What should admins know about Microsoft Entra features?

Microsoft has recently reorganized its identity management products under a single brand to integrate its various services and make this critical work less challenging.

Microsoft Entra is the company’s suite of cloud-based identity management products that corrals many new and existing services under the Entra brand. Microsoft Entra features also include network security products. Long-time customers will have to adapt to these changes and see what, apart from the product name, has changed in the identity-based tools they use to manage users and business resources.

What is Microsoft Entra ID?

Microsoft Entra ID, formerly Azure Active Directory (AD), is the backbone of the Entra product line. It is a cloud-based version of on-premises Active Directory and provides authentication and access control services from the Microsoft cloud.

Microsoft is changing the name from Azure AD to Microsoft Entra ID in August 2023, and the company says the name is the only change customers need to understand. All associated Azure AD products are being renamed to updated SKUs in October 2023. For example, Azure Active Directory Premium P1 and Azure Active Directory Premium P2 are now Microsoft Entra ID P1 and Microsoft Entra ID P2.

This change only affects the cloud product. The on-premises Active Directory directory service on Windows Server will retain its name.

What is Microsoft Entra Permissions Management?

Microsoft Entra Permissions Management, formerly Azure AD Entitlement Management, is a cloud infrastructure entitlement management (CIEM) tool used to manage user permissions to access cloud resources.

Microsoft says this tool gives security professionals a more consistent way to assign security policies and a way to see what resources are accessed by each user or identity. Microsoft Entra Permissions Management helps organizations that want to follow a zero-trust security model and the principles of least user privilege.

What is Microsoft Entra Verified ID?

Microsoft Entra Verified ID, formerly Azure AD Verifiable Credentials, is a free part of the Entra suite included with all Microsoft Entra ID subscriptions.

Entra Verified ID creates verifiable user credentials, either based on templates or built using your own credential rules. These credentials are more than just user accounts. They can store many attributes for a particular person. For example, an organization can use Entra Verified ID to issue certifications or track a person’s education.

The credentials created by Verified ID are based on open standards, meaning you can create a digital identity that stays with a user. A verification request sent to the issuer determines whether a user's credentials are valid.

The issuer manages the entire lifecycle of the user’s credentials with the ability to suspend or revoke a set of credentials if needed.

What is Microsoft Entra Identity Governance?

Microsoft Entra Identity Governance, formerly Azure AD Identity Governance, gives users access to the resources they need while reducing the chance of breaches or insider threats.

Entra Identity Governance uses machine learning for access control decisions; users request access to resources and get an instant verified response without having to wait for manual authorization. Entra Identity Governance also manages access control requests for partners, suppliers and other external parties who may need access to your organization’s resources.

Entra Identity Governance helps an organization meet compliance mandates. For example, the organization can schedule periodic access reviews to review user activities with resources and verify access requirements. Entra Identity Governance also enforces separation of duties and restricts access in case of conflicting requirements.

Lifecycle workflows is a feature of Entra Identity Governance used to create automated workflows related to common identity management tasks. Microsoft provides templates to simplify the workflow creation process in the following areas:

  • Onboarding a pre-hired employee.
  • Onboarding a new employee.
  • Real-time employee termination.
  • Pre-offboarding an employee.
  • Offboarding an employee.
  • Post-offboarding an employee.

Entra Identity Governance works with Microsoft and third-party apps, running in the cloud or on premises.

What is Microsoft Entra Workload ID?

In the modern workplace, users aren’t the only ones who need access to cloud resources. Apps and services often need to use other apps and services to function properly. To facilitate this process, the Microsoft Entra Workload ID — Microsoft also uses the name Workload Identities — ensures that apps and services can access cloud resources in a secure manner. This product was previously called Azure AD Managed Service Identities.

Entra Workload ID performs three main tasks to ensure secure access to resources.

First, Entra Workload ID extends conditional access policies to work with apps and services, not just user accounts, to make access control decisions based on multiple factors such as geographic location and a perceived level of risk.

Next, Entra Workload ID protects workloads by identifying compromised workload identities, for example by checking for leaked credentials or by determining that the application is malicious.

Finally, Entra Workload ID simplifies workload lifecycle management with tools to review activities related to workload access and check privileges associated with workloads. Entra Workload ID flags workloads for deprovisioning.
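The conditional access capability described above can be expressed as a policy object. The following is an added example, not code from the article or from Microsoft's documentation: it uses the Microsoft Graph PowerShell SDK to create a report-only Conditional Access policy that targets service principals rather than users, combining the location and risk-level conditions the article mentions. It assumes the SDK is installed, the signed-in admin can write Conditional Access policies, the tenant is licensed for Workload ID Premium, and the policy display name is made up for the example.

```powershell
# Added example (not from the article): report-only Conditional Access policy
# scoped to workload identities (service principals) instead of user accounts.
# Assumptions: Microsoft.Graph SDK installed; the signed-in admin can write
# Conditional Access policies; Workload ID Premium is licensed in the tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$policy = @{
    # Display name is a made-up value for this example.
    displayName = "Example: block risky service principals outside trusted locations"
    # Start in report-only mode: sign-in logs then show what *would* be blocked,
    # so the policy can be reviewed before its state is changed to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Target every single-tenant service principal. Replace the keyword with
        # a list of service principal object IDs to scope the policy narrowly.
        clientApplications = @{
            includeServicePrincipals = @("ServicePrincipalsInMyTenant")
        }
        # Apply to all cloud apps the service principals might call.
        applications = @{ includeApplications = @("All") }
        # Location condition: any location except named locations marked trusted.
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
        # Risk condition: only fire when ID Protection rates the workload
        # identity as medium or high risk (for example, leaked credentials).
        servicePrincipalRiskLevels = @("medium", "high")
    }
    # Block is the only grant control supported for workload identity policies.
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Leave the policy in report-only mode until the sign-in logs confirm it would only affect the service principals you expect; a misconfigured block here can take down automation that depends on those identities.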

What is Microsoft Entra ID Protection?

Microsoft Entra ID Protection, formerly Azure AD Identity Protection, is a feature that was still in preview at the time this article was published. Microsoft Entra ID Protection will be free with Microsoft Entra ID if it becomes generally available.

Microsoft Entra ID Protection is a threat detection feature that tracks identity attacks with the ability to automatically remediate malicious activities. Microsoft Entra ID Protection attempts to align with the MITRE ATT&CK framework for consistency in the terminology Microsoft uses in its Entra dashboard. Microsoft Entra ID Protection tracks several types of risk detection, including suspicious sign-ins, password spraying attempts and mass access to sensitive files.
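The risk detections the article lists can be pulled out of the tenant for review. The following is an added example, not code from the article or from Microsoft: it uses the Microsoft Graph PowerShell SDK to summarize ID Protection risk detections from the last seven days by detection type and risk level, then lists high-risk detections that no admin has yet remediated or dismissed. It assumes the SDK is installed and the signed-in account can read risk events; the seven-day window is an arbitrary choice for the example.

```powershell
# Added example (not from the article): triage view over Entra ID Protection
# risk detections. Assumptions: Microsoft.Graph SDK installed; the signed-in
# account holds the IdentityRiskEvent.Read.All permission.
Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All"

# Look back seven days (arbitrary window chosen for the example).
$since = (Get-Date).ToUniversalTime().AddDays(-7)

# Retrieve all detections and filter on detection time client-side.
$detections = Get-MgRiskDetection -All |
    Where-Object { $_.DetectedDateTime -ge $since }

# Count detections by type (for example passwordSpray, leakedCredentials,
# unfamiliarFeatures) and by risk level to see what ID Protection is finding.
$detections |
    Group-Object RiskEventType, RiskLevel |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# High-risk detections still in the "atRisk" state need an admin decision:
# confirm compromised (reset password, revoke sessions) or dismiss as benign.
$detections |
    Where-Object { $_.RiskLevel -eq 'high' -and $_.RiskState -eq 'atRisk' } |
    Select-Object DetectedDateTime, UserPrincipalName, RiskEventType, IpAddress |
    Sort-Object DetectedDateTime -Descending |
    Format-Table -AutoSize
```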

What is Microsoft Entra External ID?

Microsoft builds on the existing Azure AD External Identities product to create Microsoft Entra External ID, a customer identity and access management (CIAM) component that manages security-related tasks for these external accounts.

Features exclusive to Microsoft Entra External ID include tools for developers to create more secure applications for customers and the ability to use identities from external sources such as Google for sign-in.

Microsoft said its Azure AD B2C platform will continue to exist separately from Entra External ID for now.

What is Global Secure Access?

For network security, Global Secure Access consists of two network security products: Microsoft Entra Internet Access and Microsoft Entra Private Access. A zero-trust security model is at the core of these features where identity access is validated each time a request is made.

Microsoft says that Entra Private Access is an improved way to protect access to private apps and resources through a cloud-based VPN, which can help clients without a VPN client app, such as macOS and Linux machines.

The company says Microsoft Entra Internet Access protects systems from malicious traffic through a secure web gateway to provide a direct route to Microsoft 365, private applications and other internet services.

Microsoft says that this combination of products is an improvement over VPNs and firewalls, which are limited in their capabilities in the event of a breach.

What is the cost and license for Microsoft Entra?

Because Microsoft Entra is a suite rather than an individual product, no single subscription has access to all of Entra's individual tools. Instead, each device must be licensed separately.

Microsoft Entra ID is the backbone of every other Entra product. In addition to any applicable Azure AD subscription fees, Microsoft charges $6 per user per month for Microsoft Entra ID P1 — formerly Azure AD Premium P1 — subscription or $9 per user per month for Microsoft Entra ID P2 subscription. Verified ID is included with all Microsoft Entra ID subscriptions, including the free plan.

Microsoft Entra Identity Governance is an add-on for Microsoft Entra ID P1 customers at $7 per user per month and an undisclosed price for Microsoft Entra ID P2 customers.

Entra Permissions Management is available for $10.40 per resource per month. The free version of Microsoft Entra Workload ID comes with a subscription to a commercial online service, such as Azure. Entra Workload ID Premium is $3 per workload identity per month.

How do I stay current with Microsoft Entra?

In addition to the documentation on Microsoft's site and the Entra portal at entra.microsoft.com, customers can check out the Identity PowerToys site managed by Microsoft employees in the company's identity management team. This site hosts a Microsoft Entra mind map that provides a visual representation of the interconnected services in the Microsoft Entra product line.

Brien Posey is a 15-time Microsoft MVP with two decades of IT experience. He has served as a lead network engineer for the US Department of Defense and as a network administrator for some of America’s largest insurance companies.