
What is Microsoft Entra ID and why is it important?

What is Microsoft Entra ID?

Microsoft Entra ID, a cloud-based identity and access management service, comprises a database (directory) that stores user information and access permissions. Formerly known as Azure Active Directory, it offers a suite of services that facilitate employee authentication and authorization, ensuring that end users can securely access only the IT resources they are permitted to use. These resources encompass both internal assets like corporate intranet data and tools, as well as external resources such as Microsoft 365 and various SaaS applications.

But be sure to note one crucial distinction: Microsoft Entra ID is not merely an adaptation of Active Directory hosted on Microsoft's servers instead of in on-premises data centers. Instead, it is a distinct solution integrated into Microsoft's public cloud platform, Azure. However, it's worth noting that on-premises Active Directory and Entra ID can often coexist, forming hybrid AD environments.

Microsoft Entra ID diagram

What type of organizations need Microsoft Entra ID?

Any organization that has a subscription to Microsoft's online business services, like Microsoft 365, automatically gains access to Microsoft Entra ID. Nevertheless, certain advanced features come at an additional cost. To unlock functionalities such as self-service options, enhanced monitoring, security reporting, and mobile device security, an upgrade to an Entra ID Basic, Premium P1, or Premium P2 license is required.


Who uses Microsoft Entra ID?

It’s generally used by three distinct user categories:

  • IT administrators: Admins generally manage Entra ID, overseeing tasks like user setup, group management, permission configurations, etc. These settings may encompass requirements for multifactor authentication (MFA) and decisions regarding whether to grant access to external users. The IT admin who establishes the tenant automatically assumes the role of Global Administrator, with the ability to appoint additional administrators.
  • Application developers: Often using Entra ID through application programming interfaces (APIs), application developers ensure that their applications seamlessly integrate with a user's Entra ID credentials. This allows them to create personalized application experiences using the organization's data.
  • Business end users: Most organization employees might not be aware of it, but they also interact with Entra ID. Every time they access Microsoft cloud resources, such as Teams or SharePoint Online, Entra ID operates behind the scenes, confirming their identities and ensuring they can access only the resources for which they have authorization.


How is Entra ID set up?

The fundamental component that forms the foundation of Entra ID is known as a 'tenant.' An Entra ID tenant represents a dedicated instance of Entra ID tailored to a specific company.

To establish a tenant, your organization can simply enroll in a Microsoft cloud service, such as Microsoft 365, and furnish essential details like your organization's name and location. The initial domain name is constructed by combining the specified name with '.onmicrosoft.com' (e.g., domainname.onmicrosoft.com). The initial domain name is permanent and cannot be altered or removed, but you have the flexibility to incorporate custom domain names, such as companyname.com, into your tenant. Each tenant has a dedicated and trusted Entra ID directory, which includes the tenant's users, groups and apps, and performs identity and access management functions for the tenant’s resources.

Please note that we're using the word "domain" in the internet sense (a website domain name). It has nothing to do with an on-premises AD domain, which is a group of related users, computers and other AD objects that are managed together. Similarly, Entra ID does not have forests, organizational units (OUs) or other familiar AD structures.


What's the difference between Microsoft Entra ID and Active Directory?

While on-premises Active Directory and Entra ID serve a shared fundamental purpose, it's important to recognize that they represent distinct solutions. Here are some critical points to remember:

Where it runs
  • Microsoft Active Directory: Active Directory operates as an integral component of the Windows Server operating system, functioning on dedicated servers known as domain controllers (DCs).
  • Microsoft Entra ID: In contrast, Microsoft Entra ID operates on Microsoft's servers situated within Microsoft datacenters.

Structure
  • Microsoft Active Directory: Active Directory adopts a hierarchical arrangement with the AD domain serving as the central unit. Within domains, objects are typically organized into organizational units (OUs) that reflect business divisions, like departments. In the case of larger organizations, multiple domains are often grouped together within a forest.
  • Microsoft Entra ID: Conversely, Microsoft Entra ID employs a flat organizational structure. Its core component is the 'tenant,' representing a distinct instance of Entra ID exclusively designed for a specific organization.

Programmatic access
  • Microsoft Active Directory: LDAP
  • Microsoft Entra ID: REST APIs

Authentication
  • Microsoft Active Directory: Owing to its long history, Active Directory has witnessed significant evolution in its authentication protocols, transitioning from LM to NTLM, and subsequently to the currently utilized NTLMv2 and Kerberos.

Authorization
  • Microsoft Active Directory: When users with authenticated credentials attempt an action, such as accessing data or launching an application, Active Directory determines whether or not to permit the action. This determination involves assessing the permissions granted to users both individually and through their membership in Active Directory security groups. Active Directory also considers policies defined in Group Policy.
  • Microsoft Entra ID: Entra ID employs a different approach to authorization than Active Directory. Key components include:
      • Entra ID Security Groups: These groups, analogous in structure and function to AD security groups, consist of Entra ID user accounts. They serve the purpose of providing access to cloud resources like Teams and SharePoint Online.
      • Microsoft 365 Groups: Functioning similarly to security groups, Microsoft 365 Groups also serve as data repositories for shared mailboxes, SharePoint Online, and Teams, expanding their utility beyond traditional security measures.
      • Entra ID Roles: These roles bestow specific sets of permissions upon different categories of administrators. Boasting a multitude of pre-built roles such as Exchange Administrator, Entra ID also allows the creation of custom roles to tailor permissions according to specific requirements.

Device management
  • Microsoft Active Directory: Within Active Directory, Group Policy emerges as a potent tool for computer management. It facilitates a range of capabilities, including the ability to thwart the installation of unauthorized machines, enact computer lockdowns following designated periods of inactivity, automate the installation of software updates across all computers, and restrict the utilization of removable storage devices.
  • Microsoft Entra ID: Within the Entra ID system, the administration of devices is conducted through Microsoft Intune. Distinct rules can be configured for devices owned by the organization and those designated as personal Bring Your Own Device (BYOD) units enrolled in Intune. Possibilities encompass preventing the use of jailbroken devices, deploying certificates to enable users to establish a connection to the network through a VPN, and erasing corporate data from a device in the event of loss or theft.
  • Another consideration is how Entra ID interacts with Microsoft Security Copilot. Currently, any devices in Entra ID that are managed by Intune send telemetry data to Security Copilot (which is not possible with Active Directory). This setup gives administrators the ability to take advantage of emerging developments coming out of Microsoft. According to Gartner, converting a device from Hybrid Joined to Microsoft Entra Joined is a highly disruptive process that involves removing it from AD, resetting and wiping it, and reprovisioning it as an Entra ID device. Quest offers a solution to move Windows 10/11 devices to Entra ID without reimaging and rebuilding profiles. This streamlines endpoint modernization, accelerates Intune adoption and unblocks Security Copilot integration with Intune.

How does on-premises Active Directory interact with Microsoft Entra ID?

While it's certainly feasible to establish a fully cloud-based environment, the prevailing trend among organizations today involves maintaining a hybrid Active Directory environment. The integration is facilitated through the Microsoft tool Entra ID Connect, which synchronizes identity data from the on-premises AD to Entra ID. Consequently, users can employ their on-premises credentials to authenticate access to cloud resources such as Teams, SharePoint Online, and SaaS-based applications like Dropbox, Google Apps and Amazon Web Services (AWS).

On the backend, IT professionals primarily handle user management, group administration, and permissions within on-premises Active Directory. Any modifications made are automatically synchronized with the cloud. This approach mitigates the challenge of managing two entirely distinct sets of identities and permissions, a task prone to considerable difficulty and error.

Yet it's crucial to acknowledge that not all aspects can be stored and managed within the on-premises Active Directory. For example, cloud-only objects and attributes come into play, including:

  • Cloud-specific user accounts: Organizations typically establish Business-to-Business (B2B) and Business-to-Consumer (B2C) accounts in Entra ID for external users. For example, invitations sent to business partners or consultants result in the federation of their external identities into Microsoft Entra ID, creating an account that exists exclusively in the cloud and not in the on-premises AD.
  • Cloud-specific attributes: Certain attributes, such as the "license type," are exclusive to the cloud. Every user in the on-premises AD permitted to use Office 365 applications possesses this attribute, which determines their entitlement to specific features. If such a user object is deleted, the on-premises AD user object can be recovered and re-synchronized via Entra ID Connect. However, the cloud-only attribute, such as the license type, would be lost, leaving the user unable to work in Office 365 until the issue is manually addressed.

Consequently, even in a hybrid AD environment, exclusive reliance on on-premises management, security, migration, and reporting solutions is insufficient, emphasizing the need for a comprehensive approach that encompasses both on-premises and cloud-based considerations.
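To make the delete-and-restore failure mode above concrete, here is a small added example (not part of this page, and not Quest's or Microsoft's code) that models one direction of hybrid sync in Python. It is a deliberate simplification: only two on-premises-mastered attributes are synced, licenseType is the sole cloud-only attribute, the sync hard-deletes a cloud object whose on-premises counterpart disappears (the real service's soft-delete window is not modelled), and all user principal names are constructed sample values. It also includes the audit check a hybrid administrator would want: a report of synced users that exist in the cloud but carry no license, which is exactly the state a restored user ends up in.

```python
from dataclasses import dataclass, field

# Attributes mastered on-premises and copied to the cloud on every sync cycle.
SYNCED_ATTRIBUTES = ("displayName", "department")
# Attributes that live only in Entra ID; the sync never writes or restores them.
CLOUD_ONLY_ATTRIBUTES = ("licenseType",)


@dataclass
class CloudUser:
    """A user object in the (modelled) Entra ID directory."""
    upn: str
    user_type: str = "Member"        # "Member" or "Guest" (B2B invitee)
    on_prem_synced: bool = False     # True when the object is mastered in AD
    attributes: dict = field(default_factory=dict)


def sync_to_cloud(on_prem: dict, cloud: dict) -> dict:
    """Run one sync cycle from on-prem AD (UPN -> attributes) into the cloud
    directory (UPN -> CloudUser) and return the updated cloud directory.

    Only SYNCED_ATTRIBUTES are written; cloud-only attributes and cloud-only
    objects (guests) are left untouched. A synced object that no longer exists
    on-premises is removed from the cloud (simplified: no soft-delete window).
    """
    for upn, attrs in on_prem.items():
        user = cloud.get(upn)
        if user is None:
            user = CloudUser(upn=upn, on_prem_synced=True)
            cloud[upn] = user
        for name in SYNCED_ATTRIBUTES:
            if name in attrs:
                user.attributes[name] = attrs[name]
    for upn in list(cloud):
        if cloud[upn].on_prem_synced and upn not in on_prem:
            del cloud[upn]
    return cloud


def invite_guest(cloud: dict, upn: str) -> CloudUser:
    """Create a B2B guest: a cloud-only object with no on-prem counterpart."""
    cloud[upn] = CloudUser(upn=upn, user_type="Guest")
    return cloud[upn]


def assign_license(cloud: dict, upn: str, license_type: str) -> None:
    """Set the cloud-only licenseType attribute (done in the cloud, never in AD)."""
    cloud[upn].attributes["licenseType"] = license_type


def synced_users_missing_license(cloud: dict) -> list:
    """Audit check: synced users present in the cloud but carrying no cloud-only
    attribute, which is the state a deleted-and-restored user ends up in."""
    return sorted(upn for upn, user in cloud.items()
                  if user.on_prem_synced
                  and all(a not in user.attributes for a in CLOUD_ONLY_ATTRIBUTES))


def run_scenario() -> dict:
    """Walk through the delete/restore scenario with constructed sample data."""
    alice = "alice@corp.example"            # constructed sample UPN
    guest = "bob@partner.example"           # constructed sample guest UPN
    on_prem = {alice: {"displayName": "Alice Example", "department": "Finance"}}
    cloud = {}

    sync_to_cloud(on_prem, cloud)
    assign_license(cloud, alice, "E3")      # cloud-only attribute, set after sync
    invite_guest(cloud, guest)

    # A routine sync cycle: on-prem changes flow in, cloud-only data survives.
    on_prem[alice]["department"] = "Treasury"
    sync_to_cloud(on_prem, cloud)
    license_after_resync = cloud[alice].attributes.get("licenseType")
    department_after_resync = cloud[alice].attributes["department"]
    guest_present = guest in cloud

    # The user is deleted on-premises; the next sync removes the cloud object.
    del on_prem[alice]
    sync_to_cloud(on_prem, cloud)
    present_after_deletion = alice in cloud

    # The on-prem object is re-created and synced again: the license is gone.
    on_prem[alice] = {"displayName": "Alice Example", "department": "Treasury"}
    sync_to_cloud(on_prem, cloud)
    license_after_recreate = cloud[alice].attributes.get("licenseType")

    return {
        "license_after_resync": license_after_resync,
        "department_after_resync": department_after_resync,
        "guest_present_after_sync": guest_present,
        "present_after_deletion": present_after_deletion,
        "license_after_recreate": license_after_recreate,
        "missing_license_report": synced_users_missing_license(cloud),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the script shows the two halves of the argument side by side: the routine sync updates the on-premises-mastered department while leaving the license and the guest account alone, yet after the delete-and-recreate cycle the same user comes back without a license and is flagged by the audit check. Whatever reporting you run against on-premises AD alone will never see that gap, which is the point of the section above.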

