
Module 2: Entra ID Essentials


Entra ID Overview


  • Entities -> Objects -> Resources
  • Authentication, Authorization, Identity Protection, Identity Governance, Access Management, Privileged Identity Management (PIM), Conditional Access
  • Identity Secure Score, Access Reviews, Entitlement Management, Terms of Use, device management, federation, and resource access

Microsoft Entra ID is Microsoft's cloud identity and access management service. It handles authentication and authorization for Azure, Microsoft 365, SaaS applications, and custom line-of-business apps.

Core capabilities:

  • Users, groups, devices, applications, and service principals are the main directory objects.
  • Single sign-on (SSO) lets users access multiple cloud apps with one identity.
  • Conditional Access evaluates signals such as user, location, device state, and risk before granting access.
  • Identity Protection detects risky users and risky sign-ins and can trigger automated remediation.
  • PIM provides just-in-time elevation and approval workflows for privileged roles.
  • Identity Governance adds access reviews, entitlement management, and lifecycle controls.

Important note:

  • Use Entra ID terminology instead of Azure AD. Azure AD was renamed to Microsoft Entra ID.
  • Entra ID is not the same as Active Directory Domain Services (AD DS). Entra ID is cloud-first and does not use OUs, GPOs, or traditional LDAP/Kerberos management.
  • A tenant gets a default domain such as something.onmicrosoft.com, and you can add custom domains.
  • A subscription trusts one Entra ID tenant at a time, but one tenant can be associated with many subscriptions.

Key features:

  • PIM is an identity access management service that enables you to manage, control, and monitor access to important resources in your organization. These resources include Entra ID, Azure, Microsoft 365, and other Microsoft online services.
  • Conditional Access is used to enforce access controls on users and devices based on conditions. It brings signals together to make decisions and enforce organizational policies.
  • Identity Protection helps identify vulnerabilities affecting identities, configure automated responses to suspicious activity, and investigate incidents.
  • Other service features include Identity Secure Score, Identity Governance, Access Reviews, Entitlement Management, Terms of Use, device management, federation, and resource access.

Comparison to AD DS:

  • Entra ID is primarily for identity in cloud and internet-facing apps.
  • AD DS is a traditional directory service for domain-joined infrastructure.
  • Entra ID uses modern protocols such as SAML, OpenID Connect, and OAuth.
  • AD DS relies heavily on Kerberos, LDAP, GPOs, and domain trusts.

Tips:

  • Remember the flat object model: no OUs and no GPOs in Entra ID.
  • Device objects in Entra ID are not the same as computer accounts in AD DS.
  • Service principals represent the identity of an application in a tenant.

Licensing:

  • Free
  • Premium P1
  • Premium P2
  • Other Microsoft 365 licenses include Entra ID features.

Licensing examples:

  • Free includes core directory services, user and group management, and basic authentication features.
  • P1 adds features such as Conditional Access and advanced self-service capabilities.
  • P2 adds Identity Protection, PIM, and deeper governance controls.

Demo: Exploring your own Entra ID Tenant


  • Sign in to the Azure portal and navigate to Microsoft Entra ID.
  • Explore sections such as Users, Groups, Enterprise applications, App registrations, Devices, and Roles and administrators.
  • Review the properties of your tenant, including the tenant ID and domain name.
  • Check Identity, Protection, and Monitoring areas to see where security and sign-in data are surfaced.
  • Open Users and review authentication methods, assigned roles, group memberships, and sign-in logs for a sample account.
  • Open Enterprise applications and App registrations to understand the difference between application objects and service principals.
  • Review available licenses and note which features require P1 or P2.
  • Entra ID is in the entra.microsoft.com portal, but you can also manage it through the Azure portal and Microsoft 365 admin center.
  • admin.microsoft.com also exists, but it is more focused on Microsoft 365 services and may not have the full set of Entra ID features.

Free Azure Subscription


MS shuts everything down when you hit your spending limit, so you can use the free subscription for learning without worrying about costs. You get $200 in credits for 30 days, and after that, you can continue using free services with no cost.

If you convert to a pay-as-you-go subscription, you will still have credits, but once those are gone, you will be charged for any resources you create that are not free. However, you can set up spending limits and alerts to avoid unexpected charges.

I have my own tenant and subscription for the purposes of learning and testing. You can create a new tenant if you want to keep things separate, but it's not necessary. Just be mindful of what resources you create and delete them when you're done to avoid any potential costs.

Demo: Create and manage Entra ID tenants


  1. Sign in to the Azure portal and navigate to Microsoft Entra ID.
  2. Click on "Create a tenant" to start the process of creating a new Entra ID tenant.
  3. Choose the appropriate tenant type and provide the required information such as organization name, initial domain name, and country or region.
  4. Review the settings and click "Create" to create the tenant.
  5. Once the tenant is created, you can switch between tenants by clicking on your account in the top right corner and selecting "Switch directory." Note: You are limited to one tenant unless you have a P1 or P2 license, which allows you to create multiple tenants for testing and development purposes.
  6. Explore the new tenant and compare it to your original tenant to see the differences in settings and configurations.
  7. You can also delete the tenant if you no longer need it by going to the tenant settings and selecting "Delete tenant." Be cautious when deleting a tenant, as this action is irreversible and will remove all resources and data associated with that tenant.

Note: when you create a tenant, your name.onmicrosoft.com domain is automatically created and cannot be changed. You can add custom domains later if needed. You also set the region for the tenant, but this is mostly for data residency and does not affect where your resources are deployed.

Another note: When you create a tenant, you are automatically assigned the Global Administrator role for that tenant. This role has full access to all features and settings in the tenant, so be sure to manage it carefully and consider using PIM to assign it on a just-in-time basis for better security. Your account will then be added to the additional tenants as a global administrator as well, so you can manage all your tenants from a single account.

Demo: Create and manage Azure Subscriptions


  1. Sign in to the Azure portal and navigate to "Subscriptions."
  2. Click on "Add" to create a new subscription.
  3. Choose the subscription offer (e.g., Pay-As-You-Go, Free Trial) and provide the required information such as subscription name, billing account, and payment method.
  4. Review the settings and click "Create" to create the subscription.
  5. Once the subscription is created, you can manage it by going to the "Subscriptions" blade and selecting the subscription you want to work with.
  6. You can also switch between subscriptions by clicking on your account in the top right corner and selecting "Switch directory" to switch to the tenant associated with the subscription.
  7. To delete a subscription, you will need to cancel it through the billing portal. Go to the "Subscriptions" blade, select the subscription you want to cancel, and click on "Cancel subscription." Follow the prompts to complete the cancellation process. Note that canceling a subscription will stop all resources and services associated with that subscription, so be sure to back up any important data before canceling.

Note: You will be creating a "billing profile" when you create a subscription, which is used for billing and payment purposes. You can have multiple subscriptions under the same billing profile, but remember, each subscription can only be associated with one tenant.

Clicking on a subscription will show you details such as the subscription ID, tenant ID, billing information, and resource usage. You can also manage access to the subscription by assigning roles to users or groups in the associated tenant. Notice that your subscription is associated with ONE tenant.

You don't need to change directories to select resources in a subscription. It is very rare to change your subscription's associated tenant, and doing so can cause issues with resource access and management. Instead, you can manage resources across multiple tenants by using Azure Lighthouse or by assigning appropriate roles to users in each tenant.

Demo: Configure Domain for Entra ID


  1. Sign in to the Azure portal and navigate to Microsoft Entra ID.
  2. Click on "Custom domain names" in the left-hand menu.
  3. Click on "Add custom domain" to add a new domain to your tenant.
  4. Enter the custom domain name you want to add (e.g., dupossite.com) and click "Add domain."
  5. After adding the domain, you will need to verify ownership of the domain. This typically involves adding a TXT record to your domain's DNS settings with the provided verification value.
  6. Once you have added the TXT record, return to the Azure portal and click on "Verify" to complete the domain verification process.
  7. After the domain is verified, you can set it as the primary domain if desired by selecting the domain and clicking on "Make primary." This will change the default domain for new users and groups created in the tenant to the custom domain instead of the onmicrosoft.com domain.
  8. For a final test step, create a new user and verify that the new primary domain is being used for the user's UPN (User Principal Name) and email address.

Note: From admin.microsoft.com, you can add another domain to your existing domain, but you cannot change the existing domain. You can only add a new domain and make it primary, but the original onmicrosoft.com domain will still exist and cannot be removed.

Entra ID User Identities


Users are the most common type of identity in Entra ID. They represent individual people who need access to resources. Users have properties such as username, email, password, and assigned roles. They can be members of groups and can be assigned permissions to access resources. Users can be created directly in Entra ID or synchronized from an on-premises Active Directory by using Microsoft Entra Connect Sync. They can also be created through self-service sign-up or by external identity providers through federation.

Common user identity types:

  • Member users are internal users in your tenant and are the default identity type for employees.
  • Guest users are typically external users invited through Microsoft Entra B2B collaboration to access selected apps, groups, or resources.
  • Cloud-only users are created and managed directly in Entra ID.
  • Synchronized Identities are synchronized from on-premises Active Directory into Entra ID.

Important identity concepts:

  • The user principal name (UPN) is the sign-in name for the account.
  • Authentication methods can include password, MFA, FIDO2 security keys, Microsoft Authenticator, SMS, and Temporary Access Pass.
  • Users can be assigned Entra roles for directory administration and Azure RBAC roles for Azure resource access.
  • Group-based licensing can simplify license assignment for large environments.

Administrative notes:

  • Deleted users are soft-deleted for a limited time and can usually be restored.
  • Administrative units can be used to delegate management over subsets of users and groups.
  • Dynamic groups can automatically include users based on attributes, which is useful for licensing and policy targeting.

Demo: Create and manage users in Entra ID


  1. Sign in to the Azure portal and navigate to Microsoft Entra ID.
  2. Click on "Users" in the left-hand menu.
  3. Click on "New user" to create a new user account.
  4. Choose "Create user" to create a cloud-only user or "Invite user" to invite a guest user from another organization.
  5. For a cloud-only user, fill in the required information such as name, username (UPN), and password. You can also set additional properties such as job title, department, and location if desired.
  6. For a guest user, enter the email address of the user you want to invite and customize the invitation message if needed.
  7. After creating the user, you can manage their properties, group memberships, assigned roles, and authentication methods by clicking on the user's name in the user list.
  8. You can also reset the user's password, enable or disable MFA, and review their sign-in activity from the user's profile page.
  9. To delete a user, select the user from the list and click on "Delete." Remember that deleted users are soft-deleted and can be restored within a certain period.

Demo: Bulk Create Users in Entra ID


  1. Sign in to the Azure portal and navigate to Microsoft Entra ID.
  2. Click on "Users" in the left-hand menu.
  3. Click on "Bulk create" at the top of the user list.
  4. Download the CSV template provided on the bulk create page.
  5. Open the CSV template in Excel or a text editor and fill in the required information for each user you want to create. The required fields typically include Display Name, User Principal Name (UPN), and Password. You can also include additional fields such as Job Title, Department, and Location if desired.
  6. Save the CSV file after filling in the user information.
  7. Return to the Azure portal and click on "Upload" to upload your completed CSV file.
  8. After uploading, the portal will validate the CSV file and show you a summary of the users that will be created. Review the summary to ensure that all user information is correct.
  9. Click on "Submit" to start the bulk user creation process. The portal will create the users based on the information provided in the CSV file.
  10. Once the process is complete, you can review the newly created users in the user list and manage their properties, group memberships, and assigned roles as needed.

Note: This will do some input validation in case you missed required fields or made formatting errors in the CSV. If there are issues, it will provide feedback on what needs to be corrected before you can successfully create the users.
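The portal validates the CSV only at upload time. As an added example (not from the course or from Microsoft), the checker below runs the same kinds of checks offline before you upload: required fields present, UPN in user@domain form with a domain the tenant has verified, no duplicate UPNs, and a minimum password length. The column names, the verified-domain list and the sample rows are constructed assumptions; the real template's exact headers may differ.

```python
import csv
import io
import re

# Constructed sample CSV. Column names follow the fields the notes list as required
# (Display Name, UPN, Password) plus two optional ones; this is an assumption, not
# the portal's exact template.
SAMPLE_CSV = """Display Name,User Principal Name,Password,Job Title,Department
Alice Example,alice@dupossite.com,Str0ng!Passw0rd#2024,Analyst,HR
Bob Example,bob@contoso.com,Str0ng!Passw0rd#2024,Engineer,IT
,carol@dupossite.com,Str0ng!Passw0rd#2024,Manager,Sales
Dan Example,dan-at-dupossite.com,short,Clerk,Finance
Alice Example,alice@dupossite.com,Str0ng!Passw0rd#2024,Analyst,HR
"""

# Domains verified in the tenant (assumption: the custom domain from the domain demo
# plus a placeholder default onmicrosoft.com name).
VERIFIED_DOMAINS = {"dupossite.com", "yourtenant.onmicrosoft.com"}

REQUIRED = ("Display Name", "User Principal Name", "Password")
UPN_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def validate_bulk_csv(text, verified_domains=VERIFIED_DOMAINS, min_pw_len=12):
    """Return a list of (row_number, message) problems; an empty list means clean.
    Row numbers count the header as row 1, matching what a spreadsheet shows."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    missing_cols = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing_cols:
        # Without the required columns nothing else is worth checking.
        return [(0, f"missing required column(s): {', '.join(missing_cols)}")]
    seen_upns = set()
    for n, row in enumerate(reader, start=2):
        for col in REQUIRED:
            if not (row.get(col) or "").strip():
                problems.append((n, f"{col} is empty"))
        upn = (row.get("User Principal Name") or "").strip().lower()
        m = UPN_RE.match(upn)
        if upn and not m:
            problems.append((n, f"UPN {upn!r} is not in user@domain form"))
        elif m and m.group(1) not in verified_domains:
            # Users cannot be created with a UPN suffix the tenant has not verified.
            problems.append((n, f"UPN domain {m.group(1)!r} is not a verified domain"))
        if upn:
            if upn in seen_upns:
                problems.append((n, f"duplicate UPN {upn!r}"))
            seen_upns.add(upn)
        pw = row.get("Password") or ""
        if pw and len(pw) < min_pw_len:
            problems.append((n, f"password shorter than {min_pw_len} characters"))
    return problems


if __name__ == "__main__":
    for row_no, msg in validate_bulk_csv(SAMPLE_CSV):
        print(f"row {row_no}: {msg}")
```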

Entra ID Application Identities


  • Applications can also be represented as identities in Entra ID. This allows applications to authenticate and access resources securely.
  • Applications can be registered in Entra ID to create an application object, which defines the application's identity and configuration. When an application is registered, a corresponding service principal is created in the tenant, which represents the application's identity when it is used to access resources.
  • Applications can be assigned permissions to access APIs and resources, and they can also be assigned roles for access control. This is important for scenarios such as service-to-service authentication, where an application needs to access resources without user interaction.
  • Applications can use various authentication methods, including client secrets, certificates, and managed identities. Managed identities are a special type of service principal that provides an automatically managed identity for applications running in Azure, eliminating the need for credentials in code.

Application (website) needs to access a database (resource) -> application needs an identity to authenticate and access the resource -> application registration creates an application object and service principal in Entra ID -> assign permissions and roles to the service principal for access control.

Demo: Register an Application in Entra ID


  1. Sign in to the Azure portal and navigate to Microsoft Entra ID.
  2. Click on "App registrations" in the left-hand menu.
  3. Click on "New registration" to start the application registration process.
  4. Provide a name for the application and select the appropriate supported account types (e.g., single tenant, multi-tenant, or personal Microsoft accounts).
  5. Optionally, you can specify a redirect URI if your application requires one for authentication flows.
  6. Click on "Register" to create the application registration.
  7. After the application is registered, you will be taken to the application's overview page where you can see the application ID, tenant ID, and other details.
  8. You can manage the application's properties, authentication methods, API permissions, and assigned roles from the application registration page.
  9. To allow the application to access resources, you can assign API permissions by clicking on "API permissions" and then "Add a permission." Choose the appropriate API and permissions needed for your application.
  10. If your application needs to authenticate using a client secret or certificate, you can configure these under the "Certificates & secrets" section of the application registration.

Note: Single tenant applications are only available within the tenant where they are registered, while multi-tenant applications can be used across multiple tenants.

Your manifest is a JSON representation of the application registration's configuration and can be edited directly for advanced scenarios, but be cautious when making changes to the manifest as it can affect the application's behavior.

Application Proxy is a way to publish on-premises applications securely through Entra ID, allowing users to access them from anywhere while still enforcing Entra ID's authentication and access controls.

API Permissions


API permissions define what resources and operations an application can access. There are two main types of API permissions:

  1. Delegated permissions: These are used when an application is accessing resources on behalf of a signed-in user. The permissions granted to the application are limited to what the user has access to.
  2. Application permissions: These are used when an application is accessing resources without a signed-in user (e.g., background services). The permissions granted to the application are independent of any user and typically require admin consent.

When you add API permissions, you may need to grant admin consent for the permissions to take effect, especially for application permissions that require elevated privileges.
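The two permission types show up differently in the access token an app presents: delegated permissions arrive in the scp claim, application permissions in the roles claim. As an added example (not from the course or from Microsoft), the inspector below decodes a token's payload and reports which model it carries. The tokens it reads are constructed, unsigned samples; the decoding only inspects claims and is not a substitute for validating issuer, audience and signature before trusting a token.

```python
import base64
import json


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(payload):
    """Constructed sample token for offline demonstration only (no real signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def classify_permissions(token):
    """Report whether the token carries delegated (scp) or application (roles)
    permissions. Claims are read without signature validation; a real consumer
    validates the token against the tenant's signing keys before using it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    scp = claims.get("scp")
    roles = claims.get("roles") or []
    # appid is the v1 claim name, azp the v2 one, for the calling application.
    app = claims.get("appid") or claims.get("azp")
    if scp:
        # A signed-in user is behind this token; effective access is capped by the user's.
        return {"kind": "delegated", "permissions": sorted(scp.split()),
                "app": app, "user": claims.get("upn") or claims.get("oid")}
    if roles:
        # No user: app-only access, which is why these permissions need admin consent.
        return {"kind": "application", "permissions": sorted(roles), "app": app, "user": None}
    return {"kind": "none", "permissions": [], "app": app, "user": None}


# Constructed samples; the GUIDs are placeholders, not real tenant values.
DELEGATED_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com", "scp": "User.Read Mail.Read",
    "upn": "alice@dupossite.com", "appid": "00000000-0000-0000-0000-000000000001",
})
APP_ONLY_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com", "roles": ["User.Read.All"],
    "appid": "00000000-0000-0000-0000-000000000001",
})

if __name__ == "__main__":
    print(classify_permissions(DELEGATED_TOKEN))
    print(classify_permissions(APP_ONLY_TOKEN))
```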

Managed Identity


A managed identity is a special type of service principal that provides an automatically managed identity for applications running in Azure. This eliminates the need for developers to manage credentials in their code, improving security and simplifying authentication. They are similar to application registrations and service principals, but they are designed specifically for Azure resources to authenticate to other Azure services without needing to store credentials.

There are two types of managed identities:

  1. System-assigned managed identity: This type of managed identity is created and tied to a specific Azure resource (e.g., a virtual machine or an Azure Function). When the resource is deleted, the managed identity is also deleted.
  2. User-assigned managed identity: This type of managed identity is created as a standalone resource and can be assigned to one or more Azure resources. It exists independently of any specific resource and can be reused across multiple resources.

To log in using a managed identity, you don't need to provide a username, password, secret, or certificate, so there is less credential management overhead.

Demo: Configure a Managed Identity - System Assigned


  1. Log into Azure
  2. Create 2 VMs, a vnet and a storage account
  3. Go to one of the VMs and click on "Identity" under the "Settings" section.
  4. Under the "System assigned" tab, click on "On" to enable the system-assigned managed identity for the VM.
  5. Click "Save" to apply the changes. This will create a service principal in Entra ID for the VM's managed identity.
  6. After enabling the managed identity, you can go to the storage account and click on "Access control (IAM)" in the left-hand menu.
  7. Click on "Add role assignment" to assign a role to the VM's managed identity for the storage account.
  8. In the "Add role assignment" pane, select the appropriate role (e.g., "Storage Blob Data Contributor") and then search for the name of the VM to find its managed identity. Select the VM's managed identity and click "Save" to assign the role.
  9. Now, the VM can authenticate to the storage account using its managed identity and access the resources based on the permissions granted by the assigned role.
  10. Now, add that system assigned managed identity to the other VM and see that it can also access the storage account without needing to manage any credentials.
  11. To test the authentication, you can use Azure CLI or PowerShell on the VM to acquire an access token for the storage account and then attempt to access the storage resources. This will confirm that the managed identity is working correctly and has the appropriate permissions.

Demo: Configure a Managed Identity - User Assigned


  1. Log into Azure
  2. Create a new Resource Group, 2 VMs, a vnet and a storage account.
  3. Go to "Managed identities" in the Azure portal.
  4. Click on "Add" to create a new user-assigned managed identity.
  5. Follow the prompts to create the user-assigned managed identity.
  6. Once created, you can assign this user-assigned managed identity to multiple Azure resources.
  7. Go to one of the VMs and click on "Identity" under the "Settings" section.
  8. Under the "User assigned" tab, click on "Add" to assign the user-assigned managed identity to the VM.
  9. Go to the resource group and assign it at the resource group level, and see that both VMs can use the same user-assigned managed identity to access the storage account.
  10. Continue to manage its permissions similarly to a system-assigned managed identity.
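Step 11 of the system-assigned demo says to acquire a token on the VM; this added example (not from the course or from Microsoft) shows what that token request looks like against the Azure Instance Metadata Service, for both demos: with no client_id the system-assigned identity is used, with a client_id a user-assigned one. The endpoint, api-version and Metadata header are the documented IMDS interface; the sample reply and the GUID are constructed placeholders, and only fetch_token needs to run on an Azure VM.

```python
import json
import time
import urllib.parse
import urllib.request

# IMDS identity endpoint: link-local, reachable only from inside the VM, and it
# refuses requests that lack the Metadata: true header (which is also what stops
# a browser redirect or similar forwarded request from reaching it).
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"


def build_imds_request(resource, client_id=None):
    """Return (url, headers) for a token request.
    client_id selects a user-assigned identity; omit it for the system-assigned one."""
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}"
    return url, {"Metadata": "true"}


def parse_token_response(body, now=None):
    """Extract the bearer token from the IMDS JSON reply and reject an expired one.
    expires_on is epoch seconds (IMDS returns it as a string)."""
    data = json.loads(body)
    if data.get("token_type", "Bearer") != "Bearer" or "access_token" not in data:
        raise ValueError("unexpected token response")
    expires_on = int(data["expires_on"])
    now = time.time() if now is None else now
    if expires_on <= now:
        raise ValueError("token already expired")
    return {"token": data["access_token"], "resource": data.get("resource"),
            "seconds_left": int(expires_on - now)}


def fetch_token(resource, client_id=None, timeout=5):
    """Live call; only works on an Azure VM that has a managed identity enabled."""
    url, headers = build_imds_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode())


def storage_list_request(account, container, token):
    """Data-plane request the token authorizes (Blob REST API container listing);
    the role assigned in the demo decides whether it succeeds."""
    url = f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"
    return url, {"Authorization": f"Bearer {token}", "x-ms-version": "2020-10-02"}


# Constructed sample reply in the shape IMDS returns; the token value is a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAi.PLACEHOLDER.TOKEN",
    "expires_on": "1700003600",
    "resource": "https://storage.azure.com/",
    "token_type": "Bearer",
})

if __name__ == "__main__":
    print(build_imds_request("https://storage.azure.com/"))
    print(parse_token_response(SAMPLE_RESPONSE, now=1700000000))
```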

Entra ID Groups


Groups in Entra ID are used to manage and organize users and other directory objects. They can be used for assigning permissions, applying policies, and simplifying administration. Groups can contain users, other groups (nested groups), and service principals. They can be used to manage access to resources by assigning permissions to the group instead of individual users, which simplifies administration and improves security.

Benefits:

  • reduced administration
  • improved security
  • automation and self-service

Instead of assigning permissions to each user, you can assign permissions to a group and then add users to that group. This way, when you need to change permissions, you only need to update the group instead of each individual user.

Different groups can have different Roles and those groups can act like the boundary for those Role Based Access Control (RBAC) permissions. For example, you can have a group for "HR Team" with specific permissions to access HR-related resources, and another group for "IT Team" with different permissions for IT resources.

Membership


  • Manually add users to groups
  • Dynamic membership (based on user attributes) - all users with "Department" attribute set to "Sales" are automatically added to the "Sales Team" group
  • Security Groups (access control)
  • M365 groups (created in Microsoft 365 admin center) - SharePoint, Teams, etc. - can be security enabled or not
  • Nested groups (groups within groups)

You can add an owner to the group who can manage group membership and settings. Owners can be users or service principals.

You can nest groups within groups, but be cautious with nested groups as they can complicate access management and may not be supported in all scenarios (e.g., Azure RBAC does not support nested groups for role assignments).

M365 Groups can have expiration and naming policies applied to them, which can help with lifecycle management and ensuring consistent naming conventions.

Premium licensing is required for dynamic groups and some advanced group features such as group expiration and naming policies or group-based licensing.

Demo: Manage Entra ID Licenses


  1. Sign in to the Azure portal and navigate to Microsoft Entra ID.
  2. Click on "Licenses" in the left-hand menu.
  3. Click on "All products" to view the available licenses in your tenant.
  4. To assign licenses to users, click on "Users" under the "Manage" section.
  5. Select the user you want to assign a license to and click on their name to open their profile.
  6. In the user's profile, click on "Licenses" in the left-hand menu.
  7. Click on "Assign licenses" to assign a license to the user.
  8. Select the appropriate license(s) from the list and click "Save" to apply the license assignment.
  9. You can also manage group-based licensing by going back to the "Licenses" section and clicking on "Groups" under the "Manage" section. Here, you can assign licenses to groups, and all members of the group will inherit the assigned licenses.

Note: License assignment requires a usage location on the user, so make sure to set the user's location in their profile before assigning licenses. Also, be aware of the differences between the various license types (e.g., Free, P1, P2) and the features they enable in Entra ID.

You can click on the reprocess button to re-evaluate group memberships and license assignments if you have made changes to user attributes that affect dynamic group membership or if you have assigned licenses to groups.

Exam Notes


  • Expect Microsoft to still reference Azure AD in some older training or exam wording, but treat it as Entra ID.
  • Know the difference between Entra roles and Azure RBAC roles.
  • Know when to use Conditional Access, MFA, Identity Protection, and PIM.
  • Know that Microsoft Entra Domain Services is separate from Entra ID and is used when legacy LDAP, NTLM, or domain join capabilities are required.