Microsoft Entra ID Reviews

We run in a hybrid model. We have our Active Directory on-premise directory services that we provide. We basically went to Azure so we could provide additional capabilities, like single sign-on and multi-factor authentication.

We are running in a hybrid environment. It is not completely cloud-native. We sync our on-premise directory to the cloud.

It definitely has improved our security posture, certainly from providing that second factor of authentication. It provides more visibility. We can see all facets of the business, e.g., when people are logging into our resources. This solution makes it highly visible to us.

It enhanced our end user experience quite a bit. Instead of the days of having to contact the service desk with challenges for choosing their password, users can go in and do it themselves locally, regardless of where they are in the world. This has certainly made it a better experience accessing their applications. Previously, a lot of times, they had to remember multiple usernames and passwords for different systems. This solution brings it all together, using a single sign-on experience. 

Is this specific to Azure? No. We have had other IdPs that gave us that same experience, but we have more apps that are integrated into Azure today from single sign-on than we had previously. Having that one handy "my apps" page for folks to go to as their one source for being able to gain access to all their apps is a much better experience from my point of view.

• Azure Application Proxy
• Single sign-on capabilities for SAML
• OAuth integrated applications
• The multi-factor authentication piece was desirable.
• Defender for Identity, as of recently.
• Some of the services, like Microsoft MCAS solution. 

These features offer additional layers of security, which is kind of what we were looking for. 

Some of the self-service password utilities certainly helped, given the scenario of the world today with COVID-19 and lockdowns. We certainly benefited from being able to say, "Have our users changed their password remotely." When they connect to the VPN, then sync them back up with the domain. So, that was very beneficial for us as well.

The thing that is a bit annoying is the inability to nest groups. Because we run an Azure hybrid model, we have nested groups on-premise which does not translate well. So, we have written some scripts to kind of work around that. This is a feature request that we have put in previously to be able to use a group that is nested in Active Directory on-premise and have it handled the same way in Azure. That is something that is actively being worked on. 

One of the other things that we felt could be improved upon is from an Application Proxy perspective. We have applications native to SSH, and we want to be able to do app proxy to TCP/IP. It sounds like that is actively on the roadmap now, which was amazing. It makes us very excited that it is coming, because we do have use cases with that as well.

I have been using it for a few years now.

The stability has been pretty rock solid. For the first time, we have seen some instability over the last month. I know there were some issues with Microsoft in terms of one of their stacks. That was something that they addressed pretty quickly though. We were appraised of the issues by our technical account manager, so we were in the know. We weren't left in the dark when something happened, and it was remediated pretty quickly.

We have about five to six folks whose main role is to manage identity, and that is my team at the company. However, we also have administrators all over the globe, handling service desk tickets, e.g., resetting passwords. There are about 30 or 40 people, if you include that level of things. However, from a global admin perspective, we probably have a total of eight people.

It is certainly scalable. Whether you are connecting to a local on-premise directory services organization, or if you are using B2B and B2C. This is part of the vision: At some point, leverage some of the B2B features that we have appointed to us in Azure, which we don't do today. This is certainly something that we are looking at internally as a potential for moving forward. 

We are managing 7,000 to 8,000 users within Azure AD.

This is room for growth.  

We are part of the DPP program. So, we talk to the identity folks at Microsoft on a weekly basis, who are amazing. It has been such a great experience with those folks.

The technical support that we get through the GTP program is amazing. Microsoft Premier Support is pretty good as well. We have called them, but typically we don't have the type of issues that we are calling all the time for. We have a pretty savvy team, and just being plugged into the GTP team has helped us understand new features which are coming out, whether we are part of an active preview or attending an evening where they are doing a webinar to introduce new features to us. The cool thing about that is you do have that line of sight if you need to ask questions or get technical answers. Between our technical account manager and our GTP partner, we do relatively well without having to open too many cases.

