
Chapter 11 of 20

Azure Identity: Microsoft Entra ID, Authentication, and Access Basics

Follow the sign-in journey from user to resource and see how Microsoft Entra ID underpins authentication and access across Azure and Microsoft 365.

27 min read

Big Picture: Why Identity Matters in Azure

Identity: The Third Pillar

Networking connects resources and storage holds data. Identity and access answer: who are you and what are you allowed to do in Azure and Microsoft 365?

Canonical Definition to Memorize

Microsoft Entra ID: "Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications."

Branding: Entra vs Azure AD

As of 2026, Microsoft Entra ID is the new name for Azure AD. Treat them as the same service. Exams may use either name; conceptually they are equivalent.

Sign-in Journey Preview

This module follows the path: user → Entra ID → token → resource. Along the way you will learn tenants, identities, authentication vs authorization, and single sign-on.

Tenants, Directories, and Subscriptions: Who Owns What?

What Is a Tenant?

A Microsoft Entra tenant is your organization’s dedicated identity and access boundary. It stores users, groups, apps, and devices in a Microsoft Entra ID directory.

What Is a Subscription?

An Azure subscription is a container for Azure resources and billing. It is always linked to one tenant, but a tenant can have many subscriptions.

Tenant–Subscription Relationship

Identities live in the tenant. Permissions to Azure resources live in subscriptions that trust that tenant. Multiple subscriptions can share one tenant.

Common Exam Trap

Exam distractor: "Each Azure subscription has its own separate identity system." Correct: identity is centralized in the Microsoft Entra tenant, not per subscription.

Identities in Microsoft Entra ID: Users, Groups, and Service Principals

User Identities

User accounts represent real people. They sign in with credentials, can be internal members or external guests, and can be assigned roles and licenses.

Group Identities

Groups bundle users so you assign access once to the group instead of many times to individuals. Security groups are used for access control.

Service Principals

Service principals represent applications or automated processes. They let apps authenticate and access Azure resources securely without using human accounts.

Key Exam Idea

If a person, app, or device needs to access Azure or Microsoft 365, it should have an identity in Microsoft Entra ID (user, group, service principal, or managed identity).

Authentication vs Authorization in Azure

What Is Authentication?

Authentication answers: "Who are you?" It is the process of proving identity, like entering username, password, and MFA so Entra ID can verify you.

What Is Authorization?

Authorization answers: "What are you allowed to do?" It checks your permissions to decide if you can view, create, modify, or delete a resource.

Division of Responsibilities

Microsoft Entra ID mainly handles authentication and issues tokens. Azure services use those tokens plus RBAC to enforce authorization.

Exam Clue Words

Sign-in, MFA, tokens → authentication. Roles, permissions, access to VMs or storage → authorization. Distinguish them carefully on questions.

Step-by-Step Sign-in Journey: From User to Azure Resource

Step 1: Go to the Portal

Jordan browses to the Azure portal. The portal redirects to the organization’s Microsoft Entra ID tenant to start sign-in.

Step 2: Authentication

Jordan enters username and password, and completes MFA if required. Entra ID verifies the identity and issues an access token.

Step 3: Token Used by Portal

The browser presents the token to the Azure portal. The portal now knows Jordan’s identity and tenant context.

Step 4: Authorization Check

When Jordan opens a storage account, Azure checks RBAC roles on that resource. If Jordan has the right role, access is granted; otherwise it is denied.

Single Sign-On (SSO) with Microsoft Entra ID

What Is SSO?

Single sign-on (SSO) lets users authenticate once to Microsoft Entra ID and then access multiple apps without re-entering credentials each time.

How SSO Works

Apps trust Microsoft Entra ID as an identity provider. They accept Entra ID tokens instead of prompting users again for username and password.

Where SSO Applies

SSO covers Microsoft 365 apps, the Azure portal, and thousands of integrated SaaS applications that are configured to trust Entra ID.

Exam Signal for SSO

If the question mentions a single set of credentials for many apps or reducing repeated logins, the concept is SSO with Microsoft Entra ID.
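The four-step sign-in journey and the SSO section above describe one flow: the tenant authenticates the principal and signs a token, the app checks that token, and RBAC on the resource scope decides what the principal may do. The block below is an added worked model of that flow, written for this page; it is not Microsoft's code and not how Entra ID is implemented (real tokens are JWTs signed with the tenant's private key and checked against its published public keys; here a token is a base64 JSON payload plus an HMAC so the example runs offline). The tenant, subscriptions, accounts, secrets, scopes and role assignments are constructed sample values.

```python
"""Toy model of the Entra ID sign-in journey, RBAC authorization and SSO.

Added illustration, not Microsoft's code. Real Entra ID tokens are JWTs signed
with the tenant's private key; the resource verifies them with the tenant's
public keys. Here a token is base64(JSON claims) + "." + HMAC so it runs offline.
All identifiers, secrets and role assignments are constructed samples.
"""
import base64
import hashlib
import hmac
import json
import time

TENANT_ID = "contoso-tenant"                                   # one tenant ...
SUBSCRIPTIONS = {"sub-dev": TENANT_ID, "sub-prod": TENANT_ID}  # ... trusted by many subscriptions
TENANT_KEY = b"tenant-signing-secret-example-only"             # stands in for the tenant signing key

# Directory objects: a user who is in a security group, and a service principal for an app.
DIRECTORY = {
    "jordan@contoso.example": {"oid": "user-jordan", "groups": ["storage-readers"], "secret": "pw-example"},
    "finance-app": {"oid": "sp-finance", "groups": [], "secret": "app-secret-example"},
}

# RBAC: (assignee id, role, scope). An assignment on a parent scope is inherited by child scopes.
ROLE_ASSIGNMENTS = [
    ("storage-readers", "Storage Blob Data Reader", "/subscriptions/sub-prod/resourceGroups/rg-finance"),
    ("sp-finance", "Storage Blob Data Contributor",
     "/subscriptions/sub-prod/resourceGroups/rg-finance/providers/Microsoft.Storage/storageAccounts/stfinance"),
]
ROLE_ACTIONS = {"Storage Blob Data Reader": {"read"}, "Storage Blob Data Contributor": {"read", "write"}}


def sign_in(principal, secret):
    """Step 2, authentication: prove who you are to the tenant, once.
    Returns an SSO session, or None if the identity or credential is wrong."""
    entry = DIRECTORY.get(principal)
    if entry is None or not hmac.compare_digest(entry["secret"], secret):
        return None
    return {"tid": TENANT_ID, "oid": entry["oid"], "groups": list(entry["groups"])}


def issue_token(session, audience, ttl=3600):
    """Mint a signed access token for one app (the audience) from an existing session.
    No credential prompt happens here: that is what makes SSO across apps possible."""
    claims = {"iss": session["tid"], "aud": audience, "oid": session["oid"],
              "groups": session["groups"], "exp": int(time.time()) + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(TENANT_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def validate_token(token, expected_audience, trusted_tenant=TENANT_ID):
    """Step 3, app side: accept the token only if its signature is intact, it was
    issued by the trusted tenant, it is meant for this app, and it has not expired."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(TENANT_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["iss"] != trusted_tenant or claims["aud"] != expected_audience:
        return None
    if claims["exp"] <= int(time.time()):
        return None
    return claims


def authorize(claims, action, scope):
    """Step 4, authorization: the token only says who you are; whether you may
    perform the action on this scope comes from RBAC assignments on it or a parent."""
    subscription = scope.split("/")[2]            # "/subscriptions/<id>/..."
    if SUBSCRIPTIONS.get(subscription) != claims["iss"]:
        return False                              # this subscription does not trust that tenant
    principals = {claims["oid"], *claims["groups"]}
    for assignee, role, assigned_scope in ROLE_ASSIGNMENTS:
        inherited = scope == assigned_scope or scope.startswith(assigned_scope + "/")
        if assignee in principals and inherited and action in ROLE_ACTIONS[role]:
            return True
    return False


def access_resource(token, app, action, scope):
    """The whole journey in one call: 'authn-failed', 'denied' or 'granted'."""
    claims = validate_token(token, app)
    if claims is None:
        return "authn-failed"
    return "granted" if authorize(claims, action, scope) else "denied"
```

Two things the model makes visible that the prose only states: an "Access denied" after a successful sign-in is a `denied` result (authentication passed, RBAC did not), and a second token for a second app is issued from the same session without another credential check, which is SSO. A token minted for the portal is rejected by the LMS because the audience differs, so SSO does not mean one token for every app.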

Thought Exercise: Map the Scenario to Identity Concepts

Use this short exercise to connect real-world stories to the right identity concepts. Work through each case in your head before checking the suggested answers below.

  1. Scenario A
  • A university uses Microsoft 365 for email and Teams. They also use a third-party learning management system (LMS) hosted as a SaaS app. Students complain about having to log in separately to the LMS.
  • Question: Which Microsoft Entra ID feature would best solve this, and at what level is it configured (tenant, subscription, or resource)?
  2. Scenario B
  • A company has three Azure subscriptions: Dev, Test, and Prod. They want all employees to use the same usernames and passwords across all three, and they want to centrally manage MFA.
  • Question: How should they structure their Microsoft Entra tenant and subscriptions?
  3. Scenario C
  • A finance application running in Azure needs to read data from a storage account on a schedule, even when no user is signed in.
  • Question: What type of identity should the app use, and which service enforces access?

Pause and answer mentally:

  • For each scenario, identify: identity type, authentication vs authorization, where SSO or RBAC fits, and which component is doing what.

Then check yourself with the guidance below.

Suggested answers (for self-check only):

  • Scenario A: Configure the LMS as an enterprise application in Microsoft Entra ID and enable SSO at the tenant level.
  • Scenario B: Use one Microsoft Entra tenant with three subscriptions linked to it. Users authenticate once to that tenant; RBAC and policies differ per subscription.
  • Scenario C: Use a service principal or managed identity for the app. Microsoft Entra ID authenticates the app; Azure Storage and RBAC handle authorization.

Quiz 1: Authentication vs Authorization

Test your understanding of the difference between authentication and authorization in Azure.

A user successfully signs in to the Azure portal using Microsoft Entra ID, but receives an "Access denied" message when trying to open a specific storage account. What is the MOST likely cause?

  A) Authentication failed, so Microsoft Entra ID did not recognize the user.
  B) The user is not authorized with the correct RBAC permissions on that storage account.
  C) The user’s Microsoft Entra ID account is in the wrong tenant, and tenants cannot share subscriptions.
  D) Single sign-on (SSO) is disabled, so the user cannot access storage accounts.

Answer: B) The user is not authorized with the correct RBAC permissions on that storage account.

The user already signed in successfully, so authentication worked. The "Access denied" occurs when checking permissions on the specific resource. That is an authorization problem, typically because the user or their groups do not have the necessary RBAC role on the storage account, its resource group, or subscription.

Quiz 2: Tenant, Subscription, and SSO Concepts

Check that you can distinguish tenants, subscriptions, and SSO responsibilities.

An organization wants users to sign in once and then access Microsoft 365, the Azure portal, and several SaaS apps with the same credentials. Which statement best describes how this is achieved?

  A) Create a separate Microsoft Entra tenant for each SaaS app and configure passwords to match.
  B) Use a single Microsoft Entra tenant to provide SSO to Microsoft 365, Azure, and integrated SaaS apps.
  C) Create one Azure subscription per app and enable shared credentials at the subscription level.
  D) Store user passwords in each SaaS app and sync them manually from Microsoft Entra ID.

Answer: B) Use a single Microsoft Entra tenant to provide SSO to Microsoft 365, Azure, and integrated SaaS apps.

Single sign-on is provided by Microsoft Entra ID at the tenant level. A single tenant can authenticate users and issue tokens that are accepted by Microsoft 365, the Azure portal, and many integrated SaaS applications, enabling SSO with one set of credentials.

Key Term Flashcards: Microsoft Entra ID and Access Basics

Use these flashcards to reinforce the core terms for AZ-900 related to Microsoft Entra ID, authentication, authorization, and SSO.

Microsoft Entra ID (canonical definition)
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
Authentication
The process of proving identity; answers "Who are you?" In Azure, Microsoft Entra ID authenticates users, apps, and devices, often using passwords plus MFA, and issues tokens.
Authorization
The process of controlling access; answers "What are you allowed to do?" In Azure, authorization is typically enforced using RBAC roles and other access controls on subscriptions, resource groups, and resources.
Tenant
A dedicated Microsoft Entra ID instance for an organization. It stores identities (users, groups, apps) and acts as the security and identity boundary for Azure and Microsoft 365.
Azure subscription
A billing and resource container in Azure that holds resources like VMs and storage accounts. Each subscription is associated with exactly one Microsoft Entra tenant.
User identity
An account in Microsoft Entra ID that represents a real person, such as an employee or guest. It can sign in, be assigned licenses, and receive roles.
Group (security group)
A collection of user accounts (and sometimes other groups) used to simplify access management. Roles and permissions can be assigned to the group instead of individual users.
Service principal
An identity in Microsoft Entra ID for an application or automated process. It allows apps and services to authenticate and access Azure resources securely.
Single sign-on (SSO)
A capability where a user signs in once to Microsoft Entra ID and then accesses multiple applications (Azure, Microsoft 365, SaaS apps) without re-entering credentials.
Role-based access control (RBAC) (canonical definition)
Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.

Connecting Identity to Other Azure Fundamentals and Next Steps

Identity + Networking

Networking decides where traffic can go. Microsoft Entra ID decides who can configure those networks and who can access services exposed through them.

Identity + Storage

Storage defines where data lives and network access. Entra ID and RBAC decide which users or apps can actually read or write that data.

Shared Responsibility Reminder

Microsoft runs Entra ID, but you manage identities, roles, and sign-in policies. That is your side of the shared responsibility model.

What to Be Able to Explain

Be sure you can define Entra ID, explain tenant vs subscription, separate authentication from authorization, and describe SSO across Azure and Microsoft 365.

Key Terms

Tenant
A dedicated Microsoft Entra ID instance for an organization that stores identities and acts as the security and identity boundary for Azure and Microsoft 365.
Authorization
The process of controlling access to resources; answers "What are you allowed to do?" Often implemented using RBAC roles in Azure.
User identity
An account in Microsoft Entra ID representing a real person, such as an employee or guest user.
Authentication
The process of proving identity; answers "Who are you?" Typically involves credentials and MFA and results in a token from Microsoft Entra ID.
Service principal
An identity in Microsoft Entra ID for an application or automated process, allowing it to authenticate and access Azure resources.
Azure subscription
A billing and resource container in Azure that is associated with one Microsoft Entra tenant and holds Azure resources like VMs and storage accounts.
Microsoft Entra ID
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
Single sign-on (SSO)
A capability where a user signs in once to Microsoft Entra ID and then accesses multiple trusted applications without re-entering credentials.
Group (security group)
A collection of user accounts used to simplify access management by assigning permissions to the group instead of individuals.
Shared responsibility model
The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
Role-based access control (RBAC)
Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
