A long-form deep dive into Microsoft Entra ID for Australian small and mid-sized businesses. Covers what Entra ID is, the difference between Free and Plan 1, Conditional Access, passwordless sign-in, pricing in AUD, and a side-by-side look at what an account compromise looks like with and without Entra ID configured.

    Product Deep Dive
    Recommended for Perth SMEs (any Microsoft 365 plan)

    Microsoft Entra ID: the identity layer your business is probably missing

    You are probably already paying for it. Most Perth businesses have never configured it. Here is what you are missing, and what it costs when you find out the hard way.

    StartCloud · May 2026 · 12 min read
    TL;DR

    The short version

    You are probably already paying for Microsoft Entra ID. It ships inside every Microsoft 365 Business licence, including Business Basic. Most Perth businesses have never opened it.

    Entra ID is the identity layer that controls who gets into your Microsoft environment, from which devices, and under what conditions. Without it configured, a stolen password is all an attacker needs. With it set up properly, a stolen password is almost useless.

    This guide unpacks what Entra ID actually is, what the difference between the free version and Plan 1 looks like in practice, and what a compromised account looks like with and without it protecting your business.

    Prices in this guide are indicative AUD figures current as of May 2026 and are subject to change. Always confirm with your licensing partner before purchase.

    What it is

    Your cloud identity platform

    Microsoft Entra ID (formerly Azure Active Directory, or Azure AD) is Microsoft's cloud-based identity and access management service. Think of it as the front door to your Microsoft 365 environment and every app connected to it.

    When a staff member signs in to Outlook, Teams, SharePoint, or any Microsoft 365 app, they are authenticating through Entra ID, whether they know it or not. The question is not whether you are using it. The question is whether you have configured it to actually protect you.

    Who it is for: Any Australian business running Microsoft 365, including those on Business Basic, Business Standard or Business Premium. If you have Microsoft 365, you have Entra ID. The feature set you can access depends on your licence tier.

    Who it is not for: Businesses not using Microsoft 365 or those running a purely on-premises Active Directory environment, although even then, Entra ID Connect can bridge the two.

    Where it sits in the Microsoft 365 lineup

    Licence                          Entra ID tier included
    Microsoft 365 Business Basic     Entra ID Free
    Microsoft 365 Business Standard  Entra ID Free
    Microsoft 365 Business Premium   Entra ID Plan 1 (significant upgrade)
    Microsoft 365 E3                 Entra ID Plan 1
    Microsoft 365 E5                 Entra ID Plan 2 (full feature set)

    The free tier covers basic single sign-on and MFA. Plan 1 adds Conditional Access, which is where the real security value lives. This guide covers both tiers and is clear about which features require Plan 1.

    Features that matter

    What you actually get

    Stripped of the marketing language, here is what Entra ID puts in your hands. Features tagged Plan 1 require Entra ID Plan 1, which is included in Microsoft 365 Business Premium.

    Single sign-on (SSO)

    Staff sign in once and get access to all connected apps, including Microsoft 365, Salesforce, Xero, DocuSign, Adobe and hundreds of others, without separate usernames and passwords for each. Fewer passwords means fewer weak passwords and fewer resets.

    Multi-factor authentication (MFA)

    Adds a second check (authenticator app, SMS, or hardware key) on top of the password. Microsoft data shows MFA blocks over 99.9 per cent of automated credential attacks. Available on the free tier, but without Conditional Access it is an all-or-nothing toggle.

    Conditional Access (Plan 1)

    The most important feature in Plan 1, and the one most Perth businesses are missing. Set rules around when and how MFA is required: only when someone logs in from outside Australia, or from an unmanaged device, or outside business hours. Staff on managed devices sign in without friction. Attackers get blocked.

    Passwordless sign-in (Plan 1)

    Supports Windows Hello for Business, the Microsoft Authenticator app and FIDO2 security keys, all of which replace the password entirely. Staff tap their fingerprint or approve a phone prompt. No password to phish, no password to steal.

    Self-service password reset

    Staff reset their own passwords securely without calling IT. For a business of 20 to 50 people, this typically saves 30 to 60 minutes of IT time per week and eliminates the awkward workaround of IT emailing temporary passwords.

    Identity protection & sign-in risk (Plan 1)

    Entra ID analyses every sign-in attempt for risk signals: unusual location, impossible travel, anonymised IP address, leaked credentials and more. High-risk sign-ins can be blocked automatically or challenged with additional verification.

    Guest & external access

    Invite external users (clients, contractors, auditors) into your Microsoft 365 environment with a guest account. They use their own Microsoft, Google or social login. You control which resources they can see and can remove access instantly.

    The honest take

    Pros and cons

    No vendor is perfect. Here is what works and what doesn't.

    What works well

    • Already in your licence. Most M365 businesses are paying for at least the free tier. Plan 1 is included in Business Premium at no extra cost.
    • Conditional Access is genuinely powerful. When configured well, it is the single highest-value security control available to an SMB.
    • Passwordless is achievable. Unlike enterprise-only tools, Entra ID passwordless works on any M365 Business licence with modern devices.
    • Single pane of glass. One admin portal to manage identity, MFA, guest access and app connections across the whole business.
    • ASD Essential Eight aligned. Plan 1 directly addresses Essential Eight controls: MFA (ML1 and ML2), restrict admin privileges, and patch applications.

    Where it falls short

    • Free tier has no Conditional Access. The single biggest gap in the free version. Upgrade to Business Premium to get Plan 1, the single most impactful security upgrade for most SMBs. See our Microsoft 365 service.
    • Easy to misconfigure. A Conditional Access policy set up incorrectly can lock everyone out or leave gaps. StartCloud designs and tests policies in report-only mode before applying them. Get in touch.
    • Plan 2 features are enterprise-only. Privileged Identity Management and advanced Identity Protection require Plan 2, which sits in E5 pricing.
    • MFA fatigue attacks are a real risk. Without number matching turned on, push notifications can be approved accidentally. We configure number matching by default in every Entra ID deployment.

    What it costs

    Pricing in real Perth dollars

    Entra ID Free is included in all Microsoft 365 Business licences at no additional charge. Entra ID Plan 1 is included in Microsoft 365 Business Premium, which lists at approximately A$37.00 per user per month on an annual commitment (or ~$44/user/month month-to-month). If you are on Business Basic or Standard and want Plan 1 without upgrading your full licence, you can add Entra ID Plan 1 as a standalone add-on.

    Option                                      Approximate AUD cost             What you get
    Entra ID Free (included in all M365 plans)  Included                         SSO, basic MFA, SSPR, guest access
    Entra ID Plan 1 (in M365 Business Premium)  ≈ $37/user/month (full licence)  Everything in Free, plus Conditional Access, sign-in risk, passwordless, hybrid join
    Entra ID Plan 1 (standalone add-on)         ≈ $9/user/month add-on           Plan 1 features only, added to existing M365 Basic or Standard
    Entra ID Plan 2 (M365 E5 only)              Enterprise pricing               Plan 1 plus Privileged Identity Management and advanced Identity Protection

    Indicative figures only. Prices are current as of May 2026 and subject to change. Always confirm with your licensing partner before purchase.

    Real-world use cases

    Who gets the most from it

    Professional services firms

    Law firms, accounting practices and consulting businesses with staff working from home, court, or client sites. Conditional Access lets partners work from anywhere on their managed laptop without MFA friction, while blocking any sign-in attempt from an unrecognised device or unusual location.

    Businesses with high staff turnover

    Hospitality, retail and trades businesses where staff come and go regularly. Entra ID lets IT disable an account and revoke access to every app and device in a single action. No forgotten shared passwords, no ex-staff still in the payroll system a month later.

    Businesses chasing Essential Eight maturity

    Plan 1 directly addresses MFA (Maturity Level 1 and 2) and restrict admin privileges requirements. For most Perth SMBs, configuring Entra ID properly is the fastest path to demonstrable Essential Eight progress. StartCloud's Essential Eight assessment shows where you stand before and after.

    Remote and hybrid teams

    Staff on personal devices at home, or connecting from client offices and co-working spaces. Conditional Access can require a compliant device (managed by Intune) for access to sensitive apps like finance or HR, while allowing lighter access from personal devices for email and Teams.

    Teams recovering from a credential compromise

    After a phishing attack or credential breach, Conditional Access and identity protection policies can be tightened quickly: block all legacy authentication, enforce MFA everywhere with no exceptions, and require password resets on affected accounts. Without Plan 1, your options are very limited. Managed Security can help.

    The scenario that matters

    What a compromised account looks like

    A staff member falls for a phishing email and hands over their Microsoft 365 password. Here is what happens next, with and without Entra ID Plan 1 configured.

    Stage: Attacker gets the password
      Without Entra ID configured: Signs straight in. No second factor required. Full access to email, Teams, SharePoint, and any connected app.
      With Entra ID Plan 1 configured: Conditional Access triggers MFA. Attacker cannot approve the prompt because they do not have the phone. Sign-in fails.

    Stage: Attacker tries a new location or device
      Without Entra ID configured: Still works. No location or device checks. Can log in from anywhere in the world.
      With Entra ID Plan 1 configured: Sign-in risk policy flags the unusual location. High-risk sign-ins are blocked automatically or require step-up verification.

    Stage: Attacker accesses email
      Without Entra ID configured: Reads all historical email. Searches for passwords, banking details, client data, board communications.
      With Entra ID Plan 1 configured: Blocked at login. Audit log records the failed attempt with IP address, location and device details.

    Stage: Attacker pivots to other apps
      Without Entra ID configured: Uses the same credentials to access connected apps: Xero, Salesforce, DocuSign, and any SSO-enabled service.
      With Entra ID Plan 1 configured: All apps protected by the same Conditional Access policy. Access denied across the board.

    Stage: Business discovers the breach
      Without Entra ID configured: Often days or weeks later, after the damage is done. No central audit trail.
      With Entra ID Plan 1 configured: Alert generated immediately. IT partner reviews the sign-in log and sees exactly what was attempted.


    In practice

    What it looks like day-to-day

    Once Entra ID is configured properly, your team will not notice most of it. That is the point: security should not get in the way of work.

    Who: Staff on a managed company laptop at the office
      What they experience: Sign in with Windows Hello (fingerprint or face). No password prompt, no MFA prompt. Conditional Access knows it is a trusted device on the company network.

    Who: Staff working from home on their company laptop
      What they experience: Sign in as normal. MFA prompt appears on their phone the first time each day. One tap and they are in. Conditional Access knows the device is managed even off-network.

    Who: Staff on a personal device
      What they experience: MFA required every session. Depending on the policy, some apps (e.g. HR or finance) may require the company laptop. Email and Teams are available.

    Who: An attacker with a stolen password
      What they experience: Cannot get past MFA. If they try from overseas, the sign-in risk policy blocks them automatically and generates an alert for IT.

    Who: IT admin when a staff member leaves
      What they experience: Disables the account in Entra ID. Immediately revokes access to all apps, devices and mailboxes. Mailbox preserved for handover.

    How StartCloud configures Entra ID

    Getting it right from the start

    Setting up Entra ID is not a single toggle. A misconfigured Conditional Access policy can lock every staff member out of their email at 8am on a Monday. We follow a structured process to make sure that does not happen.

    Step 1. Licence and tenant review

    We audit your existing Microsoft 365 tenant, confirm which Entra ID tier you are on, and identify any existing MFA or identity policies already in place. Many businesses have partial configurations left over from previous IT providers that need to be cleaned up before anything new is applied.

    Step 2. MFA rollout

    We enable MFA for all users and configure the Microsoft Authenticator app as the primary method. We include a staff communication and a short guide so the rollout generates one round of questions rather than an ongoing stream of helpdesk tickets.

    Step 3. Conditional Access policies

    We design and apply Conditional Access policies against your actual working patterns. For most Perth SMBs: require MFA for all sign-ins, block legacy authentication protocols, require a compliant or hybrid-joined device for access to sensitive apps, and block high-risk sign-ins automatically. Policies run in report-only mode first, are reviewed for two weeks, then enforced.

    Step 4. Passwordless (for eligible businesses)

    For businesses with modern Windows devices, we enable Windows Hello for Business and the Microsoft Authenticator passwordless method. Staff transition from password plus MFA to a single biometric or phone approval.

    Step 5. Admin account hardening

    Global Admin accounts are separated from day-to-day accounts, protected with a hardware FIDO2 key, and subject to the strictest Conditional Access policies. Break-glass emergency accounts are created, documented, and stored securely.

    Step 6. Ongoing monitoring and review

    We configure Entra ID sign-in logs to feed into your security monitoring. Each quarter, we review new Conditional Access policy recommendations from Microsoft Secure Score and apply them where relevant.

    Watch out

    Common pitfalls

    The mistakes we see most often when businesses try to configure Entra ID without expert guidance.

    • Turning on MFA without Conditional Access. Without it, MFA is a blunt tool. Staff get prompted constantly and start looking for ways around it. Adoption drops and security is worse than before.

    • Leaving legacy authentication enabled. Older email clients (Outlook 2013, basic IMAP/SMTP) bypass MFA entirely. Attackers know this and target these protocols specifically. Block legacy auth as part of any Entra ID deployment.

    • Using one admin account for everything. A Global Admin account that is also the daily-use account is a single point of catastrophic failure. Compromise that account and the attacker owns your entire tenant.

    • MFA fatigue attacks. Attackers flood a user with MFA push notifications hoping they approve one by accident. Number matching (requiring the user to type the number shown on screen) eliminates this. It is off by default and needs to be turned on.

      StartCloud turns number matching on by default.

    • Never reviewing the sign-in logs. Entra ID generates detailed logs of every sign-in attempt, including failed ones. Without a regular review process, you are flying blind on who is attempting access to your environment.

      Our security reporting service covers this.

    • Forgetting guest accounts. Guest accounts created for contractors and clients accumulate over time. Old guests with active access are a common audit finding and a real risk if their own accounts are compromised.
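    As an added example (not code from this guide or from StartCloud), here is what a first pass over the sign-in logs can look like, covering both the report-only review in Step 3 and the "never reviewing the sign-in logs" pitfall above. It reads records in the shape of the Microsoft Graph signIn resource and flags legacy-auth clients, sign-ins from outside Australia, risky sign-ins, failed MFA challenges and report-only Conditional Access policies that would have blocked a sign-in. The records, the example.com.au addresses, the home-country value and the set of modern clients are constructed assumptions to tune for your own tenant.

```python
"""Triage of Entra ID sign-in records (Microsoft Graph signIn schema), flagging what
this guide says to review: legacy-auth clients, sign-ins from outside Australia, risky
sign-ins, failed MFA challenges, and report-only Conditional Access policies that would
have blocked a sign-in. SAMPLE_SIGNINS are constructed records, not real tenant data."""

MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}  # anything else is legacy auth
HOME_COUNTRY = "AU"  # assumption: tune to where your staff actually work
# AADSTS500121: the user did not complete the MFA challenge (denied, timed out or wrong code).
MFA_FAILURE_CODES = {500121: "MFA challenge not completed"}


def triage(record):
    """Return the review findings for one sign-in; an empty list means nothing to review."""
    findings = []
    client = record.get("clientAppUsed", "unknown")
    if client not in MODERN_CLIENTS:
        findings.append(f"legacy auth client: {client}")
    country = record.get("location", {}).get("countryOrRegion")
    if country and country != HOME_COUNTRY:
        findings.append(f"sign-in from outside {HOME_COUNTRY}: {country}")
    if record.get("riskLevelDuringSignIn") in {"medium", "high"}:
        findings.append(f"risky sign-in: {record['riskLevelDuringSignIn']}")
    code = record.get("status", {}).get("errorCode", 0)
    if code in MFA_FAILURE_CODES:
        findings.append(MFA_FAILURE_CODES[code])
    for policy in record.get("appliedConditionalAccessPolicies", []):
        # reportOnlyFailure: policy is in report-only mode and would have blocked this sign-in
        if policy.get("result") == "reportOnlyFailure":
            findings.append(f"report-only policy would have blocked: {policy['displayName']}")
    return findings


def review(records):
    """Map each user with findings to their findings; users with nothing to review are omitted."""
    report = {}
    for rec in records:
        findings = triage(rec)
        if findings:
            report.setdefault(rec["userPrincipalName"], []).extend(findings)
    return report


# Constructed samples in the shape of the Graph signIn resource (not real tenant data).
SAMPLE_SIGNINS = [
    # Staff on a managed laptop at the office: modern client, home country, MFA satisfied.
    {"userPrincipalName": "alice@example.com.au", "clientAppUsed": "Browser",
     "location": {"countryOrRegion": "AU"}, "riskLevelDuringSignIn": "none", "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": [{"displayName": "Require MFA for all users", "result": "success"}]},
    # Old IMAP client that still works today; the report-only block policy shows it would be cut off.
    {"userPrincipalName": "bob@example.com.au", "clientAppUsed": "IMAP4",
     "location": {"countryOrRegion": "AU"}, "riskLevelDuringSignIn": "none", "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": [{"displayName": "Block legacy authentication", "result": "reportOnlyFailure"}]},
    # The guide's scenario: stolen password used from overseas, MFA prompt never approved.
    {"userPrincipalName": "alice@example.com.au", "clientAppUsed": "Browser",
     "location": {"countryOrRegion": "US"}, "riskLevelDuringSignIn": "high", "status": {"errorCode": 500121},
     "appliedConditionalAccessPolicies": [{"displayName": "Require MFA for all users", "result": "failure"}]},
]
```

Running review(SAMPLE_SIGNINS) surfaces Bob's IMAP client before the legacy-auth block is enforced, and Alice's overseas attempt that MFA stopped, which is the two-week report-only review and the weekly log check in one pass.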

    The verdict

    Should your business configure it?

    Yes, immediately, and for free if you are already on any Microsoft 365 plan.

    Entra ID Free with MFA enabled is a meaningful security improvement over no identity management at all. If you are on Microsoft 365 Business Premium, Entra ID Plan 1 is already in your licence and Conditional Access is the single highest-value control you are probably not using.

    The investment is in configuration, not licences. A one-time Entra ID setup engagement covers MFA rollout, Conditional Access policies, admin account hardening and sign-in log monitoring. For most Perth SMBs, that configuration will prevent the most common type of breach: a stolen credential used to access your Microsoft 365 environment.

    The alternative is leaving your front door open and hoping no one tries it.

    Not sure what Entra ID tier you are on?

    StartCloud runs a Microsoft 365 health check that covers identity, security and licence optimisation. Straight answers, no obligation.

    Get in touch

    No obligation. Straight answers. Perth-based team.

    Sources

    References

    1. Microsoft Entra ID product page
      https://www.microsoft.com/en-au/security/business/microsoft-entra-id
    2. Microsoft Entra ID pricing
      https://www.microsoft.com/en-au/security/business/microsoft-entra-pricing
    3. Entra ID Conditional Access documentation
      https://learn.microsoft.com/en-us/entra/identity/conditional-access/
    4. Microsoft passwordless authentication overview
      https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless
    5. Australian Signals Directorate: Essential Eight Maturity Model
      https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
    6. MFA blocks 99.9% of account compromise attacks
      https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/
    7. Microsoft Entra ID Free vs Plan 1 vs Plan 2 comparison
      https://learn.microsoft.com/en-us/entra/fundamentals/licensing

    Document prepared May 2026 by StartCloud (Start Technologies Pty Ltd). Pricing and feature information is indicative only and current as of the date of preparation. Microsoft licensing changes frequently, so confirm with your licensing partner before any purchase decision.
