3.1 Microsoft Entra ID Foundations

Key Takeaways

  • Microsoft Entra ID (formerly Azure Active Directory / Azure AD) is Microsoft's cloud-based identity and access management (IAM) service and identity provider.
  • Entra ID is multi-tenant: every organization gets its own tenant (a dedicated directory instance) identified by a tenant ID and an initial onmicrosoft.com domain.
  • It is the identity backbone for Microsoft 365, Azure, and thousands of SaaS apps via single sign-on (SSO) and the OAuth 2.0 / OpenID Connect / SAML protocols.
  • Entra ID is NOT a cloud-hosted copy of on-premises Active Directory Domain Services: it exposes no LDAP, Kerberos, or NTLM, has no forests, domains, OUs, or Group Policy, and devices are Entra registered or Entra joined rather than AD domain joined.
  • Identity is the primary security perimeter in Zero Trust; authentication proves who you are, authorization decides what you may access.
Last updated: June 2026

What Microsoft Entra ID is

Microsoft Entra ID is Microsoft's cloud-based identity and access management (IAM) service. It was renamed from Azure Active Directory (Azure AD) in 2023, and the rename is one of the most heavily tested facts on SC-900 — if an answer choice says "Azure AD," it is usually the old name for the same product. Entra ID acts as an identity provider (IdP): a trusted system that authenticates users, apps, and devices and then issues security tokens that downstream services accept as proof of identity.

Entra ID is the identity backbone for:

  • Microsoft 365 (Exchange Online, SharePoint, Teams, etc.)
  • Microsoft Azure (subscriptions, resource management, RBAC)
  • Thousands of third-party SaaS apps integrated for single sign-on (SSO)
  • Custom line-of-business apps that register against Entra ID

It speaks modern, open authentication protocols — OAuth 2.0, OpenID Connect (OIDC), and SAML 2.0 — which is how one sign-in can unlock many apps without re-entering credentials.

A useful framing: Entra ID is the identity control plane for Microsoft's cloud. Every request to Microsoft 365, Azure, or an integrated SaaS app is brokered through it — it authenticates the principal, applies access policy, and issues the token the target service trusts. Because so much converges on it, securing Entra ID is the foundation of securing everything else, which is why the exam devotes an entire objective area to it.

Tenants: one directory per organization

Entra ID is multi-tenant. When an organization signs up for Microsoft 365 or Azure, it receives its own tenant — a dedicated, isolated instance of the directory. A tenant is identified by a tenant ID (a GUID) and gets an initial domain like contoso.onmicrosoft.com, to which the organization can add its own verified custom domains (e.g., contoso.com).

The tenant is the security and administrative boundary: users, groups, app registrations, and policies in one tenant are isolated from every other tenant. Identities from other tenants can be invited in as guests (covered in 3.x External Identities), but they remain external.

Concept              | Meaning on SC-900
---------------------|------------------------------------------------------------------------
Tenant               | A dedicated, isolated Entra ID directory instance for one organization
Tenant ID            | The GUID that uniquely identifies a tenant
Initial domain       | The default *.onmicrosoft.com domain created with the tenant
Token                | Signed proof of identity/permissions that apps trust
Single sign-on (SSO) | Authenticate once, then access many connected apps

Entra ID is not on-premises Active Directory

The single biggest conceptual trap is assuming Entra ID is just "Active Directory in the cloud." It is not. On-premises Active Directory Domain Services (AD DS) and Microsoft Entra ID solve overlapping problems with very different technology.

Capability          | On-premises AD DS          | Microsoft Entra ID
--------------------|----------------------------|------------------------------------------------
Protocols           | Kerberos, NTLM, LDAP       | OAuth 2.0, OIDC, SAML, REST
Structure           | Forests, domains, OUs      | Flat directory of objects in a tenant
Computer management | Domain join, Group Policy  | Device registration/join, no GPO (uses Intune)
Built for           | Internal Windows networks  | Cloud and web/SaaS apps over the internet
Query interface     | LDAP                       | Microsoft Graph API

Entra ID has no Organizational Units (OUs) and no Group Policy Objects (GPOs); device configuration is handled by Microsoft Intune, not GPO. The two can work together through hybrid identity (section 3.3), but they are distinct services. An organization that still needs LDAP, Kerberos, or GPO against its cloud identities uses Microsoft Entra Domain Services, a separate managed-domain offering, not Entra ID itself.

Why identity is the perimeter — and authentication vs. authorization

In the Zero Trust model, the traditional network firewall is no longer the only perimeter because users, devices, and apps connect from anywhere. Identity becomes the primary security perimeter: nearly every access decision begins with who or what is requesting access, so Entra ID is where security starts.

Two terms appear in almost every Entra question and must be kept separate:

  • Authentication (AuthN): proving who an identity is (a correct password, a passkey, an MFA approval). "Are you really you?"
  • Authorization (AuthZ): deciding what an authenticated identity is allowed to do (a role assignment, a Conditional Access grant). "Now that we know who you are, what can you do?"

A reliable exam reflex: a sign-in/proof scenario is authentication; a permission/access-allowed scenario is authorization. Entra ID handles both, but they are different steps in the same flow, and mixing them up is the classic distractor.
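To make the token flow from "What Microsoft Entra ID is", the tenant boundary from "Tenants: one directory per organization", and the authentication/authorization split above concrete, here is an added example written for this page (not code from the guide or from Microsoft). It plays both sides: mintToken stands in for the identity provider and signs a token with RS256, the algorithm Entra ID uses; validateToken is what a resource API does with the token it receives. The claim names (iss, aud, tid, exp, roles) and the tenant-specific issuer form are the real Entra ID v2.0 ones; the RSA key, the two tenant GUIDs, the api://contoso-reports audience and the Reports.Read app role are all constructed so the program runs offline. A real validator obtains the public keys from the tenant's JWKS endpoint instead of generating them locally.

```go
package main

// Added example, not code from the SC-900 guide or from Microsoft: a resource API
// validating a Microsoft Entra ID v2.0 access token offline. The RSA key, tenant IDs,
// app ID and claims are constructed here; a real validator fetches the tenant's signing keys from its JWKS endpoint.

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is the subset of Entra ID v2.0 access-token claims this example checks.
type Claims struct {
	Iss   string   `json:"iss"`
	Aud   string   `json:"aud"`
	Tid   string   `json:"tid"`
	Exp   int64    `json:"exp"`
	Roles []string `json:"roles,omitempty"`
}

var b64 = base64.RawURLEncoding

func issuer(tenantID string) string { return "https://login.microsoftonline.com/" + tenantID + "/v2.0" } // tenant-specific v2.0 issuer

// mintToken plays the identity provider: it signs the claims with RS256, the algorithm Entra ID uses.
func mintToken(priv *rsa.PrivateKey, c Claims) string {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // signing a digest with a valid key does not fail
	return input + "." + b64.EncodeToString(sig)
}

// validateToken plays the resource API: signature and expiry are the authentication half (did the
// trusted IdP really issue this?), tenant and audience enforce the tenant boundary, and the returned claims feed authorization.
func validateToken(token string, pub *rsa.PublicKey, allowed map[string]bool, aud string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg") // never accept alg=none or an attacker-chosen algorithm
	}
	sig, _ := b64.DecodeString(parts[2]) // a garbled signature simply fails verification below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature invalid")
	}
	var c Claims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	if !allowed[c.Tid] {
		return nil, fmt.Errorf("tenant %s is not allowed", c.Tid)
	}
	if c.Iss != issuer(c.Tid) { // the v2.0 issuer embeds the tenant ID and must agree with tid
		return nil, fmt.Errorf("issuer does not match tenant")
	}
	if c.Aud != aud {
		return nil, fmt.Errorf("token was issued for a different app")
	}
	if now >= c.Exp {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// hasRole is the authorization step: an app-role claim decides what the already-authenticated caller may do.
func hasRole(c *Claims, role string) bool {
	for _, r := range c.Roles {
		if r == role {
			return true
		}
	}
	return false
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	ours, other := "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222" // constructed tenant IDs
	allowed, aud := map[string]bool{ours: true}, "api://contoso-reports"                           // constructed app ID URI of this API
	good := Claims{Iss: issuer(ours), Aud: aud, Tid: ours, Exp: 2_000_000_000, Roles: []string{"Reports.Read"}}
	c, err := validateToken(mintToken(priv, good), &priv.PublicKey, allowed, aud, 1_900_000_000)
	fmt.Println("authenticated:", err == nil, "| may read reports:", err == nil && hasRole(c, "Reports.Read"))
	foreign := good // same signing key and same app, but issued by a different tenant
	foreign.Tid, foreign.Iss = other, issuer(other)
	_, err = validateToken(mintToken(priv, foreign), &priv.PublicKey, allowed, aud, 1_900_000_000)
	fmt.Println("cross-tenant token rejected:", err)
}
```

Run it with go run. The second case is the one worth remembering: the foreign token carries a perfectly valid signature, because the same identity provider issued it, yet it must be refused. A valid signature only proves "Entra ID issued this"; the tid and iss checks are what prove "our tenant issued this", and the audience check proves "for this app". Everything up to the return of the claims is authentication; hasRole, reading the roles claim the token carries, is authorization.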

Finally, know where Entra ID sits in the licensing story, because SC-900 occasionally pairs a capability with the tier that unlocks it. The Free tier provides core directory, user/group management, SSO, and self-service password change. Microsoft Entra ID P1 adds Conditional Access, dynamic groups, self-service password reset with writeback, and hybrid features. Microsoft Entra ID P2 adds the advanced governance and protection tier — Privileged Identity Management (PIM) and Identity Protection (covered in Chapter 4).

You do not need to memorize a full SKU chart, but you should recognize that the richer access-management and protection features are paid tiers, while basic identity is included with Microsoft 365 and Azure subscriptions. The exam rewards knowing that Entra ID is the identity control plane and that its premium features deliver the Zero Trust controls the rest of this guide builds on.

Test Your Knowledge

What is the current name for the cloud service formerly called Azure Active Directory (Azure AD)?


Which statement correctly distinguishes Microsoft Entra ID from on-premises Active Directory Domain Services (AD DS)?


An organization signs up for Microsoft 365 and receives an isolated directory instance identified by a GUID and an initial onmicrosoft.com domain. What is this called?


A user enters a correct password and is verified. Which identity concept does this represent?
