MS-102 | Chapter 6 of 104 | Objective 2.1

Entra ID Administration

This chapter covers Entra ID (formerly Azure AD) administration, a core component of the Microsoft 365 ecosystem and a heavy focus area on the MS-102 exam. You will learn how Entra ID functions as the identity and access management backbone for Microsoft 365, including user management, authentication, synchronization, and security features. Approximately 20-25% of the exam questions touch on Entra ID topics, making mastery of this chapter critical for success.

25 min read
Intermediate
Updated May 31, 2026

Entra ID as a City's Identity Bureau

Imagine a city with a central Identity Bureau that issues, manages, and verifies every resident's identity card. Each resident (user) gets a unique ID number (UPN) and a card with photo, address, and expiration date (password, MFA, and validity period). The Bureau also maintains a directory of all residents, their addresses, and group memberships (like neighborhood associations). When a resident wants to enter a government building (an application), the guard (authentication system) scans the card and checks with the Bureau: 'Is this card valid? Is this person allowed in this building?' The Bureau responds with a token (an access token) that contains claims about the resident's identity and permissions. The Bureau also has a special department for external visitors (guest users) — they get temporary visitor badges with limited access. If a resident moves to a new address (changes attributes), they must update their record at the Bureau. The Bureau synchronizes with other city agencies (on-premises AD) to keep records consistent. It also has a policy engine (Conditional Access) that can deny entry if the resident is trying to enter after curfew (time-based) or from a suspicious location (untrusted IP). This centralized identity system ensures consistent, secure access across all city services.

How It Actually Works

What is Entra ID and Why Does It Exist?

Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management (IAM) service. It provides authentication, authorization, and directory services for Microsoft 365, Azure, and thousands of SaaS applications. Unlike on-premises Active Directory (AD DS), which is a directory service for Windows domain networks, Entra ID is a cloud-native identity platform that uses REST APIs and modern authentication protocols like OAuth 2.0, OpenID Connect, and SAML.

How Entra ID Works Internally

When a user attempts to sign in to a Microsoft 365 service (e.g., Exchange Online, SharePoint Online), the following flow occurs:

1. User initiates sign-in: The user navigates to portal.office.com and enters their User Principal Name (UPN) and password.

2. Authentication request: The application redirects the user to the Entra ID sign-in endpoint (login.microsoftonline.com). The request includes the application ID and redirect URI.

3. Credential verification: Entra ID validates the credentials against its directory. If the user has password hash synchronization (PHS) enabled, the password hash stored in Entra ID is compared. For federated users, the request is redirected to the on-premises ADFS or other identity provider.

4. Conditional Access evaluation: After successful authentication, Entra ID evaluates any Conditional Access policies configured for the user or application. This includes checks for MFA, device compliance, location, and risk level.

5. Token issuance: If all checks pass, Entra ID issues an access token (JWT) containing claims about the user (e.g., groups, roles, tenant ID). The token is returned to the application.

6. Application authorization: The application validates the token signature and claims to grant or deny access to resources.
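An added example (not from the original page) of the claim checks an application performs in step 6: it constructs an unsigned sample token carrying the kinds of claims listed in step 5 (placeholder tenant, app, group and user values), decodes the base64url payload, and checks exp, nbf, tid and aud. Signature verification against the tenant's published signing keys is assumed to happen first and is not simulated here.

```powershell
# Added example, not from the page: constructed sample token with placeholder IDs.
# A real app verifies the RS256 signature against the keys published in the
# tenant's OpenID Connect discovery document before trusting any claim below.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    return $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments are base64url: no padding, '-' and '_' instead of '+' and '/'
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Test-EntraTokenClaims {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedTenantId,
        [Parameter(Mandatory)][string]$ExpectedAudience
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWT: expected header.payload.signature" }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $problems = @()
    # exp/nbf are Unix timestamps; the default access token lifetime is 1 hour
    if ($claims.exp -le $now) { $problems += "token expired (exp=$($claims.exp))" }
    if ($claims.nbf -gt $now) { $problems += "token not yet valid (nbf=$($claims.nbf))" }
    # tid = issuing tenant; aud = the application the token was minted for.
    # A token from another tenant, or issued for another app, must be rejected.
    if ($claims.tid -ne $ExpectedTenantId) { $problems += "wrong tenant: $($claims.tid)" }
    if ($claims.aud -ne $ExpectedAudience) { $problems += "wrong audience: $($claims.aud)" }
    [pscustomobject]@{
        User     = $claims.preferred_username
        Tenant   = $claims.tid
        Roles    = @($claims.roles)
        Groups   = @($claims.groups)
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# --- constructed sample token (placeholder IDs, placeholder signature) ---------
$tenantId = 'TENANT-ID-PLACEHOLDER'
$appId    = 'APP-ID-PLACEHOLDER'
$nowUnix  = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$header   = ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT","kid":"KID-PLACEHOLDER"}'
$payload  = ConvertTo-Base64Url (@{
    aud = $appId; tid = $tenantId; preferred_username = 'user@contoso.com'
    roles = @('Reports.Reader'); groups = @('GROUP-ID-PLACEHOLDER')
    iat = $nowUnix; nbf = $nowUnix; exp = $nowUnix + 3600
} | ConvertTo-Json -Compress)
$sampleToken = "$header.$payload.SIGNATURE-PLACEHOLDER"

Test-EntraTokenClaims -Token $sampleToken -ExpectedTenantId $tenantId -ExpectedAudience $appId
# The same token checked against a different tenant shows the rejection path
Test-EntraTokenClaims -Token $sampleToken -ExpectedTenantId 'OTHER-TENANT' -ExpectedAudience $appId
```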

Key Components, Defaults, and Timers

User Principal Name (UPN): The primary sign-in identifier. Default format: user@tenant.onmicrosoft.com. Can be customized to a verified domain (e.g., user@contoso.com).

Password Hash Synchronization (PHS): By default, password hashes are synced every 2 minutes from on-premises AD to Entra ID. The hash uses a one-way SHA256 algorithm (not reversible).

Pass-through Authentication (PTA): Validates passwords directly against on-premises AD without storing hashes in the cloud. Default timeout for agent registration: 30 days.

Seamless SSO: Enabled by default when using PHS or PTA. Users are automatically signed in when on a domain-joined device connected to the corporate network. The mechanism uses a Kerberos ticket to obtain a nonce, which is exchanged for a SAML token.

Access Token Lifetime: By default, access tokens are valid for 1 hour. Refresh tokens can be configured up to 90 days (sliding window).

MFA: Can be enforced per user or via Conditional Access. Default MFA methods include Microsoft Authenticator app, phone call, and text message.

Groups: There are two types: Security groups (for access control) and Microsoft 365 groups (for collaboration). Membership can also be assigned dynamically based on attribute rules (dynamic groups).

Configuration and Verification Commands

Using the Microsoft Graph PowerShell SDK:

# Connect to Microsoft Graph with the scopes the cmdlets below need
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "AuditLog.Read.All", "Directory.Read.All"

# Get all users
Get-MgUser -All

# Get a specific user
Get-MgUser -UserId "user@contoso.com"

# Set password policy (requires Privileged Authentication Admin; uses User.ReadWrite.All)
Update-MgUser -UserId "user@contoso.com" -PasswordPolicies "DisablePasswordExpiration"

# Get sign-in logs (requires AuditLog.Read.All and Directory.Read.All)
Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'user@contoso.com'" -Top 5

For on-premises synchronization with Azure AD Connect:

# Check sync status (on Azure AD Connect server)
Get-ADSyncConnectorRunStatus
# Force a delta sync
Start-ADSyncSyncCycle -PolicyType Delta

Interaction with Related Technologies

Microsoft 365: Entra ID authenticates users for Exchange Online, SharePoint Online, Teams, and other services. Groups in Entra ID can be used to provision Microsoft 365 groups.

Azure: Entra ID provides identity for Azure resources via RBAC. Managed identities for Azure resources use Entra ID tokens.

On-premises AD: Azure AD Connect synchronizes users, groups, and devices from on-premises AD to Entra ID. Three main synchronization options: PHS, PTA, and federation with ADFS.

Conditional Access: A policy engine that evaluates signals (user, device, location, risk) to enforce access controls. Integrates with Microsoft Intune for device compliance.

Identity Protection: Uses machine learning to detect risk events (e.g., leaked credentials, impossible travel) and can trigger remediation like requiring password change or blocking sign-in.

Important Defaults and Limits

Tenant limit: Maximum 500,000 objects (users, groups, devices) in a free Azure AD tenant. Paid tiers have higher limits (up to 50 million).

Password expiration: Microsoft 365 default is 90 days, but Microsoft recommends setting passwords to never expire and using security defaults or Conditional Access for MFA.

Guest user access: Guest users (B2B collaboration) can be invited from any email address. They authenticate with their home tenant credentials. Maximum guest users: 5x the number of paid licenses.

Application registration: A tenant can have up to 250,000 app registrations (service principals).

Licensing Requirements

Free: Entra ID Free (included with Microsoft 365 subscriptions) provides user management, group management, and basic security defaults.

P1: Adds Conditional Access, Identity Protection (limited), and dynamic groups. Included with Microsoft 365 E3.

P2: Adds Identity Protection (full), Privileged Identity Management (PIM), and Identity Governance. Included with Microsoft 365 E5.

Exam Tip

MS-102 focuses heavily on the differences between PHS, PTA, and federation, and when to use each. Know the default sync intervals, what happens during a sync failure, and how to troubleshoot. Also understand the flow of authentication in a hybrid environment — e.g., what happens when a user signs in with Seamless SSO vs. a cloud-only user.

Walk-Through

1. Configure Azure AD Connect

On a Windows Server 2016+ machine (domain-joined), download and run Azure AD Connect. Select 'Customize' to choose sync options. The wizard will prompt for Entra ID global admin credentials and on-premises AD enterprise admin credentials. During installation, you choose the synchronization method (PHS, PTA, or federation). For PHS, password hashes are synced every 2 minutes. For PTA, the wizard installs an agent that listens for authentication requests. The wizard also configures Seamless SSO by creating a computer account in the on-premises AD domain. The initial sync is a full sync; subsequent syncs are delta syncs every 30 minutes by default.

2. Verify Sync Status

After installation, use the Synchronization Service Manager on the Azure AD Connect server to verify the sync cycle. Look for 'Export' and 'Import' steps with no errors. You can also run the PowerShell command 'Get-ADSyncConnectorRunStatus' to see the last sync time. In the Entra ID admin center, go to 'Users' and confirm that on-premises users appear with 'Synchronized' as the source. Check the 'Azure AD Connect' blade for any sync errors. Common issues include duplicate UPNs, attribute mismatches, and connectivity problems.

3. Enable Seamless SSO

Seamless SSO is enabled by default when you choose PHS or PTA in Azure AD Connect. If disabled, run the Azure AD Connect wizard again and select 'Change user sign-in' to enable it. The feature creates a Kerberos service principal name (SPN) for the computer account AZUREADSSOACC in the on-premises AD domain. The client-side component uses Group Policy to add the Entra ID URL (https://autologon.microsoftazuread-sso.com) to the Intranet Zone in Internet Explorer. When a user accesses a Microsoft 365 service from a domain-joined device, the browser sends a Kerberos ticket to the Entra ID endpoint, which validates it and issues a token without prompting for a password.

4. Configure Conditional Access

In the Entra ID admin center, go to 'Security' > 'Conditional Access' > 'New policy'. Name the policy and assign users/groups. Under 'Cloud apps or actions', select the target applications (e.g., all cloud apps or specific apps). Under 'Conditions', set conditions such as user risk, sign-in risk, device platforms, locations (named locations), client apps, and filter for devices. Under 'Grant', choose 'Require MFA', 'Require device to be marked as compliant', 'Require approved client app', or 'Require password change'. Under 'Session', you can control sign-in frequency, persistent browser session, and app enforced restrictions. Test the policy with the 'What If' tool before enabling it.

5. Manage Guest Users (B2B)

In the Entra ID admin center, go to 'Users' > 'New guest user'. Enter the guest's email address and a personal message. The guest receives an invitation email with a link to accept. Once accepted, the guest appears in your tenant as a user with 'Guest' user type. Their authentication occurs in their home tenant. You can assign apps and groups to guests. To restrict guest access, use external collaboration settings (e.g., allow only specific domains). For fine-grained control, use Conditional Access with guest user conditions. Note: Guests are counted against your tenant's 500,000 object limit (free tier).
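Steps 4 and 5 scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page: a dynamic group of all guest users, then a Conditional Access policy that requires MFA for that group on one application, created in report-only mode so the sign-in logs show the would-be outcome before it is enforced. The application ID is a placeholder, and the group and policy names are chosen here.

```powershell
# Added example, not from the page. Requires Entra ID P1 (dynamic groups and
# Conditional Access). The app ID below is a placeholder to replace.
$scopes = @("Group.ReadWrite.All", "Policy.Read.All",
            "Policy.ReadWrite.ConditionalAccess", "Application.Read.All")
Connect-MgGraph -Scopes $scopes

$partnerPortalAppId = "00000000-0000-0000-0000-000000000000"   # placeholder

function New-GuestDynamicGroup {
    param([string]$DisplayName = "All Guest Users (dynamic)")
    # Membership is evaluated from the userType attribute, so newly accepted
    # guests join automatically and removed guests drop out without admin action.
    New-MgGroup -DisplayName $DisplayName `
        -MailEnabled:$false -MailNickname "allguestsdynamic" -SecurityEnabled:$true `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule '(user.userType -eq "Guest")' `
        -MembershipRuleProcessingState "On"
}

function New-GuestMfaPolicy {
    param(
        [Parameter(Mandatory)][string]$GuestGroupId,
        [Parameter(Mandatory)][string]$AppId
    )
    $body = @{
        displayName = "CA - Require MFA for guests on partner portal"
        # Report-only: evaluated and logged on every sign-in, never enforced,
        # until the state is changed to "enabled"
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeGroups = @($GuestGroupId) }
            applications   = @{ includeApplications = @($AppId) }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$guestGroup = New-GuestDynamicGroup
$policy     = New-GuestMfaPolicy -GuestGroupId $guestGroup.Id -AppId $partnerPortalAppId

# Verify what was created before switching the state to "enabled"
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State, @{n='Grant'; e={$_.GrantControls.BuiltInControls}}
```

The report-only result for each guest sign-in appears in the sign-in logs under the policy's name, which is how to confirm the group and app scoping match the intent before enforcement.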

What This Looks Like on the Job

Enterprise Scenario 1: Hybrid Identity with PHS and Seamless SSO

A large enterprise with 50,000 on-premises AD users migrates to Microsoft 365. They choose PHS for simplicity and Seamless SSO for user experience. They deploy Azure AD Connect on two servers in a staging mode for high availability. The sync interval is set to 30 minutes (delta). During a crisis, a bug in a security update causes password hashes to fail to sync for 2 hours. Users report being locked out. The IT team identifies the issue by checking the synchronization logs in the Synchronization Service Manager, which shows repeated export errors. They roll back the update and force a full sync. To prevent recurrence, they implement monitoring with Azure Monitor alerts on sync errors. They also enable password writeback to allow users to reset their own passwords from the cloud, reducing helpdesk calls.
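An added health check, not from the page, for the sync failure in this scenario and for the verification commands earlier in the chapter. It runs on the Azure AD Connect server with the ADSync module, checks the scheduler against the 30-minute delta default, confirms password hash sync is enabled on the AD connector, and collects recent sync-engine errors from the Application event log so they can feed an alert. The connector name and the event provider name are assumptions.

```powershell
# Added example, not from the page. Run in an elevated session on the
# Azure AD Connect server; "contoso.com" is a placeholder connector name.
Import-Module ADSync   # installed with Azure AD Connect

function Get-AadConnectHealth {
    param(
        [string]$AdConnectorName = "contoso.com",                  # placeholder
        [TimeSpan]$ExpectedInterval = [TimeSpan]::FromMinutes(30), # default delta interval
        [int]$LookbackHours = 2
    )
    $findings = @()

    $sched = Get-ADSyncScheduler
    if (-not $sched.SyncCycleEnabled) { $findings += "Scheduler disabled: no automatic sync cycles" }
    if ($sched.CurrentlyEffectiveSyncCycleInterval -ne $ExpectedInterval) {
        $findings += "Delta interval is $($sched.CurrentlyEffectiveSyncCycleInterval), expected $ExpectedInterval"
    }

    # PHS is configured per AD connector: if it is off here, password changes never
    # reach Entra ID even when the delta cycle itself is healthy
    $phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $AdConnectorName
    if (-not $phs.Enabled) { $findings += "Password hash sync disabled on connector $AdConnectorName" }

    # Non-empty only while a connector run is in progress
    $running = Get-ADSyncConnectorRunStatus

    # Sync engine errors land in the Application log under this provider name
    # (assumption: as seen on current Azure AD Connect builds); Level 2 = Error
    $errors = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Directory Synchronization'
        Level = 2; StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue)
    foreach ($e in $errors) {
        $findings += "Event $($e.Id) at $($e.TimeCreated): $(($e.Message -split '\r?\n')[0])"
    }

    [pscustomobject]@{
        SyncCycleEnabled = $sched.SyncCycleEnabled
        StagingMode      = $sched.StagingModeEnabled   # staging servers import but never export
        NextSyncUtc      = $sched.NextSyncCycleStartTimeInUTC
        RunInProgress    = [bool]$running
        PasswordHashSync = $phs.Enabled
        RecentErrors     = $errors.Count
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

$health = Get-AadConnectHealth
$health | Format-List
# After the bad update is rolled back, a delta cycle picks up pending changes;
# use -PolicyType Initial for the full sync the scenario ends with. Never start
# a cycle while one is already running.
if (-not $health.Healthy -and -not $health.RunInProgress) { Start-ADSyncSyncCycle -PolicyType Delta }
```

Scheduling this check and alerting on Healthy = False covers the monitoring the scenario adds after the outage.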

Enterprise Scenario 2: B2B Guest Access for a Partner Portal

A company launches a partner portal using SharePoint Online. They need to grant external partners access to specific sites. They use Entra ID B2B collaboration to invite partners as guest users. They configure external collaboration settings to allow invitations from all domains but block consumer email domains (e.g., gmail.com) for security. They create a dynamic group that includes all guest users and apply a Conditional Access policy requiring MFA for all guests. The policy also restricts access to only the partner portal app. Partners authenticate with their own corporate credentials via federation. The company monitors guest sign-ins using Entra ID sign-in logs and Identity Protection. A challenge arises when a partner's domain has a federation outage; guests cannot sign in. The company adds a backup authentication method (email OTP) for guests as a fallback.

Enterprise Scenario 3: Conditional Access with Device Compliance

A financial services firm requires that all access to Microsoft 365 apps occurs only from compliant devices. They use Microsoft Intune to enforce device compliance policies (e.g., encryption, minimum OS version, jailbreak detection) and create a Conditional Access policy that grants access only if the device is marked as compliant. For devices that are not enrolled in Intune, access is blocked or limited to browser-only with session controls. The policy also includes a location condition: access from non-corporate IPs requires MFA. The helpdesk frequently gets calls from users who are blocked because their device is out of compliance (e.g., missing a security update). The IT team sets up a notification email to remind users to update. They also configure a grace period using the 'Customize continuous access evaluation' policy.

How MS-102 Actually Tests This

What MS-102 Tests on Entra ID Administration (Objective 2.1)

The exam covers the following sub-objectives:

Plan and implement identity synchronization (Azure AD Connect)

Manage user and group identities (including guest users)

Implement authentication methods (PHS, PTA, federation, Seamless SSO)

Plan and implement Conditional Access

Monitor and troubleshoot identity

Common Wrong Answers and Why Candidates Choose Them

1. Choosing Federation over PHS for simplicity: Many candidates think federation is the default for hybrid identity because it was common in the past. However, Microsoft recommends PHS as the primary method for most organizations due to simplicity and the ability to fall back if the on-premises identity provider is unavailable. The exam expects you to know that PHS is the easiest to implement and provides redundancy.

2. Assuming Seamless SSO requires ADFS: Seamless SSO works with both PHS and PTA; it does not require federation. Candidates often confuse Seamless SSO with federated authentication. Know that Seamless SSO is a separate feature that can be enabled with PHS or PTA.

3. Thinking Conditional Access requires a P2 license: While some advanced features (like risk-based policies) require P2, basic Conditional Access (e.g., MFA based on location) is available with P1. The exam tests licensing requirements, so know the difference.

4. Mixing up password writeback and password hash sync: Password writeback allows users to reset passwords from the cloud to on-premises. It requires Azure AD Connect with password writeback enabled. PHS is one-way (on-prem to cloud). Candidates often think PHS includes writeback.

Specific Numbers and Terms That Appear Verbatim

Default sync interval: 30 minutes (delta), 2 minutes for password changes.

Maximum number of objects in free tier: 500,000.

Seamless SSO uses Kerberos and the computer account AZUREADSSOACC.

PHS uses SHA256 one-way hash.

PTA agent registration timeout: 30 days.

Access token default lifetime: 1 hour.

Refresh token maximum lifetime: 90 days (sliding window).

Edge Cases and Exceptions

When using PTA, you must have at least two agents for high availability.

If a user has both on-premises and cloud-only accounts with the same UPN, sync will fail. You must resolve the conflict.

Guest users from Azure AD tenants (B2B direct connect) do not require an invitation; they can be added via cross-tenant access settings.

For Seamless SSO to work, the device must be domain-joined or Hybrid Azure AD joined.

How to Eliminate Wrong Answers

If a question asks about the simplest identity model for a new organization with no on-premises AD, the answer is cloud-only identities, not PHS.

If a question mentions 'users can sign in even if on-premises AD is down', the answer is PHS, not federation.

For questions about controlling access based on device compliance, look for Conditional Access with Intune integration.

For questions about risk-based policies, look for Identity Protection (requires P2).

Key Takeaways

Entra ID is a cloud IAM service, not a directory service; it uses REST APIs and OAuth/OpenID Connect.

Default delta sync interval for Azure AD Connect is 30 minutes; password changes sync every 2 minutes.

Seamless SSO uses Kerberos and the AZUREADSSOACC computer account; works with PHS and PTA.

Conditional Access policies are disabled by default and require explicit enablement.

Guest users (B2B) authenticate in their home tenant and do not require a license for basic access.

PHS is the recommended identity synchronization method for most organizations.

Access tokens default to 1-hour lifetime; refresh tokens up to 90 days (sliding window).

Identity Protection requires Azure AD Premium P2 license for full risk-based policies.

Password writeback is a separate feature that must be explicitly enabled in Azure AD Connect.

Maximum 500,000 objects in free tier; paid tiers support up to 50 million.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Password Hash Sync (PHS)

Password hashes are synced to Entra ID every 2 minutes.

Users can sign in even if on-premises AD is unavailable (cloud fallback).

Simplest to deploy; no additional agents needed beyond Azure AD Connect.

No on-premises server is required for authentication (hashes are in cloud).

Recommended by Microsoft for most organizations.

Pass-Through Auth (PTA)

Passwords are validated directly against on-premises AD; no hash stored in cloud.

Requires at least one PTA agent (Windows Server) running on-premises.

If all agents are down, authentication fails (no cloud fallback).

Supports real-time password validation and lockout policies.

Useful when on-premises password policies must be strictly enforced.

Watch Out for These

Mistake

Entra ID is just a cloud version of Active Directory.

Correct

Entra ID is not a directory service like AD DS; it is an identity and access management service. It does not support LDAP, Kerberos (for on-premises apps), or Group Policy. It uses REST APIs and modern authentication protocols (OAuth, SAML, OpenID Connect).

Mistake

Password Hash Synchronization stores plaintext passwords in the cloud.

Correct

PHS synchronizes a one-way SHA256 hash of the password. The original password cannot be derived from the hash. The hash is used only for authentication; Entra ID never has access to the plaintext password.

Mistake

Seamless SSO requires Azure AD Connect to be running continuously.

Correct

Seamless SSO only requires the initial configuration via Azure AD Connect. Once enabled, the client-side Kerberos ticket exchange works without any dependency on the Azure AD Connect server. The server is only needed for sync cycles.

Mistake

Conditional Access policies apply to all users by default.

Correct

Conditional Access policies are disabled by default. You must explicitly enable them after configuration. Also, policies can be scoped to specific users, groups, or apps; they do not automatically apply to everyone.

Mistake

Guest users (B2B) consume a paid license.

Correct

Guest users do not require a Microsoft 365 license for basic access to resources. However, they may need a license if they need access to paid features (e.g., advanced auditing). The inviting tenant can assign licenses to guests if needed.


Frequently Asked Questions

What is the difference between Azure AD and Entra ID?

Entra ID is the new name for Azure Active Directory (Azure AD) as of 2023. The functionality remains the same; only the branding changed. Microsoft renamed it to 'Microsoft Entra ID' to unify the identity product family. On the MS-102 exam, you may see both terms used interchangeably, but the official name is now Microsoft Entra ID.

How do I force a sync in Azure AD Connect?

You can force a delta sync by running 'Start-ADSyncSyncCycle -PolicyType Delta' on the Azure AD Connect server. For a full sync, use 'Start-ADSyncSyncCycle -PolicyType Initial'. Alternatively, you can use the Synchronization Service Manager GUI to start a delta sync manually. Note that forced syncs should be used sparingly to avoid performance impact.

What licenses are required for Conditional Access?

Basic Conditional Access policies (e.g., MFA based on location or device) require Azure AD Premium P1 licenses for users. Advanced policies (e.g., risk-based policies using Identity Protection) require Azure AD Premium P2. Microsoft 365 E3 includes P1; E5 includes P2. Some policies may also require Intune licenses for device compliance.

Can I use Seamless SSO without Azure AD Connect?

No, Seamless SSO is configured and enabled through Azure AD Connect. The wizard creates the necessary Kerberos delegation and sets up the AZUREADSSOACC account. After initial configuration, the feature works independently of the sync server, but the setup requires Azure AD Connect.

How do I troubleshoot sync errors in Azure AD Connect?

Use the Synchronization Service Manager on the Azure AD Connect server to view import, sync, and export errors. Common issues include duplicate UPNs, missing attributes, and permission problems. Check the 'Azure AD Connect' blade in the Entra ID admin center for sync status. PowerShell cmdlets like 'Get-ADSyncConnectorRunStatus' and 'Get-ADSyncExportError' can help. Also, enable verbose logging for detailed troubleshooting.

What is the difference between a security group and a Microsoft 365 group?

Security groups are used for access control to resources (e.g., assigning licenses, permissions). They can be mail-enabled or not. Microsoft 365 groups are used for collaboration and include a shared mailbox, calendar, and SharePoint site. They are also security-enabled by default. Both can be managed in Entra ID and synced from on-premises AD.

Can I block sign-ins for a user without deleting them?

Yes, you can block sign-in for a user in the Entra ID admin center by navigating to the user's profile and setting 'Sign-in status' to 'Blocked'. This prevents the user from authenticating but keeps their account and data intact. Alternatively, you can use Conditional Access to block access based on conditions.
