Summary
How Microsoft's cloud identity platform has become a key target of antitrust investigations across three continents
Microsoft's Entra ID, the identity management service that determines who can access what across millions of organisations worldwide, has become a key target of antitrust investigations spanning the United States, European Union, and United Kingdom. What began as a cloud directory service has evolved into a mandatory authentication system that forces customers to remain within Microsoft's ecosystem.
The identity service, formerly known as Azure Active Directory, now sits at the heart of regulatory scrutiny because of its unique position: organisations that want to use Microsoft 365 have no choice but to use Entra ID for authentication. Antitrust authorities call this a classic case of using dominance in productivity software to control the identity management market.
The FTC's Focus on Identity Management
The US Federal Trade Commission launched a broad antitrust investigation into Microsoft in November 2024, examining the company's cloud computing, software licensing, and cybersecurity practices. According to sources familiar with the probe, as reported by ProPublica, Entra ID is a specific focus of the agency's investigation.
The FTC's interest in Entra ID stems from complaints that Microsoft's licensing terms and bundling practices make it harder for rival authentication and cybersecurity companies to compete. The agency has been interviewing Microsoft competitors and has issued a civil investigative demand compelling the company to turn over information about its identity management practices.
Chinese hackers targeted State Department officials and Russian operatives infiltrated federal agency emails through Microsoft's products, giving the FTC investigation fresh urgency. When a single vulnerability can compromise organisations globally, the concentration of so much critical infrastructure in Microsoft's hands poses systemic risks that regulators cannot ignore.
"The FTC views the fact that Microsoft has won more federal business even as it left the government vulnerable to hacks as an example of the company's problematic power over the market," according to a person familiar with the probe who spoke to ProPublica.
European Investigations Intensify
Across the Atlantic, European regulators are pursuing their own comprehensive examination of Microsoft's practices. In February 2024, The Information reported that European Union antitrust regulators began investigating whether Microsoft prevents customers from buying security software that competes with its own offerings.
The EU investigation gained further momentum in September 2024 when Google filed its first-ever antitrust complaint against Microsoft with the European Commission. The complaint, detailed on Google's Cloud blog, alleges that Microsoft's restrictive licensing practices cost European businesses and public sector organisations up to €1 billion annually.
"Microsoft's strategy is simple," Amit Zavery, Google Cloud's head of platform, told The Register. "It leverages a software monopoly to lock customers into Azure."
Entra ID: The Unavoidable Gatekeeper
Microsoft's Entra ID has become what industry observers describe as a "must-have" service with no viable alternatives for organisations using Microsoft 365. The service's deep integration with Microsoft's productivity suite creates technical dependencies that make switching to alternative identity management solutions prohibitively complex and expensive.
The monopolistic nature of this arrangement was starkly illustrated by Mikkel Naesager, CISPE executive advisor on business models, who stated: "If you want to use Microsoft 365 services, for instance, you have to use Entra ID to activate them. There's no ability to have a competing identity management and swap it out. We have been unable to make any headway there."
Microsoft's forced bundling gave the company massive market share in identity management. According to IDC data, Microsoft controlled 23.8% of the $13.6 billion identity and access management market in 2021, with its nearest competitor Okta holding just 9.2% market share. This dominance has only grown as more organisations adopt Microsoft 365.
A Critical Security Vulnerability Exposes Systemic Risks
The dangers of over-reliance on centralised identity systems became starkly apparent in July 2025 when security researcher Dirk-jan Mollema discovered what he called "the most impactful Entra ID vulnerability I will probably ever find."
The flaw, designated CVE-2025-55241 and assigned the maximum severity score of 10.0, could have allowed attackers to impersonate any user, including Global Administrators, across virtually any Entra ID tenant globally. The vulnerability stemmed from a combination of undocumented "Actor tokens" used by Microsoft's internal services and a critical oversight in the legacy Azure AD Graph API that failed to validate tenant boundaries.
"Attackers could craft these [actor] tokens in ways that tricked Entra ID into thinking they were anyone, anywhere," explained Roei Sherman from cloud security firm Mitiga in the company's analysis of the vulnerability. The exploitation would bypass multi-factor authentication, Conditional Access policies, and logging systems, leaving virtually no trail of the incident.
When attackers can compromise millions of organisations worldwide through a single flaw in Entra ID—from small businesses to critical infrastructure providers—critics say Microsoft has concentrated too much power in one system.
Microsoft patched the vulnerability within days of disclosure and claimed its internal telemetry found no evidence of exploitation. Critics argue the incident proves how dangerous it is to concentrate so much digital infrastructure in a single company's control.
Market Dominance and Revenue Generation
The scale of Microsoft's identity management business is staggering. More recent data shows over 32,571 companies globally using Entra ID, though experts believe this significantly undercounts Microsoft's true dominance as it artificially separates various Microsoft identity products.
Microsoft's bundling strategy has proven financially lucrative. The company's security products, bundled with enterprise software licences, generated more than $20 billion in cyber sales in 2023 alone. The Intelligent Cloud division, which includes many of these services, generated $105 billion in revenue for Microsoft's fiscal 2024.
