
Microsoft Entra ID (formerly Azure AD) for SME Security

Microsoft Entra ID is the identity platform at the heart of Microsoft 365 — managing user accounts, enforcing authentication policies, and controlling access to applications. Understanding Entra ID is essential for any business managing Microsoft 365 security.


Overview

Microsoft Entra ID (formerly Azure AD) is the identity platform at the heart of every Microsoft 365 tenant. It manages user accounts, enforces Conditional Access policies, monitors sign-in risk, and provides Privileged Identity Management. Entra ID P1 — included in M365 Business Premium — enables the most important security features for UK SMEs.


What Is Microsoft Entra ID?

Microsoft Entra ID (formerly Azure Active Directory or Azure AD) is Microsoft's cloud-based identity and access management platform. Every Microsoft 365 tenant includes an Entra ID directory — it is where user accounts are created, where group memberships are managed, where authentication happens, and where access policies are configured. When a user signs in to Outlook, Teams, or SharePoint, it is Entra ID that authenticates them.

The rebrand from Azure Active Directory to Microsoft Entra ID happened in 2023. The underlying technology is the same — if you see references to Azure AD in documentation or settings, these refer to the same service now called Entra ID. The admin portal is now at entra.microsoft.com.

Entra ID Licence Tiers

Entra ID is available in three tiers. Entra ID Free is included in all Microsoft 365 plans — it provides basic user and group management, SSO for up to 10 applications, and basic security reporting. Entra ID P1 is included in Microsoft 365 Business Premium — it adds Conditional Access, Privileged Identity Management (PIM), and self-service password reset. Entra ID P2 is included in Microsoft 365 E5 — it adds Identity Protection (risk-based Conditional Access using machine learning to assess sign-in and user risk) and Identity Governance.

For most UK SMEs on Business Premium, Entra ID P1 provides the critical security capabilities — Conditional Access for MFA enforcement and device compliance, and PIM for admin account protection.

Conditional Access: The Core Security Control

Conditional Access is the most important security feature in Entra ID P1. It is a policy engine that evaluates every access request — checking who is trying to access, from which device, from which location, with what level of sign-in risk — and determines whether to grant access, require additional verification, or block. AMVIA configures Conditional Access as the primary mechanism for enforcing MFA, blocking legacy authentication, and requiring device compliance across all M365 applications.

Privileged Identity Management (PIM)

Privileged Identity Management addresses one of the most significant security risks in Microsoft 365: permanent admin role assignments. If an account that is permanently assigned Global Administrator is compromised at any time, whether through phishing, credential theft, or malware, the attacker immediately has unrestricted access to the entire M365 tenant. PIM replaces permanent assignment with just-in-time elevation.

With PIM, admin roles are not permanently active. When a user needs to perform an admin task, they request role activation — providing a justification, specifying a duration, and sometimes requiring approval from another admin. The role is active for the specified duration and then automatically expires. Every activation is logged, providing a full audit trail of who activated which admin role, when, for how long, and what they did. AMVIA configures PIM for all admin accounts as a standard part of its M365 security service.

Identity Protection and Risk Signals

Entra ID continuously monitors sign-in activity for risk signals. These include: sign-ins from anonymous IP addresses or known Tor exit nodes; impossible travel (a user appearing to sign in from two geographically distant locations within a timeframe that makes travel impossible); leaked credentials (Microsoft monitors dark web sources for credential dumps); and atypical sign-in properties (unusual device, location, or time).

With Entra ID P1, these risk signals can inform Conditional Access policies — for example, requiring step-up MFA when a sign-in is flagged as medium risk, or blocking access entirely for high-risk sign-ins. With Entra ID P2, full Identity Protection adds more sophisticated risk modelling and can automatically remediate low-risk events.
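To make the impossible-travel signal described above concrete, the following added example (not AMVIA's or Microsoft's code, and a simplified check rather than Microsoft's detection) flags consecutive sign-ins by the same user that would require travelling faster than an assumed speed ceiling. The sample records, the 900 km/h ceiling and the 100 km minimum distance are assumptions chosen for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-ins (not real data): user, UTC time, latitude, longitude.
SIGN_INS = [
    ("alice@example.com", "2024-05-01T08:00:00Z", 51.5074, -0.1278),   # London
    ("alice@example.com", "2024-05-01T09:30:00Z", 40.7128, -74.0060),  # New York, 90 min later
    ("bob@example.com",   "2024-05-01T08:00:00Z", 51.5074, -0.1278),   # London
    ("bob@example.com",   "2024-05-01T12:00:00Z", 53.4808, -2.2426),   # Manchester, 4 h later
    ("carol@example.com", "2024-05-01T10:00:00Z", 55.9533, -3.1883),   # Edinburgh
    ("carol@example.com", "2024-05-01T10:00:00Z", 1.3521, 103.8198),   # Singapore, same instant
]

MAX_SPEED_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points on Earth."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def impossible_travel(sign_ins, max_speed_kmh=MAX_SPEED_KMH, min_km=100.0):
    """Return (user, km, hours) for consecutive sign-ins that imply impossible speed."""
    findings, last = [], {}
    for user, ts, lat, lon in sorted(sign_ins, key=lambda r: (r[0], parse(r[1]))):
        when = parse(ts)
        if user in last:
            p_when, p_lat, p_lon = last[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # Ignore short hops (IP geolocation is coarse). Zero elapsed time over
            # a long distance is always impossible, so never divide by it.
            if km >= min_km and (hours == 0 or km / hours > max_speed_kmh):
                findings.append((user, round(km), round(hours, 2)))
        last[user] = (when, lat, lon)
    return findings
```

A finding is a prompt for investigation, not proof of compromise: VPN egress points and mobile carrier routing can produce the same pattern for a legitimate user.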

Key Considerations for UK SMEs

  • Entra ID P1 (in M365 Business Premium) enables the most important security controls — Conditional Access and PIM
  • Review and remove stale accounts regularly — former employees, contractors, and test accounts are attack surface
  • Manage guest access carefully — Entra ID B2B allows external users into your tenant; review these accounts regularly
  • Enable self-service password reset — reduces helpdesk burden and ensures users can recover accounts without IT assistance
  • Monitor the Entra ID sign-in logs — they provide visibility of authentication activity and are essential for incident investigation
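The stale-account and guest review in the list above can be run over an exported user list. This added example (not AMVIA's tooling) flags enabled accounts with no sign-in inside a review window; the field names follow Microsoft Graph user objects, while the sample records, the 90-day window and the fixed review date are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real accounts), shaped like Microsoft Graph
# user objects; signInActivity is None when no sign-in has been recorded.
USERS = [
    {"userPrincipalName": "alice@example.com", "userType": "Member",
     "accountEnabled": True, "createdDateTime": "2021-03-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-28T08:12:00Z"}},
    {"userPrincipalName": "former.staff@example.com", "userType": "Member",
     "accountEnabled": True, "createdDateTime": "2020-01-15T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-11-02T17:40:00Z"}},
    {"userPrincipalName": "test01@example.com", "userType": "Member",
     "accountEnabled": True, "createdDateTime": "2022-06-10T09:00:00Z", "signInActivity": None},
    {"userPrincipalName": "supplier_partner.example#EXT#@example.com", "userType": "Guest",
     "accountEnabled": True, "createdDateTime": "2023-02-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-02-03T10:00:00Z"}},
    {"userPrincipalName": "leaver@example.com", "userType": "Member",
     "accountEnabled": False, "createdDateTime": "2019-05-01T09:00:00Z", "signInActivity": None},
    {"userPrincipalName": "newstarter@example.com", "userType": "Member",
     "accountEnabled": True, "createdDateTime": "2024-05-27T09:00:00Z", "signInActivity": None},
]
REVIEW_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the example is reproducible

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_accounts(users, now, stale_days=90):
    """Return {upn: reason} for enabled accounts with no sign-in inside the window."""
    cutoff = now - timedelta(days=stale_days)
    findings = {}
    for u in users:
        if not u["accountEnabled"]:
            continue  # already disabled; deletion is a separate decision
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        # An account that has never signed in is aged from its creation date,
        # so a new starter is not flagged before their first day.
        reference = _ts(last) if last else _ts(u["createdDateTime"])
        if reference < cutoff:
            kind = "guest" if u["userType"] == "Guest" else "member"
            detail = "last sign-in" if last else "never signed in, created"
            findings[u["userPrincipalName"]] = f"{kind}: {detail} {reference.date()}"
    return findings
```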

How AMVIA Can Help

AMVIA configures and manages Entra ID security as part of its Microsoft 365 security service. This includes Conditional Access policy configuration and management, PIM setup for all admin accounts, review and remediation of stale accounts and guest access, and monitoring of identity risk signals through AmviaIQ. For businesses migrating from on-premises Active Directory to Entra ID, AMVIA manages the identity migration as part of its M365 migration service. Contact AMVIA on 0333 733 8050.

Key Points

What UK businesses need to know about Microsoft Entra ID.

Every M365 Tenant Has Entra ID

Entra ID Free is included in all M365 plans. Entra ID P1 (Conditional Access, PIM) is included in M365 Business Premium. Entra ID P2 adds risk-based access and identity protection.

Single Sign-On for Cloud Apps

Entra ID provides single sign-on (SSO) to thousands of third-party SaaS applications — reducing the number of separate credentials staff manage.

Identity Protection Detects Risk

Entra ID monitors sign-ins for risk signals — impossible travel, anonymous IP, leaked credentials — and can trigger step-up authentication or block access automatically.

Privileged Identity Management

PIM requires just-in-time elevation for admin roles — no permanent Global Admin assignments — with approval workflow and full audit logging.

Entra ID Security Checklist

  • Conditional Access policies configured — MFA and device compliance enforced
  • Privileged Identity Management (PIM) deployed — no permanent Global Admin assignments
  • Stale accounts reviewed and removed — former staff, contractors, test accounts
  • Guest access reviewed — B2B guest accounts audited and unnecessary ones removed
  • Self-service password reset enabled — users can recover accounts without IT assistance
  • Sign-in logs monitored — risky sign-ins reviewed and investigated


Secure Your Microsoft 365 Identity

AMVIA configures Entra ID — Conditional Access, PIM, and identity risk monitoring — as part of its comprehensive Microsoft 365 security service.