Microsoft Entra ID: Your Identity Hub
The cloud identity service behind every Microsoft 365 login. Learn what Entra ID is, how it differs from on-prem Active Directory, and the types of identities it manages.
What is Microsoft Entra ID?
Think of Entra ID as the receptionist for your entire organisation.
When you walk into a hotel, the receptionist checks your booking, hands you a key card, and tells you which rooms you can access. You don’t need to show ID again at the pool, the gym, or the restaurant — your key card works everywhere.
Microsoft Entra ID does the same thing for your digital workplace. You sign in once, and it gives you a digital “key card” (a token) that works across Microsoft 365, Azure, and thousands of other apps — without signing in again each time.
What Entra ID does for your organisation
| Capability | What It Means |
|---|---|
| Authentication | Verifies who you are (passwords, MFA, passwordless) |
| Single sign-on (SSO) | Sign in once, access all your apps |
| Application management | Connect thousands of cloud and on-prem apps |
| Device management | Register and manage devices alongside identities |
| Conditional Access | Make access decisions based on conditions (location, device, risk) |
| B2B/B2C | Collaborate with external partners and customers |
How is Entra ID different from on-premises Active Directory?
If you’ve worked in IT, you’ve probably heard of Active Directory. It’s been the backbone of corporate networks for decades. But Entra ID is not Active Directory in the cloud — it’s a different service built for a different era.
| Feature | Active Directory Domain Services (AD DS) | Microsoft Entra ID |
|---|---|---|
| Where it lives | On your company servers | In Microsoft's cloud |
| Designed for | Local network resources | Cloud and web applications |
| Protocols | Kerberos, NTLM, LDAP | OAuth 2.0, SAML, OpenID Connect |
| Structure | Organisational units (OUs), Group Policy | Flat structure, no OUs or GPOs |
| Device control | Group Policy Objects (GPO) | Intune, Conditional Access policies |
| Queried by | LDAP queries | REST APIs (Microsoft Graph) |
| Scope | Corporate network and VPN | Anywhere with an internet connection |
Exam tip: 'same thing in the cloud' is a trap
The exam may offer an option like “Entra ID is the cloud version of Active Directory Domain Services.” This is incorrect. They share the word “Active Directory” in their history, but they are fundamentally different services with different protocols, structures, and capabilities. Many organisations run both side by side (hybrid identity).
Entra ID as the identity provider
Microsoft Entra ID is the identity provider (IdP) for the entire Microsoft ecosystem. Every sign-in to Microsoft 365, Azure, Dynamics 365, and Power Platform goes through Entra ID.
It also works as the IdP for thousands of third-party apps in the Entra ID app gallery — Salesforce, ServiceNow, Zoom, Slack, and more. One identity, one sign-in, access everywhere. That’s single sign-on (SSO) powered by Entra ID.
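To make the key-card metaphor concrete, here is an added Python example (not code from the page or from Microsoft): it mints a token carrying the claims an Entra ID access token contains and shows the checks an app performs before trusting it. The tenant and app ids are made up, and the token is signed with HMAC so the example runs offline; Entra ID signs real tokens with RS256 using public keys it publishes, so a real app verifies against those keys rather than a shared secret.

```python
import base64, hashlib, hmac, json

# Constructed sample values, not real tenant or application ids.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
DEMO_KEY = b"demo-only-shared-secret"  # stand-in for the IdP signing key (see lead-in)
ISSUER_FMT = "https://login.microsoftonline.com/{}/v2.0"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(upn: str, tenant_id: str, audience: str, now: int, lifetime: int = 3600) -> str:
    """The IdP mints the 'key card': a JWT whose claims say who signed in, which tenant
    issued it (iss/tid), which app may accept it (aud) and when it stops working (exp)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER_FMT.format(tenant_id), "tid": tenant_id, "aud": audience,
              "preferred_username": upn, "iat": now, "exp": now + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_token(token: str, tenant_id: str, audience: str, now: int) -> dict:
    """The checks an app (relying party) performs before trusting the key card."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature invalid")        # tampered with, or not issued by our IdP
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER_FMT.format(tenant_id) or claims.get("tid") != tenant_id:
        raise ValueError("wrong issuer/tenant")      # genuine token, but from a tenant we don't trust
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")           # minted for another app; SSO does not mean any app
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")            # the key card has a limited lifetime
    return claims

def accepts(token: str, tenant_id: str, audience: str, now: int) -> bool:
    """Convenience wrapper: True when validate_token accepts the token."""
    try:
        validate_token(token, tenant_id, audience, now)
        return True
    except ValueError:
        return False
```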
Types of identities in Entra ID
Entra ID manages more than just user accounts. There are five types of identities you need to know:
1. User identities
These are people — employees, admins, students. Each user gets a unique account in the directory with a username (like raj@lakewood.edu) and authentication credentials.
There are two sub-types:
- Cloud-only users — created directly in Entra ID
- Synced users — created in on-prem AD and synchronised to Entra ID
2. Workload identities
These are identities for applications and services — not people. There are two main types:
- Service principals — an identity for an application. When an app needs to access resources (like reading data from a database), it authenticates using a service principal instead of a person’s account.
- Managed identities — a special type of service principal that Azure manages automatically. No passwords to store or rotate. Azure handles the credentials behind the scenes.
Scenario: Raj and the automated report
Lakewood University has a script that generates student attendance reports every night. Raj used to use his own admin account to run it — which meant his credentials were stored in the script.
Now he uses a managed identity. The Azure service running the script gets its own identity, and Azure automatically handles the credentials. No passwords in code, no risk of Raj’s account being compromised through the script.
3. Device identities
Devices can be registered or joined to Entra ID. This lets the organisation know which devices are accessing resources and apply policies (like requiring encryption or up-to-date antivirus).
Three ways to bring devices into Entra ID:
- Entra registered — personal devices (BYOD). The user signs in to work resources from a device they own.
- Entra joined — company-owned devices. The device belongs to the organisation.
- Hybrid Entra joined — devices that are joined to both on-prem AD and Entra ID.
4. External identities (guests)
These are people outside your organisation who need access to your resources — contractors, partners, vendors. They sign in with their own identity (Gmail, personal Microsoft account, or their own company’s Entra ID) and get limited, controlled access to your tenant.
Key exam concept: External identities (B2B guests) authenticate with their OWN identity provider. Your organisation does not manage their credentials — it just controls what they can access.
5. Groups
Groups organise identities for easier management. Instead of assigning permissions to 500 individual users, you assign them to one group.
Two types:
- Security groups — used to assign permissions to resources
- Microsoft 365 groups — used for collaboration (shared mailbox, SharePoint site, Teams channel)
Groups can have assigned membership (manually added) or dynamic membership (automatically added based on user attributes like department or job title).
Entra ID editions
Microsoft Entra ID comes in different editions. Each adds more capabilities on top of the previous one:
| Feature | Free | P1 | P2 |
|---|---|---|---|
| Included with | Azure subscription, M365 | M365 E3, standalone licence | M365 E5, standalone licence |
| SSO and basic authentication | Yes | Yes | Yes |
| MFA (Security Defaults) | Yes | Yes | Yes |
| Conditional Access policies | No | Yes | Yes |
| Self-service password reset | Admin accounts only | All users (including hybrid with writeback) | All users (including hybrid with writeback) |
| Dynamic groups | No | Yes | Yes |
| Identity Protection (risk detection) | No | No | Yes |
| Privileged Identity Management (PIM) | No | No | Yes |
| Access reviews | No | No | Yes |
Scenario: Sam picks the right edition for BrightStar
Sam’s 50-person retail shop uses Microsoft 365 Business Basic — which includes the Free edition of Entra ID. His staff gets SSO and basic MFA through Security Defaults. For a small business, that’s a solid start.
If Sam later needs Conditional Access (like blocking sign-ins from countries BrightStar doesn’t operate in), he’d need to upgrade to P1.
P2 is for organisations like SecureBank that need Identity Protection (risk-based policies) and Privileged Identity Management (time-limited admin access).
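Sam's geo-block as an added Python example (not code from the page or from Microsoft): it builds the Microsoft Graph request bodies for a country named location and for the Conditional Access policy that blocks sign-ins from everywhere else, then walks through the evaluation locally so the exclusions are visible. The country codes, the break-glass account id and the location id passed in are constructed placeholders, and creating these objects in a real tenant requires the P1 edition.

```python
from typing import List, Optional

# Constructed sample values: BrightStar's operating countries and a placeholder object id
# for the emergency-access ("break-glass") account that every block policy should exclude.
ALLOWED_COUNTRIES = ["GB", "IE"]
BREAK_GLASS_USER_ID = "00000000-0000-0000-0000-000000000001"  # placeholder, not a real object id

def country_named_location(name: str, countries: List[str]) -> dict:
    """Request body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": name,
        "countriesAndRegions": countries,            # ISO 3166-1 alpha-2 codes
        "includeUnknownCountriesAndRegions": False,  # an unresolvable origin is not treated as allowed
    }

def geo_block_policy(name: str, allowed_location_id: str, excluded_user_ids: List[str]) -> dict:
    """Request body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
    Pattern: include all locations, exclude the allowed named location, grant control 'block'."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",  # report-only first; set "enabled" after reviewing sign-in logs
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": excluded_user_ids},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "locations": {"includeLocations": ["All"], "excludeLocations": [allowed_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def policy_matches(policy: dict, location: dict, location_id: str, user_id: str, country: Optional[str]) -> bool:
    """Simplified local walk-through of how one sign-in is evaluated against this policy.
    True means the 'block' control applies (in report-only state it is logged, not enforced)."""
    cond = policy["conditions"]
    if user_id in cond["users"]["excludeUsers"]:
        return False  # excluded accounts (break-glass) are never locked out by this policy
    in_allowed = (country in location["countriesAndRegions"]) or (
        country is None and location["includeUnknownCountriesAndRegions"])
    # The allowed location sits in excludeLocations, so the block applies only outside it.
    return not (in_allowed and location_id in cond["locations"]["excludeLocations"])
```

Create the named location first and pass the `id` Graph returns into `geo_block_policy`; review the sign-in log while the policy is in report-only state before switching it to enabled.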
🎬 Video walkthrough
Microsoft Entra ID Overview — SC-900 Domain 2
Knowledge Check
Raj has a background script at Lakewood University that pulls student data from Microsoft Graph every night. He wants to avoid storing any passwords in the script. Which type of identity should Raj use?
Sam's BrightStar Retail uses Microsoft 365 Business Basic. He wants to create a policy that blocks sign-ins from countries where BrightStar has no operations. What does Sam need?
A contractor from an external company needs temporary access to Lakewood University's SharePoint site. The contractor already has their own corporate Microsoft account. What type of Entra ID identity should Raj create?