We had a different identity provider at one point in time. At the time that we were looking at identity providers, Microsoft really wasn't there from a technical perspective. They are there now, far surpassing some of the things that we have done in the past. So, it was a no-brainer for us. We are very much a Microsoft organization. Primarily, it is the operating system of choice, not only for endpoint service, but it was a pretty good deal to move over and leverage some of the licensing and whatnot for our end users.

From an IdP perspective, we had Okta for quite some time. We had some limitations with Okta that we were looking at Azure to handle. I got pulled in kind of mid-project. I am not really sure when the decision was made, or how it was made, but certainly cost was a factor. We were already licensed for a lot of what was needed to go with Azure, where we were paying Okta separate licensing fees. So, we saved money by switching from Okta to Azure.

The initial setup would have been complex if it had not been for being part of the GTP program. We have gotten a lot of value out of that program in terms of cross-training our team members, catching up on any new features that come out as well as any of the gotchas that the Microsoft team has seen. So, those have benefited us quite a bit.

The deployment probably took six to eight months. Standing up Azure and sinking your directory services, like creating a connector, takes minutes. We could stand that up in the day. What took time was taking all of the applications that we have throughout the environment, migrating them across and doing integrations with single sign-on. You need to have conversations with different application owners as well as potentially pulling in some vendors to do some of the configuration. There may be some apps which are not as straightforward as others, but we thought that the experience was pretty straightforward (to a point) where we can handle a lot of the work ourselves.

When we needed Microsoft, we were able to reach out, talk to them, and get the assistance that we needed. That was super beneficial to us.

There are a lot less calls to our service desk. For some of the traditional, "Hey, I need to reset my password," or "Hey, I'm locked out." So, we're seeing a lot of that self-service, gaining access to the different apps, and having it all be integrated with Azure will take away some of the headache. For example, "I don't know what my password is for GitHub," or, "I don't know what password is for Slack." We are like, "Well, it's the same password that you use every day." So, that has dropped call volume.

If you have a different IdP today, I would take a close look at what your licensing looks like, then reevaluate the licensing that you have with Microsoft 365, and see if you're covered for some of this other stuff. Folks sometimes don't realize that, "Oh, I'm licensed for that service in Azure." This becomes one of those situations where you have the "aha" moment, "Oh, I didn't know we can do that. Alright, let's go down this road." Then, they start to have conversations with Microsoft to see what they can gain. I would recommend that they work closely with their TAM, just to make sure that they are getting the right level of service. They may just not be aware of what is available to them.

We look to gain new features when updating licensing. Every time we go to negotiate an enterprise agreement, we are looking at:

• What are the benefits?
• What are we getting back from Microsoft?
  
  They are very good at working with us to get what we are looking for in terms of working on packaging for pricing.

We did not evaluate other options. The decision was pretty easy. When we initially looked at Okta years ago, Microsoft was also one of the folks that we looked at. Okta was a little more advanced than some of the gallery apps. Then, Microsoft made a huge play and added more gallery-type apps. That helped us quite a bit to move things along.

For others using Azure ID, take cookie online training. They are widely available, free, and give you a very good idea of what path you need to go to. So, if you want to take some professional training to become a guru, then you know what classes to go take and the fundamentals that you need to take before you get into that class. So, I highly recommend taking the video term.

I come from an Active Directory background for more than 20 years. Coming into Azure was actually great. We had somebody leave the company who was managing it, and they said, "Hey David, I know you are working for this other pocket of the business. How would you like to come back to the identity platform?" I said, "Absolutely." So, it was easier for me to come up to speed in several of the advanced areas of Azure, e.g., conditional access policies. We are starting down a zero trust methodology, which has been very exciting for me.

I would give it a solid eight (out of 10). It has a lot of the features that we are looking at. I don't think there are any tools out there that will give you that one magical wand with everything that you are looking for, but certainly this comes close. Microsoft has been working with us to help us through some of the new features and additions that are coming.

The use case for this solution is the access to Office 365, Azure subscriptions, and several software as a service platforms as well as other SaaS-developed applications that we provide access to, such as, OpenID Connect, OAuth, or SAML.

