You Are Already Using It. But Do You Understand It?
Every Microsoft 365 tenant runs on Microsoft Entra ID. Every time a user signs in, every time a Conditional Access policy fires, every time an admin activates a privileged role — that is Entra ID doing its job.
Yet most IT admins at mid-sized companies treat it like a background utility. Something that "just works." They log into the Entra admin center when they need to reset a password or add a user, and never dig deeper.
That is a problem. Entra ID is not just your directory. It is your identity security perimeter. And in a Zero Trust world, it is arguably the most important piece of infrastructure you manage.
This guide breaks down what Entra ID actually is, how it fits into the broader Microsoft Entra product family, and which capabilities you should have on your radar — whether you are on the Free tier or paying for P2.
What Is Microsoft Entra ID?
Microsoft Entra ID is Microsoft's cloud-based identity and access management (IAM) service. If you have been in IT for more than a few years, you probably knew it as Azure Active Directory (Azure AD). Microsoft renamed it in July 2023 to better reflect what the product actually does and to separate it from the on-premises Active Directory brand.
At its core, Entra ID handles:
- Authentication: Verifying that users are who they claim to be (passwords, MFA, passwordless, passkeys)
- Authorization: Determining what authenticated users can access and under what conditions
- Single Sign-On (SSO): Providing seamless access to thousands of SaaS applications using SAML, OAuth, and OpenID Connect
- Directory Services: Managing users, groups, devices, and applications in a centralized cloud directory
- Conditional Access: Enforcing access policies based on user identity, device compliance, location, risk level, and application sensitivity
Every Microsoft 365 service — Exchange Online, SharePoint, Teams, Defender — relies on Entra ID for authentication and access control. It is the foundation everything else sits on.
Entra ID Is Not Active Directory
This is the single most common misconception, and it leads to real configuration mistakes.
Active Directory Domain Services (AD DS) — the on-premises directory you might still be running — was designed for trusted corporate networks. It uses LDAP, Group Policy Objects (GPOs), and Organizational Units (OUs). It assumes the network perimeter is the security boundary.
Entra ID is fundamentally different:
| | Active Directory (AD DS) | Microsoft Entra ID |
|---|---|---|
| Protocol | LDAP, Kerberos | REST APIs, OAuth 2.0, SAML, OpenID Connect |
| Structure | OUs, GPOs, forests, trusts | Flat directory, Conditional Access policies |
| Network model | Trusted internal network | Zero Trust, internet-first |
| Device management | Group Policy | Intune integration, device compliance |
| Authentication | Kerberos tickets | Tokens (JWT), MFA, passwordless |
| Multi-tenant | No (single forest) | Yes (built for multi-tenancy) |
If you try to replicate your AD DS patterns in Entra ID — creating nested OUs, relying on network-level trust — you will struggle. Entra ID is designed for a world where the network is hostile and every access request must be verified independently.
Organizations running hybrid environments use Entra ID Connect to synchronize identities between on-premises AD and Entra ID. But synchronization does not mean equivalence. The two systems operate on fundamentally different security models.
The Microsoft Entra Product Family
Entra ID is one product in a growing family. Understanding the full landscape helps you know what is included in your license and what would require additional investment.
Core Identity
- Microsoft Entra ID — The IAM foundation. Authentication, SSO, Conditional Access, directory services. Included with every Microsoft 365 subscription.
- Microsoft Entra ID Governance — Automated access lifecycle management: access reviews, entitlement management, lifecycle workflows. Ensures the right people have the right access at the right time.
- Microsoft Entra ID Protection — Machine learning-powered risk detection that identifies compromised credentials, impossible travel, and anomalous sign-in patterns. Feeds risk signals into Conditional Access for automated response.
External and Non-Human Identities
- Microsoft Entra External ID — Customer-facing identity management (CIAM). Replaced Azure AD B2C for new deployments as of May 2025.
- Microsoft Entra Workload ID — Identity and access management for applications, service principals, and managed identities. Because non-human identities now outnumber human ones in most organizations.
- Microsoft Entra Verified ID — Decentralized identity verification based on open standards. Enables organizations to issue and verify credentials without centralized databases.
Network Access
- Microsoft Entra Internet Access — Identity-centric Secure Web Gateway (SWG) for protecting SaaS and internet traffic.
- Microsoft Entra Private Access — Zero Trust Network Access (ZTNA) for private applications. The modern replacement for VPNs.
Newest Addition
- Microsoft Entra Agent ID — Announced at Ignite 2025, this extends identity management to AI agents. As autonomous AI systems proliferate in enterprise environments, they need identity, access control, and governance just like human users.
The strategic direction is clear: Microsoft is converging identity, network access, and governance into a single platform. Entra ID is the hub.
Licensing: Free vs P1 vs P2
This is where it gets practical. Which features you can use depends entirely on your license tier.
Entra ID Free — Included with Microsoft 365
Every Microsoft 365 subscription includes the Free tier. You get:
- User and group management (up to 500,000 directory objects)
- Basic SSO with pre-integrated SaaS applications
- Self-service password change for cloud users
- Directory synchronization via Entra ID Connect
- Basic security reports
- Security Defaults (Microsoft's baseline MFA enforcement)
For very small organizations with simple needs, this covers the basics. But it has critical gaps.
Entra ID P1 — $6/user/month
P1 unlocks the features most mid-sized organizations actually need:
- Conditional Access: The policy engine that lets you enforce access rules based on identity, device, location, and application context. Without this, you are relying on Security Defaults — a blunt instrument.
- Dynamic Groups: Automatically assign group membership based on user attributes. Essential for scalable policy targeting.
- Self-Service Password Reset (SSPR): Allows on-premises users to reset their own passwords, reducing help desk load.
- Cloud Write-Back: Sync changes from Entra ID back to on-premises AD.
P1 is included with Microsoft 365 E3 and Microsoft 365 Business Premium.
Entra ID P2 — $9/user/month
P2 adds the advanced security and governance features:
- Privileged Identity Management (PIM): Just-in-time privileged access with time-bound role activation, approval workflows, and comprehensive audit trails. Instead of standing Global Admin access, users activate the role when needed and it expires automatically.
- Identity Protection: Risk-based Conditional Access that automatically detects and responds to compromised credentials, impossible travel, and anomalous sign-in behavior.
- Access Reviews: Periodic automated review of who has access to what. Resource owners certify or revoke access on a schedule.
P2 is included with Microsoft 365 E5 and EMS E5.
The Entra Suite — $12/user/month (requires P1)
For organizations wanting the complete package, the Entra Suite bundles Private Access, Internet Access, ID Governance, Verified ID, and ID Protection into a single SKU.
Five Features Every IT Admin Should Configure
Regardless of your license tier, there are capabilities you should be actively managing — not leaving at defaults.
1. Conditional Access (P1+)
If you have P1 or higher and are not using Conditional Access, you are leaving your most powerful security tool on the shelf. At minimum, configure policies for:
- Require MFA for all users (with exclusions only for break-glass accounts)
- Block legacy authentication (protocols like IMAP, POP3, and SMTP that cannot enforce MFA)
- Require compliant devices for accessing sensitive applications
- Block sign-ins from risky locations or impossible travel scenarios (P2)
Conditional Access is where your identity security posture lives. Every policy gap is an attack surface.
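One way to verify those four minimum policies is to export the tenant's Conditional Access policies and check them in code rather than by eye. The following is an added example, not code from the original article or from TrueConfig. The policy dictionaries follow the shape of the Microsoft Graph conditionalAccessPolicy resource (GET /identity/conditionalAccess/policies); the sample tenant is constructed, the object IDs are placeholders, and the check names and functions are this example's own. The sample deliberately contains two of the gaps the article describes: a leftover help-desk exclusion on the MFA policy, and a legacy-authentication block left in report-only mode.

```python
"""Audit an exported list of Conditional Access policies against the four
minimum policies listed above.

Added example, not code from the original article or from TrueConfig. The
policy dictionaries follow the shape of the Microsoft Graph
conditionalAccessPolicy resource (GET /identity/conditionalAccess/policies);
the sample tenant below is constructed, and the object IDs are placeholders.
"""

BREAK_GLASS_ID = "00000000-0000-0000-0000-000000000001"  # placeholder, constructed
HELPDESK_EXCLUSION = "00000000-0000-0000-0000-000000000042"  # placeholder, constructed

# Constructed sample export: two policies, each with a problem the checks should catch.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": [BREAK_GLASS_ID, HELPDESK_EXCLUSION],  # troubleshooting leftover
                      "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",  # report-only: blocks nothing
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def _enabled(policy):
    return policy.get("state") == "enabled"


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def _targets_all_users(policy):
    return policy["conditions"]["users"].get("includeUsers") == ["All"]


def check_mfa_for_all(policies, break_glass_ids):
    """MFA for all users on all apps; only break-glass accounts may be excluded."""
    for p in policies:
        apps = p["conditions"]["applications"].get("includeApplications")
        if _enabled(p) and _targets_all_users(p) and apps == ["All"] and "mfa" in _controls(p):
            users = p["conditions"]["users"]
            extra = sorted(set(users.get("excludeUsers", [])) - set(break_glass_ids))
            groups = users.get("excludeGroups", [])
            if extra or groups:
                return f"'{p['displayName']}' excludes more than break-glass: users={extra} groups={groups}"
            return None
    return "no enabled policy requires MFA for all users on all applications"


def check_legacy_auth_blocked(policies):
    """An enabled block on the exchangeActiveSync and other (legacy) client types."""
    legacy = {"exchangeActiveSync", "other"}
    for p in policies:
        if _enabled(p) and _targets_all_users(p) and "block" in _controls(p) \
                and legacy <= set(p["conditions"].get("clientAppTypes", [])):
            return None
    report_only = [p["displayName"] for p in policies
                   if p.get("state") == "enabledForReportingButNotEnforced" and "block" in _controls(p)]
    if report_only:
        return f"legacy auth block exists only in report-only mode: {report_only}"
    return "no enabled policy blocks legacy authentication"


def check_compliant_device(policies):
    """Some enabled policy requires a compliant (or hybrid-joined) device."""
    for p in policies:
        if _enabled(p) and _controls(p) & {"compliantDevice", "domainJoinedDevice"}:
            return None
    return "no enabled policy requires a compliant device for any application"


def check_sign_in_risk(policies):
    """Some enabled policy blocks or challenges high sign-in risk (needs P2)."""
    for p in policies:
        levels = set(p["conditions"].get("signInRiskLevels", []))
        if _enabled(p) and "high" in levels and _controls(p) & {"block", "mfa"}:
            return None
    return "no enabled policy acts on high sign-in risk (Identity Protection, P2)"


def assess(policies, break_glass_ids):
    """Map each minimum policy to None (satisfied) or a finding string."""
    return {
        "mfa_for_all": check_mfa_for_all(policies, break_glass_ids),
        "legacy_auth_blocked": check_legacy_auth_blocked(policies),
        "compliant_device": check_compliant_device(policies),
        "sign_in_risk": check_sign_in_risk(policies),
    }


if __name__ == "__main__":
    for name, finding in assess(SAMPLE_POLICIES, [BREAK_GLASS_ID]).items():
        print(f"{'OK  ' if finding is None else 'GAP '} {name}: {finding or 'satisfied'}")
```

Run against the constructed sample, all four checks report a gap: the MFA policy carries a non-break-glass exclusion, the legacy block is report-only, and no policy exists for compliant devices or sign-in risk. Feed it a real export (the JSON array returned by the Graph endpoint above) and the list of your break-glass object IDs, and the same checks apply unchanged.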
2. Privileged Identity Management (P2)
Standing privileged access is one of the most common identity risks in Microsoft 365. Organizations routinely have five, seven, even ten permanent Global Administrators — far more than the two that Microsoft recommends.
PIM eliminates this by making privileged access temporary:
- Admins activate roles when needed, for a defined time window
- Activation can require MFA, justification, or approval
- All activations are logged with full audit trails
- Roles automatically deactivate when the window expires
If you have P2 and are not using PIM, you are accepting unnecessary risk.
3. Security Defaults (Free)
If you are on the Free tier and cannot use Conditional Access, at minimum ensure Security Defaults are enabled. This enforces:
- MFA registration for all users
- MFA challenges when necessary (risk-based)
- Blocking of legacy authentication protocols
Security Defaults are a baseline, not a security strategy: significantly better than nothing, but not enough for most organizations.
4. Multi-Factor Authentication
MFA is non-negotiable in 2026. But how you implement it matters:
- Phishing-resistant MFA (FIDO2 security keys, passkeys, Windows Hello for Business) for privileged users
- Microsoft Authenticator with number matching and additional context for standard users
- Avoid SMS-based MFA where possible — it is vulnerable to SIM swapping and SS7 attacks
Microsoft is auto-enabling passkey profiles across all tenants starting March 2026. If you have not prepared for this, now is the time.
5. Access Reviews (P2 / Governance)
Access accumulates over time. Users change roles, projects end, contractors leave — but their access often persists. Access Reviews automate the cleanup:
- Schedule quarterly reviews of group memberships and application access
- Delegate reviews to resource owners or managers who understand the business context
- Automatically revoke access when reviewers do not respond
This is not just a security measure. It is increasingly an audit requirement for frameworks like SOC 2, ISO 27001, and CIS Benchmarks.
How Entra ID Fits Into Zero Trust
Zero Trust is not a product you buy. It is an architecture principle: never trust, always verify. Entra ID is where that principle gets implemented for Microsoft 365.
In a Zero Trust model, identity replaces the network perimeter as the primary security boundary. Every access request — regardless of where it comes from — is evaluated based on:
- Who is requesting access (user identity, role, risk level)
- What device they are using (managed, compliant, health status)
- Where they are connecting from (network location, known vs. unknown)
- What they are trying to access (application sensitivity, data classification)
- What the current risk context is (sign-in risk, user risk, session risk)
Conditional Access is the policy engine that evaluates all of these signals and makes a real-time access decision: allow, block, or require additional verification.
This is why Entra ID configuration is not a set-and-forget exercise. Your Zero Trust posture is only as strong as your current configuration state. One disabled Conditional Access policy, one overprivileged role assignment, one legacy authentication protocol left enabled — and the model breaks down.
The Configuration Drift Problem
Here is the reality that licensing tiers and feature lists do not capture: Entra ID configuration changes constantly.
Admins make changes. Microsoft rolls out new defaults. Automated processes modify settings. And in most organizations, nobody is tracking these changes against a defined baseline.
Consider what can happen in a typical week:
- A help desk tech excludes a user from a Conditional Access policy to troubleshoot a sign-in issue — and forgets to re-add them
- Microsoft auto-enables a new feature like passkey profiles, changing your authentication configuration
- An admin grants someone Global Admin "temporarily" and never revokes it
- A service account gets created with application permissions that bypass your Conditional Access policies entirely
None of these changes trigger alerts in the default Entra ID configuration. Your tenant drifts from your intended state, and you do not know about it until something goes wrong — or an auditor asks questions you cannot answer.
This is the gap between knowing what Entra ID can do and knowing what it is currently doing in your tenant. The first is a licensing decision. The second is an operational discipline.
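The drift scenarios above, and the standing Global Administrator problem from the PIM section, can be caught by comparing a documented baseline against a fresh snapshot of the tenant. The following is an added example, not TrueConfig's product logic or Microsoft code. The snapshot layout is a constructed simplification of three things an admin can read from Microsoft Graph (Conditional Access policies, Global Administrator role members, and authentication method settings); both snapshots, the account names, and the severity scheme are this example's own assumptions. The "current" snapshot reproduces the typical week described above: a help-desk exclusion never removed, a legacy-auth block switched to report-only, a policy nobody documented, a "temporary" Global Admin, and an authentication method that was switched on without an admin's action.

```python
"""Detect configuration drift between a recorded baseline and a fresh snapshot.

Added example, not TrueConfig's product logic or Microsoft code. The snapshot
layout is a constructed simplification of three things an admin can read from
Microsoft Graph: Conditional Access policies, Global Administrator role members
and authentication method settings. Both snapshots below are constructed.
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}

# Constructed baseline: the intended state the admin documented.
BASELINE = {
    "conditional_access": {
        "Require MFA for all users": {"state": "enabled", "excludeUsers": ["break-glass-01"]},
        "Block legacy authentication": {"state": "enabled", "excludeUsers": []},
    },
    "global_admins": ["break-glass-01", "admin.alice"],
    "auth_methods": {"Fido2": "disabled", "Sms": "disabled"},
}

# Constructed current snapshot after the "typical week" described above.
CURRENT = {
    "conditional_access": {
        "Require MFA for all users": {"state": "enabled",
                                      "excludeUsers": ["break-glass-01", "jdoe"]},  # help desk exclusion never removed
        "Block legacy authentication": {"state": "enabledForReportingButNotEnforced", "excludeUsers": []},
        "Allow unmanaged devices for contractors": {"state": "enabled", "excludeUsers": []},  # undocumented
    },
    "global_admins": ["break-glass-01", "admin.alice", "contractor.bob"],  # "temporary" Global Admin
    "auth_methods": {"Fido2": "enabled", "Sms": "disabled"},  # switched on without admin action
}


def diff_conditional_access(base, cur):
    events = []
    for name in sorted(set(base) | set(cur)):
        if name not in cur:
            events.append(("high", f"CA policy removed: {name}"))
            continue
        if name not in base:
            events.append(("medium", f"CA policy added outside baseline: {name}"))
            continue
        b, c = base[name], cur[name]
        if b["state"] != c["state"]:
            # Anything other than 'enabled' means the policy no longer enforces.
            sev = "high" if c["state"] != "enabled" else "medium"
            events.append((sev, f"CA policy '{name}': state {b['state']} -> {c['state']}"))
        added = sorted(set(c["excludeUsers"]) - set(b["excludeUsers"]))
        if added:
            events.append(("high", f"CA policy '{name}': new exclusions {added}"))
        removed = sorted(set(b["excludeUsers"]) - set(c["excludeUsers"]))
        if removed:
            events.append(("info", f"CA policy '{name}': exclusions removed {removed}"))
    return events


def diff_global_admins(base, cur):
    events = []
    for user in sorted(set(cur) - set(base)):
        events.append(("high", f"standing Global Administrator added: {user}"))
    for user in sorted(set(base) - set(cur)):
        events.append(("info", f"Global Administrator removed: {user}"))
    return events


def diff_auth_methods(base, cur):
    events = []
    for method in sorted(set(base) | set(cur)):
        b, c = base.get(method, "absent"), cur.get(method, "absent")
        if b != c:
            events.append(("medium", f"authentication method {method}: {b} -> {c} (check for Microsoft auto-enablement)"))
    return events


def detect_drift(baseline, current):
    """Return (severity, message) tuples, highest severity first; empty when in sync."""
    events = (diff_conditional_access(baseline["conditional_access"], current["conditional_access"])
              + diff_global_admins(baseline["global_admins"], current["global_admins"])
              + diff_auth_methods(baseline["auth_methods"], current["auth_methods"]))
    return sorted(events, key=lambda e: SEVERITY_ORDER[e[0]])


if __name__ == "__main__":
    for severity, message in detect_drift(BASELINE, CURRENT):
        print(f"[{severity.upper():6}] {message}")
```

The design choice worth noting is that the baseline is the source of truth, not the previous snapshot: diffing snapshot against snapshot tells you something changed, while diffing against the documented intended state tells you whether the tenant still matches what you decided it should be. A policy leaving the enabled state and a new exclusion on an enforcing policy are rated high because each one silently widens who can sign in without the control; a new Global Administrator is rated high for the same reason.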
Moving Forward
Microsoft Entra ID is not going to get simpler. The product family is expanding. New capabilities arrive quarterly. Microsoft continues to change defaults and auto-enable features. AI agents are entering the identity landscape.
For IT admins at mid-sized organizations, the priority is clear:
- Know your license tier and use the features you are paying for. If you have P1, use Conditional Access. If you have P2, use PIM and Identity Protection.
- Define your intended state. Document what your Entra ID configuration should look like — not just what it looks like today.
- Monitor for drift. Configuration changes are inevitable. Detecting them quickly is the difference between a controlled environment and an unknown one.
- Stay ahead of Microsoft's changes. Auto-enablement of features like passkey profiles is the new norm. Proactive preparation beats reactive firefighting.
Entra ID is the foundation of your Microsoft 365 security posture. Understanding it deeply is not optional — it is the job.
TrueConfig continuously monitors your Microsoft Entra ID configuration against your defined baseline. When Conditional Access policies change, privileged roles drift, or Microsoft auto-enables new features in your tenant, you see it immediately — with full context on what changed and what your intended state should be.
Sources
- Microsoft, "New name for Azure Active Directory"
- Microsoft Identity Blog, "Azure AD is becoming Microsoft Entra ID"
- Microsoft, "What is Microsoft Entra ID?"
- Microsoft, "Microsoft Entra product family"
- Microsoft, "Microsoft Entra Plans and Pricing"
- Microsoft, "What is Conditional Access?"
- Microsoft, "What is Microsoft Entra Privileged Identity Management?"
- Microsoft, "What is Microsoft Entra ID Protection?"
- Microsoft Entra Blog, "Surfing the AI Wave: Microsoft Entra Agent ID"
- Microsoft Security Blog, "Four priorities for AI-powered identity and network access security in 2026"