Microsoft Entra ID (formerly Azure Active Directory, or Azure AD) is Microsoft’s cloud-based identity and access management service.
It provides various tools and services to manage users, devices, and applications, ensuring secure access to resources.
Entra ID helps organizations protect their identities, implement secure access policies, and streamline user and resource management.
Here’s an overview of the key Microsoft Entra ID concepts that are fundamental to understanding and using the service effectively:
1. Tenants
A tenant is the fundamental unit in Microsoft Entra ID.
It represents an organization’s dedicated instance of the service and is tied to a specific domain.
A tenant is essentially a container for all of an organization's identity and access management data, such as users, groups, devices, and applications.
Tenant ID
Each Entra ID tenant is assigned a globally unique identifier (GUID) known as the Tenant ID. It’s used to differentiate tenants across the service.
Directory
The directory within a tenant stores all the information about your organization’s identity resources.
Example
An organization like Contoso would have a tenant named "Contoso" with a unique Tenant ID. Within this tenant, all user accounts, groups, devices, and applications for Contoso are managed.
2. Users
User accounts represent individual identities in Microsoft Entra ID. They are associated with a person or service that requires access to organizational resources (like apps, cloud resources, or network systems). Each user typically has a username and password, along with attributes such as job title, department, and other information.
Cloud-only users
These are users that exist solely within the Entra ID service and are not linked to on-premises Active Directory.
Hybrid users
Users who are synchronized from an on-premises Active Directory (AD) to Entra ID using Azure AD Connect.
3. Groups
Groups are collections of users, devices, or other groups within Entra ID. They simplify management and enforce permissions, and are used for role assignments, access control, and resource management.
Security groups
These are used to manage user access to resources. For example, you can assign users to security groups to grant access to certain applications or services.
Office 365 Groups
These are collaborative groups used in Microsoft 365 (formerly Office 365) applications, such as Outlook, Teams, and SharePoint.
Dynamic groups
Groups where membership is automatically updated based on user attributes (e.g., users in the "HR" department).
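As an added illustration (not from the original article, and not Microsoft's rule engine), the following Python evaluates a rule written in the dynamic membership rule syntax, such as `user.department -eq "HR"`, against a user's attributes. It supports only the -eq, -ne, -and, -or and parenthesis subset of the syntax, and the attribute names and sample users are constructed.

```python
import re
from collections import deque

# Constructed evaluator for a subset of the Entra dynamic membership rule syntax
# (-eq, -ne, -and, -or, parentheses); not Microsoft's engine. As in the real
# syntax, -and binds tighter than -or, and a missing attribute reads as None.
_TOKEN = re.compile(r'\s*(\(|\)|-eq|-ne|-and|-or|"[^"]*"|[A-Za-z_][\w.]*)')

def tokenize(rule):
    if not re.fullmatch(rf"(?:{_TOKEN.pattern})*\s*", rule):
        raise ValueError(f"rule has unsupported syntax: {rule!r}")
    return _TOKEN.findall(rule)

def evaluate(rule, user):
    """Return True if the attribute dict `user` satisfies `rule`."""
    tokens = deque(tokenize(rule))
    peek = lambda: tokens[0] if tokens else None
    def value(tok):                      # string literal, boolean, or user.<attr>
        if tok.startswith('"'):
            return tok[1:-1]
        if tok in ("true", "false"):
            return tok == "true"
        if tok.startswith("user."):
            return user.get(tok[5:])
        raise ValueError(f"unknown operand {tok!r}")
    def comparison():                    # "(" expression ")" | operand op operand
        if peek() == "(":
            tokens.popleft(); result = expression(); tokens.popleft()
            return result
        left, op, right = value(tokens.popleft()), tokens.popleft(), value(tokens.popleft())
        if op not in ("-eq", "-ne"):
            raise ValueError(f"unsupported operator {op!r}")
        return (left == right) if op == "-eq" else (left != right)
    def conjunction():                   # comparison (-and comparison)*
        result = comparison()
        while peek() == "-and":
            tokens.popleft(); result = comparison() and result
        return result
    def expression():                    # conjunction (-or conjunction)*
        result = conjunction()
        while peek() == "-or":
            tokens.popleft(); result = conjunction() or result
        return result
    return expression()

HR_RULE = '(user.department -eq "HR") -and (user.accountEnabled -eq true)'

def members(rule, users):                # the dynamic group: every user matching the rule
    return [u["userPrincipalName"] for u in users if evaluate(rule, u)]
```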
4. Roles and Role-Based Access Control (RBAC)
Roles in Entra ID are used to define the permissions a user, group, or service principal has within the tenant. Roles grant administrative or operational access to different features of Entra ID or Azure resources.
Built-in roles
These are predefined roles provided by Microsoft, such as Global Administrator, User Administrator, Security Administrator, Helpdesk Administrator, etc.
Custom roles
You can create custom roles to fine-tune access control according to your organization's needs.
RBAC (Role-Based Access Control)
It enables organizations to manage permissions more effectively by granting access rights based on roles, rather than assigning permissions to each individual.
5. Applications and Service Principals
Applications in Microsoft Entra ID refer to web or mobile apps that use Entra ID for authentication and authorization.
Enterprise applications
These are apps integrated into your organization’s Entra ID for single sign-on (SSO) or other identity-related features.
Service principals
A service principal is the identity created for an application when it needs to authenticate and access resources on behalf of the application (for instance, when an app interacts with other apps or services).
App Registrations
This is how you register an app in Entra ID to allow authentication and interaction with resources.
6. Conditional Access
Conditional Access is a policy-based approach to controlling access to resources. It defines the conditions under which users or devices can access specific apps, data, or services.
Conditions
You can set conditions such as user location, device compliance, risk level, or authentication strength.
Actions
If the conditions are met, actions such as granting access, requiring multi-factor authentication (MFA), or blocking access can be enforced.
Zero Trust
Conditional Access is a key component in implementing a Zero Trust security model, where access is granted based on specific, verified factors rather than by implicitly trusting a user’s location or device.
7. Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is a security feature in Entra ID that requires users to provide additional forms of verification (beyond just a password) to access resources.
Factors can include
Something you know
Password or PIN.
Something you have
A phone, hardware token, or a smart card.
Something you are
Biometric data like fingerprints or facial recognition.
MFA is an essential part of securing identity, particularly for sensitive applications or users with administrative roles.
8. Self-Service Capabilities
Self-Service Password Reset (SSPR)
This allows users to reset their passwords without IT intervention. It helps reduce administrative overhead and improves user experience.
Self-Service Group Management
Users can request to join or leave groups (such as distribution groups or security groups), subject to approval from an administrator.
9. Identity Protection
Microsoft Entra ID Identity Protection helps organizations identify, detect, and respond to potential identity-based risks and vulnerabilities in real time.
Risky Sign-ins
It detects anomalous sign-ins that might be due to credential stuffing, location-based anomalies, or device risks.
Risky Users
It monitors the behavior of users and flags accounts that exhibit risky behaviors (e.g., compromised passwords, unusual login patterns).
Risk-based Conditional Access
When risky behavior is detected, Conditional Access policies can automatically block or require additional verification steps.
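The following Python is an added example (not part of the original article, and not Microsoft's evaluation engine) modelling how Conditional Access combines the conditions from section 6, including the risk-based policy described here, into one decision for a sign-in. The policy names, the named location "Trusted-HQ", the app "Finance App" and the group name are made up, and the Identity Protection sign-in risk level is assumed to arrive with the sign-in.

```python
from dataclasses import dataclass

# Constructed model of how Conditional Access combines policies for one sign-in;
# added as an illustration, not Microsoft's engine. Two real semantics are kept:
# every policy whose conditions match applies, and a block control wins over
# every grant control. Location, app and group names are made up.
@dataclass
class SignIn:
    user: str
    groups: frozenset
    app: str
    location: str          # named location the client IP resolved to
    device_compliant: bool
    risk: str              # Identity Protection sign-in risk: none/low/medium/high

@dataclass
class Policy:
    name: str
    groups: frozenset = frozenset()             # empty = all users
    apps: frozenset = frozenset()               # empty = all cloud apps
    excluded_locations: frozenset = frozenset()
    risk_levels: frozenset = frozenset()        # empty = any risk level
    grant: str = "grant"   # grant | mfa | compliant_device | block

    def applies(self, s):
        if self.groups and not (s.groups & self.groups):
            return False
        if self.apps and s.app not in self.apps:
            return False
        if s.location in self.excluded_locations:
            return False
        return not self.risk_levels or s.risk in self.risk_levels

def evaluate(policies, s):
    """Return (decision, controls): 'block' or 'grant', plus the controls the user must satisfy."""
    matched = [p for p in policies if p.applies(s)]
    controls = {p.grant for p in matched if p.grant != "grant"}
    if "block" in controls:
        return "block", sorted(controls)
    if "compliant_device" in controls and not s.device_compliant:
        return "block", sorted(controls)        # this device cannot satisfy the control
    return "grant", sorted(controls)

POLICIES = [
    Policy("Require MFA outside trusted locations", excluded_locations=frozenset({"Trusted-HQ"}), grant="mfa"),
    Policy("Admins always MFA", groups=frozenset({"Tier0-Admins"}), grant="mfa"),
    Policy("Block high-risk sign-ins", risk_levels=frozenset({"high"}), grant="block"),
    Policy("Finance App needs compliant device", apps=frozenset({"Finance App"}), grant="compliant_device"),
]
```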
10. Devices
Devices can be registered and managed in Microsoft Entra ID. This allows device-based policies to be enforced, so that access can be controlled based on device health, compliance, and security posture.
Azure AD Join
A device is joined directly to Entra ID instead of an on-premises Active Directory, typically for corporate-owned devices.
Hybrid Azure AD Join
Devices are joined to both an on-premises Active Directory and Entra ID, typically for organizations using a hybrid infrastructure.
Device Registration
This feature allows personal or corporate devices to be registered for access to resources in Entra ID.
11. B2B and B2C Collaboration
Business-to-Business (B2B)
Entra ID allows organizations to collaborate securely with external partners, contractors, or vendors by adding their external identities (via Azure AD B2B). External users can use their existing credentials to access your applications or resources.
External users may be granted access to specific apps, share documents, or collaborate within an organization’s environment without having to create new accounts.
Business-to-Consumer (B2C)
Entra ID B2C is designed to enable organizations to build identity management solutions for external customers. This service allows businesses to integrate authentication with social identities like Facebook, Google, or local accounts for consumers who access their web or mobile apps.
12. Synchronization with On-Premises Active Directory
Azure AD Connect is the tool used to synchronize on-premises Active Directory (AD) with Microsoft Entra ID.
It enables hybrid environments where users can access cloud resources while maintaining their on-premises Active Directory credentials.
Password Hash Synchronization (PHS)
The user’s password hash from on-premises AD is synchronized to Entra ID for cloud authentication.
Pass-through Authentication (PTA)
Users authenticate directly against the on-premises Active Directory, which validates their credentials.
Federation
You can use Active Directory Federation Services (AD FS) for federated authentication between on-premises AD and Entra ID.
13. Security and Governance
Azure AD Privileged Identity Management (PIM)
Helps manage and monitor privileged roles in Entra ID, ensuring that only authorized individuals can access sensitive resources or perform high-impact administrative actions. PIM enables just-in-time (JIT) role assignments, approval workflows, and auditing.
Access Reviews
An access review process can be implemented to periodically assess whether users or groups still require access to certain resources.
Audit Logs and Reporting
Entra ID maintains detailed logs for activities such as user sign-ins, role assignments, group changes, and administrative actions. These logs are essential for security audits and compliance.
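As an added example (not from the original article), this Python runs three simple detections over constructed sign-in records shaped like the Microsoft Graph signIn resource: a single source IP failing against many accounts, accounts that then signed in successfully from that source, and a first successful sign-in from a new country. The records, thresholds and IP addresses are made up for illustration.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real log data), modelled on fields of the
# Microsoft Graph signIn resource: userPrincipalName, ipAddress, status.errorCode,
# location.countryOrRegion. errorCode 0 is success; 50126 is invalid credentials.
def rec(upn, ip, country, error_code):
    return {"userPrincipalName": upn, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": error_code}}

SAMPLE_SIGNINS = [                                           # assumed chronological
    rec("alice@contoso.com", "198.51.100.7", "NL", 0),        # normal office sign-in
    rec("alice@contoso.com", "203.0.113.42", "US", 50126),    # one IP trying many accounts...
    rec("bob@contoso.com", "203.0.113.42", "US", 50126),
    rec("carol@contoso.com", "203.0.113.42", "US", 50126),
    rec("dave@contoso.com", "203.0.113.42", "US", 0),         # ...and finally succeeding
    rec("bob@contoso.com", "198.51.100.7", "NL", 50126),      # a lone typo, not a spray
    rec("bob@contoso.com", "198.51.100.7", "NL", 0),
    rec("alice@contoso.com", "192.0.2.99", "BR", 0),          # alice never signed in from BR before
]

def spray_sources(records, min_accounts=3):
    """IPs whose failed sign-ins span >= min_accounts distinct accounts (password-spray pattern)."""
    failed = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] != 0:
            failed[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= min_accounts}

def accounts_to_review(records, min_accounts=3):
    """Accounts that signed in successfully from a spraying IP: treat them as risky users."""
    sources = spray_sources(records, min_accounts)
    return sorted({r["userPrincipalName"] for r in records
                   if r["status"]["errorCode"] == 0 and r["ipAddress"] in sources})

def new_country_sign_ins(records):
    """Successful sign-ins from a country the account has never succeeded from (location anomaly)."""
    seen = defaultdict(set)
    flagged = []
    for r in records:
        if r["status"]["errorCode"] != 0:
            continue
        upn, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        if seen[upn] and country not in seen[upn]:
            flagged.append((upn, country))
        seen[upn].add(country)
    return flagged
```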
14. Authentication Methods
Password-based authentication
The traditional way users authenticate by entering a password.
Passwordless authentication
More secure and user-friendly methods that eliminate passwords altogether.
This can include methods like Windows Hello for Business, FIDO2 security keys, and Microsoft Authenticator app.
Single Sign-On (SSO)
A feature that allows users to authenticate once and gain access to multiple applications without needing to log in separately for each one.
Conclusion
Microsoft Entra ID (Azure AD) offers a comprehensive set of identity and access management features to help organizations secure their applications, services, and resources.
Understanding the core concepts such as users, groups, roles, conditional access, MFA, and B2B/B2C collaboration is essential for managing identities effectively.
Whether you're dealing with cloud-only environments, hybrid infrastructures, or multi-cloud deployments, Microsoft Entra ID provides the tools needed to manage, secure, and monitor user access.