Microsoft Entra ID Reviews

We have a variety of use cases. The first thing we use it for is Microsoft 365 services. We utilize the single sign-on capability, for use with other SaaS applications. We use MFA, and use it as an identity provider, in general. We make use of the B2B Federation functionality based on Active Directory, as well.

We use a hybrid Azure Active Directory that works in conjunction with our on-premises Active Directory.

Azure AD has security features that have definitely helped to improve our security posture. Our hybrid environment makes it very easy for us to control when we need to integrate with third-party solutions. Normally, we do not allow integration with our on-premises systems and by requiring the third parties to integrate through Azure Active Directory, it gives us an extra layer of security. There is one-way communication from our on-premises Active Directory, which helps to secure our main controllers.

Another thing that we use extensively is conditional access, on top of the Azure Active Directory multi-factor authentication. We are quite happy with the metrics and reports, as well as the logging of risks, such as attempts to sign in from different areas.

So far, we haven't had any incidents. We've seen some attempts to steal our identities or to log in using our credentials but the security provided by this product, including conditional access and MFA, has stopped these attempts. From a security perspective, we are quite happy.

Overall, our security posture has improved, especially when we are talking about MFA. We have MFA deployed on-premises for all of our critical applications. Moving beyond this, to the cloud, I cannot imagine dealing with all of these different SaaS products without having AD or another cloud identity provider in place. We could use a competing product but definitely, we cannot survive solely with our on-premises solution.

This solution has improved our end-user experience, in particular, because of the single sign-on feature. Our users can quite easily begin working. For example, I've worked with other SaaS solutions and one thing that users complain about is the additional steps required for MFA. Some of the non-tech-savvy end-users sometimes struggle, but overall, I would say the experience is quite good.

We are a group of companies and have different Active Directory Forests and domains. Using Azure Active Directory, collaboration is much easier for us because we are able to configure it at the cloud level.

The most valuable feature is its ability to act as an identity provider for other cloud-based, SaaS applications. In our bank, this is the main identity provider for such features. Not on Office 365 applications, but on others like Salesforce.

The B2B Federation functionality is not perfect and could be improved. It is not on the same level that we could have if it were being used on-premises. It offers a different experience, which is a bit complicated and has some additional drawbacks.

The MFA has some limitations compared to the legacy version. We still use our on-premises version because it works with our legacy applications using certain protocols. 

I think that as Microsoft is going to the cloud, they are turning off the on-premises features too quickly because the functionality is not yet at par.

I would like to see more features included, such as some surrounding the lifecycle of licenses, and access management for non-Azure cloud applications

We have been using Azure Active Directory for approximately three years.

Prior to working with this company, I worked for Microsoft and I used Azure Active Directory as a user over a period of four to six years.

I'm pretty happy with the stability of this product. In all of the time that I have used it, I do remember a couple of instances where there was downtime. However, these did not last for a significant length of time.

I can recall that it went down one time, for approximately four hours, in several years. SLAs are definitely met by Microsoft.

Scalability-wise, it works for us. We haven't had any problems and it is quite scalable.

Our company has 4,000 employees, so it isn't very large but so far, so good.

There are two people who are administrators that are involved in the managing and administration of Azure AD. I do not have administrative rights. Rather, I am set up for viewing only. 

In general, I would rate Microsoft support a seven out of ten. Sometimes we needed to speak with different people about the same problem, and each time, we had to describe the situation from scratch.

I have no experience with other B2B Federation solutions, so I can't compare Azure Active Directory in this regard.

Our initial setup was complex in some ways and easier in others. The complexity stemmed from the fact that we are a bank, and the security team chose the most complex deployment. Because the security people chose the most complex options, they are missing things. For example, self-service password reset is not working for us because it's one-direction communication.

In summary, our initial setup was complex because it was chosen as such. Although it is the most secure, we are missing some benefits that we would have if we had chosen a different setup.

The deployment itself was not very long. However, the planning stage was lengthy because of the in-depth discussions with the security team. Overall, the deployment took perhaps two weeks or less.

Our deployment strategy was a rather high-level approach and considered that our primary identity provider is on-premises AD, which means that we were able to take some of the details from there. We did not have to consider everything from scratch. For example, our password hash is one-way, so there are no writebacks. We defined it this way because it's quite secure. Similarly, we needed integration with third parties, such as other cloud providers. This meant that we were not afraid if something is breached because there would be no impact on our Active Directory. The only impact from a problem would be at the Azure Active Directory level.

The cost of Azure AD is one of the biggest benefits, as it is available for use free of charge when you start with Office 365. It comes with the basic version of it and you can move to the more expensive plans with additional features, but these are still very competitive compared to other vendors.

By comparison, other vendors offered an independent MFA product but at quite an expensive price. With Microsoft, it was already included in the price. The bundling approach that Microsoft uses is good; although competitors may offer a more compelling solution, we already have access to the one from Microsoft at no additional cost.

We evaluated some other products from an MFA perspective but I have no hands-on experience with them. I received many good recommendations about both Okta and Ping Identity solutions.

