Microsoft Entra ID Reviews

I have had multiple use cases for Entra ID during my previous position as a system administrator. In that role, I was responsible for managing around three thousand users within our organization, including some external parties, which brought the total user count to approximately ten thousand. Entra ID is a cloud-based solution designed for identity and access management. In our organization, we primarily employed it to maintain user groups for authentication purposes. Additionally, we had on-premises applications that required registration within Entra ID, enabling us to provide a single sign-on solution for these applications, granting access to our users.

Entra ID boasts several other features as well. For instance, we utilized a security feature called NFA to enhance user security. We also implemented a conditional access policy, tightly integrated with Microsoft Intune. This policy allowed us to define specific access rules based on user locations. This means that if a user was located in a particular branch, they would be granted access to certain services while others would not. Such configurations were established within our conditional access policy in Entra ID.

At times, we needed to provide temporary access to certain users as administrators. For instance, our compliance team might require access to check compliance reports or logs for a limited period, which we facilitated by granting access for one or two hours. Within Entra ID, we have a functionality known as Security Score, which we utilize to assess and benchmark the security of our organization. This helps us identify potential risks and areas for security enhancement.

Among the tools we employ, Intune plays a crucial role. With Intune, we effectively managed our Windows, iOS, and Android devices. We could establish compliance policies and configuration settings for both Entra ID and Intune, ensuring a consistent and secure user experience across different devices and platforms.

Entra ID can be deployed using a hybrid model for organizations with a significant on-premises presence, or in a fully cloud-based setup for those that do not.

Entra ID offers a unified interface for managing user access.

In addition to the Single Sign-On provided by Entra ID, we also offer a biometric option through Windows Hello.

In the admin center, we can locate the dashboard. Recently, Microsoft has made significant improvements. Previously, searching for a username required navigating to the user test section. However, presently, I've observed that Microsoft has enhanced the search scenario. Now, by simply searching for the username on our web page, it will display the username along with all associated details. Furthermore, we have password identity management, group management, and application registration options available. We also support on-prem authentication, specifically rescoping authentication like NTLM, which is an older authentication method. However, if we register our application with Entra ID, we can easily enhance the security of our authentication through modern authentication methods. These security features are available within the admin center.

Verified ID, in fact, is obtained when we create or subscribe within Entra for the initial time. Therefore, it is a default setting on Microsoft that provides us with a default domain. However, if we perform this on Microsoft.com, we need to append that tenant and subsequently verify it. This, of course, necessitates the addition of certain DNS entries to incorporate our customized domain into Entra ID. Consequently, we have the capacity to include up to 500 domains within a single tenant.

We are three global admin users. As such, we are responsible for maintaining our company's tenants. Occasionally, the security or compliance teams need to assess the current status. For instance, we might have a project requiring a vendor to have access for a specific duration. In such cases, we can readily grant customized access to that user for the designated period. Post this duration, access will be automatically revoked. Hence, we can manage these settings through permission management.

Microsoft has indeed introduced new features. For instance, we now have the ability to create a multitude of users or add members to a group all at once. To facilitate this, they have developed a custom script. By including the object ID of the user in an Excel or CSV file and importing that file, the system will automatically add the users. Entra ID is particularly time-saving, as it allows us to add 100 users in just 30 seconds using the group method. If we were to create the group manually, it would take one to two hours per user.

In my situation, not all users are motivated. The IT division and the technicians might be up to date with the latest technology. However, when we consider the finance or sales personnel, their primary focus is on their business sales. They lack knowledge of IT or technologies. As a result, when we introduce a new solution and onboard their users to that system, we encounter certain issues. Nevertheless, through integration and training, we established the necessary procedures for logging in and working, which eventually became acceptable. Entra ID has played a significant role in making the user experience more seamless.

As an administrator, we sometimes observe a discrepancy between Microsoft Intune and Entra ID – these are distinct solutions, each with its own licensing subscription. On occasion, these two solutions are combined into a single service, or conversely, certain services might be removed. Such situations can create conflicts for administrators. A few days ago, I noticed that certain aspects like the Microsoft Compliance and Microsoft Security tabs were missing when accessing Entra ID. It appears that some services have been removed from Entra ID and new ones have been introduced, which wasn't communicated to us. I would appreciate receiving notifications regarding the removal of services from specific tabs, along with information about their replacements. This would allow us to plan our logins accordingly. Microsoft offers two portals – the classic portal and the modern portal. When using the classic portal, we promptly receive notifications about its upcoming transition to the modern portal after a designated date. However, no such notifications were provided for Entra ID. In my quest to locate security and compliance checking features within Entra ID, I discovered that the options were seemingly absent. Subsequent Google searches revealed that these features had been consolidated under a single solution.

We are receiving false security alerts on the dashboard. We have set up a conditional access policy that restricts access based on the user's location. However, we have observed that there are instances when Microsoft's AI might be generating these false alerts. This is causing users to be blocked from accessing their accounts. When we reached out to these users, they confirmed that they hadn't visited the specified area or country in the last seven to ten days. Despite this, they are receiving notifications to reset their passwords, with a warning of being locked out. Microsoft should work on enhancing its machine-learning algorithm to prevent unnecessary lockouts of users.

