It has been over a year since Microsoft announced Entra ID as the successor to the Azure AD service. The new name is progressively becoming ingrained in the vocabulary of specialists and users of the Microsoft Azure cloud service. However, what lies behind the name “Microsoft Entra“? Our friends at Microsoft appreciate the rebranding of various services as part of promoting new concepts or aligning with current trends in the IT industry. In many cases the new name does not come with a revolutionary change in terms of architecture, rather it represents an evolutionary development with improved functions and additional options tailored to user interests. It may sound like upgrading to new versions of an existing product but is that the case with Entra? Let us delve into the idea of introducing the new name by comparing certain product categories or perhaps individual services. At first glance no significant changes are evident except for the name change. For instance:
Azure Active Directory -> Microsoft Entra ID
Azure AD Identity Governance -> Microsoft Entra ID Governance
Azure AD External Identities -> Microsoft Entra External ID
The transformation appears to be an elegant rebrand, seamlessly substituting the name “Azure AD” with “Microsoft Entra ID”, accompanied by a nod to the authentic source - the venerable Microsoft trademark. Furthermore, there is a noticeable alignment of the interface with that of M365 both in terms of visual aesthetics and user experience. Nevertheless, this represents only one facet of the rationale behind this transformation. I would draw attention to certain emerging categories that have become notable following the announcement of Entra.
One of my points of interest is Microsoft Entra Verified ID which is included in the Microsoft Entra ID Free license at no additional cost. It was announced in 2021 as “Azure AD Verifiable Credentials” and functions as a decentralised verifiable credentials service built on open standards. As per Microsoft's announcement, they collaborate with members of the Decentralized Identity Foundation (DIF), the W3C Credentials Community Group, and the broader identity community to establish a Verifiable Credentials Interoperability profile. This profile aims to support standards-based issuance, revocation, presentation, and wallet portability. As global trends increasingly shift towards remote and hybrid work models there is a growing need for a solution that allows organisations to seamlessly issue and authenticate digital identities. This extends beyond their own staff to encompass the digital identities of temporary workers and partner organisations. In this context the development of Microsoft Entra Verified ID evidently seeks to address contemporary challenges with a particular emphasis on:
Streamlined onboarding - leveraging an open standards platform for decentralised identity the users receive digital identity controlled by themselves granting easy and secure access to all the resources they need for success in the role they have in the organisation.
Secure access to apps and resources – through instant verification of the users’ status and credentials the access is granted with the principle of least privilege, implanting confidence in accessing workplace resources. This facilitates seamless collaboration among employees, partners, contractors, and supports business-to-business (B2B) interactions.
Self-service account recovery – empowering the users an instant control over their own digital identity, a streamlined self-service process replaces traditional support calls and security questions which reduces the service calls and approval delay.
Microsoft Entra Permissions Management. An essential category within the Identity realm that should not be overlooked. It is part of Microsoft’s acquisition of CloudKnox and was announced in early 2022 as “CloudKnox Permissions Management”. This cloud infrastructure entitlement management (CIEM) product delivers control and visibility over permissions for any identity and resource across different cloud platforms including Microsoft Azure, Amazon Web Services, and Google Cloud Platform. Microsoft Entra Permissions Management serves as a comprehensive, unified platform for overseeing permissions for all identities which empowers the organisations to identify, monitor, and mitigate permission-related risks, fostering a Zero Trust security posture through the application of the principle of least privilege across their entire digital infrastructure. It strategically addresses identity risks through a comprehensive three-phase cycle: Discover & Assess, Remediate & Manage, and Monitor & Alert.
Microsoft Entra Workload ID (previously Azure AD Workload Identities). Every day, a wide range of resources necessitating identity authentication and authorisation are accessed in our workflow. Any authentication failure poses security risks and concerns for the organisation. Hence, we require solutions that streamline the identity management process. Microsoft Entra Workload ID, adhering to the principles of securing and adapting identity access, detecting compromised workload identities, and simplifying lifecycle management offers a suite of capabilities including:
Workload identity - assign an identity to software workloads.
Conditional Access - the conditions under which a workload may access a resource.
Identity protection - detect identity risk and report to SIEM tools.
Access review - Initiate access reviews to reduce privileged role assignment risks for workload identities.
Moving forward, let us mention the actual new features of Entra. Microsoft decided to include with the Entra product family network access and identity controls in a unified approach to protect the resources instead of breakout modules for each separate service. It is called Global Secure Access and includes Microsoft Entra Internet Access and Microsoft Entra Private Access.
Microsoft Entra Internet Access. Functioning as an Identity-oriented Secure Web Gateway for SaaS apps and internet traffic, it protects identities from threats and non-compliant internet content, thereby expanding Conditional Access to include network conditions. Furthermore, the M365 Internet Access component (in preview) provides protection against data leakage to other accounts or tenants. This includes a heightened precision in risk assessment based on user, location, and device, as well as features such as anonymous access and real-time threat detection.
Another enhancement within the Entra network framework is Microsoft Entra Private Access. This feature enables users to securely connect to corporate resources (on-premises and in the cloud) with the ability to enforce additional layers of security controls, such as Multifactor Authentication (MFA), device compliance checks, etc. Moreover, there are no constraints based on the user's location or the hosting location of the application - be it on-premises or in the public cloud.
Microsoft Entra Internet Access and Microsoft Entra Private Access both represent a significant advancement in the convergence of identity and network security. This progression has the potential to position Entra as a qualitatively distinct service when compared to Azure AD.
Speaking of the Entra family, let us highlight another product - Microsoft Entra ID for customers. Like Azure AD B2C it serves as a customer identity access management (CIAM) solution. However, what sets this new product apart beyond the rebranding? According to Microsoft: “There are no requirements for Azure AD B2C customers to migrate at this time and no plans to discontinue the current Azure AD B2C service”. The question arises: why maintain two seemingly identical products? Without getting into the deep technical details, it is apparent that Entra External ID simplifies the user experience. Unlike Azure AD B2C, it avoids Custom Policies and multiple authorities. The user flow is based on client ID with a single authority and no need for the configuration of XML elements. Microsoft provides users with the choice to streamline configuration without compromising preferences or previous implementations. This approach suggests a smooth transition rather than a sweeping overhaul.
What about licensing? Another important aspect of this rebranding strategy, besides the new features and capabilities, is the cost. It is clear that Microsoft is gearing towards bigger Entra profits. Thus, some of the old features remain with the same price tag, but others have their own licence plans. Here is a high-level comparison between Azure AD and Entra plans:
Azure AD | Microsoft Entra |
|---|---|
Azure Active Directory Free | Microsoft Entra ID Free |
Azure Active Directory Premium P1 | Microsoft Entra ID P1 |
Azure Active Directory Premium P2 | Microsoft Entra ID P2 |
Microsoft Entra ID Governance | |
Microsoft Entra Permissions Management | |
Microsoft Entra Workload ID |
The three new Entra plans are for features which were included previously with Azure AD P2 (or were in Preview), now they have their own price tag. We think that the same will happen with Global Secure Access and Entra Verified ID, essentially placing each Entra service in its own service plan.
Conclusion
Whether Microsoft Entra is merely a straightforward rebranding of Azure AD or signifies a call for a comprehensive service overhaul, the practical impact on users is minimal considering the preview features and the commitment to introducing new ones. A more compelling subject lies in the anticipated trajectory of the service development, given the substantial commitment to enhancing security capabilities through integrated control across diverse resources and layers. We will continue keeping an eye for new features and services of Microsoft Entra which already became an independent product family, distinct from the shadow of Azure AD.