Microsoft Solutions Partner — Security · 11,000+ engagements

Microsoft Entra ID Enterprise Guide (2026)

The unified Microsoft identity platform — Entra ID, External ID, Permissions Management, Verified ID, ID Governance, Private Access, Internet Access, and Workload ID. Workforce, customer, partner, and workload identity under one control plane, delivered by a senior-architect-led 29-year Microsoft Solutions Partner.

Book an Entra briefing Call 888-381-9725

What is Microsoft Entra ID and how do enterprises deploy unified identity across users, workloads, and customers? Microsoft Entra ID is the unified Microsoft identity platform — formerly Azure Active Directory, now expanded to cover eight underlying products spanning workforce identity (Entra ID), customer and partner identity (Entra External ID), multi-cloud entitlement management (Entra Permissions Management), decentralized identity (Entra Verified ID), identity governance (Entra ID Governance), Zero Trust network access (Entra Private Access), Secure Service Edge (Entra Internet Access), and identity for apps and services (Entra Workload ID). Enterprises deploy it through a five-phase Assess, Architecture, Conditional Access baseline, Identity Governance, Operate program that activates the P2-gated controls — Conditional Access, PIM, Identity Protection — most Microsoft 365 E5 customers license but never turn on, and stands up the identity foundation Defender XDR, Sentinel, and Purview all depend on.

Microsoft Entra ID is the unified Microsoft identity platform — eight products spanning workforce, customer, partner, multi-cloud, and workload identity. Most enterprises license Entra ID Premium P2 through Microsoft 365 E5 but activate only the basic SSO and MFA capabilities. EPC Group activates the P2 controls — Conditional Access, PIM, Identity Protection — and stands up the identity foundation Defender XDR, Sentinel, and Purview all depend on, under a fixed-fee five-phase accelerator.

Key Facts

Eight Entra products: Entra ID, External ID, Permissions Management, Verified ID, ID Governance, Private Access, Internet Access, Workload ID
Entra ID is the new name for Azure Active Directory — same product, expanded family
Premium P2 unlocks Identity Protection, PIM, and risk-based Conditional Access — required for any regulated enterprise
Conditional Access is the policy engine combining user, device, location, application, and risk signals
SMS and voice MFA are deprecated — passkeys, Windows Hello, and FIDO2 are the phish-resistant alternatives
Identity is the foundational signal source for Defender XDR, Microsoft Sentinel, and label-aware Purview Copilot grounding
EPC Group five-phase Accelerator delivers full activation in 8 to 16 weeks, fixed-fee $200K to $700K
29-year Microsoft Solutions Partner, 70+ Fortune 500 clients, 216+ M&A tenant consolidations

The eight Microsoft Entra products — what each does and what it requires

Microsoft Entra is one identity brand spanning eight underlying products. Most enterprises start with basic Entra ID for Microsoft 365 SSO and underutilize the rest of the family — leaving Identity Protection, PIM, ID Governance, Permissions Management, Private Access, Internet Access, and Workload ID dormant despite owning them under Microsoft 365 E5 or the Entra Suite.

Entra ID — the core workforce identity platform

What it does: Entra ID (formerly Azure Active Directory) is the identity provider for Microsoft 365, Azure, and 30,000+ pre-integrated SaaS applications in the Entra application gallery. It is the SSO, MFA, Conditional Access, Identity Protection, and Privileged Identity Management plane every Microsoft tenant runs whether the customer realizes it or not. Premium P1 unlocks Conditional Access, dynamic groups, self-service password reset writeback, and Entra Connect Health. Premium P2 adds risk-based Conditional Access, Identity Protection, Privileged Identity Management (PIM) just-in-time elevation, and Access Reviews.

Single sign-on across Microsoft 365, Azure, and 30,000+ pre-integrated SaaS apps in the Entra gallery
Conditional Access policy engine combining user, device, location, application, and risk signals
Identity Protection — sign-in risk and user risk scoring backed by Microsoft Security Graph
Privileged Identity Management — just-in-time elevation, approval workflows, and access reviews for privileged roles
Self-service password reset with writeback to on-premises Active Directory

Licensing: Microsoft Entra ID Free is bundled with Azure and Microsoft 365 subscriptions. Premium P1 is included in Microsoft 365 E3, F3, and Business Premium. Premium P2 — required for Identity Protection, PIM, and risk-based Conditional Access — is included only in Microsoft 365 E5 or the standalone Entra ID P2 SKU. Every regulated-industry enterprise EPC Group assesses should be running P2 tenant-wide.

Entra External ID — B2C, B2B, and customer identity

What it does: Entra External ID is the unified customer and partner identity platform that supersedes Azure AD B2C and the original B2B collaboration feature. It is the platform for consumer-facing apps (customer portals, mobile apps, e-commerce sign-in), partner federation (vendor self-service portals, B2B collaboration with guest users), and citizen identity for government services. It supports email + password, phone OTP, social identity providers (Google, Facebook, Apple, LinkedIn), and SAML/OIDC federation with external Entra tenants, Okta, Ping, and any standards-based identity provider.

Branded sign-in experiences with custom HTML/CSS, custom domains, and conditional UX flows
Social identity provider integration — Google, Facebook, Apple, LinkedIn, Microsoft personal accounts
B2B guest collaboration with cross-tenant access settings, mutual trust controls, and identity governance for guests
Custom user attributes, MFA enforcement at the consumer tier, and Conditional Access for external users
Migrates legacy Azure AD B2C tenants and consolidates B2B + B2C into a single customer identity plane

Licensing: Entra External ID is priced per monthly active user (MAU) — the first 50,000 MAUs are free, with tiered pricing above. B2B guest user collaboration in workforce tenants is included in Entra ID Premium and billed at one paid user per five external collaborators under the External Identities billing model.

Entra Permissions Management — multi-cloud CIEM

What it does: Permissions Management is the Cloud Infrastructure Entitlement Management (CIEM) plane spanning Microsoft Azure, Amazon Web Services, and Google Cloud Platform. It discovers every identity (human and workload) across all three clouds, calculates the Permission Creep Index (PCI) for each identity, recommends right-sized permissions, and produces continuous evidence for least-privilege compliance. It is what closes the gap between identity governance (which roles users hold) and cloud entitlement governance (what those roles can actually do at the cloud-resource level).

Multi-cloud discovery across Azure subscriptions, AWS accounts, and GCP projects in a single pane
Permission Creep Index (PCI) score per identity, ranking 0-100 by gap between assigned and used permissions
Just-in-time permission elevation for cloud resources with approval workflows and time-bound grants
Anomaly detection on unusual permission use patterns — privileged role assumption from unusual location or time
Continuous compliance reporting for least-privilege control claims under FedRAMP, SOC 2, ISO 27001

Licensing: Entra Permissions Management is a standalone SKU priced per cloud resource billed monthly. Not included in Microsoft 365 E5. Sold as part of the Entra Suite or standalone — customers running serious workloads in AWS or GCP alongside Azure are the primary buyer profile.

Entra Verified ID — decentralized identity credentials

What it does: Verified ID is the decentralized identity (DID) plane based on the W3C Decentralized Identifiers and Verifiable Credentials standards. It lets organizations issue and verify cryptographically signed credentials — employment verification, professional licenses, training completion, partner attestations, age verification — without a centralized identity provider in the verification path. Real enterprise use cases are employee onboarding (replace document upload with verified credentials), partner verification (verify a contractor holds the required certification), and HR rehire (verify prior employment from the original employer).

Issue credentials backed by the Entra tenant as the trust anchor with cryptographic signing
Verify credentials issued by any compliant DID issuer without round-tripping the issuer tenant
Standards-aligned with W3C Verifiable Credentials, DID specifications, and OpenID for Verifiable Credentials
Onboarding flow integration — Microsoft Authenticator wallet plus custom mobile wallet SDK
Real revocation, real auditability, and real verification without bilateral integration agreements

Licensing: Verified ID is included in Microsoft Entra ID Premium P1 and P2. Per-verification charges apply above included quotas. The economics work for any onboarding pattern with above 5,000 verifications per year.

Entra ID Governance — access reviews, entitlement, lifecycle

What it does: ID Governance is the identity governance and administration (IGA) plane covering access reviews, entitlement management (access packages with approval workflows), lifecycle workflows (joiner-mover-leaver automation), and separation of duties. It is the platform that replaces legacy SailPoint, Saviynt, or Oracle Identity Governance deployments for Microsoft-centric customers — or runs alongside them as the Microsoft-resource governance layer when an enterprise IGA platform owns the cross-platform story.

Access reviews for groups, applications, and privileged roles with multi-stage reviewer chains
Entitlement management — access packages bundling roles, groups, and app assignments with approval flows
Lifecycle workflows — automated joiner (provisioning), mover (role change), leaver (de-provisioning) with HR-system triggers
Separation of duties — incompatible access package detection blocking risky combinations before assignment
Connect HR system (Workday, SAP SuccessFactors, ServiceNow HR) as the authoritative joiner-mover-leaver source

Licensing: Entra ID Governance is a standalone SKU layered on top of Entra ID Premium P2. Priced per governed user. Included in the Entra Suite. Required for any enterprise serious about closing the joiner-mover-leaver lag — the typical pre-deployment finding is twelve to twenty-five percent of active accounts belong to users who left more than ninety days ago.

