Microsoft Entra ID: Your Identity Foundation
Before you manage a single Azure resource, you need to understand identity. Microsoft Entra ID is the identity service that controls who can access what — and it works very differently from the Active Directory you know on-prem.
What is Microsoft Entra ID?
Think of Entra ID as the security guard at a building entrance — except the building is your entire cloud.
If you’ve worked with Active Directory on-prem, you know it as the thing that lets people log in to their computers and access file shares. Entra ID does the same job, but for cloud services. When someone opens Outlook, Teams, or the Azure portal, Entra ID checks who they are and what they’re allowed to do.
The big difference? On-prem AD uses protocols like Kerberos and LDAP. Entra ID uses modern web protocols like OAuth 2.0 and SAML. It’s built for a world where people log in from phones, home laptops, and coffee shops — not just domain-joined PCs in the office.
Active Directory DS vs Microsoft Entra ID
If you’re an on-prem admin, this is the comparison you need. These are not the same product — they solve similar problems in very different ways.
| Feature | Active Directory DS (On-Prem) | Microsoft Entra ID (Cloud) |
|---|---|---|
| Where it runs | Windows Server domain controllers you manage | Microsoft-managed cloud service |
| Authentication protocols | Kerberos, NTLM | OAuth 2.0, SAML, OpenID Connect, WS-Federation |
| Structure | Forests, domains, OUs | Flat tenant (no OUs, no forests) |
| Device management | Group Policy Objects (GPOs) | Intune + Conditional Access |
| Query language | LDAP | Microsoft Graph API (REST) |
| Scope | On-prem network resources | Cloud apps, SaaS, Azure resources, on-prem (with sync) |
| High availability | You manage replication between DCs | Built-in global redundancy |
Exam tip: AD DS and Entra ID can coexist
In the real world (and on the exam), most organisations use both. Microsoft Entra Connect syncs on-prem AD identities to Entra ID, giving users a single identity across on-prem and cloud. This is called hybrid identity.
TechCorp Solutions runs exactly this setup — their 300 employees log in with the same credentials whether they’re accessing the on-prem file server or SharePoint Online. Password hash sync copies hashes from on-prem AD to Entra ID. If you enable SSPR with writeback (P1), cloud password resets also flow back to on-prem AD. The exam tests whether you understand that Entra Connect is the bridge, not a replacement.
Tenants, subscriptions, and Entra ID
Here’s where it clicks for Azure admins:
- Tenant = one instance of Entra ID. Your organisation gets one when you sign up for any Microsoft cloud service. It’s your identity boundary.
- Subscription = a billing container for Azure resources. It trusts exactly one Entra ID tenant.
- Management groups = containers for organising subscriptions (covered in Module 4).
The key relationship: Every Azure subscription trusts one Entra ID tenant. Users in that tenant can be granted access to resources in that subscription via RBAC (covered in Module 3).
Real-world scenario: Meridian Financial's multi-subscription setup
Meridian Financial (5000+ employees) has one Entra ID tenant but twelve Azure subscriptions — Production, Dev, Test, Staging for each of their three business units. All twelve subscriptions trust the same Entra ID tenant, so employees only need one set of credentials. RBAC controls who can access which subscription.
This is a common enterprise pattern the exam expects you to understand.
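Because the tenant is the identity boundary, an application that accepts Entra ID tokens should reject any token issued by a tenant it does not trust. The following is an added example, not part of the original module: it inspects the OAuth 2.0 access-token claims (`tid`, `iss`, `aud`, `exp`) of two constructed tokens, one from the trusted tenant and one from a foreign tenant; the tenant ID and app ID URI are placeholders, and it assumes the token signature has already been verified against the tenant's published signing keys.

```python
import base64
import json
import time

# Constructed placeholders for the demo: not a real tenant ID or app ID URI.
TRUSTED_TENANT = "11111111-2222-3333-4444-555555555555"
APP_AUDIENCE = "api://contoso-billing"


def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the payload claims of a compact JWT. The signature is NOT
    checked here; verify it first against the tenant's signing keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def tenant_boundary_errors(claims, trusted_tid, audience, now=None):
    """List every reason a token should be rejected at the tenant boundary."""
    now = time.time() if now is None else now
    errors = []
    if claims.get("tid") != trusted_tid:
        errors.append(f"tid {claims.get('tid')!r} is not the trusted tenant")
    # v2.0 tokens also carry the issuing tenant inside the issuer URL.
    if claims.get("iss") != f"https://login.microsoftonline.com/{trusted_tid}/v2.0":
        errors.append(f"iss {claims.get('iss')!r} is not the trusted tenant's issuer")
    if claims.get("aud") != audience:
        errors.append(f"aud {claims.get('aud')!r} is not this application")
    if claims.get("exp", 0) <= now:
        errors.append("token has expired")
    return errors


def make_unsigned_token(claims):
    """Build a constructed token with an empty signature, for the demo only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return f"{header}.{enc(claims)}."


def sample_tokens():
    """Two constructed tokens: one from the trusted tenant, one from a foreign tenant."""
    def claims_for(tid):
        return {"tid": tid, "iss": f"https://login.microsoftonline.com/{tid}/v2.0",
                "aud": APP_AUDIENCE, "exp": int(time.time()) + 3600, "name": "Alex"}
    foreign_tid = "99999999-8888-7777-6666-555555555555"  # constructed, not a real tenant
    return make_unsigned_token(claims_for(TRUSTED_TENANT)), make_unsigned_token(claims_for(foreign_tid))
```

Running `tenant_boundary_errors(decode_claims(t), TRUSTED_TENANT, APP_AUDIENCE)` over `sample_tokens()` accepts the first token and rejects the second on both `tid` and `iss`.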
Entra ID editions
Microsoft offers three main editions. The exam expects you to know what’s included in each:
| Feature | Free | P1 | P2 |
|---|---|---|---|
| User and group management | Yes | Yes | Yes |
| SSO to SaaS apps | Yes (limited) | Unlimited | Unlimited |
| Self-service password reset (cloud) | Yes | Yes | Yes |
| Conditional Access | No | Yes | Yes |
| Self-service password reset (on-prem writeback) | No | Yes | Yes |
| Microsoft Entra Connect (hybrid sync) | Yes | Yes | Yes |
| Dynamic groups | No | Yes | Yes |
| Privileged Identity Management (PIM) | No | No | Yes |
| Identity Protection (risk-based CA) | No | No | Yes |
| Access reviews | No | No | Yes |
Exam tip: Know what requires P1 vs P2
The most commonly tested distinction: Conditional Access requires P1. PIM and Identity Protection require P2. If a scenario says “you need to require MFA only when users sign in from outside the office,” that’s Conditional Access — which means P1.
Alex, our admin, learned this the hard way — he tried to set up Conditional Access on a free tenant and couldn’t find the menu option.
What lives inside an Entra ID tenant
Your tenant contains more than just users:
- Users — cloud-only or synced from on-prem AD
- Groups — security groups, Microsoft 365 groups, dynamic groups
- App registrations — your custom applications that use Entra for auth
- Enterprise applications — SaaS apps integrated via SSO
- Devices — registered, joined, or hybrid-joined devices
- Roles — Entra ID roles (Global Administrator, User Administrator, etc.)
Knowledge check
TechCorp Solutions is migrating from on-prem Active Directory to a hybrid setup. Their IT manager asks Alex: “Will our existing Group Policy Objects work in the cloud?” What should Alex tell them?
Meridian Financial has 12 Azure subscriptions and one Entra ID tenant. A new developer needs access to only the Dev subscription. Where is the developer's identity created?
CloudFirst Labs wants to set up risk-based Conditional Access that blocks sign-ins when a user's account shows signs of compromise. Which Entra ID edition do they need?