Describe the Identity and Access Management Capabilities of Microsoft 365
Entra ID provides a full suite of identity and access management capabilities, including the provisioning, role and privilege assignment, delegation, and retirement of identities. In addition to acting as an identity store, Entra ID also enables policy-based access, secure authorization, auditing, and entitlement management.
The key features of Entra ID’s access, security, and entitlement management include the following:
- Conditional Access
- Multi-factor authentication
- Role-based access control
- Privileged Identity Management
- Access reviews
These features can be used to both secure and help automate identity processes.
Introducing Entra ID
Microsoft has recently rebranded the identity and access control features of the Microsoft 365 platform from Azure Active Directory to Entra ID. The exam may reference either product name; they are interchangeable. Microsoft’s licensing tables, administration portals, documentation, and exams (as well as this book) still largely reflect the Azure AD terminology, though it will slowly be updated from Azure AD to Microsoft Entra ID. For more information on the product branding updates, see https://www.microsoft.com/en-us/security/business/microsoft-entra.
Entra ID requires licensing to activate certain advanced features. The following list describes the subscription licensing levels of Entra ID:
- Azure Active Directory Free: Available with a subscription to a commercial service, such as Dynamics, Intune, Azure, and the Power Platform. It includes on-premises directory synchronization, reports, and the ability for cloud users to reset their passwords without admin interaction.
- Office 365: Available with a subscription to an Office 365-based service (such as Exchange Online, SharePoint Online, Microsoft 365 Apps, or Teams), and includes everything in Entra ID Free, with some additional capabilities around multi-factor authentication and security defaults.
- Entra ID Premium Plan 1: Available as part of the Microsoft 365 F3 or Microsoft 365 E3 plan, or acquired as an add-on for other plans that do not include it. It includes the Entra ID Free and Office 365 features, the ability to create dynamic groups based on a user property (such as department), and Conditional Access policies that restrict access to specific services based on the sign-in properties of the user or device. It also allows on-premises synchronized users to reset their passwords in the cloud, with the new password written back to the local directory. Entra ID Premium Plan 1 was previously known as Azure AD Premium Plan 1 and is frequently written as Azure AD P1 or AADP1.
- Entra ID Premium Plan 2: Available as part of Microsoft 365 E5 or acquired as an add-on for other plans in which it is not available. It includes Entra ID P1 features, as well as the ability to structure Conditional Access policies based on the risk posed by a given user, calculated automatically against several conditions. Azure AD Premium Plan 2 also includes the Privileged Identity Management (PIM) service, which allows administrators to configure Just-in-Time access to roles and permissions when needed. Entra ID Premium Plan 2 is still largely known by its previous name, Azure AD Premium 2, and is commonly referred to as Azure AD P2 or AADP2.
- Microsoft Entra ID Governance: This new product offering includes features for lifecycle workflows, the new Verified ID features, machine-learning-assisted access reviews, and terms-of-use attestations. It is available as an add-on for both Entra ID Premium P1 and P2.
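As a worked illustration of the Conditional Access capability listed under Premium Plan 1, the following Microsoft Graph PowerShell script creates a policy that requires multi-factor authentication for every user on every cloud app. This is an added example, not code from this book or from Microsoft’s documentation. The module name, the Graph permission scopes, and the cmdlet names are real; the policy display name and the emergency-access account object ID are assumed placeholders that you would replace with your own values.

```powershell
# Added example (not from the book): create a Conditional Access policy that
# requires MFA for all users on all cloud apps, staged in report-only mode.
# Assumptions: the Microsoft.Graph PowerShell SDK is installed, the tenant is
# licensed for Entra ID P1 or higher, and $BreakGlassAccountId is replaced with
# the object ID of your emergency-access account (placeholder value below).

Import-Module Microsoft.Graph.Identity.SignIns

# Delegated scopes needed to read and create Conditional Access policies.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$BreakGlassAccountId = "00000000-0000-0000-0000-000000000000"  # placeholder

$policy = @{
    displayName = "CA001 - Require MFA for all users (report-only)"  # assumed name
    # Start in report-only so the sign-in logs show the impact before enforcement.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users = @{
            includeUsers = @("All")
            # Always exclude the emergency-access account so a misconfigured
            # policy cannot lock every administrator out of the tenant.
            excludeUsers = @($BreakGlassAccountId)
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    # "OR" with a single control means: satisfy MFA to be granted access.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only results in the sign-in logs look correct, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Two design choices matter here. The policy is created in report-only state first, so its effect is recorded in the sign-in logs without blocking anyone, and is only switched to enabled after review. The emergency-access account is excluded up front, because a Conditional Access policy scoped to all users and all apps applies to administrators too, and a mistaken grant control can otherwise lock every administrator out of the tenant.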
Now that you have a grasp of some of the features available as part of Entra ID, it’s time to talk about broader identity concepts.