Entra Private Access — ZTNA replacement for VPN

What it does: Private Access is the Zero Trust Network Access (ZTNA) plane for private corporate applications — the modern replacement for site-to-site VPN, Citrix NetScaler, or F5 BIG-IP remote access. It tunnels access from any endpoint to private apps (on-premises, in private datacenters, in any cloud VPC) through the Microsoft global network with Conditional Access, MFA, and Identity Protection signals enforced before the tunnel establishes. Users get app-by-app access not network-segment access — closing the implicit-trust gap legacy VPN created.

Replace legacy VPN, Citrix Gateway, or F5 APM with per-app ZTNA tunnels
Conditional Access, MFA, and Identity Protection enforced before tunnel establishes
Per-app network access — no flat network-segment access — eliminating lateral-movement risk after credential compromise
Microsoft global network as the data plane — co-located with Microsoft 365 and Azure egress for latency control
Connector deployment inside private network advertising apps to the Entra cloud control plane

Licensing: Entra Private Access is part of the Entra Suite. Priced per user. Replaces VPN concentrator licensing, MFA appliance licensing, and per-user remote access licensing — payback typically inside year one for any enterprise running legacy VPN at scale.

Entra Internet Access — SSE/SWG for outbound web

What it does: Internet Access is the Secure Service Edge (SSE) and Secure Web Gateway (SWG) plane for outbound web traffic — the modern replacement for on-premises web proxies (BlueCoat, Zscaler, McAfee Web Gateway). It enforces Conditional Access, content filtering, and Microsoft 365 traffic acceleration on every outbound web session from a managed endpoint. The Microsoft 365 traffic acceleration is the differentiator — outbound Microsoft 365 traffic is bypassed efficiently to the closest Microsoft front-door rather than backhauled through the proxy, fixing the Office 365 performance problem legacy SWG architectures create.

Secure Web Gateway for outbound web traffic with URL filtering, malware scanning, and Conditional Access
Microsoft 365 traffic acceleration with localized egress to the nearest Microsoft front-door
Tenant restrictions v2 — block sign-in to non-corporate Microsoft tenants from corporate devices
Universal Conditional Access — extend Conditional Access policies to network-layer signals
Microsoft 365 + Internet Access + Private Access deliver the unified Microsoft SSE story

Licensing: Entra Internet Access is part of the Entra Suite. Priced per user. Sold alongside Private Access — most customers buy them together as the unified SSE bundle.

Entra Workload ID — identity for apps and services

What it does: Workload ID is the identity plane for non-human identities — applications, services, scripts, automation, CI/CD pipelines, Azure managed identities, federated credentials for GitHub Actions and Kubernetes service accounts. It applies Conditional Access, sign-in risk detection, and access reviews to workload identities the same way Entra ID applies them to human users. Closes the unmanaged-service-principal gap that is the single largest unmanaged attack surface in modern Azure tenants.

Conditional Access for workload identities — block service principal sign-in from unusual locations or risky IPs
Identity Protection for workload identities — risk scoring on service principals and managed identities
Access reviews for workload identities — periodic reviewer attestation of service principal ownership and necessity
Federated credentials replace stored secrets — GitHub Actions, Kubernetes service accounts authenticate without secret rotation
Discovery and inventory across Azure subscriptions of dormant, abandoned, or over-privileged service principals

Licensing: Entra Workload ID Premium is a per-workload-identity SKU sold standalone or as part of the Entra Suite. Free tier covers basic managed identities. Premium adds Conditional Access, Identity Protection, and access reviews for workloads — the controls every Azure-native enterprise needs and most have not turned on.

The policy engine

Conditional Access is the most important control in the entire Microsoft security stack

Every other Entra capability flows through Conditional Access. Identity Protection signals feed the risk conditions. PIM elevation triggers the privileged-role requirements. External ID guests inherit the external-user policies. Private Access tunnels are gated by Conditional Access before they establish. Internet Access enforces it at the network layer. Defender for Cloud Apps applies it to sanctioned SaaS. Microsoft Intune surfaces device compliance signals into it. It is the policy engine that combines user, device, location, application, and risk signals into a real-time grant or block decision on every sign-in.

Signals — who, what, where

User attributes, group membership, role assignment, device compliance state, device trust, sign-in location, network range, application identifier, and Identity Protection risk score all enter the policy engine as signals on every sign-in.

