Last Update: Sep 04, 2024 | Published: Mar 18, 2016
Microsoft Entra ID – previously called Azure Active Directory (Azure AD) – is Microsoft’s cloud-based identity and access management (IAM) service. Azure AD is generally seen as the move from on-premises IAM to the cloud.
Microsoft Entra ID (Azure AD, AAD) is a cloud IAM (Identity and Access Management) service that allows administrators to manage end-user accounts, identities, and devices, among other entities. Several services make up the core offering – access management, directory, and identity protection.
Microsoft Entra ID is generally described as ‘Active Directory in the cloud’. Each company has its own tenant to administer users and resources. Resources and employees are automatically protected from outside attacks via default security settings. If this is your focus, I plan to write another article solely based on Microsoft Entra ID security. Watch for it.
Security has been one of the main focuses of Microsoft Entra ID over the past ten years or so. Microsoft has announced and released several security measures, including secure sign-in and multifactor authentication (MFA), to protect your users.
Every customer of Microsoft 365 uses Entra ID inherently. It is the backbone of all identity and authentication services across the M365 stack of applications and services.
One important aspect of Microsoft Entra ID is its ‘Platform as a Service’ (PaaS) benefits. Microsoft handles all the infrastructure instead of that responsibility being on you as a business owner or IT Pro. I’ll cover more on this subject next.
The biggest difference between Windows Server Active Directory and Microsoft Entra ID is that Windows Server Active Directory requires you to build and support servers to host the Active Directory Domain Services (AD DS) role. IT Pros need to manage the security, patching, and lifecycle of that software and hardware. Microsoft Entra ID, being a cloud-based service, runs on its own: Microsoft takes much of the responsibility for management and security.
Although the two services handle similar functions – managing users, authentication, and application management – the underlying technologies are rather disparate. They use completely different protocols and code bases.
Here are the key differences:
If you’re interested in the possibility of ‘upgrading’ from Windows Server AD to AAD, there are many reasons this is not feasible.
The Active Directory Certificate Services (ADCS) role in Windows Server does not have a counterpart service in Microsoft Entra ID. However, if your company uses client authentication certificates to access, for example, corporate WiFi, you can look into other options. For instance, if you use Cisco ISE, you can use that to directly integrate with MS Intune to handle the enrollment and compliance processes.
Always working to make transitions easier for their customers, Microsoft has recently announced a few related services in public preview. For example, certificate-based authentication (CBA) is an authentication method that allows users to log in directly with X.509 certificates against their Microsoft Entra ID (Azure AD) identities.
In addition, Microsoft Intune has certificate services in preview form. This enables users to authenticate and secure access to VPN, Wi-Fi, or email profiles using certificates.
That these features have reached the ‘public preview’ stage is a very good sign that Microsoft is trying to close the ‘feature gap’ between Windows Server AD and AAD.
This one is a little more nuanced. Active Directory Federation Services (ADFS) offers single sign-on services in your on-premises environment, but it works only inside your network (LAN). Microsoft Entra ID handles similar functions in the cloud.
Let me mention a few features in Microsoft Entra ID that replace some functionality in ADFS:
No, Microsoft Entra ID doesn’t natively support Kerberos authentication. However, you do have a clear option – Microsoft Entra Domain Services (Azure AD DS).
So how does this web-based cloud service tick? Let’s find out. I’ll go into greater detail here on the most important features and services it offers.
In terms of Microsoft Entra ID’s identity and access management (IAM) features, it is a secure online store for users and groups. When one of your users logs into Office 365 via office.com, Microsoft Entra ID provides the authentication and authorization behind that interaction.
Microsoft Entra ID Groups offer similar functionality to AD Groups – security-based application access and distribution list-based email delivery.
Note – you can synchronize your users and groups from AD to Microsoft Entra ID using Microsoft Entra Connect or Microsoft Entra Connect cloud sync. I’ll show you more details later.
As I just mentioned, Microsoft Entra ID offers authentication and authorization to allow your users to access Platform as a Service (PaaS) examples like Word Online, Excel Online, SharePoint Online, etc. Through SSO, Microsoft Entra ID Conditional Access policies, and multifactor authentication, your users can securely and safely log into your tenant to avail themselves of all your tenant’s vast resources of gold and fortune.
This is a feature that allows your users to reset their Microsoft Entra ID passwords themselves. Through a series of ‘checks and balances’, users verify who they are via security methods that are initially set up before the feature is enabled.
This service provides a range of benefits including a reduction of help desk calls and loss of productivity when your users are locked out.
Once you taste how wonderful this is after initial testing, you’ll never go back. Your users are blessed with the ability to use a single set of credentials to log into on-premises AD and Microsoft Entra ID / Office 365 apps and services. When you utilize Microsoft Entra Connect, their AD password ‘passes through’ to their Microsoft Entra ID user account, automatically. When they change their on-premises password, it is also updated (kept in sync) in Microsoft Entra ID.
Interestingly, this article does a very good job of describing what a hybrid Active Directory deployment is. Let me offer you some bullet points that help explain the ‘hybrid’ aspect of this scenario.
This is vital. Every organization should have this enabled, including yours. This is not hyperbole. If a threat actor or hacker obtains one of your users’ login credentials, they have free rein to break into the account. Often, passwords are not created as securely as you would hope.
This is where multifactor authentication comes in. It offers a second factor that users present when signing into Microsoft Entra ID and Office 365 services. Users can approve push notifications in the Microsoft Authenticator app on their mobile devices, or receive a phone call or text message, among other authentication methods. This should be one of the first things you implement when setting up a new Microsoft Entra ID tenant.
This is also at the top of my ‘you need to use this feature’ list. Instead of allowing almost any password for your users, you can use Password Protection’s banned-password features to secure your users’ login events.
Microsoft Entra ID offers passwordless authentication, a feature that allows your users to use other forms of authentication like biometrics, security keys, or mobile devices.
You can utilize these features to achieve passwordless authentication.
Microsoft Entra ID offers a robust and efficient module for reporting on security and usage from your users. Activity Logs, Sign-In Logs, and Audit Logs all offer a ‘paper trail’ for all of your users’ activity online in Azure AD and Office 365.
The Usage and Insights report provides an application-centric view of your sign-in data and includes a report on authentication methods. With this data, you can find answers to questions like: What are your top applications used in your org? What users have the most failed sign-ins? What applications haven’t had a successful log-in for 30 days or more? These can all be answered quickly and securely to assist your IT Pros with managing the lifecycle of applications and onboarding/offboarding efforts.
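The three questions above can be answered directly from exported sign-in log records. The following is an added example (not code from the original article or from Microsoft): it runs over a handful of constructed sign-in events whose field names are assumed to follow the Microsoft Graph signIn resource shape, and computes the top applications, the users with the most failed sign-ins, and the applications with no successful sign-in in the last 30 days.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

def ev(upn, app, when, error_code=0):
    # One sign-in record shaped like the Microsoft Graph signIn resource (assumed field names).
    return {"userPrincipalName": upn, "appDisplayName": app,
            "createdDateTime": when, "status": {"errorCode": error_code}}

# Constructed sample events (not real tenant data). errorCode 0 is a successful
# sign-in; 50126 is the "invalid username or password" error code.
SIGN_INS = [
    ev("alice@contoso.example", "Office 365 SharePoint Online", "2024-08-30T08:01:00Z"),
    ev("alice@contoso.example", "Office 365 SharePoint Online", "2024-08-31T08:05:00Z"),
    ev("bob@contoso.example", "Office 365 SharePoint Online", "2024-09-01T09:10:00Z"),
    ev("bob@contoso.example", "Office 365 Exchange Online", "2024-09-01T09:12:00Z", 50126),
    ev("bob@contoso.example", "Office 365 Exchange Online", "2024-09-02T09:00:00Z", 50126),
    ev("bob@contoso.example", "Office 365 Exchange Online", "2024-09-02T09:01:00Z"),
    ev("carol@contoso.example", "Legacy Timesheets", "2024-07-15T10:00:00Z"),
    ev("dave@contoso.example", "Legacy Timesheets", "2024-09-03T11:00:00Z", 50126),
    ev("alice@contoso.example", "Office 365 Exchange Online", "2024-09-03T12:00:00Z"),
]

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def succeeded(event):
    return event["status"]["errorCode"] == 0

def top_applications(events, n=3):
    """Applications ranked by total sign-in attempts (successes and failures)."""
    return Counter(e["appDisplayName"] for e in events).most_common(n)

def users_with_most_failures(events, n=3):
    """Users ranked by number of failed sign-ins."""
    return Counter(e["userPrincipalName"] for e in events if not succeeded(e)).most_common(n)

def apps_without_recent_success(events, now, days=30):
    """Applications with no successful sign-in within the last `days` days (including apps that never succeeded)."""
    last_ok = {}
    for e in events:
        if succeeded(e):
            t = parse_time(e["createdDateTime"])
            last_ok[e["appDisplayName"]] = max(t, last_ok.get(e["appDisplayName"], t))
    cutoff = now - timedelta(days=days)
    apps = {e["appDisplayName"] for e in events}
    return sorted(a for a in apps if a not in last_ok or last_ok[a] < cutoff)
```

Call `apps_without_recent_success(SIGN_INS, parse_time("2024-09-04T00:00:00Z"))` to see the stale application list for the sample data; a real export from the sign-in logs can be fed in with the same field names.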
Microsoft Entra ID Join is ‘essentially’ the counterpart to joining a computer to an Active Directory domain. When you join a device to Microsoft Entra ID, you gain the following benefits:
Another similar method to ‘joining’ a device to Microsoft Entra ID is what’s called ‘Microsoft Entra ID Registration.’ This process registers a device in Microsoft Entra ID and sets it up for ‘light management.’ Microsoft Entra ID Join is typically designed for corporate-owned devices, while Microsoft Entra ID Register is for Bring Your Own Device (BYOD)-type devices and does not offer all the management features in Microsoft Entra ID/Intune.
I mentioned this briefly earlier. Microsoft Entra Domain Services provides a fully managed domain built on Active Directory Domain Services (AD DS). This offers organizations the ability to use Active Directory in a trial or production environment in the cloud.
Microsoft Entra ID DS seamlessly integrates with Microsoft Entra ID, allowing enterprises to leverage their existing Microsoft Entra ID identities and passwords. Group Policy support is included. LDAP and Kerberos authentication are also offered.
The biggest perk is offering organizations applications or services that depend on Active Directory without needing to build and support an on-premises AD environment. You can let Microsoft manage all of your domain controllers, DNS servers, etc.
Azure AD Business to Business allows your organization to securely and efficiently communicate with external parties and guests. Applications and resources can be shared through intricate and granular controls to allow for more flexible communications between your users and guests.
One idea I want to get across here – Azure AD B2B is not a replacement or a transition from AD FS or other federation technologies from on-premises to the cloud. This is a secure method of bridging your users with approved and trusted guests, and external parties, to communicate seamlessly amongst your user groups.
Azure AD B2B simplifies collaboration and shared resource access by allowing external users to log in with their credentials. In addition, external guests can use single sign-on to access their native resources and your organization’s shared resources.
There are four pricing tiers related to Microsoft Entra ID: Free, Basic, Premium P1, and Premium P2. Here are some high-level details of each.

| Pricing Level | Features | Pricing |
|---|---|---|
| Free | Up to 50,000 user accounts, single sign-on (SSO) for up to 10 apps, user provisioning, and basic reports. Ideal for SMBs and very small companies. MFA and Microsoft Entra Connect are available. | Free |
| Basic | SSO for unlimited apps, self-service password reset, and group access management. B2B collaboration. | $1 per user per month |
| Premium P1 | All Basic features, conditional access, identity protection, and advanced reports | $6 per user per month |
| Premium P2 | All Premium P1 features, Microsoft Entra ID Protection, and Privileged Identity Management | $9 per user per month |
Please note – this is a high-level summary and the pricing will vary due to the nature of your company’s agreement with Microsoft.
In conclusion, Microsoft Entra ID is a comprehensive and secure cloud-based identity and access management service provided by Microsoft Azure. Microsoft Entra ID facilitates secure authentication, seamless single sign-on experiences, and efficient management of user identities across a variety of applications and services.
There are many features and corresponding services that help you on your overall path from on-premises Active Directory to Microsoft Entra ID. Microsoft Entra Connect cloud sync is a perfect example: it securely provides an easier end-user experience so people can get their jobs done.
Please feel free to leave a comment or question below. Thank you for reading!