
Written by NSP Marketing | Jun 22, 2026 10:16:11 PM

What Is Microsoft Entra ID and Why Does Every NZ Business Using Microsoft 365 Need to Understand It?

If your business runs on Microsoft 365, you're already using Microsoft Entra ID. You may not know it by that name. You may not know it's running at all. But every time one of your staff logs into Outlook, opens a Teams meeting, or accesses a SharePoint file, Entra ID is the system deciding whether to let them in.

That makes it the most important security layer in your entire Microsoft environment - and one of the least understood by the business owners and managers responsible for it.

Passwords are no longer the perimeter of your business. Identity is. And Microsoft Entra ID is where that perimeter lives.

We explain what Microsoft Entra ID is, what it does, why it matters for NZ businesses in 2026, and what the risks look like when it's not properly configured or managed.

 

What Is Microsoft Entra ID?

Microsoft Entra ID - formerly known as Azure Active Directory, or Azure AD - is Microsoft's cloud-based identity and access management platform. It's the system that manages who your staff are, what they're allowed to access, and under what conditions.

Every Microsoft 365 tenant has an Entra ID directory. If you have a Microsoft 365 subscription - Business Basic, Business Standard, Business Premium, or any enterprise tier - Entra ID is running in the background right now, governing every login across your organisation.

The rename from Azure Active Directory to Microsoft Entra ID happened in July 2023. It wasn't just a rebrand. It reflected a significant expansion of the platform's scope - from a directory service that managed user accounts into a comprehensive identity and network access platform that governs not just users, but devices, applications, workloads, and increasingly, AI agents.

Basically, Entra ID is the gatekeeper. It's the system that answers the question "should this person be allowed to access this resource right now?" - and it answers that question millions of times a day across your environment, for every login, every file access, every application connection.

 

Why Identity Is Now the Primary Security Perimeter

There's a concept in modern cybersecurity that most business owners have heard of but fewer truly understand: Zero Trust. The core principle is simple - never trust, always verify. Don't assume that because someone is inside your network, they should have access to everything on it.

Entra ID is the engine that makes Zero Trust practical. It evaluates every access request against a set of conditions - who is the user, what device are they on, where are they logging in from, what's the risk level of this sign-in - and makes a real-time decision about whether to allow, challenge, or block access.

This matters because the traditional security perimeter - the firewall around your office network - is no longer where your data lives. Your data lives in Microsoft 365, in SharePoint, in OneDrive, in Exchange Online. Your staff access it from home, from cafes, from phones, from devices you don't manage. The network perimeter is irrelevant when your data is in the cloud and your people are everywhere.

The new perimeter is identity, and identity-based attacks are the dominant threat facing NZ businesses right now.

Password-based attacks are now reaching 4,000 per second globally, according to Microsoft's 2025 Digital Defense Report. In early 2026, a significant campaign dubbed UNK_SneakyStrike specifically targeted more than 80,000 Microsoft Entra ID accounts using automated password spraying tools. These attacks aren't targeting your firewall. They're targeting your logins.

If Entra ID isn't properly configured, those attacks have a much higher chance of succeeding.

 

What Entra ID Does

Entra ID isn't a single feature - it's a platform with multiple distinct capabilities that work together to govern access across your Microsoft environment. Understanding these capabilities is the first step to understanding whether yours are properly configured.

Identity Management

At its most basic, Entra ID is a directory of every user in your organisation - their accounts, their credentials, their group memberships, their assigned roles, their connected devices. Every Microsoft 365 user you've ever created, every shared mailbox, every service account, every guest user you've invited to collaborate - they all live in Entra ID.

This directory is the foundation everything else is built on. If the directory is messy - accounts that weren't disabled when staff left, guests with broader access than they need, service accounts with excessive permissions - the security controls built on top of it are working against a compromised foundation.

Authentication

Entra ID handles how users prove who they are. Password only. Password plus MFA. Passwordless authentication using the Microsoft Authenticator app. Certificate-based authentication. Each method has different security implications, and Entra ID is where those policies are set and enforced.

Multi-factor authentication (MFA) is the single highest-impact security control available to NZ SMEs - and it lives in Entra ID. Whether MFA is required for all staff, some staff, or none is a configuration decision made in Entra. Whether legacy authentication protocols that bypass MFA entirely are still enabled is a configuration decision made in Entra.

These are some of the most consequential security decisions in your entire environment, and they're made - often by default, often without deliberate review - inside Entra ID.

Conditional Access

Conditional Access is one of Entra ID's most powerful capabilities and one of the most underused by NZ SMEs. It allows you to define rules that govern access based on conditions - not just "does this person have the right password?" but "is this person logging in from a managed device, from an expected location, at an expected time?"

Examples of what Conditional Access can enforce:

  • Require MFA for all admin accounts regardless of location

  • Block access from countries your business has no operations in

  • Require a compliant device for access to sensitive data

  • Force a password change if a sign-in is flagged as high-risk

  • Allow access from personal devices only to non-sensitive applications

For NZ SMEs on Microsoft 365 Business Premium, Entra ID P1 - which includes Conditional Access - is already included in the licence. If you're not sure whether Conditional Access is included in your current licence, get in touch - we'll tell you exactly what you have.
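Two of the policies listed above, written as Microsoft Graph PowerShell calls and created in report-only mode so nothing is enforced until the sign-in logs have been reviewed. This is an added example, not code from the original post or from NSP; it assumes the Microsoft.Graph SDK, a Conditional Access Administrator sign-in, and that $breakGlassAccountId (a placeholder) holds the object ID of your emergency-access account.

```powershell
# Added example: create two baseline Conditional Access policies in report-only mode.
# Assumes the Microsoft.Graph PowerShell SDK. $breakGlassAccountId is a placeholder for the
# object ID of an emergency-access account that is deliberately excluded from both policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

$breakGlassAccountId = "<object-id-of-emergency-access-account>"   # placeholder

# Directory role template IDs are fixed constants, identical in every tenant.
$globalAdminRole   = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator
$exchangeAdminRole = "29232cdf-9323-42fd-ade2-1d097af3e4de"   # Exchange Administrator

# Policy 1: require MFA for admin roles regardless of location or device.
$mfaForAdmins = @{
    displayName = "Require MFA for admin roles (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeRoles = @($globalAdminRole, $exchangeAdminRole)
                          excludeUsers = @($breakGlassAccountId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy protocols (Exchange ActiveSync and "other clients" such as
# Basic Auth / SMTP Auth) for everyone, so they cannot be used to sidestep MFA.
$blockLegacyAuth = @{
    displayName = "Block legacy authentication (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassAccountId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($body in @($mfaForAdmins, $blockLegacyAuth)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    "{0}  state={1}  id={2}" -f $created.DisplayName, $created.State, $created.Id
}
```

Report-only policies record their would-be outcome in the sign-in logs; once the impact is understood, switch the state to "enabled" with Update-MgIdentityConditionalAccessPolicy.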

Single Sign-On (SSO)

Entra ID provides Single Sign-On across the Microsoft ecosystem and thousands of connected third-party applications. Staff sign in once and access everything they're authorised for - without re-entering credentials for each application.

This is both a productivity feature and a security one. SSO means credentials aren't being entered repeatedly across multiple applications, reducing the opportunity for credential theft. It also means access can be revoked centrally - when a staff member leaves, disabling their Entra account removes access to everything connected to it in a single action.

Identity Protection

Entra ID P2 includes Identity Protection - a capability that uses machine learning to analyse sign-in behaviour and flag anomalies. Logins from unfamiliar locations. Sign-ins that follow a pattern consistent with credential stuffing. Accounts that appear to have been compromised. These signals are surfaced as risk events that can trigger automated responses - require additional verification, block access, force a password reset.

For businesses that can't afford 24/7 security monitoring but want automated detection of identity-based threats, Identity Protection adds a meaningful layer of defence.

Access Reviews

Entra ID Governance includes Access Reviews - automated, scheduled reviews of who has access to what, prompting managers or users to confirm whether access is still required. For businesses trying to manage the kind of permission drift we covered in our post on cloud drift management, access reviews are the mechanism that keeps permissions from accumulating beyond what's needed.

 

The Microsoft Entra Ecosystem 2026

Entra ID doesn't operate in isolation. It sits at the centre of a broader Microsoft security ecosystem - connected to the following components, each of which depends on Entra for identity and access governance:

Intune - manages every device that accesses your environment - enforcing compliance policies, pushing updates, and enabling remote wipe if a device is lost or stolen.

Purview - governs your data - classifying, labelling, and protecting sensitive information across your Microsoft environment and ensuring compliance with the Privacy Act 2020 and other regulatory obligations.

Defender - provides threat protection across email, endpoints, identities, and cloud apps - detecting and responding to threats that traditional antivirus misses entirely.

Azure - is the underlying cloud infrastructure everything runs on - including your M365 tenant, Entra identities, and all security tooling, whether you're actively managing Azure resources or not.

Microsoft 365 - is the licensing layer that determines which of these capabilities your business can actually access. Most NZ SMEs on Business Premium are already paying for Entra P1, Intune, and Defender - and not using them.

M365 Workloads - Exchange, SharePoint, OneDrive, and Teams - are where your data lives and where most attacks are aimed. Every one of them is governed by Entra ID access policies.

Understanding how these pieces connect is what separates businesses that use Microsoft 365 as a productivity tool from those that use it as a genuine security platform.

 

What Happens When Entra ID Isn't Properly Managed

Understanding Entra ID's capabilities is one half of the picture. Understanding what happens when those capabilities aren't properly configured is the other.

MFA gaps become attack pathways

If MFA isn't enforced universally - if certain accounts, certain applications, or certain authentication flows are excluded - those gaps are what attackers look for. A single unprotected admin account is sufficient for a full environment compromise. The UNK_SneakyStrike campaign in early 2026 specifically exploited tenants where MFA wasn't consistently enforced, using automated password spraying to find the accounts that were still protected only by a password.

Legacy authentication bypasses modern security

Legacy authentication protocols - Basic Auth, SMTP Auth, older Exchange protocols - don't support MFA. If they're still enabled in your tenant, an attacker with a valid username and password can authenticate using these protocols and completely bypass your MFA policies. Microsoft has been progressively disabling legacy authentication across its services, but many NZ tenants still have it enabled for specific accounts or applications without realising the security implication.

Excessive permissions drift over time

As we covered in our post on configuration drift, permissions in Entra ID drift over time. Staff accumulate roles they no longer need. Former staff accounts remain active. Guest users retain access long after the collaboration that required it has ended. Admin roles get assigned during a project and never revoked.

Each of these represents an account with more access than it should have - and accounts with excessive permissions are significantly more valuable to an attacker who compromises them.

Conditional Access policies that don't cover the gaps

Conditional Access is only effective if it covers the scenarios it needs to cover. Policies configured for one scenario that leave gaps in another - covering browser access but not legacy protocols, covering most users but with exceptions that expand over time - provide a false sense of security. The gaps are what get exploited.

Guest access that outlives its purpose

External collaboration in Microsoft 365 - inviting partners, contractors, or clients as guest users - is a common and legitimate business practice. Entra ID governs that access. When guest accounts aren't reviewed and cleaned up, they become persistent access pathways for individuals who may no longer have any legitimate relationship with the business.

 

What Licence Tier Do You Need?

Entra ID comes in tiers, and the security capabilities available to your business depend on your Microsoft 365 licence. This is one of the most common gaps NSP sees - businesses that are paying for a licence tier that includes significant Entra security capabilities and not using them.

Entra ID Free is included with all Microsoft 365 subscriptions. It covers basic user management, MFA, and single sign-on. It's the starting point, not the destination.

Entra ID P1 is included with Microsoft 365 Business Premium - the licence tier NSP recommends as the minimum security baseline for NZ SMEs. P1 adds Conditional Access, self-service password reset, hybrid identity support, and group-based access management. For most SMEs, P1 covers the majority of what's needed to implement a strong identity security posture.

Entra ID P2 adds Identity Protection and Privileged Identity Management - the capabilities that provide risk-based access decisions and just-in-time admin access controls. P2 is included in Microsoft 365 E5 and is available as an add-on for businesses that need the advanced capabilities without the full E5 investment.

If your business is on Business Premium and isn't using Conditional Access, you're paying for a capability you're not getting value from. A conversation with your IT provider about what your current licence includes - and what configuration would unlock that value - is worth having.

 

The Connection to Cyber Insurance

For NZ businesses with cyber insurance - or thinking about getting it - Entra ID configuration is directly relevant to your coverage.

As we covered in our post on the security baseline every NZ business needs before buying cyber insurance, underwriters are increasingly scrutinising MFA deployment and identity controls at both application time and claims time. A breach traced to an unprotected account, a legacy authentication pathway, or an excessive permission that should have been cleaned up is grounds for claim denial - not because of bad luck, but because the control the policy assumed was in place wasn't.

Entra ID is where those controls live. Whether they're properly configured determines whether they actually exist in the way your insurer expects them to.

 

Signs Your Entra ID Configuration Needs Attention

Work through this checklist. If several of these apply, your Entra ID configuration warrants a structured review.

  • MFA not enforced for all users - some accounts or applications excluded

  • Legacy authentication protocols still enabled for any accounts or services

  • Admin accounts without time-limited or just-in-time access controls

  • No Conditional Access policies in place despite having Business Premium or above

  • Conditional Access policies that haven't been reviewed in more than 12 months

  • Guest accounts that haven't been audited in more than 6 months

  • Former staff accounts that may still be active

  • No access reviews running for privileged roles

  • Sign-in risk events not being monitored or actioned

  • Service accounts with broad permissions and no review schedule

If more than three of these apply, a cybersecurity assessment that includes a specific review of your Entra ID configuration is the practical next step.
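One way to check several of these items from a shell rather than by clicking through the portal, which also covers the MFA-gap and legacy-authentication points made earlier. This is an added example, not NSP's tooling; it assumes the Microsoft.Graph SDK, read-only Graph permissions, and a 180-day staleness threshold of our own choosing.

```powershell
# Added example (not NSP's tooling): a read-only audit of several checklist items.
# Assumes the Microsoft.Graph PowerShell SDK; the 180-day staleness cutoff is an assumption.
Connect-MgGraph -Scopes "Policy.Read.All","User.Read.All","AuditLog.Read.All","Directory.Read.All"
$cutoff = (Get-Date).AddDays(-180)

# --- Conditional Access: any policies at all, a legacy-auth block, MFA for all users ---
$policies = @(Get-MgIdentityConditionalAccessPolicy -All)
$enabled  = @($policies | Where-Object { $_.State -eq "enabled" })
$blocksLegacy = @($enabled | Where-Object {
    $_.Conditions.ClientAppTypes -contains "other" -and
    $_.GrantControls.BuiltInControls -contains "block" })
$mfaForAll = @($enabled | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains "All" -and
    $_.GrantControls.BuiltInControls -contains "mfa" })
"Conditional Access: {0} policies, {1} enabled" -f $policies.Count, $enabled.Count
"  Legacy authentication blocked by an enabled policy: {0}" -f ($blocksLegacy.Count -gt 0)
"  MFA required for all users by an enabled policy   : {0}" -f ($mfaForAll.Count -gt 0)
foreach ($p in $mfaForAll) {
    # Exclusions are where MFA gaps accumulate; every one should have a documented reason.
    $excluded = @($p.Conditions.Users.ExcludeUsers).Count + @($p.Conditions.Users.ExcludeGroups).Count
    "    '{0}' has {1} excluded user(s)/group(s)" -f $p.DisplayName, $excluded
}

# Staleness test shared by the two account checks: never signed in and created before the
# cutoff, or last signed in before the cutoff.
$isStale = { $last = $_.SignInActivity.LastSignInDateTime
             if ($last) { $last -lt $cutoff } else { $_.CreatedDateTime -lt $cutoff } }
$props = "Id","UserPrincipalName","CreatedDateTime","SignInActivity"

# --- Guest accounts with no sign-in since the cutoff (external access that outlived its purpose) ---
$guests      = @(Get-MgUser -All -Filter "userType eq 'Guest'" -Property $props)
$staleGuests = @($guests | Where-Object $isStale)
"Guests: {0} total, {1} with no sign-in since {2:yyyy-MM-dd}" -f $guests.Count, $staleGuests.Count, $cutoff
$staleGuests | ForEach-Object { "    {0}" -f $_.UserPrincipalName }

# --- Enabled member accounts with no sign-in since the cutoff (possible former staff) ---
$staleMembers = @(Get-MgUser -All -Filter "userType eq 'Member' and accountEnabled eq true" `
    -Property $props | Where-Object $isStale)
"Enabled member accounts with no sign-in since {0:yyyy-MM-dd}: {1}" -f $cutoff, $staleMembers.Count
$staleMembers | ForEach-Object { "    {0}" -f $_.UserPrincipalName }

# --- Global Administrator membership (fixed role template ID, the same in every tenant) ---
$gaRole = Get-MgDirectoryRole -All | Where-Object { $_.RoleTemplateId -eq "62e90394-69f5-4237-9190-012177145e10" }
$admins = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
"Global Administrators: {0}" -f $admins.Count
$admins | ForEach-Object { "    {0}" -f $_.AdditionalProperties["userPrincipalName"] }
```

Each number this prints maps to a checklist line; the output is a starting point for the review, not a verdict, since a legitimately excluded break-glass account or a seasonal contractor will show up here too.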

 

Frequently Asked Questions About Microsoft Entra ID

Is Microsoft Entra ID the same as Azure Active Directory?

Yes - Microsoft Entra ID is the new name for Azure Active Directory (Azure AD), following a rebrand in July 2023. The underlying service is the same; the rename reflected an expansion of the platform's scope and Microsoft's broader Entra product family. If you see references to Azure AD in older documentation or settings, it refers to the same system now called Entra ID.

Do I already have Microsoft Entra ID?

If your business has any Microsoft 365 subscription - including Business Basic, Business Standard, or Business Premium - yes. Entra ID is included with every Microsoft 365 tenant. The version you have depends on your licence tier: Free with basic plans, P1 with Business Premium, P2 with E5.

What's the difference between Entra ID Free, P1, and P2?

Entra ID Free covers basic user management, MFA, and SSO. P1 adds Conditional Access, self-service password reset, and group-based access management - it's included with Business Premium and is the recommended minimum for NZ SMEs. P2 adds Identity Protection and Privileged Identity Management for risk-based access controls - included with E5 or available as an add-on.

What is Conditional Access and do we need it?

Conditional Access lets you define rules that govern how and when staff can access your Microsoft environment - requiring MFA from certain locations, blocking access from risky devices, or enforcing compliance requirements before access is granted. If you're on Business Premium, Conditional Access is already included in your licence. Whether you need it: yes. Most NZ SMEs with 10 or more staff benefit significantly from at least a basic Conditional Access configuration.

How does Entra ID relate to configuration drift?

Entra ID is where most permission drift happens in a Microsoft environment. MFA policies that were set up but never reviewed, Conditional Access policies with exceptions that expanded over time, guest accounts that weren't cleaned up, admin roles that were assigned for a project and never revoked - all of these represent Entra ID drifting from its intended configuration. Our post on cloud drift management covers this in detail.

What should we do if we think our Entra ID has been compromised?

Act immediately. Check sign-in logs in the Entra admin centre for unusual activity - logins from unexpected locations, at unusual times, or from unfamiliar devices. Check for auto-forwarding rules on affected email accounts. Change credentials for affected accounts from an unaffected device. Enable MFA if it isn't already active. Contact your IT provider or security team immediately and report to the NCSC at ncsc.govt.nz. Our post on how to know if your business has been breached covers the full response process.
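The first checks in that answer as a triage script for a single account. This is an added example, not part of the original post; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules and uses $upn as a placeholder for the affected account.

```powershell
# Added example: first-response triage for one account suspected of compromise.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules. $upn is a placeholder.
$upn = "affected.user@example.co.nz"   # placeholder for the affected account

Connect-MgGraph -Scopes "AuditLog.Read.All","User.ReadWrite.All"

# 1. Recent sign-ins: source IP and location, client used (legacy protocols show up as
#    "Exchange ActiveSync" or "Other clients"), and whether the attempt succeeded.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 50 |
    Select-Object CreatedDateTime, IPAddress, ClientAppUsed,
        @{ n = "Location"; e = { "{0}, {1}" -f $_.Location.City, $_.Location.CountryOrRegion } },
        @{ n = "Result";   e = { if ($_.Status.ErrorCode -eq 0) { "success" } else { "failed ($($_.Status.ErrorCode))" } } } |
    Format-Table -AutoSize

# 2. Mailbox forwarding: mailbox-level forwarding and inbox rules that forward, redirect
#    or silently delete mail are the usual sign that someone else has been in the mailbox.
Connect-ExchangeOnline -ShowBanner:$false
Get-Mailbox -Identity $upn |
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
Get-InboxRule -Mailbox $upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage

# 3. Invalidate existing sessions and refresh tokens, then reset the password from a trusted
#    device as the answer above says; without this step a stolen token keeps working.
Revoke-MgUserSignInSession -UserId $upn
```

Sign-in logs are retained for 7 days on Entra ID Free and 30 days on P1/P2, so export them early in the response.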

Does NSP manage Microsoft Entra ID for clients?

Yes. Entra ID configuration, monitoring, and ongoing management is part of NSP's managed services delivery. This includes MFA policy configuration, Conditional Access design and implementation, access reviews, sign-in risk monitoring, and periodic configuration reviews to identify and remediate drift. If you're not sure what your current Entra configuration looks like, a cybersecurity assessment will map it clearly.

 

What Does Your Microsoft Entra Configuration Look Like?

The question isn't whether Entra ID is running in your environment - it is. The question is whether it's configured to actually protect you.

Most NZ businesses on Microsoft 365 are using a fraction of what their licence includes. MFA policies with gaps, Conditional Access sitting unused, guest accounts that were never cleaned up and admin roles that were never revoked.

A 30-minute conversation with NSP will tell you exactly where your Entra ID configuration stands - what's working, what's drifted, and what's worth addressing first.
