Microsoft Entra ID, previously known as Azure Active Directory (Azure AD), is a cloud‑based directory and identity management service. It provides authentication, authorization, and access control for Microsoft cloud applications, third‑party SaaS applications, and custom solutions. Entra ID also integrates with on‑premises Active Directory for hybrid environments.
Core Capabilities
- Authentication:
  - Self‑service password reset
  - Multi‑factor authentication (MFA)
  - Custom banned password lists (Microsoft Entra Password Protection), so that weak or organization‑specific passwords are rejected at change or reset time
  - Smart lockout, which locks out an attacker guessing passwords while letting the genuine user keep signing in from familiar locations
- Single Sign‑On (SSO): Users sign in once to access multiple applications with a single set of credentials.
- Application Management:
  - Application Proxy for secure remote access to on‑premises web applications
  - Integration with SaaS applications
- Device Management:
  - Support for device registration and Microsoft Entra join
  - Integration with Microsoft Intune, so device compliance can be used as a Conditional Access signal
Who Uses Microsoft Entra ID?
- IT Administrators: Manage access, policies, and directory services.
- Application Developers: Integrate authentication and authorization into applications.
- End Users: Access cloud and on‑premises applications securely.
- Service Subscribers: Access Microsoft and third‑party online services.
Microsoft Entra Connect
Synchronizes user, group, and device objects from on‑premises Active Directory to Microsoft Entra ID, supporting hybrid identity management. The cloud sign‑in method is chosen at setup: password hash synchronization, pass‑through authentication, or federation.
Microsoft Entra Domain Services
Provides managed domain services such as:
- Domain Join
- Group Policy
- LDAP integration
- Kerberos and NTLM authentication
Authentication Methods
- Windows Hello for Business: Biometric and PIN‑based authentication.
- Microsoft Authenticator App: Mobile app supporting MFA and passwordless sign‑in.
- FIDO2 Security Keys: Hardware keys using USB, Bluetooth, or NFC for secure authentication.
External Identities
- B2B Collaboration: Invite external users to use their existing identity providers (e.g., Microsoft, Google, Facebook) for access.
- B2B Direct Connect: Establish mutual trust with another Entra ID tenant for seamless two‑way collaboration.
- B2C: Enable customer identity management, including sign‑up, sign‑in, and profile management.
Security and Access Control
Conditional Access
Makes access control decisions based on identity signals such as user, location, device state, and application. Policies are evaluated after first‑factor authentication succeeds; every policy whose conditions match is applied, and a block control overrides any grant. Supports granular MFA policies, for example:
- No second factor required from a trusted location
- MFA enforced when accessing from an unusual location or device
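The two patterns above, written as Conditional Access policies with Microsoft Graph PowerShell. This is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed‑in account holds the Conditional Access Administrator role, and that `$BreakGlassGroupId` (a placeholder value) is replaced with the object ID of your emergency‑access group.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# PowerShell SDK; cmdlets are auto-loaded from Microsoft.Graph.Identity.SignIns.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of a group holding your emergency-access (break-glass)
# accounts. Replace before running.
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Policy 1: require MFA for every user and every cloud app, except when the
# sign-in comes from a named location that is marked as trusted ("AllTrusted").
$requireMfa = @{
    displayName   = "CA001 - Require MFA outside trusted locations"
    # Report-only first: the policy is evaluated and written to the sign-in log
    # but not enforced, so impact can be reviewed before switching to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)   # never lock out emergency accounts
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")                   # required by the Graph schema
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 2: the device-state signal. Require a device that Intune reports as
# compliant. A sign-in that matches both policies must satisfy both of them.
$requireCompliantDevice = @{
    displayName   = "CA002 - Require compliant device for all cloud apps"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$policy1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa
$policy2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $requireCompliantDevice

# Confirm what was created. The Id is what you later update to set state = "enabled".
foreach ($id in @($policy1.Id, $policy2.Id)) {
    Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $id |
        Select-Object Id, DisplayName, State,
            @{ n = "Controls"; e = { $_.GrantControls.BuiltInControls -join "," } }
}
```

Two caveats a practitioner would check before enabling these: excluding `AllTrusted` means an attacker who already has a foothold on the corporate network is not challenged for MFA, so keep the trusted‑location list tight; and the break‑glass exclusion is the only thing standing between a misconfigured policy and a tenant nobody can administer, so monitor those accounts' sign‑ins separately.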
Role‑Based Access Control (RBAC)
Entra ID ships built‑in directory roles (for example Global Administrator, User Administrator, Helpdesk Administrator) and supports custom roles; an assignment can be scoped to the whole tenant or to an administrative unit, so each team receives only the permissions its job requires, following the principle of least privilege. RBAC reduces risk, but the number of roles and scopes can become hard to reason about in large environments, so standing tenant‑wide assignments should be reviewed regularly.
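A least‑privilege assignment in practice: a helpdesk team gets the Helpdesk Administrator role scoped to a single administrative unit instead of a tenant‑wide privileged role, and the standing Global Administrator holders are listed for review. This is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK, an account holding the Privileged Role Administrator role, and two placeholder object IDs (`$HelpdeskGroupId`, a role‑assignable group, and `$AdminUnitId`) that must be replaced.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# PowerShell SDK; role-management cmdlets auto-load from
# Microsoft.Graph.Identity.Governance.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "AdministrativeUnit.Read.All"

# Placeholders, replace before running. The group must be role-assignable
# (isAssignableToRole = true) or Entra will reject the assignment.
$HelpdeskGroupId = "11111111-1111-1111-1111-111111111111"   # helpdesk team group
$AdminUnitId     = "22222222-2222-2222-2222-222222222222"   # e.g. the "Sales" administrative unit

# Resolve the role by display name rather than hard-coding its template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Helpdesk Administrator'"

$assignment = @{
    principalId      = $HelpdeskGroupId
    roleDefinitionId = $role.Id
    # Scope the role to one administrative unit. "/" would mean the whole tenant.
    directoryScopeId = "/administrativeUnits/$AdminUnitId"
}
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $assignment

# Review step: who holds Global Administrator at tenant scope ("/")? This list
# should be short and made up of named people plus the break-glass accounts.
$ga = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Global Administrator'"

Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$($ga.Id)'" -ExpandProperty principal |
    Where-Object DirectoryScopeId -eq "/" |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.Principal.AdditionalProperties["displayName"]
            Type      = $_.Principal.AdditionalProperties["@odata.type"]
            Scope     = $_.DirectoryScopeId
        }
    }
```

Assigning roles to a group rather than to individual users keeps the review step manageable: membership changes in one place, and the assignment itself never has to be touched.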
Choosing the Right Option
- Microsoft Entra ID: For identity and access management in cloud or hybrid environments.
- Microsoft Entra B2B: For collaboration with guest users and business partners.
- Microsoft Entra B2C: For customer‑facing applications requiring user sign‑up, sign‑in, and profile management.
Conclusion
Microsoft Entra ID provides a platform for identity and access management across cloud and hybrid environments. With features such as authentication, single sign‑on, device and application management, and external collaboration, it enables secure and seamless access for users, administrators, and partners.