To better understand the structure of Entra ID®, we explore each tier of their service offerings in a four-part series. This is part two of the series.
Each article covers the benefits of a particular service, as well as the drawbacks that come with each tier. Click here to read our previous blog on Entra ID Free, or this one, which covers Entra ID’s Premium P2 tier.
What Is Entra ID Premium P1?
Entra ID is a cloud-based user management platform often introduced to organizations via the purchase of a Microsoft 365™ license or Azure subscription. IT teams start their organizations with Entra ID Free or Microsoft 365 apps (since those are included with a subscription to either service), but that SKU has limited functionality. It’s not uncommon for organizations to upgrade their Entra ID instances to Premium P1 or P2 licenses just to get “that one thing” or consume other Microsoft services that require the Premium SKUs.
Entra ID Premium P1 can be used entirely on its own to manage Microsoft 365/Azure identities, as well as enact single sign-on (SSO) for pre-integrated web applications. It also integrates with Active Directory (AD) and has some federated authentication to interoperate with other identity providers (IdPs). It doesn’t manage devices or external identities without additional subscriptions from Microsoft or additional identity management solutions from other vendors.
This article evaluates Entra ID Premium P1’s capabilities as a standalone service, and explores how organizations can best utilize Entra ID Premium P1’s services.
Benefits of Entra ID Premium P1
Entra ID Premium P1 offers the following features:
- Includes all of the features listed for Entra ID Microsoft 365 apps with SharePoint limited access
- SSO for an unlimited number of pre-integrated SaaS applications with group assignment to applications
- Session lifetime management and continuous access evaluation
- Self-service application assignment to enable users to self-discover and request access to applications; this enables cloud app discovery
- Cloud app discovery (Microsoft Defender for Cloud Apps)
- The option for advanced group management
- On-premises write-back for all password changes
- Group-based access management and provisioning (comes with additional provisioning customization)
- HR-driven provisioning
- End user self-service
- Advanced usage reporting and fraud alerts
- Custom security attributes
- Application proxy for remote access to on-prem applications
- Multi-factor authentication (MFA) for on-premises applications
- Conditional access based on trusted IPs, device state, or location and group
- Automated password rollover for group accounts
- MDM auto-enrollment (out-of-box experience), self-service BitLocker recovery, additional local admin tooling to Windows Pro devices via Entra ID Join
- A service level agreement
- Microsoft Identity Manager (MIM) user client access license (Note: MIM is being phased out in favor of a new Governance SKU that’s an add-on to Entra Premium subscriptions.)
- Cross-tenant user synchronization
The premium features offered by Entra ID Premium P1 are attractive for Microsoft shops. However, there are drawbacks to consider with Entra ID Premium P1 as a holistic identity management solution.
Drawbacks of Entra ID Premium P1
Entra P1 integrates with on-premises Active Directory, but doesn’t include the services required to prevent lateral movement by attackers throughout the Microsoft stack. Workarounds are required to use core network protocols to secure and manage access to network devices. Devices are the gateway through which users reach the resources they need to work, and leaving them unmanaged falls short of the Zero Trust security posture Microsoft recommends. Entra P1 will not manage devices without additional subscriptions from Microsoft or a different M365 SKU that includes Intune®.
Many admins just want to use MS Office, tighten up their security posture, and be business enablers by providing users with the solutions that they need. Organizations that adopt Microsoft become focused on rolling out its products instead of assisting business performance.
Microsoft licensing can be complex, and implementing best practices for Entra takes a lot of work. License management and pricing can be complex and unpredictable without understanding how everything interconnects and which features are included in each plan. Some features are gated off and require additional services to run, including reporting for conditional access policies.
Many organizations have to hire consultants to guide them through the migration, and these challenges have given rise to a cottage industry of them. Otherwise, deploying all of these features means reskilling existing staff or making new hires at market rates, because of the breadth of configuration and resulting complexity that Microsoft’s enterprise features involve.
