How Okta's Two Licensing Models Create Very Different Cost Trajectories
Okta operates two fundamentally different licensing models that serve distinct use cases and carry entirely different cost growth dynamics. Workforce Identity — Okta's original product, covering employee authentication, SSO, MFA, and lifecycle management — is licensed per user per month based on the number of licensed users in the organisation. Customer Identity Cloud (formerly Auth0) — Okta's developer-facing identity platform for customer-facing applications — is licensed per Monthly Active User (MAU) based on how many external users authenticate through it each month. The two models are structurally independent: a large enterprise may have 10,000 Workforce Identity users at a fixed per-seat cost and 2 million Customer Identity Cloud MAUs whose cost scales with customer engagement, and the renewal dynamics for each are completely different.
This guide covers both licensing models in commercial detail — Workforce Identity per-user pricing across the product tiers, Customer Identity Cloud MAU pricing and the cost exposure from user growth, add-on module costs for governance and privileged access, and the renewal negotiation tactics that apply to each. For identity security in the broader cybersecurity context, see our Palo Alto Enterprise Licensing Guide (covering Okta's integration with Palo Alto ZTNA) and our Security Consolidation Guide. For Okta contract advisory, our cybersecurity advisory team benchmarks and negotiates Okta agreements across both product lines.
Workforce Identity Licensing: Tiers, Pricing, and What Each Includes
Okta Workforce Identity is licensed per user per month, with pricing varying by the product tier and the add-on modules deployed. The core tiers:
| Product | What It Covers | List Price (Per User/Month) | Key Inclusions |
|---|---|---|---|
| Okta SSO | Single Sign-On for SaaS and web apps | $2.00–$4.00 | SAML/OIDC SSO, basic MFA (Okta Verify) |
| Okta MFA | Multi-factor authentication standalone | $3.00–$5.00 | Adaptive MFA, all authenticator types |
| Workforce Identity Cloud (WIC) Essentials | SSO + MFA combined | $5.00–$8.00 | Unified SSO and adaptive MFA |
| WIC Professional | Essentials + lifecycle management, provisioning | $8.00–$12.00 | Automated user provisioning and deprovisioning via SCIM |
| WIC Enterprise | Professional + advanced security policies, API access management | $12.00–$18.00 | Full lifecycle + advanced security + API access management |
The per-user cost at Enterprise tier for a 5,000-user organisation — at $12–$18/user/month list — runs $720,000–$1,080,000 annually at list price. Negotiated enterprise pricing for organisations above 5,000 users with multi-year commitments typically achieves 20–35% below list, bringing the effective annual cost to $468,000–$810,000. For organisations approaching renewal without benchmarking, accepting the auto-renewal at the prior year's rate — which typically includes a 5–8% uplift — is a common and avoidable outcome.
Okta Identity Governance: The High-Value Add-On
Okta Identity Governance (OIG) — covering access certification campaigns, separation of duties policy enforcement, identity risk scoring, and governance workflows — is a separately licensed add-on above the WIC base tiers. OIG pricing is per user per month above the base WIC cost, typically $3–$7/user/month at list. For large organisations with compliance obligations (SOX, HIPAA, ISO 27001) that require formal access certification and segregation of duties controls, OIG is effectively mandatory — and its cost adds materially to the total Okta bill. A 5,000-user deployment at WIC Enterprise plus OIG is paying $15–$25/user/month list — $900,000–$1,500,000 annually before discounting.
OIG competes with SailPoint Identity Security Cloud for enterprise identity governance. Organisations using Okta as their identity provider and considering SailPoint for governance should evaluate whether Okta OIG plus WIC Enterprise is more or less expensive than the equivalent WIC tier plus a SailPoint governance deployment — the comparative pricing is not always straightforward and depends heavily on the identity estate size and governance workflow complexity. Our SailPoint licensing guide covers the alternative in detail.
Customer Identity Cloud: The MAU Pricing Model and Growth Exposure
Customer Identity Cloud (CIC, formerly Auth0) is Okta's B2C and B2B identity platform for customer-facing applications — handling customer registration, login, MFA, and social authentication for web and mobile applications. CIC is licensed based on Monthly Active Users: the number of distinct external users who authenticate through the platform in a given month. MAU billing creates a fundamentally different cost dynamic from per-seat workforce licensing: cost scales directly with customer engagement growth, and a successful product launch or customer acquisition campaign can double MAU counts and double the Okta CIC bill simultaneously.
CIC pricing tiers in 2026 (negotiated enterprise rates vary significantly from these list benchmarks):
| CIC Tier | MAU Range | Approximate Monthly Cost | Notes |
|---|---|---|---|
| CIC Developer/Free | 0–7,500 MAU | $0 | Development and testing only |
| CIC Essential | 7,500–100k MAU | $23–$240/month | Basic B2C — email/social login |
| CIC Professional | 100k–1M MAU | $240–$1,500/month base + per-MAU | MFA, custom domains, advanced features |
| CIC Enterprise (negotiated) | 1M+ MAU | Custom — typically $0.01–$0.05/MAU/month | Volume rates — negotiate at 12+ month commitment |
The MAU overage trap: CIC Enterprise agreements typically specify a contracted MAU volume with overage billing for months where actual MAU count exceeds the contracted tier. Organisations that experience seasonal MAU spikes — retail companies during holiday periods, media platforms during live events — can incur significant overage bills from peak months even if the annual average MAU is below the contracted ceiling. Negotiating a peak MAU allowance or an annual average MAU billing model (rather than monthly cap with overage) substantially reduces exposure for organisations with variable MAU patterns.
Okta for Privileged Access and Machine Identity
Okta Privileged Access (OPA) — released as a standalone product — extends Okta's workforce identity platform to privileged access management: just-in-time privileged elevation, privileged session recording, infrastructure access for servers and databases, and secrets management. OPA pricing is per privileged user per month, typically $15–$30/user/month at list for the users who need privileged access capabilities. OPA competes with CyberArk PAM and BeyondTrust in the privileged access management market — a formally documented CyberArk evaluation is the most effective competitive lever for OPA pricing negotiations. Okta also offers Machine Identity products covering service account and workload authentication, priced per application or service, relevant for DevOps and platform engineering teams managing large non-human identity populations.
Renewal Negotiation Tactics
Okta's fiscal year ends January 31. The November–January window is the highest-leverage period for Okta renewals. Three negotiation inputs consistently move Okta's renewal position: a user count audit identifying inactive accounts and departed employee licenses (Okta's provisioning and lifecycle management data makes this straightforward — export the user directory, cross-reference against active HR data, identify accounts with no recent authentication events); a competitive evaluation of Microsoft Entra ID (formerly Azure AD) for Workforce Identity (included in Microsoft 365 at various tiers, providing SSO and MFA for M365 applications at zero marginal cost for existing licensees); and for Customer Identity Cloud, an Auth0 competitor evaluation including AWS Cognito, Azure B2C, or Ping Identity. For Okta advisory support, our cybersecurity team manages Okta renewals across both WIC and CIC. To discuss your agreement, book a call with our team.
Get Expert Okta Licensing and Renewal Advisory
Our cybersecurity advisory team benchmarks Okta WIC per-user rates and CIC MAU pricing, audits user counts and inactive accounts, models OIG vs SailPoint governance economics, and manages competitive evaluations that generate pricing movement at renewal.
Book an Okta Licensing Review →