What is our primary use case?
The primary use in my organization is for identity and identity security management. In our case, it's in our hybrid infrastructure, where it's not the cloud-native option; it's based on on-prem identity infrastructure on the cloud. We use it to manage our identity in a multi-cloud scenario.
We use it also for our software developers for credentialing. They use a single credential, and they can use multiple platforms, like, GitHub, Google Cloud, AWS, et cetera.
The product is connected to our security operation setups.
We also use it in our organization to on and off-board the users constantly. It helps strengthen our permission management and privilege access management. For example, if one of our engineers or users needs temporary sole permission to perform an action, we use the product to temporarily grant that security role, or that extra permission that will last a certain amount of time. After the desktop is completed, the permissions are revoked. That way, users do not have a sensitive role constantly enabled.
What is most valuable?
The overall identity management and lifecycle management capabilities are great. We can support our entire operation. For example, we can create an onboarding package for the users so that at the right moment they have everything that they need and access to exactly what they need when they need it, and this will help our transition team when new users start. They can have the password, credentials, et cetera, all accelerated while making sure there are no security gaps.
Entity management is great. We can provide access for short amounts of time as needed.
When we develop applications, we leverage Entra ID to create an application like an identity so we can tailor the security posture of an application that is often used or exposed on the public internet for customers.
To summarize, identity lifecycle management, privileged access management, and identity and credential management for developers and applications are all the best aspects of the product, in a nutshell.
Entra ID provides a single pane of glass for managing user access as well HRID of API capability for third-party integration. The single pane of glass positively affects the consistency of the user's sign-on experience. That is one of the strongest points. Using a single pane of glass and then adding HID, like a gatekeeper for identity, is very helpful. The user now knows what they expect when they authenticate an application or they authenticate a portal or simply consume Microsoft Office since the experience is very consistent. It's always the same. Our support knows when, in which scenario, and what could be a problem and then quickly can help the user to overcome an issue. The single pane of glass actually is the beauty of the product.
Security policies can now be very consistent and very granular and can be completed in specific ways for individual users. For example, there is a way to tailor your security experience for certain container reviews. A sensitive user, a high-risk user, or a developer, can have a custom mail detail or security policy that will impact only them while the rest of the standard users will not be affected by an end security policy since their workloads wouldn't require that.
The portal is really handy. It's exactly what you would expect it to be. The management center is very comprehensive. We've had no problems with the useability of the admin access and the capability of the product offering.
This solution removes a lot of burdens, especially for us as cyber engineers. With a few clicks, we can create and target certain users. It will provide inputs and insights on scenarios and security settings. It will send warnings before we enable policies to let us know what might be affected. It helps us on the front end to avoid security configuration mistakes. That's for the sake of security as well as the user, who could otherwise be blocked every now and then by an incorrect security policy.
We use Entra ID's conditional access feature to enforce fine tune and adaptive access controls. We use that for user identity and to protect workflows. In EntraID, an application in the directory, it's considered an identity, even if it is an application. Therefore, we can create a policy for users as well as for applications where it will authorize access only if certain conditions are made. We use that extensively.
The conditional access feature positively affects the robustness of a zero-trust strategy to verify users. We use the conditional access feature in conjunction with the Microsoft Endpoint Manager.
We can use combined security products that fit with the product. It's very effective. It ensures security overlap.
I'm working with a verified ID as well. Users can use that single identity to access what they need and to configure the software developer pipeline to use that Microsoft-managed ID to push and pull code from restart to the application. If you have multiple other solutions, for instance, GCP, you can use that federated credential to manage software and code regardless of the cloud provider that is used by using the unique identity. This makes the work of developers more secure since they only need one ID. Otherwise, they will put on a piece of paper, their username and password for each application that requires access. With this solution, you have one identity secured to move them all, and it's easier for the developer who can be more productive while staying more secure.
We've used the product to onboard or move new employees. That's part of the identity lifecycle workflow that we are experiencing. It's probably the number one product for HR management when it comes to user onboarding. It helps onboard and offboard remote workers with ease. After all, not all departments require the same applications, for instance. With this product, we create the prerequisites by creating an access package.
Verified ID is good when it comes to privacy and control of identity data. Privacy control is a mix of responsibilities between the organization and Microsoft Cloud, of course. There is full transparency with Microsoft covering this data, however, nothing is perfect. If Microsoft changes something, since they are linked, it may affect performance.
The visibility and control for permission management are excellent. Integrations are becoming more and more native. It helps reduce our surface risk when it comes to identity permissions. When in combination with Microsoft Sentinel, it's really feature-rich. I can also create reports for when management wants to assess problem areas.
It's helped to save time for your IT admin waiters or HR department. There is a reduction of recurring tasks by up to 50% to 70% compared to the legacy solution. It's tricky to contemplate how much money is being saved, however.
The product has affected the employee user experience in a positive way. The organization is very happy with it.
What needs improvement?