Missing Identity and Access Control Functionality
SSO to Everything
Entra P1 is designed to work in conjunction with a directory service and lacks features most organizations find necessary to achieve SSO to everything. For example, no matter the subscription tier, Entra ID lacks the ability to manage user access to networks via RADIUS or LDAP unless you pay Microsoft more money and use more of its services.
Note: Windows Hello doesn’t extend beyond Windows, limiting modern authentication.
Unfortunately, this locks many admins into Microsoft’s hybrid infrastructure, which is less than ideal for cloud-forward organizations looking to leave behind the time and cost of running server rooms. Additionally, AD’s RADIUS authentication is performed via an on-prem NPS server, which requires additional infrastructure and increases the attack surface. Microsoft has also designated AD as a legacy technology that must be modernized and protected. Its reference architecture calls for numerous Defender security services on top of Entra ID Premium P2’s Identity Protection.
IT admins who are looking to move past legacy hardware will find that AD + Entra ID P1 isn’t the ideal choice. Using P1 with AD leaves gaps in security posture and access management.
Microsoft Entra’s Governance SKU may be required to fully manage external identities. There are also a few ad hoc costs, such as a charge for authenticating external identities with its MFA. Features are geared toward advanced enterprise workflows and governance requirements.
Many IT administrators choose to implement their Entra instances in conjunction with a directory service. They often use on-prem AD, which syncs with Entra via Entra ID Connect, allowing users to leverage their AD credentials for SSO to web applications and Azure infrastructure. However, this leaves a device management gap for organizations that are also invested in systems beyond Windows (such as Android, macOS®, and Linux®). Organizations that adopt Entra ID will need to buy additional solutions to manage those endpoints, such as Microsoft’s Intune subscription. Unmanaged endpoints defeat the purpose of having strong access control.
Admins looking to use Entra ID Premium P1 as their directory typically choose it for its cloud-based Identity and Access Management (IAM) and security infrastructure. However, it’s not the only option and may not be the best fit for your organization. A cloud-based directory service should be able to modernize AD, provide access to every resource, and manage cross-OS devices. That combination of features is necessary to achieve a Zero Trust posture that makes identity the new perimeter with secure access to resources from all devices.
Open Directory Services
Organizations that are cloud-first, have external identities (such as Google Workspace), and devices other than Windows may find more value in JumpCloud. JumpCloud is an open directory platform that unifies identity, access, and endpoint management, regardless of the underlying authentication method or device ecosystem. It also integrates with AD.
In contrast to standalone Entra, the JumpCloud platform provides SSO to everything and includes environment-wide MFA. It supports the following network protocols:
- RESTful APIs
IAM is handled through groups using attribute-based access control, which helps to automate user lifecycle and entitlements management. Changes also flow seamlessly from other directories or human resource systems. Dynamic groups automatically organize users and devices using basic attributes. The next phase in JumpCloud’s product roadmap will include operators to create compound queries that will increase admin efficiency and streamline device and identity lifecycles.
Conditional access is optional in JumpCloud for organizations that require privileged access management (PAM), and several passwordless authentication methods are supported. Those include JumpCloud Go, which provides a phishing-resistant credential for Macs and Windows. Linux support for Go is coming soon and will be driven by customer demand.
Extend and Improve M365
JumpCloud’s M365 integration syncs Microsoft 365/Entra ID users into the directory. It can then serve as the source of truth and manage nearly all systems, applications, networks, file servers, Infrastructure-as-a-Service platforms, and more regardless of their location (on-prem, at other cloud providers such as AWS®, etc.). This way, admins can still leverage Entra ID Premium P1’s feature set while remaining untethered to legacy AD infrastructure and its rapidly rising costs.
Additionally, JumpCloud is platform agnostic, so organizations can implement unified endpoint management (UEM) in conjunction with their Entra ID Premium P1 instance. JumpCloud will also federate with upstream IdPs. The directory integrates with Entra ID Free, so organizations can still manage their Azure/Microsoft 365 users with a directory service entirely from the cloud.
JumpCloud also offers additional IT management options that extend its utility:
- A decentralized password manager
- Cross-OS patch management
- Remote Access tools for background troubleshooting and hands-on remote assistance
We also invite you to get started with JumpCloud today.