory size.

To link an Azure subscription to your Microsoft Entra ID tenant and begin MAU billing for external user sign-ins, sign in to the Microsoft Entra admin center, navigate to External Identities, and then select Linked subscriptions.

Entra ID Tenant Azure Subscription Linking for MAU Billing

On the Link Subscription page, select the required Azure subscription and resource group to add the billing unit. Once selected, click Apply to attach the Azure subscription to your Microsoft Entra ID workforce tenant for guest user billing. The first 50,000 users won't be billed.

Link Azure Subscription to Entra ID Tenant

Understanding Guest MAU Billing in Microsoft Entra ID Governance

The Microsoft Entra ID Governance feature also uses a Monthly Active User (MAU) billing model, but only for guest users, and this is fundamentally different from employee licensing.

Key principle (important)

You are not billed just because a guest exists in your tenant (if you are not exceeding 50,000).

You are billed only when a guest actively uses advanced governance features during a given month (even within the 50,000 free MAU).

Who is considered a guest?

A user is treated as billable only if:

  • userType = Guest
  • Regardless of where they authenticate from
  • Regardless of whether they come from another Entra tenant or external IdP

What Actually Triggers Billing for Entra Governance?

Billing is triggered per month, per guest, only when governance-exclusive actions occur.

Examples of billable guest actions

Some common real-world examples include:

  • A guest requests an access package (or someone requests it on their behalf)
  • A guest is assigned to an Entra ID role via Entitlement Management
  • A guest goes through PIM for Groups via access packages
  • A policy uses sponsor approvals, custom extensions, or Verified ID
  • A Lifecycle Workflow runs for a guest user
  • A guest is included in machine-learning assisted access reviews
  • A guest is explicitly marked as governed

If none of these actions happen in a month → no billing for that guest.

What Is Not Billed?

This is where many admins get confused.

Basic Governance features that are already included with Microsoft Entra ID P2 are not billed under the guest MAU model.

That means:

  • Basic access reviews
  • Standard entitlement management scenarios
  • Existing P2-based guest governance

No sudden billing surprises, as long as you’re not using Governance-exclusive features.

No Free Tier for Guest Governance MAU

Unlike some Entra features, there is no free MAU allowance here.

  • Governance billing applies to all guest users, even within the first 50,000 MAU
  • Billing is action-based, not volume-based

Multitenant Organizations: A Smart Cost Optimization

There’s an important exception worth calling out.

If:

  • A Microsoft Entra ID Governance licensed user comes from another Entra tenant
  • And is part of a multitenant organization
  • And is added with userType = Member

That user does NOT count toward guest MAU billing

This is a strong architectural option for large partner ecosystems.

However, to use Microsoft Entra ID Governance features, the tenant must have at least one of the following licenses assigned to an administrator:

  • Microsoft Entra ID Governance
  • Microsoft Entra Suite

Guest users themselves do not require individual (per-user) licenses to be governed under these features.

January 2026: Enforcement Is Coming

Starting January 2026, Microsoft will enforce subscription linking for guest governance.

Billing Notification for Entra ID Governance features for guest users

If your tenant is not linked to an Azure subscription, you will lose access to several governance features for guests.

What you won’t be able to do without the add-on

  • Create advanced guest access reviews
  • Use sponsor approvals, Verified ID, or custom extensions
  • Create guest auto-assignment policies
  • Mark guests as governed
  • Run Lifecycle Workflows scoped to guests

This is not just a billing change, it’s a functional enforcement.

How to link an Azure subscription for a guest user governance scenario

If an Azure subscription is already linked from the External Identities section, MAU billing is already active for guest users, but governance billing for guest users is not.

To activate the guest user governance feature license, sign in to the Microsoft Entra admin center, go to Identity Governance, select Guest access governance, and click Get started.

Since the Microsoft Entra Suite add-on is already available in my tenant, governance features will be activated and tenant member users can start using these benefits immediately. The steps below are required only for your guest users.

Entra ID Guest Governance Billing Activation

In the Identity Governance – Guest access setup, select the required Azure subscription and resource group, then click Turn on billing for Guest Governance.

The billing rate of $0.75 per guest per month will be shown. Once the correct subscription and resource group are selected, click Turn on to start the billing meter for the Guest Governance feature.

Turn on ID Governance guest access

Within a few minutes, the subscription will be attached and ready for guest user governance. You will also see a Turn off option if you want to disable Guest Governance billing at any time.

Edit ID Governance guest access

When you view the Microsoft Entra Identity Governance dashboard, you can see the guest access governance details, including the number of guests and their status. A banner will also appear indicating that Guest Governance is enabled as a premium add-on.

Guest access governance details

When you select View inactive guests, you can see the default inactivity threshold set to 90 days, along with detailed insights such as Guest inactivity distribution, Guest inactivity overview, and Guest accounts summary.

Insights and reporting Inactive guest accounts

Practical Use Case: Offboarding Inactive Guest Users Automatically

Microsoft Entra ID Governance offers multiple features for managing guest user accounts, as highlighted earlier. Among these, automatically offboarding inactive guest users is a key capability that many enterprises find especially valuable.

This is where things get really interesting.

Let’s walk through a real, practical scenario using Lifecycle Workflows.

Problem

  • Guests join for short-term collaboration
  • Projects end
  • Guests remain inactive, but still have access
  • Manual cleanup never happens

Solution

Use the “Offboard inactive users” lifecycle workflow template and extend it to guest users.

Entra Lifecycle workflows in action (Guest User Scenario)

Let’s create a Microsoft Entra Lifecycle Workflow for inactive guest users. In this approach, we’ll configure two separate workflows:

1. Disable inactive guest accounts that have not been used for more than 90 days, and automatically notify the manager or sponsor about the account inactivity via email.

2. Remove any group or Teams memberships associated with those disabled guest accounts, if present, and finally delete the inactive guest accounts from the Microsoft Entra ID tenant.

This ensures a structured and automated offboarding process for inactive guest users.

Based on your business requirements, workflows can be adjusted and tasks can be customized accordingly.

Disable Inactive Guest Accounts

Let’s begin the configuration.

First, sign in to the Microsoft Entra admin center, navigate to the ID Governance section, select Lifecycle workflows, and then select Create workflow.

Entra ID Lifecycle workflows

From the Lifecycle workflow template selection window, choose the Offboard inactive users template from the list of available templates.

Lifecycle Workflow Template selection

On the Workflow details page, provide a name and description for the workflow. Set the trigger type to Sign-in inactivity and select the desired inactivity period.

For this first workflow, I’ve chosen 90 days of inactivity, which will disable the guest account.

Lifecycle workflow Details

On the Configuration scope page, set the Scope type to Rule-based. In the rule, configure userType equals Guest.

This ensures the workflow is triggered only for guest users in the Microsoft Entra ID tenant.

Lifecycle workflow Configuration scope

On the Workflow tasks page, we will add two tasks:

  • Send an email to the manager or sponsor of the guest user to notify them about the inactivity.
  • Disable the guest user account.

Lifecycle Workflow Tasks selection

You can rearrange the tasks as needed. Click on each task to customize it based on your requirements.

Let’s start by configuring the first task, which sends an email notification about user inactivity. Provide the required name, description, and customize the email notification template accordingly.

Send email about user inactivity

The email customization template can be tailored to meet your specific business requirements.

Now, let’s configure the User Disable task.

Disable Guest User Account Tasks

Now, let’s review the Lifecycle workflow, verify that the schedule is enabled, and then create the workflow.

Create Lifecycle workflow

Now that the workflow is ready for execution, 

Lifecycle workflows

Now, we will create our second Lifecycle Workflow to remove any group or Teams memberships and delete the guest account that has been disabled and has not signed in for more than 120 days.

Remove Disabled Guest Accounts

Click Create workflow, select the same template used earlier, Offboard inactive users, and then click Select.

Create Lifecycle workflow using Template

Enter the workflow details, including the name, description, and set the trigger type to Sign-in inactivity. Configure the inactivity period to 120 days.

In this scenario, guest accounts are first disabled after 90 days of inactivity, and after 120 days, we will remove any group memberships and delete the guest account.

This timeline can be adjusted based on your business requirements; this is just an example scenario.

Lifecycle workflow details

Next, in the Scope details and Rules section, set userType to Guest and accountEnabled to False, then continue with the configuration.

Lifecycle workflow scope details

In the Workflow tasks section, you can add any tasks required, such as removing the guest user from groups or Microsoft Teams channels.

In this example scenario, I’m adding only the task to delete the guest account from the Microsoft Entra ID tenant.

Lifecycle workflow Tasks

In the next step, review the workflow, ensure the schedule is enabled, and then click Create.

Lifecycle workflow review and create

Now both workflows are ready. They will run automatically based on the default schedule (every 1 hour), which cannot be modified. However, you can run the workflows on demand at any time if needed.

Entra ID Lifecycle workflows

Now, let’s review the workflow that disables guest accounts which have not signed in for the past 90 days. You can see the next scheduled run time displayed below.

Lifecycle workflows Overview

Now, let’s review our guest users. As seen earlier in the Identity Governance dashboard, the guest user account is currently enabled, and the last sign-in activity is more than 90 days ago.

Guest user account in Entra ID

After waiting a few minutes, once the scheduled time is reached, we can view the workflow execution status in the Workflow history section.

The Users tab shows which users are scheduled to be processed by this workflow.

Lifecycle Workflow history

The Runs tab displays the workflow execution status, including failed users, failed tasks, unprocessed tasks, and overall run status counts.

Lifecycle workflow runs

When you select the Summary tab, detailed information is displayed. As shown in the screenshot below, 

Lifecycle workflow execution summary

If you click on a specific guest user, you can view detailed information showing whether the workflow execution was successful or failed, along with the related task details.

In the screenshot below, the user experienced a failed execution.

The failure occurred because the email notification task could not run, as no manager/sponsor attribute was configured for the guest user. Since the “Continue on error” option was not enabled for this task, the workflow stopped entirely and did not proceed to execute the second task for this specific user.

Lifecycle execution failure task
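The following is an added example, not part of the original post or of any Microsoft tooling: a pre-flight check that models the two workflows configured above and shows which guests would hit the email-task failure. The sample records are constructed, the use of `lastSignInDateTime` as the inactivity measure and the handling of guests with no recorded sign-in are assumptions, and `continue_on_error` is a hypothetical parameter mirroring the “Continue on error” task option.

```python
from datetime import datetime, timezone

DISABLE_AFTER, DELETE_AFTER = 90, 120  # inactivity thresholds used on this page

# Constructed sample guests; field names follow Microsoft Graph user properties.
GUESTS = [
    {"upn": "auditor@partner.example", "userType": "Guest", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2025-08-01T09:00:00Z"},
     "sponsors": ["pm@contoso.example"]},
    {"upn": "vendor@supplier.example", "userType": "Guest", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2025-07-01T09:00:00Z"},
     "sponsors": []},                           # no manager/sponsor configured
    {"upn": "consultant@firm.example", "userType": "Guest", "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": "2025-06-01T09:00:00Z"},
     "sponsors": ["pm@contoso.example"]},
    {"upn": "invited@new.example", "userType": "Guest", "accountEnabled": True,
     "signInActivity": None, "sponsors": []},   # no sign-in recorded
    {"upn": "employee@contoso.example", "userType": "Member", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2025-01-01T09:00:00Z"}, "sponsors": []},
]

def days_inactive(user, now):
    """Whole days since the last recorded sign-in, or None if there is none."""
    stamp = (user.get("signInActivity") or {}).get("lastSignInDateTime")
    if stamp is None:
        return None
    return (now - datetime.fromisoformat(stamp.replace("Z", "+00:00"))).days

def preview(users, now, continue_on_error=False):
    """Map each in-scope guest to the outcome the two workflows would produce."""
    plan = {}
    for u in users:
        if u["userType"] != "Guest":            # scope rule: userType equals Guest
            continue
        idle = days_inactive(u, now)
        can_notify = bool(u.get("manager") or u.get("sponsors"))
        if idle is None:                        # assumption: flag, do not guess
            plan[u["upn"]] = "review: no sign-in recorded"
        elif not u["accountEnabled"]:           # second workflow: disabled + 120 days
            plan[u["upn"]] = "delete" if idle > DELETE_AFTER else "wait"
        elif idle <= DISABLE_AFTER:
            plan[u["upn"]] = "active"
        elif can_notify or continue_on_error:   # first workflow: email, then disable
            plan[u["upn"]] = "disable"
        else:  # email task fails first, so the disable task never runs
            plan[u["upn"]] = "stuck: email task fails, account stays enabled"
    return plan

if __name__ == "__main__":
    for upn, outcome in preview(GUESTS, datetime(2025, 12, 1, tzinfo=timezone.utc)).items():
        print(f"{upn:28} {outcome}")
```

A guest reported as stuck is never picked up by the second workflow either, because that workflow is scoped to accountEnabled equals False.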

Now, let’s check a successful user in the Microsoft Entra admin center. The guest user’s account status now shows as disabled, which confirms that the workflow executed successfully and performed the intended action.

Entra ID guest user Account Disabled

At any time, you can navigate to the Execution conditions and Execution user scope tabs to see the users that are scheduled to be processed by the workflow. These lists show users who, based on the latest evaluation, are in scope for the scheduled workflow, even if some of them have not yet been processed.

Lifecycle workflow Execution user scope

Now, let’s review the execution status of the second workflow, which processes guest accounts that have been inactive for 120 days and whose account status is disabled.

Delete Disabled Guest Accounts Workflow history

We can now see that the workflow successfully executed for one of the guest accounts that met all the criteria configured in the workflow. When we review the tasks, we can confirm that the guest user account deletion task has been completed.

Lifecycle workflow completed tasks

Now that the task has been successfully completed, the guest account will no longer appear in the Microsoft Entra ID Users list. Instead, it will be visible under the Deleted users tab.

When we review it there, we should see the account listed as a Guest, with the deletion timestamp matching the workflow execution time.

Microsoft Entra ID Deleted Users

Note: Billing impact

  • The workflow execution for a guest is billable, but only once per month per active guest
  • Dormant guests with no workflow execution → no charge

Why Guest User Lifecycle Workflows Are Worth It

  • Reduces standing access risk by automatically offboarding inactive guests
  • Meets audit and compliance expectations with consistent, policy-driven governance
  • Eliminates manual quarterly cleanup efforts through automation
  • Aligns costs directly with real governance activity, ensuring value-based spending

Final Thoughts

Guest access is no longer just an identity feature; it’s a governance responsibility.

The MAU billing model:

  • Encourages intentional governance
  • Charges only when advanced controls are used
  • Pushes organizations toward automation over sprawl

If you’re already managing guests seriously, Lifecycle Workflows alone justify the model, especially for offboarding inactive external users.

Good governance is not about having more guests.
It’s about knowing when they should no longer be there.
