Microsoft Entra ID: Enterprise Identity & Access Guide

• User or group membership — scope policies to specific populations
• Cloud application — target specific apps or all cloud apps
• Device platform (Windows, macOS, iOS, Android, Linux)
• Device compliance status from Intune
• IP location — named locations for offices, VPN, trusted networks
• Sign-in risk level — real-time risk from Identity Protection
• User risk level — cumulative risk based on behavior patterns
• Client application type — browser, mobile app, desktop client

• Require multi-factor authentication
• Require device to be marked as compliant (Intune)
• Require hybrid Entra joined device
• Require approved client application
• Require authentication strength (phishing-resistant MFA, FIDO2)
• Require password change (for risky users)
• Block access entirely

• Sign-in frequency — force re-authentication every N hours
• Persistent browser session — allow or block "stay signed in"
• Conditional Access App Control — proxy sessions through Defender for Cloud Apps
• Continuous Access Evaluation (CAE) — real-time token revocation on policy change
• Customize token lifetime and session behavior per application

Automate onboarding tasks (create account, assign licenses, add to groups, send welcome email) and offboarding tasks (disable account, revoke sessions, remove group memberships, archive mailbox). Trigger workflows based on Entra ID attribute changes — department, title, manager, or employee status. Reduces manual IT provisioning effort by 80% and eliminates the #1 audit finding: orphaned accounts with active access.

Bundle resources (groups, apps, SharePoint sites, Teams) into access packages that users can request through a self-service portal. Each package has approval workflows (manager, resource owner, or multi-stage), time-limited assignments, and automatic expiration. Ideal for project-based access, cross-department resource sharing, and contractor onboarding.

Schedule periodic reviews of group memberships, application assignments, and privileged roles. Reviewers (managers, resource owners, or self-review) certify or deny continued access. Configure auto-removal for unreviewed assignments. Multi-stage reviews route decisions through multiple approvers. Machine learning recommendations help reviewers make informed decisions based on usage patterns.

Issue and verify decentralized identity credentials based on open standards (W3C Verifiable Credentials). Use cases include employee ID verification for remote onboarding, education credential verification, and partner organization validation. Credentials are stored in the user's digital wallet and presented on demand — the issuing organization does not need to be contacted for each verification.

What is Microsoft Entra ID and how does it work?

Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. It authenticates users, enforces access policies, and manages identities across Microsoft 365, Azure, and thousands of third-party SaaS applications. Entra ID evaluates every sign-in request against Conditional Access policies that consider user identity, device compliance, location, risk level, and application sensitivity before granting access. It supports single sign-on (SSO), multi-factor authentication (MFA), passwordless authentication (FIDO2, Windows Hello), and integrates with on-premises Active Directory via Entra Connect. EPC Group deploys Entra ID for enterprises across healthcare, financial services, and government with compliance-ready configurations.

What is the difference between Azure AD and Microsoft Entra ID?

Microsoft Entra ID is the rebranded name for Azure Active Directory (Azure AD). Microsoft renamed the product in July 2023 as part of the broader Microsoft Entra product family. All features, APIs, licensing, and capabilities remain identical — the underlying technology did not change. Azure AD Free became Entra ID Free, Azure AD P1 became Entra ID P1, and Azure AD P2 became Entra ID P2. Existing Azure AD configurations, Conditional Access policies, and app registrations carried over automatically. The only changes are branding in the Azure portal (now under "Microsoft Entra") and updated documentation URLs. EPC Group helps enterprises update their internal documentation and training materials to reflect the new naming.

What are the Microsoft Entra ID licensing tiers and which one do I need?

Entra ID has four licensing tiers: (1) Free — included with any Microsoft cloud subscription, provides basic SSO, MFA via security defaults, and user/group management for up to 50,000 objects. (2) P1 ($6/user/month, included in M365 E3) — adds Conditional Access, group-based access management, self-service password reset, hybrid identity with Entra Connect, and dynamic groups. (3) P2 ($9/user/month, included in M365 E5) — adds Identity Protection with risk-based Conditional Access, Privileged Identity Management (PIM) with just-in-time admin access, and access reviews. (4) Entra ID Governance ($7/user/month add-on) — adds lifecycle workflows, entitlement management, and advanced access reviews. Most enterprises need P2 for Identity Protection and PIM. EPC Group conducts licensing assessments to right-size Entra ID spend.

How do Conditional Access policies work in Microsoft Entra ID?