Sometimes with this solution, since our old API can have some latency and short links if you want to enable permission on a system application can be some delays. For example, sometimes, when a user requires their access, sometimes it's not happening in real-time; they just wait a couple of minutes before the TCI really provides it. Sometimes this can create confusion if a user an engineer or a developer believes that the solution is broken. The solution is not broken. It just sometimes has a delay. That is something that I encourage Microsoft to fix. During the pandemic, we had a lot of conditions with the remote workers. So when the capacity increased, there could be latency. However, that is a Microsoft scalability problem that they have to address at a certain point. That said, it's not a dealbreaker.
It would be good to have more clarity around licensing. It's a bit technical for those strictly dealing with budgets.
I would like to see a little bit of improvement in the resiliency of the platform. Entra ID has a global point of presence worldwide, however, if one node goes down in a geographical location, it has a global impact. Sometimes even a simple certificate that is not renewed on time can cause global issues. Microsoft should improve global operations and sandboxing. So if one of the nodes is down in Asia, it won't take down the United States as well. The redundancy and the resiliency of the product should be improved over the global geographical scale of the product.
In terms of features, at the moment, the solution is covering everything. I don't see a new feature needed aside from improving their API.
For how long have I used the solution?
I've been using the solution since 2015 or 2016. I've used it since before the name change.
Buyer's Guide
Microsoft Entra ID
May 2024
Learn what your peers think about Microsoft Entra ID. Get advice and tips from experienced pros sharing their opinions. Updated: May 2024.
772,679 professionals have used our research since 2012.
What do I think about the stability of the solution?
Overall, the product is stable. It's 99.9% stable.
What do I think about the scalability of the solution?
In my current organization, we have around 100 users on the solution. However, we have B2B integrations that include 3,000 to 4,000 users.
Microsoft does scale up to hundreds of thousands of objects. The solution scales well.
If you need more than fifty thousand objects that can be created in a single tenant they can be created within an additional directory.
How are customer service and support?
Microsoft offers different tiers of support according to the licensing model. The support is great. Generally, at first, you get a general engineer. They'll tell you to go and check an article. I tend to tell them the issue and lay out the problem and ask them not to send me an article since I am an expert. then I'll get to a second-phase engineer that can help. However, once you get to the right person, support is excellent.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
I have experience with One Identity, SharePoint, SharePointIQ, and InsightID.
I like how this product has a view on a single pane of glass. Out of the box, it can serve multiple types of organizations that may have multi-cloud strategies. It also has good third-party integration and reporting capabilities. Everything we need to start is right in one solution.
We do have Okta, which we are phasing out. We use it for some B2C scenarios. It's an excellent product and has solved problems for us over the years.
How was the initial setup?
When you set it up the product, there's always a combination of business people, decision-makers, and IT people, and I always encourage business and decision-makers to read the Microsoft adoption framework for Entra VNS Ready. So that way the decision makers have an idea of how to use the product and which features are required. Then we start with the technical part.
We should basically start always with an assessment. How many users do you have? Which one is the office license model? And so on and so forth. When the assessment is done and when we have an idea of the topology of the user, we can start the design. We ask, okay, would you like to be cloud native? Would you like to have a hybrid model where you have an on-prem identity shipped to the cloud? And based on the decision, we'll start by usually setting up Azure AD Connect.
Azure AD Connect is a solution that's on-prem. We'll onboard the identity on the cloud and all the security tokens that come with it. Then, of course, we start to plan the identity migration.
Based on the call on existing users, the next design is to onboard a lifecycle identity for the new commerce that will join and for people that will lead. It's important to read the Microsoft architecture and adoption framework for InsightID. And based on that, then we go into the nitty gritty technical decisions.
The setup can be handled by one person. However, once you begin to integrate it with 95% of the organization and need to touch messaging systems and mail systems, you'll need to collaborate with others. If you are using the Internet and SharePoint, you need an Internet engineer. You likely need a few people to assist.
The maintenance aspect is not difficult. It's a SaaS and Microsoft handles most of the burden. You just need to perform hygiene rather than maintenance, for example, removing people you no longer need. While maintenance is mostly taken care of, people should pay attention to the Azure cloud as Azure can cause security holes with changes.
What was our ROI?
We have witnessed a return on investment, however, it's hard to quantify. Definitely, in the long run, there's a benefit to leveraging the product.
What's my experience with pricing, setup cost, and licensing?
Decision-makers dealing with budgets will sometimes struggle to really understand the kind of license that's needed. When you are doing multi-cloud the costs can be a little bit higher. It may not be cost-effective if you do not how to use the platform.
The price point is pretty high.
However, for Android and Office users, it's very useful to have.
What other advice do I have?
We use a hybrid approach on-prem. We have some log applications and some legacy applications that require us to have an active directory as a primary identity source of view. This means that we ship our identity to the cloud, however, we don't have a vice-versa mechanism.
I'd advise potential new users should investigate by creating a POC free of charge. Microsoft offers free credits for POCs. These can be extended for a certain amount of time.
I'd encourage anyone to contact a Microsoft representative and set up a POC and get training material and really evaluate the product first. Once you use it, there's no going back.
I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.