Microsoft Entra ID: The Complete Guide for Microsoft 365 Administrators

Microsoft Entra ID is the new name for Azure Active Directory (Azure AD) — Microsoft’s cloud-based identity and access management service. If you manage a Microsoft 365 tenant, you are already using it — the backbone of every login, every conditional access policy, and every permission in your organization. This guide explains what Entra ID is, how it works, and how to get the most out of it in your Microsoft 365 environment.

What Is Entra ID?

Entra ID is a cloud-based Identity and Access Management (IAM) solution. For the official overview, see Microsoft’s Entra ID documentation. It acts as the central identity provider for Microsoft 365, Azure, and thousands of SaaS applications. Every time a user signs into Outlook, Teams, or SharePoint, Entra ID authenticates them and enforces access policies.

Microsoft officially rebranded Azure AD to Entra ID in 2023 as part of the broader Microsoft Entra product family, which also includes Entra External ID, Entra ID Governance, and Entra Permissions Management. The underlying technology is identical — only the name changed.

Microsoft Entra ID vs Azure Active Directory: What Changed?

Functionally, nothing changed in the product itself. The rebrand from Azure Active Directory to Entra ID reflects Microsoft’s vision of a unified security product family. Specifically, the mapping is:

  • Free tier: Azure AD Free became Entra ID Free
  • P1 tier: Azure AD P1 became Entra ID P1
  • P2 tier: Azure AD P2 became Entra ID P2
  • External Identities: Azure AD External Identities became Microsoft Entra External ID

If your organization uses Microsoft 365 Business or Enterprise plans, you already have the Free or P1 tier included in your subscription.

Core Features and Capabilities

1. Single Sign-On (SSO)

Single Sign-On lets users authenticate once and access all connected applications without re-entering credentials. The platform supports SSO for thousands of pre-integrated SaaS apps including Salesforce, Google Workspace, Dropbox, and ServiceNow, as well as any custom application that supports SAML 2.0 or OpenID Connect.

2. Multi-Factor Authentication (MFA)

The platform provides built-in Multi-Factor Authentication that goes far beyond SMS codes. It supports the Microsoft Authenticator app, FIDO2 security keys, Windows Hello for Business, and certificate-based authentication. See our dedicated guide on improving MFA efficiency in Microsoft 365 for configuration tips.

3. Conditional Access

Conditional Access is the zero-trust policy engine built into the platform. It evaluates signals — user identity, device compliance, location, application sensitivity, and risk score — and enforces access controls in real time. For example, you can block access from non-compliant devices or require MFA only when users sign in from outside the corporate network. Conditional Access requires P1 or higher. See the official Conditional Access documentation.
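
The two policies mentioned above, as an added example that is not part of the original guide or Microsoft's code. The policy dictionaries use Microsoft Graph conditionalAccessPolicy field names; the evaluator, the user IDs and the sign-in records are a simplified, constructed model of how signals are matched to controls.

```python
# Added example: simplified model of Conditional Access evaluation.
# Policies use the Microsoft Graph conditionalAccessPolicy field names;
# the evaluator, user IDs and sign-ins are constructed for illustration.
POLICIES = [
    {"displayName": "Require MFA outside trusted locations",
     "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeUsers": ["excluded-user-id"]},
         "locations": {"includeLocations": ["All"],
                       "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require compliant device",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"operator": "OR",
                       "builtInControls": ["compliantDevice"]}},
]


def applies(policy, signin):
    """True when the policy is enforced and its conditions match the sign-in."""
    if policy["state"] != "enabled":  # report-only and disabled never enforce
        return False
    users = policy["conditions"]["users"]
    if signin["user"] in users.get("excludeUsers", []):
        return False  # exclusions win over inclusions
    included = users.get("includeUsers", [])
    if "All" not in included and signin["user"] not in included:
        return False
    loc = policy["conditions"].get("locations", {})
    if "AllTrusted" in loc.get("excludeLocations", []) and signin["trusted_location"]:
        return False  # policy skips sign-ins from trusted named locations
    return True


def evaluate(signin, policies=POLICIES):
    """Return (decision, details); every applicable policy must be satisfied."""
    unmet = set()
    for policy in policies:
        if not applies(policy, signin):
            continue
        grant = policy["grantControls"]
        if "block" in grant["builtInControls"]:
            return "block", [policy["displayName"]]
        check = all if grant["operator"] == "AND" else any
        if not check(c in signin["satisfied"] for c in grant["builtInControls"]):
            unmet.update(c for c in grant["builtInControls"]
                         if c not in signin["satisfied"])
    return ("unsatisfied", sorted(unmet)) if unmet else ("grant", [])
```

A policy left in the report-only state (enabledForReportingButNotEnforced) is skipped by the model, which is why a policy set that looks complete on paper can still grant access without MFA.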

4. Identity Protection

Available in the P2 tier, Identity Protection uses machine learning from Microsoft to detect risky sign-ins and compromised credentials. It automatically responds to threats — for instance, by blocking a login flagged as high-risk or forcing a password reset. It integrates directly with Microsoft Defender for Office 365 and Defender policies.

5. Privileged Identity Management (PIM)

PIM (available with P2) enables just-in-time privileged access. Instead of assigning permanent admin roles, administrators request elevated access for a limited time window, with approval workflows and full audit trails. This dramatically reduces your attack surface by ensuring no one holds standing admin rights unnecessarily.

6. Device Management Integration

This platform integrates natively with Microsoft Intune for device compliance enforcement. When a Conditional Access policy requires a compliant device, Intune reports device health back to the identity service. This is the foundation of modern endpoint management — no device can access corporate data unless it meets your compliance baseline.

Microsoft Entra ID Licensing Tiers

Understanding which features are in each tier is critical for planning your identity strategy.

Feature | Free | P1 | P2
SSO (up to 10 apps)
MFA
Conditional Access
Azure AD Join
Self-Service Password Reset
Identity Protection
Privileged Identity Management
Access Reviews

The P1 tier is included with Microsoft 365 Business Premium, E3, and F3. The P2 tier is included with Microsoft 365 E5 and can be purchased as an add-on. For a full breakdown of what’s included in each Microsoft 365 plan, see our guide on hidden features of the Microsoft 365 E3 license.

Using This Platform as a Microsoft 365 Administrator

Microsoft 365 administrators interact with this service through three main portals:

  • the Entra admin center (entra.microsoft.com) — the primary identity management portal
  • Microsoft 365 admin center (admin.microsoft.com) — simplified user and license management
  • Azure portal (portal.azure.com) — advanced configuration and integration with Azure services

Key administrative tasks include managing user accounts, assigning licenses, configuring Conditional Access policies, setting up MFA registration campaigns, and enabling passwordless authentication.

Essential Setup Steps for Administrators

For any new Microsoft 365 tenant, here are the first configurations every administrator should complete:

  1. Enable Security Defaults or Conditional Access — Microsoft’s Security Defaults enforce MFA for all users automatically. Organizations with P1 or P2 should replace Security Defaults with custom Conditional Access policies for more granular control.
  2. Configure Self-Service Password Reset (SSPR) — Reduces helpdesk tickets by letting users reset their own passwords securely. Requires the P1 tier.
  3. Set up a custom domain — Replace the default .onmicrosoft.com domain with your company domain. See our step-by-step guide on setting up a custom domain in Office 365.
  4. Review Global Administrator accounts — Limit Global Admins to 2-4 accounts maximum. Use PIM for just-in-time access to privileged roles.
  5. Enroll devices in Microsoft Intune — Join corporate devices to Entra ID (Entra ID join, formerly Azure AD Join) to enable Conditional Access device compliance checks.
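
One way to check step 4, as an added example that is not part of the original guide: it counts the accounts that hold or can activate Global Administrator and lists standing assignments. The record fields follow Microsoft Graph roleAssignmentScheduleInstances and roleEligibilityScheduleInstances; the principals, dates and the `rec` helper are constructed for illustration.

```python
# Added example: audit Global Administrator assignments against the
# "2-4 accounts, use PIM" guidance. Record fields follow Microsoft Graph
# roleAssignmentScheduleInstances / roleEligibilityScheduleInstances;
# the principals and dates below are constructed sample data.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"  # built-in role template ID
OTHER_ROLE = "00000000-0000-0000-0000-000000000000"    # placeholder for any other role
MIN_ADMINS, MAX_ADMINS = 2, 4                           # limits from the setup step


def rec(principal, role=GLOBAL_ADMIN, kind="Assigned", end=None):
    """Build one constructed schedule-instance record."""
    return {"principalId": principal, "roleDefinitionId": role,
            "assignmentType": kind, "endDateTime": end}


ACTIVE = [
    rec("admin-a"),
    rec("admin-b"),
    rec("admin-c", kind="Activated", end="2024-01-01T17:00:00Z"),  # PIM activation
    rec("admin-d"),
    rec("helpdesk-1", role=OTHER_ROLE),
]
ELIGIBLE = [rec("admin-c"), rec("admin-e")]  # only principal and role matter here


def audit_global_admins(active, eligible):
    """Count accounts that hold or can activate Global Administrator."""
    is_ga = lambda r: r["roleDefinitionId"] == GLOBAL_ADMIN
    holders = {r["principalId"] for r in active + eligible if is_ga(r)}
    # Standing = directly assigned with no expiry, i.e. not a PIM activation
    standing = {r["principalId"] for r in active if is_ga(r)
                and r["assignmentType"] == "Assigned" and r["endDateTime"] is None}
    findings = []
    if not MIN_ADMINS <= len(holders) <= MAX_ADMINS:
        findings.append(f"{len(holders)} Global Admin accounts; expected "
                        f"{MIN_ADMINS}-{MAX_ADMINS}")
    if standing:
        findings.append("standing assignments to convert to PIM-eligible: "
                        + ", ".join(sorted(standing)))
    return {"holders": sorted(holders), "standing": sorted(standing),
            "findings": findings}
```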

Entra ID vs On-Premises Active Directory

Many organizations still run on-premises Active Directory (AD DS). Entra ID is not a replacement for on-premises AD — it is a cloud identity service designed for modern, cloud-first workloads. The two coexist through Entra Connect (formerly Azure AD Connect), which synchronizes on-premises users, groups, and passwords to Entra ID.

In a hybrid scenario, users authenticate against either the cloud or on-premises directory depending on the resource they access. Notably, Entra ID does not support traditional AD protocols like LDAP, Kerberos, or Group Policy — for those, use Entra Domain Services (formerly Azure AD DS), a managed PaaS offering that provides domain join, LDAP, and Group Policy in the cloud.

Why Entra ID Matters for Zero Trust

The Zero Trust framework is built on three principles: verify explicitly, use least privilege access, and assume breach. Entra ID enforces all three. Specifically:

  • Verify explicitly — Conditional Access evaluates identity, device health, location, and risk on every access request
  • Least privilege — PIM ensures admins only hold elevated permissions when actively needed
  • Assume breach — Identity Protection detects anomalies and responds automatically

For organizations managing Microsoft 365 security, this identity service is inseparable from tools like Microsoft Defender for Office 365 and the Security & Compliance Center.