It is a central point where we provide the cloud lock-in for our company. We focus the multi-factor authentication within Azure AD before jumping to other clouds or software as a service offerings. So, it is the central point when you need to access something for our company within the cloud. You go to Azure AD and can authenticate there, then you move from there to the target destination or the single sign-on.

Azure AD added a different layer. We were able to add multi-factor authentication for cloud applications, which was not possible before. We also may reduce our VPN footprint due to the Azure AD application proxy. We have a central point where we have registered our software as a service applications that we obtain from other providers or the applications that we host ourselves.

The most valuable feature is the possibility to create multi-tenant applications alone, or in combination with Azure Active Directory B2C. So, you can provide access to applications for your external partners without having to care about the accounts of external partners, because they will stick it in there as an AD tenant. That is the feature that I like the most.

The solution has features that have helped improve our security posture: 

• A tagging mechanism that we use for identifying who is the owner of an application registration. 
• Conditional access and multi-factor authentication, which are adding a lot to security. 
• The privileged identity management feature that has arisen off privileged access management. This is helping a lot when providing access to certain roles just-in-time. 

They are also still developing several other features that will help us.

It does affect the end user experience. It depends on where they are. When they are within the corporate network, then they already have a second factor that is automatically assigned to them. When they are outside of the company, that is when they have to provide a second factor. That is mostly a SMS message. Now, with the Microsoft Authenticator app that you can install on your mobile phone, we are shifting towards that. This has reduced errors because you may just say that you confirm a message on your mobile phone instead of typing the six-digit code, hoping that you are still in time, and that you entered it correctly. So, it does affect our employees. We try to be up-to-date there.

Mostly, it affects security. It is an obstacle that you have to climb. For example, if you have to enter the code in from the SMS message, then you have to wait for the SMS message to arrive and copy the code, or you have to transfer the code from the SMS message into the field. We reduce that workload for employees by having them be able to receive a message on their phone, then confirm that message. So, security is less of an obstacle, and it is more natural.

The user administration has room for improvement because some parts are not available within the Azure AD portal, but they are available within the Microsoft 365 portal. When I want to assign that to a user, it would be great if that would be available within the Azure AD portal.

It would be awesome to have a feature where you can see the permissions of a user in all their Azure subscriptions. Right now, you have to select a user, then you have to select the subscription to see which permissions the user has in their selected subscriptions. Sometimes, you just want to know, "Does that user have any permissions in any subscriptions?" That would be awesome if that would be available via the portal.

I have been using it for more than two years now.

The stability is very good. They had a problem recently that was hopefully the exception. 

I am looking forward to the adjustment of the SLA that they increased from 99.9 percent to 99.99 percent. With this increase, which should happen on the first of April (not an April joke), this should be a huge improvement for the visibility towards the world because this is a commitment by Microsoft, saying, "We are taking care of Azure AD." I think that is a very good thing.

From my point of view, it scales very well. There are different possibilities to take care of it, depending on what you want to achieve. Lately, they introduced something like administration units, where you can achieve that even a bit further to restrict the access of your administrator to a certain group. So, that should be really helpful for even better scaling.

One company has around 50,000 users and another company has around 200 users. For the bigger company, there are several people involved, three to four people. They are taking care of application registrations as well as the Azure AD Connect synchronization to see if there are any errors, then clear those errors. However, it is mostly the application, registration, and configuration of the Azure AD.

The technical support is great. We have access to a special unit within Microsoft where we have additional support besides the technical support. So, it has been really good working with Microsoft.

We have other tools: 

• Red Hat SSO
• OpenID Connect
• OAuth
• Azure Domain Federation.

We just removed the Azure Domain Federation (AD FS), thanks to the Azure AD.

Deployment time really depends on how you set up your Azure AD. You might: 

• Want to set up Azure AD Connect, then the process takes longer. 
• Just use Azure AD, then the process is much faster. 
• Directly connect to another source of truth, then there is something in-between. 

