Microsoft Entra Services - Comprehensive Identity & Access Guide

Entra ID Entra vs On-Prem AD Industrial Use Cases Free vs P1 vs P2 Recommendations Governance & Compliance Limitations

🔹 Entra ID

What is Entra ID?

Microsoft's cloud-based Identity & Access Management (IAM) platform (formerly Azure Active Directory).
Central sign-in for Microsoft 365, Azure, on-prem apps (via connectors) and thousands of SaaS apps.
Supports SSO, MFA, Conditional Access, B2B guest and External (B2C) identities.
Works with device posture (Intune), risk-based policies, and privileged access controls.

Why is Entra ID required?

Blocks credential attacks with MFA and risk-aware access.
Enables Zero Trust: verify explicitly, least privilege, assume breach.
Automates joiner—mover—leaver lifecycle to reduce human error.
Simple, secure partner & customer access without local accounts.
Cloud scale & high availability—no domain controller upkeep.

🔹 Entra ID vs On-Prem AD

Key takeaway: On-prem AD manages computers & legacy apps inside a domain; Entra ID secures identities & access across cloud, mobile and SaaS with modern, risk-aware controls.

Capability	AD (On-Prem)	Microsoft Entra ID (Cloud)
Deployment	Domain controllers on servers	Cloud-native, global service
Authentication	Kerberos / NTLM	OAuth2, OpenID Connect, SAML
MFA	Requires add-ons	Built-in MFA & passwordless
Conditional Access	Not native	Risk, device, location, app-based
SSO Coverage	Primarily domain-joined apps	First-party + 3,000+ SaaS apps
External Users	VPN/accounts in AD	Guest (B2B) & External ID (B2C)
Lifecycle (JML)	Manual scripts & tickets	SCIM & HR-driven automation
Admin Access	Static admin groups	Privileged Identity Mgmt (PIM) JIT
Device Posture	GPO on Windows only	Intune compliance signals in access
Resiliency	Site/DR planning needed	Multi-region HA managed by Microsoft
Auditing	Basic logs	Rich sign-in/admin logs to SIEM
Zero Trust	Not inherent	Native Zero Trust controls
Hybrid Support	Core for legacy apps	Cloud-first; supports hybrid via sync
Cost/TCO	Hardware, patching, ops	Subscription; reduced ops burden
Feature Velocity	Slow upgrade cycles	Rapid cloud releases

🔹 Industrial Use Cases

BFSI

MFA + Conditional Access for payments and high-value transactions.
PIM for auditors/admins; time-bound elevation with approvals.
Vendor B2B access with auto-expiry and access reviews.
SIEM export of sign-in risk for SOX/FFIEC evidencing.

Healthcare

Allow EHR access only from compliant devices (Intune).
Break-glass accounts controlled by PIM with full audit.
Patient portals via External ID with adaptive MFA.
Identity governance supports HIPAA safeguards.

Manufacturing

Contractor onboarding with Entitlement Management packages.
Restrict OT/kiosk access by location & device state.
Supplier collaboration with least-privilege SharePoint access.
Periodic access reviews for long-running projects.

IT Services & Consulting

Tenant-to-tenant B2B with Conditional Access & session controls.
PIM + approval flows for elevated roles in client tenants.
SCIM provisioning for JML across multiple clients.
Central sign-in logs streamed to SOC/SIEM.

Retail & E-commerce

Role-based launcher for store staff; restrict after-hours sign-ins.
External ID for customers; social logins with adaptive MFA for risky orders.
Partner access for logistics with auto-expire policies.
Session controls to limit downloads on unmanaged devices.

Education

Separate policies for students vs staff; exam apps allow-listed.
Guest lecturers via access packages with automatic expiry.
SSPR reduces helpdesk load and downtime.
Risk-based sign-in prompts during mass phishing waves.

Government

Geo/location-based restrictions for sensitive workloads.
PIM with approvals and separation of duties.
B2B direct connect for cross-agency collaboration.
Comprehensive audit trails for oversight bodies.