Policies — the decision rules

Named policies combine signals into conditions and map to grant or block actions — require MFA, require phish-resistant MFA, require compliant device, require approved client app, session controls, terms of use, or outright block.

Grants — the enforcement

Allow with MFA, allow with compliant device, allow with approved client app, allow with session controls and terms of use accepted, or block. Every decision is audit-logged with the actor, signals, policy, and outcome.

Six Entra deployment patterns

Every Entra engagement composes from six deployment patterns. Most enterprises run a hybrid AD baseline plus one regulatory pattern in parallel; multi-cloud SSO and M&A consolidation patterns appear as Year-2 phases sequenced after the workforce identity tenant is hardened.

Pattern 1 — Greenfield M365 + Entra (no on-prem identity)

The greenfield pattern is the cleanest starting point — a brand new Entra tenant with no on-premises Active Directory dependency. EPC Group ships a tenant-baseline Conditional Access policy set (block legacy authentication, require MFA, require compliant device for admin roles, sign-in risk-based step-up for users), Entra ID P2 enabled tenant-wide, Identity Protection active, PIM enforced for every privileged role, and Workday or BambooHR connected as the joiner-mover-leaver source. The deliverable is a cloud-native identity tenant with no on-premises sync, no AD FS, and no synchronization break-points. Most M&A spin-out scenarios and net-new businesses launch this way.

Pattern 2 — Hybrid AD + Entra (Entra Connect Cloud Sync)

The hybrid pattern is the most common enterprise reality — on-premises Active Directory remains the authoritative directory for legacy applications, but Entra is the cloud identity plane for Microsoft 365, Azure, and SaaS. EPC Group migrates from legacy Entra Connect (Sync) to Entra Connect Cloud Sync where the topology supports it, decommissions any remaining AD FS in favor of Entra federation, applies password hash sync or pass-through authentication, and stands up Entra Connect Health for sync monitoring. Conditional Access policies apply to all cloud sign-in regardless of on-premises source. The deliverable is a cloud-first hybrid model where on-premises AD is a synchronization source — not the federation plane.

Pattern 3 — Multi-cloud SSO across Azure + AWS + GCP

The multi-cloud pattern uses Entra ID as the SSO and SCIM provisioning plane across Azure (native), AWS (via IAM Identity Center federation), and GCP (via Google Cloud Identity federation). Entra Permissions Management runs underneath, surfacing the Permission Creep Index across all three clouds. EPC Group standardizes the joiner-mover-leaver workflow into AWS and GCP — when a user leaves Entra (HR triggers de-provisioning), the cascading de-provisioning fires across AWS IAM Identity Center and GCP Cloud Identity within minutes. This is the architecture our multi-cloud orchestration hub at /microsoft-azure-aws-gcp-multi-cloud-orchestration assumes underneath.

Pattern 4 — B2C customer portal (Entra External ID)

The customer identity pattern uses Entra External ID for consumer-facing applications — patient portals (healthcare), member portals (insurance, credit union), customer self-service portals (utilities, retail), or citizen-services portals (state and local government). EPC Group ships custom-branded sign-in experiences, social identity provider integration (Google, Apple, Facebook for consumer; SAML federation for enterprise B2B partners), MFA enforcement, Conditional Access for external users, and OAuth/OIDC integration with the customer application stack. Legacy Azure AD B2C tenants migrate into Entra External ID — Microsoft has set the legacy product into maintenance mode and customers running on it are on a multi-year migration clock.

Pattern 5 — Regulated workforce (PIM + Identity Protection + Conditional Access baseline)

The regulated-workforce pattern is the EPC Group fixed-fee deliverable for healthcare (HIPAA), financial services (FINRA, GLBA, SOX), government contractors (CMMC, ITAR), and life sciences (GxP, 21 CFR Part 11). It anchors on the tenant-baseline Conditional Access policy set hardened to industry-specific requirements, Identity Protection tuned to the customer threat model, PIM enforced for every privileged role with multi-approver workflows for the highest-tier roles, Access Reviews scheduled quarterly for app and role assignments, and audit-log export to Microsoft Sentinel for long-term retention. The deliverable is a tenant configuration auditors will accept against the customer regulatory profile with evidence-package output from Compliance Manager.

