2.11 Microsoft Entra ID (Azure Active Directory)
Key Takeaways
- Microsoft Entra ID (formerly Azure Active Directory/Azure AD) is Microsoft's cloud-based identity and access management service.
- Entra ID provides authentication (proving identity) and authorization (granting access) for cloud applications and resources.
- Key features include Single Sign-On (SSO), Multi-Factor Authentication (MFA), Conditional Access, and Application Management.
- Entra ID is different from on-premises Active Directory Domain Services (AD DS) — it uses HTTP/HTTPS protocols instead of Kerberos/LDAP.
- Azure AD Connect synchronizes identities between on-premises AD DS and Microsoft Entra ID for hybrid identity scenarios.
Quick Answer: Microsoft Entra ID (formerly Azure AD) is Microsoft's cloud identity service. It provides authentication, SSO, MFA, Conditional Access, and application management. It is NOT the same as on-premises Active Directory Domain Services (AD DS).
What Is Microsoft Entra ID?
Microsoft Entra ID — formerly known as Azure Active Directory (Azure AD) — is Microsoft's cloud-based identity and access management (IAM) service. It enables employees, partners, and customers to sign in and access resources.
Who Uses Entra ID?
| User Type | How They Use Entra ID |
|---|---|
| IT Administrators | Control access to apps, enforce MFA, automate user provisioning |
| App Developers | Add SSO and identity features to applications |
| Microsoft 365 users | Every Microsoft 365 subscription includes an Entra ID tenant |
| Azure subscribers | Every Azure subscription is associated with an Entra ID tenant |
Authentication vs. Authorization
Understanding the difference between authentication and authorization is critical:
| Concept | Definition | Entra ID Role |
|---|---|---|
| Authentication (AuthN) | Proving WHO you are (identity verification) | Validates credentials (password, MFA, biometrics) |
| Authorization (AuthZ) | Determining WHAT you can do (access level) | Grants access based on roles and permissions |
On the Exam: Authentication = "Who are you?" Authorization = "What can you do?" Entra ID handles authentication. Azure RBAC handles authorization.
Key Features
Single Sign-On (SSO)
SSO enables users to sign in once with one account and use that credential to access multiple applications and resources. This reduces password fatigue and the number of credentials users must manage.
Multi-Factor Authentication (MFA)
MFA requires two or more verification methods:
- Something you know — Password
- Something you have — Phone, hardware token, authenticator app
- Something you are — Fingerprint, face recognition
Starting October 2025, Microsoft requires MFA for ALL Azure portal, CLI, and PowerShell access.
Conditional Access
Conditional Access policies are "if-then" statements that enforce access controls based on signals:
| Signal | Example |
|---|---|
| User or group | Apply to specific users or departments |
| Location | Block access from certain countries |
| Device | Require compliant or domain-joined devices |
| Application | Protect specific apps differently |
| Risk level | Respond to sign-in risk detected by Identity Protection |
Example policies:
- "If a user signs in from outside the corporate network, THEN require MFA"
- "If a user accesses a financial application, THEN require a compliant device"
- "If a sign-in risk is high, THEN block access"
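To make the signal-to-control mapping concrete, here is an added toy evaluator (not Microsoft's engine and not code from this page) that applies the three example policies above to sign-in signals. The policy dicts are shaped after the Microsoft Graph conditionalAccessPolicy resource but simplified, and the sign-in records and the "finance-app" id are constructed for the example.

```python
"""Toy Conditional Access evaluator for the three example policies.
Assumption: a policy applies when every condition it states matches the
sign-in; 'block' wins over any grant control, as in the real service."""

# The three "if-then" policies from the text, in a Graph-like shape (constructed).
POLICIES = [
    {"displayName": "Require MFA outside the corporate network",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "locations": {"excludeLocations": ["AllTrusted"]},
                    "signInRiskLevels": []},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require compliant device for the finance app",
     "conditions": {"applications": {"includeApplications": ["finance-app"]},
                    "locations": {}, "signInRiskLevels": []},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
    {"displayName": "Block high-risk sign-ins",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "locations": {}, "signInRiskLevels": ["high"]},
     "grantControls": {"builtInControls": ["block"]}},
]


def policy_applies(policy, signin):
    """Check the 'if' part: application, location and risk signals."""
    cond = policy["conditions"]
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and signin["app"] not in apps:
        return False
    excluded = cond["locations"].get("excludeLocations", [])
    if "AllTrusted" in excluded and signin["trusted_location"]:
        return False  # trusted network is carved out of this policy
    risks = cond["signInRiskLevels"]
    if risks and signin["risk"] not in risks:
        return False
    return True


def evaluate(signin, policies=POLICIES):
    """Apply the 'then' part of every matching policy.
    Returns ('block', [policy names]) or ('grant', sorted required controls)."""
    required, blocking = set(), []
    for policy in policies:
        if not policy_applies(policy, signin):
            continue
        controls = policy["grantControls"]["builtInControls"]
        if "block" in controls:
            blocking.append(policy["displayName"])
        required.update(controls)
    if blocking:  # a single block decision overrides all grant controls
        return "block", blocking
    return "grant", sorted(required)
```

Feeding it a sign-in to the finance app from an untrusted location shows that all matching policies stack (MFA and a compliant device are both required), while a high-risk sign-in is blocked regardless of the other controls.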
Passwordless Authentication
Microsoft Entra ID supports passwordless authentication methods:
- Microsoft Authenticator app — Approve sign-in requests on your phone
- FIDO2 security keys — Physical hardware keys
- Windows Hello for Business — Biometric (face/fingerprint) or PIN
Entra ID vs. On-Premises AD DS
| Feature | On-Premises AD DS | Microsoft Entra ID |
|---|---|---|
| Protocol | Kerberos, LDAP, NTLM | HTTP/HTTPS (SAML, OAuth, OpenID Connect) |
| Structure | Forests, domains, OUs | Flat structure (tenants) |
| Device management | Group Policy | Intune, Conditional Access |
| Authentication | Kerberos tickets | OAuth tokens, SAML assertions |
| Location | On-premises servers | Cloud-based (Microsoft-managed) |
| Queried via | LDAP | REST API (Microsoft Graph) |
Hybrid Identity with Azure AD Connect
Azure AD Connect (now Microsoft Entra Connect) synchronizes user identities between on-premises AD DS and Microsoft Entra ID. This enables hybrid identity, where users can use the same credentials to access both on-premises and cloud resources.
Synchronization methods:
| Method | Description |
|---|---|
| Password hash sync | Hash of the password is synced to Entra ID. Users authenticate in the cloud. |
| Pass-through authentication | Authentication request is forwarded to on-premises AD. Password never leaves on-premises. |
| Federation (ADFS) | Authentication is handled entirely by on-premises Active Directory Federation Services. |
On the Exam: Azure AD Connect is the answer when a question describes a scenario where a company wants users to use the same credentials for both on-premises and cloud resources.
Entra ID Editions
| Edition | Key Features | Included With |
|---|---|---|
| Free | SSO, basic user management, basic reports | Azure subscription |
| P1 | Conditional Access, self-service password reset, hybrid identity | Microsoft 365 E3 |
| P2 | Identity Protection, Privileged Identity Management, access reviews | Microsoft 365 E5 |
| Entra ID Governance | Lifecycle workflows, entitlement management, access reviews | Add-on license |
What is the primary difference between authentication and authorization?
Which Entra ID feature uses "if-then" policies to enforce access controls based on user, location, device, and risk signals?
Which tool synchronizes identities between on-premises Active Directory and Microsoft Entra ID?
Which protocol does Microsoft Entra ID use for authentication?