Posted in AZ Network Engineer, AZ-500 Azure Security Engineer Associate, AZ-900, Azure Administrator, Azure Security Engineer, Azure Solutions Architect

Microsoft Entra ID

   October 28, 2024

Microsoft Entra ID, previously known as Azure Active Directory (Azure AD), is Microsoft’s cloud-based identity and access management (IAM) service. It’s a central hub for managing user identities, securing access to resources, enabling collaboration, and providing seamless, secure sign-in experiences for employees, partners, and customers.

Entra ID is essential for controlling who can access what resources in an organization, whether the users are internal employees, external partners, or customers. Here’s a complete breakdown of Entra ID’s features, functions, and practical usage examples to help you understand how it works in real-world scenarios.

Overview of Microsoft Entra ID

Entra ID is built on three primary goals:

  1. Secure Access: Ensures that only authorized users can access resources.
  2. Enable Collaboration: Allows secure sharing and collaboration with external users.
  3. Identity Management and Governance: Simplifies managing user identities, groups, and access policies.

Entra ID is central to Microsoft’s approach to Zero Trust security: verifying every user and device before granting access, regardless of where they are.

Key Features and Functions of Microsoft Entra ID

1. User and Group Management

  • User Management: Entra ID allows admins to create, manage, and delete user accounts for employees, contractors, partners, and customers. Users can be organized based on roles, departments, or functions.
  • Group Management: Users can be grouped to simplify permissions. Groups allow admins to assign permissions to many users at once (e.g., the Sales Team, HR Department).
  • Usage Example: The HR team sets up groups for different departments (e.g., “Marketing,” “Sales”) and assigns specific permissions to each group. When a new employee joins, they are added to their respective group and automatically inherit the necessary permissions.

2. Single Sign-On (SSO)

  • Purpose: SSO allows users to sign in once and access multiple applications without needing to log in again.
  • How It Works: Users authenticate with Entra ID, gaining access to both Microsoft applications (e.g., Microsoft 365, Teams) and third-party applications (e.g., Salesforce, ServiceNow).
  • Usage Example: A user signs into Entra ID, then opens Microsoft Teams, Outlook, and a third-party CRM without additional logins.

3. Multi-Factor Authentication (MFA)

  • Purpose: Adds an extra layer of security by requiring additional verification methods beyond a password.
  • How It Works: After entering their password, users must confirm their identity through a second method, such as an SMS code, phone call, or the Microsoft Authenticator app.
  • Usage Example: An employee accesses a sensitive application. Entra ID prompts them to authenticate through the Microsoft Authenticator app, adding extra security.

4. Conditional Access

  • Purpose: Conditional Access enforces specific access policies based on user attributes like location, device, and role.
  • How It Works: Policies are set to allow or block access based on conditions, such as only allowing access from known networks or compliant devices.
  • Usage Example: A company has a Conditional Access policy that blocks access from outside the country unless the user completes MFA. This ensures higher security for remote access.

5. Identity Protection

  • Purpose: Uses machine learning to detect identity risks, such as compromised accounts or unusual sign-in patterns.
  • How It Works: Identity Protection continuously assesses sign-in behavior to detect risks like atypical login locations, detecting and flagging potential compromised accounts.
  • Usage Example: An employee’s account is flagged after multiple login attempts from unfamiliar locations. Identity Protection alerts the admin and requires the user to reset their password.

6. Privileged Identity Management (PIM)

  • Purpose: PIM controls and monitors privileged access to resources by allowing just-in-time (JIT) access for high-level roles.
  • How It Works: Users request elevated permissions for a limited time, reducing the risks of constant admin-level access.
  • Usage Example: An IT admin requests elevated access to manage critical infrastructure. PIM grants temporary admin permissions, which expire after the task is completed.

7. Application Management

  • Purpose: Centralizes and secures access to applications for users, simplifying the management of application permissions.
  • How It Works: Entra ID integrates applications (e.g., SaaS apps, custom apps) into the directory, allowing admins to assign and manage access to these applications.
  • Usage Example: An admin integrates Salesforce with Entra ID, allowing employees to access Salesforce through their Entra ID accounts without separate logins.

8. External Identities (B2B and B2C)

  • Entra ID B2B (Business-to-Business): Enables secure collaboration with external partners, vendors, and contractors by inviting them as guest users.
  • Entra ID B2C (Business-to-Consumer): Allows organizations to manage identity for customer-facing applications, offering social logins, MFA, and custom branding for consumer applications.
  • Usage Examples:
    • B2B: A marketing firm invites a partner agency to collaborate in a project-specific Microsoft Teams environment, where partner users use their own organization’s credentials to access the environment.
    • B2C: An e-commerce website uses Entra ID B2C to let customers create accounts or log in using Google or Facebook, offering secure access without creating new usernames.