Microsoft's bundling strategy has been particularly effective in the government sector. A ProPublica investigation found that Microsoft offered federal agencies free upgrades to advanced cybersecurity features, including enhanced Entra ID capabilities, during trial periods. Once agencies became dependent on these services, switching to alternatives became prohibitively expensive when the free trials ended.
Microsoft's offer not only displaced some existing cybersecurity vendors but also took market share from cloud providers like Amazon Web Services, as the government began using products that ran on Azure, Microsoft's own cloud platform.
Former Microsoft sales leaders involved in these efforts candidly described the strategy to ProPublica as being like "a drug dealer hooking a user with free samples," knowing that federal customers would be effectively locked into the upgrades once installed.
The CISPE Settlement: A Partial Victory with Major Omissions
The most significant regulatory action to date came through the Cloud Infrastructure Services Providers in Europe (CISPE), which filed a formal complaint with the European Commission in November 2022. The complaint accused Microsoft of anti-competitive licensing practices that made it economically unviable for European customers to choose non-Azure cloud providers.
In July 2024, Microsoft and CISPE reached a settlement worth approximately €22 million. Under the agreement, Microsoft committed to developing an enhanced version of Azure Stack HCI for European cloud providers and to provide more favourable licensing terms for CISPE members.
However, Microsoft's settlement failed to address key issues. Most significantly, the agreement explicitly acknowledged that it could not resolve Entra ID's integration with Microsoft 365.
Francisco Mingorance, CISPE's Secretary General, described the settlement as a "significant victory for European cloud providers" but acknowledged its limitations. "Microsoft has nine months to make good on its commitment by offering solutions that allow fair licensing terms for its productivity software on European cloud infrastructures," he stated.
Microsoft's settlement also excluded major cloud providers including Amazon Web Services, Google Cloud Platform, and AliCloud from its benefits.
Technical Barriers and Commercial Reality
Microsoft maintains that its systems provide "open APIs, enabling seamless integration with third-party identity services like Ping and Okta." Industry analysts and customers report that although integration is technically possible, the complexity and cost barriers make it commercially unviable for most organisations.
Microsoft's complex licensing structure creates multiple tiers of functionality:
Microsoft Entra ID Free (basic features)
Microsoft Entra ID P1 (enhanced features)
Microsoft Entra ID P2 (advanced security)
Microsoft Entra Suite (comprehensive solution)
Microsoft Entra ID Governance (advanced governance capabilities)
Organisations requiring advanced identity management features must pay additional licensing costs, making switching to alternatives even less attractive.
Microsoft makes switching costly and complex. Simple policies like "only allow managed devices" work seamlessly in Entra ID but require extensive setup in competing products like Okta, including certificate deployment via mobile device management systems and device trust policy configuration.
Industry Reactions and Stakeholder Responses
Competitors have been increasingly vocal about Microsoft's practices. During UK Competition and Markets Authority hearings, Google criticised Microsoft's restrictive licensing, arguing it creates technical dependencies through Active Directory that make switching prohibitively difficult.
Microsoft's dominance hits smaller competitors hardest. The number of customers that competitors like Okta can claim is "just a drop in the digital authentication ocean" compared to Microsoft's reach.
Historical Context and Market Control
Microsoft turned its Office dominance into cloud control by tying identity management to productivity software. The company recognised that identity systems, once installed, become nearly impossible to replace without disrupting an entire organisation's security infrastructure.
While customers can switch email providers or document editors relatively easily, replacing an identity system requires reconfiguring every application, device, and security policy in an organisation.
Potential Regulatory Outcomes
Regulators are considering breaking up Microsoft's identity empire. Among the potential remedies:
In the United States:
Separation of identity services from productivity software
Enhanced interoperability requirements for identity management systems
Requirements to unbundle Entra ID from Microsoft 365
Data portability requirements for identity data
In the European Union:
Mandated easier integration with third-party identity providers
Technical interoperability requirements for identity management
Potential unbundling of Entra ID from Microsoft 365
Pricing transparency requirements
The Trump administration may scale back the FTC's pursuit of Microsoft, but European regulators show no signs of backing down. Google's complaint with the European Commission is still pending, and the UK's Competition and Markets Authority continues its own investigation.
The Stakes
These investigations threaten Microsoft's most lucrative business model. For years, the company has used Office's popularity to force customers into its entire ecosystem, with Entra ID serving as the digital chokepoint. Regulators now question whether any single company should control so much of the world's digital infrastructure.
Remote work and cloud computing have made identity systems more critical than ever. Every login, every file access, every security decision flows through services like Entra ID. When one company controls these digital gates, a single security flaw like the CVE-2025-55241 vulnerability can threaten millions of organisations worldwide.
If regulators force Microsoft to unbundle Entra ID from Microsoft 365, they would eliminate a business model that generates tens of billions in revenue. Competitors sense an opportunity. Customers might finally have real choices in identity management, ending Microsoft's control over enterprise computing.
The stakes go beyond Microsoft's profits. Entra ID now controls access to everything from corner shop emails to Pentagon files. When one company's software failure can cripple millions of businesses worldwide, regulators are asking whether Microsoft has simply grown too powerful to ignore.