Microsoft Entra ID for Berlin SMBs: Beyond the Azure AD Rebrand
If you’ve been using Microsoft’s identity products for any length of time, you’ve probably noticed that “Azure Active Directory” is now called Microsoft Entra ID. The rebrand happened in 2023, but many organisations are still unclear on what changed — and more importantly, what Entra ID actually offers beyond basic user login management.
For Berlin SMBs running Microsoft 365, Entra ID is likely already part of your subscription. Whether you’re using it effectively is a different question.
What Entra ID Is (And Isn’t)
Entra ID is Microsoft’s cloud-based identity and access management (IAM) platform. It handles:
- User authentication for Microsoft 365, Azure, and thousands of integrated SaaS apps
- Multi-factor authentication (MFA) enforcement
- Conditional Access — policies that control when and how users can authenticate (e.g., block access from outside Germany, require compliant devices)
- Single Sign-On (SSO) to third-party apps
- Device identity management (when paired with Intune)
- Privileged identity management for admin accounts
What it’s not: a replacement for your on-premises Active Directory (if you have one). Entra ID is cloud-first. If you run an on-premises AD, the two connect via Entra Connect (formerly Azure AD Connect), which synchronises identities from AD into Entra ID, but they remain separate systems with different capabilities.
The Plan Tier That Matters
Entra ID comes in tiers. What you get depends on your Microsoft 365 plan:
- Entra ID Free — included with all Microsoft 365 plans. Covers basic SSO, MFA, and user management. Sufficient for very small teams with simple setups.
- Entra ID P1 — included with Microsoft 365 Business Premium and Enterprise E3. Adds Conditional Access, group-based access management, and self-service password reset. This is the tier most SMBs should be on.
- Entra ID P2 — included with Enterprise E5 or as an add-on. Adds Privileged Identity Management (PIM) and Identity Protection with risk-based Conditional Access. Typically relevant for larger organisations or those with elevated compliance requirements.
The most common issue we see: organisations running Microsoft 365 Business Basic (Entra Free) who think they’re protected because they have Microsoft — but are missing Conditional Access entirely.
The Features That Actually Reduce Risk
Conditional Access
This is the most underused and highest-value feature in Entra ID P1. Conditional Access lets you define rules like:
- Require MFA for all users (not just admins)
- Block access from countries your team doesn’t operate in
- Require a compliant, Intune-managed device for access to sensitive apps
- Block legacy authentication protocols (which bypass MFA)
- Require MFA step-up for admin roles
A properly configured Conditional Access policy set blocks the overwhelming majority of password-based attacks: password spray, credential stuffing and reuse of leaked passwords all fail at the MFA prompt or the legacy-auth block. It is not a complete answer on its own. Adversary-in-the-middle phishing that relays the MFA prompt and steals the resulting session token still succeeds unless you also require compliant devices or phishing-resistant methods. Even so, it is one of the highest-leverage security controls available at the Microsoft 365 Business Premium price point.
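The two highest-value rules above, as they look when created with Microsoft Graph PowerShell. This is an added example, not configuration from the article; it assumes Entra ID P1, the Microsoft.Graph module, and a group named CA-Exclude-BreakGlass (a hypothetical name) that holds your emergency-access accounts. Both policies are created in report-only mode so the sign-in log shows what they would have blocked before anything is enforced.

```powershell
# Added example (not from the original article): create the two core Conditional Access
# policies in report-only mode. Assumptions: Entra ID P1, Microsoft.Graph module installed,
# and a break-glass exclusion group named "CA-Exclude-BreakGlass" (hypothetical name).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Group.Read.All" -NoWelcome

$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) {
    throw "Create the break-glass exclusion group first. Never roll out a block policy without one."
}

# Policy 1: block legacy authentication. "exchangeActiveSync" and "other" cover EAS, IMAP4,
# POP3, SMTP AUTH and similar clients. None of them can complete an MFA challenge, so the
# only safe grant control is 'block'.
$blockLegacy = @{
    displayName   = "CA001 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after reviewing report-only results
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require MFA for every user on every cloud app, not just for admins.
$requireMfa = @{
    displayName   = "CA002 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Idempotent: skip a policy if one with the same display name already exists.
$existing = @(Get-MgIdentityConditionalAccessPolicy -All)
foreach ($policy in @($blockLegacy, $requireMfa)) {
    if ($existing | Where-Object DisplayName -eq $policy.displayName) {
        Write-Host "Skipping existing policy: $($policy.displayName)"
        continue
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State
}
```

Leave both policies in report-only mode for a week or two, check the "Report-only" column in the sign-in log for anything you did not expect (service accounts on IMAP, a multifunction printer using SMTP AUTH), fix or exclude those, then switch `state` to `enabled`. The break-glass group exclusion is what keeps you from locking yourself out of the tenant.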
MFA Enforcement — Done Properly
“We have MFA” and “MFA is properly enforced” are not the same thing. Common gaps:
- MFA enabled but not enforced — per-user MFA in the “Enabled” state only prompts the user to register at next sign-in; until they do, clients that don’t use modern authentication still sign in with a password alone
- Legacy protocols not blocked — Exchange ActiveSync, IMAP, POP3 and SMTP AUTH use basic authentication, which cannot carry an MFA challenge. Microsoft retired basic authentication for most Exchange Online protocols in 2022–2023, but SMTP AUTH can still be enabled per mailbox, so a Conditional Access block remains the reliable control
- Admin accounts exempt — because someone found it inconvenient
- No Conditional Access — security defaults and per-user MFA cannot be scoped by location, device or application, and per-user MFA falls back to app passwords (single-factor secrets) for legacy clients. Conditional Access is what closes those gaps
Privileged Identity Management (P2)
PIM allows you to make admin roles time-bound and approval-gated. Instead of an administrator having permanent Global Admin access, they request elevation when needed, get approved, and the access expires automatically.
For Berlin companies with NIS2 obligations, PIM is directly relevant to the access control and multi-factor authentication measures listed in Article 21(2)(i) and (j).
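The elevation flow described above, as an added example in Microsoft Graph PowerShell (not configuration from the article). It assumes Entra ID P2, the Microsoft.Graph module, and a hypothetical admin account admin-jdoe@contoso.example whose permanent Global Administrator assignment you want to convert into a PIM-eligible one. Approval requirements and MFA-on-activation are set in the role’s PIM settings and are not shown here.

```powershell
# Added example (not from the original article): convert a permanent Global Administrator
# into a time-bound, PIM-eligible assignment, then show the activation request the admin
# makes when they actually need the role. Assumptions: Entra ID P2, Microsoft.Graph module,
# and a hypothetical account admin-jdoe@contoso.example.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory",
                        "User.Read.All" -NoWelcome

$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"   # built-in Global Administrator role definition
$admin = Get-MgUser -UserId "admin-jdoe@contoso.example"      # hypothetical dedicated admin account
$nowUtc = (Get-Date).ToUniversalTime().ToString("o")

# Step 1 (run by you, once): make the account eligible, not active, for one year.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Convert permanent Global Admin to PIM-eligible assignment"
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = "/"                          # tenant-wide scope
    principalId      = $admin.Id
    scheduleInfo     = @{
        startDateTime = $nowUtc
        expiration    = @{ type = "afterDuration"; duration = "P365D" }   # ISO 8601 duration
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility |
    Select-Object Status, Action

# Step 2 (run by you, after confirming a break-glass account still holds the role permanently):
# remove the old permanent active assignment so the only path back is activation.
$removal = @{
    action           = "adminRemove"
    justification    = "Permanent assignment replaced by PIM eligibility"
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = "/"
    principalId      = $admin.Id
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $removal |
    Select-Object Status, Action

# Step 3 (run by the admin, each time the role is needed): activate for two hours with a
# justification. If the role requires approval, Status stays "PendingApproval" until an
# approver acts; either way the assignment expires on its own.
$me = Get-MgUser -UserId (Get-MgContext).Account
$activation = @{
    action           = "selfActivate"
    justification    = "Ticket INC-1234: change tenant-wide sharing settings"   # constructed example
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = "/"
    principalId      = $me.Id
    scheduleInfo     = @{
        startDateTime = $nowUtc
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation |
    Select-Object Status, Action
```

Run step 2 only after you have verified that at least one break-glass account keeps a permanent, PIM-independent Global Administrator assignment; if PIM or MFA is ever unavailable, that account is how you get back in.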
Entra ID and GDPR
Entra ID stores user identity data — names, email addresses, authentication logs, device records. For Berlin companies subject to GDPR, this has implications:
- Data residency — by default, Microsoft stores Entra ID data in the EU for European tenants, but this should be verified for your specific tenant configuration
- Audit logs — Entra ID keeps sign-in and audit logs for 7 days on the Free tier and 30 days on P1/P2. Longer retention requires exporting them via Diagnostic Settings to a Log Analytics workspace (retention configurable for years) or a Storage Account. For compliance purposes, extended retention is typically required.
- Data subject requests — Entra ID provides tools for exporting user data to satisfy GDPR access requests
Common Misconfiguration Patterns in Berlin SMBs
When auditing Microsoft 365 environments for new clients, we consistently find the same issues:
- Global Admin role held by the accounts people use for day-to-day work (admin roles belong on separate, dedicated accounts, and Global Admin itself should be limited to a handful plus emergency-access accounts)
- No Conditional Access policies configured despite having P1 licences
- Legacy authentication not blocked (opens MFA bypass paths)
- MFA enabled for some users but not enforced organisation-wide via policy
- No alert on admin account sign-in from unfamiliar location or device
- Guest access open by default with no review process
None of these are difficult to fix. All of them represent meaningful risk until they are.
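A read-only check for most of the patterns above (and for the MFA gaps listed earlier), as an added example in Microsoft Graph PowerShell rather than a script from the article. It assumes Entra ID P1, since the sign-in log and the registration report need it, the Microsoft.Graph module, and an account allowed to read directory, audit-log and policy data. The alerting item cannot be verified from Graph alone and is not covered.

```powershell
# Added example (not from the original article): audit the common Entra ID misconfigurations.
# Assumptions: Entra ID P1, Microsoft.Graph module, read access to directory, audit logs and policies.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All","Policy.Read.All" -NoWelcome

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Global Administrators. Only a few dedicated accounts (plus break-glass) should hold this role.
$gaRole    = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
$findings.Add("Global Administrators: $($gaMembers.Count)")
foreach ($m in $gaMembers) {
    $findings.Add("  - $($m.AdditionalProperties.displayName) <$($m.AdditionalProperties.userPrincipalName)>")
}

# 2. Conditional Access coverage. Report-only and disabled policies protect nothing.
$policies    = @(Get-MgIdentityConditionalAccessPolicy -All)
$enabled     = @($policies | Where-Object State -eq "enabled")
$legacyBlock = @($enabled | Where-Object {
    $_.GrantControls.BuiltInControls -contains "block" -and
    $_.Conditions.ClientAppTypes -contains "other" })
$mfaForAll   = @($enabled | Where-Object {
    $_.GrantControls.BuiltInControls -contains "mfa" -and
    $_.Conditions.Users.IncludeUsers -contains "All" })
$findings.Add("Enabled Conditional Access policies: $($enabled.Count) of $($policies.Count)")
$findings.Add("Legacy authentication blocked by policy: $(if ($legacyBlock.Count) { 'yes' } else { 'NO' })")
$findings.Add("MFA required for all users by policy: $(if ($mfaForAll.Count) { 'yes' } else { 'NO' })")

# 3. Legacy authentication actually in use over the last 7 days. These clients never see an MFA prompt.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = @(Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All)
$legacyClients = @("Exchange ActiveSync","IMAP4","POP3","Authenticated SMTP","Other clients",
                   "Exchange Web Services","MAPI Over HTTP","Outlook Anywhere (RPC over HTTP)")
$legacy = @($signIns | Where-Object { $legacyClients -contains $_.ClientAppUsed })
$findings.Add("Legacy-auth sign-in attempts (7 days): $($legacy.Count)")
$legacy | Group-Object UserPrincipalName | Sort-Object Count -Descending | Select-Object -First 5 |
    ForEach-Object { $findings.Add("  - $($_.Name): $($_.Count)") }

# 4. Successful sign-ins from modern clients where no policy demanded MFA. Each one is a
#    session a stolen password alone would have opened.
$singleFactor = @($signIns | Where-Object {
    $_.Status.ErrorCode -eq 0 -and
    $_.AuthenticationRequirement -eq "singleFactorAuthentication" -and
    $legacyClients -notcontains $_.ClientAppUsed })
$findings.Add("Successful single-factor sign-ins, modern clients (7 days): $($singleFactor.Count)")

# 5. MFA registration (P1 report): users with no second factor registered at all, admins highlighted.
$reg          = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)
$unregistered = @($reg | Where-Object { -not $_.IsMfaRegistered })
$findings.Add("Users without any MFA method registered: $($unregistered.Count) of $($reg.Count)")
$unregistered | Where-Object IsAdmin |
    ForEach-Object { $findings.Add("  - ADMIN without MFA registered: $($_.UserPrincipalName)") }

# 6. Guest accounts. A count nobody can explain is a finding in itself.
$guests = @(Get-MgUser -Filter "userType eq 'Guest'" -All)
$findings.Add("Guest accounts: $($guests.Count)")

$findings
```

Treat the single-factor count in step 4 as a lead rather than a verdict: sign-ins from a tenant with no MFA policy at all will be almost entirely single-factor, while a tenant with Conditional Access in place should show that number trending towards zero as policies are enforced.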
Next Steps
If you’re running Microsoft 365 Business Premium or higher and haven’t had your Entra ID configuration reviewed, it’s worth doing. An IT security audit covers Entra ID configuration as part of the broader identity and access review.
If you’re still on Microsoft 365 Business Basic and wondering whether the upgrade to Business Premium is justified — for most Berlin SMBs, it is. The security capabilities alone (Defender for Business + Entra ID P1 + Intune) typically justify the price difference compared to the cost of a single security incident.
We cover Microsoft 365 setup, migration, and ongoing management for Berlin businesses. If you have questions about your current configuration, the contact page is the fastest way to reach us.
