How does user licensing work
MyPass Cloud uses a simple, predictable, and completely automated licensing model that is 100% driven by your Microsoft Active Directory (AD) security groups. You never have to manually add, remove, or count users — the platform does it for you.
Core Principle
You only ever pay for the users that are actually allowed to use MyPass.
Membership in one or more AD security groups that you designate as “licensed” determines everything. No named users, no CSV uploads, no manual syncs.
Licensing Flow – From Discovery to De-provisioning
1. You define the licensed audience (once)
The MyPass deployment team will identify the AD security groups that represent the population entitled to use MyPass (e.g., “SG-MyPass-Users”, “All Employees”, “Contractors”, etc.).
2. Automatic discovery & license allocation
A scheduled discovery job (default every 4 hours, fully configurable) continuously scans the selected groups and:
- Adds every member that is not yet in MyPass → license consumed, status = LICENSED
- Detects users that have left the groups, been disabled, or deleted in AD
3. User life-cycle statuses
| Status | Meaning | License consumed? | Can use self-service in? |
|---|---|---|---|
| LICENSED | In licensed group, self-service not yet used in portal | Yes | Yes |
| ENROLLED | Has successfully enrolled or logged in once | Yes | Yes |
| LOCKED | Too many failed attempts / suspicious activity (temporary) | Yes | No (until unlocked by Helpdesk) |
| DEPROVISIONED | Permanently removed (after grace period) | No | No |
4. Automatic de-provisioning and license release
When a user:
- is removed from all licensed groups, or
- is disabled in AD, or
- is deleted in AD
MyPass starts a configurable grace period (default 30 days, common values 7–90 days).
If the user is still in that state when the grace period expires, the platform:
- Permanently deletes the user record from MyPass
- Immediately releases the license so it can be reused by the next person
This means your license count automatically shrinks when people leave the company or change roles — you never over-pay or have to remember to clean up old accounts.
Licensing Summary Table
| Item | How it is counted |
|---|---|
| Base platform license | Per user that is member of at least one licensed AD group at any time during the billing period |
| Active Directory (mandatory) | Included in the base per-user price |
| Additional systems (MSSQL, Oracle, SAP, IBM i, Linux/SSH, etc.) | Additional per-user × per-system fee (only for the users that actually have accounts rotated on that system) |
Real-world example
- You have 5 000 employees in the licensed AD groups → 5 000 base licenses
- 200 people leave the company this month and are removed from the groups → after the 14-day grace period those 200 licenses are automatically freed
- Net consumption for the month = highest concurrent number of DISCOVERED + ENROLLED users (never exceeds your actual headcount)
Benefits of the MyPass Licensing Model
- No manual license management – ever
- True “pay for what you use” – licenses follow actual group membership
- Automatic off-boarding – no forgotten licenses when employees leave
- Full audit trail of license allocation and release
- Predictable budgeting – you can forecast exactly from your HR/AD data
- No penalties for temporary contractors (add them to the group → license used only while they are members)
With MyPass Cloud, licensing is not an administrative burden — it is an automated, secure, and fair extension of your existing Active Directory governance processes you already trust.