2.11 Microsoft Entra ID (Azure Active Directory)
Key Takeaways
- Microsoft Entra ID (formerly Azure Active Directory / Azure AD) is Microsoft's cloud-based identity and access management (IAM) service.
- Entra ID handles authentication (proving identity) and integrates with Azure RBAC for authorization; it is the trust anchor for every Azure subscription and Microsoft 365 tenant.
- Core features tested on AZ-900: Single Sign-On (SSO), Multi-Factor Authentication (MFA), Conditional Access, passwordless sign-in, and external (B2B/B2C) identities.
- Entra ID is NOT on-premises Active Directory Domain Services (AD DS): it is a flat tenant using SAML/OAuth/OpenID Connect over HTTPS, not a hierarchy using Kerberos/LDAP.
- Microsoft Entra Connect (formerly Azure AD Connect) synchronizes identities for hybrid scenarios using password hash sync, pass-through authentication, or federation.
Quick Answer: Microsoft Entra ID (formerly Azure AD) is Microsoft's cloud identity service. It authenticates users and applications, with SSO, MFA, and Conditional Access governing how, and under what conditions, that sign-in is allowed. It is the directory behind every Azure subscription and Microsoft 365 tenant, and it is NOT the same as on-premises Active Directory Domain Services (AD DS).
What Microsoft Entra ID Is
Microsoft Entra ID — renamed from Azure Active Directory (Azure AD) in 2023 — is Microsoft's cloud-based identity and access management (IAM) service. Every Microsoft 365 subscription and every Azure subscription is backed by an Entra tenant: a dedicated, isolated instance of the directory that holds users, groups, devices, and app registrations. One organization can have multiple tenants, but a given Azure subscription trusts exactly one tenant for sign-in.
A frequent AZ-900 trap is conflating the tenant with the subscription. The tenant is the identity boundary (who can sign in); the subscription is the billing and resource boundary (what gets deployed and paid for). Moving a subscription to a different tenant changes which directory authenticates its users.
Authentication vs. Authorization
The single most-tested identity concept on AZ-900 is the difference between the two:
| Concept | Question it answers | Handled by |
|---|---|---|
| Authentication (AuthN) | "Who are you?" | Entra ID verifies credentials (password + MFA, certificate, biometric) |
| Authorization (AuthZ) | "What are you allowed to do?" | Azure RBAC grants permissions on resources after sign-in |
Authentication always happens first; authorization is evaluated only after identity is proven. Entra ID owns authentication; Azure RBAC (covered in 2.12) owns authorization on Azure resources. One nuance the exam glosses over: Entra ID also has its own directory roles (Global Administrator, User Administrator, and so on) that authorize actions inside the directory itself, such as creating users or editing Conditional Access policies. Those directory roles are separate from Azure RBAC role assignments on subscriptions and resources, and a Global Administrator does not automatically hold any Azure RBAC role.
Core Capabilities
Single Sign-On (SSO)
SSO lets a user sign in once and reach many apps without re-entering credentials. Fewer passwords means fewer reset tickets and a smaller attack surface (no sticky-note passwords). The flip side is that the one identity now unlocks everything, which is why SSO is paired with MFA and Conditional Access rather than deployed on its own.
Multi-Factor Authentication (MFA)
MFA demands two or more factors from different categories:
- Something you know — password or PIN
- Something you have — phone, authenticator app, FIDO2 key
- Something you are — fingerprint or facial recognition
Two passwords are not MFA — both are the "something you know" category. Microsoft is enforcing MFA in phases: Phase 1 (Azure portal, Entra admin center, Intune admin center) began rolling out in 2024; Phase 2, covering Azure CLI, Azure PowerShell, the Azure mobile app, IaC tools, and ARM REST APIs, started October 1, 2025, with an optional deferral to July 1, 2026. Expect AZ-900 to treat MFA as the default expectation for admin access.
Conditional Access
Conditional Access policies are "if-then" rules that evaluate signals at sign-in:
| Signal | Example policy |
|---|---|
| Location | Block sign-in from outside approved countries |
| Device state | Require a compliant or hybrid-joined device |
| Application | Force MFA only for the finance app |
| Sign-in risk | Block when risk is High; require MFA when Medium |
Conditional Access requires an Entra ID P1 license and is a flagship Zero Trust control. The sign-in risk and user risk conditions in the table above additionally need P2, because those signals come from Identity Protection. Two habits keep a policy from locking every administrator out: create it in report-only mode first and read the sign-in log results before enforcing it, and exclude a dedicated break-glass (emergency access) account from every policy.
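The "if-then" evaluation is easier to see in code. The following is an added example, not code from the page or from Microsoft: three policies written in the field names of the Microsoft Graph `conditionalAccessPolicy` resource (`state`, `conditions.users`, `conditions.applications`, `conditions.signInRiskLevels`, `grantControls`), plus a deliberately simplified evaluator that applies the documented rules (every configured condition must match, exclusions beat inclusions, a `block` control can never be satisfied, a report-only policy records a result but does not change the decision). All user and app identifiers are constructed, and the evaluator is a model, not the real engine.

```python
"""Toy model of Conditional Access evaluation (added example, not Microsoft's code).

Policy dicts follow the shape of the Graph `conditionalAccessPolicy` resource;
the evaluator is a simplification. All IDs below are constructed for the demo.
"""
from dataclasses import dataclass

BREAK_GLASS = "user-breakglass"   # constructed: emergency-access account excluded from every policy
ALICE = "user-alice"              # constructed: an ordinary user
FINANCE_APP = "app-finance"       # constructed app IDs (real ones are GUIDs)
PORTAL_APP = "app-portal"

POLICIES = [
    {   # CA001: require MFA for every user on every app; break-glass excluded.
        "displayName": "CA001",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # CA002: block high sign-in risk. The risk signal comes from Identity Protection (P2).
        "displayName": "CA002",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": ["high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # CA003: require a compliant device for the finance app, rolled out in report-only mode first.
        "displayName": "CA003",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
            "applications": {"includeApplications": [FINANCE_APP]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
]


@dataclass(frozen=True)
class SignIn:
    user_id: str
    app_id: str
    sign_in_risk: str = "none"                    # none | low | medium | high
    satisfied_controls: frozenset = frozenset()   # controls already proven this session, e.g. {"mfa"}


def _in_scope(cond: dict, s: SignIn) -> bool:
    """Every configured condition must match; an exclusion always beats an inclusion."""
    users, apps = cond.get("users", {}), cond.get("applications", {})
    if s.user_id in users.get("excludeUsers", []) or s.app_id in apps.get("excludeApplications", []):
        return False
    inc_users, inc_apps = users.get("includeUsers", []), apps.get("includeApplications", [])
    user_ok = "All" in inc_users or s.user_id in inc_users
    app_ok = "All" in inc_apps or s.app_id in inc_apps
    risk_levels = cond.get("signInRiskLevels", [])
    risk_ok = not risk_levels or s.sign_in_risk in risk_levels
    return user_ok and app_ok and risk_ok


def evaluate_policy(policy: dict, s: SignIn) -> str:
    """Per-policy result, using the result names that appear in Entra sign-in logs."""
    if policy["state"] == "disabled":
        return "notEnabled"
    enforced = policy["state"] == "enabled"
    if not _in_scope(policy["conditions"], s):
        return "notApplied" if enforced else "reportOnlyNotApplied"
    grant = policy["grantControls"]
    controls = grant["builtInControls"]
    if "block" in controls:
        satisfied = False                         # a block control can never be satisfied
    elif grant["operator"] == "AND":
        satisfied = all(c in s.satisfied_controls for c in controls)
    else:
        satisfied = any(c in s.satisfied_controls for c in controls)
    if satisfied:
        return "success" if enforced else "reportOnlySuccess"
    return "failure" if enforced else "reportOnlyFailure"


def evaluate(s: SignIn, policies=POLICIES):
    """Combine per-policy results: an enforced block wins; otherwise any unmet grant
    control interrupts the sign-in (the user is challenged); otherwise it proceeds."""
    results = {p["displayName"]: evaluate_policy(p, s) for p in policies}
    for p in policies:
        if results[p["displayName"]] == "failure" and "block" in p["grantControls"]["builtInControls"]:
            return "block", results
    if "failure" in results.values():
        return "challenge", results
    return "allow", results


if __name__ == "__main__":
    samples = [
        SignIn(ALICE, FINANCE_APP),                                          # no MFA yet -> challenge
        SignIn(ALICE, FINANCE_APP, "high", frozenset({"mfa"})),              # MFA done, risk high -> block
        SignIn(BREAK_GLASS, PORTAL_APP, "high"),                             # excluded everywhere -> allow
        SignIn(ALICE, FINANCE_APP, "none", frozenset({"mfa", "compliantDevice"})),  # -> allow
    ]
    for s in samples:
        print(s.user_id, s.app_id, s.sign_in_risk, evaluate(s))
```

Two things the output makes visible that the prose does not. CA003 never changes a decision while it is report-only, but it shows up as `reportOnlyFailure` for every finance sign-in from a non-compliant device; that count is what you review before switching the state to `enabled`. And the break-glass account is allowed through even at high sign-in risk, which is exactly why such accounts need their own alerting on every use.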
Passwordless Sign-In
Entra ID supports Microsoft Authenticator sign-in (phone sign-in and passkeys), FIDO2 security keys, and Windows Hello for Business (PIN or biometric). FIDO2 keys, passkeys, and Windows Hello for Business are phishing-resistant: the private key never leaves the device and each signature is bound to the site that requested it, so a look-alike login page cannot harvest anything reusable. Authenticator push approvals remove the password but can still be worn down by repeated prompts (MFA fatigue), which is why Entra ID applies number matching to them.
Entra ID vs. On-Premises AD DS
| Feature | On-Premises AD DS | Microsoft Entra ID |
|---|---|---|
| Protocols | Kerberos, LDAP, NTLM | SAML, OAuth 2.0, OpenID Connect over HTTPS |
| Structure | Forests → domains → organizational units (OUs) | Flat tenant (no OUs, no Group Policy) |
| Device control | Group Policy | Intune + Conditional Access |
| Query interface | LDAP | Microsoft Graph REST API |
| Hosting | Customer servers | Microsoft-managed cloud |
Hybrid Identity with Entra Connect
Microsoft Entra Connect (formerly Azure AD Connect) syncs on-premises AD DS into Entra ID so users keep one set of credentials. Three sign-in methods:
| Method | Where the password is validated |
|---|---|
| Password hash sync (PHS) | In the cloud: Entra Connect syncs a salted PBKDF2-SHA256 value derived from the on-premises NT hash, never the password or the NT hash itself; the simplest, most resilient option, and the one Identity Protection's leaked-credential detection depends on |
| Pass-through authentication (PTA) | On-premises: the password is encrypted, queued in Entra ID, and picked up by an on-premises PTA agent that decrypts it and validates it against AD DS; the cloud never stores the password or any hash of it |
| Federation (AD FS) | A separate on-premises AD FS farm handles all authentication and issues the token Entra ID trusts |
On the Exam: When a scenario says "same credentials for on-premises and cloud," the answer is Entra Connect / Azure AD Connect, not Azure Arc or Azure Policy.
Entra ID Editions
| Edition | Adds | Typically licensed with |
|---|---|---|
| Free | SSO, user/group management, basic security defaults | Any Azure subscription |
| P1 | Conditional Access, self-service password reset (SSPR) with on-premises password writeback (cloud-only SSPR is included in Free), dynamic groups, hybrid extras such as Microsoft Entra Connect Health | Microsoft 365 E3 |
| P2 | Identity Protection, Privileged Identity Management (PIM), access reviews | Microsoft 365 E5 |
| Entra ID Governance | Lifecycle workflows, entitlement management | Add-on license |
A common distractor: PIM and Identity Protection require P2, while Conditional Access and SSPR with writeback to on-premises AD DS require P1. Cloud-only SSPR (no writeback) is available in Free, so read the scenario for whether the reset must reach on-premises AD DS.
External Identities: B2B and B2C
Entra ID is not limited to employees. Business-to-Business (B2B) collaboration invites external partners as guest users so they sign in with their own organization's credentials yet receive scoped access to your apps and resources — you never manage their passwords. Business-to-Consumer (B2C) (and its successor, Microsoft Entra External ID) is a separate customer-identity service for public-facing apps, supporting social logins such as Google or Facebook. On AZ-900, "let partners use their existing credentials" points to B2B guest accounts, while "customers sign up for my app with a social account" points to B2C / External ID.
Why It Matters for AZ-900
The AZ-900: Microsoft Azure Fundamentals exam delivers roughly 40-60 questions in about 45 minutes of answering time, scored on a scale of 1000 with 700 required to pass, and costs about USD 99 (regional pricing varies). The exam's identity domain weights Entra ID concepts heavily, so distinguishing authentication from authorization, recognizing Entra Connect for hybrid identity, and knowing which features live in Free vs. P1 vs. P2 are reliable point-earners.
Quick Recall Checklist
- Tenant = identity boundary; subscription = billing/resource boundary.
- AuthN before AuthZ; Entra ID does AuthN, RBAC does AuthZ.
- Two passwords are not MFA; mix factor categories.
- Entra Connect = hybrid identity sync (PHS / PTA / Federation).
- P1 unlocks Conditional Access + SSPR writeback to AD DS; P2 unlocks PIM + Identity Protection.
Practice Questions
On the AZ-900 exam, what is the relationship between authentication and authorization in Entra ID?
A company wants employees to use the same username and password for both their on-premises servers and Azure resources. Which tool achieves this?
Which licensing tier is required to create Conditional Access policies in Microsoft Entra ID?
Which combination is genuine multi-factor authentication (MFA)?