Microsoft Entra service description
Microsoft Entra ID is Microsoft’s cloud-based identity and access management solution, which helps your employees and guest users sign in securely and access resources such as Microsoft apps (for example, Microsoft 365 and Azure), thousands of pre-integrated popular SaaS apps (for example, ServiceNow, Google apps), and any custom-built cloud or on-premises web apps. It offers security capabilities like single sign-on, multifactor authentication, Conditional Access, and lifecycle management to protect organizations against identity compromise.
Available plans
For the purposes of this article, a tenant-level service is an online service that is activated in part or in full for all users in the tenant (standalone license and/or as part of a Microsoft 365 or Office 365 plan). Though some tenant services are currently not capable of limiting benefits to specific users, appropriate subscription licenses are required for use of each online service. To review the terms and conditions governing the use of Microsoft products and Professional Services acquired through Microsoft Licensing programs, see the Product Terms.
To view how users benefit from Microsoft 365 features, download the Microsoft 365 Comparison table for Enterprise and Frontline Workers Plans or the Microsoft 365 Comparison table for Small and Medium Business Plans.
For detailed plan information on subscriptions that enable users for Microsoft 365 features and are currently available in European Economic Area (EEA) countries and Switzerland, see the Microsoft 365 business plan comparison for EEA and Microsoft 365 Enterprise plan comparison for EEA.
Feature availability
Microsoft Entra features are always evolving and expanding. Refer to our official pricing page for the latest list of features.
Microsoft Entra ID
Microsoft Entra ID is a cloud-based identity and access management service that your employees can use to access external resources. Example resources include Microsoft 365, the Azure portal, and thousands of other SaaS applications.
Microsoft Entra ID also helps them access internal resources like apps on your corporate intranet, and any cloud apps developed for your own organization. To learn how to create a tenant, see Quickstart: Create a new tenant in Microsoft Entra ID.
To learn the differences between Active Directory and Microsoft Entra ID, see Compare Active Directory to Microsoft Entra ID. You can also refer to Microsoft Cloud for Enterprise Architects Series posters to better understand the core identity services in Azure like Microsoft Entra ID and Microsoft 365.
Available plans
- Microsoft Entra ID Free. Provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps.
- Microsoft Entra ID P1. In addition to the Free features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager, and cloud write-back capabilities, which allow self-service password reset for your on-premises users.
- Microsoft Entra ID P2. In addition to the Free and P1 features, P2 also offers Microsoft Entra ID Protection to help provide risk-based Conditional Access to your apps and critical company data and Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.
Plan Availability
Feature | Microsoft 365 E3 | Microsoft 365 E5/E5 Security Add-on¹ | Office 365 E1/E3/E5, Microsoft Teams Enterprise / Teams EEA | Enterprise Mobility & Security E3 | Enterprise Mobility & Security E5 | Microsoft 365 F1/F3 | Microsoft 365 F5 Security Add-on² | Microsoft 365 F5 + Compliance Add-on | Microsoft Teams Essentials | Microsoft 365 Business Basic/Standard | Microsoft 365 Business Premium |
---|---|---|---|---|---|---|---|---|---|---|---|
Microsoft Entra ID Free | No | No | Yes | No | No | Yes | No | No | Yes | Yes | No |
Microsoft Entra ID Plan 1 | Yes | No | No | Yes | No | Yes | No | No | No | No | Yes |
Microsoft Entra ID Plan 2 | No | Yes | No | No | Yes | No | Yes | Yes | No | No | No |
Feature Availability
For feature availability information, see Microsoft Entra Plans and Pricing | Microsoft Security.
Learn more
For more information, see What is Microsoft Entra ID?
Microsoft Entra Permissions Management
Microsoft Entra Permissions Management (Permissions Management) is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities, for example, over-privileged workload and user identities, actions, and resources across multi-cloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). Permissions Management detects, automatically right-sizes, and continuously monitors unused and excessive permissions. It deepens the Zero Trust security strategy by augmenting the least privilege access principle.
For more information, check out the following resources:
- Microsoft Entra Permissions Management
- Microsoft Entra Permissions Management FAQ, for links to more resources.
Microsoft Entra ID Protection
Microsoft Entra ID Protection is a feature of the Microsoft Entra ID P2 plan that lets you protect, detect, and remediate your compromised identities. Entra ID Protection is powered by trillions of signals to detect potential vulnerabilities affecting your organization's identities. These risks are assessed via a real-time ML engine that evaluates risky users, sign-ins, and workload identities. Users can configure automated responses to detected suspicious actions that are related to your organization's identities, and secure access via policy enforcement.
How do users benefit from the service?
In today's digital landscape, IT admins and SecOps analysts face an ever-increasing volume of sophisticated cyber threats. Entra ID Protection offers a consolidated view of flagged users and risk events, powered by machine learning algorithms, providing security professionals with actionable insights. Users benefit from seamless and automatic protection through risk-based policies, ensuring a robust defense against identity threats.
Benefits
- Reduce time and resources needed to investigate and remediate security incidents.
- Reduce manual intervention from risk-based Conditional Access policies that automatically protect users.
- Reduce account compromise.
How is the service provisioned/deployed?
By default, Microsoft Entra ID Protection features are enabled at the tenant level for all users with a Microsoft Entra ID P2 or trial license enabled. For information about the free trial, see Microsoft Entra Plans and Pricing. To enable this feature, follow these steps:
- Review existing reports.
- Plan for Conditional Access risk policies: register for multifactor authentication (MFA) for self-remediation, configure named locations in Conditional Access, and add VPN ranges to Defender.
- Configure your MFA and Conditional Access policies for tracking sign-in and user risk.
- Monitor and investigate based on operational needs.
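The sign-in risk and user risk policies from the steps above, expressed as Microsoft Graph conditionalAccessPolicy bodies, together with the pre-enforcement checks a reviewer would run. This is an added example, not Microsoft's code; it assumes the Graph v1.0 policy schema, and the break-glass account id is a constructed placeholder.

```python
"""Build Graph conditionalAccessPolicy bodies for the two risk-based policies
described in the deployment steps. Added example, not Microsoft's code; assumes
the Graph v1.0 conditionalAccessPolicy schema. Break-glass id is a placeholder."""

BREAK_GLASS_ACCOUNT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder


def risk_policy(name, *, sign_in_risk=(), user_risk=(), controls,
                operator="OR", report_only=True):
    """Policy scoped to all users and apps, minus the break-glass account."""
    return {
        "displayName": name,
        # Start in report-only mode; review the sign-in log before enforcing.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": [BREAK_GLASS_ACCOUNT_ID]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": list(sign_in_risk),
            "userRiskLevels": list(user_risk),
        },
        "grantControls": {"operator": operator, "builtInControls": list(controls)},
    }


def sign_in_risk_policy():
    # Risky sign-in: the user self-remediates by passing MFA.
    return risk_policy("Require MFA for medium and high sign-in risk",
                       sign_in_risk=("medium", "high"), controls=("mfa",))


def user_risk_policy():
    # Risky user: a secure password change, itself gated by MFA (AND).
    return risk_policy("Require password change for high user risk",
                       user_risk=("high",), controls=("mfa", "passwordChange"),
                       operator="AND")


def lint_policy(policy):
    """Problems a reviewer would flag before switching a policy to enforced."""
    problems, cond, grant = [], policy["conditions"], policy["grantControls"]
    if not cond["users"].get("excludeUsers"):
        problems.append("no emergency-access account excluded")
    if not (cond["signInRiskLevels"] or cond["userRiskLevels"]):
        problems.append("no risk level set: policy would apply to every sign-in")
    if "passwordChange" in grant["builtInControls"] and grant["operator"] != "AND":
        problems.append("passwordChange must be combined with mfa using AND")
    return problems
```

Each body is what you would send to POST /identity/conditionalAccess/policies; keep the state at report-only until the sign-in log shows the expected impact.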
Availability
Customers can acquire Microsoft Entra ID Protection by acquiring Microsoft Entra ID P2 or a subscription that includes Microsoft Entra ID P2.
Learn about Microsoft Entra ID Protection. For a quick overview video of Microsoft Entra ID Protection, see this video.
Microsoft Entra ID Governance
Microsoft Entra ID Governance is an identity governance solution that enables organizations to improve productivity, strengthen security, and more easily meet compliance and regulatory requirements. You can use Microsoft Entra ID Governance to automatically ensure that the right people have the right access to the right resources, with identity and access process automation, delegation to business groups, and increased visibility. With the features included in Microsoft Entra ID Governance, along with those in related Microsoft Entra, Microsoft Security, and Microsoft Azure products, you can mitigate identity and access risks by protecting, monitoring, and auditing access to critical assets.
Specifically, Microsoft Entra ID Governance helps organizations address these four key questions, for access across services and applications both on-premises and in clouds:
- Which users should have access to which resources?
- What are those users doing with that access?
- Are there organizational controls in place for managing access?
- Can auditors verify that the controls are working effectively?
With Microsoft Entra ID Governance, you can implement the following scenarios for employees, business partners, and vendors:
- Govern the identity lifecycle
- Govern the access lifecycle
- Secure privileged access for administration
Availability
Customers can acquire Microsoft Entra ID Governance by:
- Purchasing Microsoft Entra Suite.
- Purchasing the add-on offers if they meet the prerequisites. For information on prerequisites, see Microsoft Product Terms.
For more information on licensing, visit Microsoft Entra ID Governance licensing fundamentals.
For more information on the Microsoft Entra ID Governance feature, check out the following resources:
Microsoft Entra Workload ID
A workload identity is an identity you assign to a software workload (such as an application, service, script, or container) to authenticate and access other services and resources. The terminology is inconsistent across the industry, but generally a workload identity is something you need for your software entity to authenticate with some system. For example, in order for GitHub Actions to access Azure subscriptions the action needs a workload identity which has access to those subscriptions. A workload identity could also be an AWS service role attached to an EC2 instance with read-only access to an Amazon S3 bucket.
In Microsoft Entra, workload identities are applications, service principals, and managed identities.
An application is an abstract entity, or template, defined by its application object. The application object is the global representation of your application for use across all tenants. The application object describes how tokens are issued, the resources the application needs to access, and the actions that the application can take.
A service principal is the local representation, or application instance, of a global application object in a specific tenant. An application object is used as a template to create a service principal object in every tenant where the application is used. The service principal object defines what the app can actually do in a specific tenant, who can access the app, and what resources the app can access.
A managed identity is a special type of service principal that eliminates the need for developers to manage credentials.
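The GitHub Actions case mentioned above relies on workload identity federation: instead of a stored secret, the application object carries a federated credential, and Entra exchanges the external token only when its issuer, subject and audience match that credential exactly. The following is an added illustration of that matching rule, not Microsoft's code; the repository, branch and claim values are constructed.

```python
"""Workload identity federation matching for the GitHub Actions case. Added
illustration, not Microsoft's code: mirrors the documented rule that the
external token's issuer, subject and audience must match a federated credential
on the application object exactly (no wildcards). Sample values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FederatedCredential:
    # Stored on the application object; no client secret or certificate.
    issuer: str
    subject: str
    audiences: tuple


def credential_matches(cred, claims):
    """True when the external IdP token claims satisfy this credential."""
    aud = claims.get("aud")
    aud_values = aud if isinstance(aud, list) else [aud]
    return (claims.get("iss") == cred.issuer
            and claims.get("sub") == cred.subject
            and any(a in cred.audiences for a in aud_values))


def select_credential(creds, claims):
    """First matching credential, or None (the token exchange is refused)."""
    return next((c for c in creds if credential_matches(c, claims)), None)


# Constructed: a credential trusting only the main branch of one repository.
GITHUB_MAIN = FederatedCredential(
    issuer="https://token.actions.githubusercontent.com",
    subject="repo:example-org/example-repo:ref:refs/heads/main",
    audiences=("api://AzureADTokenExchange",),
)

# Constructed claims shaped like a GitHub Actions OIDC token.
MAIN_BRANCH_TOKEN = {
    "iss": "https://token.actions.githubusercontent.com",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "aud": "api://AzureADTokenExchange",
}
# Same repository, different branch: the subject differs, so no match.
FEATURE_BRANCH_TOKEN = dict(
    MAIN_BRANCH_TOKEN, sub="repo:example-org/example-repo:ref:refs/heads/feature")
```

Scoping the subject to a branch or environment is what keeps a token minted for any other workflow in the same repository from obtaining the subscription's access.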
Feature availability
Capabilities | Description | Free | Premium |
---|---|---|---|
Authentication and authorization | |||
Create, read, update, and delete workload identities | Create and update identities for securing service to service access | Yes | Yes |
Authenticate workload identities and tokens to access resources | Use Microsoft Entra ID to protect resource access | Yes | Yes |
Workload identities sign-in activity and audit trail | Monitor and track workload identity behavior | Yes | Yes |
Managed identities | Use Microsoft Entra identities in Azure without handling credentials | Yes | Yes |
Workload identity federation | Use workloads tested by external Identity Providers (IdPs) to access Microsoft Entra protected resources | Yes | Yes |
Microsoft Entra Conditional Access | |||
Conditional Access policies for workload identities | Define the condition in which a workload can access a resource, such as an IP range | | Yes |
Lifecycle Management | |||
Access reviews for service provider-assigned privileged roles | Closely monitor workload identities with impactful permissions | | Yes |
Application authentication methods API | Allows IT admins to enforce best practices for how apps in their organizations use application authentication methods | | Yes |
App Health Recommendations | Identify unused or inactive workload identities and their risk levels. Get remediation guidelines | | Yes |
Microsoft Entra ID Protection | |||
ID Protection for workload identities | Detect and remediate compromised workload identities | | Yes |
Learn more
For more information, see What are workload identities?
Review the Frequently asked questions about Microsoft Entra Workload ID for more information and links to more resources.
Messaging
To stay informed of upcoming changes, including new and changed features, planned maintenance, or other important announcements, visit the Message center.
Licensing terms
For licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the Product Terms site.
Accessibility
Microsoft remains committed to the security of your data and the accessibility of our services. For more information, see the Microsoft Trust Center and the Office Accessibility Center.
Learn more
For more information about Microsoft Entra ID and Microsoft Entra Permissions Management, check out the following resources: