Microsoft Azure · Software · YoctoIT tech page

Entra ID

Identity as the perimeter: SSO, MFA, Conditional Access and governance — the first line of defense of every Microsoft shop.

FOCUS · IDENTITY FIRSTThe perimeter is no longer the network: it's who you are, where you enter from, with which device
YoctoIT material for clients and partners · Microsoft, Azure, Entra, Defender and the other products mentioned are trademarks of Microsoft Corporation.
01 · What it is

Microsoft Entra ID, made clear.

Entra ID (formerly Azure AD) is the center of Microsoft identity: single sign-on across thousands of apps, MFA and passwordless, Conditional Access evaluating every access (user, device, risk, location) and identity governance for the lifecycles. In the hybrid-work world, this is where security is won or lost.

99%
of identity-based attacks blocked by MFA (Microsoft figure)
CA
Conditional Access: every login evaluated on risk, device and context
PIM
privileges elevated on a timer: the permanent admin no longer exists
Microsoft Entra ID
OFFICIAL MICROSOFT BRANDING · ENTRA ID
CONSOLE REALE · ENTRA CONDITIONAL ACCESS · FONTE: MICROSOFT LEARN
REAL CONSOLE · ENTRA CONDITIONAL ACCESS · SOURCE: MICROSOFT LEARN
02 · How to use it well

The things that make the difference.

The identity perimeter

Apps: M365, SaaS, on-premeverything behind a single login
MFA/passwordless
Conditional Access
PIM
who you are · in what context · with what powers
Entra IDthe brain of the decisions
Identity governancelifecycles and recertifications
Every access is an informed decision

Conditional Access baseline

The policies that close 95% of the risk: MFA everywhere, legacy auth off, compliant devices.

Clean hybrid

Sync with on-prem AD, password hash and SSPR: the two worlds aligned without duplicates.

Privileges with an expiry

PIM on admin roles: just-in-time elevation, approved and tracked.

Recertifications

Periodic access reviews: who doesn't use a permission loses it. Automatically.

03 · In depth

Conditional Access architected

CA policies are built on signals (user/group, app, device compliance from Intune, risk from Identity Protection, network) and controls (MFA, compliant device, limited session): the base set blocks legacy auth, enforces MFA and phishing-resistant for admins, with break-glass accounts excluded and monitored. PIM elevates roles just-in-time with approvals; access reviews recertify; Entra ID Protection raises the risk and the policies react.

  • Baseline CA — legacy auth blocked + MFA everywhere: 80% of the risk gone at once
  • Phishing-resistant — FIDO2/passkeys for privileged and finance users: phishing blunted
  • PIM — roles activated on a timer with approval: the permanent admin abolished
  • Identity Protection — user/session risk among the signals: the adaptive policy
  • Break-glass — two accounts outside CA, monitored: lock-out made impossible
  • Access review — periodic recertifications: permissions that expire
04 · Numbers and lifecycle

The numbers that matter.

99,9%
of identity attacks blocked by MFA (Microsoft)
0
permanent admins with PIM at full speed
8h
the typical JIT elevation duration
Kill chain
interrupted at login: the real perimeter is here
Identity is the new firewall: we design CA in rings, put PIM on the privileges and the break-glass in the safe.
05 · Use cases

Where it really pays off.

Concrete zero trust

The first pillar, implemented in weeks.

Access compliance

Who accesses what, provable for the audit.

Onboarding/offboarding

The automated lifecycle: the former employee really leaves.

The first hour of every incident is about identity: we secure the perimeter that matters.