Microsoft 365 Security

Microsoft Entra ID (formerly Azure AD) Security for UK Businesses

Overview

Microsoft Entra ID (formerly Azure AD) is the identity platform at the heart of every Microsoft 365 tenant. It manages user accounts, enforces Conditional Access policies, monitors sign-in risk, and provides Privileged Identity Management. Entra ID P1 — included in M365 Business Premium — enables the most important security features for UK SMEs.

Microsoft Entra ID is the identity and access management system at the core of Microsoft 365. Every time a user signs in to Outlook, Teams, SharePoint, or any other Microsoft 365 service, Entra ID authenticates their identity and determines what they are permitted to access. Securing Entra ID is the single most important step in protecting a Microsoft 365 environment — because compromising it gives an attacker access to everything.

What Is Microsoft Entra ID?

Microsoft Entra ID — rebranded from Azure Active Directory (Azure AD) in 2023 — is Microsoft's cloud-based identity and access management platform. It is the directory service for Microsoft 365, storing user accounts, groups, devices, and application registrations, and providing authentication and authorisation services for all Microsoft and integrated third-party applications.

For UK SMEs using Microsoft 365, Entra ID is automatically provisioned as part of the subscription. Every Microsoft 365 user account exists in Entra ID. Every sign-in to a Microsoft 365 service is authenticated by Entra ID. Every permission granted to access SharePoint, Teams, or Exchange flows through Entra ID.

The rename from Azure AD to Entra ID reflects Microsoft's expansion of the platform beyond Azure cloud services into a broader identity security portfolio that now includes governance, permissions management, and identity verification products.

Why Entra ID Is the Primary Target for Attackers

Identity is the new perimeter. When corporate networks were the boundary of IT, attackers needed to breach the network to reach company data. Cloud-based platforms like Microsoft 365 have moved the boundary to identity — and Entra ID is the gatekeeper.

The consequences of a compromised Entra ID account are severe. An attacker with a valid set of credentials gains access to email (enabling them to intercept financial transactions, read confidential communications, or conduct Business Email Compromise fraud), files in SharePoint and OneDrive, and potentially other connected applications — from line-of-business software to cloud services that trust Microsoft's authentication.

According to Microsoft's own data, over 95% of identity attacks are conducted using stolen credentials — typically harvested through phishing. The 2025 UK Cyber Security Breaches Survey identified phishing as the most common attack vector for UK businesses, and Business Email Compromise (BEC) — which relies on compromised Microsoft 365 accounts — cost UK businesses an estimated £190 million in 2024.

Key Security Features Within Microsoft Entra ID

Multi-Factor Authentication (MFA)

MFA is the most impactful Entra ID security control. It requires users to prove their identity using a second factor — a push notification to Microsoft Authenticator, a TOTP code, or a hardware security key — in addition to their password.

Microsoft's data shows MFA blocks more than 99.99% of automated credential attacks. Even if an attacker obtains a user's password through phishing or a data breach, they cannot complete authentication without the second factor.

MFA should be enforced via Conditional Access policies rather than legacy per-user MFA settings. Conditional Access provides more granular control — for example, requiring MFA when signing in from outside the corporate network but not when on a trusted office connection. See our MFA setup guide for configuration details.

Entra ID Protection (formerly Azure AD Identity Protection)

Entra ID Protection is a risk-based security feature of Microsoft Entra ID P2; the Entra ID P1 licence included in Microsoft 365 Business Premium provides a limited subset of it. It uses Microsoft's global threat intelligence to evaluate the risk of every sign-in attempt.

Risk signals include impossible travel (a user appearing to sign in from Sheffield and Singapore within minutes), known malicious IP addresses, anonymous browsing, and password spray attack patterns. When high-risk behaviour is detected, Entra ID Protection can automatically block the sign-in, force a password reset, or require MFA — without requiring manual intervention from an administrator.

Privileged Identity Management (PIM)

Privileged Identity Management, available in Entra ID P2, controls how and when elevated permissions are used within your Microsoft 365 tenant. Rather than administrators holding permanent Global Admin access — which is a significant risk if their account is compromised — PIM requires them to activate their elevated role on-demand, with approval and time limits.

PIM also provides an audit log of all privileged role activations, which is valuable for compliance with ISO 27001 and other frameworks that require access control records.

Self-Service Password Reset (SSPR)

SSPR allows users to reset their own Microsoft 365 passwords without calling IT support, using pre-registered verification methods (phone, email, authentication app). This reduces helpdesk load and ensures users can recover access quickly.

From a security perspective, SSPR should be configured to require at least two verification methods, and administrators should be excluded from SSPR — admin password resets should always go through a formal, attended process.

Entra ID Audit and Sign-In Logs

Entra ID maintains comprehensive logs of all authentication events — successful sign-ins, failed sign-ins, MFA challenges, risk events, and administrative actions. These logs are invaluable for detecting attacks and investigating incidents.

By default, sign-in logs are retained for 30 days (Entra ID P1) or 90 days (Entra ID P2). For longer retention — required for ISO 27001, many regulatory frameworks, and cyber insurance purposes — logs should be exported to Microsoft Sentinel or a third-party SIEM.
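The two detections described above, impossible travel and sign-ins that completed with a password alone, as an added example that is not part of the original page. It runs over constructed records shaped like a subset of the Microsoft Graph signIn object (the user names, IP addresses and times are made up):

```python
from datetime import datetime, timedelta

# Constructed sample records using a subset of Microsoft Graph signIn fields.
# These are not real tenant data.
SIGN_INS = [
    {"userPrincipalName": "alice@example.co.uk", "createdDateTime": "2025-03-10T09:02:11Z",
     "status": {"errorCode": 0}, "ipAddress": "203.0.113.10",
     "location": {"city": "Sheffield", "countryOrRegion": "GB"},
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "alice@example.co.uk", "createdDateTime": "2025-03-10T09:41:45Z",
     "status": {"errorCode": 0}, "ipAddress": "198.51.100.77",
     "location": {"city": "Singapore", "countryOrRegion": "SG"},
     "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "bob@example.co.uk", "createdDateTime": "2025-03-10T10:15:00Z",
     "status": {"errorCode": 50126},  # 50126: invalid username or password
     "ipAddress": "192.0.2.5",
     "location": {"city": "Leeds", "countryOrRegion": "GB"},
     "authenticationRequirement": "singleFactorAuthentication"},
]

def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def impossible_travel(sign_ins, window=timedelta(hours=1)):
    """Return (upn, first_country, second_country) for consecutive successful
    sign-ins by the same user from different countries less than `window` apart."""
    findings = []
    ok = sorted((r for r in sign_ins if r["status"]["errorCode"] == 0), key=_ts)
    last = {}  # upn -> most recent successful sign-in seen so far
    for r in ok:
        upn = r["userPrincipalName"]
        prev = last.get(upn)
        if prev is not None:
            c1, c2 = prev["location"]["countryOrRegion"], r["location"]["countryOrRegion"]
            if c1 != c2 and _ts(r) - _ts(prev) < window:
                findings.append((upn, c1, c2))
        last[upn] = r
    return findings

def single_factor_successes(sign_ins):
    """Successful sign-ins that needed only a password: each one marks a gap in
    MFA enforcement (unregistered user, excluded scope or legacy protocol)."""
    return [r["userPrincipalName"] for r in sign_ins
            if r["status"]["errorCode"] == 0
            and r["authenticationRequirement"] == "singleFactorAuthentication"]

if __name__ == "__main__":
    print("Impossible travel:", impossible_travel(SIGN_INS))
    print("Password-only successes:", single_factor_successes(SIGN_INS))
```

Against a real export the same functions apply to the records returned by the Graph sign-in logs endpoint once the fields used here are present.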

Common Entra ID Security Weaknesses in UK SME Tenants

AMVIA's Microsoft 365 security audits consistently identify the same configuration weaknesses across UK SME tenants.

No MFA enforcement: Many businesses have MFA available but not enforced. Users who have not registered for MFA sign in with password only, leaving their accounts fully exposed to credential attacks.

Excessive Global Administrator accounts: Tenants with many Global Admin accounts have a proportionally larger attack surface. Every Global Admin account that is compromised gives an attacker unrestricted access to the entire tenant. Best practice is a maximum of two to four Global Admin accounts, used only for administrative tasks.

Legacy authentication not blocked: Older protocols that use basic authentication, such as SMTP and POP3, cannot present an MFA challenge and so bypass MFA entirely. Tenants that have not blocked legacy authentication have a significant gap that attackers actively exploit.

Guest account sprawl: External guest accounts accumulate in Entra ID over time as external collaborators are granted access and then forgotten. Each guest account is a potential attack vector. Regular reviews and expiration policies should be in place.

No emergency access accounts: Without designated emergency access accounts (break-glass accounts) excluded from Conditional Access policies, a misconfigured policy can lock out all administrators from the tenant.

Unchanged default settings: Microsoft 365 tenants have a range of security settings that should be reviewed from the default state. Security Defaults (Microsoft's baseline protection) is a good starting point, but most businesses need more granular Conditional Access policies to replace it.
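Three of the weaknesses above (no MFA enforcement, legacy authentication not blocked, no emergency access exclusion) can be checked directly against a tenant's Conditional Access policies. The following is an added example, not AMVIA's tooling: a weak policy set beside a hardened one, both written as Microsoft Graph conditionalAccessPolicy bodies, and an audit function that reports which gaps remain. Group object ids are constructed placeholders.

```python
# Conditional Access policies written as Microsoft Graph conditionalAccessPolicy
# bodies (the shape POST /identity/conditionalAccess/policies accepts).
BREAK_GLASS_GROUP = "PLACEHOLDER-break-glass-group-object-id"  # constructed, not real
# Weak: MFA for a pilot group only, legacy clients not covered, no exclusions.
WEAK_POLICIES = [{
    "displayName": "Pilot - require MFA",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": ["PLACEHOLDER-pilot-group-id"], "excludeGroups": []},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}]
# Hardened: MFA for all users plus a block on legacy authentication
# (clientAppTypes "exchangeActiveSync" and "other"); both exclude break-glass.
HARDENED_POLICIES = [{
    "displayName": "CA001 - Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}, {
    "displayName": "CA002 - Block legacy authentication",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}]

def audit(policies, break_glass_group):
    """Return which of the weaknesses listed above an enabled policy set leaves open."""
    enabled = [p for p in policies if p["state"] == "enabled"]
    controls = lambda p: set(p["grantControls"]["builtInControls"])
    users = lambda p: p["conditions"]["users"]
    gaps = []
    if not any("All" in users(p).get("includeUsers", []) and "mfa" in controls(p)
               for p in enabled):
        gaps.append("No MFA enforcement for all users")
    if not any("block" in controls(p) and {"exchangeActiveSync", "other"}
               <= set(p["conditions"]["clientAppTypes"]) for p in enabled):
        gaps.append("Legacy authentication not blocked")
    if not all(break_glass_group in users(p).get("excludeGroups", []) for p in enabled):
        gaps.append("No emergency access account exclusion")
    return gaps
```

Policies exported from a tenant (for example via GET /identity/conditionalAccess/policies) can be passed to audit() unchanged, since they carry the same field names.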

Entra ID Licensing Tiers Explained

Feature                                  | Entra ID Free (included with M365) | Entra ID P1 (included in M365 Business Premium) | Entra ID P2
Basic MFA                                | ✓ (via Security Defaults)          | ✓                                               | ✓
Conditional Access                       | –                                  | ✓                                               | ✓
SSPR                                     | ✓ (cloud-only users)               | ✓                                               | ✓
Entra ID Protection (risk-based access)  | –                                  | Limited                                         | ✓
Privileged Identity Management           | –                                  | –                                               | ✓
Access Reviews                           | –                                  | –                                               | ✓

For most UK SMEs, Microsoft 365 Business Premium (which includes Entra ID P1) provides sufficient Entra ID security capability. Businesses with stricter governance requirements, larger user populations, or regulatory obligations may benefit from Entra ID P2 features.

How AMVIA Secures Entra ID for UK Businesses

Entra ID configuration requires expertise and ongoing attention. An initial configuration, however thorough, becomes stale as your business changes — new users join, roles evolve, applications are added, and the threat landscape shifts.

AMVIA's managed Microsoft 365 service includes comprehensive Entra ID management:

  • Full audit of current Entra ID configuration against NCSC and Microsoft best practice
  • MFA enforcement via Conditional Access for all users
  • Legacy authentication blocking
  • Guest account review and expiration policy implementation
  • Emergency access account configuration
  • Privileged role review and reduction
  • Sign-in and audit log monitoring, with alerting on suspicious activity
  • Quarterly configuration review
  • Alignment with Cyber Essentials access control requirements

Our team includes Microsoft-certified security professionals with deep Entra ID expertise, supporting UK businesses from 10 to 500 users.

Key Points

What UK businesses need to know about Microsoft Entra ID.

Every M365 Tenant Has Entra ID

Entra ID Free is included in all M365 plans. Entra ID P1 (Conditional Access) is included in M365 Business Premium. Entra ID P2 adds risk-based identity protection and PIM.

Single Sign-On for Cloud Apps

Entra ID provides single sign-on (SSO) to thousands of third-party SaaS applications — reducing the number of separate credentials staff manage.

Identity Protection Detects Risk

Entra ID monitors sign-ins for risk signals — impossible travel, anonymous IP, leaked credentials — and can trigger step-up authentication or block access automatically.

Privileged Identity Management

PIM requires just-in-time elevation for admin roles — no permanent Global Admin assignments — with approval workflow and full audit logging.

Entra ID Security Checklist

Conditional Access policies configured — MFA and device compliance enforced

Privileged Identity Management (PIM) deployed — no permanent Global Admin assignments

Stale accounts reviewed and removed — former staff, contractors, test accounts

Guest access reviewed — B2B guest accounts audited and unnecessary ones removed

Self-service password reset enabled — users can recover accounts without IT assistance

Sign-in logs monitored — risky sign-ins reviewed and investigated

Secure Your Microsoft 365 Identity

AMVIA configures Entra ID — Conditional Access, PIM, and identity risk monitoring — as part of its comprehensive Microsoft 365 security service.