It really depends on your situation. I would say it takes between an hour and a week.

For the company, I didn't set it up. I did set it up for myself, but that was a simplified situation and I found the process to be straightforward.

Make sure that you get the most out of your Office 365 licenses for Azure AD. If you have additional concerns for users who don't have an Office 365 license, consider Azure AD Premium P1 and P2. Be aware that you have to evaluate your license usage beforehand.

Consider the usage of Azure AD Premium P1 and P2 when you are not assigning Microsoft or Office 365 licenses. This is really important to get access to good features, like conditional access, privilege identity management, and accessory use.

I would rate Azure AD as a nine out of 10.

BDO is a network of firms and a firm is what we call a country. So, we are present in about 160 countries. I am involved in BDO Global, which is not really a firm in the sense that we don't deal directly with clients, but BDO Global hosts IT services for all those 160 countries. A couple of those solutions are a worldwide audit solution that our firms use for financial audits for customers. We have a globally running portal solution, which firms are using to collaborate with our customers directly. All these services are basically based on Azure AD for authentication and authorization. This has been a lifesaver for us, because BDO firms are legally independent, so, we don't have a single identity store worldwide, like other big companies potentially do. We created an IAM solution based on Azure AD that ties all 160 dispersed identity stores back into one. We use that to give access to our services that we run globally.

Azure AD doesn't really give you a version. You just need to take the version as-is because it is a service that Microsoft delivers as a SaaS service. So, we don't have a lot of influence over the version that we use.

Besides tying together all authentications for our 160 countries, it has also been instrumental in getting the collaboration going between our firm countries since normally they are quite isolated. Also, their IT firms are quite isolated. So, Azure AD has made sure that we can collaborate with each other in multiple different systems: the global portal, the Audit application, and Office 365. This allows us to collaborate closer together, even though we are still separated as different countries.

Because it is an identity store, it handles all our authentication. We also use it with a combination of conditional access, which is a way to limit people's authentication or authorization based on where they are, the compliance of their device, and on a whole bunch of other variables that we can set. So, it definitely has been influential as well on the security side. Because it is a SaaS, you have central management over that. You can see all the logins and get reports on who signs in from where. 

There is a lot of artificial intelligence in Azure AD that can monitor behavior of users. If users behave in a strange way, then the authentication can be blocked. For example, if you have a user logging in from China, but it looks like the same user is logging in from America just a few seconds apart. That is a seemingly risky behavior that Azure AD flags for you, then you can block that behavior or have the user provide you with a second factor of authentication. So, there are a lot of security features that come with Azure AD too.

In our scenario, we use a lot of the business-to-business (B2B) features in Azure AD, which allows us to tie multiple Azure AD instances together. That is what we heavily use because every firm or country has their own Azure AD instance. We tie those together by using the B2B functionality in Azure AD. So, that is the most valuable part for us right now.

It has been very instrumental towards a lot of services we run, especially on the single sign-on side. For example, we have 160 countries that all run their own IT but we still are able to provide users with a single sign-on experience towards global applications. So, they have a certain set of accounts that they get from their local IT department, then they use exactly the same account and credentials to sign into global services. For the user, it has been quite instrumental in that space. It is about efficiency, but also about users not having to remember multiple accounts and passwords since it is all single sign-on. Therefore, the single sign-on experience for us has been the most instrumental for the end user experience.

We are using a whole bunch of features:

• We are using privileged identity management, which is also an Azure AD feature. This allows us to give just-in-time, just enough access to privileged accounts. For example, normally you have a named account and you get a few roles based on that named account. If that is a very privileged role, that role always sits on your account all the time. When your account is compromised and the role is on the account, the people that compromise your account have that role. With privileged identity management, I can assign a role to a certain account for a specific amount of time and also for a specific amount of privileges, e.g., I can give somebody global administrator access, then revoke that after an hour automatically. So, when his/her account gets compromised, that role is not present anymore. 
• We use conditional access. 
• We use access reviews, which is basically a mechanism to access reviews on Azure AD groups automatically. So, the group owner gets a notification that they need to review their group member access, and they use that to do reviews. That is all audited and locked. For our ISO process, this is a very convenient mechanism to audit your group access.