My advice for anybody who is considering Azure Active Directory is that if they are going to use other Microsoft services, like Office 365, then it's no brainer. It's the perfect solution for situations like this.

If you're using a different stack, like Google, and you choose a different cloud provider like Google or Amazon, then if you are using Microsoft, it is still good to use Azure Active Directory. The costs are relatively cheap compared to others.

However, if you're not using Microsoft products, then I would suggest that you could look to other vendors like Okta, for example. I had quite a few good references regarding Okta and the Ping Identity products. Ultimately, you are free to choose but from a cost perspective, Microsoft is great.

I would rate this solution a nine out of ten.

We use  Azure Active Directory to provide all the identity services for all of our applications.

As a company, you want effective identity and access management. You are able to achieve this with Azure Active Directory, you are able to manage everything, such as building user provisioning into third-party applications, or single sign-on, and tools to mitigate threats or risky sign-ins. There are a lot of features that are provided.

The solution has some great features, such as identity governance, and user self-service. The Outlook application is very good and is used by a lot of people even if they are using Google services.

Azure Active Directory could improve by having an authentication service for laptops or desktop computers running Mac and Linux operating systems. They currently have authentication capabilities for Microsoft Windows. Having this capability would benefit people because in today's world everybody is working from the home environment.

I have been using Azure Active Directory within the past 12 months.

The solution is stable. There was one global outage that lasted approximately four hours in the past year.

Microsoft has different kinds of support you can have. If you pay then you will receive premium support which is very good.

I have previously used Google G Suite.

The initial setup is straightforward.

Azure Active Directory is more expensive than Google, but the capabilities they provide are superior.

I have evaluated SalePoint which is another very good product for collaboration that is available on the B2C platform.

The people who are considering Azure Active Directory should look at it as a whole because even if their company is using G Suite, they will still have to go to Office 365 for accounting and finance users who are very familiar with MS Excel and still want to use it. I see most of the companies that are using G Suite will have Office 365 for certain services. There is no need to have two services, a single Office 365 platform will provide all the capabilities needed.

I rate Azure Active Directory a nine out of ten.

I was a consultant. I recently changed my job (seven days ago). Most of my customers did everything in Azure. They used Azure Active Directory Domain Services (AD DS) as well as Active Directory Federation Services (ADFS) to sync a user's profile using AD Connect and a federated model. So, they could access an application on-premises as well as in a cloud. 

I am now a CTO for a big hospital. I manage Azure AD for all hospitals as the CTO. They also use Office 365 across all four of their hospitals. 

The solution is hybrid cloud. We have the Active Directory on-premises and Active Directory Domain services in Azure. This is where I use AD Connect (or sync server) to sync the user's profile.

Azure AD has features that have helped improve security posture. From a security point of view, they integrated with Okta, which is one of the integrations that we used for a customer's use case. From there, their entire security posture is managed and integrated with Azure.

It gave better visibility on our customers' security posture - the way that they configure users, configure their end user computing, and multi-factor authentication. This is where they get better visibility and manageability through this particular solution.

A use case that we did for an end user in a manufacturing organization: We used WVD with biometric authentication because 1,500 processes need to happen in a process. The user didn't want to use a login using their credentials. They wanted to use fingerprinting or tap their ID. That is where we integrated with the authentication. Now, they can process in a couple of hours, and they run those 1,500 processes every day. This changed their login process, which improved the manufacturing process. This helped a lot for their high deployment.

In my current organization, it is connected only for Office 365. We are getting into other services that Azure has to offer, but that has not yet started. The first use case that we are going to do is backup and recovery through Azure AD.

We are trying to do backup for some Tier 1 applications through Commvault. We will use that data to restore within the Azure environment or Azure Virtual Network (VNet), recovering all the applications. We then make sure that we have the capability for recovering those applications end-to-end. This is where Azure AD will play a huge role, so we don't have to come down to on-premises for authentication.

• The authentication process, e.g., multi-factor authentication.
• Directory Domain Services.
• Azure AD Connect (sync services).

The biggest thing is if they could integrate with their IPS/IDS processes as well as have integration with another app, like a third-party application. Varonis was another solution that my customers are trying to integrate with ADFS. For some reason, they were seeing some difficulties with the integration. There is a case open with Microsoft on this particular thing.

The only issue is the OU is not properly synced. Therefore, you have to do a manual sync sometimes or you might lose the connector due to AD Connect or sync servers.

I have been using it for a couple of years.

I haven't seen any major issues. 

We had a customer with roughly around 80,000 users. They had three SMEs or FTEs managing their Active Directory environment or solution.

Maintenance-wise, we need at least two FTEs for backup, making sure that we have the right coverage 24/7.

I think we can add more systems to make sure that we can connect. The documentation provides more detail about the sizing information for OVA files or AD Connect files on the server. So, you have those kinds of capabilities built into the scalability.

Before, we used to manage most technical issues. For example, if there was a critical thing that had to happen, then we would open a case. The support that we used to get from Microsoft was great because we were a Gold partner with Microsoft, so we had good access for the technical team.

We don't use the technical support too much because we have engaged a partner for my current organization. 

