Domain 2: Describe Azure Architecture and Services (Module 9 of 11)

Microsoft Entra ID: Your Identity Hub

Before anyone accesses anything in Azure, they go through Microsoft Entra ID. It's the identity and access management service that controls who can do what.

What is Microsoft Entra ID?

Simple explanation

Think of Entra ID as the bouncer at a nightclub.

Before you get in, the bouncer checks your ID (authentication: “who are you?”). Then they check whether you’re on the VIP list (authorisation: “what are you allowed to do?”).

Every time anyone accesses Azure, Microsoft 365, or thousands of other apps, Entra ID is the bouncer checking their identity and permissions.

Microsoft Entra ID is Microsoft’s cloud-based identity service. It is the same service that used to be called “Azure Active Directory” (Azure AD); only the name changed.

Microsoft Entra Domain Services is for legacy apps that need traditional Active Directory features (domain join, Group Policy, LDAP, Kerberos) when you don’t want to run your own domain controllers.

Entra ID vs on-premises Active Directory

If you’ve worked with Active Directory before, Entra ID is similar in purpose but very different in how it works:

On-premises AD DS vs Microsoft Entra ID

| Feature | On-premises AD (AD DS) | Microsoft Entra ID |
|---|---|---|
| Location | Your servers | Microsoft’s cloud |
| Protocols | Kerberos, LDAP, NTLM | OAuth 2.0, SAML, OpenID Connect |
| Structure | Forest → Domain → OU hierarchy | Flat structure (no OUs) |
| Device management | Group Policy (GPOs) | Intune, Conditional Access |
| App access | On-premises apps | Cloud apps + on-prem (with hybrid) |
| Management | You manage domain controllers | Microsoft manages the infrastructure |

Key naming update: Microsoft renamed “Azure Active Directory” to “Microsoft Entra ID” in 2023. The exam uses the new name. If you see old materials saying “Azure AD,” it’s the same service.

What Entra ID does

| Capability | Description |
|---|---|
| Authentication | Verifies user identity (passwords, MFA, passwordless) |
| Single sign-on (SSO) | One login gives access to multiple applications |
| Application management | Register and manage cloud and on-prem apps |
| Device management | Register devices, enforce policies via Intune |
| B2B collaboration | Invite external users (partners, contractors) |
| B2C identity | Customer-facing sign-in (social logins, custom branding) |
| Conditional Access | Grant or block access based on conditions (location, device, risk) |

Harbour Health’s Entra ID setup

Every Harbour Health employee has an identity in Entra ID. When Dr. Patel opens the patient portal:

  1. Entra ID checks her credentials (authentication, first factor)
  2. Evaluates the Conditional Access policies that apply to this sign-in (is she on a managed device? In a trusted location? Is the sign-in risky?)
  3. Enforces whatever those policies require, typically MFA as the second factor
  4. Issues a token for the apps she’s authorised to use (authorisation)

All of this happens in milliseconds, every single time she logs in.
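To make the middle of that flow concrete, here is an added example (not part of the course) that models how Conditional Access combines the policies in scope for one sign-in. Two rules matter in the real service and are reproduced here: if any applicable policy says block, the sign-in is blocked; otherwise every applicable policy’s grant control must be satisfied. The policy names, group and app names, and the numeric risk ranking are constructed for the Harbour Health scenario.

```python
from dataclasses import dataclass
from typing import List, Optional

# Ordered risk scale. Entra reports sign-in risk as none/low/medium/high;
# the numeric ranking is this example's assumption.
RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    """Constructed sign-in context: what Conditional Access sees after first-factor auth."""
    user: str
    groups: frozenset
    app: str
    managed_device: bool      # device is enrolled in Intune and compliant
    trusted_location: bool    # source IP is inside a trusted named location
    risk: str                 # sign-in risk level


@dataclass(frozen=True)
class Policy:
    """A simplified Conditional Access policy: assignments plus one grant control."""
    name: str
    include_groups: frozenset = frozenset()   # empty means all users
    include_apps: frozenset = frozenset()     # empty means all cloud apps
    exclude_trusted_locations: bool = False
    min_risk: Optional[str] = None            # applies at or above this risk
    control: str = "grant"                    # grant | mfa | compliant_device | block


def policy_applies(policy: Policy, signin: SignIn) -> bool:
    """Assignment scoping: does this sign-in fall inside the policy's scope?"""
    if policy.include_groups and not (policy.include_groups & signin.groups):
        return False
    if policy.include_apps and signin.app not in policy.include_apps:
        return False
    if policy.exclude_trusted_locations and signin.trusted_location:
        return False
    if policy.min_risk and RISK_LEVELS[signin.risk] < RISK_LEVELS[policy.min_risk]:
        return False
    return True


def evaluate(policies: List[Policy], signin: SignIn) -> dict:
    """Combine every in-scope policy: block wins, otherwise all grant controls must be met."""
    in_scope = [p for p in policies if policy_applies(p, signin)]
    blocked_by = [p.name for p in in_scope if p.control == "block"]
    if blocked_by:
        return {"decision": "block", "because": blocked_by, "controls": []}
    controls = sorted({p.control for p in in_scope if p.control != "grant"})
    # "Require compliant device" cannot be satisfied interactively: if the
    # device is not managed, the sign-in fails rather than prompting.
    if "compliant_device" in controls and not signin.managed_device:
        return {"decision": "block",
                "because": [p.name for p in in_scope if p.control == "compliant_device"],
                "controls": controls}
    return {"decision": "grant", "because": [p.name for p in in_scope], "controls": controls}


# Constructed policy set for Harbour Health (illustrative, not a real tenant's policies).
HARBOUR_POLICIES = [
    Policy("Block high-risk sign-ins", min_risk="high", control="block"),
    Policy("Require MFA outside trusted locations",
           exclude_trusted_locations=True, control="mfa"),
    Policy("Patient portal requires a managed device",
           include_apps=frozenset({"patient-portal"}), control="compliant_device"),
]

CLINICIANS = frozenset({"clinicians"})

if __name__ == "__main__":
    on_site = SignIn("dr.patel", CLINICIANS, "patient-portal", True, True, "none")
    from_home = SignIn("dr.patel", CLINICIANS, "patient-portal", True, False, "low")
    personal_laptop = SignIn("dr.patel", CLINICIANS, "patient-portal", False, False, "none")
    for s in (on_site, from_home, personal_laptop):
        print(s.app, s.managed_device, s.trusted_location, "->", evaluate(HARBOUR_POLICIES, s))
```

Note that the on-site sign-in still has a control listed: the managed-device requirement is checked and satisfied silently, which is why Dr. Patel sees no prompt in the office but is asked for MFA from home.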

Microsoft Entra Domain Services

Some legacy applications still need old AD protocols (Kerberos, LDAP, NTLM). Running your own domain controllers to support these is expensive and complex.

Microsoft Entra Domain Services provides a managed domain: you get domain join, Group Policy, LDAP and Kerberos without deploying domain controllers. It is a separate domain synchronised one way from your Entra ID tenant, not an extension of an on-premises forest, and you do not get Domain Admin rights or schema changes in it.

| Feature | Entra ID | Entra Domain Services |
|---|---|---|
| Apps hosted in Azure | ✅ | ✅ |
| Modern protocols (OAuth, SAML) | ✅ | ❌ |
| Legacy protocols (Kerberos, LDAP) | ❌ | ✅ |
| Domain join | ❌ | ✅ |
| Group Policy | ❌ | ✅ (limited) |
| You manage domain controllers | No (there are none) | No (Microsoft manages them) |

Summit Construction’s use case: Their legacy project management app requires domain join and LDAP. Instead of running domain controllers in Azure VMs, they use Entra Domain Services: the app gets the domain join and LDAP it expects, with no domain controllers to patch, back up or secure.

Exam tip: Entra ID vs Entra Domain Services

The exam tests whether you know when to use each:

  • Modern cloud apps (OAuth, SAML, web-based) → Entra ID
  • Legacy apps that need domain join, LDAP, Kerberos, Group Policy → Entra Domain Services
  • Both → Use Entra ID for cloud identity AND Entra Domain Services for legacy protocol support

Entra ID tenants

An Entra ID tenant represents an organisation. It holds:

  • Users and groups
  • App registrations
  • Device registrations
  • Policies (Conditional Access, MFA)

Key relationships:

  • One Entra ID tenant can be linked to multiple Azure subscriptions
  • Each Azure subscription trusts exactly one Entra ID tenant
  • When you sign up for Azure, a tenant is created automatically
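The “each subscription trusts exactly one tenant” rule shows up at the token layer: a resource must accept only tokens issued by its own tenant, even if a token from some other tenant is perfectly well signed. The added example below (not part of the course, and not Microsoft’s code) checks the claims an Entra ID v2.0 token carries for that purpose: `tid`, `iss` in the form https://login.microsoftonline.com/{tenant}/v2.0, `aud`, `exp` and `nbf`. The tenant GUID, audience string and shared key are constructed, and HS256 with a shared key stands in for Entra’s RS256 signing so the code runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed identifiers for the example; the tenant GUID and audience are made up.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
AUDIENCE = "api://harbour-health-portal"
DEMO_KEY = b"demo-shared-secret-not-an-entra-key"


class TokenRejected(Exception):
    """Raised when a token fails any validation step."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issuer_for(tenant_id: str) -> str:
    """Issuer URL Entra ID places in v2.0 tokens for a given tenant."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def mint_demo_token(tenant_id: str, audience: str, now: int, key: bytes = DEMO_KEY,
                    lifetime: int = 3600, subject: str = "dr.patel") -> str:
    """Build a compact JWT with Entra-style claims.

    HS256 with a shared key is used so the example runs offline. Real Entra ID
    tokens are RS256-signed and verifiers fetch the public keys from the tenant's
    OpenID Connect discovery document rather than holding a shared secret.
    """
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer_for(tenant_id), "tid": tenant_id, "aud": audience,
              "sub": subject, "nbf": now, "exp": now + lifetime}
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def validate_entra_token(token: str, key: bytes, expected_tenant: str,
                         expected_audience: str, now: Optional[int] = None) -> dict:
    """Verify the signature, then bind the token to the tenant and audience we trust."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose how it is verified ('alg': 'none').
    if header.get("alg") != "HS256":
        raise TokenRejected(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    # Tenant binding: a valid token from another tenant must still be refused.
    if claims.get("tid") != expected_tenant:
        raise TokenRejected(f"tid {claims.get('tid')!r} is not the trusted tenant")
    if claims.get("iss") != issuer_for(expected_tenant):
        raise TokenRejected(f"issuer {claims.get('iss')!r} does not match the tenant")
    if claims.get("aud") != expected_audience:
        raise TokenRejected(f"audience {claims.get('aud')!r} is not this application")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenRejected("token is expired or has no exp")
    if claims.get("nbf", 0) > now:
        raise TokenRejected("token is not yet valid")
    return claims


def is_accepted(token: str, expected_tenant: str, expected_audience: str, now: int,
                key: bytes = DEMO_KEY) -> bool:
    """True if the token validates; otherwise prints the reason and returns False."""
    try:
        validate_entra_token(token, key, expected_tenant, expected_audience, now)
        return True
    except TokenRejected as err:
        print(f"rejected: {err}")
        return False


if __name__ == "__main__":
    now = 1_700_000_000
    good = mint_demo_token(TENANT_ID, AUDIENCE, now)
    other_tenant = mint_demo_token("99999999-8888-7777-6666-555555555555", AUDIENCE, now)
    print(is_accepted(good, TENANT_ID, AUDIENCE, now + 60))          # True
    print(is_accepted(other_tenant, TENANT_ID, AUDIENCE, now + 60))  # False: wrong tid
```

The order of checks is deliberate: the signature is verified before any claim is read, and the algorithm is pinned rather than taken from the token, because the tenant and audience checks mean nothing if an attacker can choose the signing scheme.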


Flashcards

Question

What is Microsoft Entra ID?


Answer

Cloud-based identity and access management service (formerly Azure Active Directory). Provides authentication, SSO, MFA, Conditional Access, and application management. Every Azure subscription is associated with an Entra ID tenant.


Question

What is Microsoft Entra Domain Services?


Answer

A managed domain service that provides legacy AD features (domain join, Group Policy, LDAP, Kerberos) without running your own domain controllers. Use it for legacy apps that need traditional AD protocols in the cloud.


Question

What protocols does Entra ID use vs on-premises AD?


Answer

Entra ID uses modern web protocols: OAuth 2.0, SAML, OpenID Connect. On-premises AD uses Kerberos, LDAP, and NTLM. This is why legacy apps may need Entra Domain Services for compatibility.


Question

What is an Entra ID tenant?


Answer

A tenant represents an organisation in Entra ID. It holds users, groups, app registrations, devices, and policies. One tenant can be linked to multiple Azure subscriptions. Each subscription trusts exactly one tenant.


Knowledge Check

  1. Summit Construction's legacy application requires LDAP and domain join to function. They want to run it in Azure without managing domain controllers. Which service should they use?

  2. Which statement about Microsoft Entra ID tenants is correct?


Next up: Authentication in Azure: SSO, MFA, passwordless, external identities, and Conditional Access.