I have been using Microsoft Entra ID for five years.

Entra ID is a cloud-based solution. Microsoft, in fact, operates multi-zone data centers which greatly reduce the possibility of service outages. However, this year we have experienced a significant amount of downtime. For instance, we encountered Exchange Online issues in Bangladesh. They source their authentication from either the Singapore or Indian data centers. Unfortunately, there were several instances of problems in this area this year, about two or three times. We faced communication as well as mail-sending problems. While their Service Level Agreement is supposed to be 99.99 percent uptime, it seems to be closer to 99.98 percent. Interestingly, for the past four years, we did not encounter any such issues. Strangely, this year, these problems began around the time of the Russian incident. It's possible that backend issues, perhaps related to cybersecurity, contributed. Additionally, Microsoft laid off ten thousand employees this year, and after this restructuring, we started facing these issues.

I would give the scalability a ten out of ten.

The quality of technical support depends on both the issue at hand and the expertise of the assisting engineer. In certain cases, they might be unable to provide assistance, leading us to resolve the issues on our own.

We previously used the on-premise version of Active Directory before switching to Entra ID.

The initial setup for Entra ID is simple when opting for a full cloud deployment. We only need to onboard the users and enter the license. However, in a hybrid scenario, we require network connectivity from on-premises to the cloud. Additionally, a separate server is necessary to synchronize the users with the cloud. This process is time-consuming and intricate to manage.

I implemented Entra ID for three to four companies in Bangladesh. Additionally, for on-premises Active Directory deployments, I handled more than ten to fifteen projects. In the capacity of a vendor, I collaborated with a company that served as a local partner of Microsoft.

The deployment involves four or five teams, including IT, Networking, and Security.

To facilitate hybrid implementations, we need the support of an architect to design the servers.

As Entra ID is a subscription service, a payment is required for each user every month. To access its features, purchasing the license is necessary. Initially, upon creating the tenant, a complimentary subscription for either 30 or 90 days is provided. After this trial period, it's mandatory to choose a subscription. Entra ID is relatively expensive compared to other solutions. There are free alternatives available for managing and providing authentication. However, considering a comprehensive range of solutions under one umbrella, Entra ID stands out. It offers additional benefits such as one terabyte of OneDrive and SharePoint storage, along with Microsoft Teams integration. The cost covers various applications and extra features, providing good value for the investment.

Entra has P1 and P2 licenses that are bundled with lots of applications.

I would rate Entra ID a nine out of ten.

Since Entra ID is cloud-based, remote users or branches need to ensure that they have a stable internet connection to access our environment.

Maintenance for cloud solutions is generally not obligatory. This is due to the automatic functionality that activates when users are enabled. However, if a license expires, we must either seek assistance from Microsoft or renew all licenses, subsequently testing the new licenses. Occasionally, for maintenance, especially when dealing with our own custom applications and enabling single sign-on with Entra ID users, we require assistance both from Microsoft and our mitigation team. This is because each application has its own authentication method, often resulting in compliance issues. To address this, discussions with the mitigation personnel are necessary, and we may need to allocate time for aid from a Microsoft engineer. In certain instances, collaboration with Microsoft vendors from the integration team is essential. Apart from these situations, the process remains fairly straightforward.

We primarily use the solution for user integration; we have many users around the globe and use it for authentication syncing in Microsoft 365 and SSO, and the product provides a single point of use. Our environment encompasses many offices around the world. 

As we have a hybrid deployment, providing our engineers access rather than allowing them direct access to our Azure AD server is easier, reducing our security concerns. Our end users can also reset passwords themselves without going through our support or services teams.

The solution saves us a lot of time for our IT department and others. Taking into account onboarding, IT, and HR concerns, Azure AD gives us 50% time savings weekly.

Azure AD saves us a lot of money. 

Overall, the solution positively affects the employee user experience in our organization. We can manage all kinds of activities and other MS products from a single pane of glass, including users, endpoints, roles and permissions, mail, and more. This ease of management ensures a positive experience for our end users.  

Single sign-on, license management, and role management are the most valuable features. Integration with Microsoft 365 is also very valuable. 

Azure AD provides a single pane of glass for managing user access, which makes the user sign-on experience very consistent; users can access multiple applications with the same credentials.  

The single pane of glass makes the security policies we apply consistent.  

We use Azure AD Verified ID to onboard remote employees, and it's pretty quick.  

Verified ID is excellent for privacy and control of identity data; many options, such as multi-factor authentication, are available. 

We have used the solution's Permission Management, which provides good visibility and control over identity permissions. It's an easy feature to operate, and the portal is intuitive.

The custom role creation function could be improved as it's somewhat tricky to use. 

We've been using Azure AD for over five years. 

The product is stable. 

Azure AD is a scalable solution; we have around 10,000 end users managed by 12 to 15 engineers. 

The technical support team is good; I rate them eight out of ten.

