Deep Dive into Microsoft Entra ID

Microsoft Entra ID is Microsoft’s cloud-based identity and access management (IAM) service. It is the backbone of access control for organizations using Microsoft services, and it underpins a Zero Trust architecture by verifying every identity and enforcing granular, context-aware access controls.

Microsoft Entra ID is the new name for Azure AD, reflecting Microsoft’s broader vision of a unified, multicloud, multiplatform identity and access management platform. The rename unifies the Microsoft Entra product family, reduces confusion with Windows Server Active Directory, and signals a shift toward a more integrated, modern security platform.

  • Cloud-based Identity and Access Management (IAM) platform by Microsoft. 
  • Central to managing authentication, authorization, and identity governance across Microsoft 365, Azure, and third-party apps.

Core Features of Entra ID

1. Identity Management: Ensures secure, centralized control over user identities, enabling seamless access to apps and resources while enforcing policies across hybrid and cloud environments. 

  • Create and manage users, groups, and devices
  • Supports hybrid identity via Entra Connect or Cloud Sync (sync with on-prem AD). 
  • Enables Workforce, External, and Workload identities.

2. Authentication

  • Single Sign-On (SSO): Users authenticate once and gain secure, uninterrupted access to multiple applications without repeated logins.

 OAuth 2.0 – Authorization Framework 

    • Purpose: Grants access to resources without sharing credentials. 
    • Use Case: Delegated access (e.g., an app accessing a user’s calendar). 
    • Flow: Issues access tokens to authorize API calls. Does NOT authenticate users directly. 

 OpenID Connect (OIDC) – Authentication Layer on OAuth 

    • Purpose: Authenticates users and provides identity info. 
    • Use Case: Login to apps using Google, Microsoft, etc. 
    • Flow: Issues an ID token (a JSON Web Token, JWT) carrying user claims. Built on OAuth 2.0, adding an identity layer. 

 SAML 2.0 – Security Assertion Markup Language, an XML-based Federation Protocol 

    • Purpose: Enables SSO across enterprise apps. 
    • Use Case: Logging into Salesforce via corporate credentials. 
    • Flow: Passes identity information in XML SAML assertions. Widely used in enterprise and legacy systems. 

 WS-Federation (WS-Fed) – Legacy Federation Protocol built on WS-Trust (SOAP) 

    • Purpose: Legacy protocol for federated identity. 
    • Use Case: Integrating with older Microsoft services (e.g., SharePoint). 
    • Flow: Delivers WS-Trust security tokens via browser redirects. Being phased out. 

OpenID Connect and OAuth 2.0 offer a modern, lightweight, and API-friendly approach to authentication and authorization. Compared to SAML, they’re better suited for mobile, cloud-native, and distributed architectures - making them ideal for scalable identity solutions.
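The OIDC point above is easy to get wrong in practice: an app receives a JWT and must decide whether it is an ID token it can trust as proof of login. The following is an added example (not code from the original post or from Microsoft) that performs the claim checks an OIDC relying party must do on an Entra ID v2.0 ID token: the `alg` and `kid` header, `iss` and `tid`, `aud`, the `exp`/`nbf` window, and the `nonce`. The tenant ID, client ID, nonce and user values are assumed placeholders. Signature verification against the tenant’s JWKS endpoint is a required separate step that this block does not perform; the demo token carries a placeholder signature segment so it runs offline.

```python
"""Claim validation for an Entra ID v2.0 ID token (added example, not from the post).

Signature verification against the tenant JWKS
(https://login.microsoftonline.com/{tid}/discovery/v2.0/keys) is NOT done here
and must be performed before the claims below are trusted.
"""
import base64
import json
import time
from typing import Optional, Tuple

# Assumed placeholders: a fictitious tenant ID and app (client) ID.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
NOW = 1_700_000_000          # fixed clock so results are reproducible
DEMO_NONCE = "n-0S6_WzA2Mj"  # assumed nonce generated for the login request


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def split_jwt(token: str) -> Tuple[dict, dict, str]:
    """Split a compact JWS into (header, claims, signature_segment)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return (json.loads(_b64url_decode(parts[0])),
            json.loads(_b64url_decode(parts[1])),
            parts[2])


def validate_id_token_claims(token: str, expected_nonce: str,
                             now: Optional[int] = None, skew: int = 300) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    header, claims, _signature = split_jwt(token)

    # Entra signs ID tokens with RS256; reject "none" or anything else so a
    # forged header cannot downgrade verification.
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if not header.get("kid"):
        raise ValueError("missing kid: cannot pick the JWKS key for signature verification")

    # Issuer AND tenant must match; a multi-tenant app that only wildcards the
    # issuer would accept tokens from any tenant.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    if claims.get("tid") != TENANT_ID:
        raise ValueError(f"tenant mismatch: {claims.get('tid')!r}")

    # aud must be this app's client ID. An access token minted for another API
    # (e.g. Microsoft Graph) is not proof of login and must be rejected.
    if claims.get("aud") != CLIENT_ID:
        raise ValueError(f"audience mismatch: {claims.get('aud')!r}")

    # Validity window with a small clock-skew allowance.
    if claims.get("exp", 0) + skew < now:
        raise ValueError("token expired")
    if claims.get("nbf", 0) - skew > now:
        raise ValueError("token not yet valid")

    # nonce ties the token to the authorization request that started the flow.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def make_demo_token(claims: dict, alg: str = "RS256") -> str:
    """Build a demo JWT with a placeholder signature (offline use only)."""
    header = {"typ": "JWT", "alg": alg, "kid": "demo-key-id"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"placeholder-signature")])


def check(token: str, nonce: str, now: int = NOW) -> str:
    """Convenience wrapper: 'ok' or the reason the token was rejected."""
    try:
        validate_id_token_claims(token, nonce, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed claim set for a fictitious user (shape of an Entra v2.0 ID token).
GOOD_CLAIMS = {
    "iss": EXPECTED_ISSUER, "tid": TENANT_ID, "aud": CLIENT_ID,
    "sub": "AAAAAAAAAAAAAAAAAAAAAOaG1DkKuV3m",
    "oid": "12121212-3434-5656-7878-909090909090",
    "preferred_username": "alice@contoso.example", "name": "Alice Example",
    "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3600, "nonce": DEMO_NONCE,
}

if __name__ == "__main__":
    print(check(make_demo_token(GOOD_CLAIMS), DEMO_NONCE))
    graph_aud = {**GOOD_CLAIMS, "aud": "00000003-0000-0000-c000-000000000000"}
    print(check(make_demo_token(graph_aud), DEMO_NONCE))
```

The second call in the usage block rejects a token whose `aud` is Microsoft Graph’s application ID: it may be a perfectly valid access token, but it is not an ID token for this app, which is exactly the OAuth-versus-OIDC distinction the protocol list draws.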


Authentication Protocol: OAuth+OIDC vs SAML

1. Modern Protocol Stack 

    • OIDC uses JavaScript Object Notation (JSON) and REpresentational State Transfer (REST); SAML relies on XML and SOAP. That makes OIDC easier to implement, debug, and scale in web and mobile apps.

2. Mobile & SPA Friendly 

    • OIDC is optimized for mobile apps, single-page apps (SPAs), and API-based architectures. SAML is browser-centric and less suited to native or mobile environments. 

3. Token Format: JWT vs XML 

    • OIDC uses JWT (JSON Web Tokens) - compact, stateless, and easy to parse. SAML uses XML assertions - verbose and harder to handle in lightweight clients. 

4. Better Developer Experience 

    • OIDC/OAuth has standardized libraries, SDKs, and tooling across platforms. SAML implementations are more complex and rigid.

5. Granular Authorization 

    • OAuth scopes allow fine-grained access control to APIs. SAML is focused on authentication, not delegated authorization. 

6. Token Versatility 

    • OAuth/OIDC supports access tokens, refresh tokens, and (via OIDC) ID tokens. SAML lacks native support for token refresh or API access delegation.

7. Cloud-Native & Multicloud Ready

    • OIDC/OAuth is widely adopted in cloud-native, microservices, and multicloud environments. SAML is more common in legacy enterprise setups. 

  • Multi-Factor Authentication (MFA): Strengthens identity verification by requiring two or more factors, such as a password plus a biometric or a device prompt, making unauthorized access significantly harder. Adds security beyond passwords. 

To protect VPN access, Microsoft offers the Network Policy Server (NPS) extension, which adds Entra ID MFA to RADIUS-based VPN sign-ins. Even if a password is compromised, access is blocked unless the second factor is verified, so organizations can secure remote connections without replacing their existing VPN infrastructure.

Core Authentication Factors:

  • Something You Know
    • Example: Password, PIN, or security question. 
    • Risk: Susceptible to phishing, brute-force attacks, and credential leaks. 
  • Something You Have
    • Example: Mobile device, smart card, hardware token (e.g., YubiKey). 
    • Role: Used for OTPs, push notifications, or physical token verification. 
  • Something You Are (Biometric)
    • Example: Fingerprint, facial recognition, retina scan. 
    • Benefit: Unique to the user, hard to replicate or steal. 
  • Passwordless options: Passwordless authentication replaces passwords with methods such as biometrics, FIDO2 security keys, or authenticator apps, improving both user experience and security. 

 
3. Conditional Access: Applies policy-based access control, using signals to make context-aware authentication and authorization decisions. 

  • Policy-based access control using signals like:
    • User risk 
    • Sign-in behavior 
    • Device compliance 
    • Location 
    • App sensitivity 
    • Session risk 
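Conditional Access policies are created and updated through the Microsoft Graph API, and the body of a policy shows concretely how signals (users, apps, client types) map to grant controls. The following is an added example, not code from the original post or from Microsoft: it builds two common baseline policies in the shape Graph accepts and lints them for the mistakes that most often lock administrators out. The break-glass account object ID and policy names are assumed placeholders, and the block does not call Graph; it only checks the request body.

```python
"""Build and sanity-check Conditional Access policy bodies (added example, not
from the post). Shape follows the Graph conditionalAccessPolicy resource used by
POST /identity/conditionalAccess/policies; no API call is made here."""
import json

# Assumed placeholder: object ID of the emergency-access ("break-glass")
# account that must be excluded from every MFA/device/block policy.
BREAK_GLASS_ACCOUNT_ID = "99999999-0000-0000-0000-000000000001"
VALID_STATES = {"enabled", "disabled", "enabledForReportingButNotEnforced"}
MODERN_CLIENTS = {"browser", "mobileAppsAndDesktopClients", "all"}
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}


def require_mfa_for_all_users(state: str = "enabledForReportingButNotEnforced") -> dict:
    """Require MFA for all users on all cloud apps; break-glass excluded.
    Defaults to report-only so the impact can be reviewed before enforcement."""
    return {
        "displayName": "CA001: Require MFA for all users",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ACCOUNT_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def block_legacy_authentication(state: str = "enabledForReportingButNotEnforced") -> dict:
    """Block legacy protocols (basic auth, Exchange ActiveSync) that cannot do MFA."""
    return {
        "displayName": "CA002: Block legacy authentication",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ACCOUNT_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the body passed."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    client_types = set(cond.get("clientAppTypes", []))
    controls = set((policy.get("grantControls") or {}).get("builtInControls", []))

    if policy.get("state") not in VALID_STATES:
        findings.append(f"invalid state {policy.get('state')!r}")
    if BREAK_GLASS_ACCOUNT_ID not in users.get("excludeUsers", []):
        findings.append("break-glass account is not in excludeUsers")
    everyone_everywhere = (users.get("includeUsers") == ["All"]
                           and apps.get("includeApplications") == ["All"])
    if "block" in controls and everyone_everywhere and client_types & MODERN_CLIENTS:
        findings.append("block applies to all users, all apps and modern clients: tenant-wide lockout")
    if "mfa" in controls and client_types & LEGACY_CLIENTS:
        findings.append("mfa required for legacy clientAppTypes that cannot satisfy it; "
                        "they will be blocked (confirm this is intended)")
    return findings


def to_request_body(policy: dict) -> str:
    """Serialize a linted policy as the JSON body sent to Graph."""
    problems = lint_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for p in (require_mfa_for_all_users(), block_legacy_authentication()):
        print(p["displayName"], "->", lint_policy(p) or "ok")
    broken = block_legacy_authentication(state="enabled")
    broken["conditions"]["clientAppTypes"] = ["all"]   # someone "simplified" it
    print(broken["displayName"], "->", lint_policy(broken))
```

The `broken` case in the usage block is the classic incident: a block policy whose client type is widened to `all` now blocks every modern sign-in for every user, and only the excluded break-glass account can get back in to fix it.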

 
4. Identity Protection: Leverages machine learning to detect risky sign-ins and compromised accounts, automatically assessing user risk levels and enforcing adaptive access controls to mitigate threats in real time. 

  • Detects and responds to risky sign-ins and compromised accounts
  • Uses machine learning to assess user risk levels

 
5. Privileged Identity Management (PIM): Provides just-in-time access to elevated roles with enforced approval workflows, multi-factor authentication, and detailed audit logging – minimizing standing privileges and reducing the risk of misuse or compromise. 

  • Just-in-time access to elevated roles
  • Role activation with approval workflows, MFA, and audit logs.

 
6. Access Reviews: Enables organizations to conduct periodic evaluations of user access to apps and groups, ensuring that permissions align with current roles and responsibilities – supporting least privilege principles and regulatory compliance. 

  • Periodic reviews of user access to apps and groups. 
  • Helps maintain least privilege and compliance

 
7. Verified ID: Uses decentralized identity principles and Verifiable Credentials to give users full control over their digital identity – allowing them to present trusted, cryptographically secure claims without relying on centralized identity providers. 

  • Decentralized identity using Verifiable Credentials
  • Empowers users to control their digital identity. 

 
8. External ID: Enables secure identity management for guests, partners, and customers, offering customizable sign-in experiences across B2B and B2C scenarios—from federated access to branded login journeys. 

 Key Capabilities 

  • B2B: Invite external users to collaborate using their own identity providers (e.g., Google, Microsoft). 
  • B2C: Provide public-facing apps with flexible sign-in options (social logins, email, etc.). 
  • Custom UX: Tailor branding, user journeys, and policies for different audiences. 
  • Manages guest users, partners, and customers securely. 
  • Customizable sign-in experiences (B2B/B2C scenarios). 


Deprecation & Transition Update

Microsoft is retiring Azure AD B2B/B2C licensing for new customers starting May 1, 2025. This marks a shift toward the next-gen Customer Identity and Access Management (CIAM) platform: Microsoft Entra External ID. 


🔄 What’s Changing 

  • New customers can no longer purchase Azure AD External Identities P1/P2 after May 2025. 
  • Existing tenants can continue using Azure AD B2C/B2B, likely supported through 2030.
  • No immediate feature loss, but future innovation will focus on Entra External ID.

“Microsoft is consolidating its external identity strategy under Entra External ID to reduce technical debt and deliver a unified CIAM experience with future-proof scalability, modern security, and simplified licensing.” 


9. Role-Based Access Control (RBAC): Streamlines access management by assigning permissions to roles rather than individual users, giving consistent, scalable, least-privilege access. Entra ID roles (built-in and custom) govern the directory itself (users, groups, applications, policies), while Azure RBAC governs Azure resources; both are assigned to Entra ID users, groups, or service principals. 

  • Assigns permissions based on roles, not individuals. 
  • Simplifies access management across Azure resources. 

 
10. Audit & Monitoring: Microsoft Entra ID provides deep visibility into identity-related activities by capturing detailed logs of user actions, sign-ins, provisioning events, and policy changes – enabling organizations to detect anomalies, investigate incidents, and maintain compliance through real-time insights and historical reporting. 

  • Detailed sign-in logs, audit trails, and alerts.
  • Integrates with Microsoft Sentinel and Log Analytics.

🔍 Log Types 

  • Audit Logs: Track changes like role assignments, group edits, and app updates.
    • Use Case: Compliance, change tracking, and forensic investigations. 
    • Immutable: Entries cannot be modified or deleted. 
  • Sign-In Logs: Monitor who signed in, from where, how, and whether it succeeded.
    • Use Case: Detect suspicious activity, troubleshoot login issues, analyze usage trends. 
  • Provisioning Logs: Show identity sync and app provisioning events.
    • Use Case: Troubleshoot failed user provisioning to SaaS apps and confirm which attributes were synced. 
  • Risk Logs: Flag risky sign-ins and compromised accounts.
    • Use Case: Investigate Identity Protection risk detections, confirm or dismiss a compromise, and drive risk-based Conditional Access. 

🔍 SIEM Integration for Entra

To gain deeper insights and enable proactive security monitoring, Entra logs can be integrated with Security Information and Event Management (SIEM) tools. 

Audit logs help track what changed, while sign-in logs reveal who accessed what and how. Integrating both with SIEM tools like Sentinel or Splunk enables real-time threat detection, compliance visibility, and deep forensic analysis – critical for enterprise-grade identity governance. 

🔧 Integration Methods 

  • Azure Monitor Logs: Use diagnostic settings to stream Entra ID logs to a Log Analytics workspace (for querying and visualizing) or to an Event Hub.
  • Microsoft Sentinel: Natively integrates Entra ID logs using built-in data connectors for audit, sign-in, and risk logs—enabling advanced analytics, threat detection, and automated response 
  • Event Hub Streaming: Route logs to third-party SIEMs like:
    • Splunk 
    • Sumo Logic 
    • ArcSight 
    • IBM QRadar 
  • Use Cases
    • Real-time threat detection 
    • Alerting on risky sign-ins or role changes 
    • Compliance reporting 
    • Incident response and forensic analysis 
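Two of the use cases listed above, alerting on risky sign-ins and on role changes, are straightforward to express as detection logic once the logs are in a SIEM. The following is an added example, not code from the original post or from Microsoft: it runs three detections over constructed records in the shape of the Graph `signIn` and `directoryAudit` resources (the same records that diagnostic settings stream to Log Analytics or an Event Hub). All user names, IP addresses and timestamps are fictitious; the field names follow the Graph schema, and exported column names can differ by pipeline, so adjust the keys to your export.

```python
"""Detections over constructed Entra ID sign-in and audit records (added
example, not from the post). Records mimic the Graph signIn / directoryAudit
shapes; all data is fictitious."""
from collections import defaultdict
import json


def _sign_in(upn, ip, error_code, risk="none", client="Authenticated SMTP",
             ts="2025-06-01T08:00:00Z"):
    """Construct one sign-in record. 50126 = invalid username or password."""
    failure = ("Error validating credentials due to invalid username or password."
               if error_code == 50126 else None)
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": client,
            "ipAddress": ip, "status": {"errorCode": error_code, "failureReason": failure},
            "conditionalAccessStatus": "notApplied", "riskLevelDuringSignIn": risk}


# Constructed: one IP fails once against five different accounts (spray
# pattern), then two successes, one of which Identity Protection rated high.
SIGN_IN_LOGS = [
    _sign_in(f"{u}@contoso.example", "203.0.113.7", 50126)
    for u in ("alice", "bob", "carol", "dave", "erin")
] + [
    _sign_in("alice@contoso.example", "198.51.100.20", 0, client="Browser"),
    _sign_in("frank@contoso.example", "198.51.100.44", 0, risk="high", client="Browser"),
]

# Constructed: the risky account then adds someone to Global Administrator.
AUDIT_LOGS = [
    {"activityDisplayName": "Add member to role", "category": "RoleManagement",
     "result": "success", "activityDateTime": "2025-06-01T09:15:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "frank@contoso.example"}},
     "targetResources": [{
         "type": "User", "userPrincipalName": "mallory@contoso.example",
         "modifiedProperties": [
             # Graph encodes newValue as a JSON string literal.
             {"displayName": "Role.DisplayName", "oldValue": None,
              "newValue": "\"Global Administrator\""},
             {"displayName": "Role.TemplateId", "oldValue": None,
              "newValue": "\"62e90394-69f5-4237-9190-012177145e10\""}]}]},
    {"activityDisplayName": "Update group", "category": "GroupManagement",
     "result": "success", "activityDateTime": "2025-06-01T09:20:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"type": "Group", "displayName": "Finance",
                          "modifiedProperties": []}]},
]

WATCHED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                 "Privileged Authentication Administrator"}


def detect_password_spray(records, min_users=5, error_code=50126):
    """Spray signature: one source IP, many distinct accounts, one bad password
    each. Returns {ip: sorted list of targeted UPNs} above the threshold."""
    by_ip = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == error_code:
            by_ip[r["ipAddress"]].add(r["userPrincipalName"].lower())
    return {ip: sorted(u) for ip, u in by_ip.items() if len(u) >= min_users}


def detect_risky_successes(records, levels=("medium", "high")):
    """Successful sign-ins that Identity Protection rated medium/high risk."""
    return [r for r in records
            if r["status"]["errorCode"] == 0 and r.get("riskLevelDuringSignIn") in levels]


def _decode_value(raw):
    """modifiedProperties values are JSON-encoded strings; tolerate plain ones."""
    try:
        return json.loads(raw)
    except (TypeError, ValueError):
        return raw


def detect_privileged_role_grants(records, watched=WATCHED_ROLES):
    """Successful 'Add member to role' events for high-privilege roles."""
    hits = []
    for r in records:
        if r["activityDisplayName"] != "Add member to role" or r["result"] != "success":
            continue
        actor = r["initiatedBy"].get("user", {}).get("userPrincipalName")
        for target in r["targetResources"]:
            for prop in target.get("modifiedProperties", []):
                if prop["displayName"] == "Role.DisplayName":
                    role = _decode_value(prop["newValue"])
                    if role in watched:
                        hits.append({"time": r["activityDateTime"], "actor": actor,
                                     "target": target.get("userPrincipalName"),
                                     "role": role})
    return hits


if __name__ == "__main__":
    print("spray:", detect_password_spray(SIGN_IN_LOGS))
    print("risky:", [r["userPrincipalName"] for r in detect_risky_successes(SIGN_IN_LOGS)])
    print("grants:", detect_privileged_role_grants(AUDIT_LOGS))
```

Read together, the three results tell the story an analyst would chase: a spray from 203.0.113.7, a high-risk but successful sign-in for frank, and frank then granting Global Administrator to another account. The spray threshold is intentionally a parameter; the right value depends on tenant size and on whether legacy protocols (which produce the `Authenticated SMTP` client type here) are already blocked by Conditional Access.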

 
