100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Azure

Azure Active Directory (Entra ID)

Microsoft's cloud-based identity and access management service, renamed Microsoft Entra ID, covering tenants, users, groups, app registrations, and conditional access.

Databases & IdentityBeginner9 min readJul 10, 2026
Analogies

What Is Microsoft Entra ID?

Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management service that authenticates users and authorizes access to Azure resources, Microsoft 365, and thousands of third-party SaaS applications, acting as the central identity provider for an organization's tenant rather than a traditional on-premises directory server.

🏏

Cricket analogy: It's like the ICC's central player registration and accreditation system that every league (IPL, BBL, The Hundred) trusts, so a player accredited once doesn't need separate identity checks at every ground they play at.

Tenants, Users, and Groups

An Entra ID tenant is a dedicated, isolated instance of the directory representing an organization, containing users (which can be cloud-only, synced from on-premises Active Directory via Entra Connect, or external guest users invited via B2B collaboration) and groups (security groups for access control or Microsoft 365 groups for collaboration), which together form the foundation for assigning permissions consistently at scale.

🏏

Cricket analogy: A tenant is like a national cricket board's player database (say, Cricket Australia's), containing contracted domestic players, state-team members synced from grade cricket records, and guest overseas players invited for a single Big Bash season.

App Registrations and Service Principals

An app registration defines an application's identity within a tenant — including its redirect URIs, API permissions, and credentials — while the service principal is the local representation of that app in a specific tenant that Entra ID actually uses to enforce permissions when the application authenticates and requests tokens.

🏏

Cricket analogy: An app registration is like an IPL franchise's official team charter filed with the BCCI describing its rules and roster limits, while the service principal is the actual squad fielded on a given match day that umpires check against those rules.

bash
# Register an app and create a service principal via Azure CLI
az ad app create --display-name "inventory-api" \
  --sign-in-audience AzureADMyOrg

az ad sp create --id <appId>

# Grant the app's service principal Reader role on a resource group
az role assignment create \
  --assignee <appId> \
  --role "Reader" \
  --scope /subscriptions/<sub-id>/resourceGroups/myRG

Entra ID Connect (formerly Azure AD Connect) synchronizes on-premises Active Directory identities to Entra ID, enabling hybrid identity where users authenticate with the same credentials whether accessing on-premises resources or cloud apps like Microsoft 365.

Conditional Access and MFA

Conditional Access policies enforce if-then access controls — for example, requiring multi-factor authentication (MFA) when a sign-in comes from an unfamiliar location, blocking legacy authentication protocols entirely, or requiring a compliant, managed device before granting access to sensitive applications — evaluated in real time during sign-in based on signals like user, location, device, and application risk.

🏏

Cricket analogy: This is like a stadium requiring extra ID verification only when a ticket is scanned from an unusual gate or an unfamiliar device, while season-ticket holders entering through their usual gate with their usual pass sail through with minimal friction.

Legacy authentication protocols (like POP, IMAP, and older Office clients using basic auth) cannot enforce Conditional Access or MFA — attackers frequently target them for password-spray attacks, so Microsoft has been disabling basic auth by default and organizations should explicitly block legacy authentication via Conditional Access.

  • Entra ID (formerly Azure AD) is the cloud identity provider for Azure, Microsoft 365, and SaaS apps.
  • A tenant is an isolated directory instance representing one organization.
  • Users can be cloud-only, synced via Entra Connect, or invited guests via B2B collaboration.
  • App registrations define an app's identity; service principals enforce its permissions per tenant.
  • Entra ID Connect enables hybrid identity between on-premises AD and the cloud.
  • Conditional Access enforces real-time, risk-based if-then access policies.
  • Legacy authentication protocols bypass MFA/Conditional Access and should be blocked.

Practice what you learned

Was this page helpful?

Topics covered

#Azure#AzureFundamentalsStudyNotes#CloudComputing#AzureActiveDirectoryEntraID#Active#Directory#Entra#Microsoft#StudyNotes#SkillVeris