Positive

We previously used an in-house Active Directory and Okta Workforce Management. Azure AD is more affordable, has the benefit of being a Microsoft product, and allows single sign-on from the same page. Onboarding products is more manageable with Azure AD, and we prefer to use the Microsoft suite rather than mixing and matching from multiple vendors.  

The initial setup was straightforward. 

Azure AD is worth the money and provides us with an ROI. 

The pricing is good; it's not cheap but very reasonable. 

I rate the solution nine out of ten, and I recommend it. 

Microsoft Entra ID serves as an identity protector and service privilege manager.

It has enabled my organization to build a secure environment for user login and asset access. We can enable secure user logins and access to assets.

When we implement app access with Microsoft Entra ID, it gives us confidence that we have secure authentication for our applications.

With privilege identity management, we can grant or escalate rights to a role for a short duration of time and not forever. It is a great feature. It is useful to validate the escalation of privileges. 

Federation on access service principle and the ability to be passwordless in certain use cases are valuable. Federated identity management is a great feature for the zero-trust model. 

Microsoft Entra ID could benefit from more fine-tuned rights. It is necessary to prevent granting an application or user broad access rights. A more precise approach would allow for specific rights, limited to certain contexts within the organization.

I have been using Microsoft Entra ID for three years.

Microsoft Entra ID efficiently responds to numerous requests, and we have not faced significant connectivity issues, making it reliable.

Their customer support is good.

Positive

I have not used any other solution. I was previously using Azure AD. About two years ago, it was renamed to Microsoft Entra ID.

I would rate Microsoft Entra ID a nine out of ten.

We have it synced to our on-premises Active Directory environment where we have some Active Directory servers. We use it for authentication into our cloud apps. We use it for SSO. Because it is connected to our Office 365 tenant, we use it for single sign-on for applications that support it. 

We also use it to evaluate risky sign-ins or risky activity for users. If there are user sign-ins from a geographic location that they would not normally sign in from, we get a notification for it, and we can investigate what is going on with a user's ID, if the person is actually there or not, and if we need to take any action on it.

Entra ID has primarily helped with security and some level of organization of our user environment and application access for staff.

Entra provides a single pane of glass for managing user access to some degree. We still have to use local Active Directory management for certain items or troubleshooting. It does not seem to extend management and troubleshooting down to the endpoint level or have the same sort of granularity as managing Active Directory directly from an Active Directory server.

Entra ID has helped to save time. It has saved four to eight hours of staff member's time per week.

In some ways, Entra ID has saved us money because using it for single sign-on for third-party applications means that we do not have to use a third-party solution such as Okta or OneLogin. It is a default solution. It comes out of the box, and it works with multiple applications, which means that we do not have to go the route of having a third party to have that same type of solution for us. In that sense, it does save us money, but I do not know how much it has saved because I have not priced out Okta or any of the other solutions. I imagine it is a fairly substantial amount that they would charge per user per month times the number of our users.

Syncing with our on-prem Active Directory is valuable because we do not have to keep multiple identities for each of our staff members. We can easily evaluate login risks and provide access for SSO via 365 into applications, such as Salesforce, and other things that we run our business on.

Certain aspects of the user interface can be rather clunky and slow. It can sometimes be circular in terms of clicking a link for a risky user sign-in and seeing what the risky login attempts were. It takes you in a circle back to where you started, so drilling down into details, especially if you are not in it every day and it is one of many tools that you use, can be difficult. It can be difficult to track down the source of an issue.

There should be better integration or support for FSMO roles and cross-tenant force management. If you want to enable it, it is tricky when you add Entra ID into the mix for domain sync or directory sync.

I have been using this solution for five years.

The Entra ID and Azure Active Directory support is quite good. Sometimes, it may take a little bit of time to get past tier one basic questions and basic pointing to support articles and talk to somebody who looks at your configuration and starts to understand what your specific challenges are, but once you get to that next tier of support, it seems like you are able to get answers very quickly.

I would rate their support an eight out of ten. A ten out of ten would be where you make one phone call and all solutions are given.

Positive

We did not have single sign-on capabilities for our SaaS apps. Prior to implementing our Azure environment, we did not have a cloud identity provider. It was all on-premises.

I was involved in the deployment and initial setup of Entra ID. It was not that difficult. It had medium difficulty. There is a Microsoft way of doing things. Microsoft certainly seems to have made things easier since then. Whenever I go back into the system, it looks like some of the usability improvements are there. 

I believe that we also contacted Azure support a number of times during our deployment, and they were quite helpful. They were helpful up to the point where I got contacted by a product manager for Azure Active Directory at the time, and they were able to walk us through some of the implementation challenges we had, so Microsoft, at least for us as we were adopting Azure and Azure Active Directory, had a lot of hands on help with getting set up. They are open to feedback as well. The implementation was about as difficult as I expected an implementation to be. It was not certainly a turnkey where it just works right out of the box, but I have had more difficulty implementing other Microsoft solutions.

