What Microsoft Priva Actually Is
Microsoft Priva is a suite of privacy management tools designed to help organisations identify and manage personal data within their Microsoft 365 environment, automate responses to data subject rights requests, and establish privacy policies that reduce internal data exposure risk. It is built on the Microsoft Purview compliance platform and integrates directly with Microsoft 365 data — Exchange Online, SharePoint, OneDrive, and Teams.
Priva consists of two separately licensed solutions: Priva Privacy Risk Management and Priva Subject Rights Requests. These can be purchased independently, combined, or integrated with each other depending on your privacy programme requirements. Neither is included in any base M365 E3, E5, Business Standard, Business Premium, or E7 licence — they are purchased as add-ons on top of your existing M365 subscription.
The fact that Priva is an add-on rather than an M365 inclusion is usually the first thing an organisation discovers when it investigates the product, and it frequently contradicts the impression created by Microsoft product demonstrations, which present Priva as part of the standard compliance experience for M365 customers.
Priva Privacy Risk Management: What It Does
Priva Privacy Risk Management identifies personal data across your Microsoft 365 environment and surfaces privacy risks that stem from how that data is stored, used, and shared. It creates a continuous inventory of personal data locations — scanning Exchange, SharePoint, OneDrive, and Teams — and applies sensitivity classification to identify personal information that may be overshared, over-retained, or transferred to inappropriate locations.
Core Privacy Risk Management Features
The primary capabilities are: automated personal data discovery across M365 services using Microsoft Purview's information protection scanning engine; privacy risk policies that alert users and compliance teams when personal data is handled in ways that conflict with defined privacy policies (such as oversharing in Teams or retaining personal data beyond defined retention periods); user nudges and privacy communications that surface in-the-moment guidance when M365 users are about to take actions that trigger privacy policies; and a privacy risk dashboard with insights into data exposure patterns across the organisation.
Priva Privacy Risk Management is fundamentally a data governance layer applied specifically to personal data within M365. It is most valuable for organisations where the majority of personal data risk lives in email, Teams, SharePoint, and OneDrive — which describes many knowledge-worker-heavy organisations with limited on-premises data infrastructure.
What Priva Risk Management Cannot Do
The critical limitation: Priva Privacy Risk Management scans only M365 data. It has no native visibility into on-premises databases, third-party SaaS applications, CRM systems, ERP data, cloud databases outside Azure, or non-Microsoft cloud storage. For organisations where significant personal data lives in Salesforce, SAP, AWS RDS, on-premises SQL Server, or custom applications, Priva's risk management capability covers only a subset of the overall privacy risk landscape.
This is the central limitation that defines when Priva is sufficient and when it is not. An organisation whose personal data footprint is almost entirely within M365 can manage meaningful privacy risk through Priva alone. An organisation with personal data dispersed across a multi-vendor technology stack needs a privacy management platform with broader data source connectivity — which points toward OneTrust or alternatives rather than Priva.
Priva Subject Rights Requests: What It Does
Priva Subject Rights Requests automates the process of managing data subject access requests (DSARs), deletion requests, and export requests under GDPR, CCPA, and other privacy regulations. When a data subject submits a request, Priva can initiate an automated search across connected M365 data sources, compile responsive content, facilitate legal review and redaction, and track the request through to completion within regulatory deadlines.
Subject Rights Requests Licensing Model
The licensing model for Priva Subject Rights Requests is volume-based, unlike most Microsoft compliance tools, which are priced per user per month. Organisations purchase rights request capacity in tiers, sized by the number of subject rights requests they need to handle, rather than paying a flat per-user fee. Microsoft offers a free trial that allows up to 50 subject rights requests at no cost, making it genuinely easy to evaluate before committing to a paid tier.
The practical implication of volume-based licensing: cost scales with DSAR volume, not headcount. A large organisation with a small DPO team handling a moderate DSAR volume may find Priva Subject Rights Requests cheaper than per-user privacy management platforms. Conversely, an organisation under active regulatory scrutiny with high DSAR volumes will see costs escalate proportionally in ways that are harder to predict than fixed per-user pricing.
Automation Scope and Limitations
Priva Subject Rights Requests automates data discovery and compilation within M365 — the same data source boundary as Priva Risk Management. For DSARs that require searching data sources outside M365 (on-premises systems, third-party SaaS, legacy databases), the process remains manual or requires integration with additional systems. For organisations subject to GDPR with personal data spanning multiple systems, Priva Subject Rights Requests is a useful component of DSAR management, not a complete solution.
Priva vs OneTrust: An Honest Comparison
OneTrust commands 17.3 percent mindshare in the privacy management software market as of 2026, compared to Microsoft Priva's 3.1 percent. That gap reflects a fundamental difference in product scope and maturity that is important to understand before making a procurement decision.
