At a Glance
Effective 30 January 2026, Microsoft requires a linked Azure subscription for Entra ID guest governance configurations. Guest governance billing is charged at $0.75 per active guest user per month. The MAU billing model applies to Access Reviews, Entitlement Management, and Lifecycle Workflows where userType = Guest. Enforcement completes end of March 2026. Existing configurations continue to run but cannot be modified without subscription linkage.
If your governance framework is already structured and consistently applied, this is a short administrative task. If it grew incrementally and has never been properly reviewed, you are now managing a licensing deadline on top of a governance backlog that predates it. This guide covers both situations.
The State of Your Guest Directory
The harder question is what state your guest directory is actually in. Most organizations we speak with have not done a full audit of their guest accounts. They know roughly how many they have, but not how many have an active internal sponsor, how many are covered by a running Access Review, or how many belong to people who left a project two years ago and have not logged in since. The subscription deadline puts a date on a problem that has been accumulating quietly for years.
Where to Start
Start by linking your Azure subscription to Microsoft Entra ID Governance. Without it, you cannot create or modify any guest governance configurations, including Access Reviews, Entitlement Management policies, and Lifecycle Workflows. Then pull your guest directory and answer these questions with your team:
- How many guest accounts are currently in the directory?
- How many have a named internal sponsor who is actively accountable?
- How many are covered by a currently running Access Review?
- How many have had no sign-in activity in the last 90 days?
- How many have no expiry setting configured at all?
The gap between your total guest count and the number with active sponsors and running reviews is your governance backlog. For most organizations that number is larger than expected, and that is the most useful thing this exercise produces.
Where BCC Affirmatic Comes In
Managing Entra ID guest governance at scale, across Access Reviews, sponsor tracking, and expiry enforcement, requires consistent operational execution that most Microsoft 365 teams struggle to maintain manually.
In practice, guest governance in most Microsoft 365 tenants comes down to whoever has the time to chase it. Sponsors get assigned informally, reviews lapse when nobody follows up, and expiry policies cover the accounts someone thought to configure while missing the rest. Microsoft Entra ID gives you the components to build a solution, but the operational work of running it consistently still lands on your team, which means coverage is always partial and the backlog keeps growing.
BCC Affirmatic is built around that specific problem. The sponsor and business justification are captured as part of the access request, before the account exists, so governance is built in from the start rather than applied after the fact. Reviews run automatically and escalate when sponsors do not respond, which means they actually complete rather than quietly lapsing. Expiry is enforced consistently across the full guest population, not just the accounts someone thought to include, and rather than pulling together the picture from separate reports, administrators have a single view of sponsorship coverage, upcoming expirations, and accounts that need attention.
For organizations with a backlog going into the March 2026 deadline, the IT team does not have to hold the whole picture in their heads or coordinate manually across multiple workflows. Affirmatic carries that operational load, which means the work of closing the backlog gets done faster and the directory stays clean once it is.