It is good. We have Office 365 E3, and then that is tied in with Azure Active Directory. I believe that we only have to pay for our technician-level access or IT department access for Azure Active Directory Premium, which I am sure they call Entra Premium P2 licensing, so it is not a very large cost. We just adopted that, and that gives us a lot of insights into user security that we would not otherwise have. 

We looked at Okta. We looked at Cisco Duo. We looked at OneLogin. I believe that there was some cost that we would have to bear if we had adopted them. Okta looked like a very good solution, but Azure AD came integrated out of the box with our Azure environment and our 365 environment, so we decided to move forward with it instead.

We have started using Permission Management. We have not fully rolled it out yet. We have also not used Verified ID. It is something that is a little tough to implement because the documentation is not necessarily there yet. We have just started touching the surface of it.

I would rate Entra ID an eight out of ten. It is a good product. It works out well for an organization of our size. We are fairly small, and we have limited IT resources. We are able to use Entra ID for permissions management and access management. I am trying to learn more about secure access and secure edge type of solutions that Entra has. At this Microsoft event, the demos in Demo Theater 3 have been overflowing and overcrowded to some crazy degrees, so there is definitely demand for it. Microsoft can put these demos in a larger room because there is a lot of demand for it.

We use Azure AD to manage all endpoints, including laptops, desktops, mobile devices, such as iPads and iPhones, and users. We can disable accounts, create accounts, reset passwords, maintain access, and manage permissions.

Azure AD is essential to our organization. Our users need to use their Azure AD credentials to log into their computers every morning, and we also manage user accounts in Azure AD. As a result, we cannot function without Azure AD.

We use Entra's conditional access to restrict access to our system from overseas users. This means that users can only log in from Canada and the United States.

Our zero-trust strategy uses conditional access to verify users and prevent unexpected traffic, such as attacks from Russia. This makes our strategy more robust and secure.

We use Entra's conditional access in conjunction with Microsoft Endpoint Manager to limit user logins from Canada and the USA. We also limit devices that can log into the network to only those located in Canada.

Entra has helped our IT administrators save an hour of time per day.

Entra has helped our organization save money.

We used to use on-premises Active Directory. Now, we use Azure Active Directory. The main difference is that users can now reset their own passwords in Azure AD. This is a positive improvement, as it saves time and hassle for both users and IT staff. I believe that this has had a positive impact on our employee experience.

User and device management is the most valuable feature.

I would like Azure AD to provide features similar to check-in on-prem AD. The fetch-all service is the only one that is not currently available on Azure AD.

The technical support has room for improvement.

I have been using Azure AD for five years.

I give Azure AD's stability an eight out of ten.

I give Azure AD's scalability an eight out of ten.

The basic support from Microsoft is not good.

Negative

We previously used the on-premises Microsoft Active Directory. However, we have since switched to Azure Active Directory, which is a cloud-based solution. Azure AD is more flexible and scalable than on-premises AD, and it allows us to save money on hardware costs. This is because we no longer need to purchase and maintain our own servers. Instead, we can simply use the servers that are provided by Microsoft.

The initial deployment was straightforward and took two months to complete. We switched over to the new system and then set up a number of additional features, such as enterprise applications and multi-factor authentication. This took an additional month, for a total of three months. We followed the instructions from Microsoft step-by-step. The deployment required two full-time employees from our organization and three from our partner.

The implementation was completed with the help of an MSP.

We have seen a significant return on investment since switching to Azure AD. Our monthly costs have decreased from $5,000 to $100.

The price is affordable, and we pay around $100 per month.

Both Okta and Azure AD are great solutions. I know that many people use Okta, but my concern is that we are also using Microsoft products on the endpoint. This means that our users use Windows, and it makes more sense to use a front-end and back-end Microsoft solution.

I give Azure AD a nine out of ten.

Azure AD requires very minimal maintenance.

I recommend Azure AD. The solution is straightforward.

I use it to manage users and devices in my environment. 

I'm also using it to control access to different services that we have and to manage and register applications. It is used to control access to applications that we use in our company. I do a lot of applications in Azure Active Directory, and then I also have a hybrid configuration in my environment. I'm able to sync my on-premise users in the cloud so they can have the benefit of cloud infrastructure while maintaining access control to provide them access to the services that they need in Azure.

The product provides very good time savings. It also allows for a high level of security.

We get alerts when something has happened and it's easy for me to find the issue. It makes it easy to reset passwords. 

We have all the security features in one place and we have log analytics and diagnostics as well. It's very good for identity governance. 

We have an unlimited number of users that we can register. We can register more than five hundred thousand objects. That is wonderful for us.

We can have an audit and we can easily audit logs. I'm able to know when the user logged in and what program they used. I can track everything. I can see activities and denial of access. 

I can create many users at one time using Excel. When we have a lot of people that join, I can just use Excel to perform the deployment of the platform by creating a user. It makes onboarding easier. 

We can manage access and onboarding by teams. It allows us to maintain privilege identity management.

The Entra admin center is also fabulous. 

The product provides a single pane of glass for managing user access. Everything is there. I can monitor from there. I can create a single sign on from there. I can create MFA (multifactor authentication) directly from the portal. I have more than two thousand devices that I manage and I can do everything centrally. 

