Microsoft Entra ID is a cloud-based identity and access management solution. It's a directory and identity management service that operates in the cloud and offers authentication and authorization services to various Microsoft services, such as Microsoft 365, Dynamics 365, and Microsoft Azure.
For more information, see What is Microsoft Entra ID?
Why do I get "No subscriptions found" when I try to access the Microsoft Entra admin center or the Azure portal?
To access the Microsoft Entra admin center or the Azure portal, each user needs permissions with a valid subscription. If you don't have a paid Microsoft 365 or Microsoft Entra subscription, you will need to activate a free Azure account or establish a paid subscription. All Azure subscriptions, whether paid or free, have a trust relationship with a Microsoft Entra tenant. All subscriptions rely on the Microsoft Entra tenant (directory) to authenticate and authorize security principals and devices.
For more information, see How Azure subscriptions are associated with Microsoft Entra ID.
What's the relationship between Microsoft Entra ID, Microsoft Azure, and other Microsoft services, such as Microsoft 365?
Microsoft Entra ID provides you with common identity and access capabilities to all web services. Whether you're using Microsoft services, such as Microsoft 365, Power Platform, Dynamics 365, or other Microsoft products, you're already using Microsoft Entra ID to help turn on sign-on and access management for all cloud services.
All users who are set up to use Microsoft services are defined as user accounts in one or more Microsoft Entra instances, providing these accounts access to Microsoft Entra ID.
For more information, see Microsoft Entra ID Plans & Pricing
Microsoft Entra paid services, such as Enterprise Mobility + Security (Microsoft Enterprise Mobility + Security) complement other Microsoft services like Microsoft 365, with comprehensive enterprise-scale development, management and security solutions.
For more information, see The Microsoft Cloud.
By default, the person who signs up for a Microsoft Entra or Azure subscription is assigned the Owner role for Azure resources. An Owner can use either a Microsoft account or a work or school account from the directory that the Microsoft Entra or Azure subscription is associated with. This role is also authorized to manage services in the Azure portal.
If others need to sign in and access services by using the same subscription, you can assign them the appropriate built-in role. For more information, see Assign Azure roles using the Azure portal.
By default, the person who signs up for a Microsoft Entra or Azure subscription is assigned the Global Administrator role for the directory. This user has access to all Microsoft Entra directory features. Microsoft Entra ID has a different set of administrator roles to manage the directory and identity-related features. These administrators will have access to various features in the Azure portal. The administrator's role determines what they can do, like create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, or manage domains.
For more information, see Assign a user to administrator roles in Microsoft Entra ID and Assigning administrator roles in Microsoft Entra ID.
No. This isn't currently available.
To optimize connectivity between your network and the Microsoft Entra admin center and its services, you might want to add specific Microsoft Entra admin center URLs to your allowlist. Doing so can improve performance and connectivity between your local- or wide area network. Network administrators often deploy proxy servers, firewalls, or other devices, which can help secure and give control over how users access the internet. Rules designed to protect users can sometimes block or slow down legitimate business-related internet traffic. This traffic includes communications between you and Microsoft Entra admin center over the following URLs:
- *.entra.microsoft.com
- *.entra.microsoft.us
- *.entra.microsoftonline.cn
For more information, see Using Microsoft Entra application proxy to publish on-premises apps for remote users. Additional URLs that you should include are listed in the article Allow the Azure portal URLs on your firewall or proxy server.
You can usually leave an organization on your own without having to contact an administrator. However, in some cases this option won't be available and you'll need to contact your tenant admin, who can delete your account in the external organization.
For more information, see Leave an organization as an external user.
You can connect your on-premises directory to Microsoft Entra ID by using Microsoft Entra Connect.
For more information, see Integrating your on-premises identities with Microsoft Entra ID.
You only need to set up single sign-on (SSO) between your on-premises directory and Microsoft Entra ID. As long as you access your cloud applications through Microsoft Entra ID, the service automatically drives your users to correctly authenticate with their on-premises credentials.
Implementing SSO from on-premises can be easily achieved with federation solutions such as Active Directory Federation Services (AD FS), or by configuring password hash sync. You can easily deploy both options by using the Microsoft Entra Connect configuration wizard.
For more information, see Integrating your on-premises identities with Microsoft Entra ID.
Yes, Microsoft Entra ID provides you with the Microsoft Entra ID Access Panel for user self-service and application access. If you're a Microsoft 365 customer, you can find many of the same capabilities in the Office 365 portal.
For more information, see Introduction to the Access Panel.
