In July 2023, Microsoft announced one of its most significant rebrandings: Azure Active Directory (Azure AD) became Microsoft Entra ID. If you're confused about what this means for your organization, you're not alone.
This guide clarifies what changed, what stayed the same, and what actions (if any) you need to take.
What Is Microsoft Entra ID?
Microsoft Entra ID is Microsoft's cloud-based identity and access management (IAM) service. It's the same service previously called Azure Active Directory—the rebrand didn't change the underlying technology.
Entra ID provides:
- Single sign-on (SSO) to thousands of applications
- Multi-factor authentication (MFA) for secure access
- Conditional Access policies for risk-based security
- Identity governance for access reviews and entitlements
- B2B and B2C identity for external users and customers
If you were using Azure AD before July 2023, you're now using Entra ID. No migration required.
Why Did Microsoft Rename Azure AD?
Microsoft's stated reasons for the rebrand:
- Reduce confusion with Windows Server Active Directory - Many IT pros confused Azure AD with on-premises AD, despite them being completely different products
- Align with Entra product family - Microsoft launched Entra as a category for identity and network access products
- Emphasize cloud-native identity - Distance from the "Active Directory" legacy perception
The Entra family now includes:
| Product | What It Does |
|---|---|
| Entra ID | Cloud identity management (formerly Azure AD) |
| Entra ID Governance | Identity lifecycle and access reviews |
| Entra External ID | Customer and partner identity (B2C/B2B) |
| Entra Permissions Management | Cloud permissions discovery and remediation |
| Entra Verified ID | Decentralized identity credentials |
| Entra Internet Access | Secure web gateway (SWG) |
| Entra Private Access | Zero-trust network access (ZTNA) |
What Changed vs What Stayed the Same
Changed (Branding Only)
| Old Name | New Name |
|---|---|
| Azure Active Directory | Microsoft Entra ID |
| Azure AD Free | Microsoft Entra ID Free |
| Azure AD Premium P1 | Microsoft Entra ID P1 |
| Azure AD Premium P2 | Microsoft Entra ID P2 |
| Azure AD External Identities | Microsoft Entra External ID |
| Azure AD B2C | Microsoft Entra External ID (B2C) |
| Azure AD Connect | Microsoft Entra Connect |
What Stayed the Same
- All functionality - Every feature works exactly as before
- APIs and endpoints - All URLs, APIs, and PowerShell commands unchanged
- Pricing - License costs and tiers remain the same
- Your tenant - No migration, no data movement, no disruption
- Integration - All apps connected to Azure AD still work
- Admin portals - Same portals, new labels
Do I Need to Do Anything?
For most organizations: No immediate action required.
Update Documentation (Optional)
If you have internal documentation referencing "Azure AD," consider updating it to "Entra ID" to avoid confusion for new employees.
Update Training Materials (Optional)
Training content mentioning Azure AD should be updated, especially for new hires unfamiliar with the old name.
No Technical Changes Needed
- PowerShell scripts - AzureAD module still works
- Microsoft Graph API - All endpoints unchanged
- SAML/OIDC integrations - No reconfiguration needed
- Conditional Access policies - Continue working
- License assignments - No changes
Entra ID vs On-Premises Active Directory
This is the confusion Microsoft hoped to address. Here's the definitive comparison:
| Aspect | On-Premises AD (AD DS) | Microsoft Entra ID |
|---|---|---|
| Deployment | Your data center | Microsoft cloud |
| Primary protocol | LDAP, Kerberos | SAML, OAuth, OIDC |
| Device management | Group Policy | Intune, Conditional Access |
| Authentication | NTLM, Kerberos | Modern authentication |
| Directory structure | OUs, domains, forests | Flat structure |
| Replication | Multi-master between DCs | Microsoft managed |
| Trust relationships | AD trusts | B2B collaboration |
Can They Work Together?
Yes! Most enterprises use both:
```text
┌─────────────────────────────────────────────────────────────┐
│                On-Premises Active Directory                 │
│  (Legacy apps, file servers, printers, domain-joined PCs)   │
└─────────────────────────────────────────────────────────────┘
                               │
                      Entra Connect (sync)
                               │
                               ▼
┌─────────────────────────────────────────────────────────────┐
│                     Microsoft Entra ID                      │
│  (Microsoft 365, SaaS apps, cloud resources, remote work)   │
└─────────────────────────────────────────────────────────────┘
```
Microsoft Entra Connect (formerly Azure AD Connect) synchronizes identities between on-premises AD and Entra ID, enabling:
- Same username/password for cloud and on-premises
- SSO to cloud apps using on-premises credentials
- Hybrid identity scenarios
Entra ID License Tiers
Free
Included with Microsoft 365 subscriptions:
- Basic user management
- SSO to Microsoft apps
- Basic security defaults
P1 ($6/user/month)
- Conditional Access
- Self-service password reset
- Dynamic groups
- Application proxy
- Cloud app discovery
P2 ($9/user/month)
Everything in P1, plus:
- Identity Protection (risk-based policies)
- Privileged Identity Management (PIM)
- Access reviews
- Entitlement management
Governance Add-on
Available separately or with E5:
- Lifecycle workflows
- Extended access reviews
- Custom security attributes
Common Entra ID Tasks
Create a Conditional Access Policy
Block sign-ins from risky locations:
- Go to Entra admin center > Protection > Conditional Access
- Click + New policy
- Assignments:
  - Users: All users (exclude emergency access accounts)
  - Cloud apps: All cloud apps
  - Conditions > Locations: Selected locations (block countries)
- Access controls:
  - Grant: Block access
- Enable policy and save
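The same policy can be created with the Microsoft Graph PowerShell module. This is an added example, not code from the original article; the function name, display names and parameters are hypothetical, and it starts the policy in report-only mode so the effect can be checked in the sign-in logs before it is enforced.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users
# Added example: location-based block policy with emergency access accounts excluded.
function New-CountryBlockPolicy {
    [CmdletBinding()]
    param(
        # ISO 3166-1 alpha-2 country codes to block (supplied by the caller).
        [Parameter(Mandatory)][string[]]$BlockedCountries,
        # UPNs of the emergency access accounts to exclude (supplied by the caller).
        [Parameter(Mandatory)][string[]]$EmergencyAccessUpn,
        # Report-only by default; pass 'enabled' once the sign-in logs look right.
        [ValidateSet('enabledForReportingButNotEnforced', 'enabled', 'disabled')]
        [string]$State = 'enabledForReportingButNotEnforced'
    )

    # Resolve the exclusions first so a mistyped UPN fails before anything is created.
    $excludeIds = foreach ($upn in $EmergencyAccessUpn) {
        (Get-MgUser -UserId $upn -ErrorAction Stop).Id
    }

    # Named location that holds the country list (hypothetical display name).
    $location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
        '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
        displayName                       = 'Blocked countries (example)'
        countriesAndRegions               = $BlockedCountries
        includeUnknownCountriesAndRegions = $false
    }

    # All users, all cloud apps, selected locations, grant control: block.
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = 'Block sign-ins from blocked countries (example)'
        state         = $State
        conditions    = @{
            clientAppTypes = @('all')
            users          = @{ includeUsers = @('All'); excludeUsers = @($excludeIds) }
            applications   = @{ includeApplications = @('All') }
            locations      = @{ includeLocations = @($location.Id) }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
}

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
    'Application.Read.All', 'User.Read.All'
# Call with your own values:
# New-CountryBlockPolicy -BlockedCountries <codes> -EmergencyAccessUpn <upn>
```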
Enable MFA for All Users
- Go to Entra admin center > Protection > Authentication methods
- Configure methods (Authenticator app, FIDO2, etc.)
- Create Conditional Access policy requiring MFA
- Or enable Security Defaults (free tier)
Set Up SSO for a SaaS App
- Go to Enterprise applications > + New application
- Search for app in gallery (Salesforce, Zoom, etc.)
- Configure SAML or OIDC settings
- Assign users or groups
- Test sign-in
PowerShell and CLI Updates
Microsoft is transitioning from the AzureAD module to Microsoft.Graph:
Legacy (Still Works)
```powershell
# Install Azure AD module
Install-Module AzureAD
# Connect
Connect-AzureAD
# Get users
Get-AzureADUser
```
Recommended (Microsoft Graph)
```powershell
# Install Microsoft Graph module
Install-Module Microsoft.Graph
# Connect
Connect-MgGraph -Scopes "User.Read.All"
# Get users
Get-MgUser
```
Azure CLI
```bash
# Still uses 'ad' subcommand (unchanged)
az ad user list
az ad group list
az ad app list
```
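To plan the move from the AzureAD module to Microsoft.Graph, it helps to know which scripts still call the legacy cmdlets. The following is an added example, not code from the original article: it uses the PowerShell parser so that comments and string literals are not reported, and the function name and sample script are constructed for illustration.

```powershell
# Added example: inventory of scripts that still call AzureAD-module cmdlets.
function Find-LegacyAzureAdCommand {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -Include '*.ps1', '*.psm1' | ForEach-Object {
        $file = $_.FullName
        $tokens = $null; $parseErrors = $null
        $ast = [System.Management.Automation.Language.Parser]::ParseFile(
            $file, [ref]$tokens, [ref]$parseErrors)
        # Walk every command invocation; comments and string literals are not commands.
        $commands = $ast.FindAll(
            { param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true)
        foreach ($cmd in $commands) {
            $name = $cmd.GetCommandName()
            if (-not $name) { continue }    # dynamic call such as & $var
            $reason = $null
            if ($name -match '^[A-Za-z]+-AzureAD') { $reason = 'AzureAD cmdlet' }
            elseif ($name -in 'Import-Module', 'Install-Module') {
                $module = $cmd.CommandElements | Select-Object -Skip 1 |
                    Where-Object { $_.Extent.Text.Trim('"', "'") -match '^AzureAD(Preview)?$' }
                if ($module) { $reason = 'loads AzureAD module' }
            }
            if ($reason) {
                [pscustomobject]@{
                    File = $file; Line = $cmd.Extent.StartLineNumber
                    Command = $cmd.Extent.Text; Reason = $reason
                }
            }
        }
    }
}

# Constructed sample input: the legacy snippet above plus a comment and a string
# that a plain text search would also match.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ([guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $dir | Out-Null
@'
# Get-AzureADUser appears here only in a comment
Install-Module AzureAD
Connect-AzureAD
Get-AzureADUser
Write-Host "Get-AzureADGroup inside a string"
Get-MgUser
'@ | Set-Content -Path (Join-Path $dir 'sample.ps1')
Find-LegacyAzureAdCommand -Path $dir | Format-Table Line, Command, Reason
Remove-Item -Recurse -Force $dir
```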
Security Best Practices for Entra ID
1. Enable Security Defaults (Minimum)
Free feature that enforces:
- MFA registration for all users
- MFA for admins always
- Block legacy authentication
2. Implement Conditional Access (P1+)
Create policies for:
- Require MFA for all users
- Block legacy authentication protocols
- Require compliant devices
- Block risky sign-ins
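Before a policy that blocks legacy authentication is enforced, the sign-in logs show which users and apps still depend on it. The following is an added example, not code from the original article: the function name is hypothetical, and treating every client app other than the two listed as legacy is an assumption of this example.

```powershell
#Requires -Modules Microsoft.Graph.Reports
# Added example: summarise recent sign-ins that did not use a modern-auth client.
function Get-LegacyAuthSignInSummary {
    [CmdletBinding()]
    param([ValidateRange(1, 30)][int]$Days = 7)

    # Assumption of this example: these two clientAppUsed values are modern
    # authentication; any other non-empty value is counted as legacy.
    $modern = 'Browser', 'Mobile Apps and Desktop clients'

    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    # The v1.0 sign-in endpoint covers interactive user sign-ins.
    $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

    $signIns |
        Where-Object { $_.ClientAppUsed -and $_.ClientAppUsed -notin $modern } |
        Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                User      = $first.UserPrincipalName
                ClientApp = $first.ClientAppUsed
                App       = $first.AppDisplayName
                SignIns   = $_.Count
                # Successful legacy sign-ins are the ones a block policy would break.
                Succeeded = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
                LastSeen  = ($_.Group | Measure-Object CreatedDateTime -Maximum).Maximum
            }
        } |
        Sort-Object Succeeded -Descending
}

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
Get-LegacyAuthSignInSummary -Days 7 | Format-Table -AutoSize
```

Rows with a non-zero Succeeded count are working dependencies to migrate first; rows with only failures are usually password-spray noise that the block policy will stop.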
3. Use Privileged Identity Management (P2)
- Just-in-time admin access
- Require approval for sensitive roles
- Time-bound role assignments
- Access reviews for privileged users
4. Monitor with Identity Protection (P2)
- Real-time risk detection
- Automated remediation
- Risky user and sign-in reports
- Integration with SIEM
5. Regular Access Reviews
- Quarterly reviews of group memberships
- App assignment reviews
- Guest user reviews
- Privileged role reviews
Migration Considerations
Moving from On-Premises AD to Cloud-Only
If you're considering eliminating on-premises AD:
- Inventory legacy apps - Identify apps requiring LDAP/Kerberos
- Migrate apps to modern auth - SAML, OIDC where possible
- Consider Entra Domain Services - Provides AD DS in Azure for legacy apps
- Plan device transition - Move from domain-joined to Entra-joined
- Test extensively - Pilot with a department before full migration
Entra Domain Services (Managed AD)
For apps that require traditional AD protocols when you don't want to manage domain controllers yourself:
| Feature | On-Premises AD | Entra Domain Services |
|---|---|---|
| Management | You manage DCs | Microsoft managed |
| Protocols | Full AD DS | Subset (LDAP, Kerberos, NTLM) |
| Schema extensions | Supported | Not supported |
| Group Policy | Full control | Limited |
| Trust relationships | Supported | One-way to Entra ID |
| Cost | Hardware + licensing | ~$109/month (Standard) |
Troubleshooting Common Issues
Users Can't Sign In
- Check user status in Entra admin center
- Verify license assignment
- Review Conditional Access policies
- Check for risky sign-in blocks
- Review sign-in logs for error codes
SSO Not Working
- Verify app is assigned to user
- Check SAML/OIDC configuration
- Review certificates (not expired)
- Test with Entra diagnostic tools
- Check app-specific requirements
Sync Issues (Entra Connect)
- Check Entra Connect health
- Verify sync service is running
- Review connector errors
- Check for duplicate attributes
- Verify network connectivity to Azure
Key Takeaways
- The rebrand is cosmetic - Azure AD and Entra ID are the same service
- No migration needed - Your tenant, data, and configurations are unchanged
- APIs unchanged - Existing integrations continue working
- Update documentation - Help new team members avoid confusion
- Consider the Entra family - New products worth evaluating for security
The rename from Azure AD to Entra ID reflects Microsoft's strategic direction toward comprehensive identity and access management. While the branding changed, the technology you depend on remains stable and fully compatible.