The initial setup was so straightforward. The documentation is good. There were no problems deploying it. We did the deployment for one customer in less than an hour. Another customer took some time because it is more like a process for change management. Otherwise, the actual installation, download, and configuration took less than a couple of hours.

My previous company's focus was on how to integrate a customer's Active Directory with Okta, how to integrate it with MFAs, and how to integrate with security IMs.

The deployment was easy to do and integrate with on-premises. So if it was a small- or medium-sized customer, we could bring them into the cloud in no time. Also, we could start looking into other applications that the customer could use: Docker containers or DevOps. This is where we spent most of the time, i.e., with customer design.

Every hospital with Office 365 comes with Active Directory Domain Services so you need to sync all your users. That is how the implementation is done today.

At my previous employer, most of our customers' application deployment used Ruby on Rails in their AWS environment and were looking for an authentication process. So, we installed Active Directory or ADFS in Azure for a specific client. Then, all applications would get authenticated to Azure Active Directory and synced from their on-premises environment. 

There was another client for whom we installed Azure Directory Domain Services, which synced with their on-premises data and federated model so we could get the single sign-on. We then installed Azure VMware Solution in Azure for their expanding or extending their on-premises VMware architecture.

We created a questionnaire where we documented the customer's current environment. For example, customers wanted to sync the amount of users. We then used that questionnaire to take care of the prerequisite before we even started deploying this solution.

The whole deployment process should take less than one FTE.

It provides an organization flexibility to move towards the public cloud, so their workload can be upstream. They can see that they don't have to come down to their on-premises for any authorization authentications. That is where we were seeing more development environments, staging environments, and DevOps environments, as most of our customers were pushing towards the public cloud, which would then be integrated with their Azure Active Directory.

The licensing model is straightforward. I don't think there are any issues with the E3 license or E5 license.

We had a customer with very traditional architecture in AWS. We spun up the ECP instance, then installed and replicated the Active Directory. Other than that, I don't think we had another customer who was going in a different direction.

We have a budget for Q4 2021. By Q1 2022, we are hoping to get one hospital completely in Azure by 2022.

The only way to learn about the value that Azure brings to the table is if a customer can use as an evaluation copy or license. Then, they can integrate and push the development OUs or the test OU to make sure that they can integrate with the MFAs.

I would rate this solution as an eight or nine (out of 10).

Azure Active Directory is similar to an on-premises access control system, but the service and data are hosted in the Azure cloud. Previously, everyone used to have Windows servers built as domain controllers for Active Directory to store their employee data. This assumed the role of a database for their employees.

With Azure Active Directory, which is in the cloud, you have the same functionality and there isn't much of a difference. The defining point is that you have access to online, cloud-based resources, such as Office 365.

In my company, as well as others, we had already implemented the on-premises Active Directory for our infrastructure. We leverage Azure Active Directory to synchronize the existing on-premises details to the cloud so that it creates an identity in Azure, which allows it to be used for other SaaS-based solutions.

This is the kind of solution that I feel you cannot run an organization without using.

Going forward, I expect that this solution will help to eliminate our on-premises infrastructure. Perhaps in the next few years, many companies will question their need for on-premises infrastructure and implement a purely cloud-based position. It will be a pay-as-you-go service.

Using this solution has affected our end-user experience because it enables and supports the Office 365 products that Azure provides. It is indirectly linked to all of the Office 365 solutions.

This is a feature-rich solution.

It offers features that improve our security posture such as multifactor authentication, which is the second layer of protection that is used when we log into the cloud.

The documentation, and the way that people are notified of updates, are things that can be improved. I'm a big fan of Microsoft products but the way they document is not that great.

I have been using Azure Active Directory for the past four years.

This solution was implemented approximately five years ago, before I joined the company.

We use this product on a daily basis. In fact, it is constantly being used and we don't have any problems with stability.

The scalability is good, and it is one of the reasons that we opted for a cloud solution.

We have more than 60,000 employees in the company and it scales very nicely. If more employees join the company then our usage will increase.

There are a variety of roles including administrators and different users. We have between 200 and 300 administrators.

Technical support from Microsoft is excellent.

We have had multiple issues where technical support has been needed. For example, the other day, we had a problem with synchronization. One of the user licenses was not synchronized properly and when we identified the root cause, it showed that the profile was not linked to the Active Directory Account. That was the main problem.

For us, it's constant improvement. Once a problem has been resolved, we document it accordingly so that it doesn't reoccur. Essentially, we don't want to have the same story again.

We also have Active Directory implemented on-premises, and it synchronizes with our cloud solution. The traditional Active Directory is what we used before this.

I was not responsible for the initial setup but my feeling is that it is not very straightforward. From a technical perspective, I expect that it is somewhat complex.

The deployment took approximately six weeks. We are a large company with more than 60,000 employees and I expect that for a smaller company, with perhaps 100 or 200 employees, it might take a day or two to complete.

One of the senior engineers in my organization was responsible for deployment. We also had assistance from Microsoft consultants. Between five and ten people were required for the deployment because it's a larger company.

There is no maintenance that needs to be done on our part. However, we have between 10 and 15 people who closely work on Azure Active Directory. 

