IDaaS EIAM 2.0 offers two editions — Free and Enterprise — with optional add-ons for dedicated endpoints, conditional access, and machine-to-machine (M2M) authorization.
Edition comparison
Free Edition provides a set of identity connection features for basic identity management needs, such as synchronizing Active Directory (AD) accounts to IDaaS or using single sign-on (SSO) to access Alibaba Cloud RAM.
Enterprise Edition includes all identity connection features plus a wide range of identity security capabilities, and acts as a cloud identity hub to connect isolated identity silos.
The following table compares capabilities across editions. Items marked Add-on require a separate purchase on top of the Enterprise Edition subscription.
Identity sources (inbound IdPs)
| Capability | Free Edition | Enterprise Edition |
|---|---|---|
| QR code logon and full synchronization for inbound DingTalk identity provider (IdP) | Supported | Supported |
| Password-free workbench logon, incremental synchronization, and sensitive data synchronization (advanced) for inbound DingTalk IdP | Not supported | Supported |
| Delegated logon, user filtering, and full synchronization for inbound AD/LDAP IdP | Supported | Supported |
| Custom logon identities, incremental synchronization, and scheduled verification for inbound AD/LDAP IdP | Not supported | Supported |
| QR code logon, password-free workbench logon, and data synchronization for inbound WeCom IdP | Not supported | Supported (requires a dedicated endpoint — Add-on) |
| Federated authentication (logon to IDaaS) and manual account binding for inbound OpenID Connect (OIDC) IdP | Supported | Supported |
| Automatic binding, automatic account creation, and automatic profile updates for inbound OIDC IdP (for federated logon from Azure AD (Entra ID), Okta, or a self-built 4A system) | Not supported | Supported |
| Logon, data synchronization, and other features for all outbound IdPs | Not supported | Currently supports DingTalk. A separate purchase will be required in the future. |
Applications
| Capability | Free Edition | Enterprise Edition |
|---|---|---|
| Maximum number of applications per instance | 3 | 1,000 |
| Group and extension field features | Not supported | Supported |
| Marketplace application features (SSO, data synchronization, and API access) | Supported for specific applications only | Supported |
| Standard application features (SAML, OIDC) and self-developed application features (SSO, data synchronization, and API access) | Not supported | Supported |
Logon and authentication
| Capability | Free Edition | Enterprise Edition |
|---|---|---|
| Logon methods: IDaaS account password and SMS verification code | Supported | Supported |
| Two-factor authentication: OTP, SMS, and email | Supported | Supported |
| Bind two-factor authentication at logon | Not supported | Supported |
Security
| Capability | Free Edition | Enterprise Edition |
|---|---|---|
| Basic security: password complexity rules and high-risk password detection | Supported | Supported |
| Advanced password features: initial passwords, periodic password changes, password history, and password reset | Not supported | Supported |
| Conditional access policies | Not supported | Supported (Add-on) |
| Grant application access to accounts, organizations, and groups | Supported | Supported |
| Branding: custom icons, names, and domain names | Not supported | Supported |
Infrastructure and support
| Capability | Free Edition | Enterprise Edition |
|---|---|---|
| Maximum number of accounts per instance | 50 | Based on the number of purchased accounts |
| Dedicated endpoint (for WeCom connectivity or PrivateLink connections to AD/LDAP) | Not supported | Supported (Add-on) |
| M2M application authorization | Not supported | Supported (Add-on) |
| Service availability | Not guaranteed | 99.9% availability commitment with rapid response to critical impact events |
| Support | Tickets | Ticket response within 24 hours, 8×5 support |
When an Enterprise Edition instance expires, its paid features are automatically restricted and the instance reverts to the Free Edition. Instance data is not deleted during this process. To restore paid features, purchase a new subscription.
Account billing
IDaaS EIAM 2.0 uses a subscription billing model. The price is based on the number of accounts in the instance, and the per-account price decreases as the total account count increases. For pricing details, see the purchase page.
When the number of accounts in an instance reaches the purchased quota, no new accounts can be created. Existing operations — including user logon and SSO — are not affected. To resume account creation, upgrade the instance or reduce the number of accounts.
Dedicated endpoint billing
A dedicated endpoint lets you synchronize data and perform delegated authentication for AD/LDAP without opening public ports, and connect to WeCom using a dedicated public IP address. For more information, see Network endpoints.
Dedicated endpoints are available for Enterprise Edition instances only. The cost per dedicated endpoint is 30% of the total Enterprise Edition account cost.
When an Enterprise Edition instance is released (reverts to Free Edition), its dedicated endpoints become unavailable and are automatically deleted after one day. Deleted resources and data cannot be recovered.
Conditional access billing
Conditional access evaluates the context of an access request — such as the application being accessed or the user's authentication method — to determine the appropriate access controls. For example, you can require different two-factor authentication methods for different applications. For more information, see Conditional access policies.
Conditional access is available for Enterprise Edition instances only. The cost is 40% of the total Enterprise Edition account cost.
When an Enterprise Edition instance is released (reverts to Free Edition), custom conditional access policies become unavailable. Default conditional access policies are not affected.
M2M application billing
Machine-to-machine (M2M) authorization controls access in non-interactive, service-to-service scenarios. IDaaS issues authorization credentials, and components such as API Gateway authenticate callers, preventing unauthorized access to protected resources.
M2M is billed per EIAM instance, based on the number of M2M applications in that instance.
The application count in the following table refers to M2M applications within a single EIAM instance, not the total across all instances.
| Maximum M2M applications per instance | Fee (USD/month) |
|---|---|
| ≤ 2 | 0 |
| ≤ 5 | 75 |
| ≤ 10 | 150 |
| ≤ 30 | 450 |
| ≤ 50 | 750 |
| ≤ 100 | 1,500 |