We have a custom solution now running to tie all those Azure ADs together. We use the B2B functionality for that. Improvements are already on the roadmap for Azure AD in that area. I think they will make it easier to work together between two different tenants in Azure AD, because normally one tenant is a security boundary. For example, company one has a tenant and company two has a tenant, and then you can do B2B collaboration between those, but it is still quite limited. For our use case, it is enough currently. However, if we want to extend the collaboration even further, then we need an easier way to collaborate between two tenants, but I think that is already on the roadmap of Azure AD anyway.

I have been using it for about six years.

The stability has been very good because it is an underpinning service for many things that Microsoft does:

• The underpinning identity store for Office 365.
• The underpinning identities over Azure services. 

So, the stability has been very good. We haven't had major issues with Azure AD so far.

On the global side, we have around two to three FTEs aligned to this. On the firm side, in the countries, FTE's are aligned to managing identity as well. These FTE numbers differ per firm. In our case, there are about two to three FTEs who are aligned to this. That is normally probably not what you would need, but since we run some custom code around this to be able to do the B2B process, we need about two to three FTEs.

Scalability is not a problem. We don't have to control that because Microsoft does it as a SaaS. However, we have never seen any real performance issues on the authentication stuff. I think they handle that under the hood. Since it is such an important service for them, they keep the scalability quite well. We don't have any scaling concerns. We also can control the scale. It is basically taken care of because it is a SaaS.

It is fully deployed to about 80,000 people worldwide.

We have Microsoft Premier Support, which has been quite good. It is quick. We are mostly into the engineering group quite quickly, and that has been good. I think they also have non-paid support, which has somewhat lower response time SLAs, but we have Premier Support.

Before, we only used local Active Directories because we were not in the cloud. Currently, in BDO Global, we are 100 percent cloud. So, we use Azure AD only.

We haven't run any other solutions than Azure AD.

The initial setup is a relatively straightforward process because Microsoft gives you a lot of guidance on how to do it. They also have a tie-in with local Active Directory. So, if you are running a local Active Directory, you can easily integrate it with Azure AD. It is also one of the more powerful features of the solution because it is a SaaS solution, but you can still tie it in with your local identity store. That makes it quite powerful because many companies, before they go to the cloud, have a local identity store, e.g., Active Directory. Microsoft has a very easy process and some tooling to make it integrate with Azure AD, so your local identities, you can still be leading, but you can sync all those identities up to Azure AD quite easily and keep the identity storage up to date.

We are exclusively using Azure AD in BDO Global. In other BDO countries, most countries use local Active Directory in combination with Azure AD.

If you look at it from a BDO country perspective, you have everything up and running in about a week, if not quicker. In our global setup, that took a little bit longer, because we had to create a solution to synchronize multiple Azure ADs towards the global one. We did that via B2B, so our setup took a little bit longer as it also involved some custom development. If you only deploy Azure AD from a single company perspective, then it should be a relatively quick process.

Deployment is not that hard because it is a SaaS solution, so you don't have to deploy any infrastructure. All that is taken care of by the solution itself. It is a matter of configuring first-time use, then setting up a sync between your own identity store and Azure AD, which is quite an easy process. If you read through the documentation, then you can have that sync running in about a day.

We mostly did the implementation and the custom coding ourselves in combination with people from Microsoft.

The ROI has been quite good because we looked at competitors as well, Ping and Okta, but their license fees were quite high. Also, Azure AD can meet all our use cases. In the beginning, we only used the free version, so that was quite cheap to run. We had some custom code that we needed to develop, but that was due to our specific use case. Overall, the return on investment has been very positive. The solution is not very expensive to run. It is quite stable. For us, it brings a whole lot of capabilities to provide people with a single sign-on experience across the world.