Everyone uses a cloud solution to reduce the on-premises infrastructure cost and maintenance. In the coming years, there will be a lot of returns or a lot of cost-cutting that will happen.

The licensing is good and it is really easy to manage. We make sure that we only enable the licenses that are needed for the users, rather than enabling licenses in a blanket fashion. Basically, we only enable the features that are required for each of the users.

There are no costs in addition to the standard licensing fees.

Microsoft is a vendor that is always one step ahead.

The biggest lesson that I have learned is to read the documentation properly and thoroughly. Microsoft is great, but the documentation is sometimes updated and we aren't notified. This means that anytime you apply any solution, just make sure that you follow the proper guidance and always test before deployment.

I would rate this solution a nine out of ten.

Azure AD is where our primary user data is stored. We get a feed-in from our HCM solution and it creates our users, and then that's where we store all of their authorizations, group memberships, and other relevant details.

We access it through the Azure Portal.

This product has helped improve our security posture because it allows a tie-in into the Microsoft Azure Sentinel product very easily and seamlessly. From a security standpoint, you have the option of conditional access, the option of identity protection, and those types of things. We have incorporated those right into our offering.

Overall, security-wise, this solution has allowed us to be more flexible. When you had just Active Directory and it was an on-premise solution, you had to do a lot of manipulation to get SaaS products working. You had to do a lot of customizing and those types of things. With Azure Active Directory, it's more configuration than it is customization. This allows us to be a lot more flexible, which brings about efficiency, better security, and other benefits.

Azure Active Directory has also improved our end-user experience.

Before, most companies including ours would use a customized username that would have random characters for a user. This is different from Azure Active Directory, which uses what looks like the email address as your username. In fact, it can be set up as a genuine email address. Where it differs is on the back end, where it has a unique ID, but on the front end, it's more readable and it's better understandable.

From my user experience, the sign-on is seamless as you go through and use any of Microsoft products. Everything ties right into it, and then as you set up your different applications that are tied into Azure Active Directory, and get the single sign-on, everything becomes a whole lot easier to connect into. From a user experience, it's improved it drastically.

For provisioning users, you start by registering an application as either an enterprise application or a custom application. You can set up from within Azure Active Directory how it is that users connect to it. Microsoft has done a great job with providing a lot of application templates that help to connect and add it into the cloud. Almost every application that you could think of is there. From that point, you can set up provisioning.

To assist with provisioning, they have great documentation. From an admin perspective, much of the work is done for you. After the applications are connected to Azure Active Directory, you assign users and groups, provisioning users via API calls, which is how it's done on the back end, and it ties in using service accounts. Then, you can create a group that has the appropriate permissions such as write permission, full admin rights, or contributor rights, and then provision users into those groups. The system automatically handles it for you at that point.

This product is easy to use.

The features that we use day in and day out are single sign-on, group capabilities, and provisioning capabilities. All of these are very useful.

This product has features such as Conditional Access that improve our security posture. Conditional access gives access only through a timeframe. We have certain policies that we set up, which could be a certain amount of time or it could be a certain type of access. These are examples of types of conditional access.

Another example of a security feature that helps us is Identity Protection, which will perform the automatic detection and remediation of risks.

We also have the ability to go in and investigate any risks using data within the portal, and it's all automated. It's nice in that sense.

These features have significantly improved our security posture and time for remediation. It would be difficult to estimate a time improvement in terms of a percentage, but being that it's automated and there is a portal that displays the risks in real-time, it's a very significant change. Previously, we had to go through and look at logs and those types of things, which was time-consuming compared to using the portal.

We also use multi-factor authentication, which is very useful because that gives another layer of security protection for our users. You have to have some sort of device that you can use to provide that second factor, and not just your username and password.

The provisioning capability is a two-edged sword because it is very useful, but it also needs some improvement. When you start to deal with legacy applications, provisioning is not as intuitive. Legacy applications, a lot of times, were based on an on-premise Active Directory and you had to use it to provision users or grant access to the product. I don't know of a way to make Azure Active Directory act as an on-premises version to connect to those legacy applications.

The speed and responsiveness of the technical support are things that could use some improvement.

We have been using Azure Active Directory since October of 2018, nearly three years ago.

The stability is not too bad. It's usually other issues that go on within Microsoft Azure. Whenever Microsoft Azure is down, the Azure Active Directory service sometimes can be down intermittently, depending on where things are at.

It is important to remember that it's not always the Azure Active Directory component that is down. Rather, a lot of the time, there is an app that is tied into Azure Active Directory causing the problem. I think we've had one incident in the last year that was tied directly to Azure Active Directory, where it was down from a SaaS perspective.

This solution scales very well. We were able to tie into our previous company and then bring on all of those users in a very quick amount of time. This included making sure that they could all log in and get access. We haven't really had any issues from that standpoint.

In terms of the users, you can add B2B and you can add B2C, as well. Scalability-wise, it's been good for us. We have between 15,000 and 20,000 users, which is fully scaled at the moment.

We have plans to do further B2B, as we work with our retail partners. We have a lot of retail partners, which is how our business model is structured, and that's something that we're planning on adding and moving forward with.

