Single Sign-On Configuration
Entra ID SSO eliminates password fatigue by providing one-click access to all connected applications through a single identity. Configuration options include:
- SAML-based SSO: For enterprise applications that support the SAML 2.0 protocol
- OIDC/OAuth: For modern web and mobile applications
- Password-based SSO: For legacy applications that only support form-based login
- Linked SSO: For applications that handle their own authentication
The Entra ID app gallery includes pre-configured SSO templates for over 3,000 applications, reducing setup time to minutes for common SaaS tools.
Multi-Factor Authentication and Conditional Access
MFA and conditional access work together to enforce strong authentication based on risk signals like location, device state, and user behavior.
- MFA methods: Microsoft Authenticator app, FIDO2 security keys, SMS, phone call, and hardware tokens
- Conditional access policies: Require MFA only when risk is elevated (new location, unmanaged device, sensitive application)
- Risk-based policies: Entra ID Protection detects suspicious sign-ins and triggers step-up authentication automatically
Best practice: Enable security defaults for organizations without P1/P2 licensing, or build custom conditional access policies for granular control with premium licenses.
Privileged Identity Management (PIM)
PIM provides just-in-time privileged access, reducing the window of exposure for administrative accounts.
- Assign roles as "eligible" rather than "active" — administrators must activate their role before using it
- Require MFA and approval workflows for role activation
- Set time-limited role assignments that automatically expire
- Generate audit reports showing who activated which roles and when
PIM requires Entra ID P2 licensing but significantly reduces the risk of privilege escalation attacks.
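To check that the eligible-versus-active and time-limit practices above are actually in force, the following added example (not Microsoft's or Opsio's code) audits exported role assignment records for standing privilege. It assumes records shaped like Microsoft Graph `roleAssignmentScheduleInstances` output; the sample data, the placeholder IDs, the `audit` function and both thresholds are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample shaped like Microsoft Graph roleAssignmentScheduleInstances
# records (assignmentType, startDateTime, endDateTime); all IDs are placeholders.
SAMPLE = [
    {"principalId": "user-a", "roleDefinitionId": "role-global-admin",
     "assignmentType": "Assigned", "startDateTime": "2024-01-10T08:00:00Z",
     "endDateTime": None},
    {"principalId": "user-b", "roleDefinitionId": "role-global-admin",
     "assignmentType": "Activated", "startDateTime": "2024-05-02T09:00:00Z",
     "endDateTime": "2024-05-02T13:00:00Z"},
    {"principalId": "user-c", "roleDefinitionId": "role-user-admin",
     "assignmentType": "Assigned", "startDateTime": "2024-03-01T00:00:00Z",
     "endDateTime": "2025-03-01T00:00:00Z"},
    {"principalId": "user-d", "roleDefinitionId": "role-user-admin",
     "assignmentType": "Activated", "startDateTime": "2024-05-02T09:00:00Z",
     "endDateTime": "2024-05-03T09:00:00Z"},
]

def _parse(ts):
    # Timestamps are ISO 8601 in UTC with a trailing "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit(instances, max_activation=timedelta(hours=8),
          max_standing=timedelta(days=90)):
    """Return (principalId, roleDefinitionId, finding) for every assignment
    that undermines just-in-time access. Thresholds are assumed policy values."""
    findings = []
    for inst in instances:
        who, role = inst["principalId"], inst["roleDefinitionId"]
        end = inst.get("endDateTime")
        if end is None:
            # No expiry at all: the role is permanently usable.
            findings.append((who, role, "permanent-active"))
            continue
        lifetime = _parse(end) - _parse(inst["startDateTime"])
        if inst["assignmentType"] == "Assigned" and lifetime > max_standing:
            # Directly assigned (not activated from eligible) for a long period.
            findings.append((who, role, "long-standing-active"))
        elif inst["assignmentType"] == "Activated" and lifetime > max_activation:
            # Activated via PIM, but the activation window is overly generous.
            findings.append((who, role, "activation-too-long"))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

Findings of type `permanent-active` are the ones to convert to eligible assignments first, since they never pass through the MFA and approval steps that PIM activation enforces.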
Entra ID Pricing Overview
Entra ID is available in free and premium tiers with different feature sets.
| Tier | Key Features | Price (per user/month) |
|---|---|---|
| Free | Basic SSO, user management, MFA (security defaults) | Included with Microsoft 365 |
| P1 | Conditional Access, dynamic groups, self-service password reset | $6.00 |
| P2 | PIM, Identity Protection, access reviews, entitlement management | $9.00 |
Frequently Asked Questions
Do I need to migrate from Azure AD to Entra ID?
No migration is required. Azure AD was rebranded to Entra ID — all configurations, policies, and integrations continue to work. You should update documentation and scripts that reference the old Azure AD admin portal URL.
What is the difference between Entra ID P1 and P2?
P1 includes Conditional Access and dynamic groups. P2 adds Privileged Identity Management (PIM), Identity Protection with risk-based policies, and access reviews. P2 is recommended for organizations with strict security compliance requirements.
Can Entra ID manage non-Microsoft applications?
Yes. Entra ID supports SSO and provisioning for thousands of third-party applications through the app gallery, SAML, and SCIM protocols. It can also serve as the identity provider for custom-built applications using OIDC/OAuth.
How does Entra ID integrate with on-premises Active Directory?
Microsoft Entra Connect (formerly Azure AD Connect) synchronizes user accounts, groups, and passwords between on-premises Active Directory and Entra ID. This enables hybrid identity scenarios where users authenticate against cloud services using their existing directory credentials.
Is Entra ID suitable for managing cloud infrastructure access on AWS or GCP?
Yes. Entra ID can serve as a federated identity provider for AWS IAM (via SAML) and Google Cloud (via OIDC), providing centralized identity management across multi-cloud environments. Opsio helps configure these cross-cloud identity integrations as part of our Azure consulting services.