Where OneTrust Is Superior
OneTrust is a purpose-built, standalone enterprise privacy programme platform with more than a decade of development focused exclusively on privacy operations. Its strengths versus Priva include multi-system data discovery across on-premises databases, SaaS applications, cloud storage, and legacy systems through native connectors and API integration; structured privacy impact assessment and data protection impact assessment workflows; vendor risk management and third-party data processing agreement tracking; consent management platform for web and mobile; cookie scanning and consent banner management; regulatory workflow management for GDPR, CCPA, LGPD, PIPL, and other frameworks; DSAR management across multi-system data landscapes; and a significantly larger compliance team user base that benefits from OneTrust's ongoing regulatory intelligence updates.
For organisations operating complex, multi-vendor technology environments with personal data distributed across numerous systems, OneTrust provides a level of privacy programme coverage that Priva cannot match at its current state of development.
Where Priva Is Superior
Priva is genuinely superior within a specific, bounded scenario: M365-native organisations where the vast majority of personal data risk lives within Exchange, Teams, SharePoint, and OneDrive, and where Microsoft integration — native DLP policy sync, Purview integration, compliance admin centre unification — provides meaningful operational simplicity. Priva also benefits from tighter integration with the Microsoft information protection stack. If you have deployed Microsoft Purview sensitivity labels and information protection policies, Priva Risk Management leverages that classification framework directly without requiring re-implementation in a separate tool.
Priva is also operationally simpler for smaller privacy teams that do not require the full enterprise privacy programme infrastructure that OneTrust provides. The learning curve for Priva is lower, the administrative overhead is lower, and if your privacy compliance requirements are primarily about managing personal data within M365 and handling a predictable volume of DSARs, Priva may be cost-effective and sufficient.
The Integration Reality
Notably, OneTrust and Microsoft Priva are not purely competing products; they can and do coexist in enterprise environments. OneTrust has integrated with Microsoft Priva to automate DSAR fulfilment for data subject requests involving M365 data, while OneTrust manages the broader programme framework, including non-Microsoft data sources. For large enterprises with complex data environments, a complementary architecture, with OneTrust for programme management and Priva for M365-specific privacy operations, may be more effective than choosing one exclusively.
Negotiating Priva in Your Microsoft EA
Because Priva is a Microsoft add-on sold through the EA channel, there are negotiation levers that do not exist when purchasing from specialist privacy vendors. The most important: Priva should be negotiated as a line item within your overall EA renewal, not purchased separately at Microsoft list price.
Microsoft's elimination of automatic volume discounts (Level B through D) in November 2025 means that every add-on — including Priva — must be individually negotiated within the EA context. Organisations that add Priva to an existing EA without negotiation pay list price. Organisations that negotiate Priva as part of a broader EA renewal or true-up discussion can typically achieve 10 to 20 percent reduction from list through the standard EA negotiation levers — Q4 timing, multi-product commit, and competitive positioning.
Microsoft's fiscal year ends June 30. The Q4 window from April through June is when Microsoft's field team has maximum authority to offer pricing concessions. If your EA renewal falls in Q4 and you are adding Priva, this is the optimal moment to negotiate. Q4 deals average 15 to 20 percent better discount depth than Q1 deals for comparable commits.
For organisations comparing Priva against OneTrust commercially, use the OneTrust price as a negotiation anchor with Microsoft. A credible OneTrust proposal on the table consistently improves Microsoft's Priva pricing offer — the two are direct competitors in the buyer's mind even if their scopes differ, and Microsoft's field team will defend the commercial position to win the decision.
Practical Decision Framework
Choose Priva if: your personal data footprint is predominantly within M365 (Exchange, Teams, SharePoint, OneDrive); your compliance programme requirements centre on DSAR automation and internal data exposure risk within M365; you want privacy management integrated with your existing Microsoft Purview and DLP infrastructure; your privacy team is small and values simplicity over feature breadth; and you can negotiate Priva as part of your EA renewal rather than buying at list price.
Choose OneTrust (or keep OneTrust) if: your personal data lives across multiple systems, including non-Microsoft SaaS, on-premises databases, and third-party cloud services; your privacy programme requires structured PIA and DPIA workflows; you operate in multiple regulatory jurisdictions with complex consent and vendor management requirements; your DSAR volume is high and spans multiple systems requiring integrated cross-platform management; and your privacy team needs the workflow maturity and regulatory intelligence that dedicated privacy platforms provide.
Consider both if: you have an existing OneTrust investment for programme management and want to enhance M365-specific privacy operations. The integration between the two platforms is designed to support this model, and the combination provides broader coverage than either alone without duplicating functionality.
Before committing to either option, an independent assessment of your actual data privacy risk landscape — where your personal data lives, how much DSAR volume you handle, what regulatory requirements apply — provides the factual basis for a procurement decision that Microsoft's standard sales process does not supply.
In one engagement, a European financial institution with GDPR Subject Rights Request obligations was evaluating OneTrust at €180,000 per year. Redress modelled the Priva SRR module against their M365 E5 entitlements and demonstrated that the capability was already included — at zero incremental cost. The first-year saving was the full €180,000 platform fee.