Chapter 9 of 21
Microsoft Entra ID and Azure Identity Basics
See how identities, sign-ins, and access to Azure and SaaS apps are unified through Microsoft Entra ID at the heart of the Microsoft cloud.
Microsoft Entra ID: The Identity Engine of Azure
Canonical Definition
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
Identity Engine of the Cloud
Entra ID stores identities, handles sign-ins and SSO, and enforces security controls like MFA and Conditional Access across Microsoft cloud services.
From Azure AD to Entra ID
Microsoft Entra ID is the modern name for Azure Active Directory. On AZ-900, treat Entra ID as the main term; Azure AD in older screenshots refers to the same service.
Three Worlds Connected
Entra ID connects Azure resources, Microsoft 365 services, and thousands of SaaS apps, acting as the common identity layer for sign-in and access.
Entra ID and Azure Portal
Every time you open the Azure portal, your browser talks to Entra ID to verify who you are and what you can see or manage.
Identity vs Authentication vs Authorization
Identity: Who Are You?
An identity is a digital representation of a person, app, or device. In Entra ID, this includes user accounts, groups, and service principals.
Authentication: Prove It
Authentication verifies that you are who you claim to be, using passwords, MFA codes, biometrics, or other factors.
Authorization: What Can You Do?
Authorization decides what resources you can access and what actions you can perform after you have been authenticated.
Exam Signal Words
Sign-in, passwords, MFA → authentication. Permissions, roles, read/write → authorization. Accounts, groups, identities → identity.
How Microsoft Entra ID Underpins Azure and SaaS Sign-ins
Entra ID and Azure Portal
When you open the Azure portal, it redirects you to Entra ID to authenticate you and issue a token proving your identity.
Tokens and Authorization
Azure Resource Manager uses your Entra ID token and role assignments to decide which subscriptions and resources you can access.
Microsoft 365 and SaaS
Outlook, Teams, SharePoint, and many SaaS apps rely on Entra ID to authenticate users and trust its tokens.
Centralized Security
With Entra ID, you manage identities and security policies like MFA once and reuse them across many apps and services.
Single Sign-On (SSO) Fundamentals
What Is SSO?
Single sign-on (SSO) lets a user sign in once with Entra ID and then access multiple apps without re-entering credentials.
How SSO Works
After you authenticate, Entra ID issues a token. Other integrated apps accept this token instead of asking for your password again.
SSO Benefits
SSO improves user experience, reduces password fatigue, and lets admins centrally cut off access by disabling a single Entra ID account.
Exam Clues for SSO
Phrases like “sign in once to many apps” or “reduce number of passwords” usually point to Entra ID single sign-on.
Multifactor Authentication (MFA) Basics
What Is MFA?
Multifactor authentication requires at least two factors: something you know, something you have, or something you are.
MFA in Entra ID
Commonly, you enter a password, then approve a notification or code on your phone using Microsoft Authenticator.
Why MFA Matters
MFA protects against stolen or phished passwords by requiring an additional verification factor an attacker is unlikely to have.
Exam Clues for MFA
Phrases like “second form of verification” or “reduce risk of compromised passwords” usually point to Entra multifactor authentication.
Authorization to Azure Resources: RBAC and Entra ID
RBAC Definition
Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
Identity + Roles
Entra ID stores identities. Azure assigns roles like Reader or Contributor to those identities at subscription, resource group, or resource scope.
Example: Reader Role
If Alex is authenticated by Entra ID and given Reader on a resource group, Alex can view resources but cannot change or delete them.
Exam Distinction
Entra ID handles identity and authentication; RBAC handles authorization to Azure resources with fine-grained permissions.
End-to-End Scenario: From Sign-in to Resource Access
Step 1: Identity Creation
Admin creates `priya@contoso.com` in Entra ID and assigns licenses. This is Priya’s digital identity in the organization.
Step 2: Authentication + MFA
Priya signs in, changes her password, and configures MFA with Microsoft Authenticator, adding strong protection to her account.
Step 3: SSO Across Apps
After authenticating, Priya opens Teams, SharePoint, and the Azure portal without re-entering her password, thanks to SSO.
Step 4: RBAC for Azure
Priya gets the Contributor role on one resource group, so she can manage those resources but not others in the subscription.
Linking Concepts
This scenario connects Entra ID identities, MFA, SSO, and RBAC—exactly the combination AZ-900 questions often test.
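To make the RBAC rules above concrete (Reader versus Contributor, assignments inherited down the subscription → resource group → resource hierarchy, deny by default), here is an added Python model of the authorization decision, written for this chapter and not Microsoft's engine or any project's code. The role definitions are simplified versions of the built-in roles, the subscription GUID and resource ids are constructed placeholders, and fnmatch stands in for Azure's action wildcard matching; the assignments reproduce Alex (Reader on a resource group) and Priya (Contributor on one resource group only) from this chapter.

```python
import fnmatch

# Constructed, simplified definitions of the built-in roles named on this page.
# Actions are ARM operation strings; '*' wildcards match as in Azure
# (Reader = '*/read'; Contributor = '*' minus role-management writes).
# This is an illustrative model for the chapter, not the ARM authorization engine.
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete"],
    },
    "Owner": {"actions": ["*"], "not_actions": []},
}

def _matches(patterns, action):
    # Azure compares actions case-insensitively; fnmatch approximates its '*' wildcard.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _in_scope(assignment_scope, resource_id):
    # An assignment applies to its scope and everything beneath it
    # (subscription -> resource group -> resource); ids are case-insensitive.
    scope, target = assignment_scope.lower().rstrip("/"), resource_id.lower()
    return target == scope or target.startswith(scope + "/")

def is_authorized(principal, action, resource_id, assignments):
    """True if any assignment (principal, role, scope) covering resource_id
    grants `action`: allowed by Actions and not excluded by NotActions.
    Authentication is assumed to have happened already (that is Entra ID's job)."""
    for who, role, scope in assignments:
        if who != principal or not _in_scope(scope, resource_id):
            continue
        role_def = ROLES[role]
        if _matches(role_def["actions"], action) and not _matches(role_def["not_actions"], action):
            return True
    return False  # deny by default: no applicable assignment means no access

# Constructed ids (placeholder subscription GUID) and the page's two scenarios:
# Alex is Reader on a resource group; Priya is Contributor on one group only.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = f"{SUB}/resourceGroups/rg-app"
RG_OTHER = f"{SUB}/resourceGroups/rg-other"
VM_APP = f"{RG_APP}/providers/Microsoft.Compute/virtualMachines/vm-app-01"
VM_OTHER = f"{RG_OTHER}/providers/Microsoft.Compute/virtualMachines/vm-other-01"
ASSIGNMENTS = [
    ("alex@contoso.com", "Reader", RG_APP),
    ("priya@contoso.com", "Contributor", RG_APP),
]
```

Calling `is_authorized("alex@contoso.com", "Microsoft.Compute/virtualMachines/delete", VM_APP, ASSIGNMENTS)` returns False while the matching `.../read` call returns True, which is the Reader example from this chapter; Priya's Contributor role works on `VM_APP` but not on `VM_OTHER`, and a principal with no assignment gets nothing.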
External Identities and B2B Collaboration (High Level)
What Are External Identities?
External identities let people from other organizations use their own accounts to access your apps and resources securely.
B2B Guest Users
In B2B collaboration, you invite an external user as a guest in your Entra ID tenant and assign them roles or group memberships.
How Guests Sign In
Guests authenticate with their home organization but are authorized in your tenant according to the roles you assign.
Exam Clues for B2B
Mentions of partners, suppliers, or contractors needing access usually point to external identities or B2B collaboration.
Thought Exercise: Match the Scenario to the Concept
Work through these mini-scenarios mentally and decide which Entra ID feature or concept is the best primary match. You do not need to write anything down, but pausing to answer will strengthen recall.
- Scenario A
- A user logs into the Azure portal and then opens Microsoft Teams and SharePoint Online in the same browser session without re-entering their password.
- Which concept is central here: SSO, MFA, RBAC, or External Identities?
- Scenario B
- A security team wants to make sure that even if an attacker steals a password, they still cannot sign in to Azure or Microsoft 365 without also having the user’s phone.
- Which concept is central: SSO, MFA, or B2B collaboration?
- Scenario C
- A project team needs to give a partner company’s engineer access to a specific SharePoint site and one Azure resource group, but they want that engineer to use their own corporate account (`user@partner.com`).
- Which concept is central: RBAC, External Identities/B2B, or Azure Policy?
- Scenario D
- An admin wants to make sure that some users can view virtual machines but not start, stop, or delete them.
- Which concept is central: RBAC, MFA, or SSO?
After you have your answers, compare them with these explanations:
- A → SSO (single sign-on across apps)
- B → MFA (extra verification beyond password)
- C → External Identities/B2B (guest users)
- D → RBAC (fine-grained permissions on Azure resources)
If any felt unclear, revisit the earlier steps for that concept. These exact patterns appear frequently in AZ-900 items.
Quick Check: Identity, Authentication, Authorization
Test your ability to distinguish core identity concepts.
A user successfully signs in to the Azure portal but can only view resources, not modify or delete them. Which concept primarily explains this limitation?
- A) Authentication handled by Microsoft Entra ID
- B) Authorization controlled by role-based access control (RBAC)
- C) Single sign-on (SSO) between Azure and Microsoft 365
- D) Multifactor authentication (MFA) requirements
Answer: B) Authorization controlled by role-based access control (RBAC)
Authentication (Entra ID) verifies the user’s identity. The fact that they can only VIEW resources is about what actions they are allowed to perform, which is authorization. In Azure, this is controlled by RBAC roles such as Reader, Contributor, or Owner.
Quick Check: SSO, MFA, and External Identities
Reinforce your understanding of Entra ID features.
Your company wants partner users from another organization to access a shared Azure application using their own corporate credentials, while your admins still control what those users can do in your tenant. Which Microsoft Entra ID capability is most appropriate?
- A) Multifactor authentication (MFA)
- B) Single sign-on (SSO)
- C) External identities and B2B collaboration
- D) Azure Policy
Answer: C) External identities and B2B collaboration
External identities and B2B collaboration allow you to invite partner users as guests in your Entra ID tenant. They authenticate with their home organization, and you use RBAC and groups in your tenant to control what they can access.
Flashcards: Core Microsoft Entra ID Concepts
Use these flashcards to solidify key definitions and distinctions before moving on.
- Microsoft Entra ID (canonical definition)
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- Identity vs Authentication
- Identity is the digital representation of a user, app, or device (for example, a user account in Entra ID). Authentication is the process of verifying that identity, such as entering a password and completing MFA.
- Authentication vs Authorization
- Authentication answers “Who are you?” and verifies your identity. Authorization answers “What are you allowed to do?” and determines your permissions on resources.
- Single Sign-On (SSO)
- A capability that lets users sign in once with Microsoft Entra ID and then access multiple applications without re-entering their credentials, by reusing security tokens.
- Multifactor Authentication (MFA)
- A security feature requiring at least two types of verification (something you know, have, or are) to reduce the risk of account compromise, even if a password is stolen.
- RBAC (role-based access control) in Azure
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- External Identities / B2B Collaboration
- A Microsoft Entra ID capability that lets external users (such as partners or contractors) use their own organization’s accounts to access your apps and resources as guests, while you control their permissions in your tenant.
- How Entra ID relates to Azure resources
- Entra ID authenticates users and stores identities; Azure uses RBAC role assignments tied to those identities to authorize access to subscriptions, resource groups, and individual resources.
- How Entra ID relates to SaaS apps
- Entra ID provides centralized identities, SSO, and security policies for many SaaS applications, allowing users to access them with a single corporate account and consistent protection like MFA.
Key Terms
- Token
- A signed piece of data issued by Microsoft Entra ID after successful authentication that proves an identity to applications and services during access requests.
- Identity
- A digital representation of a user, application, or device, such as a user account, group, or service principal stored in Microsoft Entra ID.
- Authorization
- The process of determining what an authenticated identity is allowed to do, such as which resources it can access and what actions it can perform.
- Authentication
- The process of verifying that an identity is genuine, typically by checking credentials such as passwords and multifactor authentication codes.
- B2B collaboration
- A Microsoft Entra ID feature where external users are invited as guest accounts linked to their home identities, enabling secure sharing of apps and resources with partners and contractors.
- Service principal
- An identity used by applications, hosted services, and automated tools to access Azure resources, managed within Microsoft Entra ID.
- Microsoft Entra ID
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- External identities
- Microsoft Entra ID capabilities that allow users from outside your organization to use their own credentials to access your resources as guests, commonly used for B2B collaboration.
- Single Sign-On (SSO)
- A capability that allows a user to sign in once and then access multiple applications without re-entering credentials, by reusing security tokens issued by Microsoft Entra ID.
- Multifactor Authentication (MFA)
- A security mechanism that requires at least two different types of verification (something you know, something you have, something you are) to complete sign-in.
- Role-based access control (RBAC)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.