Cuir in eagar

Comhroinn trí


Frequently asked questions about Microsoft Entra ID

Microsoft Entra ID is a cloud-based identity and access management solution. It's a directory and identity management service that operates in the cloud and offers authentication and authorization services to various Microsoft services, such as Microsoft 365, Dynamics 365, and Microsoft Azure.

For more information, see What is Microsoft Entra ID?

Help with accessing Microsoft Entra ID and Azure

Why do I get "No subscriptions found" when I try to access the Microsoft Entra admin center or the Azure portal?

To access the Microsoft Entra admin center or the Azure portal, each user needs permissions with a valid subscription. If you don't have a paid Microsoft 365 or Microsoft Entra subscription, you will need to activate a free Azure account or establish a paid subscription. All Azure subscriptions, whether paid or free, have a trust relationship with a Microsoft Entra tenant. All subscriptions rely on the Microsoft Entra tenant (directory) to authenticate and authorize security principals and devices.

For more information, see How Azure subscriptions are associated with Microsoft Entra ID.

What's the relationship between Microsoft Entra ID, Microsoft Azure, and other Microsoft services, such as Microsoft 365?

Microsoft Entra ID provides you with common identity and access capabilities to all web services. Whether you're using Microsoft services, such as Microsoft 365, Power Platform, Dynamics 365, or other Microsoft products, you're already using Microsoft Entra ID to help turn on sign-on and access management for all cloud services.

All users who are set up to use Microsoft services are defined as user accounts in one or more Microsoft Entra instances, providing these accounts access to Microsoft Entra ID.

For more information, see Microsoft Entra ID Plans & Pricing

Microsoft Entra paid services, such as Enterprise Mobility + Security (Microsoft Enterprise Mobility + Security) complement other Microsoft services like Microsoft 365, with comprehensive enterprise-scale development, management and security solutions.

For more information, see The Microsoft Cloud.

What are the differences between Owner and Global Administrator?

By default, the person who signs up for a Microsoft Entra or Azure subscription is assigned the Owner role for Azure resources. An Owner can use either a Microsoft account or a work or school account from the directory that the Microsoft Entra or Azure subscription is associated with. This role is also authorized to manage services in the Azure portal.

If others need to sign in and access services by using the same subscription, you can assign them the appropriate built-in role. For more information, see Assign Azure roles using the Azure portal.

By default, the person who signs up for a Microsoft Entra or Azure subscription is assigned the Global Administrator role for the directory. This user has access to all Microsoft Entra directory features. Microsoft Entra ID has a different set of administrator roles to manage the directory and identity-related features. These administrators will have access to various features in the Azure portal. The administrator's role determines what they can do, like create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, or manage domains.

For more information, see Assign a user to administrator roles in Microsoft Entra ID and Assigning administrator roles in Microsoft Entra ID.

Is there a report that shows when my Microsoft Entra user licenses will expire?

No. This isn't currently available.

How can I allow Microsoft Entra admin center URLs on my firewall or proxy server?

To optimize connectivity between your network and the Microsoft Entra admin center and its services, you might want to add specific Microsoft Entra admin center URLs to your allowlist. Doing so can improve performance and connectivity between your local- or wide area network. Network administrators often deploy proxy servers, firewalls, or other devices, which can help secure and give control over how users access the internet. Rules designed to protect users can sometimes block or slow down legitimate business-related internet traffic. This traffic includes communications between you and Microsoft Entra admin center over the following URLs:

  • *.entra.microsoft.com
  • *.entra.microsoft.us
  • *.entra.microsoftonline.cn

For more information, see Using Microsoft Entra application proxy to publish on-premises apps for remote users. Additional URLs that you should include are listed in the article Allow the Azure portal URLs on your firewall or proxy server.

Help with hybrid Microsoft Entra ID

How do I leave a tenant when I'm added as a collaborator?

You can usually leave an organization on your own without having to contact an administrator. However, in some cases this option won't be available and you'll need to contact your tenant admin, who can delete your account in the external organization.

For more information, see Leave an organization as an external user.

How can I connect my on-premises directory to Microsoft Entra ID?

You can connect your on-premises directory to Microsoft Entra ID by using Microsoft Entra Connect.

For more information, see Integrating your on-premises identities with Microsoft Entra ID.

How do I set up SSO between my on-premises directory and my cloud applications?

You only need to set up single sign-on (SSO) between your on-premises directory and Microsoft Entra ID. As long as you access your cloud applications through Microsoft Entra ID, the service automatically drives your users to correctly authenticate with their on-premises credentials.

Implementing SSO from on-premises can be easily achieved with federation solutions such as Active Directory Federation Services (AD FS), or by configuring password hash sync. You can easily deploy both options by using the Microsoft Entra Connect configuration wizard.

For more information, see Integrating your on-premises identities with Microsoft Entra ID.

Does Microsoft Entra ID provide a self-service portal for users in my organization?

Yes, Microsoft Entra ID provides you with the Microsoft Entra ID Access Panel for user self-service and application access. If you're a Microsoft 365 customer, you can find many of the same capabilities in the Office 365 portal.

For more information, see Introduction to the Access Panel.

