Learn about Microsoft Purview billing models

This feature is in preview.

Microsoft Purview is a unified security, governance, and compliance solution for Microsoft 365 and non-Microsoft 365 workloads and data systems. Microsoft Purview supports two complementary billing models to support this diverse environment:

  • Per-user license for Microsoft 365 and Windows/macOS endpoint sources
  • Pay-as-you-go model for non Microsoft 365 data sources

This article takes you through:

  • An overview of the two billing models.
  • An overview of the consent experience.
  • Links to information on the solution specific capabilities.

Note

The pay-as-you-go billing model builds on the per-user licensing model. The two are complementary, not mutually exclusive.

Per-user licensing model

The per-user licensing model is the familiar Microsoft 365 E3/E5/A5/F5/G5 model. It remains unchanged. This licensing model enables you to apply Microsoft Purview controls and protections to Microsoft 365 and Windows/macOS endpoint-based assets. It's described in the Microsoft Purview service description.

Pay-as-you-go billing model

The pay-as-you-go billing model is a consumption billing model. It extends Microsoft Purview security, governance, and protections beyond Microsoft 365 and Windows/macOS based assets to environments like Microsoft Fabric, Azure SQL, Azure ADLS, Amazon Web Services (AWS), Google Cloud Platform (GCP), Box, and Dropbox.

In the pay-as-you-go model, you're charged on a monthly based on the number of Assets you protect and the number of Processing units you use throughout the month. The Azure bill is generated at the end of the month.

Assets

An asset is any non Microsoft 365 item which is being protected by a Microsoft Purview policy. They can be equated to a table for structured data or any file for unstructured data.

Here are some examples of assets and the protection policies that can be applied to them.

Cloud provider Data source Asset Can be protected by
Azure SQL Tables which are labeled for structured data and in scope of a security policy Microsoft Purview Information Protection policy, Microsoft Purview Information Protection Auto-labeling
Azure ADLS File or resource set Microsoft Purview Information Protection policy, Microsoft Purview Information Protection Auto-labeling
Azure Storage - Tables which are labeled for structured data and in scope of a security policy
- Files or resource groups which are labeled for unstructured data and in scope of a security policy
Microsoft Purview Information Protection policy, Microsoft Purview Information Protection Auto-labeling

For details on data governance assets, see Microsoft Purivew data governance pricing concepts.

Pay-as-you-go Asset protection capabilities

Pay-as-you-go enables protection of non-Microsoft 365 assets in the following locations:

Location Current release state Billing starts on
Azure SQL Public preview January 6, 2025
Azure storage Public preview January 6, 2025

Processing units

A processing unit is a measure of the amount of compute resources used to process signals from workloads that are included in pay-as-you-go.

Counting assets and processing units

The pay-as-you-go billing model is based on the number of assets you protect and the number of processing units you use. They are measured differently.

Counting Assets

Assets are counted based on the number of items that are in the scope of a policy. The asset doesn't have to match or trigger a policy to be counted, it just has to be in a location that's in the scope of a policy. An asset is only counted once, regardless of how many solutions or protection policies cover it.

Here are some examples:

  • Protection policy: A tenant has SQL server with 100 tables, out of which 50 have been labeled Confidential and 20 have been labeled General. The protection policy only applies to assets labeled with Confidential, as a result the asset count will be 50.

  • Auto-labeling policy: A tenant has 100 Azure SQL servers, each with 500 tables. An auto-labeling policy, based on its configureation, applies to 30 Azure SQL severs, then the asset count for that policy would be 15,000.

Counting Processing units

The number of processing units that are needed can vary depending on the Purview solution and the complexity of the data being processed.

For instance, Microsoft Purview Insider Risk Management processes user activities corresponding to the non-Microsoft 365 indicators selected in data theft and data leak policies to generate insights, alerts and cases. For IRM, a processing unit is defined as the compute required to process 10,000 such user activities. Billing is based on the number of processing units utilized. Microsoft Purview Insider Risk Management indicators that detect activity in cloud storage apps (Box, Dropbox, Google Drive), cloud services (AWS, Azure), and Microsoft Fabric (Power BI) are billed on data security processing units.

See also