Pattern 6 — M&A consolidation (cross-tenant access + B2B + Entra Connect strategy)

The M&A pattern is the EPC Group differentiated capability — 216+ M&A tenant consolidations covering 1.83 million users across 2023-2025. EPC Group stands up cross-tenant access settings between the acquirer and target tenants on Day 1 (B2B trust without merging directories), runs the Entra Connect strategy for source-tenant on-premises AD (sync into source tenant, then sync into target tenant, then decommission source), migrates user mailboxes, OneDrive, SharePoint, and Teams under the cross-tenant migration framework, and lands every user in the acquirer tenant with identity continuity preserved. This is the only pattern where Entra Permissions Management is mandatory from Day 1 — the acquired Azure subscriptions arrive with completely unknown permission topology and PCI scoring is the only path to safe consolidation.

Phish-resistant MFA

SMS MFA is deprecated. Passkeys, Windows Hello, and FIDO2 are the new baseline.

Adversary-in-the-middle (AiTM) phishing kits — Evilginx, Modlishka, and their commercial successors — proxy the full sign-in flow including SMS or push-notification MFA in real time, completing the sign-in and stealing the session cookie. SMS is additionally vulnerable to SIM swap and signaling-protocol attacks. The phish-resistant alternatives bind the credential to the device using FIDO2 cryptography, making AiTM proxy attacks impossible. Every enterprise EPC Group assesses should have an active migration plan to phish-resistant methods for all privileged roles within thirty days and all users within twelve months.

Passkeys (Microsoft Authenticator)

Device-bound FIDO2 credential synced through the Microsoft Authenticator app. Zero hardware cost, biometric or PIN unlock, phish-resistant. The recommended default for most users.

Windows Hello for Business

Hardware-backed credential in the TPM with biometric or PIN unlock. Native to Windows 11. Zero additional cost. Recommended for Windows endpoints — same security guarantees as FIDO2 hardware keys.

FIDO2 hardware keys

YubiKey, Feitian, SoloKeys. Required for break-glass accounts. Recommended for Tier-0 privileged roles. The strongest phish-resistant credential available.

Deprecated — SMS, voice, email OTP

SMS, voice call, and email-link OTP are vulnerable to SIM swap, signaling attacks, and AiTM phishing. Microsoft has set them to deprecated for enterprise enforcement and they should be removed from available authentication methods after migration.

Identity is the foundation

Identity is the foundational signal source for Defender XDR, Sentinel, and Purview

The Microsoft security stack is layered. Defender XDR correlates threat signals across endpoint, identity, email, cloud apps, and cloud workload — and the identity correlation comes from Entra. Microsoft Sentinel ingests Entra sign-in logs, audit logs, and Identity Protection alerts as the most signal-dense data source in the SIEM. Microsoft Purview enforces label-aware Copilot grounding using the Entra-authenticated user identity to scope retrieval. When identity moves, every downstream control moves with it — when identity is dormant, every downstream control degrades to pattern matching against anonymous events.

Defender XDR

Identity-correlated threat detection across endpoint, identity, email, cloud apps, and cloud workload.

Microsoft Sentinel

Entra sign-in, audit, and Identity Protection logs are the most signal-dense data source in the SIEM.

Microsoft Purview

Label-aware Copilot grounding scopes retrieval to the Entra-authenticated user identity.

Cross-link to our Microsoft Cloud Orchestrator hub for the broader orchestration story under which Entra is the identity plane that every other Microsoft cloud workload depends on.

Governance and compliance — Entra controls mapped to your regulatory reality

Entra controls map directly to HIPAA, FINRA, GLBA, FedRAMP, CMMC, GxP, GDPR, and ISO 27001. Phish-resistant MFA, PIM with just-in-time elevation, Conditional Access with risk-based step-up, and Access Reviews are the named controls every modern audit framework expects. EPC Group ships the audit-ready evidence package — Conditional Access policy export, PIM role assignment history, Identity Protection alert log, and Access Review completion record — as part of the Phase 5 Operate deliverable. See our standards alignment library for the full mapping.

HIPAA

SOC 2

FedRAMP

FINRA

CMMC

GxP

The EPC Group Entra Accelerator — five phases, fixed fee

The accelerator anchors on The EPC Group Lifecycle — Assess, Architecture, Conditional Access baseline, Identity Governance, Operate. Fixed-scope between $200,000 and $700,000 depending on tenant scale, regulatory scope, and managed-service tail. Senior-architect led, no offshore handoff.

Phase 1 — Assess

Identity maturity assessment in three weeks

Phase one inventories every Entra license the tenant owns, every product in the Entra Suite that is licensed, every Conditional Access policy in place, every privileged role assignment, every dormant service principal, and every gap against the customer regulatory profile. EPC Group ships a costed activation roadmap, a risk-weighted backlog, and a board-ready decision package anchoring on the Assess stage of the EPC Group Lifecycle.

