Master the Top 50 Azure Active Directory Interview Questions
Fundamentals & Core Concepts
1. What is Azure Active Directory (Azure AD / Microsoft Entra ID)?
Answer: Azure Active Directory (now often called Microsoft Entra ID) is Microsoft’s cloud-based identity and access management (IAM) service. It lets employees sign in once and access both external resources (like Microsoft 365, the Azure portal, and thousands of other SaaS applications) and internal resources (like apps on the corporate network and intranet, along with any cloud apps developed by the organization). It provides features like Single Sign-On (SSO), Multi-Factor Authentication (MFA), Conditional Access, and identity protection.
2. How is Azure AD different from On-Premises Active Directory Domain Services (AD DS)?
Answer:
- Environment: Azure AD is a cloud-native service designed for web-based protocols (SAML, OAuth 2.0, OpenID Connect), while AD DS is an on-premises directory service primarily using Kerberos and LDAP.
- Structure: Azure AD has a flat structure, whereas AD DS uses a hierarchical structure with Domains and Forests.
- Management: AD DS uses Group Policy Objects (GPOs) for management, while Azure AD uses policies like Conditional Access and Intune (for device management).
- Primary Use: Azure AD is primarily for managing user access to cloud and web applications, while AD DS manages traditional on-premises resources like servers, computers, and file shares within a domain.
3. What is an Azure AD Tenant?
Answer: An Azure AD tenant is a dedicated and trusted instance of Azure AD that an organization receives and owns when it signs up for a Microsoft cloud service like Azure, Microsoft 365, or Dynamics 365. It represents the organization and contains its users, groups, applications, and associated identity/security settings. Each tenant is distinct and separate from other tenants.
4. What are the different editions of Azure AD (Free, P1, P2)?
Answer: Azure AD comes in several editions:
- Free: Included with Azure and Microsoft 365 subscriptions. Provides basic user/group management, SSO for many apps, B2B collaboration, and basic security reports.
- Premium P1: Adds features for more demanding identity and access management needs, including Conditional Access, MFA for all users, hybrid identity features (like password writeback), advanced group management (dynamic groups, naming policies), and Application Proxy.
- Premium P2: Includes all P1 features plus advanced identity protection and governance. Key features are Identity Protection (risk-based policies) and Privileged Identity Management (PIM).
5. What is the relationship between an Azure Subscription and an Azure AD Tenant?
Answer: An Azure subscription is primarily a billing and management boundary for Azure resources (like VMs, databases, etc.). An Azure AD tenant is the identity and access management backbone. An Azure subscription has a trust relationship with exactly one Azure AD tenant, which is used to authenticate and authorize users, services, and devices for that subscription. Multiple Azure subscriptions can trust the same Azure AD tenant, but a single subscription cannot trust more than one tenant.
6. What are Users and Groups in Azure AD?
Answer:
- Users: Represent individuals (or service principals for applications) needing access to resources. User objects contain identity information like name, UPN, password hashes, etc.
- Groups: Collections of users (or other groups, devices, service principals). They simplify access management by allowing permissions and licenses to be assigned to a group rather than individual users. Types include Security groups (for managing access) and Microsoft 365 groups (for collaboration features).
7. What are Dynamic Groups in Azure AD?
Answer: Dynamic groups automatically add or remove members (users or devices) based on rules defined using attributes (like department, location, device OS type). This automates group membership management, ensuring groups stay up-to-date without manual intervention. This feature requires an Azure AD Premium P1 or P2 license.
Authentication & Authorization
8. What is Single Sign-On (SSO) in Azure AD?
Answer: SSO allows users to sign in once with a single set of credentials (username and password) and gain access to multiple applications and resources without needing to authenticate again for each one. Azure AD acts as the central identity provider, facilitating SSO for thousands of pre-integrated SaaS apps and on-premises applications via Application Proxy or federation.
9. What Authentication Protocols does Azure AD support?
Answer: Azure AD primarily supports modern, web-based authentication protocols like:
- OAuth 2.0: An authorization framework often used for APIs and mobile apps.
- OpenID Connect (OIDC): Built on top of OAuth 2.0, it provides identity verification (authentication). Commonly used for web application sign-in.
- SAML 2.0: A widely used standard for exchanging authentication and authorization data between identity providers (like Azure AD) and service providers (like SaaS apps), enabling web-based SSO.
10. What is Multi-Factor Authentication (MFA)?
Answer: MFA is a security process requiring users to provide two or more verification factors to gain access to a resource. It adds a critical layer of security beyond just a password. Common factors include something you know (password), something you have (authenticator app code, SMS code, hardware token), and something you are (biometrics like fingerprint or facial recognition). Azure AD MFA supports various methods like the Microsoft Authenticator app, SMS, voice calls, and hardware tokens.
11. How does Azure AD use tokens for authentication and authorization?
Answer: After successful authentication, Azure AD issues tokens (typically JSON Web Tokens – JWTs) to the client application. These tokens contain claims about the user (like user ID, name, group memberships, roles).
- ID Tokens (OIDC): Used by the client application to verify the user’s identity.
- Access Tokens (OAuth 2.0): Used by the client application to securely call protected web APIs on behalf of the user. The API validates the token to authorize the request.
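The claim checks a protected API performs on an Azure AD access token, as an added example (not code from the original page). It assumes v2.0-format tokens and that the RS256 signature has already been verified against the tenant’s signing keys; the tenant and application IDs, the `Files.Read` scope, the `Files.Read.All` app role and the sample tokens are all constructed. It also shows why an ID token replayed against the API is refused: its audience is the client app, not the API.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Constructed identifiers (hypothetical): the tenant, this API's app id and
# the calling client's app id. Tokens here use the v2.0 issuer format.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
API_APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
CLIENT_APP_ID = "99999999-8888-7777-6666-555555555555"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature segment. Real
    Azure AD tokens are RS256-signed; checking that signature against the
    tenant's published keys is assumed to happen before the checks below."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the claim set carried in the payload segment of a JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims: dict, now: Optional[int] = None) -> Tuple[bool, str]:
    """Issuer, tenant, audience and validity-window checks for an access token."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "issuer mismatch"
    if claims.get("tid") != TENANT_ID:
        return False, "tenant mismatch"
    if claims.get("aud") != API_APP_ID:
        # An ID token is issued to the client app (aud = client id), so a
        # client that replays its ID token against this API is refused here.
        return False, "audience mismatch"
    if now < int(claims.get("nbf", 0)):
        return False, "token not yet valid"
    if now >= int(claims.get("exp", 0)):
        return False, "token expired"
    return True, "ok"


def authorize(claims: dict, scope: str, app_role: str) -> bool:
    """Delegated (user) calls carry scopes in 'scp' (space separated);
    app-only calls carry app roles in 'roles'. Either grants the call."""
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    return scope in scopes or app_role in roles


# Constructed sample tokens, all issued "now" and valid for one hour.
NOW = 1_700_000_000
_base = {"iss": EXPECTED_ISSUER, "tid": TENANT_ID, "sub": "user-object-id",
         "nbf": NOW - 60, "exp": NOW + 3600}
ACCESS_TOKEN = make_demo_jwt({**_base, "aud": API_APP_ID, "scp": "Files.Read User.Read"})
LIMITED_TOKEN = make_demo_jwt({**_base, "aud": API_APP_ID, "scp": "User.Read"})
ID_TOKEN = make_demo_jwt({**_base, "aud": CLIENT_APP_ID, "name": "Sample User"})


def handle_request(token: str, now: int = NOW) -> int:
    """API gate for an endpoint needing Files.Read (delegated) or
    Files.Read.All (app role): 401 if the token is unusable, 403 if it is
    valid but lacks the permission, 200 otherwise."""
    try:
        claims = decode_claims(token)
    except ValueError:
        return 401
    ok, _reason = validate_claims(claims, now)
    if not ok:
        return 401
    if not authorize(claims, scope="Files.Read", app_role="Files.Read.All"):
        return 403
    return 200
```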
12. What is Role-Based Access Control (RBAC) in Azure AD?
Answer: Azure AD RBAC allows administrators to grant specific permissions to users, groups, or service principals by assigning them built-in or custom roles. These roles define what actions the assignee can perform within Azure AD (e.g., User Administrator, Global Administrator, Application Administrator). This follows the principle of least privilege, ensuring users only have the access necessary for their jobs. RBAC scopes can be applied at the tenant level, administrative units, or sometimes specific objects. Note: This is distinct from Azure RBAC, which controls access to Azure resources like VMs and storage.
13. What is Self-Service Password Reset (SSPR)?
Answer: SSPR is an Azure AD feature that allows users to reset their forgotten passwords without needing to contact IT support. Users must first register one or more authentication methods (like phone number, email, security questions). When they need to reset their password, they verify their identity using these registered methods. This reduces helpdesk load and improves user productivity.
14. Explain the different sign-in methods for Hybrid Identity (PHS, PTA, Federation).
Answer: When synchronizing on-premises AD DS with Azure AD using Azure AD Connect, you can choose different user sign-in methods:
- Password Hash Synchronization (PHS): A hash of the user’s on-premises AD password hash is synchronized to Azure AD. Authentication happens directly against Azure AD. It’s the simplest method and enables features like leaked credential detection.
- Pass-Through Authentication (PTA): User authentication requests are passed from Azure AD to a lightweight agent running on an on-premises server, which validates the credentials against the on-premises AD DS directly. No password hashes are stored in the cloud. Requires agents installed on-premises.
- Federation (e.g., with AD FS): Authentication is delegated entirely to a separate on-premises federation service (like Active Directory Federation Services – AD FS). Azure AD redirects the user to the federation service for authentication. Offers the most control but adds complexity and requires managing the federation infrastructure.
Identity Management & Hybrid Identity
15. What is Azure AD Connect?
Answer: Azure AD Connect (now also referred to as Microsoft Entra Connect) is the Microsoft tool for implementing hybrid identity. It synchronizes identity data (users, groups, contacts) between on-premises Active Directory Domain Services (AD DS) and Azure Active Directory. It also configures the chosen sign-in method (PHS, PTA, or Federation).
16. What are the key components synchronized by Azure AD Connect?
Answer: Azure AD Connect synchronizes user accounts, group memberships, contacts, and optionally device objects. It can also synchronize password hashes (for PHS) or configure PTA/Federation. Attribute mapping allows customization of which attributes are synchronized and how they are transformed.
17. What is the purpose of the Azure AD Connect Synchronization Scheduler?
Answer: The scheduler is a built-in component of Azure AD Connect that automatically runs synchronization cycles (typically every 30 minutes). It performs delta synchronizations to pick up changes made in either on-premises AD or Azure AD (if writeback features are enabled) and keeps the directories consistent. Full synchronization cycles can also be triggered manually.
18. What is Staging Mode in Azure AD Connect?
Answer: Staging mode allows you to install a second Azure AD Connect server for redundancy or testing without it actively exporting changes to Azure AD or on-premises AD. A server in staging mode performs all import and synchronization steps but doesn’t write data. This is useful for testing configuration changes, validating upgrades, or having a hot standby server.
19. What is Password Writeback?
Answer: Password writeback is an Azure AD Premium feature, enabled via Azure AD Connect, that allows password changes initiated in the cloud (e.g., through SSPR or an admin resetting a user’s password in Azure AD) to be written back to the user’s on-premises AD DS account. This ensures password consistency across both environments.
20. What is Azure AD Domain Services (AADDS)?
Answer: Azure Active Directory Domain Services (AADDS) provides managed domain services (like domain join, group policy, LDAP, Kerberos/NTLM authentication) that are compatible with traditional AD DS but delivered as an Azure PaaS service. It synchronizes identities from your Azure AD tenant (which might itself be synchronized from on-premises AD DS via Azure AD Connect). It’s useful for lift-and-shift scenarios where legacy applications running on Azure VMs need traditional domain services, without requiring you to deploy and manage domain controller VMs yourself.
21. How does AADDS differ from Azure AD and AD DS?
Answer:
- vs. Azure AD: Azure AD is the core cloud identity provider using modern protocols. AADDS provides traditional domain services integrated with Azure AD identities.
- vs. AD DS: AD DS is the full on-premises directory service requiring self-managed domain controllers. AADDS is a managed service offering a subset of AD DS features (e.g., no Schema extensions, no Enterprise/Domain Admin rights for customers, limited forest trust capabilities).
Security Features
22. What is Conditional Access?
Answer: Conditional Access is the policy engine within Azure AD (requires P1/P2) that uses signals (like user location, device health, application, real-time risk detection) to bring policies together and enforce organizational requirements for accessing resources. Policies are essentially “If-Then” statements: If a user attempts access under certain conditions (e.g., from an untrusted network), Then enforce specific controls (e.g., require MFA, block access, require a compliant device).
23. What are common Conditions used in Conditional Access policies?
Answer: User/Group assignments, Cloud apps/actions targeted, User risk, Sign-in risk, Device platform (iOS, Android, Windows), Locations (IP ranges, countries), Client apps (browser, mobile/desktop apps), Device state (Hybrid Azure AD joined, Compliant).
24. What are common Grant Controls used in Conditional Access policies?
Answer: Block access, Require MFA, Require device to be marked as compliant (via Intune), Require Hybrid Azure AD joined device, Require approved client app, Require app protection policy, Require password change. You can require one or all selected controls.
25. What is the Conditional Access “What If” tool?
Answer: The “What If” tool in the Azure portal allows administrators to simulate a sign-in scenario by providing user, application, location, device, and risk information. It then shows which Conditional Access policies would apply to that simulated sign-in and what controls would be enforced. This is extremely useful for testing policies before deployment and troubleshooting access issues.
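A small “What If”-style evaluator covering questions 22 to 25, added here as an example (not code from the page or from Microsoft). The policy model is a simplification of Conditional Access: conditions (users, apps, location, sign-in risk) form the “If”, grant controls form the “Then”, a Block in any applied policy wins, and `require_all` captures “require one or all selected controls”. All policy names, groups, apps and scenarios are constructed.

```python
from dataclasses import dataclass, field

ANY = "All"  # an unconfigured condition: matches every user, app or location


@dataclass
class Policy:
    """One Conditional Access policy: the 'If' (assignments and conditions)
    and the 'Then' (grant controls). Simplified model, not the real schema."""
    name: str
    users: set = field(default_factory=lambda: {ANY})      # group names or ANY
    apps: set = field(default_factory=lambda: {ANY})       # app names or ANY
    locations: set = field(default_factory=lambda: {ANY})  # "Trusted", "Untrusted" or ANY
    sign_in_risk: set = field(default_factory=set)         # empty = risk is not a condition
    controls: set = field(default_factory=set)             # "block", "mfa", "compliantDevice"
    require_all: bool = True                               # all selected controls, or one of them


def applies(policy: Policy, ctx: dict) -> bool:
    """The 'If' half: every configured condition must match the sign-in."""
    user_ok = ANY in policy.users or bool(policy.users & set(ctx["groups"]))
    app_ok = ANY in policy.apps or ctx["app"] in policy.apps
    loc_ok = ANY in policy.locations or ctx["location"] in policy.locations
    risk_ok = not policy.sign_in_risk or ctx["sign_in_risk"] in policy.sign_in_risk
    return user_ok and app_ok and loc_ok and risk_ok


def evaluate(policies, ctx: dict) -> dict:
    """The 'Then' half for every matching policy, with Conditional Access
    precedence: a Block in any applied policy wins outright; otherwise each
    applied policy's grant requirement must be satisfied by the sign-in."""
    satisfied = set()
    if ctx["mfa_done"]:
        satisfied.add("mfa")
    if ctx["device_compliant"]:
        satisfied.add("compliantDevice")
    applied = [p for p in policies if applies(p, ctx)]
    names = [p.name for p in applied]
    if any("block" in p.controls for p in applied):
        return {"applied": names, "decision": "block", "unmet": []}
    unmet = []
    for p in applied:
        met = p.controls & satisfied
        ok = met == p.controls if p.require_all else bool(met)
        if not ok:
            unmet.append(p.name)
    decision = "grant" if not unmet else "require-controls"
    return {"applied": names, "decision": decision, "unmet": unmet}


# Constructed policy set (hypothetical names).
POLICIES = [
    Policy("CA01 Require MFA for all users", controls={"mfa"}),
    Policy("CA02 Finance app needs compliant device", users={"Finance"},
           apps={"Finance App"}, controls={"compliantDevice"}),
    Policy("CA03 Block HR app from untrusted networks", apps={"HR App"},
           locations={"Untrusted"}, controls={"block"}),
    Policy("CA04 Risky sign-in needs MFA or compliant device",
           sign_in_risk={"medium", "high"}, controls={"mfa", "compliantDevice"},
           require_all=False),
]


def scenario(app, location="Trusted", risk="none", mfa=True, compliant=False):
    """Constructed "What If" input for one user who is in the Finance group."""
    return {"groups": ["Finance"], "app": app, "location": location,
            "sign_in_risk": risk, "mfa_done": mfa, "device_compliant": compliant}


FINANCE_NONCOMPLIANT = scenario("Finance App")
FINANCE_COMPLIANT = scenario("Finance App", compliant=True)
HR_FROM_UNTRUSTED = scenario("HR App", location="Untrusted")
RISKY_OTHER_APP = scenario("Other App", risk="high")
```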
26. What is Azure AD Identity Protection?
Answer: Azure AD Identity Protection (requires P2) uses Microsoft’s vast threat intelligence and machine learning to detect suspicious activities and potential vulnerabilities related to user identities. It calculates risk levels (User Risk and Sign-in Risk) based on detected signals (e.g., anonymous IP address usage, leaked credentials, impossible travel) and allows configuring risk-based Conditional Access policies to automatically respond (e.g., force password reset, require MFA, block access).
27. What are some examples of Risk Detections in Identity Protection?
Answer: Leaked credentials, sign-in from anonymous IP address, impossible travel, sign-in from infected device, sign-in from unfamiliar location, sign-in from malicious IP address, password spray attack detection.
28. What is Privileged Identity Management (PIM)?
Answer: PIM (requires P2) is a service in Azure AD that enables organizations to manage, control, and monitor access to important resources. It helps mitigate risks associated with excessive privileged access by providing:
- Just-In-Time (JIT) access: Users request activation for privileged roles only when needed.
- Time-bound access: Role assignments can expire automatically.
- Approval workflows: Role activation can require approval from designated approvers.
- Access reviews: Regular reviews to ensure users still need their assigned roles.
- Auditing: Detailed logs of privileged activity.
29. What is the difference between “Eligible” and “Active” assignments in PIM?
Answer:
- Eligible: The user is eligible to activate the role when needed (JIT access). They don’t have the privileges permanently but can request them for a limited time, potentially requiring justification or approval.
- Active: The user has the role assigned permanently (similar to a standard role assignment), but PIM can still enforce activation requirements like MFA or track the assignment duration. Eligible assignments are generally preferred for privileged roles to minimize standing access.
30. What are Access Reviews in Azure AD?
Answer: Access Reviews (part of Azure AD Identity Governance, requires P2) enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. Administrators can configure recurring reviews where users or designated reviewers attest to (approve) or deny continued access for users, ensuring that access rights remain appropriate over time and reducing the risk associated with stale access permissions.
31. How does Azure AD Password Protection work?
Answer: Azure AD Password Protection helps prevent users from choosing weak or commonly compromised passwords. It maintains a global banned password list (updated by Microsoft) and allows administrators to add custom banned words specific to their organization (like company names, product names, locations). When a user changes or resets their password (in the cloud or on-premises if deployed with Azure AD Connect), the new password is checked against these lists. If a match is found, the user is prompted to choose a stronger password.
32. What is Azure Key Vault and how does it relate to Azure AD?
Answer: Azure Key Vault is a cloud service for securely storing and accessing secrets (like API keys, passwords, certificates, cryptographic keys). While not strictly part of Azure AD, it relies heavily on Azure AD for authentication and access control. Applications and users authenticate via Azure AD to access the Key Vault, and access policies within Key Vault use Azure AD identities (users, groups, service principals) to grant permissions (e.g., get secrets, list keys).
External Identities (B2B & B2C)
33. What is Azure AD B2B Collaboration?
Answer: B2B (Business-to-Business) collaboration allows organizations to securely share their applications and services with guest users from external organizations (partners, suppliers, vendors). Guest users authenticate using their own corporate or social identities (if configured), and the inviting organization doesn’t need to manage their credentials. They appear as Guest user objects in the inviting tenant’s directory.
34. How are Guest users invited in B2B?
Answer: Guest users can be invited via:
- The Azure portal by an administrator or users with guest inviter roles.
- PowerShell or Microsoft Graph API.
- Self-service sign-up flows (if configured).
- Directly granting access to specific applications (like SharePoint sites or Teams).
The guest receives an invitation email with a link to redeem. Once redeemed, they can access the shared resources.
35. What are Cross-Tenant Access Settings?
Answer: These settings provide granular control over how other Azure AD organizations collaborate with you (inbound) and how your users collaborate with other Azure AD organizations (outbound). You can configure default settings and organization-specific settings to trust MFA/device compliance claims from external tenants, block/allow B2B collaboration, and scope access to specific users, groups, and applications.
36. What is Azure AD B2C?
Answer: B2C (Business-to-Consumer) is a separate Azure AD service designed as a customer identity and access management (CIAM) solution. It allows businesses to build customer-facing applications where customers can sign up, sign in, manage their profiles, and reset passwords using social identities (like Facebook, Google), enterprise identities, or local accounts (email/username and password specific to the application). It offers highly customizable user experiences through user flows or custom policies.
37. What are User Flows in Azure AD B2C?
Answer: User flows are predefined, configurable policies in B2C for common identity tasks like sign-up, sign-in, profile editing, and password reset. Administrators can customize the user interface, attributes collected during sign-up, MFA requirements, and identity providers offered within these flows without writing code.
38. How does B2C differ fundamentally from B2B?
Answer:
- Target Audience: B2B is for collaborating with external partners/businesses who typically have their own corporate identities. B2C is for managing identities of end customers interacting with consumer-facing applications.
- Identity Types: B2B primarily uses external corporate or invited social identities. B2C focuses on social identities and self-managed local accounts specific to the application.
- Directory: B2B guest users exist within the organization’s main Azure AD tenant. B2C uses a completely separate B2C tenant to store customer identities, isolated from the corporate tenant.
- Customization: B2C offers much higher levels of UI customization for branding purposes.
Application Management
39. What is the difference between Application Registration and Enterprise Applications in Azure AD?
Answer:
- Application Registration: This is the process of defining an application identity within your Azure AD tenant. It’s typically done by the application developer. This registration creates a globally unique Application (client) ID and allows configuration of authentication platforms, redirect URIs, API permissions requested, secrets/certificates, etc. It defines what the application is.
- Enterprise Application: This represents an instance of an application within your tenant, specifically how it’s used and managed for access. When you register an app, an Enterprise Application object (also called a Service Principal) is automatically created in your home tenant. When you consent to a multi-tenant app or add an app from the gallery, an Enterprise Application object is created in your tenant. It’s used to manage SSO configuration, user assignments, provisioning, and Conditional Access policies for that specific application instance in your tenant. It defines how the application is used.
40. What is the Application Consent Framework?
Answer: When an application needs to access data or act on behalf of a user (e.g., read user profile, send email), it requests specific permissions (defined in its registration). The consent framework governs how users or administrators grant these permissions.
- User Consent: Allows individual users to grant consent for permissions that don’t require admin privileges (e.g., sign in and read user profile).
- Admin Consent: Required for permissions that grant significant access (e.g., read all users’ profiles, manage directory data). An administrator must grant consent on behalf of the entire organization. Administrators can configure consent settings to control whether users can consent to apps at all.
41. What is Azure AD Application Proxy?
Answer: Application Proxy is an Azure AD Premium feature that provides secure remote access to web applications hosted on-premises within a private network. It involves installing lightweight connector agents on-premises. These agents create secure outbound connections to the Application Proxy service in Azure. Users authenticate against Azure AD, and the service then proxies the requests securely back to the on-premises application via the connectors. This eliminates the need for VPNs or opening inbound firewall ports.
42. How does Application Proxy handle authentication?
Answer: Application Proxy primarily handles pre-authentication at the Azure AD level, meaning users must authenticate with Azure AD (potentially satisfying MFA and Conditional Access policies) before their request is forwarded to the on-premises application. It can integrate with various on-premises authentication methods like Windows Integrated Authentication (Kerberos Constrained Delegation) or header-based authentication to provide SSO to the backend application.
Device Management & Identity
43. What are the different Device Identity states in Azure AD?
Answer: Azure AD recognizes several ways a device can be associated with the directory:
- Azure AD Registered: Primarily for Bring Your Own Device (BYOD) scenarios. Users sign in with a local account but register the device with Azure AD using their work/school account (via Settings > Accounts > Access work or school). Allows SSO to cloud resources and is often a prerequisite for Intune enrollment and some Conditional Access policies.
- Azure AD Joined: Devices joined directly to Azure AD, typically for corporate-owned cloud-first devices. Users sign in using their Azure AD credentials. Provides full SSO experience and enables management via Intune and Conditional Access. Cannot join an on-premises AD domain.
- Hybrid Azure AD Joined: Devices joined to both on-premises AD DS and Azure AD. Suitable for organizations with existing on-premises infrastructure managing devices via Group Policy but wanting to leverage cloud features like Conditional Access and SSO to cloud resources. Users sign in with their on-premises AD credentials. Requires Azure AD Connect configuration.
44. When would you use Azure AD Join vs. Hybrid Azure AD Join?
Answer:
- Azure AD Join: Best for new Windows devices in cloud-centric organizations, remote workers, or scenarios where on-premises AD management is not required. Simplifies device setup (e.g., via Autopilot) and management (via Intune).
- Hybrid Azure AD Join: Ideal for organizations with significant investment in on-premises AD and Group Policy management. Allows existing domain-joined devices to gain Azure AD identity features and access cloud resources seamlessly while retaining on-premises management capabilities. It’s often a stepping stone in cloud migration.
45. How does device compliance relate to Azure AD and Conditional Access?
Answer: Device compliance is typically managed by a Mobile Device Management (MDM) solution like Microsoft Intune. Intune defines compliance policies (e.g., require encryption, minimum OS version, password complexity). Devices enrolled in Intune are evaluated against these policies. Intune reports the compliance status (Compliant/Non-compliant) back to Azure AD. Conditional Access policies can then use this device compliance state as a condition, for example, requiring a device to be marked as compliant before granting access to sensitive applications.
Troubleshooting & Monitoring
46. How would you troubleshoot a user’s sign-in issue in Azure AD?
Answer:
- Check Azure AD Sign-in Logs: This is the primary tool. Filter by the user, time, application, and status (Success/Failure). Examine failed attempts for the specific error code and failure reason (e.g., invalid credentials, MFA required, Conditional Access policy block, application misconfiguration).
- Use the Conditional Access “What If” Tool: Simulate the user’s sign-in conditions to see which policies might be blocking access.
- Verify User Status: Check if the user account is enabled, if their password has expired, or if they are locked out.
- Check Assignments: Ensure the user is assigned to the application (if assignment is required).
- Check MFA Configuration: Verify the user’s registered MFA methods are correct and active.
- Check On-Premises (if Hybrid): If using PTA or Federation, check the status of the PTA agents or AD FS servers and related event logs on-premises. Check Azure AD Connect sync status and errors.
47. What information can you find in the Azure AD Audit Logs?
Answer: Audit logs provide a trail of administrative activities performed within Azure AD. This includes changes like user creation/deletion, group updates, role assignment changes, application consent actions, policy modifications (Conditional Access, PIM), device registrations, etc. It shows who performed the action, what action was performed, the target resource, and the time it occurred. Essential for security monitoring and compliance.
48. What is Azure AD Connect Health?
Answer: Azure AD Connect Health (now often under Microsoft Entra monitoring) is a feature (requires P1/P2) that provides monitoring and insights into the health of your hybrid identity infrastructure. It monitors Azure AD Connect sync servers, AD FS servers, and PTA agents. It provides alerts for critical issues (e.g., sync failures, agent offline), performance data, usage analytics (e.g., risky IP report for AD FS), and sync error reports.
49. A user reports they are suddenly being prompted for MFA frequently. What could be the cause?
Answer: Possible causes include:
- New or Changed Conditional Access Policy: A policy might now require MFA under conditions that the user is meeting (e.g., accessing from a new location, using a non-compliant device).
- Identity Protection Risk: The user’s sign-in or account might have been flagged as risky, triggering a risk-based policy requiring MFA.
- Token Lifetime Changes: Changes to Azure AD token lifetime policies could lead to more frequent re-authentication prompts.
- Browser/Client Issues: Browser settings, extensions, or client application issues might be clearing session cookies, forcing re-authentication.
- PIM Activation: If accessing a resource requiring a PIM role activation, MFA might be enforced during activation.
- Per-User MFA State: Check if legacy per-user MFA was inadvertently enabled or enforced for the user.
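The sign-in log review from question 46 and the MFA-prompt investigation from question 49 carried out over log entries, as an added example (not code from the page). The records are constructed; their field names are loosely modelled on the Microsoft Graph signIn resource but are an assumption, not a guaranteed schema, and the error codes and reasons are sample values.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample export for a hypothetical tenant (users, apps and
# policy names are made up).
SIGN_INS = [
    {"createdDateTime": "2024-05-01T08:02:11Z", "userPrincipalName": "ana@contoso.example",
     "appDisplayName": "SharePoint Online", "status": {"errorCode": 0, "failureReason": ""},
     "conditionalAccessStatus": "success", "authenticationRequirement": "multiFactorAuthentication",
     "appliedConditionalAccessPolicies": [{"displayName": "CA01 Require MFA for all users",
                                           "result": "success", "enforcedGrantControls": ["Mfa"]}],
     "riskLevelDuringSignIn": "none"},
    {"createdDateTime": "2024-05-01T08:05:40Z", "userPrincipalName": "ana@contoso.example",
     "appDisplayName": "Exchange Online",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password"},
     "conditionalAccessStatus": "notApplied", "authenticationRequirement": "singleFactorAuthentication",
     "appliedConditionalAccessPolicies": [], "riskLevelDuringSignIn": "none"},
    {"createdDateTime": "2024-05-01T08:06:02Z", "userPrincipalName": "ana@contoso.example",
     "appDisplayName": "Exchange Online",
     "status": {"errorCode": 53003, "failureReason": "Blocked by Conditional Access"},
     "conditionalAccessStatus": "failure", "authenticationRequirement": "singleFactorAuthentication",
     "appliedConditionalAccessPolicies": [{"displayName": "CA02 Block legacy authentication",
                                           "result": "failure", "enforcedGrantControls": ["Block"]}],
     "riskLevelDuringSignIn": "none"},
    {"createdDateTime": "2024-05-01T09:15:00Z", "userPrincipalName": "ana@contoso.example",
     "appDisplayName": "Azure Portal", "status": {"errorCode": 0, "failureReason": ""},
     "conditionalAccessStatus": "success", "authenticationRequirement": "multiFactorAuthentication",
     "appliedConditionalAccessPolicies": [{"displayName": "CA03 Require MFA for risky sign-ins",
                                           "result": "success", "enforcedGrantControls": ["Mfa"]}],
     "riskLevelDuringSignIn": "medium"},
    # Outside the review window: must not be counted.
    {"createdDateTime": "2024-04-20T10:00:00Z", "userPrincipalName": "ana@contoso.example",
     "appDisplayName": "Azure Portal", "status": {"errorCode": 0, "failureReason": ""},
     "conditionalAccessStatus": "success", "authenticationRequirement": "multiFactorAuthentication",
     "appliedConditionalAccessPolicies": [], "riskLevelDuringSignIn": "none"},
    # Another user: must not be counted.
    {"createdDateTime": "2024-05-01T08:30:00Z", "userPrincipalName": "ben@contoso.example",
     "appDisplayName": "Azure Portal", "status": {"errorCode": 50076, "failureReason": "MFA required"},
     "conditionalAccessStatus": "success", "authenticationRequirement": "multiFactorAuthentication",
     "appliedConditionalAccessPolicies": [], "riskLevelDuringSignIn": "none"},
]
SINCE = datetime(2024, 5, 1, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Timestamps are ISO 8601 with a trailing Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def for_user(records, upn: str, since: datetime):
    """Narrow the log to one user and a time window (the first filter step)."""
    return [r for r in records
            if r["userPrincipalName"].lower() == upn.lower()
            and parse_ts(r["createdDateTime"]) >= since]


def triage(records, upn: str, since: datetime) -> dict:
    """Summarise what the sign-in log says about one user: failure reasons,
    policies that blocked access, policies that enforced MFA, and risk."""
    mine = for_user(records, upn, since)
    failures, blocking, mfa_enforcing = Counter(), Counter(), Counter()
    mfa_required = risky = 0
    for r in mine:
        status = r.get("status", {})
        if status.get("errorCode", 0) != 0:
            failures[f"{status['errorCode']}: {status.get('failureReason', '')}"] += 1
        for p in r.get("appliedConditionalAccessPolicies", []):
            if p.get("result") == "failure":
                blocking[p["displayName"]] += 1
            if "Mfa" in p.get("enforcedGrantControls", []):
                mfa_enforcing[p["displayName"]] += 1
        if r.get("authenticationRequirement") == "multiFactorAuthentication":
            mfa_required += 1
        if r.get("riskLevelDuringSignIn", "none") not in ("none", "hidden"):
            risky += 1
    return {"total": len(mine), "failures": failures, "blocking_policies": blocking,
            "mfa_enforcing_policies": mfa_enforcing, "mfa_required": mfa_required,
            "risky_sign_ins": risky}
```

The `mfa_enforcing_policies` and `risky_sign_ins` counters point at the first two causes listed in question 49, and `blocking_policies` names the policy behind a Conditional Access block from question 46.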
50. How can you ensure least privilege when managing Azure AD?
Answer:
- Use Built-in Roles: Assign the most specific built-in role that provides only the necessary permissions (e.g., use User Administrator instead of Global Administrator for managing users).
- Use Administrative Units: Scope role assignments to specific subsets of users or groups within an administrative unit, limiting the blast radius of administrators.
- Leverage PIM: Assign privileged roles as “Eligible” rather than “Active,” requiring Just-In-Time activation with justification, approval, and time limits.
- Regular Access Reviews: Conduct periodic reviews of role assignments and group memberships to remove unnecessary permissions.
- Custom Roles (If Needed): Create custom roles with precisely defined permissions if built-in roles are too broad.
- Monitor Audit Logs: Regularly review audit logs for privileged role usage and assignments.