What should admins know about Microsoft Entra features?

Microsoft Entra combines new and existing cloud-based products and packages them under a new name. Learn how this change affects identity access management in your organization.

Microsoft recently shuffled its identity management products to unify its range of services to make it less of a challenge to perform this critical work.

Microsoft Entra is the company's suite of cloud-based identity management products that corrals several new and existing services under the Entra brand. Microsoft Entra features also include network security products. Long-time customers will now have to adapt to these changes and see what, besides the product name, has changed with the identity-based tools they use to manage users and resources in the enterprise.

What is Microsoft Entra ID?

Microsoft Entra ID, formerly Azure Active Directory (AD), is the backbone of the Entra product line. It is essentially a cloud-based version of the on-premises Active Directory and provides authentication and access control services from the Microsoft cloud.

While Microsoft changed the name from Azure AD to Microsoft Entra ID in August 2023, the company said the name is the only change its customers will need to understand. All the associated Azure AD products have been renamed with updated SKUs as of October 2023. For example, Azure Active Directory Premium P1 and Azure Active Directory Premium P2 are now Microsoft Entra ID P1 and Microsoft Entra ID P2 respectively.

This change only affects the cloud product. The on-premises Active Directory directory service in Windows Server will keep its name.

What is Microsoft Entra Permissions Management?

Microsoft Entra Permissions Management, formerly Azure AD Entitlement Management, is a cloud infrastructure entitlement management (CIEM) tool used to manage users' permissions to access cloud resources.

Microsoft said this tool gives security professionals a more consistent way to assign security policies and a way to see what resource each user or identity is accessing. Microsoft Entra Permissions Management assists organizations that want to follow a zero-trust security model and the principles of least user privilege.

What is Microsoft Entra Verified ID?

Microsoft Entra Verified ID, formerly Azure AD Verifiable Credentials, is a free component of the Entra suite that's included with all Microsoft Entra ID subscriptions.

Entra Verified ID creates verifiable user credentials, either based on templates or built with your own credential rules. These credentials are more than just user accounts. They can store several attributes for a particular person. For example, an organization might use Entra Verified ID to issue certifications or track someone's education.

The credentials created by Verified ID are based on open standards, meaning you can make a digital identity that stays with a user. A query sent to the issuer determines the validity of a user's credentials.

The issuer manages the full lifecycle of user credentials with the ability to suspend or revoke a set of credentials when needed.

What is Microsoft Entra Identity Governance?

Microsoft Entra Identity Governance, formerly Azure AD Identity Governance, grants users access to the required resources while reducing the chances of breaches or insider threats.

Entra Identity Governance uses machine learning for access control decisions; users request access to resources and get an immediate vetted response without the need to wait for manual approval. Entra Identity Governance also manages access control requests for partners, suppliers and other external parties who might need access to your organization's resources.

Entra Identity Governance can help an organization follow compliance mandates. For example, the organization might schedule periodic access reviews to check user activities with resources and verify access requirements. Entra Identity Governance also enforces separation of duties and restricts access when conflicting requirements occur.

Lifecycle workflows is a feature in Entra Identity Governance used to build automated workflows related to common identity management tasks. Microsoft provides templates to simplify the workflow creation process in the following areas:

  • Onboarding a pre-hire employee.
  • Onboarding a new hire employee.
  • Real-time employee termination.
  • Pre-offboarding an employee.
  • Offboarding an employee.
  • Post-offboarding an employee.

Entra Identity Governance works with both Microsoft and third-party apps, running in the cloud or on-premises.

What is Microsoft Entra Workload ID?

In the modern workplace, it is not just users who require access to cloud resources. Apps and services often need to use other apps and services to function properly. To facilitate this process, Microsoft Entra Workload ID -- Microsoft also uses the name Workload Identities -- ensures that apps and services access cloud resources in a secure manner. This product was formerly called Azure AD Managed Service Identities.

Entra Workload ID performs three main tasks to ensure secure access to resources.

First, Entra Workload ID extends conditional access policies to work with apps and services, not just user accounts, to make access control decisions based on several factors such as geographic location and a perceived level of risk.

Next, Entra Workload ID protects workloads by detecting compromised workload identities, for example by checking for leaked credentials or by determining that an application is malicious.

Lastly, Entra Workload ID simplifies workload lifecycle management with tools to review workload access-related activities and check the privileges associated with those workloads. Entra Workload ID flags workloads for deprovisioning.

What is Microsoft Entra ID Protection?

Microsoft Entra ID Protection, formerly Azure AD Identity Protection, was still in preview at the time of this article's publication. Microsoft Entra ID Protection will be free in Microsoft Entra ID when it is generally available.

Microsoft Entra ID Protection is a threat detection feature that tracks identity attacks and can automatically remediate those malicious activities. Microsoft Entra ID Protection attempts to align with the MITRE ATT&CK framework so that the terminology in the Entra dashboard is consistent with it. Microsoft Entra ID Protection tracks several risk detection types, including suspicious sign-ins, password spray attempts and mass access to sensitive files.

What is Microsoft Entra External ID?

Microsoft built off its existing Azure AD External Identities product to make Microsoft Entra External ID, a customer identity and access management (CIAM) feature that handles tasks related to the security of customer and other external accounts.

Features that are exclusive to Microsoft Entra External ID include tools for developers to produce more secure applications for customers and the ability to use identities from outside sources such as Google for sign-ins.

Microsoft said its Azure AD B2C platform will continue to exist separately from Entra External ID for the time being.

What is Global Secure Access?

For network security, Global Secure Access covers two network security products: Microsoft Entra Internet Access and Microsoft Entra Private Access. The zero-trust security model is at the core of these features where identity access is validated each time a request is made.

Microsoft said Entra Private Access is an improved way to protect access to private apps and resources through a cloud-based VPN, which is helpful for clients that might not have a VPN client app, such as macOS and Linux machines.

The company said Microsoft Entra Internet Access protects systems from malicious traffic through a secure web gateway to provide a direct route to Microsoft 365, private applications and other internet services.

Microsoft said this combination of products is an improvement over VPNs and firewalls, which are limited in their capabilities once a breach occurs.

What is the cost and licensing for Microsoft Entra?

Because Microsoft Entra is a suite rather than an individual product, there is no subscription with access to all the individual Entra tools. Instead, each tool will need to be licensed separately.

Microsoft Entra ID is the backbone of every other Entra product. Besides any applicable Azure AD subscription fees, Microsoft charges $6 per user per month for a Microsoft Entra ID P1 -- formerly Azure AD Premium P1 -- subscription or $9 per user per month for a Microsoft Entra ID P2 subscription. Verified ID is included with all Microsoft Entra ID subscriptions, including the free plan.

Microsoft Entra Identity Governance is an add-on for Microsoft Entra ID P1 customers at $7 per user per month and undisclosed pricing for Microsoft Entra ID P2 customers.

Entra Permissions Management is available for $10.40 per resource per month. The free version of Microsoft Entra Workload ID comes with a subscription to a commercial online service, such as Azure. Entra Workload ID Premium is $3 per workload identity per month.

How do I stay current with Microsoft Entra?

In addition to the documentation on Microsoft's site and the Entra portal at entra.microsoft.com, customers can check the Identity PowerToys site managed by Microsoft employees on their identity management team. This site hosts the Microsoft Entra mind map that provides a visual representation of the interconnected services in the Microsoft Entra product line.

Brien Posey is a 15-time Microsoft MVP with two decades of IT experience. He has served as a lead network engineer for the U.S. Department of Defense and as a network administrator for some of the largest insurance companies in America.