In 2025, Microsoft introduced significant Microsoft Entra ID licensing changes (formerly Azure Active Directory), moving in a direction to modernise identity management, strengthen security, and simplify administration for enterprises.

These updates include:

  • Retirement of legacy PowerShell modules
  • Mandatory service principal authentication
  • AI-driven security and governance features

If your organisation is approaching a Microsoft renewal, it's important to understand these changes in order to avoid compliance risks and optimise licensing costs.

Key Microsoft Entra ID licensing changes

1. Guest governance Chargeable Usage

External guests performing governance actions (like entitlement management, access reviews, or lifecycle workflows) are now billed $0.75 per month. Internal users and partners are excluded.

2. Monthly Active Guest (MAG) Billing Model

Only active guests in a given month are billed, regardless of the number of governance actions. Inactive guests are free.

3. Product Terms Clarification

The Entra ID Governance add-on is exclusively for external guest identities. Licensing internal users or partners as guests for cost savings is non-compliant.

4. Authentication Methods Policy Migration

Microsoft is consolidating MFA and self-service password reset under the Authentication Methods Policy. Legacy policies will become read-only after September 30, 2025, and will be deprecated by mid-2026.

5. Passkey Authentication Enhancements

Group-scoped passkey policies (public preview Q4 2025) allow targeted enforcement with WebAuthn-compliant devices, supporting biometrics, device attestation, and phishing-resistant FIDO2 keys.

6. Managed Identities as Credentials

Apps can now use managed identities, improving automation and reducing reliance on app secrets or certificates.

7. Security Defaults for Guest Users

From July 29, 2025, new Entra tenants no longer require MFA for guest users by default, except for privileged or Azure-specific actions. Conditional Access policies can customize this.

8. Entra Permissions Management Enhancements

Microsoft is expanding cloud infrastructure entitlement management (CIEM) with deeper integrations across Microsoft Defender for Cloud and Entra Permissions Management.

Benefits of the 2025 Microsoft Entra ID updates

  • Improved security: Stronger authentication reduces unauthorized access.
  • AI-driven governance: Automated tools enforce identity policies intelligently.
  • Simplified management: Microsoft Graph provides a unified admin experience.
  • Better scalability: Supports modern enterprise applications and cloud infrastructure.

Challenges and considerations

  • Migration may require significant IT resources.
  • Delays in adoption can disrupt authentication and access.
  • IT teams must learn and adapt to new tools and AI-driven features.

Customer impact

Organizations using legacy authentication methods or PowerShell modules must:

  • Transition to Microsoft Graph PowerShell SDK
  • Update apps to include service principals to avoid failed authentication after March 2026

Why Microsoft made these changes

Microsoft’s goals include:

  • Strengthening identity security
  • Consolidating management tools under Microsoft Graph
    Enabling AI-driven identity governance
  • Reducing vulnerabilities from service-principal-less authentication

Best Practices for IT Teams

  1. Audit apps for service-principal-less authentication.
  2. Transition from MSOnline and AzureAD PowerShell modules to Microsoft Graph SDK.
  3. Leverage AI features for Conditional Access optimization.
  4. Stay updated via Microsoft Learn and Tech Community.
  5. Engage experts for migration and license optimization support.

Microsoft Entra ID Roadmap - 2025

  • Q2 2025: Governance billing model launches, with reporting via Azure Monitor.
  • Q3 2025: Conditional Access templates and passkey enforcement updates.
  • Q4 2025: Expanded Conditional Access and passkey capabilities.
  • Post-2025: Deeper integration with Microsoft Defender and Sentinel for identity threat detection.

Keystone Negotiation - Expert in Microsoft renewals

The 2025 Microsoft Entra ID licensing changes represent a critical shift for IT and procurement teams managing Microsoft renewals. Early planning, compliance checks, and expert guidance can ensure cost savings, security, and operational continuity.

Maximise your Microsoft license value, contact Keystone Negotiation today for expert guidance on renewals, optimisation, and compliance.

Reference links for Entra ID changes:

https://techcommunity.microsoft.com/blog/microsoft-entra-blog/updates-and billing-guidance-for-guest-governance/4164498 

https://learn.microsoft.com/en-us/entra/id-governance/microsoft-entra-idgovernance-licensing-for-guest-users

https://learn.microsoft.com/en-us/answers/questions/2265162/access-review licensing-requirement-possible-confl 

https://techcommunity.microsoft.com/blog/microsoft-entra-blog/what%E2%80%99s-new-in-microsoft-entra-%E2%80%93-june 2025/4352579 

https://learn.microsoft.com/en-us/entra/fundamentals/whats-new