Event details
The second webinar bridges theory to practice. Now that you know why unification matters, it’s time to learn how to get started. In this foundations panel session hosted by identity expert Merill Fernando, Microsoft product leaders will walk through the core steps to implement a unified identity and network foundation using Microsoft Entra Suite:
- Automated provisioning to keep access rightsized from day one
- Device onboarding and compliance to allow only healthy, trusted access
- Replacing legacy VPNs and securing on-premises applications with Conditional Access policies
You’ll see brief demos, get practical tips, take part in a live Q&A, and get a sneak peek at additional resources that can support your full deployment.
Speakers: Merill Fernando, Principal Product Manager; Jorge Lopez, Senior Product Manager; Nathan McNulty, MVP; Marilee Turscak, Senior Product Manager; Charles Lewis, Principal Tech Support Engineer; Ru Campbell, MVP
This event is part of the Microsoft Entra Practitioner Webinar Series. Check out the other sessions in this series:
36 Comments
- markorr321 (Occasional Reader)
Good Morning,
I have watched the webinar a couple of times between yesterday and today.
I spent a better part of 90 days trying to convince a client to purchase the Entra ID Suite.
One item of note if you’re interested in purchasing the full Entra ID Suite is that if you’re an M365 E5 customer you may be eligible for step-up pricing to Entra ID Suite.
We were able to get the cost per user down to $7.50 per user per month which is much more palatable than the MSRP cost.
Thought I’d share that bit of information. Not sure if that pricing is still available or not but it was for us.
I did have a question.
Ru mentioned something about going Entra ID joined as opposed to hybrid joined. I have had back-to-back clients that just went Hybrid joined because they had Active Directory and were essentially scared to go cloud only.
I expressed to them that this just wasn’t true and Entra ID Suite could help them bridge this gap in instances where there might be an on-premise dependency.
Is there any documentation anywhere about why you must go Hybrid Join as opposed to Entra ID joined? Perhaps a blog that breaks it down in small bite sized increments that stakeholders can understand?
Going Entra only is a hard sell. Can you help me with supporting documentation on how to sell it to my organization?
- avalport1 (Copper Contributor)
Best practice and recommendations from MVPs is to go Entra ID joined. Look at the Microsoft Cybersecurity Reference Architecture documentation https://aka.ms/MCRA , all the pages, but I focus on pages 59 - 61 the most. Also search for Zero Trust deployment plans. Entra ID Suite is the operations wrapper around all these architecture components. Every activity from an identity has six degrees of separation to these Microsoft tools and components.
Second recommendation: Purchase the Microsoft 365 Copilot license for yourself and use the Research agent - it's amazing. Example response:
Microsoft Entra ID Join vs. Hybrid Azure AD Join: Key Differences and Why Cloud-Only Is the Future
Microsoft’s latest guidance is clear: Hybrid Azure AD Join is a temporary bridge, not a long-term solution. The recommended end state for organizations is to move to Microsoft Entra ID Join (formerly Azure AD Join), which is cloud-native, requires no on-premises domain controllers for daily operation, and supports modern Zero Trust security models out of the box. In contrast, Hybrid Joined devices remain dependent on legacy Active Directory infrastructure, introducing complexity and technical debt.
Core Comparison
- Device Identity & Authentication:
- Entra ID Join: Devices are joined only to Entra ID, with cloud-based authentication and no on-premises computer account.
- Hybrid Join: Devices are joined to both on-prem AD and Entra ID, requiring dual identities and defaulting to on-prem authentication.
- Infrastructure Dependence:
- Entra ID Join: No domain controller needed for login or policy; works over the internet.
- Hybrid Join: Requires connectivity to on-prem AD for authentication, often needing VPN for remote users.
- Access to On-Prem Resources:
- Both models support access, but Entra ID Join uses user SSO with some prerequisites. Hybrid Join offers full native access but retains legacy dependencies.
- Management & Policy:
- Entra ID Join: Managed via Intune/MDM, supporting modern provisioning and policy enforcement.
- Hybrid Join: Supports both Group Policy and Intune, but with added complexity and potential policy conflicts.
- Provisioning & User Experience:
- Entra ID Join: Optimized for remote and modern deployment (e.g., Windows Autopilot), enabling users to log in from anywhere.
- Hybrid Join: Maintains traditional domain join processes, which can slow down remote onboarding.
- Security:
- Entra ID Join: Aligns with Zero Trust, reduces legacy attack surfaces, and leverages modern security controls.
- Hybrid Join: Inherits on-prem AD security risks and makes full Zero Trust harder to achieve.
- Administrative Overhead:
- Entra ID Join: Simplifies IT operations by removing the need for on-prem AD maintenance.
- Hybrid Join: Requires managing both environments, increasing complexity and technical debt.
- Long-Term Strategy:
- Entra ID Join: Future-proof, scalable, and receives new features first.
- Hybrid Join: Intended only as a stop-gap during migration to cloud-only identity.
Addressing Common Concerns
- On-prem apps and file shares: Entra ID–joined devices can still access most on-prem resources if user identities are synced and network connectivity is available. Only rare legacy cases require a computer’s AD account.
- Group Policy reliance: Intune and MDM solutions now cover most policy needs, and Microsoft recommends using Hybrid Join only if legacy GPOs are truly required—while working to modernize policies.
- Security: Entra ID Join is generally more secure, reducing attack surfaces and aligning with modern frameworks like Zero Trust. Hybrid Join retains legacy risks.
- Migration approach: A phased migration is best: enable Hybrid Join for existing devices, but make all new devices Entra ID–joined. Over time, retire on-prem AD as blockers are addressed.
- Legacy systems: For rare cases where legacy systems require AD, keep only those specific devices on-prem or use services like Azure AD Domain Services. Most users benefit from the simplicity and security of cloud join.
Bottom Line
Microsoft Entra ID Join is the strategic choice for organizations aiming to modernize, reduce complexity, and strengthen security. Hybrid Join is a valuable bridge, but not the destination. The sooner organizations embrace cloud-native identity, the more agile and secure their IT environment will be.
- Pearl-Angeles (Community Manager)
Thank you everyone for your participation during today's webinar! Below is a list of questions & comments the panelists addressed during the live Q&A, along with associated timestamps:
Question – What’s the one metric you track weekly that proves foundations are working—and what do you look for in the trend? – answered at 46:04.
Question – What are some of the most common mistakes people make when starting out with Conditional Access? – answered at 49:37.
Question – Great session!! I want to get started with the trial of Entra Suite. The information here today was amazing, and a little overwhelming! :) When I start the 90 day trial, what do you recommend I start with? As a baseline, or starting point? – answered at 52:06. Here are a couple of additional resources from the panelists:
- https://learn.microsoft.com/en-us/entra/architecture/gsa-poc-guidance-intro
- aka.ms/entrasuitetraining
Question – Is it possible to fully replace on premises Active Directory with Microsoft Entra? Is it recommended? How do we go about starting the migration? – answered at 56:33.
Question – BYOD -- bring your own device -- is unavoidable and a standard part of how our company operates. How do we handle these situations? – answered at 58:57.
Question – Is there a plan to incorporate the GSA client functionality into the Windows OS, like in the Defender agent for example? – answered at 1:02:06.
Comment – Non Entra-related but this lineup is incredible, Microsoft community royalty! Seriously, how does it feel to be this awesome, and how do you all keep delivering such high-quality knowledge to the community? I think I’m speaking on behalf of everyone when I say: thank you for all you do and for sharing your expertise so generously! – addressed at 1:03:16.
Question – Can you elaborate on how Microsoft Entra Private Access helps to replace legacy VPNs with ZTNA, and how it is different from a traditional VPN? – answered at 1:04:47.
Question – Any tips for dealing with a "rats nest" of CA policies? Is it best to start from scratch or try and identify the gaps and close them? – answered at 1:08:22.
Question – If we're replacing VPN, what private app or apps we should onboard to Entra Private Access first? Which Conditional Access controls do you pair with it on day one? – answered at 1:13:30.
Question – How does Entra Suite work with on-prem domain controllers? – answered at 1:14:55.
Question – When can I get rid of AD with my servers? – answered at 1:17:22.
Question – For long-term modernization, which approaches do you prefer for replacing Legacy LDAP-dependent auth apps (reverse-proxy SSO, OAuth/OIDC adapter, etc.), and what are typical pitfalls? For orgs with a vast on-prem presence for core applications that are mission critical. – answered at 1:19:59.
Question – If we still have on-prem AD and aren’t ready to provision most users as cloud-only - can we still use ID Governance? – answered at 1:22:43.
Question – What’s the most important mindset or principle that practitioners should embrace as they start their Zero Trust and identity journey? – answered at 1:24:44.
- MarkWonsil (Copper Contributor)
For office (small O) users, Entra is a nice fit. People generally have dedicated workstations and phones for phishing-resistant MFA. How can Entra help in the case of workers who move around the plant floor, restaurant, or other scenarios where there are shared workstations and sharing a logged-in computer is the norm? How do you get to a Zero Trust posture in the shared-workstation environment? Thanks!
- Nathan_McNulty (Copper Contributor)
Fortunately, these devices are still able to be managed and secured, but authentication in many of these environments is definitely a hard problem because Hello for Business has a limit of 10 logins, FIDO2 keys are far too expensive, and often phones aren't allowed.
Auto logged-in computers can sometimes be switched to act more like kiosks, ensuring email or timesheet access is logged out automatically. In other cases, blocking access to unnecessary resources might be more desirable. These devices are typically also more restricted on standard Internet access, so we do have opportunities for compensating controls. Outside of that, the new QR code sign-in or using Temporary Access Pass introduce some interesting ways to handle workflows that get away from standard passwords for specialized access. Sadly, there isn't a perfect solution for this yet, though I hope some day we get the ability to log in using a passkey from a phone like we can with Passwordless push :)
- MarkWonsil (Copper Contributor)
Thank you, Nathan. I think this is where Entra can really shine since this is also a layer 7 problem. We need identity to selectively allow people to various resources from the same workstation. As you mentioned, Windows Hello would be amazing, but that's authentication to the OS. Maybe something like secure profile switching in the browser might be better? And maybe not in one browser session but multiple browsers running at once secured by verifiable credentials using some biometric plus an NCF card that's cheaper than FIDO2 or phones. I do look forward to any frontline security solutions as this is a very underserved market mostly because it is not easy. Thanks!!!
- EnergyTZ (Occasional Reader)
If a third-party application, such as HP’s WXP, uses a connector to access and import Entra ID groups, does Entra offer any controls or monitoring capabilities to ensure the process is legitimate, routinely used, and not potentially malicious? Additionally, if the third-party application becomes unused, retired, or uninstalled, can Entra detect this change and provide an overview to help identify and mitigate any unnecessary attack surface?
- Nathan_McNulty (Copper Contributor)
This appears like it is granting consent for a multi-tenant app to access resources in our tenant as the user who consents (based on this: https://learn.workforceexperience.hp.com/docs/entra-id-groups)
Unfortunately, the controls we have over multi-tenant applications aren't as robust as single-tenant apps. We can definitely monitor usage and access through sign-in logs, and we can monitor deletion of the app in the audit logs. But as far as I know, we don't have controls over the credential types they use on their end or blocking by location if their services were compromised and abused :(
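The monitoring Nathan describes (usage through sign-in logs, deletion through audit logs) can be automated over exported log records. The script below is an added example, not code from the thread, from HP or from Microsoft: it takes records shaped like the Microsoft Graph signIn and directoryAudit resources, reports who consented to the app, who actually uses it and from where, how long it has been since the last successful sign-in, and whether its service principal has been removed. All ids, users and timestamps in it are constructed placeholder data, not real tenant logs.

```python
"""Added example (not from the thread, HP or Microsoft): review a third-party
multi-tenant app's footprint from exported Entra sign-in and directory-audit
records. Field names follow the Microsoft Graph signIn and directoryAudit
resources; every record below is constructed sample data and every id is a
placeholder."""
from datetime import datetime, timedelta, timezone

CONNECTOR_APP_ID = "app-id-placeholder"        # the connector's application (client) id
CONNECTOR_SP_ID = "sp-object-id-placeholder"   # its service principal object id in our tenant


def parse_ts(value):
    """Parse the Graph timestamp format (UTC with a 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample: Graph signIn records (subset of fields).
SAMPLE_SIGN_INS = [
    {"appId": CONNECTOR_APP_ID, "userPrincipalName": "alice@contoso.example",
     "createdDateTime": "2025-01-10T08:00:00Z", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}},
    {"appId": CONNECTOR_APP_ID, "userPrincipalName": "alice@contoso.example",
     "createdDateTime": "2025-02-01T09:30:00Z", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}},
    {"appId": CONNECTOR_APP_ID, "userPrincipalName": "alice@contoso.example",
     "createdDateTime": "2025-02-20T22:15:00Z", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 53003}},  # 53003 = blocked by Conditional Access
    {"appId": "other-app-id-placeholder", "userPrincipalName": "bob@contoso.example",
     "createdDateTime": "2025-03-01T10:00:00Z", "ipAddress": "203.0.113.11",
     "status": {"errorCode": 0}},      # unrelated app, must be ignored
]

# Constructed sample: Graph directoryAudit records for the same service principal.
SAMPLE_AUDITS = [
    {"activityDisplayName": "Consent to application", "activityDateTime": "2025-01-09T15:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"id": CONNECTOR_SP_ID, "displayName": "HP WXP connector"}]},
    {"activityDisplayName": "Remove service principal", "activityDateTime": "2025-03-01T12:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"id": CONNECTOR_SP_ID, "displayName": "HP WXP connector"}]},
]


def review_app(app_id, sp_id, sign_ins, audits, now, stale_days=30):
    """Summarise one app's usage and lifecycle events from exported log records."""
    mine = [s for s in sign_ins if s.get("appId") == app_id]
    ok = [s for s in mine if (s.get("status") or {}).get("errorCode") == 0]
    last_ok = max((parse_ts(s["createdDateTime"]) for s in ok), default=None)

    # Audit events whose target is this app's service principal.
    app_audits = [a for a in audits
                  if any(t.get("id") == sp_id for t in a.get("targetResources", []))]
    consented_by = sorted({a["initiatedBy"]["user"]["userPrincipalName"]
                           for a in app_audits
                           if a["activityDisplayName"] == "Consent to application"})
    removals = [a for a in app_audits if a["activityDisplayName"] == "Remove service principal"]

    return {
        "successful_sign_ins": len(ok),
        "failed_sign_ins": len(mine) - len(ok),
        "users": sorted({s["userPrincipalName"] for s in ok}),
        "source_ips": sorted({s["ipAddress"] for s in mine}),
        "last_successful": last_ok.strftime("%Y-%m-%dT%H:%M:%SZ") if last_ok else None,
        # Stale = never used successfully, or unused for longer than stale_days.
        "stale": last_ok is None or now - last_ok > timedelta(days=stale_days),
        "consented_by": consented_by,
        "removed": bool(removals),
        "removed_at": removals[-1]["activityDateTime"] if removals else None,
    }


def review_sample(now_iso, stale_days=30):
    """Run the review over the constructed sample data as of a given time."""
    return review_app(CONNECTOR_APP_ID, CONNECTOR_SP_ID, SAMPLE_SIGN_INS,
                      SAMPLE_AUDITS, parse_ts(now_iso), stale_days)


if __name__ == "__main__":
    for key, value in review_sample("2025-03-15T00:00:00Z").items():
        print(f"{key}: {value}")
```

In a real tenant the two input lists would come from an export of the sign-in and directory-audit logs filtered to the app; the checks that matter operationally are the `stale` flag (a connector nobody has used for weeks is attack surface with no business value) and `removed` (an uninstall on the vendor side does not remove the service principal from your tenant, so the consent survives until someone deletes it).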
- jbd88 (Copper Contributor)
For long-term modernization, which approaches do you prefer for replacing Legacy LDAP-dependent auth apps (reverse-proxy SSO, OAuth/OIDC adapter, etc.), and what are typical pitfalls? For orgs with a vast on-prem presence with core applications that are mission critical.
- Pearl-Angeles (Community Manager)
Thanks for your question! The panelists addressed this at 1:19:59.
- wolfkristen (Copper Contributor)
That’s the best idea: policy inventory
can’t that be automated?
- Heather_Poulsen (Community Manager)
Thanks for the question. Can you provide a little more clarity on what you are looking to automate?
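A Conditional Access policy inventory of the kind discussed in this exchange can be automated from an export of the tenant's policies. The script below is an added example, not code from the thread or from Microsoft: it takes policies shaped like the Microsoft Graph conditionalAccessPolicy resource, lists each policy's state and grant controls, flags disabled and report-only policies, exclusions that need review, tenant-wide blocks and policies whose conditions and controls duplicate another policy, and then reports coverage gaps (no enabled tenant-wide MFA policy, no enabled policy blocking legacy authentication clients). The policies and object ids in it are constructed placeholders.

```python
"""Added example (not from the thread or from Microsoft): a Conditional Access
policy inventory built from exported policy JSON. Field names follow the
Microsoft Graph conditionalAccessPolicy resource; the policies below are
constructed sample data and every object id is a placeholder."""
import json

# clientAppTypes values that denote legacy authentication clients.
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}

_ALL_USERS_ALL_APPS = {
    "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-id-placeholder"], "excludeGroups": []},
    "applications": {"includeApplications": ["All"]},
    "clientAppTypes": ["all"],
}

# Constructed sample policies (placeholder ids and names).
SAMPLE_POLICIES = [
    {"id": "p1", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": _ALL_USERS_ALL_APPS,
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p2", "displayName": "MFA all users (copy)", "state": "enabled",
     "conditions": _ALL_USERS_ALL_APPS,
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p3", "displayName": "Require compliant device", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"id": "p4", "displayName": "Old MFA pilot", "state": "disabled",
     "conditions": {"users": {"includeGroups": ["pilot-group-id-placeholder"]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def _signature(p):
    """Canonical form of a policy's scope and controls, used to spot duplicates."""
    return json.dumps({"conditions": p.get("conditions"), "grantControls": p.get("grantControls"),
                       "sessionControls": p.get("sessionControls")}, sort_keys=True)


def _covers_all(p):
    cond = p.get("conditions", {})
    return (cond.get("users", {}).get("includeUsers") == ["All"]
            and cond.get("applications", {}).get("includeApplications") == ["All"])


def _controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls") or [])


def build_inventory(policies):
    """Return per-policy rows with review flags plus tenant-level coverage gaps."""
    names_by_sig = {}
    for p in policies:
        names_by_sig.setdefault(_signature(p), []).append(p["displayName"])

    rows = []
    for p in policies:
        flags = []
        state = p.get("state")
        if state == "disabled":
            flags.append("disabled")
        elif state == "enabledForReportingButNotEnforced":
            flags.append("report-only")
        if not p.get("grantControls") and not p.get("sessionControls"):
            flags.append("no controls")
        users = p.get("conditions", {}).get("users", {})
        excluded = len(users.get("excludeUsers") or []) + len(users.get("excludeGroups") or [])
        if excluded:
            flags.append(f"{excluded} exclusion(s) to review")
        if _covers_all(p) and _controls(p) == {"block"}:
            flags.append("tenant-wide block")
        duplicates = [n for n in names_by_sig[_signature(p)] if n != p["displayName"]]
        if duplicates:
            flags.append("overlaps: " + ", ".join(duplicates))
        rows.append({"name": p["displayName"], "state": state,
                     "controls": sorted(_controls(p)), "flags": flags})

    enabled = [p for p in policies if p.get("state") == "enabled"]
    gaps = []
    if not any(_covers_all(p) and "mfa" in _controls(p) for p in enabled):
        gaps.append("no enabled tenant-wide MFA policy")
    if not any(set(p.get("conditions", {}).get("clientAppTypes") or []) & LEGACY_CLIENTS
               and "block" in _controls(p) for p in enabled):
        gaps.append("no enabled policy blocks legacy authentication clients")
    return {"rows": rows, "gaps": gaps}


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_POLICIES)
    for row in inventory["rows"]:
        print(f"{row['name']:<30} {row['state']:<36} {row['controls']} {row['flags']}")
    print("gaps:", inventory["gaps"])
```

The duplicate check compares the full conditions and controls, so two policies that differ only in name are reported against each other; loosening it (for example, comparing scope only) is how you would surface the partial overlaps that make a policy set hard to reason about. Gap checks are deliberately conservative: an MFA policy counts as tenant-wide only when it targets all users and all cloud apps and is actually enabled, not report-only.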
- Johanna_Vicknair (Copper Contributor)
How does Entra Suite work with On-prem domain controllers?
- Pearl-Angeles (Community Manager)
We appreciate your participation! The panelists discussed this question at 1:14:55 during the live Q&A.
- papagolf (Copper Contributor)
Any tips for dealing with a rats nest of CA policies, is it best to start from scratch or try and identify the gaps and close them?
- Pearl-Angeles (Community Manager)
Thanks for your question! The panelists covered this at around 1:08:22 during the live session.
- wolfkristen (Copper Contributor)
When can I get rid of AD with my Servers?
- Pearl-Angeles (Community Manager)
Thank you for your question! The panelists answered this at 1:17:22.
- Welka (Copper Contributor)
Non Entra-related but this lineup is incredible, Microsoft community royalty! Seriously, how does it feel to be this awesome, and how do you all keep delivering such high-quality knowledge to the community? I think I’m speaking on behalf of everyone when I say: thank you for all you do and for sharing your expertise so generously!
- Pearl-Angeles (Community Manager)
We appreciate the wonderful feedback! The panelists addressed your comment at 1:03:16 during the session.
- Heather_Poulsen (Community Manager)
So glad that you are enjoying this series!