Microsoft Entra ID is Microsoft’s cloud identity and access management service — the system that decides who can sign in to your Microsoft 365 tenant and what they can reach once they do. It is the new name for Azure Active Directory, renamed in 2023. The technology underneath did not change; the label did.
If you run a business on Microsoft 365, you already use Entra ID every day, whether you know the name or not. Every login to Outlook, Teams, SharePoint and OneDrive is authenticated by it. It is also, increasingly, the single most important security control you own. This post explains what it actually is, what the licensing tiers unlock, and why identity has quietly become the perimeter you most need to defend.
The rename: Azure AD became Microsoft Entra ID in 2023
In July 2023, Microsoft renamed Azure Active Directory to Microsoft Entra ID. The product, the APIs, the sign-in URLs, the licences — all of it kept working. Service plan names like “Azure Active Directory Premium P1” were rebadged as “Microsoft Entra ID P1”, but your existing subscriptions carried across without action. Microsoft folded the identity product into a broader family called Microsoft Entra, which also covers Entra Permissions Management, Entra Verified ID and Entra Internet Access.
One point of confusion worth clearing up: Entra ID is not the same thing as the on-premises Active Directory you might run on a Windows Server domain controller. On-prem AD (the one with domains, organisational units and Group Policy) still exists and still carries the Active Directory name. Entra ID is the cloud directory behind Microsoft 365. Many businesses run both and synchronise between them using Entra Connect. So when someone says “we got rid of AD”, ask which one they mean — they almost certainly still have Entra ID.
What Microsoft Entra ID actually is
At its core, Entra ID is a directory and an authentication engine. It holds the identities for your organisation and brokers access to applications. Strip away the marketing and there are a few building blocks worth understanding.
Users and groups
Every staff member has a user object — their account, their email, their licence assignments, their sign-in history. Groups bundle users together so you can assign licences, app access and policies in bulk rather than one person at a time. Security groups control access; Microsoft 365 groups also create a shared mailbox, calendar and SharePoint site. Getting your group structure right early saves a lot of pain later, because almost everything else hangs off it.
App registrations and single sign-on
Entra ID is also where third-party applications connect to your tenant. When you sign in to Xero, Canva or a line-of-business app using your Microsoft account, that app is registered against Entra ID and trusts it to verify who you are. This is single sign-on (SSO): one identity, one set of credentials, one place to enforce policy. SSO is not just convenient — it is a security win, because it means staff are not inventing weak passwords across a dozen separate logins, and you can cut access to everything by disabling one account when someone leaves.
Conditional Access and MFA
This is where Entra ID stops being plumbing and becomes a genuine security tool. Multi-factor authentication (MFA) requires a second proof of identity — typically an approval in the Microsoft Authenticator app — on top of the password. Conditional Access is the policy engine that decides when to demand it. You can require MFA for all users, block sign-ins from outside Australia, force a compliant device for admin accounts, or step up authentication when a login looks risky.
We have written a full walkthrough on Conditional Access policies in Microsoft 365, so we will not repeat it all here. The short version: Conditional Access is the difference between MFA being a blanket annoyance and being a targeted, risk-aware control. It is the single highest-value thing most Melbourne SMEs can turn on.
Security defaults versus Conditional Access
Microsoft offers two ways to enforce baseline identity security, and the distinction matters.
Security defaults are a free, all-or-nothing switch available to every tenant. Turn them on and Microsoft enforces MFA for all users, requires it for admins, and blocks legacy authentication protocols that bypass MFA entirely. For a very small business with no internal IT, security defaults are far better than nothing and should be enabled if you have nothing else.
The catch is that they are rigid. You cannot exclude a service account, you cannot vary policy by location or device, and you cannot tune the risk thresholds. The moment you need that flexibility — and most businesses do once they grow past a handful of staff — you move to Conditional Access, which requires Entra ID P1 or higher. You cannot run both at once: enabling Conditional Access means switching security defaults off.
| Control | Security defaults | Conditional Access |
|---|---|---|
| Cost | Free, all tenants | Requires Entra ID P1+ |
| MFA enforcement | All users, no exceptions | Targeted by user, group, app, location |
| Block legacy auth | Yes | Yes, configurable |
| Device and location rules | No | Yes |
| Risk-based policies | No | Yes (with P2) |
| Best for | Micro-businesses, no IT | Any SME that has grown past a few staff |
Entra ID P1 and P2 licensing
Most of the security value lives behind paid licences. Entra ID comes in a free tier (bundled with any Microsoft 365 subscription), plus two paid plans: P1 and P2. P1 is included in Microsoft 365 Business Premium, which is the plan we steer most clients towards. P2 is included in the larger enterprise E5 suites or can be bought as an add-on.
What P1 unlocks
P1 is the workhorse tier. It gives you Conditional Access, self-service password reset that writes back to on-prem AD, group-based licence assignment, and the ability to enforce device compliance. For the overwhelming majority of Melbourne SMEs, P1 — via Business Premium — is the right baseline.
What P2 adds
P2 includes everything in P1 and layers on the more advanced controls:
- Identity Protection — machine-learning detection of risky sign-ins and compromised accounts, feeding risk signals into Conditional Access so you can automatically force a password reset or block a suspicious login.
- Privileged Identity Management (PIM) — just-in-time, time-limited access to admin roles. Instead of leaving five people as permanent Global Administrators, they request elevation when needed, it expires automatically, and every activation is logged and approvable.
- Access reviews — scheduled recertification so access does not quietly accumulate over years.
PIM alone is a strong reason for any business with multiple administrators to consider P2. Standing admin rights are one of the most common findings we see in security assessments.
Why identity is the new perimeter for SMEs
The old model of security assumed a hard outer wall — a firewall at the office, with everything inside it trusted. That model died when work moved to the cloud and to homes across the metro. Your data now lives in Microsoft 365, accessed from laptops, phones and home networks that your firewall never sees. The only thing standing between an attacker and your email, files and finance system is whether they can prove they are an authorised user. That proof is identity, and Entra ID is where it is enforced.
This is why attackers no longer bother breaking through walls — they log in. Credential theft, phishing and token replay are the dominant intrusion methods against Australian SMEs precisely because a valid login bypasses everything else. The Australian Cyber Security Centre (ACSC) puts multi-factor authentication front and centre in its guidance for exactly this reason.
A real-world shape of the problem: a manufacturing business in Dandenong we work with had MFA switched on for office staff but had quietly left it off for a shared accounts-payable mailbox, because “it was easier”. That mailbox was the one an attacker phished, and from it they sat reading invoice threads for a fortnight before attempting a payment redirection. Nothing was breached at the network layer. The gap was an identity exception nobody had reviewed. Conditional Access with no carve-outs, plus PIM on the admin accounts, would have closed it.
How Entra ID maps to the Essential Eight
The Essential Eight is the ACSC’s baseline of eight mitigation strategies, and two of them are pure identity controls that Entra ID delivers directly.
Multi-factor authentication is one of the eight outright. Entra ID with Conditional Access is the standard way Australian businesses meet it for Microsoft 365 and connected apps. Restrict administrative privileges is another, and this is where PIM earns its keep — just-in-time elevation and access reviews are precisely what the maturity levels ask for as you move up from Maturity Level One. Entra ID also contributes to the broader picture through sign-in logging and audit trails that support detection and response.
If Essential Eight alignment is on your radar — and for any business touching government contracts or cyber insurance it should be — Entra ID configuration is a large part of the work. Our Essential Eight compliance service treats identity hardening as the first thing to fix, because it is the cheapest, fastest control with the largest blast-radius reduction.
Getting it right
Entra ID ships with sane-ish defaults, but “switched on” and “configured properly” are different things. The common failures we see across Melbourne tenants are predictable: MFA with too many exclusions, legacy authentication still enabled, no Conditional Access despite paying for P1, Global Administrator handed out like sweets, and break-glass accounts that either do not exist or are not protected. Each of these is a quiet open door.
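One way to check a tenant for the exclusion and legacy-authentication failures listed above, as an added example that is not TechAssist's or Microsoft's code: it audits Conditional Access policies exported in the Microsoft Graph conditionalAccessPolicy JSON shape. The sample policies, the object IDs and the break-glass allowlist are constructed for illustration.

```python
# Added example (not TechAssist's or Microsoft's code); Graph conditionalAccessPolicy shape.
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # clientAppTypes for legacy auth

def _enforced(policy):  # report-only policies log but do not enforce
    return policy.get("state") == "enabled"

def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])

def _targets_all_users(policy):
    return "All" in policy["conditions"]["users"].get("includeUsers", [])

def audit_policies(policies, break_glass_ids):
    """Return findings; app, location and device conditions are not evaluated."""
    findings = []
    mfa_all = [p for p in policies
               if _enforced(p) and "mfa" in _controls(p) and _targets_all_users(p)]
    if not mfa_all:
        findings.append("no enforced policy requires MFA for all users")
    for p in mfa_all:
        users = p["conditions"]["users"]
        extra = set(users.get("excludeUsers", [])) - set(break_glass_ids)
        if extra:
            findings.append(f"{p['displayName']}: MFA exclusions beyond break-glass: {sorted(extra)}")
        if users.get("excludeGroups"):
            findings.append(f"{p['displayName']}: excludes groups {sorted(users['excludeGroups'])}")
    if not any(_enforced(p) and "block" in _controls(p) and _targets_all_users(p)
               and LEGACY_CLIENTS <= set(p["conditions"].get("clientAppTypes", []))
               for p in policies):
        findings.append("legacy authentication is not blocked by an enforced policy")
    for p in policies:
        if p.get("state") == "enabledForReportingButNotEnforced":
            findings.append(f"{p['displayName']}: report-only, not enforced")
    return findings

SAMPLE = [  # constructed export; object IDs are placeholders
    {"displayName": "Require MFA - all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["bg-admin-1", "ap-shared-mailbox"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    for finding in audit_policies(SAMPLE, break_glass_ids={"bg-admin-1"}):
        print("-", finding)
```

Real input would be the `value` array returned by the Graph `identity/conditionalAccess/policies` endpoint.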
TechAssist is a Melbourne-based MSP, founded in 2014, with thirteen Australian-employed engineers and a 24/7 NOC in Tecoma. We run Microsoft 365 and Entra ID hardening as standard onboarding for managed clients, because identity is the control that prevents the largest category of incidents we are called to clean up. Per-user fixed monthly pricing means this work is in scope, not a surprise invoice.
Frequently asked questions
Is Microsoft Entra ID free?
There is a free tier bundled with every Microsoft 365 subscription, which covers basic users, groups and SSO. The security controls most businesses need — Conditional Access (P1), and Identity Protection and PIM (P2) — require paid licences. P1 is included in Microsoft 365 Business Premium, which is what we recommend for most SMEs.
Do I still need on-premises Active Directory?
It depends. Many businesses have moved entirely to the cloud and run Entra ID alone. Others keep on-prem AD for legacy applications or file servers and synchronise it to Entra ID with Entra Connect. There is no requirement to keep on-prem AD if nothing depends on it, and removing it can simplify management considerably.
What happened to my Azure AD settings after the rename?
Nothing broke. The rename in 2023 was cosmetic at the product level — your policies, users, app registrations and licences all carried across. The portal now refers to Microsoft Entra ID and some menus moved, but no reconfiguration was required.
Should I use security defaults or Conditional Access?
If you have no internal IT and no Entra ID P1 licences, enable security defaults today — it is far better than nothing. Once you have P1 (via Business Premium) and need to handle service accounts, location rules or device compliance, move to Conditional Access. You cannot run both simultaneously.
Talk to us about identity
Identity is the control most worth getting right and the one most commonly left half-configured. If you are not sure what your tenant is actually enforcing, our Microsoft 365 and cybersecurity teams can audit your Entra ID setup, close the gaps and align it to the Essential Eight. Get in touch and we will tell you plainly where you stand.
