This chapter covers Microsoft Entra ID (formerly Azure Active Directory), the core identity and access management service in Azure. It is a critical topic for AZ-900 because identity is the foundation of cloud security; you will see several questions on Entra ID features, editions, and its role in authentication and authorization. This objective (2.5) carries approximately 10-15% of the exam weight, so mastering this content is essential. By the end of this chapter, you will understand what Entra ID is, how it works, its key components, and how it differs from on-premises Active Directory.
Imagine a large hotel with thousands of guests and staff. Each guest gets a key card that only unlocks their room and common areas like the gym or pool. The hotel's central system—the 'identity provider'—manages who gets which key, for how long, and can revoke access instantly if a card is lost. This system also allows guests to use their key card to enter the hotel's partner spa without a separate membership. Microsoft Entra ID works the same way: it's a cloud-based identity and access management service. It stores user identities (like guest profiles) and controls access to resources (rooms). It supports single sign-on (one key card for multiple doors), multi-factor authentication (a PIN plus the card), and conditional access (only allow entry during certain hours). Just as the hotel system can integrate with a third-party valet service, Entra ID can federate with other identity providers. The key mechanism is that the hotel system is the authoritative source for identity—it issues tokens (key cards) that other systems trust, without needing to store user passwords themselves.
What is Microsoft Entra ID and What Business Problem Does It Solve?
Microsoft Entra ID is a cloud-based identity and access management (IAM) service. It provides authentication (verifying who you are) and authorization (what you are allowed to do) for users accessing cloud applications, such as Microsoft 365, the Azure portal, or thousands of third-party SaaS apps. Before cloud services, organizations managed user identities on-premises using Active Directory Domain Services (AD DS), which stored user accounts and passwords in a local database. However, as businesses adopted cloud apps, they needed a way to extend identity management beyond the corporate network. Entra ID solves this by being a multi-tenant, cloud-native directory that can authenticate users from anywhere, on any device, while integrating with on-premises AD DS for hybrid scenarios.
The core business problem Entra ID addresses is the need for secure, scalable, and centralized identity management across both cloud and on-premises resources. It eliminates the need for multiple username/password pairs for different apps (via single sign-on), enforces security policies like multi-factor authentication (MFA), and provides detailed audit logs for compliance.
How Entra ID Works – Step by Step
Entra ID uses a token-based authentication model. When a user signs in to an application, the following happens:
1. The user navigates to the app (e.g., portal.azure.com). The app redirects the user to the Entra ID login page.
2. The user enters their credentials (username and password, plus MFA if required).
3. Entra ID validates the credentials against its directory. If valid, it issues an access token (a JSON Web Token or JWT) containing claims about the user (e.g., user ID, group memberships, roles).
4. The token is sent back to the app. The app trusts the token because it is digitally signed by Entra ID.
5. The app uses the token to grant or deny access to its resources based on the claims.
This token-based approach means the app never handles the user's password directly, reducing security risks. Entra ID supports multiple authentication protocols: OAuth 2.0 for authorization, OpenID Connect for authentication, and SAML 2.0 for legacy apps.
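The five steps above are easier to reason about with working code, so here is an added Python example (it is not code from this chapter or from Microsoft's libraries). It is a teaching simplification: the token is signed with an HMAC shared key instead of the RSA key pair that Entra ID actually uses, and the tenant ID, application (client) ID, user claims and secret are constructed placeholders. The application-side checks are the ones a real app's token validation performs in steps 4 and 5: signature, issuer (iss), audience (aud) and expiry (exp). The example also shows the authentication/authorization split the chapter returns to later: validating the token authenticates the user, and checking a role claim authorizes the action. The tamper helper only illustrates why the signature check matters; a token altered without the signing key is rejected.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder identifiers (not real Entra ID values).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
APP_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
# Teaching simplification: a shared HMAC key stands in for the identity
# provider's RSA private key; only the provider may hold it.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, lifetime: int = 3600, now: int = None) -> str:
    """Step 3: the identity provider issues a signed JWT carrying claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    body = {"iss": ISSUER, "aud": APP_CLIENT_ID, "iat": now, "exp": now + lifetime, **claims}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(body).encode())}"
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def validate_token(token: str, now: int = None) -> dict:
    """Steps 4-5: the app checks signature, issuer, audience and expiry
    before it trusts any claim in the token (authentication)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != APP_CLIENT_ID:
        raise ValueError("token was not issued for this app")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def authorize(claims: dict, required_role: str) -> bool:
    """Authorization: a separate decision made from already-verified claims."""
    return required_role in claims.get("roles", [])


def handle_request(token: str, required_role: str, now: int = None) -> str:
    """What an app does with the token it receives: AuthN first, then AuthZ."""
    try:
        claims = validate_token(token, now=now)
    except ValueError as err:
        return f"401 Unauthorized ({err})"
    if not authorize(claims, required_role):
        return "403 Forbidden"
    return f"200 OK for {claims.get('preferred_username', claims.get('oid'))}"


def tamper_with_claims(token: str, new_roles: list) -> str:
    """Rewrites the claims without the key, to show the signature check catches it."""
    header_b64, body_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(body_b64))
    claims["roles"] = new_roles
    return f"{header_b64}.{_b64url(json.dumps(claims).encode())}.{sig_b64}"


if __name__ == "__main__":
    # Constructed user claims; "oid" is the directory object ID Entra ID assigns.
    token = issue_token({"oid": "22222222-2222-2222-2222-222222222222",
                         "preferred_username": "jane.doe@contoso.com",
                         "roles": ["Reader"]})
    print(handle_request(token, "Reader"))                        # 200 OK
    print(handle_request(token, "Admin"))                         # 403 Forbidden
    print(handle_request(tamper_with_claims(token, ["Admin"]), "Admin"))  # 401 bad signature
```

In a real application the signing keys are fetched from the tenant's published key set and the token is verified with a JWT library rather than hand-rolled code; the set of checks, however, is exactly what the example performs.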
Key Components of Entra ID
Users and Groups: Users represent people or service accounts. Groups (security groups or Microsoft 365 groups) simplify assigning permissions to multiple users at once.
Tenant: An instance of Entra ID dedicated to an organization. It is created when you sign up for Azure, Microsoft 365, or other Microsoft cloud services. Each tenant is isolated and has its own directory of users, groups, and app registrations.
App Registrations: Applications that are integrated with Entra ID for authentication. Each app has a unique Application (client) ID and can be configured with permissions (delegated or application).
Conditional Access: A policy engine that evaluates signals (user, device location, risk) to enforce access controls. For example, block access from untrusted locations or require MFA for sensitive apps.
Identity Protection: Uses machine learning to detect risky sign-ins (e.g., impossible travel, leaked credentials) and automatically remediate or block.
Azure AD Connect: A tool to synchronize on-premises AD DS users to Entra ID for hybrid identity.
Entra ID Editions (Pricing Tiers)
Entra ID is available in four editions:
- Free: Included with Azure subscription. Provides user and group management, single sign-on to Microsoft cloud services, and basic security reports. Limited to 500,000 directory objects.
- Microsoft Entra ID P1: Adds advanced features like Conditional Access, hybrid identity, dynamic groups, and self-service password reset. Suitable for most businesses.
- Microsoft Entra ID P2: Adds Identity Protection and Identity Governance (Privileged Identity Management, access reviews). Best for compliance-heavy environments.
- Microsoft Entra ID P2 for Frontline Workers: A lower-cost P2 license for shift workers.
Comparison to On-Premises Active Directory
On-premises AD DS is a directory service that runs on Windows Server inside a corporate network. It uses Kerberos for authentication and LDAP for queries. It is not designed for cloud apps or internet-scale scenarios. Entra ID is completely different: it is a REST API-based service, uses modern protocols (OAuth, OpenID Connect), and is accessible from anywhere. They are not interchangeable; Entra ID is not a cloud version of AD DS. However, you can sync user passwords and attributes from AD DS to Entra ID using Azure AD Connect, enabling users to have a single identity for both on-premises and cloud resources (hybrid identity).
Azure Portal and CLI Touchpoints
You manage Entra ID primarily through the Azure portal under the "Microsoft Entra ID" service. There you can create users, groups, configure Conditional Access, and view sign-in logs. You can also use the Azure CLI with the az ad command group. For example:
List users: az ad user list
Create a user: az ad user create --display-name "John Doe" --password "P@ssw0rd" --user-principal-name john@contoso.com
Create a group: az ad group create --display-name "IT Admins" --mail-nickname "ITAdmins"
Assign a role: az role assignment create --assignee john@contoso.com --role Contributor --scope /subscriptions/...
PowerShell modules like Microsoft.Graph (preferred) or AzureAD are also available for scripting.
Concrete Business Scenarios
Scenario 1: New Employee Onboarding: When a new employee joins, the IT admin creates a user account in Entra ID (either manually or via HR system integration). The employee is assigned to groups that grant access to Microsoft 365, internal apps, and Azure resources. They receive a temporary password and are prompted to change it on first sign-in. MFA is enforced via Conditional Access.
Scenario 2: Third-Party SaaS App Access: A company uses Salesforce. Instead of managing separate Salesforce accounts, they configure Salesforce to trust Entra ID (federation). Users sign in with their corporate credentials and get single sign-on. When an employee leaves, IT disables the Entra ID account, which automatically blocks access to Salesforce.
Scenario 3: Privileged Access Management: An organization uses Entra ID P2 with Privileged Identity Management (PIM) to grant just-in-time admin roles. A user requests elevation to Global Administrator for a specific task. The request requires approval and is time-bound. Once the time expires, the role is revoked automatically.
Create an Entra ID Tenant
When you first sign up for an Azure subscription, an Entra ID tenant is automatically created for your organization. You can also create additional tenants manually: In the Azure portal, go to Microsoft Entra ID > Manage tenants > Create. Fill in the organization name, initial domain name (e.g., contoso.onmicrosoft.com), and country/region. Behind the scenes, Azure provisions a new isolated directory with default security settings. The tenant's default domain is `<yourdomain>.onmicrosoft.com`. You can later add custom domains (e.g., contoso.com) after verifying ownership via DNS TXT records. Each tenant can have up to 500,000 directory objects in the Free tier; higher tiers have no hard limit but practical limits apply.
Add Users and Groups
Navigate to Microsoft Entra ID > Users > New user. Enter the user's name, username (e.g., jane.doe@contoso.com), and assign a temporary password. You can also set usage location and job title. For groups, go to Groups > New group, choose Security or Microsoft 365 group type, and add members. Security groups are used for permissions; Microsoft 365 groups provide collaboration features (shared mailbox, calendar). Groups can be static (manual membership) or dynamic (membership based on user attributes like department). Dynamic groups require Entra ID P1. Behind the scenes, each user and group is stored as a directory object with a unique Object ID. Deleting a user does not immediately remove the object; it is soft-deleted for 30 days.
Configure Custom Domain
To use your own domain (e.g., contoso.com) instead of the default contoso.onmicrosoft.com, you must add and verify it. Go to Microsoft Entra ID > Custom domain names > Add custom domain. Enter the domain name, then copy the DNS verification record (a TXT record) provided by Azure. Add this record to your domain's DNS zone with your registrar. After propagation (can take minutes to hours), click Verify. Once verified, you can set it as the primary domain. This allows users to sign in with user@contoso.com. You can add multiple custom domains, but each must be verified separately. If you remove a custom domain, users with that domain will be unable to sign in until reassigned.
Set Up Single Sign-On (SSO)
SSO allows users to sign in once and access multiple applications without re-entering credentials. To configure SSO for a SaaS app (e.g., Salesforce), go to Microsoft Entra ID > Enterprise applications > New application > Create your own application. Select "Integrate any other application you don't find in the gallery" and choose SAML-based sign-on. Download the SAML metadata XML from Entra ID and upload it to the SaaS app's configuration. Then assign users or groups to the app. Behind the scenes, Entra ID and the app establish a trust relationship using certificates. When a user accesses the app, they are redirected to Entra ID for authentication. If already authenticated, Entra ID issues a SAML assertion without prompting for credentials. SSO works only if the app supports SAML, OIDC, or password-based SSO.
Enable Multi-Factor Authentication (MFA)
MFA adds a second layer of security beyond the password. You can enable MFA per user (legacy) or via Conditional Access (recommended). For Conditional Access: Go to Microsoft Entra ID > Security > Conditional Access > New policy. Name it (e.g., "Require MFA for all users"), select users/groups, choose cloud apps (e.g., All cloud apps), and under Grant, select "Require multi-factor authentication". Enable the policy and save. Behind the scenes, when a user signs in, Entra ID evaluates the policy. If MFA is required, the user must provide a second factor (e.g., phone call, text, Microsoft Authenticator app). Conditional Access policies are evaluated at every sign-in and can include location, device compliance, and risk signals. MFA via Conditional Access is more flexible than per-user MFA because it allows exceptions and context-based rules.
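The policy evaluation described above (and in the Conditional Access component description earlier) can be modelled in a few dozen lines. The following is an added Python example, not code from this chapter or from Microsoft; Entra ID's real engine is a service, not a library you call. It goes a little beyond the single "require MFA for all users" policy: it shows exclusions (a break-glass group), a trusted named location, a risk-based block from Identity Protection signals, and a report-only policy, because those are the parts of a real policy set that trip people up. The policy names, group names, locations and users are all constructed, and "block wins, otherwise every applicable grant control must be satisfied" is the combination rule the example implements.

```python
from dataclasses import dataclass
from typing import Optional

RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    """Signals available at sign-in time (constructed, simplified)."""
    user: str
    groups: frozenset
    app: str
    location: str          # named location of the source IP, or "unknown"
    risk: str = "none"     # sign-in risk level reported by Identity Protection


@dataclass
class Policy:
    """A Conditional Access policy: assignments (who, what, where) plus one grant control."""
    name: str
    grant: str                                  # "block" | "mfa" | "compliant_device"
    state: str = "enabled"                      # "enabled" | "disabled" | "report_only"
    include_users: frozenset = frozenset({"All"})
    exclude_groups: frozenset = frozenset()     # e.g. break-glass accounts
    include_apps: frozenset = frozenset({"All"})
    exclude_locations: frozenset = frozenset()  # trusted named locations the policy skips
    min_risk: Optional[str] = None              # fire only at this sign-in risk or higher


def policy_applies(p: Policy, s: SignIn) -> bool:
    """Assignment matching: every condition must hold for the policy to be in scope."""
    if "All" not in p.include_users and s.user not in p.include_users:
        return False
    if s.groups & p.exclude_groups:
        return False
    if "All" not in p.include_apps and s.app not in p.include_apps:
        return False
    if s.location in p.exclude_locations:
        return False
    if p.min_risk is not None and RISK_LEVELS[s.risk] < RISK_LEVELS[p.min_risk]:
        return False
    return True


def evaluate(policies, s: SignIn) -> dict:
    """A block from any applicable policy wins; otherwise the user must satisfy
    the union of grant controls. Report-only policies are recorded, not enforced."""
    controls, report_only, blocked = set(), [], False
    for p in policies:
        if p.state == "disabled" or not policy_applies(p, s):
            continue
        if p.state == "report_only":
            report_only.append(p.name)
            continue
        if p.grant == "block":
            blocked = True
        else:
            controls.add(p.grant)
    if blocked:
        decision = "block"
    elif controls:
        decision = "grant_with_controls"
    else:
        decision = "grant"
    return {"decision": decision, "controls": sorted(controls), "report_only": report_only}


# Constructed policy set mirroring the chapter's examples.
POLICIES = [
    Policy("Require MFA for all users", grant="mfa",
           exclude_groups=frozenset({"break-glass-admins"})),
    Policy("Require compliant device for Azure portal", grant="compliant_device",
           include_apps=frozenset({"Azure portal"})),
    Policy("Block high-risk sign-ins", grant="block", min_risk="high"),
    Policy("Require MFA outside corporate network (pilot)", grant="mfa",
           state="report_only", exclude_locations=frozenset({"HQ"})),
]

if __name__ == "__main__":
    # Constructed sign-ins: a normal remote user, a high-risk sign-in, and a break-glass account.
    for s in (SignIn("jane.doe@contoso.com", frozenset({"Engineering"}), "Azure portal", "Home"),
              SignIn("jane.doe@contoso.com", frozenset(), "Salesforce", "HQ", risk="high"),
              SignIn("bg-admin@contoso.com", frozenset({"break-glass-admins"}), "Salesforce", "HQ")):
        print(s.user, s.app, s.location, "->", evaluate(POLICIES, s))
```

Two details worth noticing when reading the output: the report-only policy shows up in the result without changing the decision, which is how you pilot a new policy safely, and the break-glass account is excluded from the MFA policy on purpose, so it is the account that must be protected by other means and monitored most closely.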
Scenario 1: Global Enterprise with Hybrid Identity
A multinational corporation with 50,000 employees uses on-premises Active Directory for internal resources and Microsoft 365 for email and collaboration. They need a unified identity system to allow employees to use the same credentials for both environments. They deploy Azure AD Connect to synchronize user accounts, groups, and password hashes from on-premises AD to Entra ID. They also enable password hash synchronization and seamless SSO, so users signed into their domain-joined PCs automatically authenticate to cloud apps. The IT team configures Conditional Access policies to require MFA for users accessing sensitive data from outside the corporate network. They use Entra ID P2 licenses for Identity Protection to detect and block compromised accounts. Common issues: if Azure AD Connect stops syncing (e.g., due to network issues), changes to on-premises user accounts (like password resets) do not propagate to the cloud, causing sign-in failures. Cost: Entra ID P1 licenses for all users (~$6/user/month) plus Azure AD Connect server costs.
Scenario 2: Startup with Cloud-Only Identity
A 200-person startup uses only cloud services: Azure for infrastructure, Slack, and various SaaS apps. They have no on-premises servers. They create a cloud-only Entra ID tenant and manage all identities directly in the portal. They use dynamic groups based on department to automatically grant access to resources. For example, all employees in the "Engineering" department get access to the Azure DevOps project. They enforce MFA for all users via Conditional Access. They also set up self-service password reset to reduce help desk tickets. Common mistake: when a user leaves, the admin must manually disable or delete the account; if forgotten, the former employee retains access to all apps. Cost: Entra ID Free is sufficient for basic needs, but they opt for P1 to use dynamic groups and Conditional Access.
Scenario 3: Regulated Financial Institution
A bank with 10,000 employees must comply with strict regulations requiring privileged access management and regular access reviews. They use Entra ID P2 with Privileged Identity Management (PIM) to grant just-in-time admin roles. For example, a database administrator requests elevation to "SQL Server Contributor" for a specific Azure SQL database. The request triggers an approval workflow, and the role is activated for a limited time (e.g., 4 hours). PIM also requires MFA upon activation. They schedule quarterly access reviews for all privileged roles, where managers review and confirm or remove access. If a role is not reviewed, it is automatically deactivated. Common pitfalls: administrators may try to bypass PIM by assigning permanent roles, which violates compliance. Cost: Entra ID P2 licenses for all users (~$9/user/month) plus additional costs for Azure resources accessed.
Exactly What AZ-900 Tests on This Objective
Objective 2.5: "Describe identity services in Azure" focuses on Microsoft Entra ID (formerly Azure AD), including its features, editions, and core concepts like authentication, authorization, MFA, SSO, and Conditional Access. You will not be asked to configure Entra ID, but you must understand the differences between Entra ID Free, P1, and P2, and what features are included in each. You should know the difference between authentication (who you are) and authorization (what you can do).
Common Wrong Answers and Why Candidates Choose Them
"Entra ID is the same as on-premises Active Directory" – Candidates confuse the two because of the similar name. Reality: They are different products with different architectures. Entra ID is cloud-based, uses REST APIs, and modern protocols. On-premises AD uses Kerberos/LDAP.
"Entra ID Free includes Conditional Access" – Candidates assume all features are free. Reality: Conditional Access requires Entra ID P1 or P2.
"Multi-factor authentication requires Entra ID P1" – Actually, MFA is available in Free edition when enabled per user, but Conditional Access-based MFA (more flexible) requires P1. The exam may test this nuance.
"Azure AD Connect is used to migrate on-premises AD to the cloud" – Candidates think it's a migration tool. Reality: Azure AD Connect synchronizes identities; it does not migrate the entire AD infrastructure.
Specific Terms and Values That Appear on the Exam
Tenant: An instance of Entra ID. Each tenant is isolated.
Service Principal: An identity for an application (like a service account).
Managed Identity: An automatically managed identity in Entra ID for Azure resources (e.g., VMs, functions) to authenticate without credentials.
Conditional Access: Policy engine (requires P1).
Identity Protection: Risk-based protection (requires P2).
PIM: Privileged Identity Management (requires P2).
SSO: Single sign-on.
MFA: Multi-factor authentication.
Azure AD Join: Device identity (not in AZ-900 scope but sometimes confused).
Edge Cases and Tricky Distinctions
Entra ID vs. Azure RBAC: Entra ID authenticates users; Azure RBAC authorizes access to Azure resources (e.g., VMs, storage). They work together but are separate.
Guest Users (B2B): Entra ID supports collaboration with external users via B2B, where guests use their own identity provider. This is not the same as B2C (for customer identities).
Service Principals vs. Managed Identities: Both are identities for apps, but managed identities are easier to manage (no credential rotation) and are tied to an Azure resource.
Memory Trick: Decision Tree for Eliminating Wrong Answers
When asked about features, ask: "Is this feature about user authentication (e.g., SSO, MFA) or about governance (e.g., access reviews, PIM)?" Authentication features (SSO, MFA) are available in Free or P1; governance features (PIM, Identity Protection) require P2. For Conditional Access, remember: "Conditional Access = P1 or P2, never Free." Another tip: If a question mentions "risk" or "privileged access," the answer is likely P2.
Microsoft Entra ID is a cloud-based identity and access management service, not a cloud version of on-premises Active Directory.
Entra ID has four editions: Free, P1, P2, and P2 for Frontline Workers. Conditional Access requires P1; Identity Protection and PIM require P2.
Authentication verifies identity; authorization determines access. Entra ID provides authentication; Azure RBAC provides authorization for Azure resources.
Single Sign-On (SSO) allows users to sign in once and access multiple applications without re-entering credentials.
Multi-Factor Authentication (MFA) adds a second layer of security. It is available in Free edition per user, but Conditional Access-based MFA requires P1.
Azure AD Connect synchronizes on-premises AD users to Entra ID for hybrid identity. It does not migrate AD infrastructure.
A tenant is an isolated instance of Entra ID. Each Azure subscription trusts exactly one tenant, but a tenant can have multiple subscriptions.
Managed identities provide an automatically managed identity for Azure resources to authenticate without storing credentials.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Entra ID (Cloud Identity)
Cloud-based multi-tenant directory service
Uses OAuth 2.0, OpenID Connect, SAML protocols
REST API-based; accessible from anywhere
Manages identities for cloud apps (SaaS, custom)
No domain controllers to manage; Microsoft handles infrastructure
On-Premises Active Directory (AD DS)
On-premises directory service on Windows Server
Uses Kerberos and LDAP protocols
Requires domain controllers within the corporate network
Manages identities for on-premises resources (file servers, printers)
Requires server hardware, OS updates, and maintenance
Mistake
Microsoft Entra ID is just a cloud version of on-premises Active Directory.
Correct
Entra ID is a completely different service. It uses modern authentication protocols (OAuth, OpenID Connect, SAML) and a REST API, whereas on-premises AD uses Kerberos and LDAP. They are not interchangeable; however, they can be integrated via Azure AD Connect for hybrid identity.
Mistake
You need Entra ID P1 to use multi-factor authentication.
Correct
MFA per user is available in the Free edition. However, Conditional Access policies that require MFA (more flexible and recommended) require Entra ID P1 or P2. The exam may test this distinction.
Mistake
Azure AD Connect migrates your on-premises domain controllers to the cloud.
Correct
Azure AD Connect only synchronizes user objects and passwords from on-premises AD to Entra ID. It does not migrate the AD infrastructure itself. For a full migration, you would need additional services like Azure AD DS or lift-and-shift of domain controllers.
Mistake
All Azure subscriptions share a single Entra ID tenant.
Correct
Each Azure subscription is associated with exactly one Entra ID tenant, but a tenant can have multiple subscriptions. The tenant is the identity boundary; you cannot have one subscription span multiple tenants without using cross-tenant authentication.
Mistake
Entra ID is only for Microsoft cloud services like Microsoft 365.
Correct
Entra ID can authenticate users for thousands of third-party SaaS apps (e.g., Salesforce, Dropbox) and custom-built applications. It is a universal identity provider, not limited to Microsoft services.
There is no difference between Azure Active Directory and Microsoft Entra ID. Microsoft renamed Azure Active Directory to Microsoft Entra ID in 2023. The service is the same; only the name changed. On the AZ-900 exam, you may see either name, but the current official name is Microsoft Entra ID. The exam objectives still refer to 'Azure Active Directory' in some places, so you should be familiar with both terms.
Yes, Entra ID Free is included with any Azure subscription and provides basic user/group management, SSO to Microsoft cloud services, and per-user MFA. However, it lacks advanced features like Conditional Access, dynamic groups, and self-service password reset. For a small business with simple needs, Free may suffice. If they need more security or automation, P1 ($6/user/month) is recommended.
Yes, you can create an Entra ID tenant without an Azure subscription by signing up for Microsoft 365 or other Microsoft cloud services. However, to use Azure-specific features like managed identities or Azure RBAC, you need an Azure subscription associated with that tenant.
Authentication (AuthN) is the process of verifying who a user is, typically through a password, MFA, or biometrics. Authorization (AuthZ) determines what resources a user can access and what actions they can perform. Entra ID handles authentication by issuing tokens; authorization is often handled by the target application (e.g., Azure RBAC for Azure resources). For example, when you sign in to the Azure portal, Entra ID authenticates you, then Azure RBAC authorizes you to manage VMs.
A managed identity is an automatically managed service principal in Entra ID that represents an Azure resource (e.g., a VM, Azure Function, or App Service). It allows the resource to authenticate to any service that supports Entra ID authentication (like Azure Key Vault or Azure SQL) without storing credentials. Managed identities come in two types: system-assigned (tied to the resource lifecycle) and user-assigned (standalone identity that can be assigned to multiple resources).
Conditional Access is a policy engine that evaluates signals (user, device, location, risk) at sign-in to enforce access controls. For example, you can create a policy that requires MFA for all users accessing the Azure portal from outside the corporate network. When a user signs in, Entra ID evaluates the policy and either grants access, requires additional verification, or blocks access. Conditional Access requires Entra ID P1 or P2. It is a key security feature for zero-trust architectures.
Azure AD Connect is a tool that synchronizes user identities from an on-premises Active Directory to Microsoft Entra ID. It is used in hybrid identity scenarios where organizations want users to have a single identity for both on-premises and cloud resources. Azure AD Connect can also enable password hash synchronization, pass-through authentication, and federation with AD FS. It is not a migration tool; it keeps identities in sync so that changes on-premises are reflected in the cloud.