Chapter 11 of 20
Azure Identity Basics with Microsoft Entra ID
See how identities become the new perimeter in Azure, with Microsoft Entra ID at the center of sign-in, access, and integration with thousands of SaaS apps.
Why Identity Is the New Perimeter in Azure
From Network Perimeter to Identity Perimeter
On-premises security focused on network boundaries like firewalls and VPNs. In the cloud, users connect from anywhere to resources across Azure and SaaS apps, so network location is no longer enough.
Identity as the New Perimeter
Azure security now centers on identity: "Who is this user or workload, and should they have this access right now?" This aligns with Zero Trust: never trust, always verify, enforce least privilege.
Canonical Definition of Microsoft Entra ID
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
Why This Matters for AZ-900
For AZ-900, know that Entra ID stores users and groups, authenticates sign-ins to Azure and Microsoft 365, integrates thousands of SaaS apps, and works with SSO and MFA to protect access.
Connect to What You Know
From earlier modules: VNets and storage accounts are resources. Entra ID controls who can reach them and how they prove who they are, forming the core of Azure identity.
Microsoft Entra ID vs On-Premises Active Directory
What Is On-Premises Active Directory?
Active Directory Domain Services (AD DS) runs on Windows Server in your datacenter, using Kerberos/NTLM to authenticate users to domain-joined machines and on-prem apps.
What Is Microsoft Entra ID?
Microsoft Entra ID is a cloud-native identity and access management service in Microsoft’s public cloud, using modern protocols to secure access to Azure, Microsoft 365, and SaaS apps.
Conceptual Differences
AD DS is a traditional LDAP/Kerberos directory for on-prem networks. Entra ID is a multi-tenant cloud directory and identity platform designed for internet-based access to cloud resources.
Devices and Management
In AD DS you domain-join machines and use tools like Active Directory Users and Computers. In Entra ID you Entra-join or register devices and manage identity via the Azure portal and APIs.
Common Exam Trap
It is incorrect to say Entra ID is simply Active Directory in the cloud. They are related but distinct. Many organizations use both together in a hybrid identity setup.
Cloud-Only vs Hybrid Identity in Azure
Cloud-Only Identity
In cloud-only identity, all user accounts live in Microsoft Entra ID. Passwords are stored and verified in Entra ID, and there is no dependency on an on-premises directory.
When Cloud-Only Fits
Cloud-only is common for cloud-native or smaller organizations that mainly use Microsoft 365, Azure, and SaaS apps without many legacy on-prem applications.
Hybrid Identity
In hybrid identity, user accounts originate in on-prem Active Directory and are synchronized to Microsoft Entra ID, so users often keep the same username and password in both worlds.
Division of Responsibilities
With hybrid, on-prem AD continues to manage local resources, while Entra ID controls access to Azure, Microsoft 365, and SaaS apps, enabling gradual cloud adoption.
Exam Pattern Recognition
If a scenario mentions on-prem AD and "same credentials" for cloud and on-prem, think hybrid identity. If only the cloud is mentioned, think cloud-only identity.
How Authentication Works in Microsoft Entra ID
Authentication Flow Overview
When you sign in to Azure or Microsoft 365, the app redirects you to Microsoft Entra ID. You enter credentials, Entra ID verifies them, and then issues a token proving who you are.
Tokens and Access
After successful sign-in, Entra ID issues a token. The user presents this token to the resource, which uses it to decide whether to grant access based on identity and permissions.
Core Identity Objects
A tenant is your organization’s Entra ID instance. Users represent people, groups are collections of users, and app registrations give applications an identity in Entra ID.
Authentication vs Authorization
Authentication answers "Who are you?". Authorization answers "What are you allowed to do?". Azure commonly uses role-based access control (RBAC) to enforce authorization.
Exam Focus
For AZ-900, focus on understanding that Entra ID authenticates users and apps, issues tokens, and then Azure services use those tokens plus RBAC to grant or deny access.
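To make the token step concrete, here is an added example (not Entra ID's own code or any Microsoft SDK) of the checks a resource should perform on the token it receives: signature first, then issuing tenant, audience and expiry. Real Entra ID tokens are RS256-signed JWTs verified against the keys Entra publishes; this version HMAC-signs a locally constructed token so it runs offline, and the tenant ID, audience and key are made-up sample values.

```python
"""Checks a resource performs on a token issued by Microsoft Entra ID before
honouring it. Added illustration, not Entra ID or Microsoft SDK code: real
Entra tokens are RS256-signed JWTs verified with Entra's published keys; this
one is constructed locally and HMAC-signed so it runs offline, and the tenant
ID, audience and key below are made-up sample values."""
import base64, hashlib, hmac, json, time

SHARED_KEY = b"constructed-demo-signing-key"               # stands in for Entra's keys
EXPECTED_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed tenant ID (tid)
EXPECTED_AUDIENCE = "api://contoso-app"                   # constructed resource app ID URI

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims):
    """Plays the identity provider: signed header.payload.signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_token(token, now=None):
    """Resource side: verify signature, then issuing tenant, audience and expiry.
    Returns the claims on success; raises ValueError with the reason otherwise."""
    now = time.time() if now is None else now
    header, payload, sig = token.split(".")          # ValueError if not three parts
    expected = hmac.new(SHARED_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature invalid: token was not issued by the trusted IdP")
    claims = json.loads(b64url_decode(payload))      # only trust claims after the signature check
    if claims.get("tid") != EXPECTED_TENANT:
        raise ValueError("issued for another tenant")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("audience mismatch: token meant for a different resource")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def rejection_reason(token, now=None):
    """Convenience wrapper: the rejection reason, or None when the token is accepted."""
    try:
        validate_token(token, now=now)
    except ValueError as err:
        return str(err)
    return None
```

The audience check is what stops a token minted for one app from being replayed against another; the tenant check is what keeps a guest's home-tenant token from being mistaken for one of yours.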
SSO, MFA, and Passwordless: Where They Fit
Single Sign-On (SSO)
SSO lets users sign in once and then access multiple apps without re-entering credentials. Entra ID provides SSO across Azure, Microsoft 365, and many SaaS apps.
Why SSO Matters
SSO reduces password fatigue and centralizes sign-in. This improves usability and lets admins enforce consistent security policies at a single identity provider.
Multi-Factor Authentication (MFA)
MFA requires two or more factors, such as a password plus an app notification or SMS code. It protects against many attacks that rely on stolen or guessed passwords.
Passwordless Authentication
Passwordless methods like Windows Hello, FIDO2 security keys, or Authenticator number matching remove passwords from daily use, relying on strong cryptographic credentials.
Exam Scenarios
To reduce password risk, think MFA or passwordless. To simplify access to many SaaS apps, think SSO through Microsoft Entra ID as the central identity provider.
External Identities: Collaborating Beyond Your Tenant
Why External Identities?
You often need to give partners, contractors, or customers access to your apps without making them full internal users. External identities in Entra ID address this need.
B2B Collaboration
With B2B, you invite partner users as guests into your tenant. They sign in with their home organization’s account, but you manage their permissions in your Entra ID.
Customer-Facing Apps
For public apps, Entra External ID lets customers sign in with social or other identities, so you do not manage their passwords directly but still control app access.
Security Controls
You can apply policies like MFA and conditional access to external users and use groups and RBAC to tightly control what they can do in your environment.
Exam Clues
If a scenario mentions partners or customers using their own accounts to access your apps, the concept being tested is external identities with Microsoft Entra ID.
Entra ID, RBAC, and Azure Resources
From Identity to Permissions
Entra ID proves who a user or app is. Azure then needs to decide what that identity can do with resources like storage accounts, VMs, or VNets.
Canonical RBAC Definition
Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
How They Work Together
Entra ID stores identities and authenticates sign-ins. Azure Resource Manager reads RBAC role assignments for those identities to authorize actions on resources.
Concrete Example
A user signs in via Entra ID, then tries to open a storage account. Azure checks if that user or their groups have a suitable RBAC role like Reader or Storage Blob Data Contributor.
Exam Distinction
Questions about sign-in and identity: think Entra ID. Questions about who can perform which actions on resources: think RBAC and role assignments in Azure.
Walkthrough: A User Accessing Azure and SaaS with Entra ID
Scenario 1: Alice Signs In
Alice is a Contoso employee with a cloud-only Entra ID account. She goes to Microsoft 365, is redirected to Entra ID, enters her password, and completes MFA using the Authenticator app.
Scenario 1: SSO and RBAC
After Entra ID authenticates Alice, she later opens the Azure portal. SSO reuses her existing session, so she sees no new password prompt. RBAC limits her to Reader access on specific resource groups.
Scenario 2: Partner Bob as Guest
Bob works for Fabrikam, which has its own Entra ID tenant. Contoso invites Bob as a guest user into their tenant so he can access a line-of-business app.
Scenario 2: External Identity and Access
Bob signs in with his Fabrikam account, then uses SSO to access Contoso’s app. Contoso assigns him to a group with Contributor rights via RBAC, controlling what he can change.
Connecting the Dots
These examples show Entra ID handling sign-in and SSO, MFA adding protection, external identities enabling partner access, and RBAC defining allowed actions on Azure resources.
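The RBAC check described in the section above and exercised in the Alice and Bob scenarios, as an added example in Python (not Azure's code: the role definitions are simplified versions of built-in roles, and the users, group, scopes and assignments are constructed sample data). It shows scope inheritance, group-based assignment, and that the control-plane Reader role does not grant blob data access.

```python
"""Toy model of the authorization step Azure performs after Entra ID has
authenticated a principal: find role assignments for the user or its groups
whose scope covers the resource and whose role permits the action. Added
illustration, not Azure's code; role definitions are simplified versions of
built-in roles and all principals, groups, scopes and assignments are
constructed sample data."""
from fnmatch import fnmatchcase

# Simplified built-in roles (real definitions also carry NotActions etc.).
# "actions" are control-plane operations, "data_actions" touch the data itself.
ROLE_DEFINITIONS = {
    "Reader": {"actions": ["*/read"], "data_actions": []},
    "Contributor": {"actions": ["*"], "data_actions": []},
    "Storage Blob Data Contributor": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "data_actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
    },
}

# Group membership is directory data that comes from Entra ID (constructed).
GROUP_MEMBERS = {"contoso-app-contributors": {"bob@fabrikam.com"}}

# Role assignments: (principal, role, scope). Scope is a resource ID prefix and
# an assignment applies to that scope and everything beneath it (constructed).
ROLE_ASSIGNMENTS = [
    ("alice@contoso.com", "Reader", "/subscriptions/sub1/resourceGroups/rg-prod"),
    ("contoso-app-contributors", "Contributor", "/subscriptions/sub1/resourceGroups/rg-app"),
]

def principals_for(user):
    """A user acts as themselves plus every group Entra ID says they belong to."""
    return {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}

def scope_covers(assignment_scope, resource_id):
    """Assignments inherit downward; the trailing '/' stops rg-prod matching rg-prod2."""
    return resource_id == assignment_scope or resource_id.startswith(assignment_scope + "/")

def is_allowed(user, action, resource_id, data_action=False):
    """RBAC is additive: any one matching assignment grants the action; none means deny."""
    key = "data_actions" if data_action else "actions"
    for principal, role, scope in ROLE_ASSIGNMENTS:
        if principal not in principals_for(user) or not scope_covers(scope, resource_id):
            continue
        if any(fnmatchcase(action, pattern) for pattern in ROLE_DEFINITIONS[role][key]):
            return True
    return False
```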
Thought Exercise: Classify Identity Scenarios
Work through these short scenarios and decide which Azure identity concepts apply. Think it through before checking the hints.
- Scenario A: A startup uses only Microsoft 365, a few Azure web apps, and some SaaS tools. They have no on-premises servers. All employees are created directly in Microsoft Entra ID.
- Question: Is this cloud-only or hybrid identity? Which Entra features are they likely using for sign-in?
- Scenario B: A large enterprise has an on-premises Active Directory forest and hundreds of legacy apps. They want users to use the same username and password for on-prem Windows sign-in and Microsoft 365.
- Question: Is this cloud-only or hybrid identity? What sync concept is involved?
- Scenario C: A university builds a portal where external researchers log in using their home institution accounts to access shared datasets stored in Azure Storage.
- Question: Which Entra concept enables this? How do you expect sign-in to work?
- Scenario D: A company wants to reduce the risk of compromised passwords when employees access the Azure portal from unmanaged home devices.
- Question: Which authentication methods should they prioritize enabling in Entra ID?
Pause and answer in your own words. Then compare with these brief hints:
- Scenario A: Think cloud-only and SSO/MFA in Entra ID.
- Scenario B: Think hybrid identity and directory synchronization from on-prem AD.
- Scenario C: Think external identities and guest or federated sign-in.
- Scenario D: Think MFA and passwordless options, possibly combined with conditional access.
Quiz 1: Core Entra ID Concepts
Test your understanding of Microsoft Entra ID basics.
Which statement best describes the primary role of Microsoft Entra ID in an Azure environment?
- It is a service used to deploy and manage virtual networks and subnets in Azure.
- It is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- It is an on-premises directory service that uses Kerberos to authenticate users to Windows servers.
- It is a backup solution for storing copies of Azure virtual machines and databases.
Answer: B) It is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications. It is not a networking, on-premises-only, or backup service.
Quiz 2: Cloud-Only vs Hybrid and Auth Methods
Check your understanding of identity scenarios and authentication methods.
An organization has on-premises Active Directory and wants users to use the same credentials for on-prem apps and Microsoft 365. They also want to reduce the risk of password theft when accessing the Azure portal. Which combination best matches their needs?
- Cloud-only identity with single sign-on only.
- Hybrid identity with multi-factor authentication enabled in Microsoft Entra ID.
- Hybrid identity with only on-premises Group Policy.
- Cloud-only identity with no additional authentication methods.
Answer: B) Hybrid identity with multi-factor authentication enabled in Microsoft Entra ID.
Using hybrid identity lets users keep the same credentials across on-prem AD and Entra ID. Enabling multi-factor authentication in Entra ID helps reduce the risk of password theft when accessing cloud services like the Azure portal.
Key Identity Terms Review
Flip these cards to reinforce core Azure identity concepts before you move on.
- Microsoft Entra ID (canonical definition)
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- Cloud-only identity
- An identity model where all user accounts are created and managed directly in Microsoft Entra ID, with no dependency on on-premises Active Directory.
- Hybrid identity
- An identity model where user accounts originate in on-premises Active Directory and are synchronized to Microsoft Entra ID, allowing users to use the same credentials for on-prem and cloud resources.
- Single sign-on (SSO)
- An authentication capability that lets users sign in once and then access multiple applications, such as Azure, Microsoft 365, and SaaS apps, without re-entering their credentials each time.
- Multi-factor authentication (MFA)
- An authentication method that requires two or more verification factors, such as a password plus a phone notification or hardware key, to increase sign-in security.
- Passwordless authentication
- Sign-in methods that remove passwords from daily use, relying instead on strong credentials like biometrics, FIDO2 security keys, or app-based approvals.
- External identities
- Microsoft Entra ID capabilities that let people outside your organization, such as partners or customers, use their own identities to securely access your apps and resources.
- Role-based access control (RBAC) (canonical definition)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- Authentication vs authorization
- Authentication verifies who a user or app is (sign-in). Authorization determines what that identity is allowed to do with resources (permissions).
- Tenant (in Entra ID)
- A dedicated instance of Microsoft Entra ID that represents an organization, created when the organization signs up for Azure, Microsoft 365, or related services.
Key Terms
- Tenant
- A dedicated Microsoft Entra ID instance representing a single organization, created when that organization subscribes to Azure, Microsoft 365, or related services.
- Hybrid identity
- An identity model where user accounts originate in on-premises Active Directory and are synchronized to Microsoft Entra ID, allowing users to use the same credentials for on-prem and cloud resources.
- Microsoft Entra ID
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- Cloud-only identity
- An identity model where all user accounts are created and managed directly in Microsoft Entra ID, with no dependency on on-premises Active Directory.
- External identities
- Microsoft Entra ID capabilities that allow external users, such as partners or customers, to use their own identities to access your organization’s applications and resources.
- Single sign-on (SSO)
- An authentication capability that lets users sign in once and then access multiple applications without re-entering their credentials each time.
- Passwordless authentication
- Authentication methods that eliminate the need for passwords, using alternatives like biometrics, FIDO2 security keys, or app-based approvals.
- Role-based access control (RBAC)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- Multi-factor authentication (MFA)
- An authentication method that requires two or more verification factors, such as a password plus a phone notification, SMS code, or hardware key.
- Active Directory Domain Services (AD DS)
- An on-premises directory service running on Windows Server that uses protocols like Kerberos and NTLM to authenticate users and computers in a Windows domain.