🔹 Entra ID Plans — Free vs P1 vs P2

Capability (Plain English)	Free	P1	P2
Single Sign-On (SSO)	Sign in once to a few Microsoft apps	Unlimited enterprise SSO for SaaS & custom apps	Same as P1
Multi-Factor Authentication (MFA)	Basic per-user setup	MFA enforced by Conditional Access policies	Risk-based MFA that adapts to suspicious activity
Conditional Access	✗	Block/allow by device, location, app	Also reacts to risky users/sign-ins automatically
Passwordless Sign-In	Limited	Supported (Authenticator, FIDO2)	Supported (Authenticator, FIDO2)
Self-Service Password Reset	Basic reset options	Full self-service with policies	Risk-based password reset flows
User Lifecycle Automation	Mostly manual	Automated provisioning with HR/SCIM	Governed automation + workflows
Access Reviews	✗	Review access to groups/apps	Review privileged roles, guests & high-risk users
Identity Protection	✗	✗	Risk detection on users & sign-ins, automated responses
Privileged Identity Management (Admin Rights)	✗	✗	Just-in-Time admin rights with approval workflows
Guest/Partner Access (B2B)	Invite basic guests	Guests with Conditional Access and MFA	Guests with risk-based controls and governance
Customer Identities (External ID/B2C)	Separate SKU	Separate SKU	Separate SKU
Device Trust	Limited device checks	Integrates Intune compliance into access	Same + adds risk-based signals
Entitlement Management	✗	Access packages & workflows	Deeper governance with lifecycle enforcement
App Governance / Workload Identities	Basic app registrations	Conditional policies for enterprise apps	Risk insights & governance for app/service identities
Reporting & Logs	Basic sign-in logs	Detailed reports & policy insights	Advanced risk analytics, SIEM integration
Support & SLA	Community support	Enterprise-grade support	Enterprise-grade support
Typical Fit	Small orgs with basic needs	SMBs & enterprises needing secure workforce access	Enterprises & regulated industries with strict compliance

🔹 Recommendations Based on Organization Size

Small Businesses (1—250 users)

Start with Entra Free or P1 (via M365 Business Premium).
Mandate MFA for all employees.
Use basic Conditional Access (if P1).
Add Intune for device and app security.

Mid-Market (250—2,000 users)

Adopt P1 as the security baseline.
Implement Conditional Access for risky sign-ins & unmanaged devices.
Automate provisioning with HR-driven workflows.
Run access reviews and enforce guest account expirations.

Enterprises (2,000+ users)

Standardize on P2 licensing.
Enforce Identity Protection (risk-based MFA & sign-in risk).
Deploy Privileged Identity Management (PIM) for all admins.
Run regular access reviews across users and guests.
Stream logs to SIEM/Sentinel for compliance reporting.

Highly Regulated (Finance, Govt, Healthcare)

Always choose P2 for full governance features.
Apply Zero Trust Conditional Access to all sensitive apps.
Use Just-in-Time access with PIM + approvals.
Generate audit-ready reports for ISO, SOC, HIPAA, GDPR, DPDP.
Integrate identity risk into Defender & Sentinel workflows.

↑ Back to Top

🔹 Governance & Compliance Framework

Standard	How Entra ID Helps
ISO 27001	PIM for least privilege; Conditional Access; centralized audit logs.
SOC 2 / SOX	Access reviews, activity logging, approver workflows for elevated access changes.
HIPAA	Conditional Access + audit logs ensure PHI access only from compliant devices/users.
GDPR / DPDP	Right-to-access, guest user governance, lifecycle workflows for timely de-provisioning.
PCI DSS	MFA for cardholder apps; PIM for privileged roles.
NIST / Zero Trust	Risk-based access decisions; device + user + app context checks.

🔹 Feature Limitations & Considerations

Operational

Not a GPO replacement — use Intune for device policies; some GPO cases need hybrid.
Legacy/LDAP apps may require on-prem AD or Azure AD DS as a bridge.
Endpoint control & EDR require Intune/Defender — Entra focuses on identity.
Deep B2C user journeys can need developer customization.

Strategic

Feature/licensing spread across Free/P1/P2/External ID — plan the mix.
Advanced threat hunting beyond identity signals uses Defender/Sentinel.
No native network access control (NAC); integrate ZTNA/third-party if needed.

↑ Back to Top

↑ Top

Home M365 Plans Defender Entra ID Intunes Purview Backup Managed Support