MS-900 | Chapter 34 of 104 | Objective 3.3

Microsoft Entra ID (Azure AD) in M365

This chapter covers Microsoft Entra ID (formerly Azure Active Directory), the core identity and access management service for Microsoft 365. Entra ID is the foundation of authentication, authorization, and identity security in the Microsoft cloud. On the MS-900 exam, approximately 10–15% of questions touch on identity concepts, with Entra ID being the most heavily tested component. Understanding its architecture, features, and how it differs from on-premises Active Directory is essential for passing the exam and for real-world administration.

25 min read
Intermediate
Updated May 31, 2026

Entra ID as Corporate Badge System

Think of Microsoft Entra ID as a corporate badge system for a large office building. When you join the company, HR creates your identity in the central directory and issues you a badge (your user account and password). That badge is proof of who you are. Now, suppose the building has multiple secure zones: the main entrance, the IT server room, the finance department, and the parking garage. Each zone has its own security guard who doesn't know you personally. Instead, when you swipe your badge at a door, the guard scans it and sends a request to the central security office (Entra ID). The central office checks your badge ID against its database: Is the badge valid? Is it expired? Do you have permission for this zone? It then sends back a simple "allow" or "deny" signal. The guard never sees your personal information — just the decision. This is authentication (who you are) and authorization (what you can access) separated. If you leave the company, HR deactivates your badge in the central system. Immediately, every door rejects your badge — you don't need to collect physical keys. Entra ID works the same way: it's the central identity provider for Microsoft 365, Azure, and thousands of SaaS apps. It authenticates users and issues tokens (like a temporary visitor pass) that apps accept as proof of identity. The apps don't store passwords; they trust Entra ID's tokens. This is federation. Entra ID also syncs with on-premises Active Directory via Azure AD Connect, like linking your badge system to an older keycard system so that one badge works everywhere.

How It Actually Works

Microsoft Entra ID is a cloud-based identity and access management (IAM) service. It provides authentication and authorization for users, devices, and applications. It is the identity backbone for Microsoft 365, Azure, and many third-party SaaS applications. Entra ID is not a directory service in the traditional sense like on-premises Active Directory Domain Services (AD DS); it is an identity platform that uses REST APIs and modern protocols (OAuth 2.0, OpenID Connect, SAML, WS-Federation) instead of Kerberos and LDAP.

Why Entra ID Exists

Before cloud computing, organizations used on-premises Active Directory to manage users and computers within a corporate network perimeter. With the rise of SaaS apps and mobile work, identities needed to work outside the network. Entra ID was built to handle internet-scale authentication, supporting billions of authentication requests per day. It decouples identity from the corporate network, allowing users to access resources from anywhere, on any device.

How Entra ID Works Internally

When a user attempts to sign in to a Microsoft 365 app (e.g., Outlook Web Access), the following happens:

1. Authentication Request: The app redirects the user to the Entra ID sign-in endpoint: https://login.microsoftonline.com. The user provides credentials (username and password, or other methods).

2. Authentication: Entra ID validates the credentials against its directory. If multi-factor authentication (MFA) is required, the user must complete the additional challenge.

3. Token Issuance: Upon successful authentication, Entra ID issues an ID token (OpenID Connect) and an access token (OAuth 2.0). The ID token contains claims about the user (e.g., name, email, tenant ID). The access token is a signed JSON Web Token (JWT) that includes the user's permissions (scopes).

4. Token Consumption: The app receives the tokens. It validates the token's signature using the public keys published by Entra ID at https://login.microsoftonline.com/common/discovery/keys. The app then uses the access token to call Microsoft Graph or other APIs.

5. Authorization: When the app calls an API, it presents the access token. The API checks the token's scopes to determine if the user is authorized.
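What steps 4 and 5 look like on the API side, as an added Python example (not code from this page or from Microsoft): it splits the JWT into its segments and checks issuer, tenant, audience, lifetime and scopes. The tenant ID, audience and sample payload are constructed, and the RS256 signature check against the published keys is assumed to have already been done.

```python
import base64
import json
from typing import Dict, List, Set, Tuple

# Constructed sample identifiers for this demo (not a real tenant or app).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
EXPECTED_AUDIENCE = "api://example-line-of-business-api"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWT into (header, payload). This does not check the
    signature: a real API first verifies the RS256 signature against the keys
    at https://login.microsoftonline.com/common/discovery/keys, then runs the
    claim checks below. Claims from an unverified token must never be trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def validate_claims(payload: Dict, required_scopes: Set[str], now: int) -> List[str]:
    """Return the problems found with an access token's claims ([] means accept)."""
    problems: List[str] = []
    # Issuer and tenant must be ours: a token minted for another tenant is
    # validly signed by Entra ID but must not be accepted by this API.
    if payload.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer mismatch")
    if payload.get("tid") != TENANT_ID:
        problems.append("tenant mismatch")
    # Audience must be this API; a token issued for Microsoft Graph is not ours.
    if payload.get("aud") != EXPECTED_AUDIENCE:
        problems.append("audience mismatch")
    # Lifetime window: exp and nbf are Unix timestamps set by Entra ID.
    exp, nbf = payload.get("exp"), payload.get("nbf", 0)
    if not isinstance(exp, int) or exp <= now:
        problems.append("expired or missing exp")
    elif isinstance(nbf, int) and nbf > now:
        problems.append("not yet valid")
    # Delegated permissions arrive as a space-separated 'scp' claim.
    missing = required_scopes - set(payload.get("scp", "").split())
    if missing:
        problems.append("missing scopes: " + " ".join(sorted(missing)))
    return problems

def make_sample_token(payload: Dict) -> str:
    """Build a constructed, unsigned token for the demo; the third segment is a
    placeholder where Entra ID's RS256 signature would be."""
    def enc(d: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder"

# Constructed payload mirroring the claims an Entra ID v2.0 access token carries.
ISSUED_AT = 1_700_000_000
SAMPLE_PAYLOAD = {
    "iss": EXPECTED_ISSUER, "tid": TENANT_ID, "aud": EXPECTED_AUDIENCE,
    "iat": ISSUED_AT, "nbf": ISSUED_AT, "exp": ISSUED_AT + 3600,
    "scp": "Mail.Read User.Read", "preferred_username": "user@contoso.com",
}
```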

Key Components

Tenant: A dedicated instance of Entra ID. Each Microsoft 365 subscription gets a tenant. The tenant ID is a GUID; the tenant also has an initial domain name of the form contoso.onmicrosoft.com.

Directory: The store of user objects, groups, devices, and applications. Each tenant has a single directory.

User Principal Name (UPN): The sign-in name, typically an email address (e.g., user@contoso.com).

Object ID: A unique GUID for every object in the directory, immutable.

Security Groups: Used to assign permissions. Groups can be assigned to apps, roles, and licenses.

Service Principals: The identity of an application in the tenant. Used for app-only authentication.

Conditional Access Policies: Rules that enforce access controls based on conditions (e.g., location, device state, risk level).

Identity Protection: Uses machine learning to detect risky sign-ins (e.g., impossible travel, leaked credentials).

Defaults and Timers

Session Token Lifetime: By default, session tokens for Microsoft 365 apps last 8 hours. This can be configured via Conditional Access.

Refresh Token Lifetime: Refresh tokens are valid for 90 days of inactivity. If used regularly, they can last up to 180 days.

Password Expiration: Microsoft 365 passwords default to never expire (as of 2021). However, organizations can set a custom expiration policy (e.g., 90 days).

MFA Remembered Devices: Users can mark a device as trusted for 14 days to bypass MFA prompts.

Guest User Invitation Expiration: Guest invitations expire after 30 days by default.

Configuration and Verification Commands

Administrators manage Entra ID through the Entra admin center (https://entra.microsoft.com) or via PowerShell with the Microsoft Graph PowerShell SDK.

Example: Get tenant details

# Sign in with only the delegated scope this query needs
Connect-MgGraph -Scopes "Organization.Read.All"
Get-MgOrganization | Select-Object Id, DisplayName, VerifiedDomains

Example: Get users

# Requires the User.Read.All scope; -All pages through every user rather than the first page only
Connect-MgGraph -Scopes "User.Read.All"
Get-MgUser -All | Select-Object UserPrincipalName, DisplayName, UserType

Example: Create a conditional access policy

# Creating a policy needs a write scope; PowerShell arrays use @(...), not [...]
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$params = @{
    displayName = "Require MFA for all users"
    state = "enabled"
    conditions = @{
        # "All" targets every user; in practice exclude an emergency-access account
        # so a mistake in the policy cannot lock every administrator out
        users = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        builtInControls = @("mfa")
        operator = "OR"
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params

Interaction with Related Technologies

Azure AD Connect (now Microsoft Entra Connect): Syncs objects from on-premises AD DS to Entra ID. Supports password hash sync, pass-through authentication, and federation with AD FS.

Microsoft Graph: The REST API for accessing Entra ID data. All modern automation uses Graph.

Azure AD Domain Services: Provides managed domain services (LDAP, Kerberos, NTLM) for Azure VMs that cannot use Entra ID directly.

Microsoft Intune: Uses Entra ID for device identity and conditional access.

Microsoft 365 Defender: Integrates with Entra ID Identity Protection for risk-based conditional access.

Licensing Tiers

Entra ID has four editions: Free, Microsoft Entra ID P1, Microsoft Entra ID P2, and Microsoft Entra ID Governance. The MS-900 exam focuses on the capabilities included with Microsoft 365 subscriptions:

- Microsoft 365 Business Basic/Standard/Premium: Includes Entra ID Free (with some P1 features like self-service password reset for cloud users).
- Microsoft 365 E3: Includes Entra ID P1.
- Microsoft 365 E5: Includes Entra ID P2.

Key differences:

- Free: User/group management, single sign-on (SSO) to Microsoft apps, basic security reports.
- P1: Conditional Access, self-service password reset with write-back, dynamic groups, Microsoft Identity Manager.
- P2: Identity Protection, Privileged Identity Management (PIM), identity governance.

Exam-Relevant Details

Entra ID is NOT Active Directory. It does not support Kerberos, LDAP, or computer accounts.

The default password policy for cloud users: 8-16 characters, must include 3 of 4: uppercase, lowercase, numbers, symbols. No password expiration by default.

Entra ID supports up to 500,000 objects in the free tier (users + groups + devices). P1/P2 have no hard limit.

Users can be created in the cloud (cloud-only) or synced from on-premises (synchronized).

Guest users (B2B collaboration) can be invited from any email address; they authenticate with their own identity provider.

The MS-900 exam often tests the difference between authentication (who you are) and authorization (what you can do).

Walk-Through

Step 1: User Initiates Sign-In

The user navigates to a Microsoft 365 app like portal.office.com. The browser is redirected to login.microsoftonline.com with a request containing the application ID, redirect URI, and response type (code or id_token). The user enters their UPN and password. The browser sends a POST request to the Entra ID authentication endpoint.

Step 2: Credential Validation

Entra ID receives the credentials. It first checks if the user exists in the directory and if the account is enabled (not blocked). Then it validates the password. If password hash sync is enabled, the password is checked against the hash stored in Entra ID. If pass-through authentication is used, the request is forwarded to an on-premises agent. If federation is configured, the user is redirected to the on-premises ADFS server.

Step 3: Conditional Access Evaluation

After successful authentication, Entra ID evaluates any Conditional Access policies that apply. It checks conditions such as user/group membership, location (IP range), device compliance (via Intune), application sensitivity, and sign-in risk (from Identity Protection). If a policy requires MFA, the user is prompted. If the device is not compliant, access may be blocked or limited.

Step 4: Token Issuance

Once authentication and any additional controls are satisfied, Entra ID generates tokens. It creates an ID token (containing user claims) and an access token (containing scopes for the requested app). Tokens are signed using the tenant's private key. The tokens are returned to the browser via a redirect to the app's reply URL. The app then validates the token signature using Entra ID's public keys.

Step 5: Resource Access

The app uses the access token to call Microsoft Graph or other APIs on behalf of the user. For example, to read the user's mailbox, the app presents the access token to the Exchange Online API. The API checks the token's audience, issuer, and scopes. If valid, the API returns the requested data. The token is typically cached by the app for its lifetime (default 1 hour for access tokens).

What This Looks Like on the Job

Enterprise Scenario 1: Hybrid Identity with Password Hash Sync

A large enterprise with 50,000 on-premises Active Directory users wants to move to Microsoft 365. They deploy Microsoft Entra Connect with password hash sync. User objects are synced every 30 minutes (default sync cycle). Passwords are hashed and synced to Entra ID. Users can now use the same password for on-premises and cloud resources. The IT team enables self-service password reset (SSPR) with write-back, so users can reset their own passwords from the cloud, and the change is written back to on-premises AD. Common misconfiguration: failing to sync the password hash properly due to firewall blocking port 443 to Azure. Solution: ensure outbound HTTPS is allowed to *.msappproxy.net.

Enterprise Scenario 2: Conditional Access for Remote Access

A company with 10,000 users wants to enforce MFA when users access corporate email from outside the office. They create a Conditional Access policy: target all users, target Exchange Online app, condition: location = any IP except corporate range, grant: require MFA. The policy is enabled. Users outside the office are prompted for MFA via Microsoft Authenticator app. Performance consideration: MFA prompts can cause user fatigue; they set the session token lifetime to 24 hours to reduce prompts. Common issue: users on VPN may appear as coming from corporate IP, bypassing MFA. Solution: use trusted IPs with Conditional Access or require MFA for all external access.
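The Conditional Access evaluation from Step 3 of the walk-through and the Scenario 2 policy, as an added Python model (not Microsoft's evaluation engine and not code from this page). The IP ranges, group names and app names are constructed; the model shows why a sign-in from the corporate range, including VPN egress, never reaches the MFA grant, and how a second policy's controls combine.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed values for the demo: 203.0.113.0/24 is a documentation range
# standing in for the company's corporate egress range (a named location).
CORPORATE_RANGES = ["203.0.113.0/24"]

@dataclass
class SignIn:                    # what Entra ID sees for one attempt (simplified)
    user: str
    groups: Set[str]
    app: str                     # e.g. "Exchange Online"
    ip: str
    device_compliant: bool = False

@dataclass
class Policy:                    # assignments plus a single grant control
    name: str
    state: str = "enabled"                                       # enabled | disabled
    include_users: Set[str] = field(default_factory=lambda: {"All"})
    exclude_groups: Set[str] = field(default_factory=set)
    include_apps: Set[str] = field(default_factory=lambda: {"All"})
    exclude_locations: List[str] = field(default_factory=list)   # CIDR ranges
    grant: str = "mfa"                                           # mfa | compliantDevice | block

def ip_in_ranges(ip: str, cidrs: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def policy_applies(p: Policy, s: SignIn) -> bool:
    """True when every assignment condition of the policy matches the sign-in."""
    if p.state != "enabled":
        return False
    if "All" not in p.include_users and s.user not in p.include_users:
        return False
    if s.groups & p.exclude_groups:
        return False
    if "All" not in p.include_apps and s.app not in p.include_apps:
        return False
    # Location exclusion: a source IP inside a trusted range skips the policy,
    # which is why VPN users egressing via the corporate range see no MFA prompt.
    if p.exclude_locations and ip_in_ranges(s.ip, p.exclude_locations):
        return False
    return True

def evaluate(policies: List[Policy], s: SignIn) -> Tuple[str, Set[str]]:
    """Any matching block policy wins; otherwise all matching grant controls accumulate."""
    required: Set[str] = set()
    for p in policies:
        if policy_applies(p, s):
            if p.grant == "block":
                return "block", set()
            required.add(p.grant)
    if "compliantDevice" in required and not s.device_compliant:
        return "block", required     # a non-compliant device cannot satisfy this control
    return "allow", required

# Scenario 2 as a policy: all users, Exchange Online, any location except the corporate
# range, require MFA. A constructed emergency-access group is excluded from it.
REMOTE_MAIL_MFA = Policy("Require MFA for external mail access",
                         exclude_groups={"EmergencyAccess"},
                         include_apps={"Exchange Online"},
                         exclude_locations=CORPORATE_RANGES)
```

Dropping exclude_locations (the page's "require MFA for all external access" fix) makes the policy apply to office and VPN sign-ins alike.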

Enterprise Scenario 3: B2B Collaboration with Guest Users

A software company partners with external vendors. They invite 500 guest users to their Entra ID tenant via B2B collaboration. Guests use their own work or social identities to sign in. The company grants access to a SharePoint site and a custom SaaS app. They set an expiration policy for guest accounts: 90 days. Problem: guests are not automatically removed; the expiration policy sends a reminder email. Misconfiguration: forgetting to enable MFA for guest users, leaving the tenant vulnerable. Solution: create a Conditional Access policy requiring MFA for all guest users.

How MS-900 Actually Tests This

What MS-900 Tests on This Topic

The MS-900 exam objective 3.3 covers "Describe identity and access management capabilities of Microsoft 365." This includes:

Understanding what Entra ID is and its role in Microsoft 365

Differentiating between authentication and authorization

Knowing the features of Entra ID Free vs. P1 vs. P2

Understanding Azure AD Connect and its synchronization options (password hash sync, pass-through authentication, federation)

Recognizing Conditional Access and MFA

Understanding Identity Protection and Privileged Identity Management (PIM)

Common Wrong Answers and Why

1. "Entra ID is the same as on-premises Active Directory." Wrong. Entra ID is cloud-based, uses REST APIs, and does not support Kerberos, LDAP, or Group Policy. Candidates confuse the name "Azure Active Directory" with the on-premises version.

2. "All Microsoft 365 subscriptions include Conditional Access." Wrong. Conditional Access requires Entra ID P1, which is included in Microsoft 365 E3 but not in Business Basic/Standard. Many candidates think all subs have it.

3. "Password expiration is required by Microsoft." Wrong. Microsoft removed the default password expiration policy in 2021. The exam tests that passwords can be set to never expire.

4. "Azure AD Connect can sync passwords in plain text." Wrong. Passwords are synced as a hash (salted, iterated). Candidates may think it's plain text for simplicity.

Specific Numbers and Values on the Exam

Session token lifetime: 8 hours (default for SharePoint Online)

Default password expiration: never (unless configured)

Guest invitation expiration: 30 days

MFA trusted device: 14 days

Entra ID Free object limit: 500,000

Azure AD Connect sync interval: 30 minutes (default)

Edge Cases and Exceptions

If a user is synced from on-premises, their password cannot be reset from the cloud unless password write-back is enabled.

B2B guest users do not consume a license for basic access to Microsoft 365 apps (but do for advanced features like MFA per-user).

Conditional Access policies apply to all apps unless excluded; an empty policy blocks all access.

How to Eliminate Wrong Answers

If the question asks about Kerberos or LDAP, it's not Entra ID.

If the question mentions Group Policy, it's on-premises AD.

If the question asks about cloud-only features like Identity Protection, look for P2 licensing.

If the question mentions syncing passwords, the answer is password hash sync (not plain text).

Key Takeaways

Entra ID is a cloud identity provider, not a directory service like on-premises AD.

Authentication verifies identity; authorization grants access.

Conditional Access requires Entra ID P1 (included in E3/E5).

Azure AD Connect syncs objects from on-premises AD to Entra ID.

Password hash sync is the most common synchronization method.

Default password expiration in Microsoft 365 is never.

Guest users (B2B) do not require a license for basic access.

MFA can be enforced via Conditional Access or per-user settings.

Identity Protection is an Entra ID P2 feature.

Session tokens default to 8 hours for SharePoint Online.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Entra ID Free

User and group management

Single sign-on to Microsoft cloud apps

Basic security and usage reports

Self-service password reset for cloud users only

Object limit of 500,000

Entra ID P1

All Free features

Conditional Access

Self-service password reset with write-back

Dynamic groups

Microsoft Identity Manager

Watch Out for These

Mistake: Microsoft Entra ID is just Active Directory in the cloud.

Correct: Entra ID is not Active Directory Domain Services. It does not support Kerberos, LDAP, or computer objects. It is a cloud identity platform using REST APIs and modern protocols like OAuth 2.0 and OpenID Connect.

Mistake: All Microsoft 365 plans include Conditional Access.

Correct: Conditional Access requires Entra ID P1, which is included in Microsoft 365 E3/E5 and Business Premium, but not in Business Basic or Standard.

Mistake: Microsoft requires password expiration every 90 days.

Correct: As of 2021, the default password policy in Entra ID sets passwords to never expire. Organizations can still enforce expiration if desired.

Mistake: Azure AD Connect syncs passwords in plain text.

Correct: Azure AD Connect syncs a password hash using a one-way salted hash. The original password is never transmitted or stored in Entra ID.

Mistake: Guest users need a license to access Microsoft 365 apps.

Correct: Guest users (B2B) can access Microsoft 365 apps without a license, but they are limited to basic features. To use advanced features like Conditional Access or MFA per-user, a license is needed.


Frequently Asked Questions

What is the difference between Entra ID and on-premises Active Directory?

Entra ID is a cloud-based identity and access management service that uses REST APIs and modern protocols like OAuth 2.0 and OpenID Connect. On-premises Active Directory (AD DS) is a directory service that uses Kerberos, LDAP, and DNS. Entra ID does not support computer objects, Group Policy, or Kerberos authentication. It is designed for internet-scale authentication and works with SaaS apps, whereas AD DS is designed for on-premises network environments.

Do I need a license for Conditional Access?

Yes, Conditional Access requires an Entra ID P1 license. This is included in Microsoft 365 E3, E5, and Business Premium subscriptions. Microsoft 365 Business Basic and Standard include only Entra ID Free, which does not have Conditional Access. Exam tip: if a question asks about enforcing MFA based on location, look for a subscription that includes P1.

How does Azure AD Connect sync passwords?

Azure AD Connect syncs password hashes using a one-way salted hash. The on-premises password hash is extracted, salted, and hashed again before being sent to Entra ID. The original password is never transmitted or stored in the cloud. This allows users to use the same password for on-premises and cloud resources without exposing the plaintext password.

What is the default session timeout for Microsoft 365?

The default session token lifetime for SharePoint Online is 8 hours. For Exchange Online, it's also 8 hours. This means users are prompted to sign in again after 8 hours of inactivity. However, administrators can configure session timeout policies using Conditional Access or SharePoint admin settings.

Can I reset a synced user's password from the cloud?

Only if password write-back is enabled. Password write-back is a feature of Azure AD Connect that allows password changes in the cloud to be written back to the on-premises Active Directory. Without it, synced user passwords must be reset on-premises. Cloud-only users can always reset their passwords via self-service password reset (SSPR).

What is the difference between authentication and authorization?

Authentication is the process of verifying who a user is (e.g., checking username and password). Authorization is the process of determining what resources a user can access (e.g., reading email or editing documents). In Entra ID, authentication happens via sign-in, and authorization is controlled by tokens with scopes and Conditional Access policies.

How do I invite external users to my tenant?

External users can be invited via B2B collaboration in the Entra admin center. Go to Users > New guest user. Enter the user's email address and a personal message. The user receives an invitation email with a link to accept. Once accepted, the user appears as a guest in your directory. Guest users authenticate with their own identity provider.

