Azure Active Directory Tutorial

Mastering the Cloud's Gatekeeper: Your Ultimate Azure Active Directory Tutorial

Introduction: Securing Your Digital Front Door

Welcome! In today’s digitally transformed world, managing who has access to what is more critical than ever. As organizations embrace cloud services like Microsoft 365, Azure, and countless other SaaS applications, a robust identity and access management (IAM) solution becomes the cornerstone of security and productivity. This tutorial is your comprehensive guide to understanding and utilizing Microsoft’s cloud-based identity powerhouse: Azure Active Directory, now a fundamental part of the Microsoft Entra product family.

Why Identity Management is Crucial in the Cloud Era

Think of identity as the new security perimeter. Traditional network perimeters are dissolving as users access resources from anywhere, on any device. Identity Management ensures that only authorized users can access the resources they need, when they need them, while keeping malicious actors out. Effective IAM helps:

  • Enhance Security: Protect against unauthorized access, data breaches, and credential theft using features like Multi-Factor Authentication (MFA) and Conditional Access.
  • Improve Productivity: Streamline user access with Single Sign-On (SSO), reducing password fatigue and helpdesk calls.
  • Enable Collaboration: Securely manage access for employees, partners, and customers.
  • Meet Compliance Requirements: Enforce access policies and generate audit reports for regulatory compliance (like GDPR, HIPAA, etc.).
  • Simplify IT Operations: Centralize identity management across cloud and on-premises environments.

Meet Azure Active Directory (Now Microsoft Entra ID): Core Concepts Explained

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. It’s the backbone for managing users, applications, and devices within the Microsoft cloud ecosystem and beyond. At its core, Azure AD provides:

  • Authentication: Verifying user identities when they sign in.
  • Authorization: Granting appropriate access permissions based on policies.
  • Identity Management: Managing the lifecycle of users, groups, and devices.
  • Application Management: Enabling secure access to thousands of SaaS applications and custom-built apps.
  • Security Features: Offering advanced capabilities like MFA, Conditional Access, Identity Protection, and Privileged Identity Management (PIM).

It’s more than just a cloud version of the traditional Windows Server Active Directory Domain Services (AD DS). While they can work together (more on that later), Azure AD is designed for the internet-centric, distributed nature of cloud computing.

Decoding the Rebranding: Azure AD vs. Microsoft Entra ID

In mid-2023, Microsoft announced that Azure Active Directory (Azure AD) would become part of a larger product family called Microsoft Entra. As of now (April 2025), Microsoft Entra ID is the official product name for what was formerly known as Azure AD.

  • Why the change? Microsoft aimed to unify its identity and network access portfolio under the “Entra” brand, which includes other products like Permissions Management and Verified ID.
  • What it means for you: Functionally, the service remains the same powerful identity solution. You’ll primarily see the name change in documentation, administrative portals (now the Microsoft Entra admin center), and licensing bundles. Throughout this tutorial, we will primarily refer to it as Microsoft Entra ID, or sometimes Azure AD (Entra ID), for clarity during the transition. The core concepts and functionality discussed remain consistent.

Who Should Follow This Tutorial? (Target Audience)

This tutorial is designed for:

  • IT Administrators: Responsible for managing users, security, and access within their organization.
  • Cloud Engineers/Architects: Designing and implementing solutions on Microsoft Azure or Microsoft 365.
  • System Administrators: Looking to extend on-premises Active Directory to the cloud.
  • Security Professionals: Focused on implementing identity-based security controls.
  • Developers: Building applications that need secure authentication and authorization.
  • Students and IT Professionals: Seeking to learn fundamental cloud identity concepts.

Whether you’re new to cloud identity or looking to deepen your existing Azure AD / Entra ID knowledge, this guide provides a structured learning path.

Learning Objectives: What You’ll Achieve

By the end of this tutorial, you will be able to:

  • Navigate the Microsoft Entra admin center.
  • Understand core Entra ID concepts like tenants, users, groups, and devices.
  • Manage user and group lifecycles effectively.
  • Integrate applications for Single Sign-On (SSO).
  • Implement fundamental security measures like MFA and Conditional Access.
  • Grasp the basics of hybrid identity using Microsoft Entra Connect.
  • Understand how to manage external identities (B2B).
  • Utilize basic monitoring and reporting features.

Prerequisites: Setting Up for Success (Azure Account & Basics)

To follow along effectively, you should ideally have:

  • An Azure Subscription: You can start with a free Azure trial if you don’t have one. Some features discussed (like P2 features) require specific licenses.
  • Global Administrator Role (Recommended): To perform all actions shown in this tutorial within your own test tenant, you’ll need sufficient permissions. Be cautious when making changes in a production environment.
  • Basic Understanding of Cloud Computing: Familiarity with general cloud concepts is helpful but not strictly required.
  • Web Browser: Access to a modern web browser.

Getting Your Bearings: Navigating the Azure AD Landscape

Before diving into management tasks, let’s familiarize ourselves with the environment where you’ll interact with Microsoft Entra ID.

Your Command Center: Accessing the Microsoft Entra Admin Center

The primary portal for managing Microsoft Entra ID is the Microsoft Entra admin center.

  • How to Access: You can typically access it via:
  • Interface: The admin center provides a dedicated interface focused solely on identity tasks. You’ll find navigation panels for managing users, groups, devices, applications, security features (like Protection, Conditional Access, Roles), identity governance, monitoring, and more. Spend some time clicking through the different sections to get a feel for the layout. 

Understanding Tenants vs. Subscriptions vs. Directories

These terms are often used in the Azure ecosystem, and it’s important to understand their relationship, especially concerning Entra ID:

  • Microsoft Entra ID Tenant (or Directory): When your organization signs up for a Microsoft cloud service (like Microsoft 365, Dynamics 365, or Azure), a dedicated instance of Microsoft Entra ID is automatically created. This instance is called a tenant. It represents your organization and acts as a secure container for your users, groups, devices, applications, and their associated identity information. Each tenant is distinct and isolated from other tenants. It has a unique directory ID and domain name (e.g., yourcompany.onmicrosoft.com). 
  • Azure Subscription: An Azure subscription is primarily a billing and management boundary for consuming Azure resources (like virtual machines, databases, storage). An Azure subscription is linked to (or “trusts”) a single Microsoft Entra ID tenant for identity services. You can have multiple Azure subscriptions associated with the same Entra ID tenant. The tenant handles the authentication and authorization for users accessing resources within those subscriptions. 

In essence: The Tenant (Directory) handles who can log in and access what. The Subscription handles the billing and management of the Azure resources themselves.

Azure AD Editions Unpacked: Free, Premium P1, and Premium P2 Features

Microsoft Entra ID comes in several editions, offering varying levels of functionality:

  • Free Edition: Included with Azure subscriptions and services like Microsoft 365. Provides core user and group management, basic security reports, B2B collaboration capabilities, and SSO for a limited number of applications per user. Suitable for basic identity needs. 
  • Microsoft 365 Apps Edition (Formerly Office 365 Edition): Included with certain Microsoft 365 subscriptions. Builds on Free with features like company branding for sign-in pages and basic MFA capabilities.
  • Premium P1 Edition: Offers more advanced features crucial for many organizations, including:
    • More sophisticated MFA options and Conditional Access policies.
    • Advanced group management (dynamic groups, naming policies).
    • Self-service password reset (SSPR) for cloud users.
    • Microsoft Entra Connect Health monitoring.
    • Advanced security reporting.
    • Application Proxy for publishing on-premises web apps.
  • Premium P2 Edition: Includes all features of P1 plus the most advanced security and identity governance capabilities:
    • Identity Protection (risk-based Conditional Access, automated risk detection and remediation).
    • Privileged Identity Management (PIM) for managing admin roles.
    • Access Reviews for governing access attestations.
    • Entitlement Management for managing access packages.

Choosing the right edition depends on your organization’s security, governance, and operational requirements.

The Basics of Azure AD Licensing: Assigning What You Need

Premium features (P1, P2) require licenses. Licenses are typically assigned on a per-user basis. 

  • Assignment: You can assign licenses manually through the Microsoft Entra admin center or the Microsoft 365 admin center. For larger organizations, group-based licensing is highly recommended. This allows you to assign licenses to a group, and any user added to that group automatically inherits the license. 
  • Requirement: Generally, if a user benefits from a premium feature (e.g., logs in using a Conditional Access policy requiring P1), they need the corresponding license. Microsoft’s licensing terms can be complex, so always consult the official documentation or your licensing provider for specifics. [Link to Microsoft Entra pricing page]

Managing Identities: Users, Groups, and Devices

These are the fundamental building blocks of your identity environment. Effective management is key.

Mastering User Account Lifecycles

User accounts represent individuals needing access to your organization’s resources. 

Creating, Updating, and Deleting Individual Users

  • Creation: Navigate to Identity > Users > All users > + New user. You can either:
    • Create user: Define a new cloud-only user entirely within Entra ID. You’ll specify details like name, username (User Principal Name or UPN, e.g., user@yourcompany.onmicrosoft.com), initial password, roles, usage location, etc.
    • Invite external user: Initiate the B2B collaboration process (covered later).
  • Updating: Select a user from the list to view their profile. You can edit properties, assign roles, manage licenses, reset passwords, configure authentication methods, and view their sign-in activity.
  • Deleting: Select a user and click ‘Delete’. Deleted users typically go into a ‘Deleted users’ area for 30 days, allowing for restoration before permanent deletion. Be cautious when deleting users, especially admin accounts.

Streamlining with Bulk User Operations (Import/Invite)

Managing users one by one isn’t efficient for large numbers. Entra ID supports bulk operations:

  • Bulk Create: Prepare a comma-separated value (.csv) file based on a template provided in the portal (Users > Bulk operations > Bulk create). Upload the file to create multiple users simultaneously.
  • Bulk Invite: Similar to bulk create, use a .csv file to invite multiple external B2B users at once. 
  • Bulk Delete: Use a .csv file containing the UPNs of users to delete them in bulk. 
  • PowerShell/Graph API: For more complex automation and scripting, Microsoft Graph API and the corresponding PowerShell modules (Microsoft.Graph.Identity.DirectoryManagement) offer powerful ways to manage users programmatically.

Understanding User Types: Members vs. Guests

  • Member: Typically represents internal employees or users belonging to your organization. They usually have full default permissions (unless restricted). Members authenticate against your home tenant. 
  • Guest: Represents external users (partners, vendors, contractors) invited into your tenant via the B2B collaboration feature. Guests usually authenticate using their home tenant credentials or another identity provider. They have restricted default permissions, configurable via External collaboration settings. 

Leveraging Groups for Smart Access Control

Groups are essential for managing access efficiently. Instead of assigning permissions or licenses to individual users, you assign them to groups.

Choosing the Right Group: Security vs. Microsoft 365

  • Security Groups: The primary type used for granting access permissions to resources (e.g., Azure resources, SharePoint sites, applications) and for applying policies (like Conditional Access or licensing). They can contain users and other security groups.
  • Microsoft 365 Groups: Designed for collaboration. Creating a Microsoft 365 group automatically provisions a shared set of resources like a SharePoint site, shared mailbox, Planner, OneNote notebook, etc. While they can also be used for granting access (they have an associated security principal), their main purpose is collaboration enablement. They can only contain users (not other groups).

Rule of Thumb: Use Security Groups for access control and policy assignment. Use Microsoft 365 Groups when you need shared collaboration resources.

Dynamic vs. Assigned Membership: Automating Group Management

Group membership determines who is part of the group:

  • Assigned: Administrators manually add or remove members. Simple and direct for static groups.
  • Dynamic User: (Requires Premium P1/P2) Membership is automatically managed based on user attributes (e.g., department, location, job title). You define rules (e.g., “all users in the ‘Sales’ department”). Users are automatically added or removed as their attributes change. Extremely powerful for automating access based on roles or properties.
  • Dynamic Device: (Requires Premium P1/P2) Similar to dynamic user, but membership is based on device attributes (e.g., OS type, device model). Useful for applying policies to specific types of devices.
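To make the rule syntax concrete, here is a small added evaluator (not Microsoft's implementation) that parses a dynamic membership rule such as the page's “all users in the ‘Sales’ department” and recomputes membership from user attributes, so you can watch members drop in and out as attributes change. It supports only the -eq, -ne, -contains and -startsWith operators with and/or/not and parentheses, assumes case-insensitive string comparison and that 'and' binds tighter than 'or' (parenthesize real rules instead), and the user records are constructed sample data.

```python
"""Toy evaluator for Entra ID dynamic group membership rules (added example, not
Microsoft's engine). Supports -eq, -ne, -contains, -startsWith, and/or/not and
parentheses. Simplifying assumptions: string comparisons are case-insensitive
and 'and' binds tighter than 'or' (parenthesize real rules instead)."""
import re
from typing import Any, Dict, List

TOKEN_RE = re.compile(r'''\s*(?:(?P<lparen>\()|(?P<rparen>\))|(?P<string>"[^"]*")
  |(?P<op>-(?:eq|ne|contains|startsWith))|(?P<kw>and|or|not|true|false|null)(?![\w.])
  |(?P<prop>user\.\w+))''', re.X)
LITERALS = {"true": True, "false": False, "null": None}
OPS = {
    "-eq": lambda a, e: a == e,
    "-ne": lambda a, e: a != e,
    "-contains": lambda a, e: isinstance(a, str) and e in a,
    "-startsWith": lambda a, e: isinstance(a, str) and a.startswith(e),
}

def tokenize(rule: str) -> List[tuple]:
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        match = TOKEN_RE.match(rule, pos)
        if not match:  # e.g. an operator this toy does not implement
            raise ValueError(f"unsupported syntax near {rule[pos:pos + 12]!r}")
        tokens.append((match.lastgroup, match.group(match.lastgroup)))
        pos = match.end()
    return tokens

class Parser:
    """Recursive descent: or_expr -> and_expr -> unary (not / parens) -> comparison."""
    def __init__(self, tokens: List[tuple]):
        self.toks, self.i = tokens, 0
    def peek(self) -> tuple:
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind: str = None) -> Any:
        found, text = self.peek()
        if found is None or (kind and found != kind):
            raise ValueError(f"expected {kind or 'a token'}, got {text!r}")
        self.i += 1
        return text
    def or_expr(self) -> tuple:
        node = self.and_expr()
        while self.peek() == ("kw", "or"):
            self.take()
            node = ("or", node, self.and_expr())
        return node
    def and_expr(self) -> tuple:
        node = self.unary()
        while self.peek() == ("kw", "and"):
            self.take()
            node = ("and", node, self.unary())
        return node
    def unary(self) -> tuple:
        if self.peek() == ("kw", "not"):
            self.take()
            return ("not", self.unary())
        if self.peek()[0] == "lparen":
            self.take()
            node = self.or_expr()
            self.take("rparen")
            return node
        prop, op = self.take("prop"), self.take("op")
        kind, text = self.peek()
        if kind == "string":
            return ("cmp", prop, op, self.take()[1:-1])
        if kind == "kw" and text in LITERALS:
            return ("cmp", prop, op, LITERALS[self.take()])
        raise ValueError(f"unsupported value {text!r}")

def _norm(value: Any) -> Any:
    return value.lower() if isinstance(value, str) else value  # case-insensitive (assumption)

def evaluate(node: tuple, user: Dict[str, Any]) -> bool:
    """Evaluate a parsed rule against one user's attribute dictionary."""
    kind = node[0]
    if kind == "not":
        return not evaluate(node[1], user)
    if kind in ("and", "or"):
        left, right = evaluate(node[1], user), evaluate(node[2], user)
        return (left and right) if kind == "and" else (left or right)
    _, prop, op, expected = node
    actual = user.get(prop.split(".", 1)[1])  # attribute not set on this user -> None
    return OPS[op](_norm(actual), _norm(expected))

def members(rule: str, users: List[Dict[str, Any]]) -> List[str]:
    """Recompute the dynamic group's membership from the users' current attributes."""
    parser = Parser(tokenize(rule))
    tree = parser.or_expr()
    if parser.peek()[0] is not None:
        raise ValueError(f"unexpected {parser.peek()[1]!r}")
    return sorted(u["userPrincipalName"] for u in users if evaluate(tree, u))

SALES_RULE = '(user.department -eq "Sales") and (user.accountEnabled -eq true)'  # page's example
USERS = [  # constructed sample directory
    {"userPrincipalName": "alice@contoso.example", "department": "Sales", "accountEnabled": True, "country": "DE", "jobTitle": "Account Executive"},
    {"userPrincipalName": "bob@contoso.example", "department": "Sales", "accountEnabled": False, "country": "US", "jobTitle": "Sales Manager"},
    {"userPrincipalName": "carol@contoso.example", "department": "Engineering", "accountEnabled": True, "country": "FR", "jobTitle": "Intern Developer"},
]

if __name__ == "__main__":
    print(members(SALES_RULE, USERS))  # alice only: bob is disabled, carol is not in Sales
    USERS[2]["department"] = "Sales"   # an attribute change moves carol in automatically
    print(members(SALES_RULE, USERS))
```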

Best Practices for Group Creation and Management

  • Clear Naming Convention: Use consistent prefixes or suffixes to indicate group type, purpose, or resource (e.g., SG-App-Salesforce-Users, M365-ProjectAlpha-Members).
  • Use Descriptions: Clearly state the group’s purpose in the description field.
  • Leverage Dynamic Groups: Automate membership where possible to reduce administrative overhead and improve accuracy. 
  • Avoid Excessive Nesting: While group nesting (adding groups within groups) is supported for Security Groups, deep nesting can complicate permission troubleshooting.
  • Regular Review: Periodically review group memberships and purpose, especially for groups granting high privileges. Access Reviews (P2 feature) can automate this.

Integrating and Managing Device Identities

Devices (laptops, desktops, mobile phones) are endpoints that access organizational resources. Managing their identity within Entra ID enhances security and enables features like Conditional Access based on device state.

Device States Explained: Registered, Azure AD Joined, Hybrid Joined

  • Microsoft Entra Registered (Workplace Joined): Primarily for Bring Your Own Device (BYOD) scenarios. Users sign into the device with a personal account but register it with Entra ID to access specific company resources (like email or certain apps). Enables basic device signals for Conditional Access. Minimal organizational control. 
  • Microsoft Entra Joined: Devices are joined directly to your Entra ID tenant. Users sign in with their organizational (Entra ID) credentials. Provides strong organizational control, management via MDM (like Intune), and enables SSO to cloud apps. Ideal for cloud-first organizations or corporate-owned devices used remotely.
  • Microsoft Entra Hybrid Joined: Devices are joined to your on-premises Active Directory Domain Services (AD DS) and registered with Microsoft Entra ID (typically via Entra Connect). Users sign in with their on-premises AD credentials. Allows organizations to leverage existing AD investments while benefiting from cloud features like Conditional Access. Common during transitions to the cloud or where on-premises AD management is still required.

Viewing and Managing Device Objects

Navigate to Identity > Devices > All devices. Here you can:

  • View all registered, joined, and hybrid joined devices.
  • See details like OS, join type, owner, compliance status (if managed by Intune), activity timestamp.
  • Enable, disable, or delete device objects (use with caution!). Disabling prevents the device from authenticating/accessing resources.
  • Configure Device Settings (e.g., restricting who can join devices, requiring MFA for join/registration).

Connecting the Ecosystem: Application Integration & SSO

One of the most powerful features of Entra ID is its ability to act as a central identity provider for thousands of applications, both cloud-based (SaaS) and on-premises.

App Registrations vs. Enterprise Apps: What’s the Difference?

This distinction often causes confusion:

  • App Registrations (Identity > Applications > App registrations): This is primarily for developers building custom applications (web apps, APIs, mobile apps) that need to integrate with the Microsoft identity platform (Entra ID) for authentication and authorization. When you register an app, you define its identity configuration (like redirect URIs, secrets/certificates for authentication) and specify the permissions (API scopes) it needs to access resources like Microsoft Graph or other APIs.
  • Enterprise Applications (Identity > Applications > Enterprise applications): This represents an instance or service principal of an application within your tenant that users can sign into. It defines how users in your tenant access a specific application (either custom-developed or pre-integrated SaaS app) and what policies apply (like SSO configuration, user assignment, Conditional Access).
    • When you add a pre-integrated SaaS app from the gallery (like Salesforce, ServiceNow, Slack), an Enterprise Application (service principal) is created automatically.
    • When you register a custom app (App Registration), an Enterprise Application (service principal) is also automatically created in the tenant where it was registered, allowing you to manage user access and policies for that custom app.

Think of it this way: App Registration is the application’s global identity definition. Enterprise Application is the application’s local presence and access policy configuration within your specific tenant.

Adding Gallery SaaS Apps: Simplified Enterprise Application Setup

Entra ID features a gallery containing thousands of pre-integrated SaaS applications.

  • Adding: Navigate to Enterprise applications > + New application > Browse Azure AD Gallery. Search for the app (e.g., “Salesforce”), select it, and click ‘Create’ (or ‘Add’).
  • Benefits: The gallery simplifies integration by pre-configuring many settings required for SSO and user provisioning (where supported by the app). 

Enabling Seamless Access: Implementing Single Sign-On (SSO) with SAML/OIDC

SSO allows users to sign in once with their Entra ID credentials and access multiple integrated applications without re-entering passwords.  

  • Configuration: Within the Enterprise Application settings (Manage > Single sign-on), you can configure SSO. Common protocols include:
    • SAML (Security Assertion Markup Language): Widely used standard for exchanging authentication and authorization data between identity providers (Entra ID) and service providers (SaaS app). Requires configuration in both Entra ID and the application’s admin console (exchanging metadata URLs, signing certificates). 
    • OpenID Connect (OIDC) / OAuth 2.0: Modern standards often used by newer web and mobile applications. Configuration typically involves providing client IDs, secrets/certificates, and redirect URIs.
    • Password-based SSO: Entra ID securely stores application credentials and replays them during sign-in (usually via a browser extension). Less secure than SAML/OIDC, used as a fallback when federation isn’t supported.
  • Setup: The specific steps vary per application, but Entra ID provides detailed tutorials for most gallery apps.

Controlling Access: Managing Application Permissions and User Consent

  • User Assignment: In the Enterprise Application settings (Manage > Users and groups), you can control who can access the application. You can assign individual users or, preferably, groups. You can set assignment as ‘Required’ to restrict access only to assigned users/groups.
  • Permissions & Consent (Primarily for App Registrations): When applications (especially custom ones via App Registrations) need to access data via APIs like Microsoft Graph, they request specific permissions (scopes).
    • Delegated Permissions: App acts on behalf of the signed-in user (e.g., read user’s mail). Requires user consent or admin consent.
    • Application Permissions: App acts on its own identity (e.g., runs as a background service reading all user profiles). Always requires administrator consent.
    • Admin Consent Workflow: You can configure Entra ID to allow users to request admin consent for permissions they cannot grant themselves (Enterprise applications > Consent and permissions > Admin consent settings).

Fortifying Your Tenant: Essential Security Measures

Entra ID provides a rich set of security features to protect identities and resources.

Your First Line of Defense: Implementing Multi-Factor Authentication (MFA)

MFA adds a crucial layer of security by requiring users to provide two or more verification factors during sign-in. It significantly reduces the risk of compromise from stolen credentials. 

  • Verification Methods: Common methods include:
    • Microsoft Authenticator app (push notification or verification code) – Recommended
    • SMS text message code
    • Phone call verification
    • FIDO2 security keys (most secure)
    • OATH hardware/software tokens

Enabling MFA:

    • Security Defaults: A baseline policy set enabled by default in newer tenants, requiring MFA for admins and sometimes users under certain conditions. Good starting point, but limited customization. 
    • Conditional Access Policies (Recommended – Requires P1/P2): The most flexible and powerful way. Allows you to require MFA based on specific conditions (users, apps, locations, risk). 
    • Per-User MFA (Legacy): Older method, generally discouraged in favor of Conditional Access or Security Defaults.

Configuration: Manage MFA settings under Protection > Multifactor authentication. Configure allowed methods, trusted IPs (use with caution), app passwords (legacy), etc.

Granular Control with Conditional Access Policies

Conditional Access (CA) is the core policy engine in Entra ID (Requires P1/P2). It acts as an “If-Then” statement: If a user tries to access a resource under certain conditions, Then apply specific access controls. 

Defining Smart Conditions (Who, What, Where, When, How)

Assignments (Who, What):

    • Users and groups: Target specific users, groups, or directory roles (or exclude them). 
    • Cloud apps or actions: Target specific applications, user actions (like registering security info), or all cloud apps.

Conditions (Where, When, How):

    • Device platforms: Target specific OS types (Windows, iOS, Android, macOS).
    • Locations: Target based on IP address ranges (e.g., trusted corporate network vs. unknown locations).  
    • Client apps: Differentiate between browser access, mobile apps, and legacy authentication clients.
    • Device state: Target based on whether a device is Hybrid Joined, Entra Joined, or marked as compliant by Intune.
    • Sign-in risk (Requires P2 / Identity Protection): Target based on real-time risk detected during sign-in (e.g., anonymous IP, malware-linked IP).  
    • User risk (Requires P2 / Identity Protection): Target based on the user’s overall risk score (e.g., leaked credentials detected).  

Setting Precise Access Controls (Block, Grant, Require MFA)

Based on the conditions met, you define the access controls:

  • Block access: Deny access completely. Use carefully, often for high-risk scenarios (e.g., block legacy authentication, block access from untrusted locations for admins).
  • Grant access: Allow access, but require one or more controls to be met:
    • Require multifactor authentication: Enforce MFA.
    • Require device to be marked as compliant: Enforce Intune compliance.
    • Require Microsoft Entra hybrid joined device: Ensure device is known on-premises.
    • Require approved client app: Limit access to specific approved applications.  
    • Require app protection policy: Enforce Intune App Protection Policies (MAM).
    • Require password change: Force a password reset (often used with risk policies).
    • Require terms of use: Make users accept specific terms.
  • Session Controls: Apply limitations within the session (e.g., limit session lifetime, enforce app-enforced restrictions). 

Best Practice: Start with baseline policies (e.g., require MFA for admins, block legacy auth), use report-only mode to test impact, and incrementally add more granular policies. 
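The If-Then model can be exercised offline. The following added example (not Microsoft's engine) encodes the baseline this section recommends, then evaluates sample sign-ins against it, showing how exclusions, report-only mode, the sign-in risk condition and the union of grant controls combine into block, grant or an MFA challenge. Policy names, users, apps and locations are constructed.

```python
"""Model of Conditional Access as If-Then policies (added example, not Microsoft's
engine). Assignments pick who/what, conditions narrow where/how, and the access
controls say block, or grant only once MFA / device requirements are met. Policies
in report-only mode are evaluated but never enforced. All names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

RISK_LEVEL = {"none": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class SignIn:
    """Context of one sign-in attempt (constructed sample values)."""
    user: str
    app: str
    roles: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    client_app: str = "browser"                  # browser | mobileApp | legacy
    location: str = "unknown"                    # named location, e.g. corp-net
    device_state: Set[str] = field(default_factory=set)  # compliant, hybridJoined
    sign_in_risk: str = "none"                   # from Identity Protection (P2)
    mfa_satisfied: bool = False                  # MFA already done this session

@dataclass
class Policy:
    """One If-Then policy. A condition left as None is 'not configured' and
    therefore matches every sign-in, as it does in the admin center."""
    name: str
    state: str = "enabled"                       # enabled | reportOnly | disabled
    users: Set[str] = field(default_factory=lambda: {"All"})
    roles: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    exclude_users: Set[str] = field(default_factory=set)
    apps: Set[str] = field(default_factory=lambda: {"All"})
    client_apps: Optional[Set[str]] = None
    locations: Optional[Set[str]] = None         # e.g. {"Any"} plus exclude_locations
    exclude_locations: Set[str] = field(default_factory=set)
    min_sign_in_risk: Optional[str] = None       # "medium" matches medium and high
    block: bool = False
    grant_controls: Set[str] = field(default_factory=set)

GRANT_CHECKS = {
    "mfa": lambda s: s.mfa_satisfied,
    "compliantDevice": lambda s: "compliant" in s.device_state,
    "hybridJoined": lambda s: "hybridJoined" in s.device_state,
}

def in_scope(p: Policy, s: SignIn) -> bool:
    """Does this sign-in match the policy's assignments and conditions?"""
    if p.state == "disabled" or s.user in p.exclude_users:  # exclusions always win
        return False
    targeted = ("All" in p.users or s.user in p.users
                or bool(p.roles & s.roles) or bool(p.groups & s.groups))
    if not targeted or ("All" not in p.apps and s.app not in p.apps):
        return False
    if p.client_apps is not None and s.client_app not in p.client_apps:
        return False
    if s.location in p.exclude_locations:
        return False
    if p.locations is not None and "Any" not in p.locations and s.location not in p.locations:
        return False
    if p.min_sign_in_risk is not None:
        return RISK_LEVEL[s.sign_in_risk] >= RISK_LEVEL[p.min_sign_in_risk]
    return True

def evaluate(policies: List[Policy], s: SignIn) -> Dict:
    """Combine every matching policy: any block wins; otherwise every grant
    control from every matching policy must be satisfied (else: challenge)."""
    applied, report_only, required, blocked = [], [], set(), False
    for p in policies:
        if not in_scope(p, s):
            continue
        if p.state == "reportOnly":  # record what would happen, enforce nothing
            effect = "block" if p.block else "require " + ", ".join(sorted(p.grant_controls))
            report_only.append(f"{p.name}: would {effect}")
            continue
        applied.append(p.name)
        blocked = blocked or p.block
        required |= p.grant_controls
    unmet = set() if blocked else {c for c in required if not GRANT_CHECKS[c](s)}
    outcome = "block" if blocked else ("challenge" if unmet else "grant")
    return {"outcome": outcome, "applied": applied, "unmet": sorted(unmet), "report_only": report_only}

# Constructed baseline following the page's advice: MFA for admins, block legacy auth,
# keep admins on the trusted network (with an excluded emergency account), pilot in report-only.
BASELINE = [
    Policy("CA001 Block legacy authentication", client_apps={"legacy"}, block=True),
    Policy("CA002 Require MFA for admins", users=set(), roles={"Global Administrator"},
           grant_controls={"mfa"}),
    Policy("CA003 Block admins outside trusted locations", users=set(),
           roles={"Global Administrator"}, locations={"Any"}, exclude_locations={"corp-net"},
           exclude_users={"emergency-access@contoso.example"}, block=True),
    Policy("CA004 Risky sign-ins require MFA", min_sign_in_risk="medium", grant_controls={"mfa"}),
    Policy("CA005 Require compliant device (pilot)", state="reportOnly",
           grant_controls={"compliantDevice"}),
]

if __name__ == "__main__":
    admin = SignIn("admin@contoso.example", "Azure portal", roles={"Global Administrator"},
                   location="corp-net", mfa_satisfied=True)
    print(evaluate(BASELINE, admin))  # grant; CA005 shows up under report_only
```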

Proactive Security: Exploring Azure AD Identity Protection (Risk Management)

Identity Protection (Requires P2) uses Microsoft’s vast threat intelligence signals to detect risky sign-ins and users whose credentials might be compromised. 

Risk Detections: Identifies various risks like:

    • Anonymous IP address usage
    • Atypical travel
    • Malware linked IP address
    • Leaked credentials found online
    • Password spray attacks
    • Sign-ins from infected devices

Risk Policies: You can configure policies to automatically respond to detected risks:

    • User risk policy: Targets users deemed ‘at risk’ (e.g., leaked credentials). Can force a secure password reset.
    • Sign-in risk policy: Targets sign-ins deemed risky (e.g., anonymous IP). Can require MFA or block access.

Reporting: Provides detailed reports on risky users, risky sign-ins, and risk detections for investigation.

Identity Protection works closely with Conditional Access, allowing you to use ‘User risk’ and ‘Sign-in risk’ as conditions in your CA policies for fine-grained control.

Least Privilege in Action: Managing Administrative Roles (Built-in & Custom)

Granting excessive permissions is a major security risk. Entra ID uses a Role-Based Access Control (RBAC) model.

  • Built-in Roles: Entra ID provides numerous built-in roles with predefined permission sets (e.g., Global Administrator, User Administrator, Helpdesk Administrator, Application Administrator, Conditional Access Administrator). Assign the role that grants only the necessary permissions for a task (principle of least privilege). Avoid overusing the Global Administrator role. 
  • Custom Roles (Requires P1/P2): If built-in roles aren’t granular enough, you can create custom roles by selecting specific permissions relevant to Entra ID management tasks.
  • Assignment: Roles can be assigned directly to users or, preferably, to groups (Requires P2 for group assignment eligibility configuration). Assign roles with a specific scope where applicable (e.g., administrative units – P1/P2).

Elevating Security: Just-in-Time Access with Privileged Identity Management (PIM)

Privileged Identity Management (PIM) (Requires P2) provides time-based and approval-based role activation to mitigate risks associated with persistent administrator permissions.

Core Features:

    • Eligible Assignments: Users are made eligible for a role but don’t have the permissions permanently.
    • Activation: To use the role, the eligible user must explicitly activate it for a limited time (e.g., 4 hours). 
    • Justification & Approval: Activation can require justification, MFA, and/or approval from designated approvers. 
    • Access Reviews: Schedule regular reviews to ensure users still need eligibility for privileged roles.
    • Auditing: Provides detailed logs of role assignments and activations.

Usage: PIM should be used to manage eligibility and activation for highly privileged roles like Global Administrator, Security Administrator, Exchange Administrator, etc. It dramatically reduces the exposure window for privileged accounts.

Bridging Worlds: Hybrid Identity with Azure AD Connect

For organizations with existing on-premises Active Directory Domain Services (AD DS), hybrid identity allows seamless integration between on-premises AD and cloud-based Entra ID. Microsoft Entra Connect is the primary tool for achieving this.

Understanding Hybrid Identity Concepts

Hybrid identity synchronizes identity objects (users, groups) from your on-premises AD DS to Microsoft Entra ID. This enables users to use their familiar on-premises credentials to access cloud resources (SSO) and allows centralized management where appropriate. 

Choosing Your Authentication Method: PHS, PTA, or Federation?

When setting up Entra Connect, you must choose how users authenticate when accessing cloud resources:

Password Hash Synchronization (PHS) – Recommended: Entra Connect synchronizes a hash of the user’s on-premises AD password hash to Entra ID. Entra ID handles the cloud authentication directly.

  • Pros: Simple, reliable, enables leaked credential detection (P2), seamless SSO. No reliance on on-premises infrastructure for cloud sign-ins after sync.
  • Cons: Password changes made directly in the cloud don’t sync back by default (requires password writeback, a Premium feature).

Pass-through Authentication (PTA): Entra ID redirects the authentication request back to a lightweight agent installed on-premises, which validates the user’s credentials directly against the on-premises AD DS.

  • Pros: No password hashes stored in the cloud. Enforces on-premises policies (like account lockout, sign-on hours) in real-time.
  • Cons: Relies on connectivity to the on-premises agents for cloud sign-ins. Slightly more complex setup than PHS.

Federation (e.g., with AD FS – Active Directory Federation Services): Entra ID redirects authentication to a separate on-premises federation server (like AD FS). The federation server handles the authentication and issues a security token back to Entra ID.

  • Pros: Supports complex authentication scenarios, allows full control over the authentication process on-premises.
  • Cons: Most complex to set up and maintain, requires significant on-premises infrastructure (AD FS servers, proxies), single point of failure if federation farm goes down. Generally less favored now unless specific requirements dictate it.

PHS is the most commonly recommended method due to its simplicity, resilience, and compatibility with cloud-native security features.

Step-by-Step: Installing and Configuring Azure AD Connect Sync

Setting up Entra Connect involves installing the software on a domain-joined server (Windows Server) and running through the configuration wizard: 

  1. Download: Get the latest version of Microsoft Entra Connect from the Microsoft Download Center.
  2. Prerequisites: Ensure the server meets requirements (OS version, .NET Framework, PowerShell) and you have necessary credentials (Entra ID Global Admin, on-premises AD Enterprise Admin).
  3. Installation: Run the installer. Choose ‘Express Settings’ for simple, single-forest scenarios with PHS, or ‘Customize’ for more complex setups (multiple forests, specific OUs, PTA/Federation, feature selection).
  4. Connect Directories: Provide credentials for both Entra ID and your on-premises AD DS forest(s).
  5. Configure Sign-In: Choose your desired authentication method (PHS, PTA, Federation).
  6. Domain/OU Filtering: Select which domains and Organizational Units (OUs) you want to synchronize to Entra ID. Sync only the OUs you need, and keep on-premises privileged accounts (Domain Admins, Enterprise Admins, highly privileged service accounts) in OUs that are not synced: a synced account that also holds a cloud administrator role turns an on-premises compromise into a tenant compromise.
  7. Optional Features: Select features like Password Writeback, Group Writeback, Device Writeback, Exchange Hybrid deployment support, etc., based on your needs and licenses.
  8. Install & Configure: The wizard installs the sync engine service and configures the initial synchronization.
  9. Verification: After installation, check the Synchronization Service Manager console on the server and the Microsoft Entra admin center to ensure synchronization is occurring without errors. Monitor using Microsoft Entra Connect Health (P1 feature).
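The checks a practitioner would actually run once the wizard finishes, as an added example that is not part of this tutorial or of the Entra Connect product: confirm the scheduler state, kick off a delta sync, find on-premises privileged accounts that fall inside a synced OU, and confirm that no synchronized account holds a cloud directory role. The OU list is hypothetical, and the cloud-side loop assumes the Microsoft.Graph PowerShell module is installed and the signed-in account has Directory.Read.All consent.

```powershell
# Added example: post-installation checks for a Microsoft Entra Connect server.
# Run in an elevated PowerShell session on the Connect server (ADSync module) and,
# for the cloud-side check, anywhere the Microsoft.Graph module is installed.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Scheduler state: is sync enabled, and is this server active rather than staging?
$sched = Get-ADSyncScheduler
"Sync enabled: $($sched.SyncCycleEnabled)  Staging mode: $($sched.StagingModeEnabled)  Next run (UTC): $($sched.NextSyncCycleStartTimeInUTC)"

# 2. Trigger a delta sync now instead of waiting for the default 30-minute cycle,
#    unless a cycle is already running.
if ($sched.SyncCycleInProgress) {
    'A sync cycle is already in progress; skipping Start-ADSyncSyncCycle.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    'Delta sync requested.'
}

# 3. OUs selected in the wizard (assumption: replace with the OUs you actually chose).
$syncedOUs = @(
    'OU=Users,OU=Corp,DC=contoso,DC=com',
    'OU=Contractors,OU=Corp,DC=contoso,DC=com'
)

# 4. Privileged on-premises accounts inside a synced OU. adminCount=1 is set on members
#    of protected groups (Domain Admins, Enterprise Admins, ...). It is never cleared
#    automatically, so a hit may be historical; verify membership before acting.
$privileged = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, Enabled
$inScope = $privileged | Where-Object {
    $dn = $_.DistinguishedName
    $syncedOUs | Where-Object { $dn -like "*,$_" }   # matches nested OUs as well
}
if ($inScope) {
    'WARNING: privileged on-premises accounts are in a synced OU:'
    $inScope | Select-Object SamAccountName, Enabled, DistinguishedName | Format-Table -AutoSize
}

# 5. Cloud side: no synchronized (onPremisesSyncEnabled) account should hold an active
#    Entra directory role. PIM-eligible assignments are not returned by this call.
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $u = Get-MgUser -UserId $member.Id -Property UserPrincipalName, OnPremisesSyncEnabled
        if ($u.OnPremisesSyncEnabled) {
            "WARNING: synced account $($u.UserPrincipalName) holds cloud role '$($role.DisplayName)'"
        }
    }
}
```

Accounts reported by step 4 belong in an OU that is excluded from sync; accounts reported by step 5 should have their role moved to a cloud-only administrative account.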

Extending Collaboration: Managing External Identities

Entra ID allows you to securely collaborate with users outside your organization.

Secure Collaboration: Inviting and Managing B2B Guest Users

Azure AD B2B (Business-to-Business) collaboration lets you invite external users (partners, vendors, contractors) into your tenant to access specific applications or resources while they use their own credentials. 

Invitation Process:

    • Invite users individually via the Entra admin center (Users > + New user > Invite external user).
    • Invite users in bulk using a .csv file.
    • Enable self-service sign-up flows for specific applications.
    • Use Entitlement Management (P2) access packages for governed B2B access. 

Authentication: Invited users typically authenticate using their home organization’s credentials (if their org uses Entra ID or is federated), a Microsoft Account, or a one-time passcode sent via email if other methods aren’t available.

Permissions: Guest users have restricted permissions by default. You control their access by adding them to groups, assigning them directly to applications, and configuring external collaboration settings (External Identities > External collaboration settings).

Lifecycle Management: Implement processes for reviewing guest access (e.g., using Access Reviews) and removing guests when collaboration ends.
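A scripted version of that review, as an added example that is not part of this tutorial: it lists every guest, classifies the ones whose invitation was never redeemed, who never signed in, or who have not signed in for a long time, and only deletes them when the script is run with -Remove. The 30-day and 90-day thresholds are assumptions. Reading signInActivity requires a P1 or P2 licence and the AuditLog.Read.All permission; deleting users requires User.ReadWrite.All and the User Administrator role (or higher).

```powershell
# Added example: find and optionally remove stale B2B guests with Microsoft Graph PowerShell.
param([switch]$Remove)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All' -NoWelcome

$now               = [DateTime]::UtcNow
$inviteTimeoutDays = 30   # assumption: unredeemed invitations older than this are stale
$staleDays         = 90   # assumption: no sign-in in this many days means the collaboration ended

# Page through all guests by hand so the signInActivity projection is honoured on every page.
$uri = 'https://graph.microsoft.com/v1.0/users?$filter=userType eq ''Guest''' +
       '&$select=id,userPrincipalName,mail,externalUserState,createdDateTime,signInActivity&$top=999'
$guests = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $guests += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

$findings = foreach ($g in $guests) {
    $ageDays  = ($now - ([DateTime]$g.createdDateTime).ToUniversalTime()).TotalDays
    $lastSeen = $g.signInActivity.lastSignInDateTime   # null when the guest never signed in
    $reason = if ($g.externalUserState -eq 'PendingAcceptance' -and $ageDays -gt $inviteTimeoutDays) {
        'invitation never redeemed'
    } elseif (-not $lastSeen -and $ageDays -gt $staleDays) {
        'never signed in'
    } elseif ($lastSeen -and ($now - ([DateTime]$lastSeen).ToUniversalTime()).TotalDays -gt $staleDays) {
        'last sign-in ' + ([DateTime]$lastSeen).ToString('yyyy-MM-dd')
    }
    if ($reason) {
        [pscustomobject]@{
            UserPrincipalName = $g.userPrincipalName
            Mail              = $g.mail
            Reason            = $reason
            Id                = $g.id
        }
    }
}

$findings | Format-Table UserPrincipalName, Mail, Reason -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Deleted users stay in the recycle bin for 30 days and can be brought back with
        # Restore-MgDirectoryDeletedItem if a removal turns out to be wrong.
        Remove-MgUser -UserId $f.Id
        "Removed $($f.UserPrincipalName) ($($f.Reason))"
    }
}
```

Run it without -Remove first and share the list with the sponsors of the guests; an Access Review gives you the same decision with an audit trail, and this script is the fallback where Access Reviews are not licensed.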

Customer Identity Management: An Introduction to Azure AD B2C

While B2B focuses on collaboration with external partners, Azure AD B2C (Business-to-Consumer) is a separate service designed for building customer-facing applications.

Purpose: Provides Identity-as-a-Service for your customer applications (web, mobile). Allows customers to sign up, sign in, and manage their profiles using social accounts (Facebook, Google), local accounts (email/username + password), or enterprise identity providers.

Key Differences from B2B:

    • B2C is a separate service with its own tenant type and pricing model (based on Monthly Active Users – MAU).
    • Highly customizable user interfaces and user journeys (sign-up/sign-in policies). 
    • Designed for large scale (millions of users).

Note: This tutorial focuses on the core Microsoft Entra ID (Azure AD) used for organizational identities (employees, B2B), not the separate B2C service.

Keeping Watch: Monitoring, Reporting, and Troubleshooting

Monitoring the health and activity within your Entra ID tenant is crucial for security and operations.

Gaining Visibility: Analyzing Audit Logs and Sign-in Reports

Navigate to Identity > Monitoring & health.

  • Audit Logs: Record administrative actions performed in your tenant – who did what, when, and to which resource (e.g., user created, policy changed, application added). Essential for tracking changes and security investigations. Logs can be filtered, sorted, and exported. 
  • Sign-in Logs: Record interactive and non-interactive user sign-in attempts to Entra ID and integrated applications. Shows details like user, application, location, IP address, device, success/failure status, MFA requirement, Conditional Access policies applied. Crucial for troubleshooting access issues and identifying suspicious activity. 

Retention: Log retention periods vary by license (Free and Microsoft 365 Apps: 7 days; P1/P2: 30 days). For longer retention and for correlation with other telemetry, use Diagnostic settings (Monitoring & health > Diagnostic settings) to stream audit and sign-in logs to a Log Analytics workspace, a storage account, or an event hub, or onboard them into a security information and event management (SIEM) system such as Microsoft Sentinel. The destination resource lives in an Azure subscription, so forwarding needs one even if you use no other Azure services.
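What "identifying suspicious activity" in the sign-in logs looks like in practice, as an added example that is not part of this tutorial: the records below are constructed for the example and shaped like the Microsoft Graph signIn resource (the same fields Get-MgAuditLogSignIn returns and that land in the SigninLogs table in Log Analytics or Sentinel). The two functions flag a password spray (one source IP failing credentials against several distinct users, with any success from the same source being the signal to act on) and sign-ins over legacy protocols that bypass MFA and Conditional Access. The user names, IP addresses and timestamps are made up; the error codes are the real Entra codes for bad password (50126), unknown user (50034) and locked-out account (50053).

```powershell
# Added example: detection logic over Entra ID sign-in log records.
# Constructed sample records (not real data); replace with
#   $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge 2024-05-01T00:00:00Z" -All
# for live data. PowerShell property access is case-insensitive, so the same code works
# on the SDK objects (Status.ErrorCode, IpAddress, ...) as on the JSON below.
$sampleJson = @'
[
 {"createdDateTime":"2024-05-01T08:00:01Z","userPrincipalName":"alice@contoso.com","ipAddress":"203.0.113.10","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Authenticated SMTP","status":{"errorCode":50126,"failureReason":"Error validating credentials due to invalid username or password."},"conditionalAccessStatus":"notApplied"},
 {"createdDateTime":"2024-05-01T08:00:03Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.10","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Authenticated SMTP","status":{"errorCode":50126,"failureReason":"Error validating credentials due to invalid username or password."},"conditionalAccessStatus":"notApplied"},
 {"createdDateTime":"2024-05-01T08:00:05Z","userPrincipalName":"carol@contoso.com","ipAddress":"203.0.113.10","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Authenticated SMTP","status":{"errorCode":50034,"failureReason":"The user account does not exist in the directory."},"conditionalAccessStatus":"notApplied"},
 {"createdDateTime":"2024-05-01T08:00:07Z","userPrincipalName":"dave@contoso.com","ipAddress":"203.0.113.10","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Authenticated SMTP","status":{"errorCode":50126,"failureReason":"Error validating credentials due to invalid username or password."},"conditionalAccessStatus":"notApplied"},
 {"createdDateTime":"2024-05-01T08:00:09Z","userPrincipalName":"dave@contoso.com","ipAddress":"203.0.113.10","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Authenticated SMTP","status":{"errorCode":0,"failureReason":"Other."},"conditionalAccessStatus":"notApplied"},
 {"createdDateTime":"2024-05-01T08:15:00Z","userPrincipalName":"alice@contoso.com","ipAddress":"198.51.100.5","appDisplayName":"Microsoft 365 portal","clientAppUsed":"Browser","status":{"errorCode":0,"failureReason":"Other."},"conditionalAccessStatus":"success"},
 {"createdDateTime":"2024-05-01T08:16:00Z","userPrincipalName":"alice@contoso.com","ipAddress":"198.51.100.5","appDisplayName":"Microsoft 365 portal","clientAppUsed":"Browser","status":{"errorCode":50126,"failureReason":"Error validating credentials due to invalid username or password."},"conditionalAccessStatus":"notApplied"},
 {"createdDateTime":"2024-05-01T09:00:00Z","userPrincipalName":"eve@contoso.com","ipAddress":"192.0.2.77","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Exchange ActiveSync","status":{"errorCode":0,"failureReason":"Other."},"conditionalAccessStatus":"notApplied"}
]
'@
$signIns = $sampleJson | ConvertFrom-Json

$credentialFailures = 50126, 50034, 50053                   # bad password, no such user, locked out
$modernClients      = 'Browser', 'Mobile Apps and Desktop clients'   # everything else is legacy auth

function Find-PasswordSpray {
    # One source IP, credential failures against at least $MinUsers distinct accounts.
    param($SignIns, [int]$MinUsers = 3)
    $SignIns | Group-Object ipAddress | ForEach-Object {
        $fails = @($_.Group | Where-Object { $_.status.errorCode -in $credentialFailures })
        $users = @($fails | ForEach-Object userPrincipalName | Sort-Object -Unique)
        if ($users.Count -ge $MinUsers) {
            [pscustomobject]@{
                IpAddress     = $_.Name
                TargetedUsers = $users.Count
                Failures      = $fails.Count
                # A success from a spraying source means a password was guessed: reset it,
                # revoke sessions, and review what that account did afterwards.
                Successes     = @($_.Group | Where-Object { $_.status.errorCode -eq 0 }).Count
            }
        }
    }
}

function Find-LegacyAuth {
    # Legacy protocols (SMTP AUTH, IMAP, POP, ActiveSync, ...) cannot prompt for MFA.
    param($SignIns)
    $SignIns | Where-Object { $_.clientAppUsed -notin $modernClients }
}

'== Possible password spray (expected: 203.0.113.10, 4 users, 4 failures, 1 success) =='
Find-PasswordSpray -SignIns $signIns | Format-Table -AutoSize

'== Legacy authentication (expected: the five SMTP AUTH records and the ActiveSync one) =='
Find-LegacyAuth -SignIns $signIns |
    Select-Object createdDateTime, userPrincipalName, ipAddress, clientAppUsed,
                  @{n = 'ErrorCode'; e = { $_.status.errorCode }} |
    Format-Table -AutoSize
```

The single failure from 198.51.100.5 is not reported because only one account was targeted there; tune -MinUsers and the time window to your tenant's size. The same two detections are the first Conditional Access policies most tenants need: block legacy authentication, and require MFA so that a guessed password on its own is not enough.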

Beyond basic logs, Entra ID provides reporting and analytics features:

  • Usage & insights: (Monitoring & health > Usage & insights) Provides dashboards and reports on application activity, authentication methods usage, sign-in activity trends, and AD FS activity (if applicable). Helps understand how Entra ID is being used.
  • Identity Protection Reports: (Protection > Identity Protection) Detailed reports on risk detections, risky users, and risky sign-ins.
  • Microsoft Entra Connect Health: (Monitoring & health > Connect Health) Requires a P1 licence and a health agent installed on each monitored server. Monitors the health of your on-premises identity infrastructure (Entra Connect servers, AD FS, AD DS domain controllers). Provides alerts, performance data, and sync error reports.

Regularly reviewing these logs and reports is key to maintaining a secure and healthy identity environment.

Summary: Consolidating Your Azure AD Knowledge

Congratulations on completing this comprehensive journey through Microsoft Entra ID (formerly Azure AD)! We’ve covered the essential concepts and functionalities needed to effectively manage identities and access in the Microsoft cloud.

Key Takeaways and Concepts Revisited
  • Centralized Identity: Entra ID acts as the central hub for managing users, groups, devices, and applications. 
  • Rebranding: Azure AD is now Microsoft Entra ID, part of the broader Microsoft Entra family. The core service remains the same. 
  • Core Objects: Users, groups (Security/M365, Assigned/Dynamic), and devices (Registered/Joined/Hybrid) are fundamental building blocks.
  • Application Integration: Entra ID enables SSO and secure access management for thousands of SaaS and custom apps via Enterprise Applications and App Registrations. 
  • Security is Paramount: Features like MFA, Conditional Access, Identity Protection, PIM, and proper role management are crucial for securing your tenant.
  • Hybrid Connectivity: Microsoft Entra Connect bridges on-premises AD with Entra ID, with PHS being the recommended authentication method.
  • External Collaboration: B2B allows secure access for guest users. 
  • Monitoring: Audit logs, sign-in reports, and analytics provide vital visibility. 

Your Next Steps: Further Learning and Resources

This tutorial provides a strong foundation. To continue your learning:

  • Microsoft Learn: Explore the official Microsoft Learn paths for Microsoft Entra ID (https://learn.microsoft.com/en-us/entra/).
  • Microsoft Entra Documentation: Dive deeper into specific features and configurations (https://learn.microsoft.com/en-us/entra/fundamentals/).
  • Experiment: Use a trial or test tenant to safely experiment with features like Conditional Access, PIM, and dynamic groups.
  • Certifications: Consider pursuing Microsoft certifications related to identity and security, such as the SC-300: Microsoft Identity and Access Administrator.
  • Community: Engage with the Microsoft technical community for questions and discussions.

Frequently Asked Questions (FAQs)

Here are answers to some common questions:

What is the core difference between on-premises Active Directory (AD DS) and Azure AD (Entra ID)?
  • AD DS: Designed for managing identities and resources within a traditional corporate network. Uses protocols like Kerberos, LDAP, and Group Policy Objects (GPOs). Primarily focused on domain-joined Windows servers and clients.
  • Entra ID: Designed as a cloud-native, internet-scale identity management service. Uses modern web protocols like SAML, OpenID Connect, OAuth 2.0, and SCIM. Manages access to cloud resources (SaaS apps, Azure) and integrates with modern devices (Windows, macOS, iOS, Android). While it can integrate with AD DS (Hybrid Identity), it’s fundamentally different architecturally. 

How does Azure AD pricing work?

Microsoft Entra ID has multiple tiers (Free, Microsoft 365 Apps, Premium P1, Premium P2). Free offers basic functionality. Premium P1 and P2 add advanced features and are licensed on a per-user, per-month basis. Specific feature availability depends on the license tier. For detailed pricing, always refer to the official Microsoft Entra pricing page: [Link to Microsoft Entra pricing page]

Is it possible to rename my Azure AD / Entra ID tenant?

You cannot rename the initial yourcompany.onmicrosoft.com domain name associated with your tenant. However, you can (and should) add your own custom verified domain names (e.g., yourcompany.com) to the tenant. You can then set your custom domain as the primary domain for user accounts (e.g., user@yourcompany.com) and branding purposes.

What are the best practices for securing admin accounts in Azure AD?
  • Use dedicated admin accounts: Separate from daily user accounts.
  • Enforce phishing-resistant MFA: FIDO2 security keys, passkeys, Windows Hello for Business, or certificate-based authentication. A push approval or number match in the Authenticator app is far better than SMS or voice calls, but it is not phishing-resistant; use a Conditional Access authentication strength to require the phishing-resistant class for privileged roles.
  • Apply Conditional Access: Restrict admin sign-ins based on location, device compliance, and risk. Block legacy authentication. Always exclude one or two break-glass (emergency access) accounts and protect them separately.
  • Implement PIM: Use Just-in-Time (JIT) activation for privileged roles instead of permanent assignments.
  • Assign least privilege roles: Avoid overusing Global Administrator. Use granular roles.
  • Regularly review role assignments: Use Access Reviews (PIM/P2 feature).
  • Monitor admin activity: Keep a close eye on audit logs for privileged actions.
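The two Conditional Access policies those bullets ask for, created in report-only mode so that their impact shows up in the sign-in logs before anyone is locked out. This is an added example and not part of this tutorial; the break-glass account UPN and the list of administrator roles are assumptions to adjust for your tenant, and the script needs the Microsoft.Graph PowerShell module with consent to the listed permissions.

```powershell
# Added example: report-only Conditional Access policies for privileged roles and legacy auth.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All' -NoWelcome

# Assumption: this is your emergency access account; it must be excluded from both policies.
$breakGlass = Get-MgUser -UserId 'emergency-access@contoso.onmicrosoft.com' -Property Id

# Assumption: the roles to cover. Resolving them by display name avoids hard-coding template IDs.
$adminRoles = 'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
              'Exchange Administrator', 'SharePoint Administrator', 'User Administrator'
$roleIds = @(Get-MgDirectoryRoleTemplate -All |
             Where-Object DisplayName -in $adminRoles |
             ForEach-Object Id)

# Built-in authentication strength "Phishing-resistant MFA" (FIDO2/passkeys, Windows Hello
# for Business, certificate-based auth). Authenticator push/number match does not satisfy it.
$phishingResistantStrength = '00000000-0000-0000-0000-000000000004'

$requireStrongMfa = @{
    displayName = 'Admins: require phishing-resistant MFA (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeRoles = $roleIds; excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistantStrength }
    }
}

$blockLegacyAuth = @{
    displayName = 'All users: block legacy authentication (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')   # the two legacy client types
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in $requireStrongMfa, $blockLegacyAuth) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "Created '$($created.DisplayName)' (state: $($created.State), id: $($created.Id))"
}
```

Leave the policies in report-only mode for a week, check the Report-only tab on sign-ins that would have been affected, register phishing-resistant credentials for the administrators who still lack them, and only then change state to enabled.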

Why did Microsoft rename Azure AD to Microsoft Entra ID?

Microsoft rebranded Azure AD to Microsoft Entra ID as part of unifying its identity and network access product portfolio under the “Microsoft Entra” family name. This aims to provide a clearer, more integrated story for customers looking for comprehensive security solutions covering identity verification, permissions management, identity governance, and secure network access. Functionally, Microsoft Entra ID is the continuation of the Azure AD service.