License inventory — Entra ID Free, P1, P2, ID Governance, Permissions Management, External ID, Entra Suite
Capability-level audit — Conditional Access coverage, PIM enforcement, Identity Protection signal volume, Access Review cadence
Privileged role census — Global Administrator, Privileged Role Administrator, every Tier-0 role in current assignment
Workload identity inventory — service principals, managed identities, dormant credentials, federated credentials
Activation backlog with effort, sequence, dependency annotations, and Year-1 and Year-2 phasing

Phase 2 — Architecture

Target-state identity architecture and Conditional Access design

Phase two designs the target-state identity architecture. EPC Group documents the tenant topology (single tenant, multi-tenant, B2B trust mesh), the synchronization model (cloud-only, Entra Connect Cloud Sync, legacy Entra Connect), the federation surface (Entra-native, AD FS retirement plan), and the named Conditional Access policy set the customer will run. This is the architectural artifact a CIO and CISO sign before any production change happens.

Tenant topology design — workforce tenant, External ID tenant, any subsidiary tenants
Synchronization model — Entra Connect Cloud Sync vs legacy Sync vs cloud-only
Named Conditional Access policy set — typically 12-18 policies covering admin, user, device, location, risk, and break-glass scenarios
PIM role design — Tier-0, Tier-1, Tier-2 role separation with approval workflows for Tier-0 elevation
Identity Protection tuning baseline — risk thresholds, exclusions, response actions

Phase 3 — Conditional Access baseline

The 12-policy enterprise Conditional Access baseline

Phase three deploys the Conditional Access baseline. EPC Group ships in audit-only mode for fourteen days, runs the false-positive review window, builds the break-glass account configuration with dedicated FIDO2 keys stored in a sealed envelope, and only then promotes policies to enforce. The baseline blocks legacy authentication tenant-wide, requires MFA for all users, requires phish-resistant MFA for admins, requires compliant device for privileged roles, and applies sign-in risk-based step-up for all users.

Twelve-policy Conditional Access baseline covering all major risk surfaces
Audit-to-enforce migration with fourteen-day false-positive review window
Break-glass account configuration — two dedicated accounts with FIDO2 keys in sealed envelopes
Legacy authentication block tenant-wide — IMAP, POP, SMTP-AUTH, basic auth retirement
Phish-resistant MFA enforcement for privileged roles — passkeys, Windows Hello, FIDO2 only

Phase 4 — Identity Governance

PIM, Access Reviews, entitlement management, lifecycle workflows

Phase four operationalizes Identity Governance. EPC Group enforces PIM on every Tier-0 and Tier-1 role with approval workflows, schedules quarterly Access Reviews on application assignments and privileged groups, builds access packages bundling roles and group assignments for the most common joiner scenarios, and connects the HR system (Workday, SAP SuccessFactors) as the authoritative joiner-mover-leaver source.

PIM enforced for every Tier-0 and Tier-1 role with multi-approver workflows for the highest tier
Access Reviews scheduled quarterly with reviewer assignment, rotation, and escalation rules
Access packages built for top ten joiner scenarios with approval workflow and time-bound assignment
Lifecycle workflows connected to HR system — joiner provisioning, mover role change, leaver de-provisioning
Separation of duties policies blocking incompatible access package combinations before assignment

Phase 5 — Operate

Managed Entra with senior-architect escalation

Phase five is steady-state operation. EPC Group provides managed Entra services — Conditional Access policy evolution, PIM approver health, Identity Protection alert triage, Access Review completion governance, dormant credential cleanup, and quarterly identity steering committee output. Senior-architect on-call escalation for incident-tier identity events. Identity is the foundation under the broader Microsoft security stack — when identity moves, every downstream control moves with it.

Monthly identity health report — Conditional Access coverage, PIM activation rate, Identity Protection alert volume
Quarterly Access Review completion governance — escalation for stalled reviews, regulator-ready evidence packages
Continuous dormant service principal and credential cleanup
Senior-architect on-call escalation for identity incidents — credential compromise, mass sign-in failure, federation outage

Continue exploring the EPC Group enterprise Microsoft library

Entra is the identity plane under which the Microsoft security stack — Defender XDR, Sentinel, Purview — and the broader Microsoft Cloud orchestration story all operate. These hubs and analyses cover adjacent and complementary territory.

Microsoft Defender XDR enterprise guide

Identity-correlated threat detection across endpoint, identity, email, cloud apps, and cloud workload — built on the Entra identity signal foundation.

Microsoft Sentinel SIEM enterprise guide

The SIEM and SOAR platform that ingests Entra sign-in, audit, and Identity Protection logs as its most signal-dense data source.

