Microsoft Entra Unified Cloud Identity. Identity Still Depends on Stored Credentials.
by Nick Clark | Published March 28, 2026
Microsoft Entra ID unifies enterprise identity across Azure, Microsoft 365, and third-party applications through conditional access policies, passwordless authentication methods, and verifiable credentials. The identity management layer is comprehensive. But every authentication flow ultimately terminates in a credential: a certificate, a FIDO2 key, a phone-based authenticator, or a biometric template matched against an enrolled record. The credentials are better protected than ever. They are still stored artifacts that can be compromised. The structural gap is whether identity can exist without persistent credentials, derived instead from accumulated behavioral continuity validated through trust slope functions.
Entra ID's conditional access engine, cross-cloud federation, and verified credentials initiative represent substantial investment in identity infrastructure. The gap described here is about the identity primitive, not about management quality.
Credentials are better protected, not eliminated
Entra ID offers passwordless authentication through Windows Hello, FIDO2 security keys, and the Microsoft Authenticator app. These reduce reliance on passwords. But they replace one credential type with another. A FIDO2 key stores a private key. Windows Hello stores a biometric template and a device-bound key. The Authenticator app stores registration secrets. The credentials changed form. They did not disappear.
Conditional access policies evaluate risk signals before granting access: device compliance, location, sign-in risk, and user risk. These policies add layers of validation around the credential. But the credential remains the foundation. Remove the credential and the identity system has nothing to authenticate against.
Verified credentials shift the format, not the model
Entra Verified Credentials implements decentralized identity standards, allowing users to present verifiable claims without exposing the underlying identity data. This is a genuine advance in privacy-preserving authentication. But verified credentials are still issued credentials: digital artifacts that were created at enrollment time and must be stored by the holder.
A verified credential that is lost, stolen, or revoked requires reissuance from the original issuer. The identity depends on the continued existence of the credential artifact. The format is better. The structural dependency on stored material persists.
What keyless identity addresses
Keyless identity derives identity from accumulated behavioral continuity rather than stored key material. A device proves its identity through a dynamic hash chain anchored in locally-sourced unpredictability, validated through trust slope continuity with its behavioral history. There is no credential to store, steal, or revoke. The identity primitive is the device's own continuity.
Entra's conditional access engine could evaluate trust slope continuity as an authentication signal alongside its existing risk signals. The identity primitive would shift from stored credentials to behavioral continuity, eliminating the class of attacks that depend on credential theft.