Frequently asked questions about Microsoft Entra ID

Microsoft Entra ID is a cloud-based identity and access management solution. It's a directory and identity management service that operates in the cloud and offers authentication and authorization services to various Microsoft services, such as Microsoft 365, Dynamics 365, and Azure.

For more information, see What is Microsoft Entra ID?

Help with accessing Microsoft Entra ID and Azure

Why do I get "No subscriptions found" when I try to access the Microsoft Entra admin center or the Azure portal?

To access the Microsoft Entra admin center or the Azure portal, each user needs permissions with a valid subscription. If you don't have a paid Microsoft 365 or Microsoft Entra subscription, you will need to activate a free Azure account or establish a paid subscription. All Azure subscriptions, whether paid or free, have a trust relationship with a Microsoft Entra tenant. All subscriptions rely on the Microsoft Entra tenant (directory) to authenticate and authorize security principals and devices.

For more information, see How Azure subscriptions are associated with Microsoft Entra ID.

What's the relationship between Microsoft Entra ID, Azure, and other Microsoft services, such as Microsoft 365?

Microsoft Entra ID provides you with common identity and access capabilities for all web services. Whether you're using Microsoft services, such as Microsoft 365, Power Platform, Dynamics 365, or other Microsoft products, you're already using Microsoft Entra ID to help enable sign-on and access management for all cloud services.

All users who are set up to use Microsoft services are defined as user accounts in one or more Microsoft Entra instances, providing these accounts access to Microsoft Entra ID.

For more information, see Microsoft Entra ID Plans & Pricing.

Microsoft Entra paid services, such as Enterprise Mobility + Security, complement other Microsoft services like Microsoft 365 with comprehensive enterprise-scale development, management, and security solutions.

For more information, see The Microsoft Cloud.

What are the differences between Owner and Global Administrator?

By default, the person who signs up for a Microsoft Entra or Azure subscription is assigned the Owner role for Azure resources. An Owner can use either a Microsoft account or a work or school account from the directory that the Microsoft Entra or Azure subscription is associated with. This role is also authorized to manage services in the Azure portal.

If others need to sign in and access services by using the same subscription, you can assign them the appropriate built-in role. For more information, see Assign Azure roles using the Azure portal.

By default, the person who signs up for a Microsoft Entra or Azure subscription is assigned the Global Administrator role for the directory. This user has access to all Microsoft Entra directory features. Microsoft Entra ID has a different set of administrator roles to manage the directory and identity-related features. These administrators will have access to various features in the Azure portal. The administrator's role determines what they can do, like create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, or manage domains.

For more information, see Assign a user to administrator roles in Microsoft Entra ID and Assigning administrator roles in Microsoft Entra ID.

Is there a report that shows when my Microsoft Entra user licenses will expire?

No. This isn't currently available.

How can I allow Microsoft Entra admin center URLs on my firewall or proxy server?

To optimize connectivity between your network and the Microsoft Entra admin center and its services, you might want to add specific Microsoft Entra admin center URLs to your allowlist. Doing so can improve performance and connectivity for your local- or wide-area network. Network administrators often deploy proxy servers, firewalls, or other devices, which can help secure and give control over how users access the internet. Rules designed to protect users can sometimes block or slow down legitimate business-related internet traffic. This traffic includes communications between you and the Microsoft Entra admin center over the following URLs:

  • *.entra.microsoft.com
  • *.entra.microsoft.us
  • *.entra.microsoftonline.cn
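
When these wildcard entries are turned into a proxy or egress rule, the match has to happen on a DNS label boundary, otherwise lookalike hostnames pass the filter. The following is an added example, not part of the original FAQ or of any Microsoft tooling; the function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Wildcard entries exactly as listed above.
ALLOWLIST = (
    "*.entra.microsoft.com",
    "*.entra.microsoft.us",
    "*.entra.microsoftonline.cn",
)

def host_of(url: str) -> str:
    """Return the lowercased hostname of a URL, or '' if it cannot be parsed."""
    try:
        host = urlsplit(url).hostname or ""  # .hostname drops userinfo and port
    except ValueError:
        return ""
    return host.rstrip(".")  # drop the trailing dot of a fully qualified name

def matches(host: str, pattern: str, apex_ok: bool = True) -> bool:
    """Match '*.suffix' only on a DNS label boundary.

    Assumption: proxy products differ on whether '*.example.com' also covers
    'example.com' itself; apex_ok=True includes it.
    """
    if not host or "" in host.split("."):
        return False  # empty host, or an empty label such as 'a..b'
    if not pattern.startswith("*."):
        return host == pattern
    apex = pattern[2:]
    return host.endswith("." + apex) or (apex_ok and host == apex)

def is_allowed(url: str) -> bool:
    """True if the URL's host is covered by one of the allowlist entries."""
    return any(matches(host_of(url), p) for p in ALLOWLIST)

# Constructed sample URLs (not taken from the page) with the expected verdict.
SAMPLES = {
    "https://portal.entra.microsoft.com/signin": True,
    "HTTPS://Portal.Entra.Microsoft.US./blade": True,          # case, trailing dot
    "https://entra.microsoft.com/": True,                      # apex, see apex_ok
    "https://evilentra.microsoft.com/": False,                 # no label boundary
    "https://entra.microsoft.com.attacker.example/": False,    # suffix in the middle
    "https://login.entra.microsoft.com@attacker.example/": False,  # userinfo trick
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        print(f"{is_allowed(url)!s:5} (expected {expected!s:5}) {url}")
```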

Help with hybrid Microsoft Entra ID

How do I leave a tenant when I'm added as a collaborator?

You can usually leave an organization on your own without having to contact an administrator. However, in some cases this option won't be available and you'll need to contact your tenant admin, who can delete your account in the external organization.

For more information, see Leave an organization as an external user.

How can I connect my on-premises directory to Microsoft Entra ID?

You can connect your on-premises directory to Microsoft Entra ID by using Microsoft Entra Connect.

For more information, see Integrating your on-premises identities with Microsoft Entra ID.

Does Microsoft Entra ID provide a self-service portal for users in my organization?

Yes, Microsoft Entra ID provides you with the Microsoft Entra ID Access Panel for user self-service and application access. If you're a Microsoft 365 customer, you can find many of the same capabilities in the Office 365 portal.

For more information, see Introduction to the Access Panel.

Help with password management

Can I use Microsoft Entra password write-back without password sync?

(For example, is it possible to use Microsoft Entra self-service password reset (SSPR) with password write-back and not store passwords in the cloud?)

This example scenario doesn't require the on-premises password to be tracked in Microsoft Entra. This is because you don't need to synchronize your Active Directory passwords to Microsoft Entra ID to enable write-back. In a federated environment, Microsoft Entra single sign-on (SSO) relies on the on-premises directory to authenticate the user.

How long does it take for a password to be written back to Active Directory on-premises?

Password write-back operates in real time.

For more information, see Getting started with password management.

Can I use password write-back with passwords that are managed by an admin?

Yes, if you have password write-back enabled, the password operations performed by an admin are written back to your on-premises environment.

For more answers to password-related questions, see Password management frequently asked questions.

What can I do if I can't remember my existing Microsoft 365 / Microsoft Entra password while trying to change my password?

For the above scenario, there are a couple of options. You can use the self-service password reset (SSPR) if it's available. Whether SSPR works depends on how it's configured. For more information about resetting Microsoft Entra passwords, see How does the password reset portal work.

For Microsoft 365 users, your admin can reset the password by using the steps outlined in Reset user passwords.

For Microsoft Entra accounts, admins can reset passwords by using one of the following:

Help with security

Are accounts locked after a specific number of failed attempts or is there a more sophisticated strategy used?

Microsoft Entra ID uses a more sophisticated strategy to lock accounts. This is based on the IP address of the request and the passwords entered. The duration of the lockout also increases based on the likelihood that it's an attack.

For certain (common) passwords that get rejected, does this apply to passwords used only in the current directory?

Rejected passwords return the message 'This password has been used too many times'. This refers to passwords that are globally common, such as any variants of "Password" and "123456".

Will sign-in requests from dubious sources (botnets, for example) be blocked in a B2C tenant or does this require a Basic or Premium edition tenant?

We have a gateway that filters requests and provides some protection from botnets. It's applied to all B2C tenants.

Help with application access

How do users sign in to applications using Microsoft Entra ID?

Microsoft Entra ID provides several ways for users to view and access their applications, such as:

  • The Microsoft Entra access panel
  • The Microsoft 365 application launcher
  • Direct sign-in to federated apps
  • Deep links to federated, password-based, or existing apps

How do I require multifactor authentication for users who access a particular application?

With Microsoft Entra Conditional Access, you can assign a unique access policy for each application. In your policy, you can require multifactor authentication always, or when users aren't connected to the local network.

For more information, see Securing access to Microsoft 365 and other apps connected to Microsoft Entra ID.
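
The two options described above (require multifactor authentication always, or only off the local network) map onto a Conditional Access policy object as accepted by the Microsoft Graph `conditionalAccess/policies` endpoint. The following is an added example, not part of the original FAQ; the GUIDs are constructed placeholders, "local network" is assumed to mean trusted named locations, and excluding emergency-access accounts is an added assumption.

```python
import json
import uuid

# Microsoft Graph endpoint that accepts this body via POST (not called here).
GRAPH_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Constructed placeholder GUIDs; replace with real object IDs from your tenant.
SAMPLE_APP_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_BREAK_GLASS_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

def build_mfa_policy(app_id, exempt_trusted_locations, break_glass_ids=()):
    """Build a policy body that requires MFA for one application.

    exempt_trusted_locations=False -> MFA is always required.
    exempt_trusted_locations=True  -> MFA is required except from trusted
                                      named locations (assumed "local network").
    """
    app_id = str(uuid.UUID(app_id))  # raises ValueError if not a GUID
    excluded = [str(uuid.UUID(i)) for i in break_glass_ids]
    conditions = {
        "clientAppTypes": ["all"],
        "applications": {"includeApplications": [app_id]},
        # Assumption: emergency-access accounts are excluded to avoid lockout.
        "users": {"includeUsers": ["All"], "excludeUsers": excluded},
    }
    if exempt_trusted_locations:
        conditions["locations"] = {
            "includeLocations": ["All"],
            "excludeLocations": ["AllTrusted"],
        }
    return {
        "displayName": f"Require MFA for app {app_id}",
        # Report-only first, so the impact shows up in sign-in logs before enforcement.
        "state": "enabledForReportingButNotEnforced",
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }

if __name__ == "__main__":
    body = build_mfa_policy(SAMPLE_APP_ID, True, [SAMPLE_BREAK_GLASS_ID])
    print(f"POST {GRAPH_ENDPOINT}")
    print(json.dumps(body, indent=2))
```

Switch `state` to `enabled` once the report-only results in the sign-in logs look as expected.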

Can I set up a secure LDAP connection with Microsoft Entra ID?

No. Microsoft Entra ID doesn't support the Lightweight Directory Access Protocol (LDAP) or Secure LDAP directly. However, it's possible to enable a Microsoft Entra Domain Services instance on your Microsoft Entra tenant with properly configured network security groups through Azure Networking to achieve LDAP connectivity.

For more information, see Configure secure LDAP for a Microsoft Entra Domain Services managed domain.