What Is Microsoft Entra? Identity & Access Explained

Microsoft Entra is Microsoft’s family of identity and access management products, built around the core service formerly known as Azure Active Directory (Azure AD). If you use Microsoft 365, Azure, or any Microsoft cloud service, Entra is the system that verifies who you are, decides what you can access, and enforces security policies across your organization’s apps and devices.

How Azure AD Became Microsoft Entra

Microsoft publicly announced the rebranding on July 11, 2023, and began rolling out name changes across its products on August 15, 2023. By the end of that year, most references to “Azure Active Directory” had been replaced with “Microsoft Entra ID” throughout Microsoft’s interfaces, documentation, and partner tools.

The rename wasn’t just cosmetic. Microsoft expanded what had been a single product (Azure AD) into a broader family of related tools. Azure AD became Microsoft Entra ID, the foundational piece. But several other services that previously carried the Azure AD name also got new Entra branding: Azure AD External Identities became Microsoft Entra External ID, Azure AD Identity Governance became Microsoft Entra ID Governance, Azure AD Verifiable Credentials became Microsoft Entra Verified ID, and so on. Features you might have known as “Azure AD Conditional Access” or “Azure AD single sign-on” are now “Microsoft Entra Conditional Access” and “Microsoft Entra single sign-on.”

If you see references to Azure AD in older documentation or blog posts, they’re talking about what is now Microsoft Entra ID. The underlying technology didn’t change with the rebrand.

What Microsoft Entra ID Does

Microsoft Entra ID is the core product in the family. It’s a cloud-based identity service that handles authentication (confirming you are who you say you are) and authorization (deciding what you’re allowed to do). When you sign into Microsoft 365, Teams, or an Azure resource, Entra ID is what checks your credentials, applies security policies, and grants or blocks access.

For most organizations, the day-to-day features include single sign-on (one login for all your work apps), multifactor authentication (requiring a second verification step like a phone prompt), and Conditional Access (rules that control access based on factors like your location, device, or risk level). Entra ID also syncs with on-premises Active Directory, so companies that still run local servers can bridge their existing user accounts into the cloud.

Products in the Entra Family

Beyond the core identity service, Microsoft Entra includes several specialized tools:

  • Microsoft Entra ID Governance automates the lifecycle of user access. It handles access requests, assignments, and periodic reviews so administrators can ensure people only have the permissions they actually need.
  • Microsoft Entra ID Protection detects identity-based risks like compromised accounts or suspicious sign-in patterns. It feeds risk signals into Conditional Access so policies can automatically respond, for example by requiring a password change when a sign-in looks suspicious.
  • Microsoft Entra Private Access secures connections to internal corporate apps and resources without requiring a traditional VPN. Remote workers can reach internal systems from any device or network.
  • Microsoft Entra Internet Access secures outbound traffic to internet resources, SaaS apps, and Microsoft 365 services.
  • Microsoft Entra External ID manages identities for people outside your organization, whether that’s business partners collaborating on shared projects or customers signing into a consumer-facing app.
  • Microsoft Entra Verified ID lets organizations issue and verify digital credentials based on decentralized identity standards. Think of it as a tamper-proof digital badge that proves something about a person, like their employment status or educational degree.
  • Microsoft Entra Workload ID handles identity for non-human entities like applications, services, and containers that need to authenticate and access resources.
  • Microsoft Entra Agent ID extends identity and security controls to AI agents, giving organizations a way to authenticate and govern autonomous or assistive AI workloads.
  • Microsoft Entra Domain Services provides managed domain services like group policy, LDAP, and Kerberos authentication for legacy applications that can’t use modern cloud authentication.

How Conditional Access Works

Conditional Access is the policy engine at the heart of Entra’s security model. It works on simple if-then logic: if a user wants to access a resource, then they must meet certain conditions. The system pulls together signals from multiple sources to make each decision, including who the user is, what device they’re on, their IP address and geographic location, which application they’re trying to reach, and real-time risk scores from ID Protection.

Based on those signals, a policy can block access entirely or grant access with requirements attached. Those requirements might include completing multifactor authentication, using a compliant or company-managed device, accepting terms of use, or changing a password. This approach aligns with Zero Trust security principles: verify every access attempt explicitly, grant the minimum access necessary, and assume that any account could be compromised.
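The if-then evaluation described above can be sketched as a small model. This is an added example, not Microsoft's engine or the Entra policy schema: the class shapes, policy names and sample values are constructed, and the combining rules (any matching block wins, requirements from all matching policies accumulate) are assumptions of the model.

```python
from dataclasses import dataclass

RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class SignIn:                     # signals gathered for one access attempt
    groups: frozenset             # who the user is (group membership)
    app: str                      # application being reached
    country: str                  # location derived from the IP address
    compliant_device: bool
    risk: str = "none"            # real-time risk level from ID Protection
    mfa_done: bool = False

@dataclass(frozen=True)
class Policy:                     # hypothetical shape, not the Entra schema
    name: str
    groups: frozenset = frozenset({"*"})   # "*" = all users
    apps: frozenset = frozenset({"*"})     # "*" = all apps
    outside: frozenset = frozenset()       # if set: applies outside these countries
    min_risk: str = "none"
    block: bool = False
    require: frozenset = frozenset()       # e.g. {"mfa", "compliantDevice"}

def applies(p: Policy, s: SignIn) -> bool:
    return (("*" in p.groups or bool(p.groups & s.groups))
            and ("*" in p.apps or s.app in p.apps)
            and (not p.outside or s.country not in p.outside)
            and RISK[s.risk] >= RISK[p.min_risk])

def evaluate(policies, s: SignIn):
    """Return ("block", policy names) or ("grant", requirements still outstanding)."""
    matched = [p for p in policies if applies(p, s)]
    blockers = {p.name for p in matched if p.block}
    if blockers:                           # assumption: any matching block wins
        return "block", blockers
    met = {c for c, ok in (("mfa", s.mfa_done),
                           ("compliantDevice", s.compliant_device)) if ok}
    needed = set().union(*(p.require for p in matched))  # assumption: all apply
    return "grant", needed - met

# Constructed sample policies
POLICIES = [
    Policy("mfa-everyone", require=frozenset({"mfa"})),
    Policy("finance-managed-device", apps=frozenset({"finance"}),
           require=frozenset({"compliantDevice"})),
    Policy("block-high-risk", min_risk="high", block=True),
    Policy("block-untrusted-countries", outside=frozenset({"DE", "US"}), block=True),
]
```

A "grant" result with an empty set means access proceeds immediately; a non-empty set lists what the user must still complete before access is granted.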

Licensing Tiers and Costs

Microsoft Entra ID comes in three tiers:

Free is included with any Microsoft cloud subscription like Microsoft 365 or Azure. It covers the basics: multifactor authentication, unlimited single sign-on across SaaS apps, basic reporting, self-service password changes for cloud users, and the ability to manage users and groups and sync with an on-premises directory.

P1 costs $6.00 per user per month (billed annually). It adds Conditional Access, role-based access control, dynamic groups, automated user provisioning to SaaS and on-premises apps, privileged identity management, advanced security reports, session lifetime management, and cross-tenant synchronization for multi-tenant organizations.

P2 costs $9.00 per user per month (billed annually). It includes everything in P1 plus Microsoft Entra ID Protection with real-time risk detection, risk-based Conditional Access that adapts dynamically to sign-in and user risk levels, token protection, entitlement management with separation-of-duties checks, HR-driven provisioning, and machine learning-assisted access reviews.

For many small organizations, the Free tier handles basic identity needs. P1 becomes important once you need Conditional Access policies or automated provisioning. P2 is geared toward organizations that want advanced threat detection and automated risk response.

Managing External Users

Microsoft Entra External ID handles two distinct scenarios. The first is business-to-business (B2B) collaboration, where you invite partners, vendors, or contractors to access your organization’s apps. These guest users authenticate with their own organization’s credentials or a personal account (Microsoft, Google, etc.), and Entra creates a guest user object in your directory that you can manage alongside your employees, adding it to groups and assigning permissions.

A lighter-weight option called B2B direct connect creates two-way trust relationships between Microsoft Entra organizations. This powers features like Teams shared channels, where external users authenticate in their home organization and receive access tokens from yours without ever being added as guests to your directory.

The second scenario is consumer-facing. If you’re building an app where customers create accounts and sign in, you can set up an external tenant in Entra to manage those identities separately from your workforce. This includes self-service registration flows, social login options (Google, Facebook), email and password sign-up, and one-time passcodes. Conditional Access policies can enforce MFA for these customer accounts using email one-time passcodes or SMS-based verification.

Who Uses Microsoft Entra

If your organization runs Microsoft 365 or Azure, you’re already using Microsoft Entra ID, even if you still think of it as Azure AD. IT administrators manage it through the Microsoft Entra admin center (formerly the Azure AD portal). End users interact with it every time they sign in to a work app, complete an MFA prompt, or request access to a resource.

Developers building apps that need user authentication integrate with Entra ID using standard protocols like OAuth 2.0 and OpenID Connect. And security teams use it as the central control point for access policies, risk detection, and identity governance across the organization’s cloud and hybrid environment.