Beginner

Entra ID Fundamentals

Microsoft Entra ID is the cloud identity platform that extends -- and increasingly replaces -- on-premises Active Directory, managing authentication for Azure, Microsoft 365, and thousands of SaaS applications.

Microsoft Entra ID (formerly Azure Active Directory or Azure AD) is Microsoft's cloud-based identity service. While on-premises Active Directory manages identities for your local network, Entra ID manages identities for cloud services -- Microsoft 365, Azure, and thousands of third-party applications. Every organization using Microsoft 365 already has an Entra ID tenant. Users sign in once and get access to all their cloud apps (single sign-on). Unlike on-prem AD, which uses Kerberos and LDAP, Entra ID uses web protocols: OAuth 2.0 for authorization, OpenID Connect for authentication, and SAML 2.0 for federation with older applications. Key concepts include the tenant (your organization's dedicated Entra ID instance, identified by a tenant ID that appears as the tid claim and in the issuer URL of every token it mints), app registrations (the definition of an application: its client ID, redirect URIs, credentials, and the permissions it requests), and service principals (the identity an app uses to authenticate in a given tenant, and the object that actually holds its role assignments and granted permissions there).
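To make the "tenant is the security boundary" point concrete, here is an added example (not code from the original page or from Microsoft) of what an API that accepts Entra ID access tokens has to check. It builds small v2.0-style tokens with constructed tenant and client IDs, then validates them. The important case is the "foreign" token: it carries a valid signature, because a multi-tenant app registration means any tenant's users can obtain a token for your API, so a validator that stops at the signature accepts it. Pinning the issuer (`https://login.microsoftonline.com/{tid}/v2.0`) and the `tid` claim to the home tenant is what enforces the boundary. Assumptions: the tokens are HS256-signed with a demo secret so the example runs offline; real Entra ID tokens are RS256-signed and verified against the public keys published at the tenant's OpenID Connect `jwks_uri`, and the GUIDs, object IDs and secret are made up.

```python
import base64
import hashlib
import hmac
import json

# Constructed identifiers for the example (real ones are GUIDs issued by Entra ID).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
FOREIGN_TENANT = "22222222-2222-2222-2222-222222222222"
API_CLIENT_ID = "33333333-3333-3333-3333-333333333333"

# Stand-in signing key. Real tokens are RS256-signed by Microsoft; the verifier
# would fetch the signing keys from the tenant's OpenID Connect metadata instead.
DEMO_SECRET = b"constructed-demo-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(tenant_id: str, audience: str, oid: str, now: int,
                secret: bytes = DEMO_SECRET) -> str:
    """Build a v2.0-style Entra ID access token (constructed, HS256-signed for the demo)."""
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {
        "iss": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        "tid": tenant_id,                 # tenant that issued the token
        "aud": audience,                  # the API the token is meant for
        "oid": oid,                       # object ID of the user/service principal
        "sub": oid,
        "iat": now, "nbf": now, "exp": now + 3600,
    }
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenRejected(Exception):
    pass


def validate_token(token: str, expected_tenant: str, expected_audience: str, now: int,
                   secret: bytes = DEMO_SECRET) -> dict:
    """Verify signature, then pin issuer, tenant, audience and lifetime. Returns the claims."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust alg from the token
        raise TokenRejected("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    # The signature only proves Entra ID minted the token. The tenant boundary is
    # enforced by checking WHICH tenant minted it: issuer URL and tid must match.
    if claims.get("iss") != f"https://login.microsoftonline.com/{expected_tenant}/v2.0":
        raise TokenRejected("issuer from another tenant")
    if claims.get("tid") != expected_tenant:
        raise TokenRejected("tid from another tenant")
    if claims.get("aud") != expected_audience:  # a token for Graph must not unlock this API
        raise TokenRejected("token issued for a different audience")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise TokenRejected("token not yet valid or expired")
    return claims


def check(token: str, expected_tenant: str, expected_audience: str, now: int):
    """Return the rejection reason, or None when the token is accepted."""
    try:
        validate_token(token, expected_tenant, expected_audience, now)
        return None
    except TokenRejected as err:
        return str(err)


def demo() -> dict:
    now = 1_700_000_000
    good = issue_token(HOME_TENANT, API_CLIENT_ID, "user-oid", now)
    foreign = issue_token(FOREIGN_TENANT, API_CLIENT_ID, "attacker-oid", now)  # valid signature
    wrong_aud = issue_token(HOME_TENANT, "https://graph.microsoft.com", "user-oid", now)
    stale = issue_token(HOME_TENANT, API_CLIENT_ID, "user-oid", now - 7200)
    # Claims edited after signing: the foreign token's claims with the good token's signature.
    tampered = ".".join([good.split(".")[0], foreign.split(".")[1], good.split(".")[2]])
    return {
        "home": check(good, HOME_TENANT, API_CLIENT_ID, now),
        "foreign": check(foreign, HOME_TENANT, API_CLIENT_ID, now),
        "wrong_aud": check(wrong_aud, HOME_TENANT, API_CLIENT_ID, now),
        "expired": check(stale, HOME_TENANT, API_CLIENT_ID, now),
        "tampered": check(tampered, HOME_TENANT, API_CLIENT_ID, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result or 'accepted'}")
```

Running it accepts only the home-tenant token and reports why each of the others fails. Libraries such as MSAL or a JWT validation middleware do the signature and lifetime checks for you, but the issuer and tid comparison is still your configuration: an API registered as multi-tenant that leaves the accepted issuer unrestricted has the same bug as a validator that only checks the signature.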

If on-premises Active Directory is a national ID card system that only works inside the country, Entra ID is an international passport authority. Your passport (Entra identity) works at airports worldwide (SaaS apps, Azure services, partner organizations). The passport office (tenant) issues and manages identities, stamps visas (app registrations and consent), and maintains a registry of authorized travelers (users and service principals). You can even carry both a national ID and a passport -- that is hybrid identity.

Key Takeaways

  1. Entra ID is Microsoft's cloud identity platform, using OAuth 2.0/OIDC/SAML instead of Kerberos/LDAP.
  2. The tenant is the security boundary in Entra ID, analogous to the forest in on-prem AD.
  3. App registrations and service principals control how applications authenticate and access APIs.
  4. Every Microsoft 365 organization already has an Entra ID tenant.
  5. Managed identities eliminate the need for service account credentials in Azure workloads.

Why Should I Care?

As organizations move to the cloud, Entra ID becomes the new control plane. Understanding its architecture is essential because a compromise of Entra ID -- a Global Administrator account, an over-privileged app registration, or a leaked service principal credential -- gives an attacker access to every connected cloud application and service.

SourceSudo

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.