Opsio - Cloud and AI Solutions

Azure AD Management: Complete Entra ID Guide

Reviewed by Opsio Engineering Team
Praveena Shenoy

Country Manager, India

AI, Manufacturing, DevOps, and Managed Services. 17+ years across Manufacturing, E-commerce, Retail, NBFC & Banking


Azure Active Directory (Azure AD), now officially called Microsoft Entra ID, is Microsoft's cloud-based identity and access management service. It helps organizations manage user identities, control access to applications, and enforce security policies across hybrid and cloud environments. Whether you are migrating from on-premises Active Directory or building a cloud-first identity strategy, this guide covers the essential steps and best practices for managing Entra ID effectively.

What Is Microsoft Entra ID (Formerly Azure AD)?

Microsoft Entra ID is a cloud identity platform that provides authentication, authorization, and directory services for organizations of all sizes. Microsoft completed the rebrand from Azure Active Directory to Microsoft Entra ID in October 2023, consolidating all identity and network access products under the Entra family.

The core capabilities include:

  • User and group management — create, organize, and manage identities for employees, partners, and customers
  • Single sign-on (SSO) — enable one-click access to thousands of SaaS applications and custom apps
  • Multi-factor authentication (MFA) — add verification layers beyond passwords to reduce breach risk
  • Conditional access policies — enforce access rules based on user location, device compliance, risk level, and application sensitivity
  • Directory synchronization — keep on-premises Active Directory and cloud identities in sync using Entra Connect
  • Application management — assign, revoke, and audit access to enterprise applications based on roles

For businesses working with a managed service provider, Entra ID often serves as the foundation for identity governance across the entire cloud environment.

Setting Up Microsoft Entra ID

A well-configured identity tenant is the foundation of secure identity management — getting the initial setup right prevents permission sprawl and security gaps later.

Initial Configuration Steps

  1. Create or access your tenant — Sign in to the Microsoft Entra admin center. Every Microsoft 365 or Azure subscription includes a default identity tenant.
  2. Verify your custom domain — Add and verify your organization's domain (e.g., yourcompany.com) by adding a DNS TXT or MX record. This ensures user principal names reflect your brand rather than the default .onmicrosoft.com domain.
  3. Configure tenant-wide settings — Set default user permissions, external collaboration settings, and self-service options under tenant settings. Restrict guest invite permissions to administrators or specific roles.
  4. Assign administrative roles — Use the principle of least privilege. Keep Global Administrator to a handful of accounts (Microsoft recommends fewer than five, two of which should be cloud-only emergency-access accounts that are excluded from conditional access and stored offline), and use scoped roles (User Administrator, Security Administrator, Application Administrator) for day-to-day tasks.
  5. Enable security defaults or conditional access — For smaller organizations, Microsoft's security defaults enforce MFA for all users and block legacy authentication at no extra cost. Larger organizations (or any tenant with a P1 license) should build custom conditional access policies for granular control. The two are mutually exclusive: turn security defaults off before the first conditional access policy is enforced, and stage new policies in report-only mode so a mistake does not lock the administrators out.

Customizing User and Group Settings

Proper user and group configuration reduces administrative overhead and ensures consistent access across the organization.

Start with these settings:

  • Group-based licensing — Assign Microsoft 365 and Azure licenses to security groups rather than individual users. When a user joins a group, they automatically receive the correct licenses.
  • Dynamic groups — Define rules that automatically adjust membership based on user attributes like department, job title, or location. For example, a rule like user.department -eq "Engineering" keeps the group membership current without manual updates.
  • Self-service password reset (SSPR) — Enable SSPR to reduce helpdesk ticket volume. Microsoft reports that SSPR can reduce password-related support calls by up to 75%.
  • User attributes and profile settings — Populate department, job title, manager, and office location fields. These attributes power dynamic groups, conditional access, and organizational reporting.
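The dynamic-group rule and group-based licensing described above, as an added example in Microsoft Graph PowerShell (this is not code from the original article). It assumes the Microsoft Graph PowerShell SDK is installed, the signed-in admin can consent to the listed scopes, the SKU part number SPE_E3 (Microsoft 365 E3) exists in the tenant, and the group name, mail nickname and department value are illustrative.

```powershell
# Added example, not from the original article. Assumptions: Microsoft Graph PowerShell SDK
# installed; scopes below consented; SPE_E3 (Microsoft 365 E3) present in the tenant;
# group name, mail nickname and department value are illustrative.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Organization.Read.All", "User.Read.All"

# 1. Dynamic security group. Entra re-evaluates the rule whenever a user attribute changes,
#    so the HR feed (not an admin) drives membership. Testing accountEnabled as well means
#    disabled leavers drop out of the licensed group automatically.
$rule = 'user.department -eq "Engineering" -and user.accountEnabled -eq true'

$group = New-MgGroup -DisplayName "SG-Engineering-M365-Users" `
    -Description "Dynamic: all enabled Engineering staff (group-based licensing)" `
    -MailEnabled:$false -MailNickname "sg-engineering-m365-users" `
    -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# 2. Group-based licensing. Resolve the SKU by its stable part number rather than a GUID.
$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq "SPE_E3"
if (-not $sku) { throw "SKU SPE_E3 not found in this tenant; adjust the part number." }

Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = @() }) `
    -RemoveLicenses @()

# 3. Verify. Membership evaluation is asynchronous; members appear once the rule has run.
#    Licenses are only assigned to members that have usageLocation set, so flag the rest.
$state = (Get-MgGroup -GroupId $group.Id -Property "membershipRuleProcessingState").MembershipRuleProcessingState
"Group {0} created, rule processing: {1}" -f $group.Id, $state

Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property "userPrincipalName", "usageLocation" } |
    Where-Object { -not $_.UsageLocation } |
    ForEach-Object { "WARNING: {0} has no usageLocation; license assignment will fail for this user" -f $_.UserPrincipalName }
```

The usageLocation check is the part that bites in practice: group-based licensing reports a per-user error rather than failing the whole group, so a user with an empty usage location silently ends up unlicensed.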

Managing Users and Groups at Scale

Effective identity management becomes critical as organizations grow — manual account provisioning does not scale beyond a few dozen users.

User Lifecycle Management

Manage the full user lifecycle from onboarding to offboarding:

  1. Automated provisioning — Use identity governance features or HR-driven provisioning to automatically create and update accounts when employees join, move between departments, or leave.
  2. Bulk operations — For migrations or large changes, use the Microsoft Entra admin center's bulk upload feature or Microsoft Graph API to create, update, or delete multiple accounts in a single operation.
  3. Access reviews — Schedule quarterly access reviews to ensure users still need the permissions they have. Identity Governance can automatically revoke access when reviews are not completed.
  4. Offboarding — When employees leave, disable the account immediately, revoke all active sessions, and convert the mailbox to shared (if using Exchange Online). Delete the account after the retention period expires.
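The offboarding step above, carried out end to end with the Microsoft Graph PowerShell SDK and Exchange Online PowerShell, as an added example (not code from the original article). It assumes both modules are installed, the caller holds the scopes listed and Exchange admin rights, and the UPN at the bottom is illustrative.

```powershell
# Added example, not from the original article. Assumptions: Microsoft Graph PowerShell SDK
# and ExchangeOnlineManagement modules installed; caller holds the scopes below plus
# Exchange admin rights; the UPN used at the bottom is illustrative.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Directory.Read.All"

function Invoke-LeaverOffboarding {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [switch] $ConvertMailboxToShared
    )

    $user = Get-MgUser -UserId $UserPrincipalName -Property "id", "userPrincipalName", "accountEnabled"

    # 1. Block sign-in first. No new tokens can be issued from this point on.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false

    # 2. Revoke refresh tokens and browser sessions. Access tokens already in hand stay valid
    #    until they expire (up to about an hour unless continuous access evaluation cuts them
    #    short), which is why step 1 comes before anything else.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # 3. Strip group and directory-role memberships so the account carries no standing access
    #    while it sits in the retention window. Dynamic groups cannot be edited here; the
    #    accountEnabled=false change removes the user from rules that test that attribute.
    $removedGroups = 0; $removedRoles = 0
    foreach ($m in Get-MgUserMemberOf -UserId $user.Id -All) {
        switch ($m.AdditionalProperties['@odata.type']) {
            '#microsoft.graph.group' {
                if ($m.AdditionalProperties['groupTypes'] -notcontains 'DynamicMembership') {
                    Remove-MgGroupMemberByRef -GroupId $m.Id -DirectoryObjectId $user.Id
                    $removedGroups++
                }
            }
            '#microsoft.graph.directoryRole' {
                Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $m.Id -DirectoryObjectId $user.Id
                $removedRoles++
            }
        }
    }
    # PIM eligible assignments are not returned by memberOf; review them separately.

    # 4. Keep the mailbox reachable for the team without a sign-in-capable user.
    if ($ConvertMailboxToShared) {
        Connect-ExchangeOnline -ShowBanner:$false
        Set-Mailbox -Identity $UserPrincipalName -Type Shared
    }

    # 5. Deletion is deliberately NOT part of this run. Remove-MgUser belongs to a separate job
    #    that fires when the retention period expires (soft-deleted users are recoverable for 30 days).
    [pscustomobject]@{
        User            = $user.UserPrincipalName
        SignInDisabled  = $true
        SessionsRevoked = $true
        GroupsRemoved   = $removedGroups
        RolesRemoved    = $removedRoles
        MailboxShared   = [bool]$ConvertMailboxToShared
    }
}

Invoke-LeaverOffboarding -UserPrincipalName "jdoe@contoso.com" -ConvertMailboxToShared
```

Keep the license on the account until the mailbox conversion has completed, and note that a shared mailbox over 50 GB or with an online archive still needs a license of its own.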

Group Policies and Role-Based Access

Groups are the primary mechanism for managing access permissions — assign access to groups, not individuals.

Best practices for group management:

  • Use a naming convention (e.g., SG-Department-AppName-Role) to keep groups discoverable and auditable
  • Apply conditional access policies to groups rather than individual users for consistent enforcement
  • Use Privileged Identity Management (PIM) for just-in-time role activation, reducing standing privileges
  • Regularly audit group memberships using access reviews or Microsoft Graph reports to detect stale or over-provisioned access

Strengthening Security with Entra ID

Identity is the new security perimeter. Microsoft's 2024 Digital Defense Report counts more than 600 million identity attacks per day against its customers, which makes identity protection one of the highest-return security investments an organization can make.

Multi-Factor Authentication Setup

MFA is the single most effective control against account compromise. To implement it in Entra ID:

  1. Choose authentication methods — Prioritize phishing-resistant methods: FIDO2 security keys, passkeys (including device-bound passkeys in Microsoft Authenticator), Windows Hello for Business, or certificate-based authentication. Microsoft Authenticator push notifications with number matching are a solid second tier but remain phishable by a real-time relay. Avoid SMS and voice MFA where possible because of SIM-swap and interception risk.
  2. Create conditional access policies — Require MFA for all users accessing cloud applications. Apply stricter rules for admin roles, sensitive data access, or unfamiliar sign-in locations.
  3. Configure combined registration — Enable the combined security information registration experience so users can set up MFA and SSPR in a single flow.
  4. Monitor MFA adoption — Use the Authentication methods activity report in the Entra admin center to track registration rates and identify users who have not yet enrolled.
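The conditional access policies from steps 1 and 2 above, deployed with the Microsoft Graph PowerShell SDK, as an added example (not code from the original article). It assumes the SDK is installed, the caller holds the scopes listed, security defaults are already turned off, and "SG-BreakGlass-Accounts" is an illustrative group holding the emergency-access accounts. The role template IDs and the authentication-strength ID are Microsoft's tenant-independent built-in values.

```powershell
# Added example, not from the original article. Assumptions: Microsoft Graph PowerShell SDK
# installed; scopes below consented; security defaults already off (they cannot coexist with
# conditional access); "SG-BreakGlass-Accounts" is an illustrative group name.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

$breakGlass = Get-MgGroup -Filter "displayName eq 'SG-BreakGlass-Accounts'"
if (-not $breakGlass) { throw "Create the break-glass group before deploying policies that could lock admins out." }

# Policy 1: MFA for everyone, every cloud app. Start in report-only, read the "Report-only"
# tab of the sign-in logs for a week, then flip state to "enabled".
$allUsersMfa = @{
    displayName = "CA001 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: privileged roles must satisfy the built-in "Phishing-resistant MFA" authentication
# strength (00000000-0000-0000-0000-000000000004). Role template IDs are the same in every tenant.
$privilegedRoles = @(
    "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814",  # Privileged Role Administrator
    "194ae4cb-b126-40b2-bd5b-6091b380977d"   # Security Administrator
)
$adminStrong = @{
    displayName = "CA002 - Phishing-resistant MFA for privileged roles"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeRoles = $privilegedRoles; excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}

foreach ($p in @($allUsersMfa, $adminStrong)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0}  state={1}  id={2}" -f $created.DisplayName, $created.State, $created.Id
}
```

Before enabling CA002, confirm every holder of those roles has actually registered a phishing-resistant method; the Authentication methods activity report from step 4 tells you who has not.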

Threat Monitoring and Response

Identity Protection uses machine learning to detect and respond to identity-based threats in real time.

Key monitoring capabilities:

  • Risk-based conditional access — Automatically require MFA or block access when a risky sign-in is detected (e.g., impossible travel, anonymous IP, unfamiliar sign-in properties)
  • Microsoft Sentinel integration — Forward sign-in and audit logs to Microsoft Sentinel for correlation with other security signals and automated incident response
  • Sign-in and audit logs — Review logs for failed login patterns, unusual application consent grants, and administrative changes. Set up alerts for high-severity events like Global Administrator role assignments
  • Identity Secure Score — Track your identity security posture using the Identity Secure Score dashboard, which provides prioritized recommendations
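One way to implement the "alert on Global Administrator role assignment" check from the audit-log bullet above, as an added example (not code from the original article). The function evaluates directory audit entries and returns only grants of the roles you care about; the two sample entries are constructed here to mimic the shape Get-MgAuditLogDirectoryAudit returns and are not real log data. The live call at the bottom assumes the AuditLog.Read.All scope and the Microsoft Graph PowerShell SDK.

```powershell
# Added example, not from the original article. The sample entries below are constructed
# (shape only, not real audit data). Live use assumes AuditLog.Read.All and the Graph SDK.

# Roles whose assignment should page someone rather than land in a weekly report.
$PrivilegedRoles = @(
    "Global Administrator", "Privileged Role Administrator", "Privileged Authentication Administrator",
    "Security Administrator", "Exchange Administrator", "Application Administrator"
)

function Find-PrivilegedRoleGrant {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,
        [string[]] $WatchRoles = $PrivilegedRoles
    )
    # Direct assignment plus the PIM eligibility/activation activity names.
    $grantActivities = @("Add member to role", "Add eligible member to role", "Add member to role completed (PIM activation)")

    foreach ($e in $Entries) {
        if ($grantActivities -notcontains $e.ActivityDisplayName) { continue }
        foreach ($t in $e.TargetResources) {
            # The role name arrives JSON-encoded in NewValue, e.g. "\"Global Administrator\"".
            $roleProp = $t.ModifiedProperties | Where-Object DisplayName -eq "Role.DisplayName" | Select-Object -First 1
            if (-not $roleProp) { continue }
            $role = $roleProp.NewValue.Trim('"')
            if ($WatchRoles -contains $role) {
                [pscustomobject]@{
                    When     = $e.ActivityDateTime
                    Activity = $e.ActivityDisplayName
                    Actor    = $e.InitiatedBy.User.UserPrincipalName
                    Target   = $t.UserPrincipalName
                    Role     = $role
                    Result   = $e.Result
                }
            }
        }
    }
}

# --- Constructed sample entries (shape only) ---
$sample = @(
    [pscustomobject]@{
        ActivityDisplayName = "Add member to role"; ActivityDateTime = [datetime]"2024-05-01T10:15:00Z"; Result = "success"
        InitiatedBy     = [pscustomobject]@{ User = [pscustomobject]@{ UserPrincipalName = "admin@contoso.com" } }
        TargetResources = @([pscustomobject]@{
            UserPrincipalName  = "newhire@contoso.com"
            ModifiedProperties = @([pscustomobject]@{ DisplayName = "Role.DisplayName"; NewValue = '"Global Administrator"'; OldValue = "" })
        })
    },
    [pscustomobject]@{
        ActivityDisplayName = "Add member to role"; ActivityDateTime = [datetime]"2024-05-01T10:20:00Z"; Result = "success"
        InitiatedBy     = [pscustomobject]@{ User = [pscustomobject]@{ UserPrincipalName = "admin@contoso.com" } }
        TargetResources = @([pscustomobject]@{
            UserPrincipalName  = "helpdesk@contoso.com"
            ModifiedProperties = @([pscustomobject]@{ DisplayName = "Role.DisplayName"; NewValue = '"Helpdesk Administrator"'; OldValue = "" })
        })
    }
)
Find-PrivilegedRoleGrant -Entries $sample   # only the Global Administrator grant is returned

# Live run against the tenant for the last 24 hours (server-side filter keeps the pull small):
# Connect-MgGraph -Scopes "AuditLog.Read.All"
# $since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("o")
# $live  = Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'RoleManagement' and activityDateTime ge $since"
# Find-PrivilegedRoleGrant -Entries $live
```

Run this on a schedule only as a backstop; the same logic belongs in Microsoft Sentinel as an analytics rule over the AuditLogs table so the alert fires within minutes rather than at the next polling interval.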

Integrating Applications with Entra ID

Application integration delivers the most visible user experience improvement — SSO eliminates password fatigue and reduces credential-related security incidents.

Single Sign-On Configuration

The platform supports SSO for over 5,000 pre-integrated SaaS applications and custom applications using standard federation protocols:

  • SAML 2.0 — The most common protocol for enterprise SaaS integrations (e.g., Salesforce, ServiceNow, AWS Console)
  • OpenID Connect / OAuth 2.0 — Preferred for modern web and mobile applications
  • Password-based SSO — For legacy applications that do not support federated authentication
  • Application Proxy — Publish on-premises web applications externally without opening inbound firewall ports

To add an application: navigate to Enterprise Applications in the admin center, select "New application," search the gallery, configure SSO, and assign users or groups.

Managing Application Permissions

Controlling application access to organizational data is essential for preventing data leakage and shadow IT.

  • Consent framework — Configure whether users can grant consent to application permissions themselves or whether admin consent is required. For sensitive permissions (e.g., reading all users' mailboxes), always require admin consent.
  • App roles — Define granular roles within applications and assign them to users or groups to control feature-level access
  • Permission classification — Classify permissions as low, medium, or high impact. Allow user self-service consent only for low-impact permissions.
  • Regular permission audits — Review the Enterprise Applications blade quarterly to identify apps with excessive permissions or low usage, and revoke access where appropriate
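The consent framework, permission classification and permission audit bullets above, implemented with the Microsoft Graph PowerShell SDK, as an added example (not code from the original article). It assumes the SDK is installed, the caller holds the scopes listed, and the "high impact" scope list is a starting point you tune to your tenant, not a Microsoft-defined standard.

```powershell
# Added example, not from the original article. Assumptions: Microsoft Graph PowerShell SDK
# installed; scopes below consented; the $highImpact list is a starting point, not a standard.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All", "Directory.Read.All"

# 1. Users may self-consent only to delegated permissions an admin has classified low-impact
#    (built-in policy microsoft-user-default-low). Everything else goes to admin consent, so
#    enable the admin consent request workflow or requests will be silently dropped.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    permissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}

# 2. Classify sign-in-only permissions as low impact. Classifications hang off the resource's
#    service principal; 00000003-0000-0000-c000-000000000000 is Microsoft Graph's well-known appId.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
foreach ($name in @("User.Read", "openid", "profile", "email", "offline_access")) {
    $scope = $graphSp.Oauth2PermissionScopes | Where-Object Value -eq $name
    if ($scope) {
        New-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graphSp.Id `
            -PermissionId $scope.Id -PermissionName $scope.Value -Classification "low" | Out-Null
    }
}

# 3. Audit existing delegated grants for high-impact scopes. ConsentType "AllPrincipals" means an
#    admin granted it tenant-wide; "Principal" means one user granted it to themselves.
$highImpact = @("Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite", "Contacts.ReadWrite",
                "Files.ReadWrite.All", "Sites.ReadWrite.All", "Directory.ReadWrite.All")
$spNames = @{}
Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $g = $_
    $risky = ($g.Scope -split ' ') | Where-Object { $highImpact -contains $_ }
    if ($risky) {
        if (-not $spNames.ContainsKey($g.ClientId)) {
            $spNames[$g.ClientId] = (Get-MgServicePrincipal -ServicePrincipalId $g.ClientId).DisplayName
        }
        [pscustomobject]@{
            App         = $spNames[$g.ClientId]
            ClientId    = $g.ClientId
            ConsentType = $g.ConsentType
            Principal   = if ($g.ConsentType -eq "Principal") { $g.PrincipalId } else { "(all users)" }
            RiskyScopes = ($risky -join ' ')
            GrantId     = $g.Id   # revoke with: Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
        }
    }
} | Sort-Object ConsentType, App | Format-Table -AutoSize
```

This covers delegated (on-behalf-of-a-user) permissions only. Application permissions, which let a service principal act without any signed-in user, live on app role assignments (Get-MgServicePrincipalAppRoleAssignment) and deserve the same review, since a tenant-wide Mail.Read app role is the classic post-compromise persistence mechanism.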

Azure AD vs. Microsoft Entra ID: What Changed

The rebrand changed the product name and admin portal location, but the underlying technology and APIs remain the same.

Aspect              Before (Azure AD)                After (Microsoft Entra ID)
Product name        Azure Active Directory           Microsoft Entra ID
Admin portal        Azure Portal > Azure AD blade    entra.microsoft.com
API                 Microsoft Graph                  Microsoft Graph (no change)
License tiers       Azure AD Free, P1, P2            Microsoft Entra ID Free, P1, P2
PowerShell module   AzureAD module (deprecated)      Microsoft Graph PowerShell SDK
Sign-in URLs        login.microsoftonline.com        login.microsoftonline.com (unchanged)

All existing configurations, policies, and app registrations continue to work without modification. The primary change for administrators is adopting the new admin center and migrating scripts from the deprecated AzureAD PowerShell module to the Microsoft Graph PowerShell SDK.

Frequently Asked Questions

Is Azure Active Directory the same as Microsoft Entra ID?

Yes. Microsoft renamed Azure Active Directory to Microsoft Entra ID in October 2023. The service, features, licensing tiers, and APIs remain identical — only the branding and admin portal URL changed.

What is the difference between on-premises Active Directory and Entra ID?

On-premises Active Directory (AD DS) manages identities within your local network using protocols like Kerberos and LDAP. Microsoft Entra ID is a cloud service that uses modern protocols (SAML, OAuth, OpenID Connect) and is designed for SaaS applications and internet-facing resources. Most organizations use Entra Connect to keep identities synchronized.

How much does Microsoft Entra ID cost?

The free tier is included with any Microsoft cloud subscription and already covers basic self-service password reset for cloud-only users and MFA through security defaults. The P1 tier (included with Microsoft 365 E3) adds conditional access, dynamic groups, and SSPR with on-premises password writeback. P2 (included with Microsoft 365 E5) adds Identity Protection, Privileged Identity Management, and access reviews. P1 lists at approximately $6/user/month and P2 at approximately $9/user/month; check current pricing, as it changes.

Can Entra ID replace on-premises Active Directory entirely?

For cloud-first organizations, yes. If all applications are SaaS or cloud-hosted and devices are managed through Intune, on-premises AD is not required. However, organizations with legacy applications that require Kerberos or NTLM authentication will typically need a hybrid setup with Entra Connect for the foreseeable future.

How do I migrate from Azure AD PowerShell to Microsoft Graph?

Microsoft deprecated the AzureAD and MSOnline PowerShell modules in March 2024. Migrate by installing the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph), mapping your existing cmdlets to Graph equivalents using Microsoft's cmdlet mapping reference, and updating your automation scripts accordingly.
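The migration described above, shown on three common admin tasks first as they were written against the deprecated AzureAD module and then against the Microsoft Graph PowerShell SDK, as an added example (not code from the original article). It assumes Microsoft.Graph is installed, the scopes listed are consented, and the group name and UPN are illustrative.

```powershell
# Added example, not from the original article. Assumptions: Microsoft.Graph installed; scopes
# below consented; group name and UPN are illustrative. The AzureAD lines are kept as comments
# for comparison only; that module is deprecated and should not be run.

# --- Before (AzureAD module) ---
# Connect-AzureAD
# Get-AzureADUser -All $true | Where-Object { -not $_.AccountEnabled } | Select-Object UserPrincipalName
# $g = Get-AzureADGroup -SearchString "SG-Engineering-M365-Users"
# Add-AzureADGroupMember -ObjectId $g.ObjectId -RefObjectId (Get-AzureADUser -ObjectId "jdoe@contoso.com").ObjectId

# --- After (Microsoft Graph PowerShell SDK) ---
# What breaks a naive 1:1 rewrite:
#  * Scopes are requested explicitly at connect time; the old module got broad access implicitly.
#  * Get-MgUser returns a small default property set; ask for what you need with -Property.
#  * Filtering is server-side OData (-Filter), far cheaper than pulling -All and filtering locally.
#  * ObjectId became Id, and the member reference is built for you by New-MgGroupMember.
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All"

Get-MgUser -All -Filter "accountEnabled eq false" -Property "userPrincipalName", "accountEnabled" |
    Select-Object UserPrincipalName

$g = Get-MgGroup -Filter "displayName eq 'SG-Engineering-M365-Users'"
$u = Get-MgUser -UserId "jdoe@contoso.com"
New-MgGroupMember -GroupId $g.Id -DirectoryObjectId $u.Id

# Finding the Graph cmdlet for a call you only know by its REST shape:
Find-MgGraphCommand -Uri "/users/{id}" -Method GET -ApiVersion "v1.0" | Select-Object Command, Module
```

Run the converted scripts under a least-privilege app registration or a scoped admin account and review the consent prompt the first time: the scopes you list at Connect-MgGraph are exactly the blast radius of that automation.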

About the Author

Praveena Shenoy

Country Manager, India at Opsio

AI, Manufacturing, DevOps, and Managed Services. 17+ years across Manufacturing, E-commerce, Retail, NBFC & Banking

Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.