| Category | Feature | Availability |
| --- | --- | --- |
| Authentication, single sign-on, and MFA | Cloud authentication (Pass-through authentication, password hash synchronization) | ✅ |
| | Federated authentication (Active Directory Federation Services or federation with other identity providers) | ✅ |
| | Single sign-on (SSO) unlimited | ✅ |
| | Multifactor authentication (MFA) | ✅ |
| | Passwordless (Windows Hello for Business, Microsoft Authenticator, FIDO2 security key integrations) | ✅ |
| | Certificate-based authentication | ✅ |
| | Service-level agreement | ✅ |
| Applications access | SaaS apps with modern authentication (Microsoft Entra application gallery apps, SAML, and OAUTH 2.0) | ✅ |
| | Group assignment to applications | ✅ |
| | Cloud app discovery (Microsoft Defender for Cloud Apps) | ✅ |
| | Application Proxy for on-premises, header-based, and Integrated Windows Authentication | ✅ |
| | Secure hybrid access partnerships (Kerberos, NTLM, LDAP, RDP, and SSH authentication) | ✅ |
| Authorization and Conditional Access | Role-based access control (RBAC) | ✅ |
| | Conditional Access | ✅ |
| | SharePoint limited access | ✅ |
| | Session lifetime management | ✅ |
| | ID Protection (vulnerabilities and risky accounts) | See Microsoft Entra ID Protection below. |
| | ID Protection (risk events investigation, SIEM connectivity) | See Microsoft Entra ID Protection below. |
| Administration and hybrid identity | User and group management | ✅ |
| | Advanced group management (Dynamic groups, naming policies, expiration, default classification) | ✅ |
| | Directory synchronization—Microsoft Entra Connect (sync and cloud sync) | ✅ |
| | Microsoft Entra Connect Health reporting | ✅ |
| | Delegated administration—built-in roles | ✅ |
| | Global password protection and management – cloud-only users | ✅ |
| | Global password protection and management – custom banned passwords, users synchronized from on-premises Active Directory | ✅ |
| | Microsoft Identity Manager user client access license (CAL) | ✅ |
| End-user self-service | Application launch portal (My Apps) | ✅ |
| | User application collections in My Apps | ✅ |
| | Self-service account management portal (My Account) | ✅ |
| | Self-service password change for cloud users | ✅ |
| | Self-service password reset/change/unlock with on-premises write-back | ✅ |
| | Self-service sign-in activity search and reporting | ✅ |
| | Self-service group management (My Groups) | ✅ |
| | Self-service entitlement management (My Access) | ✅ |
| Identity governance | Automated user provisioning to apps | ✅ |
| | Automated group provisioning to apps | ✅ |
| | HR-driven provisioning | Partial. See HR-provisioning apps. |
| | Terms of use attestation | ✅ |
| | Access certifications and reviews | ✅ |
| | Entitlement management | ✅ |
| | Privileged Identity Management (PIM), just-in-time access | ✅ |
| | Lifecycle workflows (LCW) | ✅ |
| Event logging and reporting | Basic security and usage reports | ✅ |
| | Advanced security and usage reports | ✅ |
| | ID Protection: vulnerabilities and risky accounts | ✅ |
| | ID Protection: risk events investigation, SIEM connectivity | ✅ |
| Frontline workers | SMS sign-in | ✅ |
| | Shared device sign-out | Enterprise state roaming for Windows 10 devices isn't available. |
| | Delegated user management portal (My Staff) | ❌ |