As far as scaling, going up, or going down, our numbers of Azure Active Directory users are pretty much what they're going to be for the next couple of years. That said, our B2B is definitely going to increase over the same period.

We use Covenant Technology Partners as the first level of technical support. Most of our support tickets actually get escalated from them up to the Microsoft product team.

The Microsoft product team's service is hit or miss, which is something that Microsoft can improve on. They are sometimes slower to react than we would like, but for the most part, they do take our tickets and work on them as they can, to try to figure out ways of remediation.

We did not have any solution prior to this; it was simply an on-premises Active Directory. We were spinning up something brand new to move forward. Being managed saves a lot of time and effort. We migrated our users over from the Active Directory that the prior owners had, but they managed it all, we did not.

It was very easy to get set up and running. Basically, you log into the Azure portal, you have your tenant that you're already connected into, you add a domain and then you just go. You add your first user and then you continue from there.

Our deployment started in October of that year, we had our first users within a week, and then we pretty much provisioned all of our users within a month. It was a pretty quick turnaround.

At the time of deployment, we were in the middle of a divestiture. As such, our implementation strategy included spinning up a brand new Active Directory so that we could start to migrate our users over from our previous owners into a new one that we would control. Consequently, we started from scratch.

I know that a lot of companies are not doing that. Rather, many are starting with an Active Directory and then moving into Azure Active Directory, but for us, it was a clean slate. We then started to incorporate methods of synching with our previous owner so that we could get all of the data from them and continue to march towards a separation.

We brought in consultants only because we didn't have the manpower at the time when we got started. I believe there was one other person besides myself, we were both at the director level, and neither of us had been given the time to build out our teams by that point. The third-party consulting company that we brought in assisted us to help us and assist us in getting everything set up and built out.

The company was Covenant Technology Partners and our experience with them was very good. They were able to help us get everything set up and running right away. Overall, it went very smoothly.

With respect to day-to-day maintenance, we have a lot of it automated. We've tied it into ServiceNow and a lot of our user additions, modifications, deletions, and other operations are things that we have automated via ServiceNow workflow.

I do have a team of three engineers under a manager that currently manages it, but they don't spend any more than probably 5% of their time, daily, dealing with it.

It is difficult to estimate our return when we didn't own anything beforehand. There is no real basis for comparison. That said, the automation capabilities cut down manual provisioning, manual adding, removing, deletion, editing, and those types of things, of user fields. I would say those are the big savings, and it's helpful that you can easily do the automation tie-in into Azure Active Directory.

Anytime you are dealing with Microsoft and licensing, it is always interesting. We have various levels of their licensing, which includes users on different levels of their enterprise offering. For example, some are on E3, whereas others are on E5. The differences between them have to do with the various features that we use.

We're a Microsoft Teams company and we use it not only for collaboration and instant messaging, but we also use it as our phone system. We did all of that together, so when we spun up Azure Active Directory, we also spun out Microsoft teams to use as our phones and flipped off of an old PBX system. It's been very useful but the licensing can be complicated when you get into the retail partners and guests. But for the most part, Microsoft has done a good job of explaining the different levels and what we need and has given us the proper licensing.

There are no additional fees for Azure Active Directory.

We did not evaluate other vendors. Our plan was to implement Microsoft Azure as our cloud solution, as well as go forward with Azure Active Directory. That was the plan from the get-go.

I know that Okta was out there, as well as a couple of other options, but that was never really a consideration for us.

The biggest lesson that I have learned from using this product is that because it is a SaaS solution, it's easy to get set up and configured. It doesn't take a lot of overhead to run and quite honestly, the security on it is getting better. Microsoft continues to pump more security features into it.

My advice for anybody who is considering Azure Active Directory is that if you have Microsoft products that you are currently already using, I would definitely recommend it. This is a solution that seamlessly ties into your Office products, and into any Microsoft product, and it's really easy to manage. You can spin it up quickly, implement it, and get going right away. You are able to tie into your on-premise Active Directory as well. At that point, you can start to sync those two to manage all of your users and all of your groups in one place.

Overall, this is a good product and to me it's perfect but at the same time, nothing is perfect.

I would rate this solution a nine out of ten.

I use it for managing identities, access, and security in a centralized way. I help other people use this product.

Using Azure AD has improved our security posture overall, more than anything I've ever worked with.

It enables end-users to be more secure without it actually affecting their work. Usually, security solutions makes it harder for them, so many start using other solutions instead, solutions that are not managed or monitored by the organization. But when we use Azure AD's Conditional Access, for example, as long as they behave, users don't even notice it.

The passwordless feature means they don't even need to have a password anymore. It's easier for users to be more secure. You can invite anyone to collaborate in a secure way. 

Passwordless sign-in, which is one of the new features where you no longer need to have a password, is one of the great features. Passwords have always been hard for end-users, but not so hard to bypass for bad guys. It often doesn't matter how complex or long your password is. If a bad guy can trick you into giving it to him or can sniff your keyboard or your network, or access it through malware, your password doesn't matter anyway. So all the complexity, length of the password, and having to regularly change it is hard for users, but it doesn't stop hackers. And that's what makes passwordless so valuable.

