Understanding Microsoft Entra ID: Premium Features (AZ-104)
In a previous post we reviewed the basic configuration and operation of Entra ID and how they differ from Active Directory Domain Services. Microsoft offer a Free version of Entra ID for use with Microsoft 365, Azure and other Microsoft services. They also offer premium licenses that offer additional features. In this post we will look at the differences between the licenses and some of the features offered.
Microsoft Entra ID Plans
The Microsoft Entra ID P1 or P2 tier provides extra functionality as compared to the Free version. As the name suggests, premium versions have an additional per user cost. There are 2 levels of premium licensing that Microsoft offer Microsoft Entra ID P1 and P2.
Premium Features Overview
Microsoft provides a free trial period that can be used to experience the full functionality of the Microsoft Entra ID P2 edition.
Some features are only available to organizations with P2 licenses these include Privileged Identity Management (PIM) and Identity Protection
Privileged Identity Management (PIM) allows for the configuration of additional security measures for privileged users, e.g. administrators. This functionality enables the designation of both permanent and temporary administrators. Additionally, it establishes a policy workflow that is activated whenever administrative privileges are required for specific tasks.
Identity Protection provides advanced features for monitoring and safeguarding user accounts. Users are able to define risk policies and sign-in policies, as well as review user behavior and flag potential risks.
Alongside these features there are others that are available to both P1 and P2 users. These features include:
Password reset with writeback. Self-service password reset adheres to the Active Directory on-premises password policy. Allowing for replicated passwords back to on-premises. Wit
Conditional Access: This feature allows you to configure conditional access for important resources based on specific criteria such as Device, Group, or Location.
Advanced security reports and alerts. Monitor and protect access to your cloud applications with detailed logs showing anomalies and inconsistent access patterns. Machine learning-based reports provide insights to enhance security and address potential threats.
Self-Service Group Management: This feature enables group owners to manage their respective groups, including accepting membership requests and managing group memberships. To allow users to request to join a security group or Microsoft 365 group, and for owners to approve or deny such requests, a Microsoft Entra ID P1 or P2 license is required.
Multi-factor authentication. Multi-factor authentication (MFA) features are provided to Microsoft 365 and Microsoft Entra ID users and administrators at no additional cost. With premium licenses, full MFA capabilities extend to both on-premises applications and cloud services.
Cloud Apps
As mentioned previously, when deploying Microsoft cloud services like Intune or Azure, Microsoft creates an Entra ID tenant to provide authentication and authorization into the services. It is possible to share a single Entra ID directory across these services when an organization as multiple Microsoft service subscriptions allowing for a centralized identity service.
Services like Azure Web Apps or Azure Functions also allow custom applications to use Microsoft Entra ID for Authentication and Authorization. By using Entra ID you can ensure that the centralized identity service is used and only users with valid user accounts can access your websites and web services.
Custom Domains
When first provisioned Entra ID has an onmicrosoft.com domain name, Microsoft allows organizations to add custom domains to their directory, providing a seamless and branded experience for users. By verifying and configuring custom domains, administrators can ensure that users log in with familiar email addresses, such as nick@contoso.com, rather than generic Microsoft-provided onmicrosoft.com domain.
Adding custom domain to EntraID tenent
To set up a custom domain, administrators need to add the domain to the Microsoft Entra ID and verify ownership by adding DNS records at the domain registrar. Once verified, the custom domain can be used for user principal names (UPNs) and email addresses, making it easier for users to remember their login credentials and reducing confusion. This integration supports seamless authentication across Microsoft 365, Azure, and other Microsoft cloud services, enabling consistent access and management.
Microsoft Entra Domain Services
Microsoft Entra Domain Services provides managed domain services Kerberos authentication, group policy, domain join and LDAP (lightweight directory access protocol). Allowing you to use these services without the need to deploy and manage domain controllers in the cloud or creating site-to-site VPNs (virtual private network) between Azure and your on-premises domain controllers for authentication.
Domain Services integrates with your Microsoft Entra tenant, allowing users to sign in with their existing credentials and use existing groups and accounts for resource access. These features simplify moving on-premises resources to Azure.
Microsoft Entra Domain Services, included in the Microsoft Entra ID P1 or P2 tier, offers domain services like Group Policy management, domain joining, and Kerberos authentication to your Microsoft Entra tenant. These services are fully compatible with on-premises AD DS, eliminating the need for additional domain controllers in the cloud.
Microsoft Entra Domain Services Overview (source: Microsoft Entra ID)
Even without local AD DS, you can use Microsoft Entra Domain Services as a cloud-only service. It provides similar functionality without needing domain controllers on-premises or in the cloud. For example, an organization can create a Microsoft Entra tenant, enable Microsoft Entra Domain Services, and set up a virtual network between on-premises resources and the Microsoft Entra tenant. This allows all on-premises users and services to use domain services from Microsoft Entra ID.
Microsoft Entra Domain Services provides several benefits for organizations. Administrators don't need to manage, update, and monitor domain controllers, nor do they need to deploy and manage Active Directory replication. Additionally, there’s no need to have Domain Admins or Enterprise Admins groups for domains that Microsoft Entra ID manages.
If you choose to implement Microsoft Entra Domain Services, you need to be aware of the service's current limitations. These include only supporting the base computer Active Directory object, not being able to extend the schema for the Microsoft Entra Domain Services domain, having a flat organizational unit (OU) structure without support for nested OUs, and having built-in Group Policy Objects (GPOs) for computer and user accounts that cannot target OUs. Additionally, Windows Management Instrumentation filters and security-group filtering are not supported for built-in GPOs.
Further Reading
Premium Licensing: Microsoft Entra Plans and Pricing
MFA : Microsoft Entra multifactor authentication overview
App Service Config : Configure your App Service app to use Microsoft Entra login
Custom Domains: Add your custom domain
Entra Domain Services: Overview of Microsoft Entra Domain Services
