The Entra Family

The directory your organization already has.

Entra ID is the cloud identity service that Microsoft 365 and Azure both run on. Users, groups, app registrations, service principals, managed identities, Conditional Access policies, role assignments - all of it lives in your tenant here. It speaks OIDC, OAuth 2.0, and SAML, so any modern app can integrate with it.

If you only learn one piece of the family first, learn this one. Everything else hangs off it.

Identity for everyone outside your organization.

External ID is the unified product for customer and partner identity - both the consumer CIAM scenarios that used to live in Azure AD B2C, and the B2B guest collaboration that lived in Azure AD B2B. One product, two tenant configurations: external tenant for customer-facing apps, workforce tenant for partner collaboration on top of your employee directory.

It is the path Microsoft now points new customer-facing projects at. Azure AD B2C is still supported for existing customers but closed to new ones.

A managed Active Directory domain in the cloud, for workloads that can't speak modern protocols.

Some workloads still need Kerberos, NTLM, LDAP, or Group Policy - typically lift-and-shift Windows workloads, legacy line-of-business apps, or applications that bind to a domain at startup. Entra Domain Services gives you a Microsoft-managed AD-compatible domain in your Azure virtual network, synchronized from your Entra ID tenant. No domain controllers to operate.

Distinct from on-prem AD DS and distinct from Entra ID itself. It is a third thing, built specifically to bridge the gap.

Automating "joiner, mover, leaver" and the access reviews around it.

ID Governance is the workflow layer on top of Entra ID. It owns four big features:

• Lifecycle workflows for onboarding, role changes, and offboarding - assign groups and licenses automatically when a user joins; remove them when they leave.
• Entitlement management for self-service access packages - users request a bundle of groups, apps, and SharePoint sites; an approver (or policy) decides.
• Access reviews that periodically ask managers or resource owners "should this person still have this access?" - with auto-revoke if no one responds.
• Privileged Identity Management (PIM) for just-in-time role elevation, so admins are only admins for the minutes they actually need to be.

The pitch is to replace "stale access piling up forever" with a continuously reviewed surface.

Cloud Infrastructure Entitlement Management across Azure, AWS, and GCP.

Permissions Management discovers every identity (human and workload) across your cloud accounts, observes what permissions they actually use, and recommends scoping the unused ones away. The category is CIEM - the permissions-management counterpart to SIEM - and the goal is least privilege, enforced from data instead of from documents.

It spans the three big public clouds, not just Azure - which is the part that makes it distinctive within the Entra family. If your organization runs in more than one cloud, the entitlement sprawl problem is the same regardless of brand.

Zero Trust Network Access to internal apps and resources, without a VPN.

Private Access is Microsoft's ZTNA - Zero Trust Network Access. Instead of putting a user "inside the network" via VPN, it brokers an identity-aware connection to one specific resource the user is authorized for, evaluated against Conditional Access on every session. Internal apps, SMB shares, RDP, SSH - private endpoints reachable without the user ever joining a network they shouldn't be on.

The replacement narrative for the corporate VPN is the headline. The deeper story is application-level access control replacing network-level access control.

An identity-aware Secure Web Gateway for SaaS, Microsoft 365, and the open internet.

Internet Access is the outbound counterpart to Private Access. It is a Secure Web Gateway tied to your Entra ID identities - web content filtering, threat protection, and policy enforcement on the traffic your users send to SaaS and the internet. Conditional Access decisions extend to which sites a user can reach, from which device, on which network.

Particularly tuned to Microsoft 365 traffic, since Microsoft owns both ends. It is the SSE half that pairs with Private Access to cover the full inbound/outbound story.

Issue and verify portable digital credentials based on open standards.

Verified ID is Microsoft's implementation of verifiable credentials - cryptographically signed claims about a person (employment, certification, education) that the holder stores in a wallet and can present to anyone, anywhere, without the verifier having to contact the issuer. Built on W3C standards (Verifiable Credentials, Decentralized Identifiers).

The model is different from the rest of the family. Where Entra ID is a central directory you sign in to, Verified ID is a peer-to-peer attestation system: an issuer signs a credential, the user holds it, a verifier checks the signature. Useful for onboarding flows ("prove your employment at your previous employer"), high-assurance scenarios, and reusable identity proofing.