What is Microsoft Entra ID?
Microsoft Entra ID (formerly Microsoft Entra ID (formerly Azure AD)) is Microsoft's cloud-based identity and access management service. Learn what it does, how it differs from on-premises AD, and key security concepts.
What is Microsoft Entra ID?
Definition
Microsoft Entra ID (formerly Azure Active Directory / Microsoft Entra ID) is Microsoft's cloud-based identity and access management (IAM) service. It provides authentication and authorization for Microsoft 365, Microsoft Azure, thousands of SaaS applications, and any application integrated via OAuth 2.0, OpenID Connect, or SAML.
Entra ID is the identity backbone of the Microsoft cloud and the most widely used cloud identity provider in the enterprise.
In simple terms:
Entra ID is what authenticates your users to Microsoft 365, Azure, and SaaS — and what attackers target to take over your cloud.
Why Entra ID Matters
- Authenticates over 600 million users across Microsoft 365, Azure, and SaaS.
- The single sign-on hub for most enterprises.
- Compromise gives attackers access to email, files, code, and cloud infrastructure simultaneously.
- In hybrid environments, often connected to on-premises Active Directory via Entra Connect — making compromise bidirectional.
Entra ID vs On-Prem Active Directory
| Aspect | Entra ID | Active Directory |
|---|---|---|
| Deployment | SaaS | On-premises |
| Protocols | OAuth, OIDC, SAML, WS-Fed | Kerberos, NTLM, LDAP |
| Objects | Users, Groups, Apps, Service Principals | Users, Computers, Groups, GPOs |
| Group Policy | No (use Intune for policy) | Yes |
| Schema | Fixed by Microsoft | Extensible |
| Trusts | B2B/B2C federation | Domain/forest trusts |
| Highest privilege | Global Administrator | Enterprise/Domain Admin |
They are different products with different security models, often connected via Entra Connect (sync) or Cloud Kerberos Trust (auth).
Core Components
Identity Objects
- Users — cloud-only, synced from AD, or guest (B2B).
- Groups — security groups, Microsoft 365 groups, dynamic groups.
- Devices — registered, joined, hybrid joined.
- Applications — App Registrations and Enterprise Applications.
- Service Principals — application identities in your tenant.
- Managed Identities — Azure-managed service principals for Azure resources.
Authentication
- Modern auth (OAuth 2.0 / OIDC) — primary.
- SAML — legacy SSO.
- WS-Federation — legacy.
- MFA — push, phone, FIDO2 / passkeys, Authenticator app.
- Passwordless — Windows Hello, FIDO2, Authenticator passkey.
Authorization
- Entra ID Roles — directory and service roles (Global Admin, User Admin, etc.).
- Azure RBAC — separate model for Azure resource management.
- Application permissions — delegated and application scopes.
- Conditional Access — policy engine evaluating context.
Governance and Protection
- Privileged Identity Management (PIM) — JIT role activation.
- Entra ID Governance — access reviews, lifecycle workflows, access packages.
- Identity Protection — risk-based detections (risky user, risky sign-in).
- B2B / B2C — collaboration and customer identity.
Authentication Flows
Interactive Logon
- User opens app, redirected to
login.microsoftonline.com. - Enters credentials, completes MFA, satisfies Conditional Access.
- Gets ID token + access token + refresh token.
- App accepts token; access continues per token lifetime.
Token Lifetime and CAEP
- Access tokens default ~1 hour.
- Refresh tokens longer-lived (up to 90 days).
- Continuous Access Evaluation (CAEP) can revoke tokens within minutes after risk events.
Common Entra ID Risks
- Global Administrator overuse — too many standing GAs.
- OAuth consent abuse — malicious apps requesting tenant-wide scopes.
- App Registration secrets / certificates with long lifetimes.
- Risky service principals with high privileges.
- Conditional Access gaps — legacy auth, break-glass, untouched users.
- Federation trust issues — Golden SAML, weak federation hardening.
- Hybrid sync compromise — Entra Connect server / MSOL_ account abuse.
- Guest user sprawl — long-forgotten B2B accounts.
- Risky users without action — Identity Protection signals ignored.
Real-World Examples
1. Midnight Blizzard (APT29) Targeting Microsoft (2024)
Initial password spray against a legacy non-MFA account. Pivoted via OAuth permissions to compromise executive mailboxes — a textbook Entra ID attack chain.
