Windows Hello for Business is a solid option for organizations that want an authentication service that uses Microsoft Entra ID and integrates with other first-party Microsoft tools, but the cost of this service can be difficult to ascertain.
The inclusion of Windows Hello for Business in other Microsoft licenses is helpful for IT departments looking to reduce licensing costs, but calculating cost and total cost of ownership (TCO) is made harder by this bundling.
Admins can manage Windows Hello for Business through other Microsoft tools such as Azure, Intune and Group Policy, and it supports advanced features such as MFA, single sign-on, and cloud-based trust. This allows IT to wrap authentication for all users — employees, contractors, partners, remote workers and BYOD users — into a comprehensive product.
Implementing a single product to manage all authentication in the enterprise can provide significant cost savings in software licenses and IT staff costs, including training. Organizations should learn how to view the cost of these authentication services as part of their Microsoft licensing bundles and how they can handle security compared to third-party services.
How much does Windows Hello for Business cost?
There is no specific cost for Windows Hello for Business since it is included in Microsoft 365 and Microsoft Entra ID subscription plans. It can function as a standalone feature or bundled with Microsoft 365 E3 for enterprise level plans and Microsoft 365 Business Premium for SMBs joined to Microsoft Entra ID. This product provides secure access and authentication for all enrolled systems.
There is no specific cost for Windows Hello for Business since it is included in Microsoft 365 and Microsoft Entra ID subscription plans.
Keep in mind that Windows Hello for Business is not compatible with Microsoft Entra Domain services — formerly Azure Active Directory (AD) Domain Services — which is a managed domain service within Azure. Windows Hello for Business requires a cloud-based hybrid domain join.
What licenses include Windows Hello for Business?
Before organizations implement Windows Hello for Business, IT must learn the editions and licenses that support Windows Hello for Business. Windows Hello for Business is supported by the following Windows editions:
- Windows Pro.
- Windows Enterprise.
- Windows Pro Education/SE.
- Windows Education.
Windows Hello for Business access is granted by the following licenses:
- Windows Pro, Pro Education/SE.
- Windows Enterprise E3.
- Windows Enterprise E5.
- Windows Education A3.
- Windows Education A5.
- Microsoft Entra ID P1.
- Microsoft Entra ID P2.
- Microsoft Entra Suite — though Entra ID P1 or P2 is required for this license.
Pricing options for each license vary widely based on the features. While the organization might already have one of the following licenses in production, it’s a good idea to review corporate needs to see if a licensing review should take place to take advantage of new features.
Windows Hello for Business license option breakdown
Table 1 shows the pricing options for Microsoft 365 plans that include Windows Hello for Business. Monthly costs are shown on a per user per month basis with the annual payment option.
|
Microsoft 365 E3 |
Microsoft 365 E5 |
Microsoft 365 Business Premium |
|
|
Monthly cost |
$33.75 |
$54.75 |
$20.00 |
|
Target customers |
SMBs — defined as up to 300 users |
Enterprise organizations |
Enterprise organizations |
|
Windows Hello for Business support |
Full support |
Full support with advanced Security |
Partial support. Does not include certificate trust model and some advanced features such as PIN recovery |
|
365 apps for desktop and mobile |
Yes |
Yes |
Yes |
|
Windows Enterprise |
Yes |
Yes |
Provides upgrade path from Windows 10 and 11 Pro |
|
Core security and ID management |
Yes |
Yes |
Yes, but some features are plan dependent |
|
Advanced security and compliance tools |
No |
Yes |
Includes security and basic compliance |
|
Business analytics with Power BI Pro |
No |
Yes |
No |
When describing Windows Hello for Business, Microsoft frequently uses the term “fully supported.” To expand on the details of this term, fully supported includes the following features:
- Cloud trust.
- Key trust.
- Certificate trust, which requires public key infrastructure.
- MFA with conditional access.
- Self-service password reset.
- Risk-based conditional access.
- Identity protection.
- Device compliance policies with Intune.
There are some exceptions to implementation of the above features in each licensing model as noted in Table 1 for Microsoft 365 plans and in Table 2 for Microsoft Entra ID plans.
|
Microsoft Entra ID P1 |
Microsoft Entra ID P2 |
Microsoft Entra Intune Suite add-on |
|
|
Cost per user per month |
$6.00 |
$9.00 |
$12.00 |
|
Windows Hello for Business support |
Full, but it lacks some advanced identity protection and analytics |
Full |
Full, assuming the customer has (based on whether Entra ID P1 or P2 is licensed) |
|
Avail as standalone |
Yes |
Yes |
No |
|
Included with Microsoft 365 E3 |
Yes |
No |
No |
|
Included with Microsoft 365 E5 |
No |
Yes |
No |
|
Requires subscription to Microsoft Entra ID P1 or P2 |
N/A |
N/A |
Yes |
|
Entra ID Protection |
Partial |
Yes |
Yes |
|
Entra ID Governance |
Partial |
Partial |
Yes |
|
Entra Verified ID |
Partial |
Partial |
Yes |
|
Entra Internet Access |
Partial |
Partial |
Yes |
|
Entra Private Access |
No |
No |
Yes |
Organizations might incur additional costs if they add biometric devices such as fingerprint or facial recognition sensors — assuming they are not included in current devices.
Gary Olsen has worked in the IT industry since 1983 and holds a Master of Science in computer-aided manufacturing from Brigham Young University. He was on Microsoft’s Windows 2000 beta support team for Active Directory from 1998 to 2000 and has written two books on Active Directory and numerous technical articles for magazines and websites.
