Microsoft Entra ID Enterprise Guide 2026: Identity & Access Management for Zero Trust
Microsoft Entra ID is the foundation of every enterprise Microsoft deployment. This guide covers Conditional Access architecture, identity governance, Entra ID Protection, B2B and B2C external identities, Privileged Identity Management, SSO federation, and MFA enforcement strategies — based on EPC Group's 300+ enterprise identity deployments across healthcare, finance, and government.
Last updated: 2026 · Read time: ~8 min
Microsoft Entra ID is the identity and access management (IAM) platform at the center of the Microsoft security stack. This guide covers Conditional Access, identity governance, Privileged Identity Management, SSO, MFA, and Entra's Zero Trust architecture. Based on EPC Group's 300+ enterprise identity deployments across healthcare, financial services, and government.
Key facts
- EPC Group has delivered 300+ enterprise Entra ID deployments. Microsoft Gold Partner (2016-2022), the oldest continuous Gold Partner in North America; currently holds all six Solutions Partner designations.
- The Entra family: Entra ID (core IAM), Entra External ID (B2B/B2C), Entra Permissions Management (multi-cloud CIEM), Entra Verified ID (decentralized credentials), Entra Workload ID (service principal governance), Entra Internet Access (SWG), Entra Private Access (ZTNA).
- Conditional Access is the policy enforcement layer — controls who accesses what, from where, on what device.
- Continuous Access Evaluation (CAE) revokes access within minutes of a security event — not at token expiry (60–90 minutes).
- Privileged Identity Management (PIM) — just-in-time admin access. No standing admin roles.
The Microsoft Entra product family
Entra is Microsoft's identity and network access product family. Each product addresses a specific IAM or network access requirement.
- Entra ID (formerly Azure AD) — core IAM: authentication, authorization, Conditional Access, SSO, MFA, identity governance. The foundation of the entire family.
- Entra External ID — B2B collaboration and B2C customer identity. Replaces Azure AD B2B and Azure AD B2C.
- Entra Permissions Management — multi-cloud CIEM (Cloud Infrastructure Entitlement Management) for Azure, AWS, and GCP. Discovers and right-sizes permissions across cloud environments.
- Entra Verified ID — decentralized identity credentials. Digital ID cards for employees, students, and customers without a centralized identity registry.
- Entra Workload ID — governance for service principals and managed identities. Controls what apps and automations can access.
- Entra Internet Access — Secure Web Gateway (SWG) for internet-bound traffic. Zero Trust access to internet resources.
- Entra Private Access — Zero Trust Network Access (ZTNA). Replaces VPN for on-premises and private app access.
Zero Trust identity model
Microsoft's Zero Trust model uses Entra ID as the policy enforcement point. It operates on three principles:
- Verify explicitly — authenticate and authorize using all available signals: user identity, device compliance, location, application, data classification, and risk level.
- Use least privilege access — just-in-time access (PIM), just-enough access (JEA), and risk-based adaptive policies. No standing admin roles.
- Assume breach — minimize blast radius with network segmentation. Verify end-to-end encryption. Use Entra ID analytics (Identity Protection) to detect threats.
Conditional Access
Conditional Access is the primary policy enforcement layer for Microsoft 365 and Azure. It evaluates every authentication request before granting access.
Key configurations for enterprise deployment:
- Require MFA for all users via Conditional Access policy (not Security Defaults — Security Defaults cannot be customized for enterprise exclusions).
- Require compliant or Hybrid Azure AD joined devices for M365 resource access.
- Block legacy authentication protocols entirely.
- Restrict access from high-risk sign-in locations.
- Session controls for unmanaged devices (browser-only, no download).
- Enable Continuous Access Evaluation (CAE) — revokes access within minutes of a security event.
Deploy in report-only mode first. Validate no unintended exclusions. Then enforce. Never deploy enforce-mode Conditional Access policies without a pilot in report-only mode first.
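The checks above can be run mechanically against a policy export before a pilot is promoted to enforce mode. The following is an added example, not EPC Group tooling: a small linter over policies in the shape returned by the Microsoft Graph endpoint for Conditional Access policies (displayName, state, conditions, grantControls). The export, the policy names and the break-glass group object ID are constructed placeholders; the check that every enforced policy excludes the emergency-access group and nothing else is the assumption the linter encodes for "no unintended exclusions".

```python
"""Lint an exported set of Conditional Access policies against the baseline above.

Added example, not EPC Group code. Policy objects follow the Microsoft Graph
conditionalAccessPolicy shape; the sample export and object IDs are constructed.
"""
from __future__ import annotations

import json

# Hypothetical object ID of the break-glass (emergency access) group.
BREAK_GLASS_GROUP = "11111111-2222-3333-4444-555555555555"

# Constructed sample export in the shape of GET /identity/conditionalAccess/policies.
SAMPLE_EXPORT = json.dumps({"value": [
    {   # Report-only pilot of the MFA-for-all policy
        "displayName": "CA001 - Require MFA for all users",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Enforced, but the break-glass group was never excluded
        "displayName": "CA002 - Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Enforced device policy with a stray per-user exclusion left over from a pilot
        "displayName": "CA003 - Require compliant or hybrid-joined device for M365",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"],
                      "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["Office365"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR",
                          "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
    },
]})

# Client app types that represent legacy authentication in a Conditional Access policy.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def targets_all_users(policy: dict) -> bool:
    return "All" in policy["conditions"]["users"].get("includeUsers", [])


def is_mfa_for_all(policy: dict) -> bool:
    """True for a policy that requires MFA for all users on all cloud apps."""
    apps = policy["conditions"].get("applications", {}).get("includeApplications", [])
    controls = policy.get("grantControls") or {}
    return targets_all_users(policy) and "All" in apps and "mfa" in controls.get("builtInControls", [])


def is_legacy_auth_block(policy: dict) -> bool:
    """True for a policy that blocks the legacy client app types for all users."""
    client_types = set(policy["conditions"].get("clientAppTypes", []))
    controls = policy.get("grantControls") or {}
    return (targets_all_users(policy) and client_types >= LEGACY_CLIENT_TYPES
            and "block" in controls.get("builtInControls", []))


def lint_policies(export_json: str, break_glass_group: str) -> list[str]:
    """Return one finding per deviation from the baseline; an empty list means clean."""
    policies = json.loads(export_json)["value"]
    findings: list[str] = []
    active = [p for p in policies if p["state"] != "disabled"]
    enforced = [p for p in active if p["state"] == "enabled"]

    if not any(is_mfa_for_all(p) for p in active):
        findings.append("no policy requires MFA for all users")
    if not any(is_legacy_auth_block(p) for p in enforced):
        findings.append("legacy authentication is not blocked in enforce mode")

    for p in policies:
        name, users = p["displayName"], p["conditions"]["users"]
        if p["state"] == "enabledForReportingButNotEnforced":
            findings.append(f"{name}: still report-only; promote once the pilot is validated")
            continue
        if p["state"] != "enabled":
            continue
        # Every enforced policy must exclude the break-glass group and nothing else.
        if break_glass_group not in users.get("excludeGroups", []):
            findings.append(f"{name}: enforced without excluding the break-glass group")
        stray = (set(users.get("excludeGroups", [])) - {break_glass_group}) | set(users.get("excludeUsers", []))
        if stray:
            findings.append(f"{name}: unintended exclusions {sorted(stray)}")
    return findings


if __name__ == "__main__":
    for finding in lint_policies(SAMPLE_EXPORT, BREAK_GLASS_GROUP):
        print("FINDING:", finding)
```

Run against a real export, the same three predicates catch the usual failure modes: a pilot policy that was never promoted, an enforced policy that would lock out the emergency accounts, and per-user exclusions added during testing and forgotten.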
Continuous Access Evaluation (CAE)
Standard OAuth access tokens remain valid for 60–90 minutes after issuance. If a user account is disabled, the token is still valid until expiration.
CAE solves this. When a security event occurs — account disabled, password changed, high-risk detection, location change — the resource provider revokes the session within minutes, not at token expiry.
- Supported applications: Exchange Online, SharePoint Online, Microsoft Teams, Microsoft Graph.
- Enable via Conditional Access policy — no additional licensing required for Entra ID P1 plans.
- Pair with Identity Protection risk policies for automated account remediation on high-risk sign-ins.
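To make the difference between token-expiry and CAE revocation concrete, here is an added example (a simplified model, not Microsoft's implementation) of how a resource provider decides whether to accept an access token in each mode. The critical-event list, user IDs and timestamps are constructed. The claims challenge the model returns on rejection uses the documented format: a base64url-encoded JSON object asking for a token whose nbf is no earlier than the event, which the client satisfies by re-authenticating.

```python
"""Model of token acceptance with and without Continuous Access Evaluation.

Added example, not Microsoft code. Critical-event handling is simplified; the
claims-challenge payload format is the documented one.
"""
from __future__ import annotations

import base64
import json

TOKEN_LIFETIME = 75 * 60  # seconds; standard access tokens live roughly 60-90 minutes

# Constructed critical events received from Entra ID: (time, user object id, type).
CRITICAL_EVENTS = [
    (1_700_000_300, "user-a", "accountDisabled"),
    (1_700_001_200, "user-b", "passwordChanged"),
]


def claims_challenge(event_time: int) -> str:
    """Build the base64url claims challenge telling the client to come back with
    a token issued (nbf) no earlier than the critical event."""
    body = {"access_token": {"nbf": {"essential": True, "value": str(event_time)}}}
    raw = json.dumps(body, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def issue_token(oid: str, iat: int) -> dict:
    """Minimal stand-in for the token claims this model inspects (constructed)."""
    return {"oid": oid, "iat": iat, "exp": iat + TOKEN_LIFETIME, "xms_cc": ["cp1"]}


def evaluate(token: dict, now: int, cae_enabled: bool,
             events=CRITICAL_EVENTS) -> tuple[bool, str | None]:
    """Return (accepted, challenge). Without CAE only exp matters; with CAE any
    critical event for the token's subject that postdates iat revokes it."""
    if now >= token["exp"]:
        return False, None  # expired either way; the client refreshes normally
    if not cae_enabled:
        return True, None
    later = [t for t, oid, _ in events if oid == token["oid"] and t > token["iat"]]
    if not later:
        return True, None
    return False, claims_challenge(max(later))


if __name__ == "__main__":
    token = issue_token("user-a", iat=1_700_000_000)
    ten_minutes_later = 1_700_000_600  # the account was disabled at +300 s
    print("without CAE:", evaluate(token, ten_minutes_later, cae_enabled=False))
    print("with CAE:   ", evaluate(token, ten_minutes_later, cae_enabled=True))
```

Ten minutes after issuance the same token is still accepted without CAE (it has over an hour left) and rejected with CAE, because the account-disabled event postdates the token's issuance; a token issued after the event, or a token for a different user, is unaffected.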
Privileged Identity Management (PIM)
PIM gives admins temporary elevation to privileged roles on a just-in-time basis. No standing admin accounts. No permanent Global Admin sessions.
- Admins request elevation for a defined time window (1–8 hours).
- Elevation requires MFA, business justification, and manager approval (configurable).
- All PIM activations are logged in Entra ID audit logs for compliance review.
- Emergency access (break-glass) accounts are excluded from PIM but monitored continuously.
- PIM supports Azure AD roles, Azure resource roles, and Microsoft 365 admin roles.
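The compliance review of PIM activations and the continuous monitoring of break-glass accounts both reduce to a pass over audit and sign-in records. The following is an added example, not EPC Group tooling: it flags activations outside the controls listed above (over 8 hours, no justification, no MFA, no approval where the constructed policy demands it) and any sign-in by an emergency-access account. The records are constructed and use a simplified flat shape; real exports follow the Graph directoryAudit and signIn schemas, and the field names here are assumptions chosen for the example.

```python
"""Review PIM activations and break-glass usage from constructed audit records.

Added example, not EPC Group tooling. Record shape and field names are
simplified assumptions; UPNs and IPs are placeholders.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

MAX_ACTIVATION = timedelta(hours=8)  # the 1-8 hour window described above
BREAK_GLASS_UPNS = {"emergency1@contoso.example", "emergency2@contoso.example"}
# Constructed policy: roles whose activation must carry an approval.
APPROVAL_REQUIRED = {"Global Administrator"}

# Constructed sample records. "pim_activation" entries stand in for the
# "Add member to role completed (PIM activation)" audit event; "sign_in"
# entries stand in for interactive sign-in log rows.
SAMPLE_RECORDS = [
    {"kind": "pim_activation", "time": "2026-03-02T08:00:00Z", "user": "alice@contoso.example",
     "role": "Global Administrator", "hours": 2, "justification": "INC-1234 tenant config",
     "mfa": True, "approved_by": "manager@contoso.example"},
    {"kind": "pim_activation", "time": "2026-03-02T09:15:00Z", "user": "bob@contoso.example",
     "role": "Exchange Administrator", "hours": 8, "justification": "", "mfa": True,
     "approved_by": None},
    {"kind": "pim_activation", "time": "2026-03-02T22:40:00Z", "user": "carol@contoso.example",
     "role": "Global Administrator", "hours": 12, "justification": "overnight migration",
     "mfa": False, "approved_by": None},
    {"kind": "sign_in", "time": "2026-03-03T03:12:00Z", "user": "emergency1@contoso.example",
     "ip": "203.0.113.7", "result": "success"},
]


def parse_time(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form used in the sample records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def review_records(records: list[dict], break_glass: set[str] = BREAK_GLASS_UPNS) -> list[str]:
    """Return one alert per control deviation, oldest first."""
    alerts: list[str] = []
    for rec in sorted(records, key=lambda r: parse_time(r["time"])):
        when, user = rec["time"], rec["user"]
        if rec["kind"] == "sign_in":
            # Break-glass accounts sit outside PIM, so every use is reviewed.
            if user in break_glass:
                alerts.append(f"{when} break-glass sign-in by {user} from {rec['ip']}")
            continue
        if rec["kind"] != "pim_activation":
            continue
        role = rec["role"]
        if user in break_glass:
            alerts.append(f"{when} {user} activated {role} via PIM (should be excluded)")
        if timedelta(hours=rec["hours"]) > MAX_ACTIVATION:
            alerts.append(f"{when} {user}: {role} activation of {rec['hours']}h exceeds 8h")
        if not rec["justification"].strip():
            alerts.append(f"{when} {user}: {role} activation without justification")
        if not rec["mfa"]:
            alerts.append(f"{when} {user}: {role} activation without MFA")
        if role in APPROVAL_REQUIRED and not rec["approved_by"]:
            alerts.append(f"{when} {user}: {role} activated without approval")
    return alerts


if __name__ == "__main__":
    for alert in review_records(SAMPLE_RECORDS):
        print("ALERT:", alert)
```

Alice's activation passes every check; Bob's is missing a justification, Carol's breaks three controls at once, and the emergency account's sign-in is surfaced regardless of outcome.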
Identity governance
Entra ID Governance automates the lifecycle of user access — from onboarding to offboarding.
- Entitlement management — users request access to resources through access packages. Approvers are defined by policy.
- Access reviews — resource owners re-approve access on a schedule (quarterly for most, monthly for high-risk). Non-responses auto-remove access.
- Lifecycle workflows — automate provisioning and deprovisioning triggered by HR system events (hire, transfer, departure).
- Separation of duties — incompatible role combinations are blocked automatically (no user can hold conflicting access roles simultaneously).
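Two of the governance behaviours above, separation-of-duties blocking and the access-review rule that a non-response removes access, are simple enough to show end to end. The following is an added example, not Entra ID Governance code: the role names, the incompatible pairs, the assignments and the review decisions are constructed for illustration.

```python
"""Separation-of-duties check and access-review outcome over constructed assignments.

Added example, not Entra ID Governance code. Roles, pairs and decisions are constructed.
"""
from __future__ import annotations

from itertools import combinations

# Constructed policy: pairs of roles no single user may hold at the same time.
INCOMPATIBLE_PAIRS = {
    frozenset({"Accounts Payable Approver", "Vendor Master Editor"}),
    frozenset({"Payroll Administrator", "Payroll Auditor"}),
}

# Constructed current assignments (user -> roles held).
ASSIGNMENTS = {
    "dana@contoso.example": {"Accounts Payable Approver", "Vendor Master Editor"},
    "eli@contoso.example": {"Payroll Administrator"},
    "fay@contoso.example": {"Payroll Auditor", "Vendor Master Editor"},
}


def sod_violations(assignments: dict, incompatible=INCOMPATIBLE_PAIRS) -> list[tuple]:
    """List (user, role_a, role_b) for every incompatible pair a user currently holds."""
    found = []
    for user, roles in sorted(assignments.items()):
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in incompatible:
                found.append((user, a, b))
    return found


def would_violate(assignments: dict, user: str, new_role: str,
                  incompatible=INCOMPATIBLE_PAIRS) -> bool:
    """Pre-check for an access-package request that would grant new_role to user."""
    held = assignments.get(user, set())
    return any(frozenset({new_role, r}) in incompatible for r in held)


def apply_access_review(assignments: dict, role: str, decisions: dict) -> tuple[dict, list[str]]:
    """Apply a review of one role. Reviewers answered "approve" or "deny" per user;
    a user with no recorded decision is treated as denied and loses the role."""
    updated = {u: set(r) for u, r in assignments.items()}
    removed = []
    for user, roles in updated.items():
        if role in roles and decisions.get(user) != "approve":
            roles.discard(role)
            removed.append(user)
    return updated, sorted(removed)


if __name__ == "__main__":
    print("SoD violations:", sod_violations(ASSIGNMENTS))
    print("eli -> Payroll Auditor allowed?", not would_violate(ASSIGNMENTS, "eli@contoso.example", "Payroll Auditor"))
    after, removed = apply_access_review(ASSIGNMENTS, "Vendor Master Editor",
                                         {"fay@contoso.example": "approve"})
    print("removed by review:", removed, "remaining violations:", sod_violations(after))
```

In the sample, Dana's existing assignment is the one SoD violation, Eli's request for Payroll Auditor would be blocked before it is granted, and a review of Vendor Master Editor in which only Fay's owner responds strips the role from Dana, which also clears the violation.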
Enterprise SSO
Entra ID provides SSO for 5,000+ pre-integrated SaaS applications in the Azure AD app gallery, plus custom application integration via SAML 2.0, OpenID Connect, and OAuth 2.0.
- Users authenticate once with their corporate credentials — then access all SSO-integrated applications without re-entering passwords.
- Conditional Access policies apply to every SSO-federated application — not just Microsoft apps.
- App Proxy extends SSO to on-premises web applications without a VPN.
Frequently asked questions
What is Microsoft Entra ID?
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud identity and access management platform.
It provides authentication, authorization, SSO, MFA, Conditional Access, and identity governance for Microsoft 365, Azure, and thousands of third-party SaaS applications. It is the identity layer of the Microsoft Zero Trust security model.
What is the difference between Entra ID P1 and P2?
P1 adds Conditional Access, Entra Application Proxy, and hybrid identity. P2 adds Identity Protection (risk-based Conditional Access), Privileged Identity Management (PIM), and Entra ID Governance (access reviews, entitlement management). Regulated industries typically require P2. P2 is included in Microsoft 365 E5.
What is Privileged Identity Management?
PIM provides just-in-time admin access. Admins have no standing privileged roles — they request time-limited elevation (1–8 hours) with MFA, business justification, and optional manager approval. All activations are logged. PIM eliminates the risk of permanent standing admin accounts being compromised.
How many enterprise identity deployments has EPC Group completed?
300+ across healthcare, financial services, education, and government. EPC Group was the oldest continuous Microsoft Gold Partner in North America (2003–2022) and currently holds core Microsoft Solutions Partner designations including Security.
What is Continuous Access Evaluation?
CAE is a protocol that allows Microsoft 365 resources to revoke access tokens in near-real-time when a security event occurs — account disabled, password changed, high-risk sign-in detected, or location change. Without CAE, compromised tokens remain valid for 60–90 minutes after the triggering event.
Schedule an Entra ID assessment
Talk to an EPC Group identity architect about your Entra ID deployment or migration. Call (888) 381-9725 or request a discovery call.
Frequently Asked Questions
What is Microsoft Entra ID and how does it differ from Azure Active Directory?
Microsoft Entra ID is the renamed and expanded version of Azure Active Directory. As of 2024, Microsoft rebranded Azure AD to Entra ID to reflect its broader scope beyond Azure. Entra ID is the cloud-based identity and access management (IAM) platform that manages authentication and authorization for Microsoft 365, Azure, and thousands of SaaS applications. All Azure AD features, APIs, and licensing remain identical under the Entra ID brand. The Entra family also includes Entra External ID (B2B/B2C), Entra Permissions Management (CIEM), Entra Verified ID (decentralized identity), and Entra Internet Access/Private Access (SSE).
What Entra ID license do I need for Conditional Access?
Conditional Access requires Microsoft Entra ID P1 (included in Microsoft 365 E3/Business Premium) at minimum. Basic policies like requiring MFA for all users or blocking legacy authentication work with P1. Advanced features — risk-based Conditional Access (sign-in risk, user risk), token protection, and authentication context — require Entra ID P2 (included in Microsoft 365 E5). Organizations with E5 licensing get the full Conditional Access engine including continuous access evaluation and GPS-based named locations.
How does Privileged Identity Management (PIM) work in Entra ID?
PIM provides just-in-time (JIT) privileged access to Entra ID and Azure roles. Instead of permanent role assignments, administrators activate their roles on demand for a defined duration (typically 1-8 hours). PIM supports approval workflows, MFA enforcement on activation, justification requirements, and notification alerts. It covers Entra ID roles (Global Admin, Exchange Admin, etc.), Azure RBAC roles (Subscription Owner, Resource Group Contributor), and PIM for Groups (privileged access groups). PIM requires Entra ID P2 licensing.
What is the difference between Entra External ID for B2B and B2C?
Entra External ID B2B enables collaboration with external partners who authenticate using their own organization identity (federated) or a one-time passcode. B2B guests appear in your directory and can access SharePoint, Teams, and internal applications. Entra External ID B2C (now called External ID with CIAM features) is a customer-facing identity platform for consumer or customer-facing applications. B2C supports social identity providers (Google, Facebook, Apple), custom sign-up flows, and scales to millions of users. B2B is included in all Entra ID licenses; B2C pricing is based on monthly active users (first 50,000 MAU free).
How do I implement Zero Trust with Microsoft Entra ID?
Zero Trust implementation with Entra ID centers on three principles: verify explicitly, use least privilege access, and assume breach. Key configurations include: Conditional Access policies requiring MFA, compliant devices, and trusted locations for all users; Continuous Access Evaluation (CAE) to revoke sessions in near-real-time; Privileged Identity Management (PIM) for just-in-time admin access; Identity Protection for automated risk detection and remediation; App Consent policies to prevent illicit consent grant attacks; and cross-tenant access settings for B2B. EPC Group implements Zero Trust in phases over 90-120 days, starting with MFA enforcement and progressing to device compliance and risk-based policies.