Compared to other big vendors over the past six years, I think we are close to saving $5 million on FTEs and licensing, which is substantial.

MS has a free version of Azure AD as well. So, if you don't do a lot of advanced stuff, then you can use the free version, which is no cost at all because it is underpinning Office 365. 

Some of the services that I mentioned, like conditional access, privileged identity management, and access reviews, come with a certain premium license per user. We negotiated those license fees in what we call a GEA. This is a global Microsoft contract that we have. So, the pricing seems to be quite fair. If I compare it to its competitors, Azure AD is a lot cheaper.

Because Microsoft gives it to you as a SaaS, so there are no infrastructure costs whatsoever that you need to incur. If you use the free version, then it is free. If you use the advanced features (that we use), it is a license fee per user. 

Premier Support is an added cost, but they do it based on the amount of services that you consume. We don't have it specifically for Azure AD because we run a lot of Microsoft technologies. We have an overall Premier Support contract, which is an additional cost. 

We looked at many different vendors for identity because our identity store is quite complicated within BDO, because you don't have that single identity store across all the countries like you see in many other global companies. So, we had a strategy. We looked at other products that could potentially do the same. However, the features that Azure AD gave us the option to do this as we wanted to do it. The other tools that we looked at, Okta and PingFederate, were not able to do the same thing for us back in the day. This is especially because we have many different identity stores within the BDO countries that have to be under the control of those countries. BDO Global cannot and is not allowed to control those identities. We need to allow the countries to control those identities themselves, but we still need a way to tie those altogether on the global side. Azure AD was the only solution that could do that for us.

From a BDO Global perspective, we don't. The firms and countries own their identities and the management around them, and they also need full control on those identities. We as BDO Global are not even allowed to control those, but we do need to provide them with single sign-on experiences. So, Azure AD is the service that allow us to do that. 

Our primary use case was about that control, which is a very specific use case because countries need to control their own identity stores and we are not allowed to control that from a global perspective. Specifically, the control requirement and still being able to have that single sign-on experience led us to Azure AD. The other big vendors that we looked at couldn't do that.

This solution is a prerequisite with some of the bigger Microsoft services, so if you want to use Office 365, Dynamics, etc., then you need Azure AD. However, it is also quite good to use for other services as well because they are currently supporting tens of thousands of other applications that you can sign into with an Azure account. So, it is not only for Microsoft Office, and I think that is probably a misconception in many people's heads. You can use it for many other cloud services as well as a single sign-on solution. My biggest point would be that it can be used for Microsoft services, but people tend to forget that you can also use it for many other services. In that sense, it is just an identity store that you can use across many services, not only Microsoft.

It continues to be one of our primary fundamental services around authentication, so we will keep using it in the future. We are planning to reduce the amount of custom code that we need to tie all these things together. Microsoft has a few things on the roadmap coming up there. We hope that we can decrease the amount of custom code that we need to run around this. The custom code is mostly about synchronizing identities from 160 countries to us. Microsoft will bring some stuff out-of-the-box there so we can hopefully decrease the custom code. It is a fundamental solution for us for identity and single sign-on, so we definitely plan to keep using it.

The biggest thing we learned is that the security boundaries are shifting from what used to be networks, firewalls, and data centers that you owned yourself. The security boundary is more shifting to identity in these cases because people are using cloud services. They use a single identity, and in this case, Azure identity to sign into those cloud services. You are not always controlling where people are signing in from anymore because those services live in the cloud. Where you used to have servers running in your data center, you had far more control on the network, firewalls, and all that stuff to keep those services secure. You now have to rely much more on the identity because the services are running in the cloud. You don't always have control over the network, so people can sign in from every device.

The security boundary is really shifting towards identity. Azure AD gives you a lot of options to secure your identity in a proper way. We use multifactor authentication, the conditional access piece, and privileged identity management, which are all services that Azure AD provides and quite hard to implement on a traditional Active Directory. 

I would rate this solution as 10 out of 10. It is instrumental to everything that we do.

It underpins our application authentication and security requirements for internal users.

