What Is Microsoft Entra ID? (Azure AD) – A Comprehensive Guide

Last Update: Sep 04, 2024 | Published: Mar 18, 2016

Network Security


Microsoft Entra ID – previously called Azure Active Directory (Azure AD) – is Microsoft’s cloud-based identity and access management (IAM) service. Azure AD is generally seen as the move of on-premises IAM to the cloud. Learn more about Azure AD here.

What is Microsoft Entra ID (Azure Active Directory)?

Microsoft Entra ID (Azure AD, AAD) is a cloud IAM (Identity and Access Management) service that allows administrators to manage end-user accounts, identities, and devices, among other entities. Several main services make up the core offering – access management, directory services, and identity protection.

Identity management in the cloud

Microsoft Entra ID is generally described as ‘Active Directory in the cloud’. Each company has its own tenant to administer users and resources. Resources and employees are automatically protected from outside attacks via default security settings. If this is your focus, I plan to write another article solely based on Microsoft Entra ID security. Watch for it.

Microsoft Entra ID (Azure Active Directory) – Identity management in the cloud (Image Credit: Microsoft)

Security has been one of the main focuses of Microsoft Entra ID over the past ten years or so. Microsoft has announced and released several security measures, including secure sign-in and multifactor authentication (MFA), to protect your users.

Who uses Microsoft Entra ID?

Every customer of Microsoft 365 uses Entra ID inherently. It is the backbone of all identity and authentication services across the M365 stack of applications and services.

One important aspect of Microsoft Entra ID is its ‘Platform as a Service’ (PaaS) benefits. Microsoft handles all the infrastructure instead of that responsibility being on you as a business owner or IT Pro. I’ll cover more on this subject next.

What are the differences between Microsoft Entra ID and Active Directory?

The biggest difference between the two is that Windows Server Active Directory requires you to build and support servers to host the Active Directory Domain Services (AD DS) role. IT Pros need to manage the security, patching, lifecycle of software and hardware, etc. Microsoft Entra ID, being a cloud-based service, runs on its own. Microsoft takes much of the responsibility for management and security. 

Although the two services handle similar functions – managing users, authentication, and application management – the underlying technologies are rather disparate. They use completely different protocols and code bases.

Here are the key differences:

  • Active Directory supports NTLM and Kerberos for authentication, but Microsoft Entra ID uses SAML and OAuth 2.0.
  • Microsoft Entra ID includes Azure Policy, whereas Active Directory uses Group Policy to manage end-user devices and their environment.
  • Whereas Active Directory includes Organizational Units (OUs) and forests/domains, Microsoft Entra ID is a flat directory structure.
  • Microsoft Entra ID is designed for many web-based services. It supports services that use Representational State Transfer (REST) APIs for Office 365 online apps, for example.
  • Microsoft Entra ID supports Single Sign-On (SSO) and Multifactor Authentication (MFA), whereas Active Directory does not.

Does Microsoft Entra ID have an equivalent to Active Directory Certificate Services (ADCS)?

If you’re interested in the possibility of ‘upgrading’ from Windows Server AD to AAD, there are many reasons this is not feasible. 

The Active Directory Certificate Services (ADCS) role in Windows Server does not have a counterpart service in Microsoft Entra ID. However, if your company uses client authentication certificates to access, for example, corporate WiFi, you can look into other options. For instance, if you use Cisco ISE, you can use that to directly integrate with MS Intune to handle the enrollment and compliance processes.

Always working to make transitions easier for their customers, Microsoft has recently announced a few related services in public preview. For example, certificate-based authentication (CBA) is an authentication method that allows users to log in directly with X.509 certificates against their Microsoft Entra ID identities.

In addition, Microsoft Intune has certificate services in preview form. This enables users to authenticate and secure access to VPN, WiFi, or other email profiles using certificates.

Because these features are at the ‘public preview’ stage, it is a very good sign that Microsoft is trying to close the ‘feature gap’ between all things Windows Server AD and AAD.

Does Microsoft Entra ID have an equivalent to Active Directory Federation Services (ADFS)?

This one is a little more nuanced. Active Directory Federation Services (ADFS) offers single sign-on services in your on-premises environment. But it solely works inside your network (LAN). Microsoft Entra ID handles similar functions in the cloud.

Let me mention a few features in Microsoft Entra ID that replace some functionality in ADFS:

  • Microsoft Entra Connect: This tool synchronizes users and groups between your on-premises Active Directory and Microsoft Entra ID, enabling federation. I’ll touch on this later.
  • Azure Active Directory B2C: This service provides identity and access management for external users, such as customers or partners, who don’t have a Microsoft Entra ID account. I will also delve into this feature later on.
  • Azure Active Directory B2B: This service enables collaboration between your users and trusted business guests from outside organizations, while keeping control of your corporate data.
  • Azure Application Proxy: This service allows you to publish on-premises applications to the cloud and enable access through Microsoft Entra ID.

Does Microsoft Entra ID support Kerberos authentication?

No, Microsoft Entra ID doesn’t natively support Kerberos authentication. However, you do have a clear option – Microsoft Entra Domain Services (Azure AD DS).

  • Microsoft Entra Domain Services (Azure AD DS)
    • This is an example of a ‘Platform as a Service (PaaS)’ that provides Active Directory Domain Services in the cloud.
    • When you deploy Microsoft Entra Domain Services, you can then join your Azure virtual machines (VMs) to it and use Kerberos authentication to access resources within your domain.
  • Microsoft Entra Kerberos authentication on Azure Files
    • This is a recent feature from Microsoft that allows Microsoft Entra ID to utilize and issue Kerberos tickets for accessing Azure Files shares (from your on-premises network).
  • Kerberos Constrained Delegation (KCD)
    • A feature in Windows Server that can be used with single sign-on to on-premises applications published through Application Proxy that require Kerberos authentication.

How does Microsoft Entra ID Work?

So how does this web-based cloud service tick? Let’s find out. I’ll go into greater detail here on the most important features and services it offers.

Users and groups

In terms of Microsoft Entra ID’s identity and access management (IAM) features, it is a secure online store for users and groups. When one of your users logs into Office 365 via office.com, Microsoft Entra ID provides the authentication and authorization behind that interaction.

Microsoft Entra ID Groups offer similar functionality to AD Groups – security-based application access and distribution list-based email delivery.

Note – you can synchronize your users and groups from AD to Microsoft Entra ID using Microsoft Entra Connect or Microsoft Entra Connect cloud sync. I’ll show you more details later.

Cloud authentication

As I just mentioned, Microsoft Entra ID offers authentication and authorization to allow your users to access Platform as a Service (PaaS) examples like Word Online, Excel Online, SharePoint Online, etc. Through SSO, Microsoft Entra ID Conditional Access policies, and multifactor authentication, your users can securely and safely log into your tenant to avail themselves of all your tenant’s vast resources of gold and fortune.

Self-service password resets

This is a feature that allows your users to reset their Microsoft Entra ID passwords themselves. Through a series of ‘checks and balances’, users verify who they are via security methods that are initially set up before the feature is enabled.

This service provides a range of benefits including a reduction of help desk calls and loss of productivity when your users are locked out.

Federated authentication

Once you taste how wonderful this is after initial testing, you’ll never go back. Your users are blessed with the ability to use a single set of credentials to log into on-premises AD and Microsoft Entra ID / Office 365 apps and services. When you utilize Microsoft Entra Connect, their AD password ‘passes through’ to their Microsoft Entra ID user account, automatically. When they change their on-premises password, it is also updated (kept in sync) in Microsoft Entra ID.

Hybrid Active Directory deployments

Interestingly, this article does a very good job of describing what a hybrid Active Directory deployment is. Let me offer you some bullet points that help explain the ‘hybrid’ aspect of this scenario.

  • Microsoft Entra Connect (and cloud sync)
    • This software tool allows you to synchronize your on-premises AD users and groups to Microsoft Entra ID. This is a classic example of a hybrid environment. You utilize on-premises and cloud-based IAM tools.
  • Single Sign-On
    • Users in a hybrid AD deployment can benefit from SSO. This allows them to manage one set of credentials when logging into their devices, accessing on-premises resources, and logging into Office 365 (Microsoft Entra ID).
  • Group Policy
    • GPOs (Group Policy Objects) from on-premises AD can be synced and applied to Microsoft Entra ID-joined devices, helping the migration path from GPOs to Microsoft Intune-based policies.

Multifactor authentication

This is vital. Every organization should have this enabled, including yours. This is not hyperbole. If a threat actor or hacker obtains one of your users’ login credentials, they have free rein to hack into the account. Often, passwords are not created as securely as you would hope.

This is where multifactor authentication comes in. It adds a second factor that users must present when signing in to Microsoft Entra ID and Office 365 services. Users can approve a push notification in the Microsoft Authenticator app on their mobile device, or receive a phone call or text message, among other authentication methods. This should be one of the first things you implement when setting up a new Microsoft Entra ID tenant.

Password protection

This is also at the top of my ‘you need to use this feature’ list. Instead of allowing almost any password for your users, you can use Password Protection’s feature set to secure your users’ login events.

  • Password Policies
    • Admins can create policies that force users to use specific criteria for their passwords – length, special characters, prevention of common dictionary words, etc.
  • Banned Passwords
    • When utilized, a global list of commonly compromised passwords, managed by Microsoft, is automatically blocked when users create or change their passwords.
  • Real-Time Feedback
    • Users receive feedback while resetting their password, telling them whether the new password meets the policy before it is accepted.
  • Customization
    • Detailed logging and reporting are available to offer insights into password-related events and potential security incidents in your network.
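As an added illustration that is not part of this article and is not Microsoft’s implementation, here is a small Python check in the spirit of the banned-password and real-time feedback features above. It lowercases the candidate, undoes common character substitutions, looks for banned terms (tolerating one substituted character in longer terms), and scores whatever is left, so a banned word with a digit or two tacked on is still rejected. The banned list, the substitution map, the treatment of user-name tokens and the threshold of 5 are assumptions made for this example, not Microsoft’s actual list or scoring rules.

```python
"""Toy banned-password check in the spirit of Entra Password Protection.

Added example; not Microsoft's code. The banned list, substitution map,
scoring rule and threshold below are assumptions made for illustration.
"""

# Constructed stand-in for the global banned list plus a tenant custom list.
BANNED_TERMS = ("password", "contoso", "welcome", "summer", "qwerty")

# Leet-style substitutions undone before matching (assumed mapping).
SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "$": "s", "@": "a", "!": "i"}
)

MIN_SCORE = 5  # assumed threshold: a total score below this is rejected


def normalize(password: str) -> str:
    """Lowercase and undo substitutions so 'P@ssw0rd' becomes 'password'."""
    return password.lower().translate(SUBSTITUTIONS)


def fuzzy_find(text: str, term: str, max_mismatch: int) -> int:
    """Index of the first window of text within max_mismatch substitutions of term, else -1."""
    n = len(term)
    for i in range(len(text) - n + 1):
        if sum(a != b for a, b in zip(text[i:i + n], term)) <= max_mismatch:
            return i
    return -1


def _find(text: str, term: str) -> int:
    # Only longer terms get fuzzy matching; short ones would match almost anything.
    return fuzzy_find(text, term, 1 if len(term) >= 5 else 0)


def score_password(password: str, banned=BANNED_TERMS, user_tokens=()) -> tuple[int, list[str]]:
    """Score a password: each banned term found is 1 point, each leftover character 1 point.

    user_tokens (for example the user's first name) are treated like banned terms;
    that per-user handling is an assumption for this example.
    """
    remaining = normalize(password)
    matched: list[str] = []
    for term in list(banned) + [normalize(t) for t in user_tokens]:
        pos = _find(remaining, term)
        while pos != -1:
            matched.append(term)
            # Cut the matched window out so it cannot also count as leftover characters.
            remaining = remaining[:pos] + remaining[pos + len(term):]
            pos = _find(remaining, term)
    return len(matched) + len(remaining), matched


def is_allowed(password: str, banned=BANNED_TERMS, user_tokens=()) -> bool:
    """True when the password scores at or above the assumed threshold."""
    score, _ = score_password(password, banned, user_tokens)
    return score >= MIN_SCORE


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Contoso1!", "C0nt0so!2024", "Passwerd7"):
        score, hits = score_password(candidate)
        print(f"{candidate!r}: score={score} banned_terms={hits} allowed={is_allowed(candidate)}")
```

The design point is that the check runs on the normalized string, so ‘P@ssw0rd’ and ‘Contoso1!’ are both rejected: after the banned term is removed, only one or two characters remain to score. A candidate such as ‘C0nt0so!2024’ passes the toy threshold only because five characters are left over, which is why a real deployment pairs the banned list with length and MFA requirements rather than relying on it alone.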

Passwordless authentication

Microsoft Entra ID offers passwordless authentication, a feature that allows your users to use other forms of authentication like biometrics, security keys, or mobile devices.

You can utilize these features to achieve passwordless authentication.

  • Windows Hello for Business
  • Microsoft Authenticator (mobile app)
  • FIDO2-compliant security keys
  • Certificate-based authentication

Security and usage reporting

Microsoft Entra ID offers a robust and efficient module for reporting on security and usage from your users. Activity Logs, Sign-In Logs, and Audit Logs all offer a ‘paper trail’ for all of your users’ activity online in Azure AD and Office 365.

The Usage and Insights report provides an application-centric view of your sign-in data and includes a report on authentication methods. With this data, you can find answers to questions like: What are your top applications used in your org? What users have the most failed sign-ins? What applications haven’t had a successful log-in for 30 days or more? These can all be answered quickly and securely to assist your IT Pros with managing the lifecycle of applications and onboarding/offboarding efforts.
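The three questions above can be answered directly from an export of the sign-in log. The following Python is an added example, not part of this article and not a Microsoft tool; it runs over a handful of constructed records whose field names follow the shape of the Microsoft Graph signIn resource (userPrincipalName, appDisplayName, createdDateTime, status.errorCode), but whose values, including the error codes, are invented for the example.

```python
"""Answer the usage questions from the article over a constructed sign-in log export.

Added example, not part of the original article. Field names follow the
Microsoft Graph signIn resource; all record values are constructed.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed JSON-lines export. errorCode 0 marks a successful sign-in and any
# non-zero value a failure; the non-zero codes here are sample values only.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 SharePoint Online", "createdDateTime": "2024-09-01T08:01:00Z", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 SharePoint Online", "createdDateTime": "2024-09-02T08:05:00Z", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online", "createdDateTime": "2024-09-02T09:00:00Z", "status": {"errorCode": 50126}}
{"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online", "createdDateTime": "2024-09-02T09:01:00Z", "status": {"errorCode": 50126}}
{"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online", "createdDateTime": "2024-09-02T09:03:00Z", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@contoso.example", "appDisplayName": "Legacy Reporting Portal", "createdDateTime": "2024-07-15T10:00:00Z", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365 SharePoint Online", "createdDateTime": "2024-09-03T11:00:00Z", "status": {"errorCode": 0}}
{"userPrincipalName": "dave@contoso.example", "appDisplayName": "Payroll App", "createdDateTime": "2024-09-03T12:00:00Z", "status": {"errorCode": 50074}}
{"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 SharePoint Online", "createdDateTime": "2024-09-03T13:00:00Z", "status": {"errorCode": 50126}}
"""

# Reference time for the "30 days or more" question (constructed).
REPORT_NOW = datetime(2024, 9, 4, tzinfo=timezone.utc)


def load_signins(text: str) -> list[dict]:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _timestamp(record: dict) -> datetime:
    # fromisoformat only accepts a trailing "Z" from Python 3.11, so normalise it.
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def top_applications(signins: list[dict], n: int = 3) -> list[tuple[str, int]]:
    """Applications ranked by total sign-in attempts (successful or not)."""
    return Counter(s["appDisplayName"] for s in signins).most_common(n)


def failed_signins_by_user(signins: list[dict]) -> list[tuple[str, int]]:
    """Users ranked by number of failed sign-ins; a burst here is worth a look."""
    failures = Counter(
        s["userPrincipalName"] for s in signins if s["status"]["errorCode"] != 0
    )
    return failures.most_common()


def stale_applications(signins: list[dict], now: datetime, days: int = 30) -> list[str]:
    """Applications with no successful sign-in in the last `days` days (or ever)."""
    last_success: dict[str, datetime] = {}
    for s in signins:
        if s["status"]["errorCode"] == 0:
            app = s["appDisplayName"]
            ts = _timestamp(s)
            if app not in last_success or ts > last_success[app]:
                last_success[app] = ts
    cutoff = now - timedelta(days=days)
    every_app = {s["appDisplayName"] for s in signins}
    return sorted(
        app for app in every_app if app not in last_success or last_success[app] < cutoff
    )


def build_report(text: str = SAMPLE_SIGNINS, now: datetime = REPORT_NOW) -> dict:
    """Bundle the three answers so they can be checked or printed together."""
    signins = load_signins(text)
    return {
        "top_applications": top_applications(signins, 2),
        "failed_signins_by_user": failed_signins_by_user(signins),
        "stale_applications": stale_applications(signins, now),
    }


if __name__ == "__main__":
    for question, answer in build_report().items():
        print(f"{question}: {answer}")
```

In practice the same functions work on an export from the sign-in log blade or from the Graph API; the stale-application list is the one to act on first, since an application nobody has signed in to for a month is a candidate for offboarding.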

What is Microsoft Entra ID Join?

Microsoft Entra ID Join is ‘essentially’ the counterpart to joining a computer to an Active Directory domain. When you join a device to Microsoft Entra ID, you gain the following benefits:

  • Device Registration – a record of the device is added to Microsoft Entra ID. The details of the device including operating system, name, etc. are included.
  • Authentication – Users sign in to their devices using their Microsoft Entra ID (Office 365) credentials.
  • Authorization – Microsoft Entra ID determines what resources the user is authorized to access based on roles and permissions.
  • Access – Cloud apps, Azure Files, and other cloud services are offered based on their access levels and permissions.
  • Enterprise State Roaming – access to this service is also enabled for the device.

Another similar method to ‘joining’ a device to Microsoft Entra ID is what’s called ‘Microsoft Entra ID Registration.’ This process registers a device in Microsoft Entra ID and sets it up for ‘light management.’ Microsoft Entra ID Join is typically designed for corporate-owned devices, whereas Microsoft Entra ID Register is for Bring Your Own Device (BYOD)-type devices and does not offer all the management features in Microsoft Entra ID/Intune.

Microsoft Entra ID identities (Image Credit: Microsoft)

What is Microsoft Entra Domain Services?

I mentioned this briefly earlier. Microsoft Entra Domain Services provides a fully managed domain built on Active Directory Domain Services (AD DS). This offers organizations the ability to use Active Directory in a trial or production-grade environment in the cloud.

Microsoft Entra Domain Services seamlessly integrates with Microsoft Entra ID, allowing enterprises to leverage their existing Microsoft Entra ID identities and passwords. Group Policy support is included. LDAP and Kerberos authentication are also offered.

The biggest perk is offering organizations applications or services that depend on Active Directory without needing to build and support an on-premises AD environment. You can let Microsoft manage all of your domain controllers, DNS servers, etc.

What is Azure AD B2B?

Azure AD Business to Business allows your organization to securely and efficiently communicate with external parties and guests. Applications and resources can be shared through intricate and granular controls to allow for more flexible communications between your users and guests.

One idea I want to get across here – Azure AD B2B is not a replacement or a transition from AD FS or other federation technologies from on-premises to the cloud. This is a secure method of bridging your users with approved and trusted guests, and external parties, to communicate seamlessly amongst your user groups.

Azure AD B2B collaboration overview (Image Credit: Microsoft)

Azure AD B2B simplifies collaboration and shared resource access by allowing external users to log in with their credentials. In addition, external guests can use single sign-on to access their native resources and your organization’s shared resources.

Microsoft Entra ID licensing

There are four pricing tiers related to Microsoft Entra ID. Free, Basic, Premium P1, and Premium P2. Here are some high-level details of each.

| Pricing level | Features | Pricing |
| --- | --- | --- |
| Free | Up to 50,000 user accounts, single sign-on (SSO) for up to 10 apps, user provisioning, and basic reports. Ideal for SMBs and very small companies. MFA and Microsoft Entra Connect are available. | Free |
| Basic | SSO for unlimited apps, self-service password reset, and group access management. B2B collaboration. | $1 per user per month |
| Premium P1 | All Basic features, conditional access, identity protection, and advanced reports. | $6 per user per month |
| Premium P2 | All Premium P1 features, Microsoft Entra ID Protection, and Privileged Identity Management. | $9 per user per month |

Microsoft Entra ID pricing

Please note – this is a high-level summary and the pricing will vary due to the nature of your company’s agreement with Microsoft.

Conclusion

In conclusion, Microsoft Entra ID is a comprehensive and secure cloud-based identity and access management service provided by Microsoft Azure. Microsoft Entra ID facilitates secure authentication, seamless single sign-on experiences, and efficient management of user identities across a variety of applications and services.

There are many features and corresponding services that help assist you in your overall path from on-premises Active Directory to Microsoft Entra ID. Microsoft Entra Connect cloud sync is a perfect example that helps to securely provide an easier end-user experience to get their jobs done.

Please feel free to leave a comment or question below. Thank you for reading!
