Editor’s Note: Given the fast-paced nature of technology, it is possible that some of the information presented in this article is out of date, or incomplete, in some fashion. The author periodically reviews and revises this article to ensure information contained within is as accurate as possible.
This article analyzes the features and benefits offered by Microsoft’s Entra ID “Free” edition, as well as the potential drawbacks and challenges of adopting Microsoft’s cloud platform. You’ll also learn more about the impact of these constraints on your overall security posture.
Microsoft provides services to secure devices, extend single sign-on (SSO) access to network appliances, and manage entitlements. There are many interwoven, segmented services in the Microsoft 365 and Defender product portfolios. It’s important to understand what each Entra ID SKU provides, and what’s gated off. Making an informed decision about your requirements will determine the value of “free.” Consider that the ultimate goal for Microsoft is to tie customers to a vertically integrated suite of tools, which can limit flexibility while raising costs and management overhead.
What Is Entra ID?
Entra ID is a cloud directory service that extends Active Directory (AD) identities to Microsoft® Azure, Microsoft web applications (like Microsoft 365™), and external SSO apps. It’s also a cloud directory for organizations that don’t use AD but would like to use Microsoft 365.
Entra ID Free is a cloud directory for Microsoft 365 with limited features and no device management beyond what Active Directory (AD) already delivers for domain-joined Windows endpoints. It notably lacks modern entitlement management. Entra ID integrates AD users through Microsoft Entra Connect (formerly Azure AD Connect) or Entra Cloud Sync, but the deployment options are limited. Organizations that need a managed domain (Kerberos, LDAP, Group Policy) and don’t have an on-premises Active Directory Domain Services (AD DS) environment must subscribe to Microsoft Entra Domain Services (formerly Azure AD DS), which is billed separately. Note that Entra ID isn’t a cloud replacement for on-prem Active Directory: it records device identities (Entra join or registration) but doesn’t configure or manage the systems themselves, and non-Windows OSs get nothing from Entra ID alone.
Note: bringing identities from external IdPs such as Google into your tenant falls under Entra External ID (B2B collaboration), which is licensed and billed separately from Entra ID Free rather than being included in it.
Benefits of Entra ID Free
There are several benefits for Microsoft users with simple configurations and few users. Entra ID Free has the following features:
- The ability to sync on-premises Active Directory via Microsoft Entra Connect, the Microsoft utility that bridges on-prem AD and Entra ID
- Basic RBAC user and group management
- Multi-factor authentication (MFA) enforced through security defaults, with passwordless sign-in via Microsoft Authenticator, FIDO2 security keys, and Windows Hello for Business
- Up to 50,000 directory objects by default (Microsoft raises the quota for tenants with a verified domain)
- SSO for external SaaS applications using Microsoft identities
- Self-service password change for cloud users only (this does not include password resets that write back to on-prem AD)
- Basic security and usage reports, with sign-in and audit logs retained for only seven days; longer retention and streaming sign-in logs to a Security Information and Event Management (SIEM) system require a Premium license
- Use automated user provisioning to Microsoft and other SaaS apps
- Pay for advanced features to meet future requirements
Entra ID Free offers basic SSO functionality that’s essential for organizations using AD to access Microsoft’s portfolio of cloud services. It’s also essential (and a prerequisite) for cloud-first organizations to access the M365 suite, but its interoperability with other IdPs is limited. Free will act as the IdP for SaaS apps such as Google Workspace, but it assumes Microsoft identities are the source of truth; it isn’t designed to sit behind another IdP, and bringing in identities from elsewhere is billed separately. That may be acceptable for Microsoft-only infrastructures, but leaves little room to ever change direction.
Drawbacks of Entra ID Free
Significantly, Entra ID Free omits features that security practitioners consider necessary for cloud-based identity management. The free edition remains remarkably similar to the limited-SSO offering introduced in 2014, while the silos between endpoints, data protection, and user identity have been dissolving in response to the evolving tactics of sophisticated threat actors. The result is a stagnant security posture that no longer addresses today’s concerns, as attackers move laterally faster than ever. The free edition preserves boundaries between IT and security operations that are exactly what you need to remove to mitigate these threats.
Microsoft cordons off the Entra ID features that protect identities everywhere they exist, along with the associated security and compliance controls. It’s impossible to follow Microsoft’s own best practices for Entra ID without subscribing to either Premium 1 (P1) or Premium 2 (P2), plus Intune to manage your devices. P1 or P2 is required for SSO into on-premises applications through Microsoft Entra application proxy. There’s also an extra cost to use identities external to the Microsoft ecosystem. Several identity governance features were moved out of P2 and into a separate Microsoft Entra ID Governance SKU that’s an add-on to the Premium plans. There’s always an upsell to get specific features.
Many IT shops adopt Microsoft because products “work well together.” Unfortunately, you must pay to fully integrate Entra ID with AD and Windows Server roles such as NPS for network authentication behind the firewall (the Entra MFA extension for NPS requires a licensed MFA plan such as P1). Even Intune is a separate product with its own console and interface. Navigating your options is a complicated undertaking that has given rise to websites dedicated to demystifying Microsoft licensing. Further, implementing Entra ID’s enterprise features (and even AD integration) could compel you to hire specialized consultants.
The next section explores how gated licensing impacts your ability to reach your operational and security objectives and manage identities throughout your entire infrastructure.
Organizations must assess what’s feasible to spend per user and balance that reality against productivity gains and security obligations. It can be difficult (and often confusing) to forecast your needs when licensing is complex and required features are gated off into higher tiers. Buying more than you need to obtain a few required features is a Faustian bargain that can significantly impact IT departments and budgets, especially as more services are added. Entra ID, Intune, and Microsoft’s Defender security stack can satisfy complex, exhaustive identity and access management (IAM) use cases and security requirements if the reference architecture is followed. That, however, also makes it nearly impossible to switch to other vendors. Entra ID “Free” is the starting point.
SSO and Provisioning Limitations
Here are a few examples of how licensing factors in. First, let’s examine authentication and access control for your applications, both on-premises and SaaS:
- SSO into on-premises, domain-bound applications requires P1 or P2, because it depends on Microsoft Entra application proxy. The same holds true for reaching resources behind the firewall via Integrated Windows Authentication, which application proxy handles with Kerberos constrained delegation.
- Group-based assignment of users to applications requires P1 or P2.
- Dynamic groups (rule-based membership) and the attribute-based access control (ABAC) that automates and safeguards entitlement management are unavailable. Policy-based continuous access evaluation likewise depends on Conditional Access, a Premium feature.
- You cannot utilize external IdPs without paying more.
- On the Free tier, tenant-wide security configuration is limited to security defaults (an all-or-nothing toggle) and per-user MFA settings rather than group- or policy-based management. Per Microsoft, “Authentication methods and configuration capabilities may vary by subscription.”
- Conditional Access, the policy engine behind a Zero Trust posture, is limited to P1 and P2. Microsoft also deems it essential for securing privileged access in Entra ID. You’ll have to upgrade immediately just to reach the baseline level of security that Microsoft advises.
- HR-driven provisioning is unavailable outside of P1 or P2.
- Self-service password reset and change with on-premises write-back requires P1 or P2.
- Advanced group management driven by policies and rules requires P1 or P2.
- Advanced security and usage reports for compliance reporting require P1 or P2.
- Cross-tenant user synchronization is unavailable without P1 or P2.
No Device Management
Identity is the new perimeter, and it’s not possible to protect identities without also managing devices through mobile device management (MDM) or GPO-like policies. The device is a substrate for the user, their activities, and your organization’s data. CrowdStrike found that 25% of attacks occur on devices without any endpoint protection and 71% of attacks are malware free once the adversary is in the environment. These types of attacks lack traditional indicators of compromise and are easier to hide among standard IT traffic. Endpoint Detection and Response (EDR) security cannot safeguard against inadequate IAM security practices.
Now, consider that Entra ID Free won’t manage devices. It becomes necessary to enroll in Intune, which adds a significant per-user cost. There are even multiple Intune SKUs and add-ons. It’s easy for admins to suddenly find themselves heavily oriented toward Microsoft.
Overall, Entra ID Free can be a useful tool for admins looking to introduce their organization to cloud-based infrastructure. However, it ultimately requires a number of additional authentication components to serve as a core IdP. For instance, Entra ID has no RADIUS or LDAP endpoint of its own, so it doesn’t natively authenticate users to Wi-Fi networks or network hardware; you still need NPS on a server you run, or Entra Domain Services as a separately billed managed domain. That holds true for P1 and P2 as well.
Organizations either have to maintain a parallel system for authentication or invest in additional server infrastructure and configurations — a sequence of activities that isn’t free. Siloed identities complicate identity practices, increase technical overhead, and enlarge the attack surface area. Monoculture also increases the risk of lateral movement during an attack.
As previously noted, Entra ID costs more when it’s used to govern and manage external identities, and MFA for external users carries additional charges. Costs will rise organically as your organization grows and the volume of authentications increases.
“Free” is a relative term. Entra ID Free helps organizations with a small number of users and devices to manage Microsoft applications and SaaS services, but security is inherently lacking when those resources are being accessed using untrusted devices. Gaps in services and dependencies on the Windows platform may increase your workload and make implementation much more difficult. Then, you’ll have to manage Entra ID or Entra ID + AD in perpetuity.
Working toward Zero Trust security and compliance with ever expanding regulations obligates someone in your organization, or a trusted advisor, to become an expert in Microsoft licensing. Licensing and product bundles change and are rebranded with some regularity. Your team will also have to make many determinations to live within your budget. It’s not strictly about subscriptions — you’ll also have to account for implementation costs and TCO.
The variety of cloud services from Microsoft and the challenges of migrating from Active Directory to the cloud have given rise to a cottage industry of consultants, a consequence of the breadth of enterprise configurations and the resulting complexity. The complexity is ongoing: Azure secures resources with role-based access control (RBAC), which can be labor-intensive and requires ongoing maintenance to keep a least-privilege model. An additional SKU is generally necessary to add automations to lifecycle workflows. Adding Intune into the mix means mastering yet another console, and shops with an existing ConfigMgr estate must also understand co-management between the two.
IT teams must also implement best practices for Entra ID, some of which are critical because phishing is routinely used to compromise identities. Plan on spending extra time on those critical settings, regardless of your subscription level. For example, Entra ID’s default user settings allow every user to sign in to the Entra admin center, register their own applications, and consent to third-party applications accessing company data on their behalf. Attackers actively exploit that consent workflow in consent-phishing campaigns: the victim grants an attacker-controlled app an OAuth token, which works without the attacker ever needing the password or an MFA code. On its own, Entra ID Free does not provide the controls needed for a strong security posture.
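The two points above (security defaults as the only tenant-wide control, noted in the SSO section, and the permissive user defaults described here) can be audited from a shell rather than by clicking through the portal. The script below is an added example written for this article, not code from the original page or from Microsoft; it uses the Microsoft Graph PowerShell SDK cmdlets for the authorization policy and the security-defaults policy. The two permission-grant policy identifiers are assumptions recalled from Microsoft’s documentation and should be confirmed against what your own tenant returns before you remediate; the admin-center access toggle is left to the portal because the script only touches settings exposed through Graph.

```powershell
# Entra ID tenant hygiene check (added example, not from the original article).
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph.Identity.SignIns)
# and an account holding a role such as Security Administrator or Global Administrator.
# Default is report-only; pass -Remediate to apply the hardened authorization settings.
param(
    [switch]$Remediate
)

$scopes = @("Policy.Read.All", "Policy.ReadWrite.Authorization")
Connect-MgGraph -Scopes $scopes

$findings = @()

# 1. Security defaults: on the Free tier this is the only tenant-wide MFA / legacy-auth control.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if (-not $secDefaults.IsEnabled) {
    $findings += "Security defaults are OFF. Without Conditional Access (P1/P2) nothing enforces MFA tenant-wide."
}

# 2. Default user permissions: app registration and self-service consent are what consent-phishing abuses.
$authz     = Get-MgPolicyAuthorizationPolicy
$userPerms = $authz.DefaultUserRolePermissions

if ($userPerms.AllowedToCreateApps) {
    $findings += "Any user can register applications (AllowedToCreateApps = True)."
}
if ($userPerms.AllowedToReadOtherUsers) {
    # Not an exploit path by itself, but one phished account then yields a complete user list.
    $findings += "Any user can enumerate the whole directory (AllowedToReadOtherUsers = True)."
}

# Assumed policy IDs: the legacy policy lets users consent to ANY app for ANY delegated permission;
# the "low" policy limits self-service consent to verified publishers and low-impact permissions.
$legacyConsent  = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
$lowRiskConsent = "ManagePermissionGrantsForSelf.microsoft-user-default-low"
if ($authz.PermissionGrantPolicyIdsAssignedToDefaultUserRole -contains $legacyConsent) {
    $findings += "Users may consent to any third-party app on their own behalf (legacy consent policy in effect)."
}

if ($findings.Count -eq 0) {
    Write-Host "No findings: security defaults on, user app registration and broad consent disabled."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

if ($Remediate) {
    # Stop users registering apps and restrict self-service consent to the low-risk policy.
    # PATCH semantics: only the properties passed here change; everything else is left as-is.
    Update-MgPolicyAuthorizationPolicy `
        -DefaultUserRolePermissions @{ AllowedToCreateApps = $false } `
        -PermissionGrantPolicyIdsAssignedToDefaultUserRole @($lowRiskConsent)
    Write-Host "Authorization policy updated. Security defaults are toggled separately (needs Policy.ReadWrite.ConditionalAccess)."
}
```

Run it once without `-Remediate` to see the findings, and note that turning off the legacy consent policy does not revoke grants users have already made; those still need to be reviewed under Enterprise applications in the portal.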
This complexity exists because of the number of scenarios Microsoft supports, down to the granular requirements of large enterprises. Microsoft has also woven trials and upsells into admin workflows such as self-service password reset (SSPR), which blurs the line between what you can configure and what’s out of reach. For example, a Free-tier admin sees the option to configure SSPR, but is prompted to assign a Premium license to users as soon as password write-back to AD is required. On Free, SSPR works only for cloud-only users.
A small or medium-sized enterprise (SME) should consider whether it’s ready for and can afford this platform.
Azure and Vendor Lock-In
IT teams that are centered around AD expand Microsoft’s presence in their infrastructure by adopting Entra ID. Any SME that adopts Entra ID and other Azure products becomes more deeply embedded in Microsoft “monoculture” over time as custom configurations and more integrations occur. This is fine for some organizations that have deeper expertise in Microsoft platforms. They accept the vendor risk of standardizing all essential IT infrastructure and operations with a sole partner.
Sometimes a combination of Entra ID and a third-party service, such as JumpCloud, is a better fit. The next section outlines how JumpCloud integrates with and extends Microsoft systems through its open directory platform.
An Open Directory Platform
JumpCloud’s open directory platform provides value lock-in and enables you to choose any best-of-breed solution you want. For instance, your organization might prefer Google Workspace over M365 or choose identity and endpoint protection from CrowdStrike instead of Defender. You can connect users to any resource, from any location, from trusted devices, with the appropriate permissions, while abiding by Zero Trust principles. The platform provides SSO and device management, as well as compliance and reporting, to access and secure resources.
SSO to Everything
The open directory accepts third-party identities from Google, LDAP, Microsoft AD and Entra ID, Okta, and a wide variety of authentication protocols. Every authentication method is protected by MFA through either Push MFA with the JumpCloud Protect™ app or TOTP options. A phishing-resistant credential is also available to secure the user console. Conditional access policies are optional, and JumpCloud offers a decentralized password manager and vault to protect user credentials for situations when SSO is not an option.
The supported protocols include:
Users are provisioned through either importing accounts or attributes (and even Entra ID group assignments) from another directory or integrations with popular HRIS systems. There’s no “tax” placed on having basic interoperability or using external identities. SSPR is also available without raising your license requirements. Access to applications is managed through groups with automated entitlement controls by using attribute-based access control. ABAC reduces management overhead and the possibility of introducing errors such as wasting licenses on inactive users. It’s Zero Trust by virtue of continuously verifying user attributes, which serves as a security control to avoid insider threats or forgotten user accounts.
JumpCloud uses dynamic groups to automatically organize users and devices using basic attributes. The next phase will include operators to create compound queries, which will increase admin efficiency even further and streamline device and identity lifecycle management.
Device management is included at no added cost for Android, Apple products, Linux, and Windows. It includes MDM, pre-built policies (such as full disk encryption), and a commands queue. Windows admins can even utilize PowerShell scripts for batch jobs. Zero-touch deployments are available for Macs and iPads/iPhones with Windows Out of Box Experience (OOBE) as another option to stage devices and onboard users. Remote Access is built into the platform, for several operating systems, providing further cost-savings and value. There are options for remote assistance as well as a remote, interactive command line so that troubleshooting can occur in the background without interrupting your users.
Provisioning devices is streamlined. Users will soon be able to “Sign In With JumpCloud” to auto provision and associate their JumpCloud account to their device with default account permissions. The JumpCloud agent will sync their JumpCloud password back to their device.
There’s also the option for cross-OS patch management, including browser version control.
Reporting and Data Services
All JumpCloud tenants include Directory Insights and System Insights to provide telemetry that follows identities everywhere they exist and all pertinent user activities. JumpCloud also provides multiple pre-built reports for compliance purposes and management.
Available reports include:
- Users to Devices: Returns all user attributes and device associations for each user.
- Users to RADIUS Server: Returns all user attributes and associations to RADIUS Servers for each user.
- Users to LDAP: Returns all user attributes and associations to LDAP resources for each user.
- Users to Directories: Returns all user attributes and associations to directories for each user.
- User to SSO Applications: Returns all user attributes and SSO application associations for each user.
- OS Patch Management Policy: Provides a clear view of each device’s status relative to the OS patch policies deployed to it.
Get Started with JumpCloud
Note: Don’t just think about where you are today, consider where you’re headed.
Entra ID Free is a prerequisite for Microsoft cloud apps, extends AD to the web, and can be an economical choice for SSO into cloud resources. However, it leaves gaps in manageability and security and defers costs, which could become substantial, to a later date. Subscriptions align with features, not use cases, which makes upgrading inevitable.
JumpCloud’s device management isn’t an additional cost, but some features are optional. Simply sign up for a trial today to get started from a single admin console. Pricing is based on workflows that will help you to get things done, not gated features or upsells.