The single pane of glass affects the consistency of the security policies we apply. It is easy for me to have access to the panel, and I can have a great view of what is going on in my Active Directory. I have a security score. I have the number of groups, number of applications, and number of devices right in front of me, in one place. This makes it easy for me to monitor it and check everything. 

There are good tutorials available for learning more about the product.

We are using the conditional access feature. We also leverage multi-factor authentication so that we can verify users by phone number, for example. It helps us verify effectively. The conditional access feature works well with Microsoft Endpoint Manager.

We use the verified ID to onboard new employees efficiently. We can now onboard in less than 30 minutes. It's also great for privacy and control.

The employee user experience has been positive. When they submit a ticket, it gets resolved in less than 15 minutes. It's very impressive.

I haven't had any issues with the product.

I've been using the product for three years.

The stability is wonderful. I'd rate it 9.5 out of ten. It's the best.

The scalability is good. It's very scalable. 

I've only reached out to technical support once when I was trying to access our agreement account. They set up a meeting and guided me through how to connect to it. I had a positive experience. 

I have used other cloud technologies like AWS or Google Cloud and they don't have the type of active directory where I can control everything. Azure is very powerful.

Previously, all of our active directory was on a Windows Server on-prem. Managing it was not easy. Finding user accounts, going to log in to the Windows server, going to log in to the active directory, et cetera, that previous process was too long. Now, it's easy. Now, you can log in and you have everything in front of you. 

With the old system, we needed to configure it and we were using Okta and we had a combination of many, many tools to be able to get results. Now, we can assign the role directly from OneClick, and we can also use the PowerShift LiveGuard template and it's easy. 

The product is easy to set up. You can set up an entire organization in one day. 

There is no maintenance needed. Microsoft takes care of everything. We just make sure that we check the synchronization. Even if there is a sync error, we will receive a notification. Usually, it fixes itself and syncs every hour.  

We handled the setup in-house.

We've saved more than 20 hours per week. The product is saving us a lot of time. It cut time spent by 45% to 50%. It's also saved us money as we only pay for what we use.

We pay monthly, and we only pay for what we use.

We are a Microsoft customer. 

I'd advise potential new users to read the documentation and make sure that they know what they are doing before they begin providing access to users. If they don't follow the requirements of their company before creating users, they could have a data breach or provide the wrong access.

You can have a centralized solution that provides secure access. You can manage everything from one portal. Azure makes it easy.

I'd rate the product ten out of ten.

The use cases typically include external customer authentication, which we do, and by customers, I mean our hotel partners. There is basic user authentication and the ability to isolate those users based on a particular security environment, whether they are coming from a PCI environment, lab environment, corp environment, etcetera. Each of those has to pass through specific security, so everything that your Active Directory or Windows AD is solving on-premise is essentially the use case, except for the external customer situation which was the one thing that made me look at Entra ID. Unfortunately, the way Entra ID works created a major security issue that I cannot go into regarding guest users for our tenant. We are now trying to fix that.

We tried to stand it up as a PoC, and we went back and forth with Microsoft on it for a few months. We never got to a resolution because there is an architectural design issue with the service itself, and Microsoft is not going to change their service for us. We tried to use it, and then we gave up, killed it, and went back to the original plan, which was to use Okta. Our goal is to eventually completely get out of the Microsoft Identity ecosystem and move over to Okta.

We do not use Entra ID anymore. We have moved away from Entra ID. We could not justify it from a business standpoint. That is the crux of the situation. We now have a solution that can meet all of our business needs.

Microsoft Entra does not provide a single pane of glass for managing user access. It is not fully featured yet. There are some things within that Entra ID administrator portal, but it is not as robust as simply going to Entra ID service and then going to different features that it has to maintain identities. It is not even a single pane of glass if you look at how Microsoft does identity between Entra ID, Azure Resource Manager, and M365 itself. I know that they are trying to fix the situation between Entra ID and M365, but the subscription-level identity access controls need to be moved out of the subscription level and need to be globally managed from the identity provider. I am sure there was a design choice for that, but it just does not work when you are a company of our scale because we just cannot keep managing individual resources, so we would like to centralize the identity system.

I used Microsoft Entra Permission Management in a very specific scenario but because we are a hybrid environment, we often found ourselves fighting with cloud groups. We moved a lot of security groups into Entra from our Windows AD environment. We have a lot of stuff that has been built upon that for the past 20 years. Not being able to have Windows Active Directory security groups that are synced to Entra ID to control access to resources was a big pain for us. We would have had to create a cloud group and then add all the members of those on-prem security groups to it, so we did not even bother with it. When you have a company of our age and our size and you have nested security groups, there is a lot of linkage there, and it is not attainable. 