Microsoft Purview data governance guide

Label-aware Copilot grounding scopes retrieval to the Entra-authenticated user identity — Purview rides on Entra.

Entra ID vs Okta — enterprise identity comparison

Side-by-side decision framework for Microsoft-centric enterprises evaluating consolidation from Okta to Entra ID.

Standards alignment library

HIPAA, FINRA, GLBA, FedRAMP, CMMC, GxP, GDPR, and ISO 27001 control mappings for Microsoft Entra ID.

Microsoft Cloud Orchestrator

The end-to-end Microsoft cloud orchestration model under which Entra is the identity plane every workload depends on.

Azure + AWS + GCP multi-cloud orchestration

Multi-cloud SSO via Entra ID with Entra Permissions Management providing CIEM across all three clouds.

Microsoft 365 admin center enterprise guide

The administrative surface under which the Entra tenant configuration, license assignment, and group governance happens day to day.

Why EPC Group leads enterprise Entra deployments

Years Microsoft consulting

70+

Fortune 500 clients

216+

M&A tenant consolidations

1.83 million

Users migrated

Microsoft Solutions Partner — Security & Modern Work

Microsoft Solutions Partner with the Security and Modern Work designations plus four additional designations covering Infrastructure, Data & AI, Digital & App Innovation, and Business Applications. Senior architects average two decades of Microsoft platform delivery experience.

Four-time Microsoft Press author

Founder Errin O’Connor has nearly three decades of Microsoft consulting leadership and is a four-time Microsoft Press author across Power BI, SharePoint, Azure, and large-scale migrations.

Fixed-fee accelerators

Every Entra engagement is fixed-fee with a costed roadmap and a named senior architect on-record from kickoff through go-live. No T&M overruns, no offshore handoff, no junior-analyst-led production cutover.

Compliance-native

EPC Group is compliance-native across HIPAA, SOC 2, FedRAMP, FINRA, CMMC, and GxP. Entra deployments ship with audit-ready Conditional Access policy export, PIM history, Identity Protection log, and Access Review evidence — not generic screenshots.

Frequently asked questions — Microsoft Entra ID

What is the difference between Microsoft Entra ID and Azure Active Directory (Azure AD)?

Microsoft Entra ID is the new name for what was historically called Azure Active Directory (Azure AD). The product, the license, the API surface, the portal, and the tenant are identical — the rename was announced in July 2023 and rolled out across 2023-2024. Documentation, PowerShell modules, Graph API endpoints, and SDK names that still reference Azure AD will be aliased or renamed over time, but every Azure AD tenant is automatically an Entra ID tenant. The reason for the rename is that Microsoft expanded the brand to cover the broader identity portfolio — Entra External ID (customer/partner identity), Entra Permissions Management (multi-cloud CIEM), Entra Verified ID (decentralized identity), Entra ID Governance (IGA), Entra Private Access (ZTNA), Entra Internet Access (SSE), and Entra Workload ID (identity for apps and services). Azure AD did not cover those expansion areas, Entra does.

Is Entra ID Premium P1 sufficient or do I need P2?

Premium P1 is sufficient for tenants that need Conditional Access, dynamic groups, self-service password reset with on-premises writeback, and Microsoft Entra Connect Health monitoring. Premium P2 is required for any regulated-industry enterprise — it adds Identity Protection (sign-in risk and user risk scoring), Privileged Identity Management (just-in-time elevation, approval workflows, access reviews on privileged roles), and risk-based Conditional Access (the ability to escalate or block based on Identity Protection signals). The recommendation EPC Group gives every healthcare, financial services, government, and life sciences customer is uniform — P2 tenant-wide. The cost differential is small relative to what one credential compromise costs without Identity Protection and PIM in place. P1-only deployments invariably end up needing P2 within twelve months and then have to re-run the deployment to turn on the P2-gated controls.

What is the difference between B2B, B2C, and Entra External ID?

B2B (business-to-business) is the legacy term for guest user collaboration in workforce tenants — external partners invited as guests to access SharePoint sites, Teams, or applications inside the host tenant. B2C (business-to-consumer) was the legacy standalone product (Azure AD B2C) for customer-facing applications with branded sign-in, social identity providers, and custom user flows. Entra External ID is the consolidated platform — it absorbs both B2B and B2C into a single product with one billing model (monthly active users above the 50,000 free tier), one set of policy controls (Conditional Access for external users), and one administrative surface. Customers running on legacy Azure AD B2C tenants are on a migration clock — Microsoft has set the legacy product into maintenance mode and new customer development should target Entra External ID directly.

What policies should be in the Conditional Access baseline?