Conditional Access is the Zero Trust policy engine in Entra ID. It intercepts every authentication request and evaluates it against configurable if-then policies. Conditions (signals) include: user or group membership, application being accessed, device platform and compliance status, IP location and named locations, sign-in risk level (from Identity Protection), and client app type. Grant controls include: require MFA, require compliant device, require hybrid Azure AD join, require approved client app, require authentication strength (phishing-resistant MFA), and block access. Session controls include: sign-in frequency, persistent browser session, app-enforced restrictions, and Conditional Access App Control (MCAS integration). EPC Group typically deploys 25 to 40 Conditional Access policies per enterprise, organized by baseline, enhanced, and advanced tiers.

What is Privileged Identity Management (PIM) in Entra ID?

Privileged Identity Management (PIM) provides just-in-time, time-limited, and approval-required access to privileged roles in Entra ID, Azure resources, and Microsoft 365. Instead of permanently assigning Global Administrator or Exchange Administrator roles, PIM makes users "eligible" for roles. When they need elevated access, they activate the role through an approval workflow, provide justification, and receive time-limited access (typically 1 to 8 hours). PIM logs every activation for audit compliance. It also provides access reviews to periodically certify that role assignments are still appropriate. PIM requires Entra ID P2 licensing. EPC Group implements PIM as a foundational security control for every enterprise engagement — it reduces standing admin access by 90% and is required for HIPAA, SOC 2, and FedRAMP compliance.

How does Entra ID Identity Protection detect and respond to threats?

Entra ID Identity Protection uses machine learning trained on trillions of signals from Microsoft's global authentication traffic to detect three categories of risk: (1) User risk — credentials leaked on the dark web, unusual activity patterns, threat intelligence matches. (2) Sign-in risk — unfamiliar locations, impossible travel, anonymous IP addresses, malware-linked IPs, password spray attacks. (3) Workload identity risk — anomalous service principal behavior. Each risk is scored as low, medium, or high. Risk signals feed into Conditional Access policies that can automatically require MFA, force password change, or block access. Identity Protection dashboards provide a unified view of risky users, risky sign-ins, and risk detections. EPC Group configures automated remediation policies and weekly risk review processes for enterprise clients.

What is Entra ID Governance and how does it manage the identity lifecycle?

Entra ID Governance is the identity governance and administration (IGA) layer that automates the entire identity lifecycle: joiner (new employee gets appropriate access on day one), mover (role change triggers access recertification), and leaver (termination immediately revokes all access). Key capabilities include: Lifecycle Workflows to automate onboarding/offboarding tasks, Entitlement Management with access packages that bundle resources into requestable bundles with approval workflows, Access Reviews that periodically certify access is still appropriate (auto-remove if not reviewed), and Verified ID for decentralized identity credentials. Entra ID Governance requires a separate add-on license ($7/user/month) on top of P1 or P2. EPC Group implements governance frameworks for enterprises in regulated industries where audit trails and least-privilege access are compliance requirements.

How does Entra ID B2B and B2C work for external identities?

Entra ID External Identities handles two scenarios: B2B (business-to-business) collaboration lets you invite partners, vendors, and contractors to access your Microsoft 365 and Azure resources using their own organizational accounts. You maintain control through cross-tenant access settings, Conditional Access policies for guest users, and access reviews. B2C (business-to-consumer) provides a customer-facing identity platform for custom applications — users sign up and sign in with email, social accounts (Google, Facebook, Apple), or local accounts. B2C supports custom branding, user flows (sign-up/sign-in/password reset), and API connectors for identity verification. Entra External ID (the unified platform replacing standalone B2C) adds workforce and customer scenarios under one admin experience. EPC Group configures B2B cross-tenant policies for enterprises with complex partner ecosystems and builds B2C identity experiences for customer-facing applications.

What are workload identities in Entra ID and why do they matter?

Workload identities are non-human identities used by applications, services, and automation — including service principals, managed identities, and app registrations. In most enterprises, workload identities outnumber human identities 10 to 1, yet they receive far less security scrutiny. Entra Workload ID provides: Conditional Access for workload identities (restrict service principals by IP range and risk), workload identity federation (eliminate stored secrets by federating with external identity providers like GitHub Actions or Kubernetes), managed identities (Azure-assigned identities that eliminate credential management entirely), and app health recommendations. Workload Identities Premium ($3/workload/month) adds Conditional Access, access reviews, and risk detection for service principals. EPC Group audits workload identities as part of every security assessment — most enterprises have hundreds of over-permissioned app registrations with expired or exposed credentials.