Does Microsoft Entra ID help me manage my on-premises infrastructure?

Yes. The Microsoft Entra ID P1 or P2 edition provides you with Microsoft Entra Connect Health. Microsoft Entra Connect Health helps you monitor and gain insight into your on-premises identity infrastructure and the synchronization services.

For more information, see Monitor your on-premises identity infrastructure and synchronization services in the cloud.

Help with password management

Can I use Microsoft Entra password write-back without password sync?

(For example, is it possible to use Microsoft Entra self-service password reset (SSPR) with password write-back and not store passwords in the cloud?)

This example scenario doesn't require the on-premises password to be tracked in Microsoft Entra. This is because you don't need to synchronize your Active Directory passwords to Microsoft Entra ID to enable write-back. In a federated environment, Microsoft Entra single sign-on (SSO) relies on the on-premises directory to authenticate the user.

How long does it take for a password to be written back to Active Directory on-premises?

Password write-back operates in real time.

For more information, see Getting started with password management.

Can I use password write-back with passwords that are managed by an admin?

Yes, if you have password write-back enabled, the password operations performed by an admin are written back to your on-premises environment.

For more answers to password-related questions, see Password management frequently asked questions.

What can I do if I can't remember my existing Microsoft 365 / Microsoft Entra password while trying to change my password?

For the above scenario, there are a couple of options. You can use the self-service password reset (SSPR) if it's available. Whether SSPR works depends on how it's configured. For more information about resetting Microsoft Entra passwords, see How does the password reset portal work.

For Microsoft 365 users, your admin can reset the password by using the steps outlined in Reset user passwords.

For Microsoft Entra accounts, admins can reset passwords by using one of the following:

Help with security

Are accounts locked after a specific number of failed attempts or is there a more sophisticated strategy used?

Microsoft Entra ID uses a more sophisticated strategy to lock accounts. This is based on the IP of the request and the passwords entered. The duration of the lockout also increases based on the likelihood that it's an attack.

For certain (common) passwords that get rejected, does this apply to passwords used only in the current directory?

Rejected passwords return the message 'This password has been used too many times'. This refers to passwords that are globally common, such as any variants of "Password" and "123456".

Will sign-in requests from dubious sources (botnets, for example) be blocked in a B2C tenant or does this require a Basic or Premium edition tenant?

We do have a gateway that filters requests and provides some protection from botnets, and is applied for all B2C tenants.

Help with application access

Where can I find a list of applications that are pre-integrated with Microsoft Entra ID and their capabilities?

Microsoft Entra ID has more than 2,600 pre-integrated applications from Microsoft, application service providers, and partners. All pre-integrated applications support single sign-on (SSO). SSO lets you use your organizational credentials to access your apps. Some of the applications also support automated provisioning and de-provisioning.

For a complete list of the pre-integrated applications, see the Azure Marketplace.

What if the application I need is not in the Microsoft Entra marketplace?

With Microsoft Entra ID P1 or P2, you can add and configure any application that you want. Depending on your application's capabilities and your preferences, you can configure SSO and automated provisioning.

For more information, see Single sign-on SAML protocol and Develop and plan provisioning for a SCIM endpoint.

How do users sign in to applications using Microsoft Entra ID?

Microsoft Entra ID provides several ways for users to view and access their applications, such as:

  • The Microsoft Entra access panel
  • The Microsoft 365 application launcher
  • Direct sign-in to federated apps
  • Deep links to federated, password-based, or existing apps

For more information, see End user experiences for applications.

What are the different ways Microsoft Entra ID enables authentication and single sign-on to applications?

Microsoft Entra ID supports many standardized protocols for authentication and authorization, such as SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Federation. Microsoft Entra ID also supports password vaulting and automated sign-in capabilities for apps that only support forms-based authentication.

For more information, see Identity fundamentals and Single sign-on for applications in Microsoft Entra ID.

Can I add applications that I'm running on-premises?

Microsoft Entra application proxy provides you with easy and secure access to on-premises web applications that you choose. You can access these applications in the same way that you access your software as a service (SaaS) apps in Microsoft Entra ID. There's no need for a VPN or to change your network infrastructure.

For more information, see How to provide secure remote access to on-premises applications.

How do I require multifactor authentication for users who access a particular application?

With Microsoft Entra Conditional Access, you can assign a unique access policy for each application. In your policy, you can require multifactor authentication always, or when users aren't connected to the local network.

For more information, see Securing access to Microsoft 365 and other apps connected to Microsoft Entra ID.

What is automated user provisioning for SaaS apps?

Use Microsoft Entra ID to automate the creation, maintenance, and removal of user identities in many popular cloud SaaS apps.

For more information, see What is app provisioning in Microsoft Entra ID?.

Can I set up a secure LDAP connection with Microsoft Entra ID?

No. Microsoft Entra ID doesn't support the Lightweight Directory Access Protocol (LDAP) protocol or Secure LDAP directly. However, it's possible to enable Microsoft Entra Domain Services instance on your Microsoft Entra tenant with properly configured network security groups through Azure Networking to achieve LDAP connectivity.

For more information, see Configure secure LDAP for a Microsoft Entra Domain Services managed domain.