It is great for mom-and-pop shops or small businesses that are truly coming into the enterprise ecosystem and that have not come from a legacy environment. Current statistics show that 99% of the world that was in an Active Directory authentication environment is still in the Active Directory or Windows AD authentication environment and just supplementing Okta, so we are not doing anything new. A previous Microsoft employee that I talked to said that in the last decade, there has literally been only one customer to get fully off their hybrid environment and go fully into Entra, and it took them over ten years. Therefore, Microsoft needs to focus more on Entra and fix not only the design flaws but also address a lot of the customers' needs. It has a lot of potential specifically around taking business from IIQ for some of those UAR workflows, identity workflows, etcetera. Their biggest competitor is Okta, and Okta is currently the better solution.

We have been trying not to use the solution. It is used for a specific use case, which is around authenticating M365, and we are trying to see if we can get out of using it, but that is only because our environment is extremely complicated. Entra ID is not battle-tested or stable enough to support a business of our size. There are some design issues specifically around support for legacy services. We used to be part of Microsoft, so we have about 15-year-old services sitting in our data center that still need to use legacy LDAP authentication. The way we currently have the environment set up is for one very specific domain. I am using a domain for specific context here to keep it simple. We have 36 Active Directory domains, and that does not include the child. We follow the least privileged access model. Our environment currently consists of using AD Connect to synchronize objects from our corporate tenant into Entra ID, and then from Entra ID, we wanted to stand up Azure domain services as a possibility for retiring legacy LDAP services. The issue with Entra ID specifically is that the way it replicates objects out of its database into the Azure domain services Active Directory tenant or Active Directory service is that it uses the display name. This is a bad practice, and it has been known as a bad practice even by Microsoft over the past decade, so the design is not good. The issue with replicating based on the display name is that when you are coming from an environment that uses a least privilege access model, where you want to obfuscate the type of security account being used by hiding it behind a generic display name, instead of myusername_da, myusername_ao, etcetera, to have an idea of what accounts are being used when they are logging in, it is unable to reconcile that object when it creates a new domain. If they all have the same DM, you end up with quadruplicates of each user identity that was replicated to it from the directory. Those quadruplicates or their same account names, as well as the display names within the cloud domain services directory, have a unique identifier with the original account name attached. What that does is that it not only breaks that LDAP legacy authentication, but it also drives up the cost for your customers because you are paying for each additional seat, additional user objects that are created, or additional users. You also cannot tell any of those accounts apart unless you dive deep into the user object to peel back what type of account that is to map it back to what came from on-prem itself, so the service is completely useless. What we have done in our case is that we do not really need Entra ID. We have Okta, so we use an Okta LDAP endpoint. That does exactly what we need in using SCIM, which is the technology that is able to take identities from multiple dynamic providers and merge them together into a single record. It is able to act as an official LDAP endpoint for the business, so legacy apps work. We do not have a problem. Microsoft could learn from that.

Entra should allow for external MFA providers rather than forcing you into a walled garden and the Microsoft ecosystem. Flexibility is a big thing, especially for companies of our size. A big issue for us is that we want the identity to be in Entra for sure, but we want it to come from Okta. We want the authentication and stuff to work, but we want Okta to control the PIM rules. We want it to do the MFA and all those things, but Entra does not play nice with others. Okta has engineered some ways to get it done, but it is not as full-featured as we would like it to be. Microsoft should do what they do with some other partners such as Nerdio and Jamf where they have their own version of a service, but they are still partnering with those other companies to at least add options on the market.

Fully customizable UARs and Azure Secure Identity Workflows would be great. Currently, you can do it if you cobble together a bunch of Azure functions and use Sentinel. If you are sending logs to Sentinel and are able to match patterns and run automation based on that, it would be great. They can help with a solution that abstracts away a lot of that complexity across multiple services into exactly what IIQ does. I could definitely foresee Entra being the choice for identity for pretty much all cloud providers if they can focus on the areas that SailPoint's IIQ does. A big pain point for a business of our size by being in Okta is that we do not have the same workflows that we have between IIQ and AD. With the amount of data that our company generates, we wanted Sentinel. I had their security department onboard, and it was going to be millions a month just to use Sentinel, but we could not use it, so we decided to leverage Splunk and a few other SIEM providers. 

They should also stop changing the name of the product.

We used it for a few months.

Microsoft's support has been so bad when we have had issues in Azure that we recently poured 24 million dollars out of our spend for Azure, cut our unified support agreement with them, and sent it to somebody else. I would rate their support a zero out of ten. It is so bad. We probably never had a support engineer solve our problem. Usually, I or somebody else in the company has to reverse engineer service to try and find the solution. The things that we find are not even documented on the Microsoft site. The second way is to pull the information from the blog of some old guy who found the same issue and ended up solving it. 

People on the support side at Microsoft just read from a runbook and then send us to another part of the world where they ask us the same question, read from a runbook, and then we repeat ourselves, so we sent all that support to Insight. They were happy, and they were way cheaper. It only cost us less than four million. It was significantly cheaper. Our leadership is like, "Wow! IT actually saved us money this year."

Negative

We were using Active Directory, and we will never get off AD. There is too much legacy stuff for us to even bother getting off AD. It is a very mature product. It would be crazy for us to leave Windows Active Directory for something else, even Okta. There are core things that we need to function a certain way, so Entra ID just does not make sense. Entra sometimes even has access issues and replication delays with identity and adding objects to a new access control list within its platform or service.

