Microsoft Entra Unified Cloud Identity. Identity Still Depends on Stored Credentials.
by Nick Clark | Published March 28, 2026
Microsoft Entra is the most consequential identity platform in enterprise computing. Entra ID (formerly Azure Active Directory) authenticates roughly the entire Microsoft 365 customer base and large fractions of the SaaS ecosystem through OIDC and SAML federation; Entra Verified ID implements the W3C Verifiable Credentials and Decentralized Identifier standards; Entra External ID handles customer and partner identity at consumer scale; Entra Permissions Management governs cross-cloud entitlements; SCIM provisioning ties the directory to thousands of downstream applications. The platform is comprehensive and, by any reasonable measure, well-engineered. The structural gap is not in management features. It is that every authentication path Entra issues — every OIDC id_token, every SAML assertion, every Verified ID presentation — terminates in a cryptographic signature produced by an RSA or ECDSA key whose security collapses on the day a cryptographically relevant quantum computer arrives, and whose authority is anchored in stored credential material that can be exfiltrated, replayed, or impersonated today. Keyless identity replaces that root with a continuity primitive that is post-quantum by construction.
Vendor and Product Reality
Microsoft Entra is the rebranded and expanded successor to Azure Active Directory. The core directory service, Entra ID, holds identity records for hundreds of millions of enterprise users and brokers authentication for Microsoft 365, Azure, Dynamics, GitHub Enterprise, and the catalog of pre-integrated SaaS applications that Microsoft has accumulated over fifteen years of federation work. Conditional Access evaluates risk signals — device compliance via Intune, sign-in risk from Identity Protection, network location, user risk — and gates token issuance accordingly. Passwordless authentication is supported through Windows Hello for Business, FIDO2 security keys aligned to the WebAuthn specification, certificate-based authentication, and the Microsoft Authenticator app with phishing-resistant push.
Around the core directory, Microsoft has built a deliberate product family. Entra Verified ID issues and verifies W3C Verifiable Credentials anchored to Decentralized Identifiers, with ION on Bitcoin as the original anchoring layer and a current pivot toward did:web and did:jwk for production deployments. Entra External ID consolidates the former Azure AD B2C and B2B paths into a single tenant model for customer and partner identity, supporting OIDC, SAML, and social-IDP federation at consumer volume. Entra Permissions Management, acquired from CloudKnox, performs cloud infrastructure entitlement management across Azure, AWS, and GCP. Entra Internet Access and Entra Private Access extend the platform into Security Service Edge territory. SCIM 2.0 provisioning, OIDC, OAuth 2.1, SAML 2.0, and the Microsoft Graph API give downstream applications a documented surface to consume.
The deployment posture is dominant. Entra ID is the default identity plane for organizations on Microsoft 365, which is to say most of the enterprise market. The certifications include FedRAMP High, ISO 27001, SOC 2 Type II, and the regional sovereign-cloud variants. The platform is, on its own terms, a complete identity management product. None of the analysis that follows disputes that. The structural question is what identity primitive the management is built on.
Architectural Gap
Every Entra authentication outcome is, at the cryptographic layer, a signature. An OIDC id_token is a JWT signed with RS256 or ES256 using a key held in Microsoft's signing infrastructure. A SAML assertion is XML-DSig signed with the same class of primitive. A Verified ID presentation is a Verifiable Credential JWT or a JSON-LD proof signed by the issuer's DID-bound key. A FIDO2 attestation is an ECDSA signature produced by the security key's private material. A Windows Hello for Business assertion is signed by a TPM-bound asymmetric key. The relying party validates the signature against a public key obtained through OIDC discovery, federation metadata, or a DID document. The trust chain everywhere terminates in RSA, ECDSA, or EdDSA.
Two consequences follow. The first is the post-quantum migration cliff. Shor's algorithm solves integer factorization and the elliptic-curve discrete-logarithm problem in polynomial time on a sufficiently large fault-tolerant quantum computer, which breaks RSA and ECDSA alike. NIST has finalized ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) as post-quantum signature replacements, and CNSA 2.0 mandates migration on a defined timeline. Microsoft has begun publishing PQC guidance and is staging support for hybrid signatures, but the installed base of relying parties — every SAML application configured against Entra federation metadata, every OIDC client configured against the v2.0 discovery document, every Verified ID verifier holding a cached DID document — assumes classical signatures and will not validate ML-DSA or SLH-DSA without a coordinated upgrade cycle that runs on the relying-party side, not just on the issuer side. The harvest-now-decrypt-later threat applies to every signed token captured in transit today.
The second consequence is that the identity primitive is a stored artifact even when the artifact is well-protected. A FIDO2 key stores a private key in a secure element. Windows Hello stores a biometric template plus a device-bound key in the TPM. The Authenticator app stores a registration secret. Verified ID credentials are issued artifacts that the holder must store. Conditional Access wraps these credentials in additional risk evaluation, but if the credential is removed, replayed, or cloned in a way that the device-binding does not catch, the policy engine has no underlying continuity primitive to fall back on. The directory is the source of truth, and the directory is a database. The structural gap is the dependency on stored authoritative material rather than on derived behavioral continuity.
What the Keyless Identity Primitive Provides
Keyless identity derives the identity assertion from a hash-chain accumulator anchored in locally sourced unpredictability and validated through a trust-slope continuity evaluation against a previously published descriptor. There is no long-lived private key on the device. There is no enrollment record in a directory whose compromise yields impersonation. The principal proves identity by demonstrating that its present chained state is the legitimate successor of its past chained states, and the relying party validates that proof against a continuity descriptor without holding any secret of its own.
The primitive is post-quantum by construction. The operations reduce to hash evaluation and symmetric authentication, both of which retain their security properties under Grover's algorithm with a straightforward doubling of the output width. There is no integer factorization, no discrete logarithm, no lattice short-vector problem in the hot path; the assertion does not need ML-DSA or SLH-DSA acceleration to remain secure on the day a quantum capability arrives. Because the assertion is stateful, replay is structurally detectable: a captured assertion does not authenticate any subsequent operating cycle because the chained state has moved on, and an adversary that did not observe the intervening states cannot construct a valid successor.
The primitive is also credential-free in the relevant sense. There is no artifact whose theft yields impersonation, no enrollment template whose database leak yields a class break, no signing key whose compromise compels mass revocation. The relying party's evaluation becomes a continuity check rather than a signature check, which means the same evaluation can be performed offline, at the edge, and across the federated boundaries that Entra already brokers. The identity primitive is the principal's own continuity, and the directory becomes a publication point for descriptors rather than a custodian of secrets.
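As an added illustration (not Adaptive Query's implementation and not Entra code), the following models the three properties claimed above with a plain SHA-256 hash chain: the relying party holds only a published descriptor and no secret, each accepted assertion advances the state, and a captured assertion or a guessed successor is rejected. The chain construction, the class names and the chain length are assumptions made for the example.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    """One chain step: SHA-256 only, so nothing in the hot path depends on factoring or discrete logs."""
    return hashlib.sha256(data).digest()


class Principal:
    """Holds a seed and a position in its own chain: no key pair, no directory-held enrollment secret."""
    def __init__(self, length: int = 1000, seed: bytes = None):
        # The seed stands in for the locally sourced unpredictability described in the text (assumption).
        self.chain = [seed or secrets.token_bytes(32)]
        for _ in range(length):
            self.chain.append(H(self.chain[-1]))
        self.position = length - 1  # next element to reveal; each reveal is one operating cycle

    def descriptor(self) -> bytes:
        """The published tip H^length(seed); it reveals nothing about any earlier state."""
        return self.chain[-1]

    def assert_continuity(self) -> bytes:
        """Reveal the preimage of the last accepted state, then move on so it can never be reused."""
        if self.position < 0:
            raise RuntimeError("chain exhausted: publish a fresh descriptor")
        value = self.chain[self.position]
        self.position -= 1
        return value


class RelyingParty:
    """Holds only the published descriptor, never a secret, so it can verify offline or at the edge."""
    def __init__(self, descriptor: bytes):
        self.current = descriptor

    def verify(self, assertion: bytes) -> bool:
        if H(assertion) != self.current:
            return False  # not the successor of the accepted state: replay, forgery, or wrong principal
        self.current = assertion  # the state moves on; this exact assertion is now dead
        return True


def demo() -> dict:
    """Two legitimate cycles, then a replayed capture and a guessed successor, then a third cycle."""
    p = Principal(length=8)
    rp = RelyingParty(p.descriptor())
    first = p.assert_continuity()
    out = {"first": rp.verify(first), "second": rp.verify(p.assert_continuity())}
    out["replay_of_first"] = rp.verify(first)      # the chained state has already moved past it
    out["forged_successor"] = rp.verify(H(first))  # an attacker can hash forward but not invert
    out["third"] = rp.verify(p.assert_continuity())
    return out
```

This model omits binding the revealed value to a fresh challenge and to the relying party's identity, so a value intercepted in flight would still be usable once by whoever holds the channel; the descriptor also has to be re-published when the chain runs out.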
Composition Pathway
Keyless identity composes with Entra rather than replacing it. The integration surfaces map cleanly onto Microsoft's existing protocol commitments. At the OIDC layer, the id_token can carry a continuity assertion as an additional claim alongside the existing signature, with relying parties opting into continuity validation as they upgrade. At the SAML layer, the assertion can be carried in an extension element or in an AttributeStatement that compliant verifiers consume while legacy verifiers continue to rely on the XML-DSig signature during the transition. At the Verified ID layer, the continuity assertion fits naturally into the W3C Verifiable Credentials data model as a proof type, since the data model already accommodates multiple proof formats per credential. SCIM provisioning is unchanged at the schema level; only the authentication of the provisioning channel is upgraded.
Conditional Access is the most natural insertion point. The policy engine already evaluates a multi-signal risk score before issuing tokens. A continuity-slope signal slots in alongside device compliance, sign-in risk, and user risk as an additional input that the policy author can require, score, or use as a tiebreaker. For high-assurance scenarios — privileged access workstations, government cloud, regulated industries — Conditional Access can require a continuity assertion at the policy level, refusing to issue a token unless the principal's continuity descriptor evaluates within tolerance. For consumer scenarios in External ID, continuity assertion replaces the password-and-recovery-email pattern with a primitive that does not generate the recovery-flow attack surface that account-takeover campaigns exploit.
Migration is incremental. Tenants opt into continuity validation per application, per Conditional Access policy, or per credential type. The federation metadata documents which assertion types are supported. Relying parties upgrade on their own timeline. The platform retains its OIDC, SAML, SCIM, and Graph API contracts unchanged at the envelope level while the primitive underneath those envelopes shifts from stored-key signatures to derived continuity assertions.
Commercial and Licensing
Adaptive Query offers the keyless identity primitive under licensing terms calibrated for platform-scale deployment. For Microsoft, the natural licensing structures are a platform license covering Entra issuance and verification across the tenant base, a co-development pathway for integration into Conditional Access and Verified ID, and an OEM pathway for incorporation into Windows Hello for Business and the Authenticator app. The reference implementation is available as a verifier library suitable for integration into the relying-party SDK distributions Microsoft already ships, and as an issuer-side service that fits behind the existing token-issuance pipeline.
The patent claims cover the continuity primitive, the trust-slope evaluator, and the composition with federated identity protocols. They do not encumber OIDC, SAML, SCIM, or the W3C Verifiable Credentials data model, all of which remain unchanged at the standards layer. The commercial proposition is that Entra's post-quantum migration, which is mandatory and on a fixed timeline, is converted from a defensive upgrade of signature algorithms into a structural upgrade of the identity primitive itself — one that closes the credential-theft attack class at the same time as it closes the quantum-cryptography attack class. Microsoft ships the upgrade once, on infrastructure it already operates, to a customer base that already trusts it.