9. Verified ID (Decentralized Identity)

  • Purpose: Enables organizations to issue, manage, and verify digital credentials that users can store in their digital wallets.
  • How It Works: Organizations issue Verified IDs, which users store in a digital wallet. Users then present credentials to verifiers without sharing sensitive data.
  • Usage Example: A university issues a digital student ID as a Verified ID. Students can present this credential to access services like student discounts without revealing personal information.

10. Access Reviews and Identity Governance

  • Access Reviews: Ensures users have appropriate access by periodically reviewing group and application memberships. It’s essential for maintaining least-privilege access.
  • Identity Governance: Establishes policies to manage user access throughout their lifecycle, including employee onboarding, role changes, and termination.
  • Usage Example: A company performs access reviews every quarter for sensitive applications, removing access for users who no longer need it, thereby maintaining security.

11. Self-Service Password Reset (SSPR)

  • Purpose: Allows users to reset their passwords without needing IT assistance, reducing the IT support load and improving productivity.
  • How It Works: Users verify their identity (using MFA or security questions) to reset their password securely.
  • Usage Example: An employee forgets their password and uses the self-service portal to reset it by verifying their identity with a code sent to their phone.

Working Examples of Microsoft Entra ID in Action

Scenario 1: Employee Access Management and Security with SSO, MFA, and Conditional Access

Situation: A medium-sized business wants to secure employee access to corporate resources without creating too many login hurdles.

  1. Single Sign-On (SSO): All applications used by employees, including Microsoft 365, Salesforce, and the company’s HR system, are integrated with Entra ID for SSO, so employees only log in once to access them.
  2. Multi-Factor Authentication (MFA): Entra ID requires MFA for applications handling sensitive information, like financial and HR systems, while allowing straightforward access to other applications.
  3. Conditional Access Policies: The company sets a policy that only permits access to sensitive systems from compliant, company-owned devices. If a device is non-compliant or from an unfamiliar location, the user must verify with MFA.

This setup secures employee access to applications while reducing the risk of unauthorized access from unknown locations or insecure devices.

Scenario 2: Secure Collaboration with External Partners Using Entra ID B2B

Situation: A company is working on a joint project with an external vendor who needs access to certain internal documents in SharePoint and project discussions in Microsoft Teams.

  1. Guest User Invitation: The company uses Entra ID B2B to invite the vendor’s team members as guest users, giving them access to specific Teams channels and SharePoint folders.
  2. Conditional Access: The company requires the guest users to complete MFA for any access from outside trusted IP ranges.
  3. Access Review: After the project ends, the company performs an access review to remove any guest users who no longer need access.

This setup facilitates collaboration while maintaining control and security over the company’s resources.

Scenario 3: Customer Identity Management for a Consumer Application Using Entra ID B2C

Situation: An online retail company needs to manage customer accounts securely, allowing users to register or sign in with their social media accounts.

  1. Customer Sign-Up Options: The retailer uses Entra ID B2C to allow customers to sign up using Google, Facebook, or an email-based account.
  2. Brand Customization: The company customizes the login page to match its branding, offering a seamless user experience.
  3. MFA for Security: Entra ID B2C enables MFA, which customers can activate for additional security on their accounts.

With Entra ID B2C, the retailer can manage customer identities securely while offering an easy-to-use login experience.

Scenario 4: Streamlined Onboarding and Offboarding with Identity Governance

Situation**: A large enterprise has frequent employee role changes and needs an efficient way to onboard, manage, and offboard employees.

  1. Automated Onboarding: When a new employee is added to Entra ID, their department and role determine their access to specific groups and applications.
  2. Access Reviews: Regular access reviews ensure that employees maintain only necessary access as they change roles or departments.
  3. Automated Offboarding: When an employee leaves, their Entra ID account is disabled, removing access to all company resources.

Using Entra ID’s identity governance features, the company can automate access based on role, reducing the administrative load and enhancing security.

Benefits of Using Microsoft Entra ID

  1. Enhanced Security: With features like MFA, Conditional Access, and Identity Protection, Entra ID safeguards access to resources, helping organizations implement a Zero Trust security model.
  2. Simplified User Experience: SSO and self-service password reset simplify access management, reducing the burden on IT support and improving user satisfaction.
  3. Improved Collaboration: Entra ID B2B and B2C streamline secure collaboration with partners, vendors, and customers, expanding secure access beyond the organization.
  4. Comprehensive Identity Governance: Access reviews, identity protection, and automated workflows keep identities and access compliant with security policies.
  5. Scalable and Centralized Management: With a single platform for managing all identities and access policies, Entra ID provides a scalable solution for companies of all sizes.

Conclusion

Microsoft Entra ID provides a robust, flexible framework for managing and securing identities across an organization. With features ranging from SSO and MFA to guest access and Verified ID, Entra ID empowers organizations to implement strong identity management and security practices. By understanding and leveraging each feature, companies can create a secure, streamlined experience for employees, partners, and customers alike, positioning Entra ID as an essential tool in modern identity and access management.

Share: XFacebookPinterestLinkedin
Author: tonyhughes