Yes. The Microsoft Entra ID P1 or P2 edition provides you with Microsoft Entra Connect Health. Microsoft Entra Connect Health helps you monitor and gain insight into your on-premises identity infrastructure and the synchronization services.
For more information, see Monitor your on-premises identity infrastructure and synchronization services in the cloud.
(For example, is it possible to use Microsoft Entra self-service password reset (SSPR) with password write-back and not store passwords in the cloud?)
This example scenario doesn't require the on-premises password to be tracked in Microsoft Entra. This is because you don't need to synchronize your Active Directory passwords to Microsoft Entra ID to enable write-back. In a federated environment, Microsoft Entra single sign-on (SSO) relies on the on-premises directory to authenticate the user.
Password write-back operates in real time.
For more information, see Getting started with password management.
Yes, if you have password write-back enabled, the password operations performed by an admin are written back to your on-premises environment.
For more answers to password-related questions, see Password management frequently asked questions.
What can I do if I can't remember my existing Microsoft 365 / Microsoft Entra password while trying to change my password?
For the above scenario, there are a couple of options. You can use the self-service password reset (SSPR) if it's available. Whether SSPR works depends on how it's configured. For more information about resetting Microsoft Entra passwords, see How does the password reset portal work.
For Microsoft 365 users, your admin can reset the password by using the steps outlined in Reset user passwords.
For Microsoft Entra accounts, admins can reset passwords by using one of the following:
Are accounts locked after a specific number of failed attempts or is there a more sophisticated strategy used?
Microsoft Entra ID uses a more sophisticated strategy to lock accounts. This is based on the IP of the request and the passwords entered. The duration of the lockout also increases based on the likelihood that it's an attack.
For certain (common) passwords that get rejected, does this apply to passwords used only in the current directory?
Rejected passwords return the message 'This password has been used too many times'. This refers to passwords that are globally common, such as any variants of "Password" and "123456".
Will sign-in requests from dubious sources (botnets, for example) be blocked in a B2C tenant or does this require a Basic or Premium edition tenant?
We do have a gateway that filters requests and provides some protection from botnets, and is applied for all B2C tenants.
Where can I find a list of applications that are pre-integrated with Microsoft Entra ID and their capabilities?
Microsoft Entra ID has more than 2,600 pre-integrated applications from Microsoft, application service providers, and partners. All pre-integrated applications support single sign-on (SSO). SSO lets you use your organizational credentials to access your apps. Some of the applications also support automated provisioning and de-provisioning.
For a complete list of the pre-integrated applications, see the Azure Marketplace.
With Microsoft Entra ID P1 or P2, you can add and configure any application that you want. Depending on your application's capabilities and your preferences, you can configure SSO and automated provisioning.
For more information, see Single sign-on SAML protocol and Develop and plan provisioning for a SCIM endpoint.
Microsoft Entra ID provides several ways for users to view and access their applications, such as:
- The Microsoft Entra access panel
- The Microsoft 365 application launcher
- Direct sign-in to federated apps
- Deep links to federated, password-based, or existing apps
For more information, see End user experiences for applications.
What are the different ways Microsoft Entra ID enables authentication and single sign-on to applications?
Microsoft Entra ID supports many standardized protocols for authentication and authorization, such as SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Federation. Microsoft Entra ID also supports password vaulting and automated sign-in capabilities for apps that only support forms-based authentication.
For more information, see Identity fundamentals and Single sign-on for applications in Microsoft Entra ID.
Microsoft Entra application proxy provides you with easy and secure access to on-premises web applications that you choose. You can access these applications in the same way that you access your software as a service (SaaS) apps in Microsoft Entra ID. There's no need for a VPN or to change your network infrastructure.
For more information, see How to provide secure remote access to on-premises applications.
With Microsoft Entra Conditional Access, you can assign a unique access policy for each application. In your policy, you can require multifactor authentication always, or when users aren't connected to the local network.
For more information, see Securing access to Microsoft 365 and other apps connected to Microsoft Entra ID.
Use Microsoft Entra ID to automate the creation, maintenance, and removal of user identities in many popular cloud SaaS apps.
For more information, see What is app provisioning in Microsoft Entra ID?.
No. Microsoft Entra ID doesn't support the Lightweight Directory Access Protocol (LDAP) protocol or Secure LDAP directly. However, it's possible to enable Microsoft Entra Domain Services instance on your Microsoft Entra tenant with properly configured network security groups through Azure Networking to achieve LDAP connectivity.
For more information, see Configure secure LDAP for a Microsoft Entra Domain Services managed domain.