All Products
Search
Document Center

Identity as a Service:Billing

Last Updated:Mar 31, 2026

IDaaS EIAM 2.0 offers two editions — Free and Enterprise — with optional add-ons for dedicated endpoints, conditional access, and machine-to-machine (M2M) authorization.

Edition comparison

Free Edition provides a set of identity connection features for basic identity management needs, such as synchronizing Active Directory (AD) accounts to IDaaS or using single sign-on (SSO) to access Alibaba Cloud RAM.

Enterprise Edition includes all identity connection features plus a wide range of identity security capabilities, and acts as a cloud identity hub to connect isolated identity silos.

The following table compares capabilities across editions. Items marked Add-on require a separate purchase on top of the Enterprise Edition subscription.

Identity sources (inbound IdPs)

CapabilityFree EditionEnterprise Edition
QR code logon and full synchronization for inbound DingTalk identity provider (IdP)SupportedSupported
Password-free workbench logon, incremental synchronization, and sensitive data synchronization (advanced) for inbound DingTalk IdPNot supportedSupported
Delegated logon, user filtering, and full synchronization for inbound AD/LDAP IdPSupportedSupported
Custom logon identities, incremental synchronization, and scheduled verification for inbound AD/LDAP IdPNot supportedSupported
QR code logon, password-free workbench logon, and data synchronization for inbound WeCom IdPNot supportedSupported (requires a dedicated endpoint — Add-on)
Federated authentication (logon to IDaaS) and manual account binding for inbound OpenID Connect (OIDC) IdPSupportedSupported
Automatic binding, automatic account creation, and automatic profile updates for inbound OIDC IdP (for federated logon from Azure AD (Entra ID), Okta, or a self-built 4A system)Not supportedSupported
Logon, data synchronization, and other features for all outbound IdPsNot supportedCurrently supports DingTalk. A separate purchase will be required in the future.

Applications

CapabilityFree EditionEnterprise Edition
Maximum number of applications per instance31,000
Group and extension field featuresNot supportedSupported
Marketplace application features (SSO, data synchronization, and API access)Supported for specific applications onlySupported
Standard application features (SAML, OIDC) and self-developed application features (SSO, data synchronization, and API access)Not supportedSupported

Logon and authentication

CapabilityFree EditionEnterprise Edition
Logon methods: IDaaS account password and SMS verification codeSupportedSupported
Two-factor authentication: OTP, SMS, and emailSupportedSupported
Bind two-factor authentication at logonNot supportedSupported

Security

CapabilityFree EditionEnterprise Edition
Basic security: password complexity rules and high-risk password detectionSupportedSupported
Advanced password features: initial passwords, periodic password changes, password history, and password resetNot supportedSupported
Conditional access policiesNot supportedSupported (Add-on)
Grant application access to accounts, organizations, and groupsSupportedSupported
Branding: custom icons, names, and domain namesNot supportedSupported

Infrastructure and support

CapabilityFree EditionEnterprise Edition
Maximum number of accounts per instance50Based on the number of purchased accounts
Dedicated endpoint (for WeCom connectivity or PrivateLink connections to AD/LDAP)Not supportedSupported (Add-on)
M2M application authorizationNot supportedSupported (Add-on)
Service availabilityNot guaranteed99.9% availability commitment with rapid response to critical impact events
SupportTicketsTicket response within 24 hours, 8×5 support
When an Enterprise Edition instance expires, its paid features are automatically restricted and the instance reverts to the Free Edition. Instance data is not deleted during this process. To restore paid features, purchase a new subscription.

Account billing

IDaaS EIAM 2.0 uses a subscription billing model. The price is based on the number of accounts in the instance, and the per-account price decreases as the total account count increases. For pricing details, see the purchase page.purchase page

Important

When the number of accounts in an instance reaches the purchased quota, no new accounts can be created. Existing operations — including user logon and SSO — are not affected. To resume account creation, upgrade the instance or reduce the number of accounts.

Dedicated endpoint billing

A dedicated endpoint lets you synchronize data and perform delegated authentication for AD/LDAP without opening public ports, and connect to WeCom using a dedicated public IP address. For more information, see Network endpoints.

Dedicated endpoints are available for Enterprise Edition instances only. The cost per dedicated endpoint is 30% of the total Enterprise Edition account cost.

Important

When an Enterprise Edition instance is released (reverts to Free Edition), its dedicated endpoints become unavailable and are automatically deleted after one day. Deleted resources and data cannot be recovered.

Conditional access billing

Conditional access evaluates the context of an access request — such as the application being accessed or the user's authentication method — to determine the appropriate access controls. For example, you can require different two-factor authentication methods for different applications. For more information, see Conditional access policies.

Conditional access is available for Enterprise Edition instances only. The cost is 40% of the total Enterprise Edition account cost.

Important

When an Enterprise Edition instance is released (reverts to Free Edition), custom conditional access policies become unavailable. Default conditional access policies are not affected.

M2M application billing

Machine-to-machine (M2M) authorization controls access in non-interactive, service-to-service scenarios. IDaaS issues authorization credentials, and components such as API Gateway authenticate callers, preventing unauthorized access to protected resources.

M2M is billed per EIAM instance, based on the number of M2M applications in that instance.

The application count in the following table refers to M2M applications within a single EIAM instance, not the total across all instances.
Maximum M2M applications per instanceFee (USD/month)
≤ 20
≤ 575
≤ 10150
≤ 30450
≤ 50750
≤ 1001,500

Maximum number of applications

Fee (USD/month)

≤ 2

0

≤ 5

75

≤ 10

150

≤ 30

450

≤ 50

750

≤ 100

1,500