Core Infrastructure and Security Blog

Microsoft Entra ID Tenant Starters Guide: Understanding Identity Management and Licensing

GregorWohlfarter
May 29, 2024

Introduction

Microsoft Entra ID Tenant is a cloud-based identity and access management service that helps you manage your organization's users, devices, applications, and resources[1]. It is a powerful and flexible solution that enables you to securely connect your employees, customers, and partners to the digital resources they need, while protecting your organization from unauthorized access and identity threats. In this guide, you will learn the basics of Microsoft Entra ID Tenant, how to access and use it, how to manage licenses for different Microsoft products and services, and how to address some common challenges and scenarios related to identity management and licensing.


What is Microsoft Entra ID Tenant?

Microsoft Entra ID Tenant is the new name for Azure Active Directory, the cloud-based identity and access management service that is part of the Microsoft cloud platform[2]. Microsoft Entra ID Tenant is more than just a directory service: it is a comprehensive identity platform that provides a range of features and capabilities, such as[3]:

  • User management: You can create and manage user accounts, either manually, through bulk import, or by synchronizing with your on-premises Active Directory. You can also assign roles and permissions to users, either directly or through groups, to control their access to resources and tasks.
  • Authentication and authorization: You can enable single sign-on (SSO) and multi-factor authentication (MFA) for your users, to simplify and secure their login experience[4]. You can also use conditional access policies to enforce context-aware and risk-based access rules, such as requiring MFA for certain locations, devices, or applications.
  • Application management: You can register and manage applications that use Microsoft Entra ID Tenant as their identity provider, either Microsoft or third-party applications[5]. You can also integrate with other identity providers, such as social media accounts, to allow your users to sign in with their existing credentials.
  • Identity protection: You can monitor and detect suspicious activities and identity risks, such as compromised credentials, sign-in anomalies, or malicious attacks[6]. You can also use identity governance features, such as access reviews, entitlement management, and privileged identity management, to ensure that your users have the right level of access at the right time[7].
  • Identity and access management (IAM) for developers: You can use Microsoft Entra ID Tenant as a platform to build secure and scalable applications that leverage the Microsoft identity ecosystem. You can use various tools and protocols, such as Microsoft Graph, OpenID Connect, OAuth 2.0, and SAML, to integrate with Microsoft Entra ID Tenant and access its APIs and data[8].

Microsoft Entra ID Tenant is the foundation of Microsoft 365, Azure, and Dynamics 365, and it also supports other Microsoft products and services, such as Power Platform, Microsoft Teams, and SharePoint. By using Microsoft Entra ID Tenant, you can benefit from a unified and consistent identity experience across the Microsoft cloud, as well as a seamless integration with other cloud and on-premises solutions.


How to access Microsoft Entra ID Tenant?

You can access Microsoft Entra ID Tenant through three different portals, depending on your needs and preferences. These are:

  • The Microsoft 365 admin center: This is the main hub for managing your Microsoft 365 subscription, including users, groups, billing, and security[9]. You can use this portal to perform basic identity and access management tasks, such as creating and managing user accounts, assigning licenses, enabling SSO and MFA, and configuring domains and applications[10]. You can access the Microsoft 365 admin center at https://admin.microsoft.com
  • The Azure portal: This is the main hub for managing your Azure resources, including virtual machines, databases, storage, and networking[11]. You can use this portal to perform advanced identity and access management tasks, such as creating and managing custom roles, setting up conditional access policies, registering and managing applications, and using identity protection and governance features. You can access the Azure portal at https://portal.azure.com
  • The Entra admin center: This is the main hub for managing your Entra ID Tenant settings, including domains, applications, identity providers, and policies. You can use this portal to perform specific identity and access management tasks, such as adding and verifying domains, configuring SSO and MFA settings, managing application registrations and permissions, and configuring identity provider settings. You can access the Entra admin center at https://entra.microsoft.com

To access any of these portals, you need to have a user account in your Entra ID Tenant, and you need to have the appropriate role and permission to perform the tasks you want to do[12]. You can sign in to any of these portals using your Entra ID Tenant credentials, which are usually in the format of username@domain.com, where domain.com is the domain name of your Entra ID Tenant. You can also use your Microsoft account, if you have one, to sign in to the Azure portal or the Entra ID Tenant portal, as long as your Microsoft account is associated with your Entra ID Tenant.


How to manage licenses with Microsoft Entra ID Tenant?

Microsoft Entra ID Tenant allows you to manage licenses for different Microsoft products and services that your organization uses. Licenses are the way that Microsoft charges you for using its cloud services, and they also determine the features and capabilities that you and your users can access. There are two types of licenses that you need to be aware of:

  • Office licenses: These are the licenses that enable you to use the Microsoft 365 suite of products and services, such as Outlook, Word, Excel, PowerPoint, OneDrive, SharePoint, and Teams. There are different plans and editions of Microsoft 365, such as E3 and E5, that offer different levels of functionality and security[13]. You can assign Office licenses to your users individually or in bulk, or you can use group-based licensing to automatically assign licenses to members of a group. You can also view and manage your Office license inventory, usage, and expiration, and purchase or cancel licenses as needed. You can use the Microsoft 365 admin center to manage Office licenses.
  • Entra ID Tenant licenses: These are the licenses that enable you to use the Microsoft Entra ID Tenant features and capabilities, such as conditional access, identity protection, identity governance, and IAM for developers. There are different plans and editions of Entra ID Tenant, such as free, P1, P2, and Entra ID Governance, that offer different levels of functionality and security[14]. You can assign Entra ID Tenant licenses to your users individually or in bulk, or you can use group-based licensing to automatically assign licenses to members of a group. You can also view and manage your Entra ID Tenant license inventory, usage, and expiration, and purchase or cancel licenses as needed. You can use the Azure portal or the Entra ID Tenant portal to manage Entra ID Tenant licenses.

It is important to note that Office licenses and Entra ID Tenant licenses are separate and independent from each other, and they have different pricing and billing models. You can have users who have only Office licenses, only Entra ID Tenant licenses, both, or neither. You can also have different combinations of Office and Entra ID Tenant licenses, depending on your needs and preferences. For example, you can have users who have Microsoft 365 E3 and Entra ID Tenant P1 licenses, or users who have Microsoft 365 E5 and Entra ID Tenant free licenses. You can also have users who have no Office licenses, but have Entra ID Tenant P2 licenses, or users who have no Entra ID Tenant licenses, but have Office licenses.
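As an added example (not code from the original post), the following Python script classifies users into the four combinations described above by reading Graph-style data. It runs offline over constructed JSON in the shape of GET /subscribedSkus and GET /users?$select=userPrincipalName,assignedLicenses; the SKU part numbers (SPE_E3, SPE_E5, AAD_PREMIUM, AAD_PREMIUM_P2) and the skuId GUIDs are assumptions, and only top-level SKUs are inspected, not the service plans bundled inside a suite SKU.

```python
"""Classify users by Office vs. Entra ID license combination (added example).

Runs offline over constructed Graph-style JSON (shapes of GET /subscribedSkus
and GET /users?$select=userPrincipalName,assignedLicenses). SKU part numbers
are assumed; skuIds are fake. Only top-level SKUs are inspected, not the
servicePlans bundled inside a suite SKU.
"""
import json
from collections import Counter

# Constructed /subscribedSkus response (fake skuIds).
SUBSCRIBED_SKUS = json.loads("""{"value": [
  {"skuId": "11111111-0000-0000-0000-000000000001", "skuPartNumber": "SPE_E3"},
  {"skuId": "11111111-0000-0000-0000-000000000002", "skuPartNumber": "SPE_E5"},
  {"skuId": "22222222-0000-0000-0000-000000000001", "skuPartNumber": "AAD_PREMIUM"},
  {"skuId": "22222222-0000-0000-0000-000000000002", "skuPartNumber": "AAD_PREMIUM_P2"}
]}""")

# Constructed /users response covering the four combinations the text describes.
USERS = json.loads("""{"value": [
  {"userPrincipalName": "alice@contoso.example", "assignedLicenses": [
     {"skuId": "11111111-0000-0000-0000-000000000001"},
     {"skuId": "22222222-0000-0000-0000-000000000001"}]},
  {"userPrincipalName": "bob@contoso.example", "assignedLicenses": [
     {"skuId": "11111111-0000-0000-0000-000000000002"}]},
  {"userPrincipalName": "carol@contoso.example", "assignedLicenses": [
     {"skuId": "22222222-0000-0000-0000-000000000002"}]},
  {"userPrincipalName": "dave@contoso.example", "assignedLicenses": []}
]}""")

OFFICE_SKUS = {"SPE_E3", "SPE_E5"}              # assumed part numbers
ENTRA_SKUS = {"AAD_PREMIUM", "AAD_PREMIUM_P2"}  # assumed part numbers


def sku_map(subscribed):
    """Map skuId -> skuPartNumber from a /subscribedSkus response."""
    return {s["skuId"]: s["skuPartNumber"] for s in subscribed["value"]}


def classify(user, skus):
    """Return 'both', 'office-only', 'entra-only' or 'none' for one user."""
    parts = {skus.get(lic["skuId"], "UNKNOWN") for lic in user["assignedLicenses"]}
    has_office, has_entra = bool(parts & OFFICE_SKUS), bool(parts & ENTRA_SKUS)
    if has_office and has_entra:
        return "both"
    return "office-only" if has_office else "entra-only" if has_entra else "none"


def license_report(users, subscribed):
    """Classify every user; returns ({upn: category}, Counter of categories)."""
    skus = sku_map(subscribed)
    per_user = {u["userPrincipalName"]: classify(u, skus) for u in users["value"]}
    return per_user, Counter(per_user.values())
```

Against a live tenant the same two functions work unchanged on the real responses of those endpoints; the "UNKNOWN" fallback surfaces SKUs that are assigned but missing from the subscribed list.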


What are the benefits and drawbacks of having a multi-tenant setup?

A multi-tenant setup is when you have more than one Entra ID Tenant in your organization, and you use them to manage different sets of users, devices, applications, and resources. For example, you might have a main Entra ID Tenant for your corporate users and resources, and a separate Entra ID Tenant for your external partners and customers[15]. You might also have multiple Entra ID Tenants for different regions, divisions, or subsidiaries of your organization.

There are some benefits and drawbacks of having a multi-tenant setup, and you need to weigh them carefully before deciding whether to use it or not.


Some of the benefits are:

  • Increased isolation and security: You can use different Entra ID Tenants to isolate and protect different sets of users, devices, applications, and resources from each other, and to enforce different security policies and controls for each Entra ID Tenant. For example, you can use different MFA and conditional access settings for your corporate and external users, or you can use different identity protection and governance features for your different regions, divisions, or subsidiaries.
  • Increased flexibility and customization: You can use different Entra ID Tenants to tailor and customize different sets of users, devices, applications, and resources to meet your specific needs and preferences. For example, you can use different domains, applications, identity providers, and policies for each Entra ID Tenant, or you can use different plans and editions of Entra ID Tenant for each Entra ID Tenant.
  • Increased scalability and performance: You can use different Entra ID Tenants to scale and optimize different sets of users, devices, applications, and resources to handle different workloads and demands. For example, you can use different regions, availability zones, and service levels for each Entra ID Tenant, or you can use different resource quotas and limits for each Entra ID Tenant.


Some of the drawbacks are:

  • Increased complexity and overhead: You have to manage and maintain multiple Entra ID Tenants, which can increase the complexity and overhead of your identity and access management tasks. For example, you have to create and manage user accounts, assign licenses, register and manage applications, and configure settings and policies for each Entra ID Tenant, and you have to keep track of the different Entra ID Tenants and their relationships and dependencies.
  • Increased cost and inefficiency: You have to pay for and use multiple Entra ID Tenants, which can increase the cost and inefficiency of your identity and access management tasks. For example, you have to purchase and assign licenses, allocate and consume resources, and monitor and troubleshoot issues for each Entra ID Tenant, and you might have to deal with license and resource wastage, duplication, and inconsistency across different Entra ID Tenants.
  • Decreased user experience and collaboration: Your users have to work across multiple Entra ID Tenants, which can degrade their experience and make collaboration harder. For example, they have to sign in and switch between different Entra ID Tenants, use different credentials and profiles, and access different applications and resources in each Entra ID Tenant, and they might run into sign-in and access issues, confusion, and frustration across different Entra ID Tenants.


How to best handle identities and access across tenants?

If you have a multi-tenant setup, you might need to handle identities and access across different Entra ID Tenants, depending on your scenarios and requirements. For example, you might need to allow your users to access applications and resources in different Entra ID Tenants, or you might need to share your applications and resources with users in different Entra ID Tenants. There are different ways to handle identities and access across tenants, and you need to choose the best one for your situation. Some of the ways are:

  • Guest users: You can invite users from other Entra ID Tenants to be guest users in your Entra ID Tenant, and you can assign them roles and permissions to access your applications and resources[16]. Guest users can use their own credentials and profiles to sign in to your Entra ID Tenant, and they can use SSO and MFA to access your applications and resources. Guest users can also use their own licenses and subscriptions to access your applications and resources, or you can assign them your licenses and subscriptions, depending on your settings and preferences. You can use the Azure portal or the Entra ID Tenant portal to invite and manage guest users.
  • B2B collaboration: You can use the business-to-business (B2B) collaboration feature of Entra ID Tenant to enable cross-tenant collaboration and access for your users and applications. B2B collaboration allows you to establish trust relationships between different Entra ID Tenants, and to use federation and SSO to enable seamless and secure access for your users and applications[17]. B2B collaboration also allows you to use conditional access and identity protection to enforce context-aware and risk-based access rules for your users and applications. You can use the Azure portal or the Entra ID Tenant portal to enable and manage B2B collaboration.

Figure 1 Securing the Future of B2B Collaboration: A Visual Representation of Enhanced Security Measures in Workforce and Business Partner Interactions

  • B2C identity: You can use the business-to-consumer (B2C) identity feature of Entra ID Tenant to enable cross-tenant identity and access for your customers and partners. B2C identity allows you to create and manage user accounts for your customers and partners in your Entra ID Tenant, and to use various identity providers, such as social media accounts, to allow them to sign in with their existing credentials[18]. B2C identity also allows you to use user flows and custom policies to customize and control the user experience and access for your customers and partners. You can use the Azure portal or the Entra ID Tenant portal to enable and manage B2C identity.
  • Azure Lighthouse: You can use the Azure Lighthouse feature of Azure to enable cross-tenant management and access for your resources and services. Azure Lighthouse allows you to delegate and manage access to your resources and services across different Entra ID Tenants, and to use a single pane of glass to view and manage your resources and services across different Entra ID Tenants[19]. Azure Lighthouse also allows you to use role-based access control (RBAC) and Azure Policy to enforce granular and consistent access rules for your resources and services. You can use the Azure portal or the Azure Lighthouse portal to enable and manage Azure Lighthouse.

Figure 2 Navigating the Azure Lighthouse: A Comprehensive Illustration of Multitenant Management, Delineating the Foundation, Control Plane, Options and Emerging Scenarios
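Guest users can be assigned roles in your tenant, as described above, so a defender wants to know which external identities hold privileged roles and which invitations were never redeemed. The following Python script is an added example (not from the original post): it runs offline over constructed Graph-style JSON in the shape of GET /users?$select=id,userPrincipalName,userType,externalUserState and GET /directoryRoles?$expand=members, and the privileged-role list and all identifiers are assumptions for illustration.

```python
"""Audit guest (B2B) accounts for privileged role membership (added example).

Runs offline over constructed Graph-style JSON in the shape of
GET /users?$select=id,userPrincipalName,userType,externalUserState and
GET /directoryRoles?$expand=members. The privileged-role list and all
identifiers are assumptions for illustration.
"""
import json

# Constructed users: one member, one accepted guest, one guest still pending.
USERS = json.loads("""{"value": [
  {"id": "u1", "userPrincipalName": "alice@contoso.example",
   "userType": "Member", "externalUserState": null},
  {"id": "u2", "userPrincipalName": "pat_fabrikam.example#EXT#@contoso.example",
   "userType": "Guest", "externalUserState": "Accepted"},
  {"id": "u3", "userPrincipalName": "sam_partner.example#EXT#@contoso.example",
   "userType": "Guest", "externalUserState": "PendingAcceptance"}
]}""")

# Constructed directory roles with expanded members.
DIRECTORY_ROLES = json.loads("""{"value": [
  {"displayName": "Global Administrator", "members": [{"id": "u1"}, {"id": "u2"}]},
  {"displayName": "Directory Readers", "members": [{"id": "u3"}]}
]}""")

# Assumed set of roles that should not be held by external identities.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "User Administrator", "Application Administrator"}


def guest_users(users):
    """Return {id: user} for every account whose userType is Guest."""
    return {u["id"]: u for u in users["value"] if u["userType"] == "Guest"}


def audit_guests(users, roles):
    """List (finding, upn, role) tuples: guests in privileged roles and
    invitations that were never redeemed (stale invites are easy to forget)."""
    guests = guest_users(users)
    findings = []
    for role in roles["value"]:
        if role["displayName"] in PRIVILEGED_ROLES:
            for member in role["members"]:
                if member["id"] in guests:
                    upn = guests[member["id"]]["userPrincipalName"]
                    findings.append(("privileged-guest", upn, role["displayName"]))
    for guest in guests.values():
        if guest["externalUserState"] == "PendingAcceptance":
            findings.append(("pending-invite", guest["userPrincipalName"], None))
    return findings
```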


Summary

In this guide, we have introduced the key concepts and features of Microsoft Entra ID Tenant, a cloud-based identity and access management service that helps you manage your organization's users, devices, applications, and resources. We have explained the purpose and benefits of using Entra ID Tenant, the identity fundamentals, the trust relationships between Entra ID Tenant and Azure subscriptions, the licensing model for Entra ID Tenant, the benefits and drawbacks of having a multi-tenant setup, and the best practices for handling identities and access across tenants. We have also shown how to get a new tenant and how to use Azure Lighthouse to manage multiple tenants. We hope this guide has helped you understand and appreciate the power and flexibility of Microsoft Entra ID Tenant.

References


[1] What is Microsoft Entra ID? - Microsoft Entra | Microsoft Learn

[2] New name for Azure Active Directory - Microsoft Entra | Microsoft Learn

[3] Introduction to identity - Microsoft Entra | Microsoft Learn

[4] Authentication vs. authorization - Microsoft identity platform | Microsoft Learn

[5] Manage access to apps - Microsoft Entra ID | Microsoft Learn

[6] What is Microsoft Entra ID Protection? - Microsoft Entra ID Protection | Microsoft Learn

[7] Microsoft Entra ID Governance - Microsoft Entra ID Governance | Microsoft Learn

[8] What is identity and access management (IAM)? - Microsoft Entra | Microsoft Learn

[9] Microsoft 365 admin center - Overview - Microsoft 365 admin | Microsoft Learn

[10] Microsoft Entra setup guides - Microsoft 365 admin | Microsoft Learn

[11] What is the Azure portal? - Azure portal | Microsoft Learn

[12] Microsoft Entra built-in roles - Microsoft Entra ID | Microsoft Learn

[13] Compare Office 365 Enterprise Pricing and Plans | Microsoft 365

[14] Microsoft Entra ID licensing - Microsoft Entra | Microsoft Learn

[15] Multitenant organization capabilities in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn

[16] Quickstart: Add a guest user and send an invitation - Microsoft Entra External ID | Microsoft Learn

[17] Overview - External ID in workforce tenants - Microsoft Entra External ID | Microsoft Learn

[18] What is Azure Active Directory B2C? | Microsoft Learn

[19] What is Azure Lighthouse? - Azure Lighthouse | Microsoft Learn

Updated May 29, 2024
Version 2.0