During the pandemic, it helped us carry on working securely as a business.

Azure Active Directory hugely improved our organization’s security posture. The ability to control access to resources has vastly improved.

We very much like Conditional Access. We also like the risky sign-ins and Identity Protection. These features provide us the security that lets us fulfill our security requirements as a company.

Azure Active Directory features have helped improve our security posture. The remote working has been a massive help during the pandemic.

The solution has made our end user experience a lot easier and smoother.

On-premise capabilities for information and identity management need improvement but I know these are in pipeline.

I have been using it for five or six years.

The stability has improved over the last two to three years.

It has fantastic scalability. Globally, we have about 80,000 users. 

In each territory there are on average around 40 people managing the solution on the admin side. We also have SMEs for the harder tasks. Then you have people, like me, who are architects and determine approach and create designs.

Microsoft Premier Support is very good. We make good use of it. 

The free support is okay.

For mobile device management we used to have MobileIron and Blackberry. Those products have been removed in favour of Intune and Azure AD features. Other legacy security services will be removed in preference for the Azure equivalents. Strategically, Azure AD makes more sense for us. Cloud first is the strategic direction within my company.

It is a predeployed solution, creating the links between the on-premise system and SaaS system is moderately easy.

Our deployment took a month.

For a non-complex organization, the deployment process would be a lot easier than it is for a complex organization. There are a lot of business processes that need to be determined as well as a lot of conversations. The technology side of things is the easy bit. It is the design that takes awhile.

It was all done internally and using Microsoft Partners

We have only really bought into the solution over the last 12 months or so. We expect to see cost returns in the next 12 months.

If you get rid of all the products providing features that Azure suite can provide, then it makes sense cost-wise.

Microsoft Premier Support is an additional cost to the standard licensing fees.

Azure Active Directory and its feature set under a single vendor are unique in our market.

Compared to how it was five years ago, the solution is has really matured.

Make sure that business requirements are understood upfront and a design is in place before any services are deployed. Ensure the people deploying it understand the capabilities and implications of choices.

I would rate this solution as a nine out of 10.

I use Microsoft Entra ID daily as an end customer in an enterprise environment. We are using it for very simple use cases such as authenticating with SSO to third-party solutions.

In a lot of situations, it is easy and free or almost free to use Microsoft Entra MFA.

It could be better if a simple member could understand more easily the prices of the products and packages offered by Microsoft. Additionally, after the first three years of a bigger package, renewal prices could be more transparent as they tend to increase significantly.

I have been working with Microsoft Entra ID for approximately five years.

I haven't had any bad experiences with its stability in the last five years. It works consistently, and any downtime can be monitored through Microsoft State Data Monitor.

Our customers are small businesses, so scalability is not a significant concern for us.

I have a direct contact with the Microsoft Hungarian team. They manage our problems, especially on the enterprise side, and I have heard no negative feedback regarding their response times or SLAs.

Positive

The setup experience was not difficult and I would rate it as eight out of ten. It just required some time to set everything up correctly.

We consulted with the Microsoft Hungarian team for any enterprise-level issues.

Initially, customers can get good prices for a three-year package, but renewal prices tend to increase significantly. If a customer looks for an alternative solution after three years, we often find it cheaper or the same as continuing with Microsoft.

I've worked with the Microsoft Tensor Solution and CI Mentech. We also considered other authentication systems like Ping, Kaseya, and Symantec VIP. In terms of SASE, I've had experience with Netskope, Cloudflare, and Palo Alto.

If you consider SASE aspects, Microsoft Entra is not a leader solution. There are stronger competitors in SASE, like Netskope and Palo Alto, and it may not be the best idea to rely solely on Microsoft solutions if your operation runs on Microsoft.

I'd rate the solution five out of ten.

Microsoft Entra ID has made our organization more secure. 

The tool's most valuable feature is conditional access. 

The product needs to improve its support.

I have been working with the product for five years. 

Microsoft Entra ID is stable. 

