AZ-900 Study Guide

Domain 1: Describe Cloud Concepts

  • What is Cloud Computing? Free
  • Cloud Models: Public, Private, and Hybrid Free
  • Cloud Pricing: Consumption, Serverless, and Pay-as-You-Go Free
  • High Availability and Scalability Free
  • Reliability, Security, and Manageability Free
  • IaaS, PaaS, and SaaS Explained Free
  • Choosing the Right Cloud Service Free

Domain 2: Describe Azure Architecture and Services

  • Azure Regions, Zones, and Datacenters
  • Resources, Resource Groups, and Subscriptions
  • Azure Virtual Machines
  • Azure Compute: Containers, Functions, and App Service
  • Azure Networking: VNets, Subnets, and Peering
  • Connecting to Azure: VPNs, ExpressRoute, and DNS
  • Azure Storage Services
  • Data Migration: Moving to Azure
  • Microsoft Entra ID: Your Identity Hub
  • Authentication and External Identities
  • Azure Security: RBAC, Zero Trust, and Defender

Domain 3: Describe Azure Management and Governance

  • What Affects Your Azure Bill
  • Pricing Calculators: TCO and Azure Pricing
  • Cost Management and Tags
  • Azure Governance: Purview, Policy, and Locks
  • The Azure Portal and Cloud Shell
  • Infrastructure as Code: ARM, Bicep, and Arc
  • Azure Advisor and Service Health
  • Azure Monitor: Logs, Alerts, and Insights

Domain 2: Describe Azure Architecture and Services (~11 min read)

Microsoft Entra ID: Your Identity Hub

Before anyone accesses anything in Azure, they go through Microsoft Entra ID. It's the identity and access management service that controls who can do what.

What is Microsoft Entra ID?

☕ Simple explanation

Think of Entra ID as the bouncer at a nightclub.

Before you get in, the bouncer checks your ID (authentication — “who are you?”). Then they check whether you’re on the VIP list (authorisation — “what are you allowed to do?”).

Every time anyone accesses Azure, Microsoft 365, or thousands of other apps, Entra ID is the bouncer checking their identity and permissions.

Microsoft Entra ID is the modern, cloud-based identity service. It replaced what used to be called “Azure Active Directory” (Azure AD).

Microsoft Entra Domain Services is for legacy apps that need old-school Active Directory features (like domain join and Group Policy) when you don’t want to run your own domain controllers.

Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management (IAM) service. It provides authentication, authorisation, single sign-on, multi-factor authentication, conditional access, and application management for cloud and hybrid environments.

Every Azure subscription is associated with an Entra ID tenant. The tenant holds the directory of users, groups, and applications. One tenant can be associated with multiple subscriptions.

Microsoft Entra Domain Services provides managed domain services — domain join, group policy, LDAP, and Kerberos/NTLM authentication — without deploying, managing, or patching domain controllers. It’s designed for legacy applications that require traditional AD protocols but need to run in the cloud.

Entra ID vs on-premises Active Directory

If you’ve worked with Active Directory before, Entra ID is similar in purpose but very different in how it works:

On-premises AD DS vs Microsoft Entra ID

| Feature | On-premises AD (AD DS) | Microsoft Entra ID |
|---|---|---|
| Location | Your servers | Microsoft's cloud |
| Protocols | Kerberos, LDAP, NTLM | OAuth 2.0, SAML, OpenID Connect |
| Structure | Forest → Domain → OU hierarchy | Flat structure (no OUs) |
| Device management | Group Policy (GPOs) | Intune, Conditional Access |
| App access | On-premises apps | Cloud apps + on-prem (with hybrid) |
| Management | You manage domain controllers | Microsoft manages infrastructure |

Key naming update: Microsoft renamed “Azure Active Directory” to “Microsoft Entra ID” in 2023. The exam uses the new name. If you see old materials saying “Azure AD,” it’s the same service.

What Entra ID does

| Capability | Description |
|---|---|
| Authentication | Verifies user identity (passwords, MFA, passwordless) |
| Single sign-on (SSO) | One login gives access to multiple applications |
| Application management | Register and manage cloud and on-prem apps |
| Device management | Register devices, enforce policies via Intune |
| B2B collaboration | Invite external users (partners, contractors) |
| B2C identity | Customer-facing sign-in (social logins, custom branding) |
| Conditional Access | Grant or block access based on conditions (location, device, risk) |

Harbour Health’s Entra ID setup

Every Harbour Health employee has an identity in Entra ID. When Dr. Patel opens the patient portal:

  1. Entra ID checks her credentials (authentication)
  2. Verifies her MFA (second factor)
  3. Checks Conditional Access policies (is she on a managed device? In a trusted location?)
  4. Grants access to the apps she’s authorised to use (authorisation)

All of this happens in milliseconds, every single time she logs in.

Microsoft Entra Domain Services

Some legacy applications still need old AD protocols (Kerberos, LDAP, NTLM). Running your own domain controllers to support these is expensive and complex.

Microsoft Entra Domain Services provides a managed domain — you get domain join, Group Policy, LDAP, and Kerberos without deploying domain controllers.

| Feature | Entra ID | Entra Domain Services |
|---|---|---|
| Cloud-native apps | ✅ | ✅ |
| Modern protocols (OAuth, SAML) | ✅ | ❌ |
| Legacy protocols (Kerberos, LDAP) | ❌ | ✅ |
| Domain join | ❌ | ✅ |
| Group Policy | ❌ | ✅ (limited) |
| You manage domain controllers | No | No (Microsoft manages them) |

Summit Construction’s use case: Their legacy project management app requires domain join and LDAP. Instead of running domain controllers in Azure VMs, they use Entra Domain Services — same functionality, zero infrastructure to manage.

💡 Exam tip: Entra ID vs Entra Domain Services

The exam tests whether you know when to use each:

  • Modern cloud apps (OAuth, SAML, web-based) → Entra ID
  • Legacy apps that need domain join, LDAP, Kerberos, Group Policy → Entra Domain Services
  • Both → Use Entra ID for cloud identity AND Entra Domain Services for legacy protocol support

Entra ID tenants

An Entra ID tenant represents an organisation. It holds:

  • Users and groups
  • App registrations
  • Device registrations
  • Policies (Conditional Access, MFA)

Key relationships:

  • One Entra ID tenant can be linked to multiple Azure subscriptions
  • Each Azure subscription trusts exactly one Entra ID tenant
  • When you sign up for Azure, a tenant is created automatically
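The tenant relationships above, as an added example that is not part of this guide: an application that receives Entra ID tokens (OAuth 2.0 / OpenID Connect) should accept only tokens issued by the tenant its subscription trusts. The tenant GUIDs, the token-building helper and the placeholder signature below are constructed for the demo; the claim names (`tid`, `iss`) and the v2.0 issuer URL format are Entra ID's own.

```python
import base64
import json

# Tenant this subscription trusts: a constructed placeholder GUID, not a real tenant.
TRUSTED_TENANT_ID = "11111111-2222-3333-4444-555555555555"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def issued_by_trusted_tenant(token: str, trusted_tid: str = TRUSTED_TENANT_ID) -> bool:
    """True only when both the tid claim and the issuer name the trusted tenant.

    Entra ID v2.0 tokens carry the tenant in 'tid' and in the issuer URL
    https://login.microsoftonline.com/{tid}/v2.0. Assumes the signature was
    already verified against that tenant's published signing keys; these
    claim checks alone never authenticate a token.
    """
    claims = token_claims(token)
    expected_iss = f"https://login.microsoftonline.com/{trusted_tid}/v2.0"
    return claims.get("tid") == trusted_tid and claims.get("iss") == expected_iss


def make_sample_token(claims: dict) -> str:
    """Build a constructed token for the demo; the signature part is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    own_iss = f"https://login.microsoftonline.com/{TRUSTED_TENANT_ID}/v2.0"
    own = make_sample_token({"tid": TRUSTED_TENANT_ID, "iss": own_iss})
    other = "99999999-8888-7777-6666-555555555555"
    foreign = make_sample_token({"tid": other, "iss": f"https://login.microsoftonline.com/{other}/v2.0"})
    print(issued_by_trusted_tenant(own), issued_by_trusted_tenant(foreign))  # True False
```

A token whose tenant does not match is rejected even when it is a perfectly valid Entra ID token for some other organisation, which is the check that keeps a multi-tenant app from confusing tenants.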


Flashcards

Q: What is Microsoft Entra ID?

A: Cloud-based identity and access management service (formerly Azure Active Directory). Provides authentication, SSO, MFA, Conditional Access, and application management. Every Azure subscription is associated with an Entra ID tenant.

Q: What is Microsoft Entra Domain Services?

A: A managed domain service that provides legacy AD features (domain join, Group Policy, LDAP, Kerberos) without running your own domain controllers. Use it for legacy apps that need traditional AD protocols in the cloud.

Q: What protocols does Entra ID use vs on-premises AD?

A: Entra ID uses modern web protocols: OAuth 2.0, SAML, OpenID Connect. On-premises AD uses Kerberos, LDAP, and NTLM. This is why legacy apps may need Entra Domain Services for compatibility.

Q: What is an Entra ID tenant?

A: A tenant represents an organisation in Entra ID. It holds users, groups, app registrations, devices, and policies. One tenant can be linked to multiple Azure subscriptions. Each subscription trusts exactly one tenant.

Knowledge Check

  1. Summit Construction's legacy application requires LDAP and domain join to function. They want to run it in Azure without managing domain controllers. Which service should they use?
  2. Which statement about Microsoft Entra ID tenants is correct?

Next up: Authentication in Azure — SSO, MFA, passwordless, external identities, and Conditional Access.



© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.