Microsoft Purview offers a set of integrated solutions that help customers secure and govern their data. It's composed of data security and data governance solutions for:
- Microsoft 365 and non-Microsoft 365 workloads and data systems.
- Microsoft 365 and non-Microsoft 365 endpoints.
- Compliance solutions for data used with Generative AI applications.
Microsoft Purview supports two complementary billing models to support this diverse environment:
- Per-user license for Microsoft 365 and Windows/macOS endpoint sources
- Pay-as-you-go model for non-Microsoft 365 data sources and certain other capabilities
This article takes you through:
- An overview of the two billing models.
- Links to information on the solution-specific capabilities.
Note
The pay-as-you-go billing model builds on the per-user licensing model. The two are complementary, not mutually exclusive.
Per-user licensing model
The per-user licensing model is the familiar Microsoft 365 E3/E5/A5/F5/G5 model. It remains unchanged. This licensing model enables you to apply Microsoft Purview controls and protections to Microsoft 365 and Windows/macOS endpoint-based assets. It's described in the Microsoft Purview service description.
Pay-as-you-go billing model
The pay-as-you-go billing model is a consumption billing model. It extends Microsoft Purview data security, data governance, and data risk and compliance protection capabilities beyond Microsoft 365 and Windows/macOS environments to non-Microsoft 365 locations. The billing mechanisms are Azure based, so you must associate your Microsoft 365 tenant with an active Azure subscription. It also protects data moving through networks, DataOps, application architectures, and AI apps and agents, as well as certain other user-agnostic capabilities.
In the pay-as-you-go model, you're charged based on your usage of various pay-as-you-go features, based on the unit of consumption for the feature. An Azure bill is generated at the end of the month for the total number of pay-as-you-go charges across all Microsoft solutions.
Note
For guidance on how to associate a Microsoft 365 tenant to an Azure subscription, see Enable Microsoft Purview pay-as-you-go features for new customers.
Capabilities that use the pay-as-you-go billing model
Note
Some Microsoft Purview solutions are billed on the per-user licensing model. Some require the per-user licensing model to be enabled before the pay-as-you-go billing model can be used, and some are pay-as-you-go only and don't require a per-user license.
Data Security and Data Governance
The pay-as-you-go billing model extends Microsoft Purview data security and governance capabilities beyond Microsoft 365 and Windows/macOS to environments like:
- Amazon Web Services (AWS)
- Azure ADLS
- Azure SQL
- Box
- Dropbox
- Google Drive
- Microsoft Fabric
For details on data governance assets, see Microsoft Purview data governance billing.
Data security capabilities
Solution | Applies to | Unit of Measure | Details |
---|---|---|---|
Data Security Investigations (preview) | Data storage meter based on the storage associated with each investigation | Number of gigabytes of stored data for all investigations/month; number of Security Compute Units consumed | Learn more about billing for Data Security Investigations |
Information Protection | Sensitivity labels that are applied to non-Microsoft 365 data sources | Number of assets in scope of protection policy/day | Refer to details below on how assets are defined and calculated |
Insider Risk Management | Detect risky behavior for non-Microsoft 365 locations when using Cloud and generative AI policy indicators. | Data Security processing unit as measured on a daily basis | Learn more about Insider Risk Management policy indicators |
Data governance capabilities
Solution | Applies to | Unit of Measure | Details |
---|---|---|---|
Unified Catalog data curation | Applies when you actively curate and manage the technical assets in Microsoft Purview Unified Catalog | Number of unique assets governed/day | Learn more about data governance billing |
Unified Catalog data health management | Applies when you manage data quality and take health management actions | Number of data governance processing units (DGPUs) consumed | Learn more about data governance billing |
Data governance processing units: For more information on data governance processing units, see Data governance processing units explained.
Data risk and compliance capabilities
For Generative AI apps and agents, Microsoft Purview offers the following capabilities on a pay-as-you-go billing model. Microsoft 365 Copilot experiences aren't charged.
Solution | Applies to | Unit of Measure | Details |
---|---|---|---|
Audit solutions | Audit logs for user interactions with non-Microsoft 365 generative AI applications | Number of audit records processed | Learn more about generative AI applications supported by Audit solutions. |
Communication compliance | Detect inappropriate or risky interactions for non-Microsoft 365 AI interactions when using AI policy indicators | Number of text records scanned | Billing meters for communication compliance are broken down into two categories: standard and premium. Learn more about the channels and generative AI applications supported by Communication Compliance. |
Data Lifecycle Management | Retention policies for AI interactions | Number of non-Microsoft 365 Copilot or AI App interactions (prompts and responses) under a retention policy | Each non-Microsoft 365 generative AI prompt and response counts as a separate interaction and is retained and deleted according to the retention policy settings configured in Microsoft Purview. For more information on retention policies in DLM for Copilot and AI apps, see Learn about retention for Copilot & AI apps. |
eDiscovery | Storage of non-Microsoft 365 AI application data. | Number of gigabytes stored/day | Learn more about eDiscovery billing |
Other Microsoft Purview solutions that use Pay-As-You-Go
Solution | Applies to | Unit of Measure | Details |
---|---|---|---|
On-demand classification (preview) | Applies when you run a scan to identify and classify sensitive content in data stored in SharePoint and OneDrive | Asset, based on the number classified per scan | Learn more about On-demand classification (preview) |
Security Copilot | Applies for all Security Copilot functions | Security Compute Units | Get started with Security Copilot |
Network Data Security (preview) | Requests from an endpoint device to a website, cloud app, or generative AI app | Number of requests sent from the endpoint device to the website, cloud app, or generative AI app | Network data security only counts requests that are outbound from the device. |
Cost estimator tools
Understand pricing and estimate your expected monthly costs for pay-as-you-go capabilities:
Units of measure for pay-as-you-go capabilities
Assets
An asset is any Microsoft 365 item which is being protected by a Microsoft Purview policy. They can be equated to a table for structured data or any file for unstructured data. You're charged per day for each asset that is in the scope of a policy. For Microsoft Data Lifecycle Management, assets include interactions (prompts and responses) between a user and a Copilot or AI App.
Here are some examples of assets for Microsoft Purview Data Security and Governance and the protection policies that can be applied to them.
Cloud provider | Data source | Asset | Can be protected by |
---|---|---|---|
Azure | SQL DB | Table | Protection policy and auto-labeling policy from Microsoft Purview Information Protection |
Azure | ADLS | File or resource set | Protection policy and auto-labeling policy from Microsoft Purview Information Protection |
Azure | Blob | File or resource set | Protection policy and auto-labeling policy from Microsoft Purview Information Protection |
Azure | Fabric | Supported item types | Protection policies from Microsoft Purview Information Protection |
Azure | Fabric | Supported item types | Microsoft Purview Data Loss Prevention |
For details on data governance assets, see Microsoft Purview data governance billing.
Counting assets
Assets are counted based on the number of items that are in the scope of a policy. The asset doesn't have to match a policy's conditions to be counted; it just has to be in a location that's in the scope of a policy. An asset is only counted once, regardless of how many solutions or protection policies cover it.
Here are some examples:
- Protection policy: A tenant has a SQL server with 100 tables, out of which 50 have been labeled Confidential and 20 have been labeled General. The protection policy only applies to assets labeled Confidential, so the asset count will be 50.
- Auto-labeling policy: A tenant has 100 Azure SQL servers, each with 500 tables. If an auto-labeling policy, based on its configuration, applies to 30 Azure SQL servers, then the asset count for that policy would be 15,000.
- Data Loss Prevention policy: A tenant has 10 Fabric lakehouses, each with 50 assets. The policy is only applicable to five of these Fabric lakehouses. The asset count for this policy will be 250.
Processing units
A processing unit is a measure of the amount of compute resources used to process signals from workloads that are included in pay-as-you-go.
Data governance processing units: A data governance processing unit (DGPU) is a fully managed compute unit used to run compute capabilities such as data quality and data health management. Each DGPU is 60 minutes of compute time run across varying sets of nodes based on the workload need. For more information on data governance processing units, see Data governance processing units explained.
Data security processing units: Microsoft Purview data security processing units are defined as the compute required to process user activities from non-Microsoft 365 data sources to generate insights. The number of units required can vary depending on the Purview solution and the complexity of the data being processed. Insider risk management is a pay-as-you-go feature that uses a processing unit based meter. It includes pay-as-you-go indicators. For more information, see Configure policy indicators in insider risk management.
Counting processing units
The number of processing units that are needed can vary depending on the Microsoft Purview solution and the complexity of the data being processed.
For example, Insider Risk Management processes user activities corresponding to the non-Microsoft 365 indicators selected in data theft and data leak policies to generate insights, alerts, and cases. For Insider Risk Management, a processing unit is defined as the compute required to process 10,000 such user activities. Billing is based on the number of processing units utilized. Insider Risk Management indicators that detect activity in cloud storage apps (Box, Dropbox, Google Drive), cloud services (AWS, Azure), and Microsoft Fabric (Power BI) are billed on data security processing units.
Data storage meter (GBs)
Microsoft Purview data storage meter is defined by a gigabyte per month storage amount billed at a specific rate for applicable solutions. The total amount of data within a solution subject to data storage meter is automatically calculated from the current amount of data in solution-related containers. For example, pay-as-you-go in Data Security Investigations (preview) and eDiscovery use the data storage meter.
Text records
Microsoft Purview text records meter is defined by text records, where one text record is equal to 1,000 characters. Each message is converted into multiple text records based on character length. For example, pay-as-you-go in Communication Compliance uses a text records-based meter.
1 text record = 1000 characters
If a message is more than 1,000 characters, it counts as one text record for each unit of 1,000 characters. For instance, if a message contains 7,500 characters, it counts as eight text records. If a message contains 500 characters, it counts as one text record.
Counting text records for Communication Compliance Premium
Counting text records for premium is based on the type of detections that the messages are being evaluated for. If the messages are evaluated for the following detections, then they'll be charged as premium:
- Code of conduct: Hate, self-harm, violence, sexual
- Risky Gen AI: Prompt shields, protected materials
Calculating text records for Communication Compliance Standard
If messages are evaluated for any other detections (other trainable classifiers, sensitive info types etc.), they'll be charged as standard. Messages evaluated for both premium and standard detections are charged only for premium detections.
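The text-record rules above (round each message up to whole 1,000-character records, then charge it to premium if any premium detection evaluated it, otherwise to standard) can be worked through as a small estimator. This is an added example, not Microsoft code; the lowercase detection labels and the choice to skip messages with no detections are assumptions of the example, and the sample messages are constructed.

```python
RECORD_SIZE = 1000  # characters per text record, per the page

# Detections the page lists as premium. The lowercase label strings are this
# example's own naming (assumption), not product identifiers.
PREMIUM_DETECTIONS = frozenset({
    "hate", "self-harm", "violence", "sexual",   # Code of conduct
    "prompt shields", "protected materials",     # Risky Gen AI
})


def text_records(char_count):
    """One text record per started unit of 1,000 characters."""
    if char_count < 1:
        raise ValueError("expected a message with at least one character")
    return (char_count + RECORD_SIZE - 1) // RECORD_SIZE  # integer ceiling


def meter_for(detections):
    """Premium wins when a message is evaluated for both kinds of detection."""
    return "premium" if PREMIUM_DETECTIONS & set(detections) else "standard"


def estimate(messages):
    """Sum text records per meter for (char_count, detections) pairs.

    Messages with no detections are skipped: this example assumes they were
    not evaluated by any policy.
    """
    totals = {"premium": 0, "standard": 0}
    for char_count, detections in messages:
        if detections:
            totals[meter_for(detections)] += text_records(char_count)
    return totals


# Constructed sample: (characters in message, detections it was evaluated for)
SAMPLE = [
    (7500, {"hate", "sensitive info type"}),  # both kinds -> premium, 8 records
    (500, {"sensitive info type"}),           # standard, 1 record
    (1000, {"prompt shields"}),               # premium, exactly 1 record
    (1001, {"trainable classifier"}),         # standard, 2 records
    (300, set()),                             # not evaluated, skipped
]

if __name__ == "__main__":
    print(estimate(SAMPLE))
```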
Security Compute Units (SCU)
A security compute unit (SCU) is a bundled unit of measure. It combines all the resources, like network, processor, and storage, that are needed for Security Copilot to provide service into a single, billable quantity. For example, pay-as-you-go in Data Security Investigations (preview) uses SCUs.
For more information on SCUs, see Get started with security compute units.
Counting SCUs
The number of SCUs you have available to you is referred to as your capacity. The capacity that is available to you to use is made up of two different types:
- Provisioned SCUs: These are units that you pre-allocate. You use the cost estimators to project the number of SCUs you anticipate using. Use of provisioned SCUs is measured in hourly blocks. For example, if you provision an SCU at 9:05 a.m., then deprovision it at 9:35 a.m., and then provision another SCU at 9:45 a.m., you are charged for two units within the 9:00 a.m. to 10:00 a.m. hour. To maximize usage, make SCU provisioning changes at the beginning of the hour. For more information, see Manage usage.
- Overage SCUs: These are units that are used to cover unexpected spikes in usage. To manage unexpected demand spikes, you can allocate an overage amount to ensure that additional SCUs are available when you run out of provisioned units. Overage units are billed on-demand. You can set limits for overage units as unlimited or set a maximum upper amount. This approach enables predictable billing while providing the flexibility to handle both regular and unexpected usage.
Requests
A request, as a unit of measure for pay-as-you-go billing purposes, is defined as each network call made from a device or browser to a website or API. This doesn't include the responses to the requests. Requests are counted in the monthly pay-as-you-go bill you receive from Azure. Microsoft Purview network data security pay-as-you-go uses requests as its unit of measure. Here are some examples:
Activity | Data type | Example |
---|---|---|
Text sent to or shared with cloud or AI app | Human-readable strings transmitted inline | - Submitting a form with textual information - Sending raw text or a prompt to a generative AI - The body of an email - Sending JSON data to an API |
File uploaded to or shared with cloud or AI app | Byte streams, including text-based files, binary files, .txt files, source code, documents, images, videos, .exe files, .pdf files, archive files | - Uploading a profile picture to social media - Sending a document or PDF file as an email attachment - Sharing a document with generative AI - Transferring a document or .ZIP files to a cloud storage solution |