Multi-factor authentication is good as it allows you to answer a notification or even an SMS or a phone call, but that has become more unsecure now because the bad guys are learning new way to bypass these methods. But using passwordless technology, you're not even using a password anymore. You're basically just signing a logon request without actually sending, typing or storing the password. This is awesome for any user, regardless of whether you're a factory worker or a CFO. It's secure and super-simple.

It also stops phishing, which is amazing. If someone tricks a user into going into the "Macrosoft" store or some other site that looks like the real site, they can trick the user into signing in there and then they can steal the password. But if the user is using passwordless, the passwordless solution would say, "Sorry, I don't have a relationship here. I can't sign in." In that way, it can stopping phishing, which is one of the most common attack vectors right now.

Another feature that has improved our security posture is Conditional Access where we can not only say "yes" or "no" to a sign-in, but we can also have conditions. We can say, "Sure, you can sign in, but you need to be part of the right group. You need to come from a managed client. You can't come in with a risky sign-in. You need to come in from a certain platform or a certain network." You can have a really complex set of rules and if those rules are not fulfilled you will not be able to sign in, or we can require MFA or even control the session. That is also a really good security feature.

The B2B feature is another good one where, if I want to give someone access to my my apps or data, instead of creating an account and a password and giving that info to the user, I can invite that user so he or she can use their own existing account. That way, I don't need to manage password resets and the like. The B2B feature enables collaborating with anyone, anytime, anywhere.

The Azure AD Application Proxy, which helps you publish applications in a secure way, is really good, but has room for improvement. We are moving from another solution into the Application Proxy and the other one has features that the App Proxy doesn't have. An example is where the the role you're signing in as will send you to different URLs, a feature that App Proxy doesn't have (yet).

With Azure AD, if you look in detail on any of the features, you will see 20 good things but it can be missing one thing. All over the place there are small features that could be improved, but these improvement is coming out all the time. It's not like, "Oh, it's been a year since new features came out." Features are coming out all the time and I've even contacted Microsoft and requested some changes and they've been implemented as well.

I have been using Azure Active Directory for close to eight years now.

The stability or availability is incredible. It's super-good. However, just the other week, there was an outage for a few hours, so it's not 100 percent. But in Microsoft's defense, that hasn't happened for a long time.

What I also usually point out to people is that if you host your own solution and things break in the middle of the night, who's going to look at it? With this solution, you know that in the first millisecond that something breaks, 10 people or 100 people are looking at it. You get constant feedback about what's going on and you usually get a full report afterwards about what actually happened and how they will prevent them in the future. They are really good at managing these outages.

I don't know what the uptime is, but it's still 99.999 or something like that. It's super-trustworthy, but it's not 100 percent. What is? Still, it's likely much better than a private on-premises solution could ever be.

In terms of scalability there are no limits. I have customers with 10 people and others with up to 300,000, and everything in between. There is no difference. I haven't had to think about memory or disk space or CPU in a long time because everything just works. It's super-scalable.

We have 100 customers and all of them use Azure AD. They are spread all over the world. In Sweden, where I'm from, we have government municipalities, we have private corporations, hospitals, manufacturing. Everybody needs this. It doesn't matter which market or which area you work in. I don't see a target audience for this. It's everyone.

Their tech support is pretty good, depending on who you end up talking to. If you open a support request, you can be asked quite basic questions at first: "Have you tried turning it on and off again?" Sometimes we need to go through five people to get the correct people, the people who know the problem area really well. We usually dig really deep into the area and learn al lot first. We need someone who is expert in this product and who knows exactly how that area of the product works. Sometimes it takes a while to get to the correct person, but once you get there, they're usually super-knowledgeable, super-friendly and quick to reply. It can be tricky to find the right person. But I suppose that is the same in any company. 

Over the years, we have built up a contact network so we can usually contact the right people right away, as we are a Microsoft partner. But because this review is for everyone, I would suggest that you keep asking until you'll end up at the right people.

Overall, Microsoft is really attentive. Previously, you could say, "Can you show me the roadmap for the next three years?" and they would say "Sure." They don't really do that anymore because they say, "It now depends on what you want." We can help influence Microsoft how to prioritize. They have daily and weekly meetings where they discuss "What do people want now? How should we prioritize?" It's a totally new Microsoft compared with a few years ago. If I see something missing, they usually come up with it pretty quickly.

I see people moving from other solutions into Azure AD because they're not satisfied with the other solutions. 

The initial setup is a straightforward process, for such a complex technology. Although there are a lot of moving parts involved in actually setting it up, it is quite easy.

I've set this up for many and, in general, it takes less than a day to get things up and running. Then, of course, there's tons of optional configuration to improve and secure things, but just getting it up and running takes less than a day.

The implementation strategy used to be helping them get to the cloud, by doing things like making sure that they clean up the accounts in the on-premises solution and setting up the synchronization rules. But nowadays, most of my customers are people who have Azure AD in place already. So now I'm trying to enable and configure and improve security configuration. For example, you don't have to set up the passwordless feature and you don't have to do multi-factor authentication. They are optional. So my task now is more one of improving their configuration and turning on security features. A lot of it is secure by default, but some features require you to configure and set them up.