The product needs to improve support. There are many steps before you get to someone who can solve the issues. 

Neutral

Microsoft Entra ID's deployment is easy. 

Microsoft Entra ID helps save money since you don't need a second MFA solution. I rate it a nine out of ten. 

Azure AD helps us manage application and hybrid identities.

I like Azure AD's conditional access policies. Microsoft Entra provides a single pane of glass for managing user access, improving the overall user experience. 

The workflow management for registering new applications and users could be improved.

I have used Azure AD for about eight years.

Azure AD is stable.

Azure AD is scalable. 

Azure AD is so stable and easy to administer that we don't need to contact support. 

Setting up Azure AD is straightforward. 

I rate Azure Active Directory a nine out of ten. You should use premium licenses or Azure directly whenever possible to take advantage of the new security features since E3. 

Azure AD is primarily used as the backend for all Microsoft Office 365 user accounts and licensing, as well as for securing those accounts. Endpoint Manager is also utilized, which is part of domain control in the cloud, even though it is not Azure AD.

Azure AD has enabled the organization to set up single sign-on to all applications and has consolidated everything to a single cloud authentication for users. This saved a lot of time by not having to administer accounts in multiple systems, and it has also made it easy to control user identity for all cloud and internal applications. Security features such as attack surface rules and conditional access rules are also highly valuable and help the organization feel safe with all its user accounts. The Entra conditional access feature is used to enforce fine-tuned and adaptive access controls, and it is perfect for verifying users in line with the Zero Trust strategy. Overall, Azure AD enabled the organization to control one set of accounts and policies for everything, providing a huge benefit.

The security features, such as attack surface rules and conditional access rules, are the most valuable aspects of Azure AD.

The only improvement would be for everything to be instant in terms of applying changes and propagating them to systems.

I've been using this solution since 2017.

The stability of Azure AD is perfect.

Azure AD is highly scalable and enables the organization to control everything from one office.

The support channel for Azure AD is probably pretty good, although there was a strange experience with technical support once. Overall, the customer service and support would be rated as positive, with an eight out of ten rating.

Positive

I have never used any other products except Google Workspace, which is very intuitive but not comparable to an identity system.

The initial setup of Azure AD was quick and took just a workday or two, although tweaking it took about a week. The implementation of Azure AD probably took about 48 hours. In terms of maintenance, Azure AD doesn't require any maintenance as it is a cloud service that is always up to date.

At the time, we used contractors to set it up because it was new to us. If I was going to do it today, it wouldn't be that complex for me because I now know the ins and outs of it, but at that time, we contracted people to help us set it up so that we could do it with the best practice. We probably had just one contractor and then we just helped out.

For those looking to implement Azure AD in their organization for the first time, it would be recommended to get rid of the legacy Active Directory right away and go straight to Azure AD instead of starting out hybrid and having to wind that down. If local Active Directory isn't needed, it's best to move all authentication over to the cloud and scrap the Active Directory domain controllers. The Entra portal is a huge benefit as it provides a consolidated view of everything and makes it easier to navigate security, users, conditional access, and identity protection.

Microsoft has been consolidating the view to provide a single pane of glass. It has been more and more down to that. They're now out with something called Entra. It's the Entra portal, and it has a very consolidated view of everything I need to do. Microsoft Entra is basically Endpoint Manager, Microsoft Defender, and Azure Active Directory pulled together for an easy view and ease of navigation. I've started to use Entra a little bit. It has only been out for a little while, but it was created to simplify finding everything. So, instead of navigating through the portal at Azure, I've started using Entra. I like it a lot. At first glance, it looks very intuitive, especially based on how I've been navigating until now. 

What Entra is doing is a huge benefit. If you're starting up today, it's much easier to get into security, users and conditional access, and identity protection. They've consolidated most of the important things there. You can navigate to everything from there, but they draw forth the most important ones in a more intuitive way. They've done that, and what they've done with Entra is what was missing.

Overall, I'd rate Azure Active Directory an eight out of ten.