
Azure identity management security overview

Identity management is the process of authenticating and authorizing security principals. Microsoft Entra ID provides comprehensive identity and access management for applications and resources across your organization. This article covers core Azure identity management features that help protect access to resources.

Single sign-on

Single sign-on (SSO) enables users to access multiple applications and resources with a single user account and password. Users sign in once and can access all their applications without repeated authentication. Microsoft Entra ID supports SSO for thousands of SaaS applications and on-premises web applications.

Microsoft Entra ID extends on-premises Active Directory into the cloud, enabling users to sign in with their organizational account to ___domain-joined devices, company resources, and integrated applications. SSO reduces password fatigue and improves security by minimizing exposed credentials.


Multifactor authentication

Microsoft Entra multifactor authentication (MFA) adds a critical second layer of security by requiring two or more verification methods. MFA helps protect against unauthorized access while maintaining a simple sign-in experience for users.

Verification methods include:

  • Microsoft Authenticator app
  • Windows Hello for Business
  • FIDO2 security keys
  • Certificate-based authentication
  • OATH tokens (hardware and software)
  • SMS and voice call

Microsoft Entra ID P1 and P2 licenses support Conditional Access policies that enforce MFA based on user, ___location, device, and application context.


Azure role-based access control

Azure role-based access control (Azure RBAC) provides fine-grained access management for Azure resources. With Azure RBAC, you can grant users the minimum permissions needed to perform their jobs.

Azure RBAC includes built-in roles:

  • Owner: Full access to all resources, including the right to delegate access
  • Contributor: Create and manage all types of Azure resources, but can't grant access
  • Reader: View existing Azure resources
  • User Access Administrator: Manage user access to Azure resources

You can also create custom roles tailored to your specific needs.
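The least-privilege point above is easiest to check by looking at what a role definition actually permits. The following script is an added example (not from the Azure documentation or the Azure CLI): it audits role definitions shaped like `az role definition list` output for actions that let a principal grant more access. The sample definitions, including the custom role, are constructed here, and the list of escalation-capable actions is an assumption chosen for illustration.

```python
"""Audit Azure RBAC role definitions for permissions that can grant access.

Added example, not Microsoft code. Role definitions are built by hand to
mirror the roleName/actions/notActions fields of Azure role-definition JSON.
"""
import fnmatch

# Constructed sample: the four built-in roles named in the article plus one
# hypothetical custom role that quietly includes a role-assignment permission.
SAMPLE_ROLE_DEFINITIONS = [
    {"roleName": "Owner", "roleType": "BuiltInRole",
     "actions": ["*"], "notActions": []},
    {"roleName": "Contributor", "roleType": "BuiltInRole",
     "actions": ["*"],
     "notActions": ["Microsoft.Authorization/*/Delete",
                    "Microsoft.Authorization/*/Write",
                    "Microsoft.Authorization/elevateAccess/Action"]},
    {"roleName": "Reader", "roleType": "BuiltInRole",
     "actions": ["*/read"], "notActions": []},
    {"roleName": "User Access Administrator", "roleType": "BuiltInRole",
     "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
     "notActions": []},
    {"roleName": "App Deployer (custom)", "roleType": "CustomRole",
     "actions": ["Microsoft.Web/sites/*",
                 "Microsoft.Authorization/roleAssignments/write"],
     "notActions": []},
]

# Actions that allow a principal to widen its own or others' access.
# Assumption for this example; extend the list to match your own review criteria.
PRIVILEGE_ESCALATION_ACTIONS = [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/elevateAccess/Action",
]


def _matches(pattern: str, action: str) -> bool:
    """Azure action strings use '*' as a wildcard and compare case-insensitively."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_permits(role: dict, action: str) -> bool:
    """True if the role's effective permissions (actions minus notActions) cover action.

    notActions are subtracted from actions; they are not an explicit deny.
    """
    allowed = any(_matches(p, action) for p in role["actions"])
    denied = any(_matches(p, action) for p in role.get("notActions", []))
    return allowed and not denied


def audit_roles(roles: list) -> dict:
    """Map each role name to the escalation-capable actions it effectively grants."""
    findings = {}
    for role in roles:
        risky = [a for a in PRIVILEGE_ESCALATION_ACTIONS if role_permits(role, a)]
        if risky:
            findings[role["roleName"]] = risky
    return findings


if __name__ == "__main__":
    for name, actions in audit_roles(SAMPLE_ROLE_DEFINITIONS).items():
        print(f"{name}: {', '.join(actions)}")
```

Run against the sample, Owner and User Access Administrator are flagged as expected, Contributor is not (its notActions subtract the authorization writes, which is why the article says it can't grant access), and the custom role is flagged because a single extra action turned a deployment role into one that can assign roles. The same check runs unchanged over the JSON that `az role definition list --custom-role-only true` returns.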


Application Proxy

Microsoft Entra application proxy enables secure remote access to on-premises web applications without requiring VPN connections. Application Proxy publishes applications like SharePoint sites, Outlook Web App, and IIS-based apps to external users while maintaining security through Microsoft Entra ID authentication and Conditional Access policies.

Application Proxy supports SSO and can integrate with existing on-premises authentication methods.


Privileged Identity Management

Microsoft Entra Privileged Identity Management (PIM) helps you manage, control, and monitor privileged access to important resources. PIM provides just-in-time (JIT) privileged access, reducing the risk of excessive or unnecessary permissions.

With PIM, you can:

  • Provide time-bound access to Azure and Microsoft Entra roles
  • Require approval to activate privileged roles
  • Enforce multifactor authentication for role activation
  • Require justification for role activation
  • Receive notifications for privileged role activations
  • Conduct access reviews to ensure users still need privileged roles
  • Generate audit reports for compliance


Identity Protection

Microsoft Entra ID Protection detects potential vulnerabilities and risky activities affecting your organization's identities. It uses machine learning to identify anomalous sign-in behaviors and user activities.

Identity Protection provides:

  • Risk-based Conditional Access: Policies that respond to detected risks in real time
  • Risk detection: Identification of suspicious activities, including anonymous IP address usage, atypical travel, and malware-linked IP addresses
  • Investigation tools: Reports and dashboards for analyzing risks
  • Automated remediation: Risk-based policies that can automatically require password changes or block access


Microsoft Entra access reviews

Microsoft Entra access reviews enable efficient management of group memberships, access to enterprise applications, and privileged role assignments. Regular access reviews help ensure users have only the access they need.

Access reviews support:

  • Automated reviews: Scheduled recurring reviews with customizable frequency
  • Delegated reviews: Business owners and managers can review access for their teams
  • Self-attestation: Users can confirm they still need access
  • Recommendations: Machine learning suggests which users should lose access based on sign-in activity
  • Automated actions: Remove access automatically when reviews complete


Hybrid identity management

For organizations with on-premises Active Directory, Microsoft provides hybrid identity solutions to synchronize identities between on-premises and cloud environments.

Microsoft Entra Connect (maintenance mode) synchronizes on-premises AD DS identities to Microsoft Entra ID. It runs on an on-premises server and provides:

  • Directory synchronization for users, groups, and contacts
  • Password hash synchronization or pass-through authentication
  • Federation integration with AD FS
  • Health monitoring

Microsoft Entra Cloud Sync is the modern, cloud-based synchronization solution that uses lightweight provisioning agents:

  • Simplified deployment with lightweight agents
  • Support for multi-forest disconnected environments
  • High availability with multiple agents
  • Cloud-based configuration and management

Microsoft recommends Cloud Sync for new hybrid identity deployments.


Device registration

Microsoft Entra device registration enables device-based Conditional Access policies. Registered devices receive an identity that authenticates the device during user sign-in. Device attributes can enforce Conditional Access policies for cloud and on-premises applications.

When combined with mobile device management (MDM) solutions like Microsoft Intune, device attributes are enriched with configuration and compliance information. This enables Conditional Access rules based on device security and compliance posture.
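Conditional Access is the thread running through the multifactor authentication, Identity Protection and device registration sections: each contributes a condition (___location, sign-in or user risk, device compliance) or a grant control (MFA, password change, compliant device, block). The following is an added example, not Microsoft code and not the real evaluation engine: a simplified evaluator over policies written in a subset of the Microsoft Graph conditionalAccessPolicy shape. The policy contents, user names, ___location names and application IDs are constructed for this example.

```python
"""Simplified model of how Conditional Access policies gate a sign-in.

Added example, not Microsoft code. Policies use a subset of the Graph
conditionalAccessPolicy fields; all values are constructed for illustration.
"""


def make_policy(name, controls, operator="OR", **conditions):
    """Build a policy dict in (a subset of) the Graph conditionalAccessPolicy shape."""
    conditions.setdefault("users", {"includeUsers": ["All"], "excludeUsers": []})
    return {"displayName": name, "state": "enabled", "conditions": conditions,
            "grantControls": {"operator": operator, "builtInControls": controls}}


# Constructed policy set: MFA outside trusted locations with a break-glass
# exclusion, two Identity Protection risk policies, and a device-compliance
# requirement (compliance state is reported to Entra ID by an MDM such as Intune).
POLICIES = [
    make_policy("Require MFA outside trusted locations", ["mfa"],
                users={"includeUsers": ["All"],
                       "excludeUsers": ["breakglass@contoso.example"]},
                locations={"includeLocations": ["All"],
                           "excludeLocations": ["AllTrusted"]}),
    make_policy("Block high sign-in risk", ["block"], signInRiskLevels=["high"]),
    make_policy("Remediate user risk", ["mfa", "passwordChange"], operator="AND",
                userRiskLevels=["medium", "high"]),
    make_policy("Compliant device for finance app", ["compliantDevice"],
                applications={"includeApplications": ["finance-app-id"]}),
]


def make_signin(user="alice@contoso.example", app="mail-app-id",
                trusted_location=False, sign_in_risk="none", user_risk="none"):
    """Constructed sign-in context in the form the evaluator expects."""
    return {"user": user, "app": app, "trusted_location": trusted_location,
            "sign_in_risk": sign_in_risk, "user_risk": user_risk}


def policy_applies(pol, signin):
    """True when every condition in the policy is met by the sign-in (simplified)."""
    if pol["state"] != "enabled":
        return False
    c = pol["conditions"]
    users = c["users"]
    if signin["user"] in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and signin["user"] not in users["includeUsers"]:
        return False
    apps = c.get("applications")
    if apps and "All" not in apps["includeApplications"] \
            and signin["app"] not in apps["includeApplications"]:
        return False
    loc = c.get("locations")
    if loc and "AllTrusted" in loc.get("excludeLocations", []) and signin["trusted_location"]:
        return False
    if "signInRiskLevels" in c and signin["sign_in_risk"] not in c["signInRiskLevels"]:
        return False
    if "userRiskLevels" in c and signin["user_risk"] not in c["userRiskLevels"]:
        return False
    return True


def evaluate(policies, signin):
    """Combine all applicable policies: any 'block' wins; otherwise every matching
    policy's grant controls must be satisfied (OR: any one control, AND: all)."""
    requirements = []
    for pol in policies:
        if not policy_applies(pol, signin):
            continue
        gc = pol["grantControls"]
        if "block" in gc["builtInControls"]:
            return {"decision": "block", "policy": pol["displayName"]}
        requirements.append((pol["displayName"], gc["operator"], gc["builtInControls"]))
    return {"decision": "grant", "requirements": requirements}


if __name__ == "__main__":
    print(evaluate(POLICIES, make_signin()))
    print(evaluate(POLICIES, make_signin(sign_in_risk="high")))
    print(evaluate(POLICIES, make_signin(app="finance-app-id", user_risk="medium")))
```

Two behaviours worth noticing in the model: a block control from any matching policy overrides every grant control, and a user excluded from a policy (the break-glass account) simply never matches it, so exclusions need the same review discipline as role assignments.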


External identities

Microsoft Entra External ID provides identity management for customer-facing applications and B2B collaboration. External ID supports consumer sign-up and sign-in with social accounts (Facebook, Google, LinkedIn) or email-based credentials.

For B2B collaboration, External ID enables secure sharing of applications and resources with external partners while maintaining control over your corporate data. External users authenticate with their home organization or supported identity providers.


Next steps