The EPC Group enterprise Conditional Access baseline ships with twelve named policies. Policy 1 — block legacy authentication tenant-wide (IMAP, POP, SMTP-AUTH, basic auth). Policy 2 — require MFA for all users. Policy 3 — require phish-resistant MFA (passkey, Windows Hello, FIDO2) for privileged roles. Policy 4 — require compliant device for privileged role activity. Policy 5 — sign-in risk-based step-up MFA for all users. Policy 6 — user risk-based password change for elevated user risk. Policy 7 — block sign-in from sanctioned countries or untrusted regions. Policy 8 — require approved client app for mobile access. Policy 9 — require compliant device for sensitive applications. Policy 10 — session controls for external users on labeled SharePoint content. Policy 11 — block tenant restrictions v2 violations. Policy 12 — break-glass account exclusions documented and audited. Every baseline policy ships in audit mode for fourteen days before enforce.

Can I replace Okta with Entra ID?

Yes — most Microsoft-centric enterprises that have Okta in production can consolidate to Entra ID with cost savings and a simpler administrative surface. The decision depends on three things — application coverage in the Entra application gallery (30,000+ pre-integrated SaaS apps cover most enterprise needs), the depth of Okta Workflows or Okta Lifecycle Management automation that has been built (these need re-implementation in Entra ID Governance), and any third-party Okta-specific integrations the customer has built. EPC Group runs the migration as a phased cutover — Entra ID stands up alongside Okta, applications cut over in waves, Okta is decommissioned at the end. Cross-link to our full comparison at /blog/microsoft-entra-id-vs-okta-enterprise-identity-2026 for the side-by-side decision framework.

Why does every enterprise need PIM for privileged accounts?

Standing privilege is the single largest credential-compromise risk in any tenant. A Global Administrator account that is permanently active is one credential away from full tenant compromise — and the data exfiltration window from a compromised standing-privileged credential is typically measured in days before detection. Privileged Identity Management (PIM) eliminates standing privilege — privileged roles are eligible by default and only become active for time-bound elevation windows (typically 1-8 hours) with optional approval workflows, MFA re-prompt, and justification capture. Every elevation is audit-logged with the actor, the role, the duration, the justification, and the approver if applicable. PIM is required for any audit framework that takes least-privilege seriously — FedRAMP, CMMC, SOC 2 Type II, HITRUST. Enabling PIM on Tier-0 roles is the single highest-leverage identity-security change most enterprises can make and is included in Microsoft 365 E5 / Entra ID P2.

What is a real enterprise use case for Entra Verified ID?

The clearest enterprise use case is employment verification for the gig economy and partner ecosystem — instead of asking a contractor to upload a PDF of their previous employment letter (which can be forged, scanned, or simply lost), the contractor presents a cryptographically signed credential issued by their prior employer via Entra Verified ID. The verifying enterprise validates the credential without contacting the issuing tenant — the W3C Verifiable Credentials standard makes the credential self-verifying through the issuer DID. Other strong use cases — professional license verification (Verified ID for nursing license, CPA license, attorney bar admission), training completion (verified completion of mandatory training before facility access), and partner attestations (certified vendor status, qualified subcontractor status). The pattern fits any high-volume verification workflow where the alternative is a manual document review and the trust anchor is an institutional issuer.

How do I migrate from SMS MFA to phish-resistant MFA?

SMS and voice-call MFA are deprecated for enterprise use — they are vulnerable to SIM swap, signaling protocol attacks, and adversary-in-the-middle phishing kits that proxy the OTP. The phish-resistant alternatives are passkeys (Microsoft Authenticator passkey, hardware FIDO2 security keys), Windows Hello for Business (hardware-backed biometric or PIN), and FIDO2 security keys (YubiKey, Feitian, SoloKeys). The EPC Group migration playbook — first, enable phish-resistant methods as available authentication methods in Entra; second, enforce phish-resistant MFA via Conditional Access on privileged roles immediately; third, enforce phish-resistant MFA for executives, finance, IT, and HR users; fourth, set a tenant-wide cutover date for phish-resistant MFA on all users with a ninety-day notification window; fifth, retire SMS and voice as available methods. Most enterprises can complete the full migration inside six months with no productivity disruption — the user experience for passkey sign-in is faster than the legacy MFA experience.

Activate the Entra you already own — and harden the foundation under your security stack

Book an Entra briefing with an EPC Group senior architect. Two-hour working session — Entra license inventory, Conditional Access posture review, PIM activation gap analysis, phish-resistant MFA migration scoping, and accelerator scoping. Zero obligation, board-ready output.

Book the briefing 888-381-9725

‌
‌
‌

‌
‌