1 Introduction
Today’s enterprise has very different needs when securing access for employees than it did a decade ago. A clear rise in cloud deployments alongside legacy and on-premises resources has dissolved the traditional perimeter of security, accelerated by remote work and increasing needs for remote access. The threat landscape is evolving, producing more frequent and more sophisticated attacks. Often, the security systems that organizations have put in place cannot sustain the required employee traffic, nor the volume and advanced nature of cyberattacks.
Security concepts and technologies have advanced to address these needs, and there are clear strategies in combining them for most effective outcomes. Organizations must come to terms with the fact that identity is the common foundation in all digital interactions, and it is both the great enabler of smooth business as usual and a critical security factor. For operations to be as efficient and secure as possible, appropriate, least privilege access must be provided to authorized users, from appropriate locations, to specific resources. The Identity Fabric is a concept to help organizations make this a reality.
A simplified view of the KuppingerCole Identity Fabric, seen in figure 1, shows the variety of identities on the far left, for which identity and access must be managed to the target systems on the far right. A non-exhaustive list of identity management capabilities, services, and tools sits in the center. The ability to integrate these identity services in both directions, forward to modern digital and SaaS services and back to legacy applications, is a must; it is delivered through an API layer and with connectors, scripts, and code.
A strong Identity Fabric requires secure connectivity and access management to legacy services, on-premises resources, and internet resources. Ideally organizations would choose or migrate to modern approaches for enabling remote access and internet access, like leveraging zero trust network access (ZTNA) instead of VPNs.

Figure 1: Simplified view of the KuppingerCole Identity Fabric, representing identity for everyone (and everything), from anywhere, to anything
ZTNA brokers per-application access with strong authentication and access controls over encrypted network connections. It is one component of the security service edge (SSE): ZTNA covers access to private applications, while SSE as a whole also governs access to web and cloud services.
Onboarding new employees and allowing them to be productive on day one is one of the most challenging scenarios for organizations. It requires trustworthy and privacy-respecting identity verification capabilities and streamlined identity lifecycle processes enabling easy and secure access to all resources needed. For many organizations, these processes are highly manual and disconnected from HR systems and user directories. In order to ensure least privilege access, it is imperative to unify and automate access rights management across all applications, including legacy on-premises resources.
A smart combination of technologies doesn’t just deliver a handful of use cases, it exponentially adds value and security, bringing the organization closer to a unified, cohesive identity fabric.
Although organizations recognize the need to modernize their security concepts and technologies, they need support to get to a complete Zero Trust user access solution. In a 2024 KuppingerCole survey, 84.3% of organizations list Zero Trust as one of their top three cybersecurity initiatives, but over 50% of organizations expect challenges integrating zero trust network access (ZTNA) with their existing infrastructures. This indicates a high awareness of and motivation to adopt security best practices, but also that organizations need support in architecting them to be effective across a combination of legacy and cloud-based resources.
The Microsoft Entra Suite is a set of products designed to build on each other to secure access for employees. It combines the principles of the Identity Fabric (providing appropriate access for everyone, from everywhere, to everything), zero trust (eliminating implicit trust within networks by continuously verifying every stage of a digital interaction), zero trust network access (ZTNA, applying zero trust and least privilege principles to network access), and the security service edge (SSE, designed to provide robust security for users accessing the web, cloud services, and private applications).
2 Product Description
Microsoft Entra Suite is a complete Zero Trust user access solution for the workforce. It helps protect employee identities and secure their access to any app or resource, regardless of where people choose to work.
This suite addresses the secure access needs of any employee (on-premises or remote) from anywhere (on-site locations and remote), with any platform and device, to any data, apps, or resources (SaaS, websites, and on-premises). Rather than working with discrete sets of products to secure access, the Microsoft Entra Suite converges access policies across identities, endpoints, and private and public networks for a unified zero trust approach.

Figure 2: The Microsoft Entra Suite secures employee access for any employee, anywhere, to any device, image courtesy of Microsoft
The Microsoft Entra Suite is comprised of five products: Microsoft Entra Private Access, Microsoft Entra Internet Access, Microsoft Entra ID Governance, Microsoft Entra ID Protection, and Microsoft Entra Verified ID.
-
Microsoft Entra Private Access enables identity-centric zero trust network access (ZTNA) to on-premises applications and resources through dedicated, TLS-protected tunnels on which Conditional Access controls are enforced. Private Access allows organizations to replace legacy VPNs with ZTNA and connect users to any private resource (any app, any port, any protocol), including non-web protocols such as RDP, SSH, SMB, and FTP, without exposing full network access to all resources. It is built on Zero Trust principles to protect against cyber threats and mitigate lateral movement while enabling app segmentation and adaptive access. Without making any changes to their apps, organizations can extend Conditional Access policies to their network using identity-centric access controls and enable single sign-on (SSO) and multifactor authentication (MFA) across all private apps and resources. Through Microsoft's global private network, organizations can give their users a fast, seamless access experience that balances security with productivity.
The global private wide area network provides a globally distributed proxy covering 70 Azure regions and more than 170 edge sites; latency is minimized by eliminating additional hops. Private apps can be defined flexibly by IP address or range, fully qualified domain name (FQDN), or service principal name (SPN), and wildcard suffixes are supported, for example for domain controllers.
-
Microsoft Entra Internet Access secures access to all internet and SaaS applications and resources through an identity-centric secure web gateway (SWG), protecting the organization against internet threats, malicious network traffic, and unsafe or non-compliant content. It enforces unified access controls through a single policy engine to minimize the risk of cyberthreats and close security gaps. It protects users, devices, and resources with capabilities such as universal continuous access evaluation (CAE), web content filtering, a cloud firewall, threat protection, and transport layer security (TLS) inspection, so organizations no longer need to manage multiple separate network security tools.
-
Microsoft Entra ID Governance supports provisioning, identity lifecycle management and automation, and access governance capabilities. It ensures that the right people have appropriate access to the right apps and resources at the correct time.
Identity provisioning is primarily supported via open standards such as SCIM, LDAP, and interfaces to SQL databases. There is automated provisioning and deprovisioning into the Microsoft ecosystem (including SharePoint Online sites, Microsoft Active Directory, Microsoft Teams, and Microsoft Entra ID).
Workflows for lifecycle management can be built and triggered manually or automatically. There is also support for lifecycle management of guest users. It also integrates privileged identity management for mitigating risks of privileged access entitlements that provide critical access to important resources in the organization.
-
Microsoft Entra ID Protection is an advanced identity solution that blocks identity compromise in real time using high-assurance authentication methods, automated risk and threat assessment, and adaptive access policies powered by advanced machine learning.
Sign-in behavior is analyzed by machine learning algorithms and assigned to one of three risk tiers (low, medium, high). The decision engine ingests threat intelligence and telemetry to yield a real-time risk level and decision (allow, require, block, or restrict). This risk information is fed back into Conditional Access, which applies adaptive access policies to the user for automatic remediation, with options for manual remediation by administrators.
Risks detected on an identity are tracked, with three key reports provided to administrators (risk detections, risky sign-ins, and risky users). The data can be collected and processed in a SIEM and other tools through the Microsoft Graph API.
-
Microsoft Entra Verified ID is a managed verifiable credentials service based on open standards that enables real-time identity verification in a secure and privacy respecting way. Included in the Microsoft Entra Suite are premium Verified ID capabilities, starting with Face Check.
Face Check can be used in conjunction with a strong partner network of best-of-breed identity verification providers for customized identity verification scenarios. Verified ID's partner network includes Au10tix, LexisNexis, Vu, Onfido, Jumio, Idemia, and Clear. User onboarding or any high-value transaction (e.g., an account reset request or a global admin access request) can trigger an identity verification flow with Face Check, verifying the user's identity by facial matching against a government-issued document or an employee directory picture. The process respects the end user's privacy, as no personal data is exchanged or exposed during the verification. Users remain in control of their data and can securely store their verified credentials in an identity wallet such as the Microsoft Authenticator app.
Differentiators
Because these five products work as one integrated solution, the Microsoft Entra Suite makes it easy to protect employees’ identities and secure access to any app or resource, regardless of where people choose to work—from the office, from home, or on the go. The Microsoft Entra Suite enables one unified Conditional Access policy engine that reasons over identity, endpoint, and network, allowing organizations to make real-time, automated access decisions based on conditions including location, device, application, and membership.
This convergence of identity and network access for employees enables a coordinated approach to use cases such as employee onboarding, modernizing remote access, and securing access to internet resources. Because Conditional Access is at the core of the Microsoft Entra Suite, the same policies are leveraged across the organization to manage access to different resources.
Onboarding employees requires streamlined identity lifecycle processes, ensuring secure and seamless access for employees to all necessary resources on day one. The identity of new hires can be verified remotely with Verified ID, and ID Governance then automatically assigns access packages and lets users request additional access to resources through the necessary approval processes.
Remote access must be robust and fit for purpose, instead of relying on legacy solutions like VPNs that often provide blanket network access. Microsoft Entra Private Access establishes an individual tunnel for each user-to-resource connection. Organizations can segment their traditional network-based access into specific private apps, such as Remote Desktop (RDP). Instead of having one access profile for all private applications, they can create multiple "proxies" of those applications with Global Secure Access enterprise app profiles and apply different policies to different apps. Paired with Conditional Access policies, this gives a powerful and fine-grained way to secure private resources. Taking a Zero Trust approach to network access reduces the organization's attack surface and mitigates lateral movement. Private Access also lets organizations require MFA for on-premises resources even when employees are working from the corporate network, which is often a security gap because many corporate networks are built on implicit trust. Using fit-for-purpose tools such as Private Access and Internet Access that rely on the same source of Conditional Access policies reduces operational complexity.
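To make concrete how the risk tiers from ID Protection and the Conditional Access decisions (allow, require, block) described above combine, here is an added Python model of a Conditional Access evaluation. It is an illustrative example written for this page, not Microsoft's engine or code from the report. The combination rule it implements, that a block in any matching policy wins and that otherwise every grant control of every matching policy must be satisfied, is the documented Conditional Access behaviour; the policy names, the app labels "erp-rdp" and "saas-crm", the location labels and all sample sign-ins are constructed for illustration. The last policy models the point made above: the private RDP app requires MFA even from the corporate network.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# ID Protection exposes sign-in risk as a tier; an ordering lets a policy say
# "applies at this risk level or above".
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    """Signals available to the policy engine at sign-in time (constructed)."""
    user: str
    app: str                 # resource being requested
    location: str            # "corp_network" or "internet" (illustrative labels)
    device_compliant: bool   # endpoint compliance signal
    sign_in_risk: str        # ID Protection tier: none / low / medium / high
    mfa_done: bool           # whether MFA has already been satisfied


@dataclass(frozen=True)
class Policy:
    """One Conditional Access policy: conditions plus either block or grant controls."""
    name: str
    apps: Optional[FrozenSet[str]] = None        # None = all apps
    locations: Optional[FrozenSet[str]] = None   # None = any location
    min_risk: str = "none"                       # applies at this risk tier or above
    block: bool = False
    require: FrozenSet[str] = frozenset()        # subset of {"mfa", "compliant_device"}


def applies(policy: Policy, s: SignIn) -> bool:
    """A policy matches only when every condition it sets is met."""
    if policy.apps is not None and s.app not in policy.apps:
        return False
    if policy.locations is not None and s.location not in policy.locations:
        return False
    return RISK_ORDER[s.sign_in_risk] >= RISK_ORDER[policy.min_risk]


def satisfied(control: str, s: SignIn) -> bool:
    """Whether a grant control already holds for this sign-in."""
    if control == "mfa":
        return s.mfa_done
    if control == "compliant_device":
        return s.device_compliant
    raise ValueError(f"unknown grant control: {control}")


def evaluate(policies, s: SignIn) -> Tuple[str, FrozenSet[str]]:
    """Combine all matching policies. A block in any matching policy wins;
    otherwise every grant control of every matching policy must hold, and the
    unmet controls are returned so the caller can prompt for them."""
    matched = [p for p in policies if applies(p, s)]
    blockers = frozenset(p.name for p in matched if p.block)
    if blockers:
        return ("block", blockers)
    missing = frozenset(c for p in matched for c in p.require if not satisfied(c, s))
    if missing:
        return ("require", missing)
    return ("allow", frozenset())


# Constructed policy set (names and app labels are illustrative).
POLICIES = (
    Policy("Block high-risk sign-ins", min_risk="high", block=True),
    Policy("Medium risk: MFA and compliant device", min_risk="medium",
           require=frozenset({"mfa", "compliant_device"})),
    Policy("Baseline: MFA off the corporate network",
           locations=frozenset({"internet"}), require=frozenset({"mfa"})),
    # The Private Access point: the RDP app requires MFA even from the corporate LAN.
    Policy("Private app erp-rdp: always MFA", apps=frozenset({"erp-rdp"}),
           require=frozenset({"mfa"})),
)

# Constructed sample sign-ins.
SAMPLES = {
    "lan_rdp_no_mfa": SignIn("alice", "erp-rdp", "corp_network", True, "none", False),
    "lan_rdp_mfa": SignIn("alice", "erp-rdp", "corp_network", True, "none", True),
    "internet_saas_no_mfa": SignIn("bob", "saas-crm", "internet", True, "none", False),
    "internet_medium_risk_bad_device": SignIn("bob", "saas-crm", "internet", False, "medium", True),
    "internet_high_risk_mfa": SignIn("carol", "saas-crm", "internet", True, "high", True),
}


def run_samples():
    """Evaluate every sample sign-in against POLICIES; returns {name: decision}."""
    return {name: evaluate(POLICIES, s) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, (decision, detail) in run_samples().items():
        print(f"{name:34s} -> {decision:8s} {sorted(detail)}")
```

Two things the model makes visible that the prose does not: a sign-in matched by no policy is allowed, so a baseline policy is needed to avoid coverage gaps, and a high-risk sign-in is blocked even when MFA has already been completed, because block takes precedence over any grant control.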
Securing and governing access to internet resources is a similar use case where ID Governance and Internet Access in combination add compounding value. Rather than handling access management and network access as separate issues, converging governance of identities with secure internet access enables just-in-time (JIT) access to internet resources, extending least privilege access to web traffic and SaaS apps.
3 Strengths and Challenges
The Microsoft Entra Suite makes a strong case for converging security measures with identity management. The suite applies Identity Fabric thinking to achieve zero trust access for employees, following KuppingerCole best practice. Using the combination of fit-to-purpose technology such as secure web gateways (SWG) for internet access and cutting-edge innovation such as verifiable credentials for user-held and reusable credentials, the Microsoft Entra Suite prepares the organization to manage employee identities and access in a future-proof manner.
ID Governance is a core foundation of the Microsoft Entra Suite, and its capabilities should cover the majority of organizational requirements. Although baseline privileged access management is covered in ID Governance, it may not be sufficient for organizations that need credential vaults, session management, or session log management. The provisioning capabilities for legacy applications, particularly the breadth and depth of connectors, should be expanded, as should segregation of duties (SoD) functionality. Administrative usability could be improved by adding CI/CD support for creating custom workflows. Support for wider cloud deployment options, including hybrid cloud environments and sovereign clouds, would also be welcome.
Overall, Microsoft Entra Suite is a strong choice for organizations using the Microsoft collection of products and services. This product suite for securing employee access and building a foundation of identity-centric zero trust access is a well-rounded and feature-complete choice. The integrated products help with better security, simpler user experience, and better operational and licensing efficiencies. It should be considered for organizations that choose to take a unified approach to managing and controlling access to all types of resources.
Strengths | Challenges
4 Related Research
Leadership Compass: Identity Governance and Administration 2024 – 80832
Leadership Compass: Identity and Access Governance 2024 – 80840
Leadership Compass: Identity Fabrics 2024 – 81426
Executive View: Microsoft Entra ID Governance – 81336
5 Copyright
© 2025 KuppingerCole Analysts AG. All rights reserved. Reproducing or distributing this publication in any form is prohibited without prior written permission. The conclusions, recommendations, and predictions in this document reflect KuppingerCole's initial views. As we gather more information and conduct deeper analysis, the positions presented here may undergo refinements or significant changes. KuppingerCole disclaims all warranties regarding the completeness, accuracy, and adequacy of this information. Although KuppingerCole research documents may discuss legal issues related to information security and technology, we do not provide legal services or advice, and our publications should not be used as such. KuppingerCole assumes no liability for errors or inadequacies in the information contained in this document. Any expressed opinion may change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Their use does not imply any affiliation with or endorsement by them.
KuppingerCole Analysts supports IT professionals with exceptional expertise to define IT strategies and make relevant decisions. As a leading analyst firm, KuppingerCole offers firsthand, vendor-neutral information. Our services enable you to make decisions crucial to your business with confidence and security.
Founded in 2004, KuppingerCole is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as technologies enabling Digital Transformation. We assist companies, corporate users, integrators, and software manufacturers to address both tactical and strategic challenges by making better decisions for their business success. Balancing immediate implementation with long-term viability is central to our philosophy.
For further information, please contact clients@kuppingercole.com.