We are not a typical company. We used to be part of Microsoft, so a lot of things that we inherited were very complex, and we also do things differently. For the old NT systems and SMB shares, we are still using Active Directory groups, and they work just fine. We have automation built around membership. We control the membership of those groups, the auditing of those groups, and everything else, so it does not make sense. It would be too much work to move us over to Entra ID.

I was involved in its deployment. It was complex, but that was not Microsoft's fault. That was our fault because we have a very complicated environment.

We have a hybrid environment. We were in IBM, but we pulled back. We have Oracle's cloud platform, and we have AWS as well as Azure, but 99% of our cloud workloads are all in AWS.

When we initially started, Microsoft was not there. The initial implementation strategy was to synchronize the Windows Active Directory corporate domain to Entra ID. That way, we had the identities and we could use the same AD connector to synchronize the AD distribution lists. The other side was the mailbox. 

We did not take the help of any integrator. It does not require much. You stand up your servers. You have a staging host with its own database, and then a sync host with its own database. You then hook them up and make sure you have all the permissions in your previous tenant.

Microsoft puts MSOL accounts in some default directory. You should be able to tell the agent to put the MSOL accounts in a more secure OU. For instance, the original recommendation, which has changed recently, when we set up the service was to use an enterprise admin to set up the agent, which generates a bunch of MSOL accounts. Those MSOL accounts ended up in our all users' organizations. When you have a company of our size, that is not the only MSOL account that exists in the directory, and it is really hard to tell those apart, so we have to look through the logs, see which MSOL account it is using, and move it into the proper OU for the on-prem domain. It would be nice if you could determine where that goes at the time of creation.

We were able to reclaim the money that we did not spend with Microsoft and spend it elsewhere. It is technically an ROI, an investment of our time in negotiating other deals.

Microsoft is so expensive. You know it is expensive when a Fortune 100 company like ours is complaining about the cost. That has been a big thing for me. When I really want to use an Azure service, it is very hard for me to justify the cost, especially with Microsoft support. 

To those evaluating Entra ID, I would say that if you are on Windows Active Directory, just stay on it.

I would rate it a five out of ten. It is not ready yet. It needs focus by Microsoft.

I am the Microsoft solution architect for our organization and we are in the process of testing Microsoft Entra ID. 

Microsoft Entra ID will serve as the identity provider for all services, including on-premises and other sources. For instance, it can be utilized to authenticate our in-house phone application, replacing the need for local active directory authentication. With Microsoft Entra ID, the local active directory becomes unnecessary for authentication purposes. As an illustration, even in services like Gmail, authentication through Microsoft Entra ID is possible. This presents an excellent option that is also user-friendly. 

Moreover, the system is uncomplicated, featuring a lightweight and non-hierarchical schema. In contrast to the conventional active directory with its organizational and sub-organizational structure, Microsoft Entra ID adopts a flat directory model, streamlining operations without hierarchies. While this approach offers advantages, it also comes with its drawbacks, such as its reliance on the cloud platform.

Microsoft Entra ID provides a unified interface where we can manage all of our entities. It utilizes a flat directory structure, allowing us to assign user access and group them using tags. For instance, when we create a user for the sales team, we simply apply a tag such as "sales," automatically adding that specific user to the sales group. This eliminates the need for the manual creation of containers and the manual grouping of users within a specific container. Everything is achieved through tagging, and streamlining the process, and is facilitated by the singular interface offered by Microsoft Entra ID.

We can easily apply security policies through a unified interface. Everything in Microsoft Azure can be utilized for server storage. Although it's within a single interface, there are options for differentiation. For instance, by clicking on the Microsoft Entra ID, we can access a distinct interface. Here, we have the ability to create, apply, and manage policies for various aspects, all from this specific interface.

The admin center helps us identify where there are issues and easily take action.

In Microsoft Azure, there is a tool called Intune, which serves as a device management tool. In the past, we encountered issues while managing all end devices through SSCM. This involved a constraint where any updates or policies could only be pushed if the device was connected to the office network. Essentially, users needed to physically connect their devices to the office network to receive updates or policy changes. However, with the introduction of Intune, a Microsoft Azure product, we transitioned all our devices to this platform. This allows us to create and directly push policies without the necessity of the device being on the corporate network. Users can now receive security updates, as well as different antivirus updates, even while working from home. This streamlined approach greatly simplifies endpoint maintenance, which also extends to mobile devices.

We do not utilize the Microsoft Entra ID conditional access feature for endpoint devices. Instead, we apply conditional access to specific groups. For instance, we have a team that requires access for a defined period. Additionally, certain types of vendors need access ranging from, for instance, two days to a few hours. In such cases, we employ the conditional access feature to grant the necessary access. We have employed this approach, and it has proven to be highly advantageous.

While we don't typically utilize the conditional access feature in combination with Microsoft Endpoint Manager from the user's standpoint, there are certain groups for which we do implement conditional access. For instance, within multiple teams, not all members are granted identical access. Various team levels enjoy distinct levels of access. It is in such scenarios that we employ the conditional access feature.