2. SolarWinds Golden SAML
After compromising on-premises AD/ADFS, attackers forged SAML tokens to authenticate into Entra ID as any user without triggering MFA — bypassing cloud authentication entirely.
3. Storm-0558
State-aligned attackers stole an Entra ID signing key and forged tokens to access Microsoft 365 mailboxes.
4. Application Consent Phishing
A user is tricked into consenting to a malicious OAuth app with Mail.ReadWrite.All and Files.Read.All. Attacker reads mailbox and files persistently — even after password reset.
Entra ID Best Practices
Privilege
- Minimize Global Admin membership (Microsoft recommends fewer than 5 standing GAs).
- Use PIM for JIT role activation.
- Use least-privileged roles instead of Global Admin (e.g., User Admin, Application Admin) when possible.
- Break-glass accounts with hardware MFA, monitored on every use.
Authentication
- Enforce phishing-resistant MFA (FIDO2 / passkeys) for all admins.
- Block legacy authentication (POP, IMAP, basic auth).
- Enable Conditional Access based on user, device, location, app, risk.
- Enable CAEP for fast token revocation.
Apps and Consent
- Disable user consent to high-risk scopes; require admin consent.
- Inventory all enterprise apps quarterly.
- Rotate secrets / use certificates for confidential clients.
- Use Managed Identities for Azure workloads instead of secrets.
Identity Protection
- Act on risky user / risky sign-in signals automatically.
- Force password reset on confirmed compromise.
- Block high-risk sign-ins via Conditional Access.
Governance
- Use Access Packages for collaborative scenarios.
- Quarterly access reviews on privileged roles, groups, guests.
- Lifecycle workflows to deprovision automatically.
Hybrid
- Treat Entra Connect as Tier 0.
- Vault and protect MSOL_ accounts.
- Audit synced privileged accounts.
Detection
- Log all sign-ins, role changes, OAuth consent, app updates to SIEM.
- Detect OAuth abuse, federation changes, anomalous role activations.
- Use Identity Protection + Microsoft Defender for Identity integrations.
Entra ID Security Checklist
- Global Admin membership minimized?
- PIM enabled for all admin roles?
- Break-glass accounts hardened and monitored?
- Phishing-resistant MFA enforced for admins?
- Legacy auth blocked?
- Conditional Access covers all users and sensitive apps?
- User consent disabled for high-risk scopes?
- Enterprise apps and consent reviewed quarterly?
- Managed Identities used for Azure workloads?
- Identity Protection signals actioned?
- Access reviews scheduled and enforced?
- Lifecycle workflows automate deprovisioning?
- Entra Connect treated as Tier 0?
- Identity logs in SIEM with detections?
How Forestall Helps
Forestall integrates with Entra ID to surface:
- Identities with effective Global Admin reach (via roles, app permissions, group nesting).
- Risky service principals and OAuth apps.
- Conditional Access gaps and exemptions.
- Federation and hybrid sync risks.
- Attack paths from any user → Global Admin or privileged data.
Frequently Asked Questions
Is Entra ID the same as Microsoft Entra ID?
Yes — Microsoft renamed Microsoft Entra ID to Microsoft Entra ID in 2023. Same service, new branding.
Do I still need on-premises AD?
For most enterprises with Windows endpoints, yes — though many are reducing AD reliance with Entra Join + Intune.
What's the highest-impact Entra ID control?
Phishing-resistant MFA + minimal standing Global Admins + Conditional Access. These three together close most common compromise paths.
What replaces Group Policy in Entra-only environments?
Microsoft Intune (MDM) for device configuration and policy.
How dangerous is OAuth consent phishing?
Very. It bypasses MFA and persists across password resets. Disable user consent to high-risk scopes.
Conclusion
Microsoft Entra ID is the identity backbone of the Microsoft cloud and a top-priority target for modern attackers. Hardening it is a different exercise than hardening AD — different protocols, different roles, different risks — but the discipline is the same: minimize standing privilege, enforce strong authentication, govern apps and consent, monitor identity signals, and continuously map the paths attackers could take. Done well, Entra ID becomes a hardened front door rather than a cloud-wide single point of failure.
Map every privileged path in your Entra ID tenant.
Forestall surfaces Entra ID risks across roles, apps, and consent — and the paths to Global Admin.