Introduction to Microsoft Entra ID
Microsoft Entra ID (formerly Azure Active Directory, or Azure AD) is Microsoft's cloud-based identity and access management service. It is the backbone of authentication and authorisation across the Azure ecosystem and integrates with thousands of SaaS applications, on-premises resources, and custom-built solutions.
What Is Identity and Access Management?
Identity and Access Management (IAM) is the discipline of ensuring that the right people and services have the right level of access to the right resources at the right time. IAM covers:
- Authentication — proving who you are (e.g., username and password, biometrics, security keys)
- Authorisation — determining what you are allowed to do once authenticated
- Governance — reviewing, auditing, and managing access over time
Without a robust IAM strategy, organisations face data breaches, compliance violations, and operational chaos.
From Azure AD to Microsoft Entra ID
In July 2023, Microsoft rebranded Azure Active Directory to Microsoft Entra ID as part of the broader Microsoft Entra product family. The service itself remains functionally the same, but the new name reflects its expanded scope beyond Azure.
Key points about the rebrand:
- Entra ID replaces Azure AD in all documentation and portal experiences
- Existing APIs, PowerShell modules, and endpoints continue to work
- Licence tiers were renamed: Azure AD Free became Microsoft Entra ID Free, Azure AD P1 became Microsoft Entra ID P1, and so on
- The Microsoft Entra family also includes Entra Permissions Management, Entra Verified ID, and Entra Internet Access
Throughout this course, we will use the name Microsoft Entra ID, but you will encounter "Azure AD" in older documentation, scripts, and community resources.
Core Components of Entra ID
Tenant
A tenant is a dedicated instance of Entra ID that an organisation receives when it signs up for a Microsoft cloud service (Azure, Microsoft 365, Dynamics 365). Each tenant has a unique ID and a default domain (e.g., contoso.onmicrosoft.com).
Directory
The directory is the database within the tenant that stores identity objects — users, groups, applications, service principals, and devices.
Identity Objects
| Object | Description |
|---|---|
| User | A person who authenticates to access resources |
| Group | A collection of users, devices, or service principals |
| Application | A registered application that can request tokens |
| Service Principal | The local representation of an application within a tenant |
| Device | A registered or joined device (PC, phone, IoT) |
How Authentication Works
When a user signs in to an Azure resource or a connected application, the following flow occurs:
- The user navigates to the application or the Azure portal
- The application redirects the user to the Microsoft identity platform endpoint
- The user provides credentials (password, MFA, certificate, etc.)
- Entra ID validates the credentials against the directory
- If successful, Entra ID issues tokens (ID token, access token, refresh token)
- The application uses the access token to authorise requests
This flow uses industry-standard protocols:
- OAuth 2.0 — for authorisation (access tokens)
- OpenID Connect (OIDC) — for authentication (ID tokens), built on top of OAuth 2.0
- SAML 2.0 — for federated single sign-on with enterprise applications
Entra ID Editions
Microsoft Entra ID is available in several editions:
| Edition | Key Features |
|---|---|
| Free | User and group management, basic SSO, self-service password change, Entra Connect sync |
| P1 | Conditional Access, dynamic groups, self-service password reset, on-premises write-back |
| P2 | Identity Protection (risk-based policies), Privileged Identity Management (PIM), access reviews |
| Governance | Entitlement management, lifecycle workflows, advanced access reviews |
Most organisations require at least P1 for Conditional Access policies. P2 is essential for organisations with strict governance and zero-trust requirements.
Entra ID vs On-Premises Active Directory
It is important to distinguish between Entra ID and traditional Windows Server Active Directory Domain Services (AD DS):
| Aspect | Entra ID | AD DS |
|---|---|---|
| Protocol | OAuth 2.0, OIDC, SAML | Kerberos, LDAP, NTLM |
| Structure | Flat (no OUs or GPOs) | Hierarchical (OUs, forests, domains) |
| Management | Azure portal, Graph API | Server Manager, Group Policy |
| Scope | Cloud-first, internet-facing | On-premises, LAN-focused |
| Join type | Entra join, Entra hybrid join | Domain join |
Entra ID is not a direct replacement for AD DS. Many organisations run both and synchronise identities using Microsoft Entra Connect (formerly Azure AD Connect).
The Microsoft Identity Platform
The Microsoft identity platform is the developer-facing side of Entra ID. It provides:
- Token endpoints for OAuth 2.0 and OIDC
- The Microsoft Authentication Library (MSAL) for .NET, JavaScript, Python, Java, and more
- The Microsoft Graph API — a unified endpoint for accessing identity data, mail, calendar, files, and other Microsoft 365 resources
Developers register their applications in Entra ID and use MSAL to acquire tokens that grant access to protected APIs.
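The sign-in flow and the token endpoints described above can be made concrete from the relying party's side. The following Python script is an added example written for this lesson, not code from the course or from Microsoft: it builds the redirect to the Microsoft identity platform v2.0 authorize endpoint (with state, nonce and a PKCE challenge) and then performs the claim checks an application must do on the ID token it gets back (issuer, audience, tenant, nonce, validity window). The tenant ID, client ID, redirect URI and the sample token are all constructed placeholders. Signature verification against the tenant's published signing keys is a network step and is deliberately left out so the example runs offline; it is not optional in production.

```python
"""Added example (not from the course): OIDC authorization-code sign-in
against the Microsoft identity platform v2.0 endpoints, from the relying
party's side. All IDs and the sample token below are constructed."""
import base64
import hashlib
import json
import secrets
import time
import urllib.parse

# Constructed placeholders; substitute your own tenant and app registration values.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
REDIRECT_URI = "https://app.example.com/auth/callback"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorize_request(scopes=("openid", "profile", "User.Read")):
    """The redirect to the identity platform endpoint. The returned session
    values (state, nonce, PKCE verifier) must be kept server-side and
    checked when the user comes back to REDIRECT_URI."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    challenge = b64url_encode(hashlib.sha256(verifier.encode()).digest())
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    url = f"{AUTHORITY}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)
    return url, {"state": state, "nonce": nonce, "code_verifier": verifier}


def decode_jwt_claims(token: str) -> dict:
    """Split header.payload.signature and decode the payload only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def validate_id_token_claims(token: str, expected_nonce: str, now=None) -> list:
    """Claim checks on the ID token issued after a successful sign-in.
    Returns a list of problems; an empty list means the claims are acceptable.
    NOTE: the RS256 signature must also be verified against the keys at
    {AUTHORITY}/discovery/v2.0/keys; that network step is omitted here."""
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("iss") != f"{AUTHORITY}/v2.0":
        problems.append("iss: token was not issued by our tenant's v2.0 endpoint")
    if claims.get("aud") != CLIENT_ID:
        problems.append("aud: token was minted for a different application")
    if claims.get("tid") != TENANT_ID:
        problems.append("tid: token comes from a foreign tenant")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce: does not match the sign-in request (possible replay)")
    if claims.get("exp", 0) <= now:
        problems.append("exp: token has expired")
    if claims.get("nbf", 0) > now + 300:  # 5 min clock-skew allowance
        problems.append("nbf: token is not yet valid")
    return problems


def make_sample_id_token(**overrides) -> str:
    """Builds a constructed, unsigned token with the claims Entra ID would put
    in an ID token, purely so the validator can be exercised offline."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    payload = {
        "iss": f"{AUTHORITY}/v2.0",
        "aud": CLIENT_ID,
        "tid": TENANT_ID,
        "oid": "constructed-object-id",
        "preferred_username": "alice@contoso.onmicrosoft.com",
        "nonce": "nonce-123",
        "iat": 1_700_000_000, "nbf": 1_700_000_000, "exp": 1_700_003_600,
    }
    payload.update(overrides)
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"signature-not-checked-in-this-demo")])


if __name__ == "__main__":
    url, session = build_authorize_request()
    print(url)
    good = make_sample_id_token()
    print(validate_id_token_claims(good, "nonce-123", now=1_700_000_100))
    foreign = make_sample_id_token(tid="99999999-0000-0000-0000-000000000000", exp=1_600_000_000)
    print(validate_id_token_claims(foreign, "nonce-123", now=1_700_000_100))
```

The `tid` and `aud` checks are the ones most often skipped in hand-rolled validators: an ID token from any Entra tenant is signed by the same Microsoft keys, so signature validity alone does not prove the token is for your tenant or your application. MSAL performs these checks for you, which is the main reason the lesson recommends it over raw endpoint calls.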
Summary
Microsoft Entra ID is the foundational identity service in Azure. It manages users, groups, applications, and devices, and it provides authentication and authorisation using modern protocols. Understanding Entra ID is essential for securing any Azure environment. In the next lesson, we will explore users, groups, and tenants in greater detail.