Challenge 16: Microsoft Entra ID & Authentication
25-35 min | Cost: Free | Domain: Azure Architecture & Services (35-40%)
Exam skills covered
- Describe directory services (Microsoft Entra ID, Entra Domain Services)
- Describe authentication methods (SSO, MFA, passwordless)
Overview
Microsoft Entra ID (formerly Azure Active Directory) is Azure's cloud-based identity and access management service. It handles authentication (proving who you are) and authorization (what you're allowed to do).
Unlike traditional Active Directory (which runs on Windows Server), Entra ID is cloud-native and designed for internet-scale authentication, including web apps, mobile apps, and SaaS services.
Explore
Task 1: Understand Entra ID vs Active Directory
| Feature | Active Directory (on-prem) | Microsoft Entra ID (cloud) |
|---|---|---|
| Protocol | Kerberos, LDAP | OAuth 2.0, SAML, OpenID Connect |
| Scope | Internal network only | Internet-wide |
| Structure | OUs, forests, domains | Flat tenant |
| Device management | Group Policy | Intune + Conditional Access |
| Authentication | Username/password | MFA, passwordless, SSO |
Task 2: Explore Entra ID in the Portal
- In Azure Portal, search for Microsoft Entra ID
- Click on it to open the Entra ID blade
- Explore:
  - Overview: Tenant name, ID, license level
  - Users: All users in your tenant
  - Groups: Security groups and Microsoft 365 groups
  - Enterprise applications: Integrated SaaS apps
- This is read-only exploration — no cost
Task 3: Understand authentication methods
| Method | Security | User experience | Example |
|---|---|---|---|
| Password only | Low | Easy | Traditional login |
| MFA (Multi-Factor) | High | Moderate | Password + phone approval |
| Passwordless | Very high | Excellent | Windows Hello, FIDO2 key |
| SSO (Single Sign-On) | Varies | Best | One login for all apps |
Multi-Factor Authentication (MFA) requires at least two of the following, each from a different category:
- Something you know (password, PIN)
- Something you have (phone, security key)
- Something you are (fingerprint, face)
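As an added example (not part of the original challenge), the check below encodes the three categories: MFA is satisfied only when the methods used span two or more different categories, so password + PIN is not MFA, while a FIDO2 key unlocked with a fingerprint is MFA with no password at all, which is why the passwordless row in the Task 3 table rates highest. The method-to-category mapping is a constructed illustration, not an Entra ID API or policy definition.

```python
# Added example: classify a sign-in by the factor categories its methods prove.
# The method-to-category mapping is a constructed illustration for this
# challenge, not an Entra ID API or policy definition.

KNOW, HAVE, ARE = "something you know", "something you have", "something you are"

# Which category each authentication method demonstrates (constructed sample).
METHOD_CATEGORY = {
    "password": KNOW,
    "pin": KNOW,                      # a device PIN is still knowledge
    "sms_code": HAVE,                 # possession of the phone
    "authenticator_approval": HAVE,   # possession of the enrolled device
    "fido2_key": HAVE,                # possession of the security key
    "fingerprint": ARE,
    "face": ARE,
}


def factor_categories(methods):
    """Return the distinct factor categories proven by the given methods."""
    categories = set()
    for method in methods:
        if method not in METHOD_CATEGORY:
            raise ValueError(f"unknown authentication method: {method}")
        categories.add(METHOD_CATEGORY[method])
    return categories


def is_mfa(methods):
    """True only when two or more *different* categories are proven."""
    # Two methods from the same category (password + PIN) do not qualify.
    return len(factor_categories(methods)) >= 2


def classify_sign_in(methods):
    """Map a sign-in to the rows of the authentication-methods table."""
    if not is_mfa(methods):
        return "single-factor"
    if "password" in methods:
        return "mfa"
    # e.g. FIDO2 key (have) unlocked by a fingerprint (are): no password used
    return "passwordless"


if __name__ == "__main__":
    for methods in (["password"], ["password", "pin"],
                    ["password", "authenticator_approval"],
                    ["fido2_key", "fingerprint"]):
        print(f"{' + '.join(methods):40} -> {classify_sign_in(methods)}")
```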
Task 4: Understand SSO
Single Sign-On (SSO) means one login gives access to multiple applications:
```text
User logs in ONCE to Entra ID
  → Access Microsoft 365 ✓
  → Access Salesforce ✓
  → Access GitHub ✓
  → Access custom apps ✓
```
Benefits:
- Users remember one password (fewer help desk calls)
- Centralized access control
- Easier to disable access when employee leaves
Task 5: Entra Domain Services
Microsoft Entra Domain Services provides a managed, Active Directory-compatible domain:
- Domain join, group policy, LDAP, Kerberos/NTLM
- No need to manage domain controllers
- Integrates with your Entra ID tenant
- Use case: Legacy apps that need traditional AD protocols
| Scenario | Use |
|---|---|
| Modern web app needs authentication | Entra ID |
| Legacy app needs LDAP/Kerberos | Entra Domain Services |
| On-prem servers need Group Policy | Traditional AD (on-prem) |
Optional: inspect your tenant with the Azure CLI. These commands assume you are already signed in with `az login`.

```bash
# List users in your Entra ID tenant (first 5)
az ad user list --query "[0:5].{Name:displayName, UPN:userPrincipalName}" --output table

# Show your tenant info
az account show --query "{TenantId:tenantId, Name:name}" --output table
```
Key Concepts
| Concept | Description |
|---|---|
| Microsoft Entra ID | Cloud-based identity and access management (formerly Azure AD) |
| Tenant | A dedicated instance of Entra ID for your organization |
| Authentication | Proving identity (who are you?) |
| Authorization | Checking permissions (what can you do?) |
| MFA | Requires 2+ verification methods for login |
| SSO | One login provides access to multiple applications |
| Passwordless | Login without a password (biometrics, security keys) |
| Entra Domain Services | Managed domain services (LDAP, Kerberos) without domain controllers |
Knowledge Check
1. What is Microsoft Entra ID?
2. Multi-Factor Authentication (MFA) requires at least how many verification methods?
3. A company wants employees to log in once and access all their business applications without signing in again. What feature provides this?
4. An organization has a legacy application that requires LDAP and Kerberos authentication. They want to run it in Azure without managing domain controllers. What should they use?
5. Which authentication method is considered the most secure and provides the best user experience?
Learn More
- 📚 Study Guide AZ-900 — Curated study materials
- Microsoft Learn: Describe Azure identity, access, and security
- Microsoft Entra ID documentation