With the licensing there are so many features involved, and different features for different licensing levels. Those levels include the free version, as well as Premium P1, Premium P2. My approach with my clients is usually, "What kind of licenses do you have? Okay, let's improve this, because you have it already. You're paying for it already. Why not use it?" 

The next step is, "These features are included in the licensing you don't have. Do you think it's worth it?" I talk to them, I explain them, and I demonstrate them. They will usually say, "Yeah, we need that one."

I don't know other solutions really deeply. I know of them, but I'm a specialist who is focused on this one. But I realize, when I talked to other specialists in other areas, that they are solving the same problem, so they usually have similar solutions.

What Microsoft is winning on is that people used to say, "Buy the best product, the best in class or best in breed for each area." But that has changed now. "Buy the best ecosystem" is the better approach. If I have Azure AD as my identity and access solution, and if I also use Microsoft Defender for Endpoint and the Defender for Office 365, and other Microsoft solutions, I can then go to one portal, one place, and see how my apps are doing, how my users are doing, how my devices are doing, and how my data is doing. You get this super-integrated ecosystem where everything talks to each other. That is the strength.

In my opinion Azure AD is a fantasic standalone product, but you have so much more benefit from using it together with other Microsoft solutions.

The user usually doesn't care if we use Microsoft or any other vendor's to protect his identity or his computer or his data. They just want to do their jobs. But as admin, I see the advantage of using the same provider. I can actually create a query saying, "Show me all users who logged in to Azure AD from a device with this operating system, accessing this application, and who have a risk on their device, where a document is classified as sensitive." I can do all of that in one query for identity application devices and the data. That's the strength, having that insight into everything. And when it comes to security and Azure AD, Microsoft has 3,000 full-time security researchers, and they spend over a billion dollars each year on security research alone.

What's amazing is that the CIA, the FBI, and these big companies or organizations are using Azure AD, and they have really high requirements for audits and protection. As a "regular" organization, you can get the same level of security without have to ask for it. You get to ride on the coattails of that amazing security without spending $1 billion yourself.

If another Microsoft customer is hit by something bad, Microsoft is going to stop it for the rest of its customers. If you're the first to get hit by new bad malware, that may be tough, but all of the other customers are instantly protected because different customers share threat intelligence, in a way. You get the benefit of all the security discoveries that Microsoft makes, instantly.

Talk to someone who knows a lot about it. Sure, you can look at everything on the docs.microsoft.com page, but it can be hard to understand what each feature is and the value it give you. Talk to someone who knows both licensing and technology, to understand what's there and what you should pay for and what you should not pay for.

There are also a lot of good videos out there, like sessions from Microsoft Ignite. You also have the Microsoft Mechanics video series on YouTube with a lot of videos. So if you like to learn through video, there's a lot available for you. You can also go to docs of Microsoft.com and search for Azure AD. You will get like a starting page where you can learn the identity and access basics or also how you integrate apps. There is a link collection with everything and anything you would like to know. Or you can call me.

We are Security advisors. We help people, we train people, we implement it for them, we document it, we teach them, and we talk at seminars. We sell our knowledge. We don't sell solutions. There are 25 people in our company and five to 10 people are working with Azure AD. It's not that we need five for our daily operations, it's just that's how many of us are working with it. In general, a company might need one to five people working on it. If I need to set up a feature for five people or 500,000 people I do the same steps. The thing that is different in bigger companies, is that you need to communicate, you need to educate, you need to write Knowledge Base articles, you need to inform the service desk. All of those things are just to prepare users. But that has nothing to do with Azure AD. The technology is super-simple. It's more that the process around it is different in different companies.

The use case for this solution is the access to Office 365, Azure subscriptions, and several software as a service platforms as well as other SaaS-developed applications that we provide access to, such as, OpenID Connect, OAuth, or SAML.

It is a central point where we provide the cloud lock-in for our company. We focus the multi-factor authentication within Azure AD before jumping to other clouds or software as a service offerings. So, it is the central point when you need to access something for our company within the cloud. You go to Azure AD and can authenticate there, then you move from there to the target destination or the single sign-on.

Azure AD added a different layer. We were able to add multi-factor authentication for cloud applications, which was not possible before. We also may reduce our VPN footprint due to the Azure AD application proxy. We have a central point where we have registered our software as a service applications that we obtain from other providers or the applications that we host ourselves.

The most valuable feature is the possibility to create multi-tenant applications alone, or in combination with Azure Active Directory B2C. So, you can provide access to applications for your external partners without having to care about the accounts of external partners, because they will stick it in there as an AD tenant. That is the feature that I like the most.

The solution has features that have helped improve our security posture: 

• A tagging mechanism that we use for identifying who is the owner of an application registration. 
• Conditional access and multi-factor authentication, which are adding a lot to security. 
• The privileged identity management feature that has arisen off privileged access management. This is helping a lot when providing access to certain roles just-in-time. 

They are also still developing several other features that will help us.