We have an access group where we define the access that each team will receive. Additionally, we have the Tier One, Tier Two, and Tier Three support teams, for which we have defined privileges based on their respective roles and responsibilities.

Microsoft Entra ID assists in saving several hours for our IT administrators and HR departments daily. This is particularly due to its unified interface. For instance, when we need to review certain logs, we can grant access to the HR team. They can easily retrieve logs detailing specific employee activities. This includes information such as individual browser usage duration and system activation records. These types of logs encompass the range of data generated on a daily basis from this platform.

Microsoft Entra ID has undoubtedly assisted in saving money for our organization. This is because we are not only utilizing the solution itself, but we can also incorporate our application server along with products such as software and solutions, including emails. Microsoft Entra ID is included as part of the package fee, which unequivocally contributes to cost and time savings. This is primarily due to the elimination of the necessity for an additional identity provider, as it is already encompassed within the package.

Our employees' user experience has improved with Microsoft Entra ID compared to the local Active Directory, which was occasionally slow, depending on the availability of our log-on server at the time. If it was unavailable, logging in was significantly slower, and we could get logged out. This is no longer the case, and now we can easily log in. 

The group assessment policy stands out as the most valuable feature. It allows us to create numerous groups and add multiple users to those specific groups. Managing these groups can become quite complex within the standard active directory procedures. For instance, when it comes to tasks like adding or removing users, especially if a user is checked out, it can be unclear whether someone needs to manually remove them from the active directory.

However, there exists an option that streamlines this process. This option automatically sends a notification to the user. We have the ability to define the email user in the designated field. Subsequently, the system will prompt us to confirm if continued access to this specific group is required for a few users. If this is a routine request, the system will retain the user in the group, ensuring their ongoing access. This particular feature proves to be incredibly useful in managing these scenarios.

The group policy structure options continue to change, and the naming conventions remain confusing when we access the cloud. 

The support is a bit slow. This is particularly challenging for the service engineers. For instance, opening a ticket takes a considerable amount of time to pinpoint the underlying issue. While high-severity tickets are resolved quickly, there are instances of lower-severity issues that still impact a specific group of users. Addressing these problems is taking longer than usual.

I would like to have the option if needed to use the hierarchy when setting up groups.

I have been using Microsoft Entra ID for three years.

Microsoft has really good SLAs and I can not remember the last time they went down. I would rate the stability of Microsoft Entra ID nine out of ten.

Scalability is quite simple, and the primary advantage of the cloud solution is its scalability; there isn't much to manage in this regard. Our growth remains unhindered because we don't have to impose limitations on ourselves when embarking on new projects or endeavors. Scalability is inherent, requiring only payment for additional resources if necessary. As there's no hardware involved, both scaling up and scaling down are easily achievable.

The support is slow to respond to and resolve minor issues.

Neutral

We are still using our standard Active Directory locally in our on-premises data center.

The complexity of the initial setup depends on the technique used. While it may seem a bit complicated, with the proper design, it becomes a non-issue. Each module has different procedures. For instance, the Defender module, which is a Microsoft service, serves as a part of the Entra ID, allowing us to block and control websites and provide security antivirus solutions. We have onboarded all our devices to Defender. Thus, the machine doesn't need to be part of Microsoft Entra ID, but migration is still possible.

Currently, we are in the midst of a project to onboard the devices to Microsoft Intune. We are transferring the devices from the local active directory, and this process is ongoing. For each device, specific scripts need to be executed, which can be a bit complex. The complexity often arises due to existing policies and applications. When everything is well-prepared, the onboarding process is smooth. This might be an easy task for a new organization, but for those already using a different solution, the migration process becomes a bit complex. Thorough testing is necessary, especially considering that policies tend to change over time.

This project has been running for more than two years and is still ongoing. The pilot phase alone is estimated to take about one and a half years due to various commitments. Unlike a company like Google, my organization operates differently; it encompasses multiple entities like the United Nations across various locations. Since the user count exceeds five thousand, we're being cautious and gradual in our migration. At present, we have migrated only around a hundred users for testing purposes. The migration of the remaining users is scheduled to occur soon.

The price is good, and we have no complaints.

I would rate Microsoft Entra ID nine out of ten.

Microsoft Entra ID is utilized throughout our entire environment. It serves as a singular identity provider for all aspects of our operations, including servers, applications, endpoints, and even external applications. For instance, we can authenticate third-party applications using Microsoft Entra ID.

The required number of personnel for maintenance depends on the size of the organization and the quantity of Microsoft products in simultaneous use. For instance, if we have Microsoft Entra ID solely for email and SharePoint online teams, and there are around five thousand users. In this scenario, I believe that dedicating approximately three to four individuals to Microsoft maintenance would be reasonable.

I recommend Microsoft Entra ID. Microsoft Entra ID can be utilized for third-party applications like AWS and Google as well. It's user-friendly, allowing us to authenticate the products or applications of our interest, even if they are not located in the same place as our origin; nonetheless, they will function seamlessly.