Microsoft Entra ID Explained for Non-Technical Business Owners

Every Microsoft 365 business has Microsoft Entra ID running underneath their setup, whether they know it or not. It was called Azure Active Directory until Microsoft rebranded it in 2023. Most IT providers still use both names interchangeably, which adds to the confusion.

Here's what it actually does and why it's worth understanding.

What Entra ID is in plain terms

Entra ID is the system that manages who your staff are, what they're allowed to access, and how they prove their identity when they log in. Every time someone in your business opens Outlook, Teams, or SharePoint, Entra ID is running in the background, checking whether this is the right person, whether they should have access to this resource, and whether they're logging in from a trusted device.

You don't interact with it directly. It just happens. The question is whether it's configured to work for you, or just running on defaults.

Three capabilities that most businesses aren't using properly

Single sign-on is the most immediately practical. Entra ID connects to thousands of business applications: Salesforce, Slack, DocuSign, Xero, and hundreds more. When it's configured, staff log in once with their Microsoft account and move between connected applications without entering separate passwords. For IT administrators, the bigger benefit is provisioning and deprovisioning: when someone leaves, disabling their Entra ID account cuts off access to every connected application simultaneously, rather than requiring separate action in each one.

Conditional access is where the security value is. Conditional access policies are rules that run automatically: require MFA when logging in from outside the office; block logins from countries you don't operate in; restrict access to compliant devices only. These policies are set once and then enforce themselves without any ongoing IT involvement. Conditional access is available from Microsoft 365 Business Premium (around £19.70 per user per month at current UK pricing), which includes Entra ID P1.

The basic level of Entra ID, included with Microsoft 365 Business Basic and Standard, covers user accounts, single sign-on, and MFA. That's the core and it's included. You don't need a premium licence to get the most important capabilities.

Two gaps I find in nearly every Microsoft 365 business

The first: MFA isn't fully deployed. Entra ID supports MFA out of the box. In many businesses I review, it's enabled for some users but not all, usually because someone was excluded during initial rollout and nobody followed up. The accounts without MFA are the ones that get compromised.

The second: guest accounts are unmanaged. When you share a SharePoint site, a Teams channel, or a file with someone outside the business, Entra ID creates a guest account for them. Over two or three years, businesses accumulate hundreds of these: former suppliers, clients from concluded projects, contractors who left. Nobody removes them because nobody has a process for it. An annual guest account audit takes less than an hour and is worth doing.
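If you hand the audit to your IT provider, the core of it is a filter over the user list. The sketch below is an added example, not Microsoft's tooling or part of the original article: it runs over constructed sample records shaped like Microsoft Graph user objects, and the 180-day threshold and the function names are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, shaped like Microsoft Graph user records.
SAMPLE_USERS = [
    {"mail": "staff@example.com", "userType": "Member", "accountEnabled": True,
     "createdDateTime": "2021-03-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-05-30T08:00:00Z"}},
    {"mail": "supplier@example.net", "userType": "Guest", "accountEnabled": True,
     "createdDateTime": "2022-02-10T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-01-15T10:00:00Z"}},
    {"mail": "client@example.org", "userType": "Guest", "accountEnabled": True,
     "createdDateTime": "2024-01-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-05-20T10:00:00Z"}},
    {"mail": "contractor@example.org", "userType": "Guest", "accountEnabled": True,
     "createdDateTime": "2023-06-01T09:00:00Z", "signInActivity": None},
    {"mail": "newpartner@example.net", "userType": "Guest", "accountEnabled": True,
     "createdDateTime": "2025-05-15T09:00:00Z", "signInActivity": None},
    {"mail": "old@example.net", "userType": "Guest", "accountEnabled": False,
     "createdDateTime": "2021-01-01T09:00:00Z", "signInActivity": None},
]

def parse_ts(value):
    """Parse a Graph-style UTC timestamp; return None when it is absent."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def audit_guests(users, now, stale_after_days=180):
    """Return (mail, reason) for enabled guests that warrant review.

    stale_after_days is an assumed threshold, not a Microsoft default.
    """
    cutoff = now - timedelta(days=stale_after_days)
    findings = []
    for user in users:
        if user.get("userType") != "Guest" or not user.get("accountEnabled"):
            continue  # staff accounts and already-disabled guests are out of scope
        last = parse_ts((user.get("signInActivity") or {}).get("lastSignInDateTime"))
        created = parse_ts(user.get("createdDateTime"))
        if last is None:
            # No recorded sign-in: flag only if the invitation itself is old,
            # so recently invited guests are not reported.
            if created is None or created < cutoff:
                findings.append((user["mail"], "never signed in"))
        elif last < cutoff:
            findings.append((user["mail"], f"no sign-in since {last.date().isoformat()}"))
    return findings

if __name__ == "__main__":
    for mail, reason in audit_guests(SAMPLE_USERS, datetime.now(timezone.utc)):
        print(f"{mail}: {reason}")
```

If the sign-in field is empty for every guest, check that the export actually included sign-in data before treating them all as unused.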