It does affect the end user experience. It depends on where they are. When they are within the corporate network, then they already have a second factor that is automatically assigned to them. When they are outside of the company, that is when they have to provide a second factor. That is mostly a SMS message. Now, with the Microsoft Authenticator app that you can install on your mobile phone, we are shifting towards that. This has reduced errors because you may just say that you confirm a message on your mobile phone instead of typing the six-digit code, hoping that you are still in time, and that you entered it correctly. So, it does affect our employees. We try to be up-to-date there.

Mostly, it affects security. It is an obstacle that you have to climb. For example, if you have to enter the code in from the SMS message, then you have to wait for the SMS message to arrive and copy the code, or you have to transfer the code from the SMS message into the field. We reduce that workload for employees by having them be able to receive a message on their phone, then confirm that message. So, security is less of an obstacle, and it is more natural.

The user administration has room for improvement because some parts are not available within the Azure AD portal, but they are available within the Microsoft 365 portal. When I want to assign that to a user, it would be great if that would be available within the Azure AD portal.

It would be awesome to have a feature where you can see the permissions of a user in all their Azure subscriptions. Right now, you have to select a user, then you have to select the subscription to see which permissions the user has in their selected subscriptions. Sometimes, you just want to know, "Does that user have any permissions in any subscriptions?" That would be awesome if that would be available via the portal.

I have been using it for more than two years now.

The stability is very good. They had a problem recently that was hopefully the exception. 

I am looking forward to the adjustment of the SLA that they increased from 99.9 percent to 99.99 percent. With this increase, which should happen on the first of April (not an April joke), this should be a huge improvement for the visibility towards the world because this is a commitment by Microsoft, saying, "We are taking care of Azure AD." I think that is a very good thing.

From my point of view, it scales very well. There are different possibilities to take care of it, depending on what you want to achieve. Lately, they introduced something like administration units, where you can achieve that even a bit further to restrict the access of your administrator to a certain group. So, that should be really helpful for even better scaling.

One company has around 50,000 users and another company has around 200 users. For the bigger company, there are several people involved, three to four people. They are taking care of application registrations as well as the Azure AD Connect synchronization to see if there are any errors, then clear those errors. However, it is mostly the application, registration, and configuration of the Azure AD.

The technical support is great. We have access to a special unit within Microsoft where we have additional support besides the technical support. So, it has been really good working with Microsoft.

We have other tools: 

• Red Hat SSO
• OpenID Connect
• OAuth
• Azure Domain Federation.

We just removed the Azure Domain Federation (AD FS), thanks to the Azure AD.

Deployment time really depends on how you set up your Azure AD. You might: 

• Want to set up Azure AD Connect, then the process takes longer. 
• Just use Azure AD, then the process is much faster. 
• Directly connect to another source of truth, then there is something in-between. 

It really depends on your situation. I would say it takes between an hour and a week.

For the company, I didn't set it up. I did set it up for myself, but that was a simplified situation and I found the process to be straightforward.

Make sure that you get the most out of your Office 365 licenses for Azure AD. If you have additional concerns for users who don't have an Office 365 license, consider Azure AD Premium P1 and P2. Be aware that you have to evaluate your license usage beforehand.

Consider the usage of Azure AD Premium P1 and P2 when you are not assigning Microsoft or Office 365 licenses. This is really important to get access to good features, like conditional access, privilege identity management, and accessory use.

I would rate Azure AD as a nine out of 10.

The primary use case for Microsoft Entra ID is enterprise or company-wide system management. It allows us to join most systems, regardless of their location, to the active directory of the company's domain. This is particularly useful for managing PCs for remote workers and securing their devices.

Microsoft Entra ID has made managing users easier, as well as sending out policies and implementing restrictions. It simplifies the management of IT infrastructure.

The features I find most valuable are conditional access, privilege management, and dynamic groups. Conditional access allows us to set specific policies for security purposes. Privilege management enables us to assign specific roles to users, such as user administration, without giving everyone admin rights.

Microsoft often changes settings, and many features are scattered. It would be helpful if settings were grouped under a specific category, like authentication, to make it easier for beginners. The platform can be overwhelming for new users, so consistent organization of features is needed.

I have been working with Microsoft Entra ID for a good part of five years, migrating over from when it was previously named Azure Active Directory.

There can be outages or times when the portal is unresponsive, which is why I would rate the stability a seven.

I have not encountered any issues with scalability; it is for everyone. So, the scalability rating is ten out of ten.

I haven't raised any tickets with technical support, as I was part of the Microsoft technical support group.

Positive

No other solutions were used previously.

The initial setup is straightforward due to my experience, however, I would rate it a six or seven out of ten for someone new. Issues arise if users make incorrect choices during the out-of-box experience.

The deployment requires one person to create user profiles and assign relevant permissions, though two to three people may be needed for advanced features.

Business process-wise, Microsoft Entra ID makes managing users and IT infrastructure easier.

The pricing is fair compared to other products, and I would rate it a five out of ten for value for money.

No other solutions were evaluated.

For seamless integrations with other services, Microsoft Entra ID is likely the easiest tool. I would recommend it to others.

I'd rate the solution eight out of ten.