Introduction: The Foundation of Microsoft Cloud Identity
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft’s cloud-based identity and access management service. It serves as the control center for user authentication, application access, and security policies across Microsoft 365, Azure resources, and thousands of integrated applications. Understanding Entra ID is essential for secure and efficient cloud operations.
Note: In 2023, Microsoft rebranded Azure Active Directory (Azure AD) as Microsoft Entra ID. While the product name has changed, most functionality remains the same, and many interfaces still use “Azure AD” terminology. This cheatsheet uses both terms interchangeably.
Core Identity Concepts & Components
Component | Description | Use Case |
---|---|---|
Tenant | Dedicated instance of Entra ID | Organization’s identity boundary |
User | Individual identity (cloud or synced) | Employees, partners, customers |
Group | Collection of users or other groups | Organizing users by department/role |
Service Principal | Identity used by an application | App access to resources |
Managed Identity | Automatically managed service principal | Azure services accessing other resources |
Device | Hardware endpoints (mobile, desktop) | Device-based access policies |
External Identity | Guest users or B2B collaborators | Partner collaboration |
Administrative Unit | Container for managing permissions | Delegated administration |
Conditional Access | Policy-based access control | Contextual security policies |
Azure AD Editions & Licensing
Edition | Key Features | Use Cases |
---|---|---|
Free | User and group management, basic reports, SSO for 10 apps per user | Small businesses, basic identity |
Microsoft 365 Apps | Cloud-only identity for M365 apps | Organizations using only M365 |
Premium P1 | Dynamic groups, self-service, conditional access, MFA | Medium organizations, hybrid identity |
Premium P2 | Identity Protection, PIM, Access Reviews | Enterprises, regulated industries |
External Identities | B2B collaboration, B2C user management | Customer-facing apps, partner access |
Common Add-ons:
- Microsoft Defender for Identity (formerly ATP): Advanced threat protection
- Microsoft Defender for Cloud Apps (formerly MCAS): Cloud access security broker
- Entra ID Governance: Identity governance and lifecycle management
Directory Management
Tenant Creation & Configuration
- Initial domain: [tenantname].onmicrosoft.com (immutable)
- Custom domain verification requires DNS record validation
- Multi-tenant apps span organizational boundaries
- Cross-tenant access settings control external collaboration
User Management
User Type | Source | Authentication |
---|---|---|
Cloud-only | Created in Azure AD | Azure AD credentials |
Synced | Synced from on-premises AD | On-premises or cloud (password hash sync) |
Guest | Invited from other organizations | Home tenant credentials |
B2B | External partners | Their existing credentials (federated) |
B2C | Customers | Social/local accounts for customer apps |
User Properties & Settings
- User Principal Name (UPN): Primary login identifier (email format)
- Object ID: Immutable identifier within a tenant
- Display Name: Shown in interfaces
- Mail: Email address (may differ from UPN)
- Department/Job Title/Manager: Organizational attributes
- Usage Location: Required for license assignment
- Authentication Methods: Ways the user can authenticate
- Authentication Contact Info: Phone/email for MFA/SSPR
Group Management
Group Type | Membership | Scope |
---|---|---|
Security | Static or dynamic | Control access to resources |
Microsoft 365 | Static or dynamic | Collaboration in M365 applications |
Distribution | Static | Email distribution lists |
Mail-enabled Security | Static | Both resource access and email distribution |
Group Creation Options:
- Assignment (static): Manually add/remove members
- Dynamic User: Rule-based membership using user attributes
- Dynamic Device: Rule-based membership using device attributes
Dynamic Group Rule Example:
user.department -eq "Finance" and user.country -eq "US"
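Applying a rule like the one above with the Graph PowerShell SDK (added example, not from the original cheatsheet; the group name and nickname are made up):

```powershell
# Added example: create a dynamic security group whose membership is computed from user attributes.
# Assumes Microsoft.Graph.Groups is installed and the caller holds Group.ReadWrite.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

$group = @{
    displayName                   = "Finance - US"          # constructed sample name
    mailEnabled                   = $false
    mailNickname                  = "finance-us"
    securityEnabled               = $true
    groupTypes                    = @("DynamicMembership")  # what makes the group dynamic
    membershipRule                = '(user.department -eq "Finance") and (user.country -eq "US")'
    membershipRuleProcessingState = "On"                    # "Paused" keeps the rule but stops evaluation
}
$new = New-MgGroup -BodyParameter $group

# Membership is evaluated asynchronously; confirm the rule was stored and processing is on
Get-MgGroup -GroupId $new.Id -Property Id,DisplayName,MembershipRule,MembershipRuleProcessingState |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState

# Later: list resolved members (UPN lives in AdditionalProperties for directoryObject results)
Get-MgGroupMember -GroupId $new.Id -All |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }
```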
Administrative Models
Role/Model | Description | Use Case |
---|---|---|
Global Administrator | Full access to all aspects | Emergency access, initial setup |
Administrative Units | Delegated admin for user subsets | Regional IT teams, subsidiaries |
Privileged Identity Management (PIM) | Just-in-time and temporary access | Sensitive admin roles |
Custom Directory Roles | Tailored permissions | Organization-specific admin needs |
Key Built-in Roles:
- Global Administrator: Full control of Entra ID
- User Administrator: Create/manage users and groups
- Authentication Administrator: Reset passwords for non-admin users
- Application Administrator: Manage enterprise applications
- License Administrator: Assign and manage licenses
- Security Administrator: Manage security features
- Conditional Access Administrator: Manage CA policies
- Global Reader: Read-only access to everything
Authentication Methods
Primary Authentication Options
Method | Description | Security Level |
---|---|---|
Password | Traditional secret | Basic (weakest) |
FIDO2 Security Keys | Phishing-resistant hardware key | High |
Windows Hello for Business | Biometric + device | High |
Microsoft Authenticator | App-based passwordless | Medium-High |
OATH Hardware Tokens | Time-based OTP devices | Medium |
Phone Sign-in | App notification or code | Medium |
SMS/Voice | Code via text/call | Lower (vulnerable to SIM swap) |
Email OTP | One-time code to email | Lower (email vulnerabilities) |
Multi-Factor Authentication (MFA)
Configuration Options:
- Security Defaults: Basic MFA enforcement for all users
- Conditional Access Policies: Context-based MFA triggers
- Per-User MFA: Legacy configuration method (limited)
MFA Deployment Steps:
- Enable authentication methods in Authentication Methods policy
- Create Conditional Access policy requiring MFA
- Exclude break-glass admin accounts from MFA requirement
- Implement staged rollout to user groups
- Monitor Authentication Methods Activity dashboard
Self-Service Password Reset (SSPR)
Key Settings:
- Registration requirements (optional/required)
- Authentication methods needed (1-3)
- Method options (email, phone, authenticator app, security questions)
- Admin notification on reset
- On-premises writeback (requires AD Connect)
Authorization & Access Control
Conditional Access Policies
Policy Components:
- Assignments:
  - Users/groups/roles (who)
  - Cloud apps (what)
  - Conditions (when/where/how)
- Access Controls:
  - Grant controls (allow with requirements)
  - Session controls (limit what can be done)
Common Conditional Access Scenarios:
Scenario | Configuration |
---|---|
Require MFA for all users | All users → All cloud apps → Require MFA |
Block legacy authentication | All users → All cloud apps → Client apps: Legacy → Block |
Require managed devices | All users → All cloud apps → Require managed device |
Geofencing | All users → All cloud apps → Locations: Block specified countries → Block |
Risky sign-ins | All users → All cloud apps → Sign-in risk: High → Block |
Named Locations:
- IP ranges (trusted corporate networks)
- Countries/regions (allow or block)
- Mark as trusted location (affects risk calculations)
Identity Protection
Risk Detections:
Risk Type | Examples | Response |
---|---|---|
Sign-in Risk | Atypical travel, anonymous IP, malware-linked IP | MFA challenge, block |
User Risk | Leaked credentials, suspicious activity | Password change, block |
Risk Policies:
- Sign-in Risk Policy: Actions during risky sign-ins
- User Risk Policy: Actions for users with compromised accounts
- MFA Registration Policy: Require MFA registration
Privileged Identity Management (PIM)
Role Assignment Types:
- Eligible: User must activate role when needed
- Active: Role is permanently assigned
Activation Settings:
- Activation duration (hours)
- Require MFA
- Require ticket/justification
- Approval requirements
Access Reviews:
- Periodic review of role membership
- Self-attestation or reviewer-driven
- Automated actions for denied access
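Creating an eligible (rather than active) assignment through PIM, as an added example that is not part of the original cheatsheet; the user object ID is a placeholder and the role and duration are chosen for illustration:

```powershell
# Added example: make a user eligible for a directory role via a PIM schedule request.
# Assumes Microsoft.Graph.Identity.Governance is installed and PIM (P2) is licensed.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory", "RoleManagement.Read.Directory"

# Resolve the role by name rather than hard-coding its template ID
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$userId  = "<user-object-id>"   # placeholder

$request = @{
    action           = "adminAssign"
    justification    = "Helpdesk lead: eligible only, activation requires MFA and a ticket"
    roleDefinitionId = $roleDef.Id
    directoryScopeId = "/"      # tenant-wide; an administrative unit scope would narrow it
    principalId      = $userId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        # Eligibility itself expires, so the assignment must be re-reviewed rather than living forever
        expiration    = @{ type = "afterDuration"; duration = "P180D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request

# Verify what the principal is now eligible for
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$userId'" |
    Select-Object RoleDefinitionId, DirectoryScopeId, Status
```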
Application Management
Enterprise Applications
Application Types:
- Microsoft Applications: M365, Dynamics, etc.
- Gallery Applications: Pre-integrated SaaS apps
- Non-gallery Applications: Custom SAML/OAuth integrations
- On-premises Applications: App Proxy for internal apps
Key Application Properties:
- Enterprise App Object ID: Unique identifier for the service principal
- App Registration Object ID: Unique identifier for the app registration
- Application ID (Client ID): Identifier used in authentication flows
- Client Secret/Certificate: Authentication credentials for the app
- Reply URL (Redirect URI): Where authentication responses are sent
- App Roles: Role-based access control within applications
- Required User Assignment: Whether users must be assigned to use the app
Single Sign-On Methods
SSO Method | Use Case | Configuration |
---|---|---|
SAML | Enterprise SaaS applications | Upload IdP metadata, configure claims |
OAuth/OIDC | Modern applications, APIs | Register app, configure permissions |
Password-based | Legacy applications | Store credentials in Entra ID |
Linked | Microsoft applications | Automatic configuration |
Application Consent & Permissions
Permission Types:
- Delegated: App acts on behalf of signed-in user
- Application: App acts with its own identity
Consent Settings:
- User consent for personal apps
- User consent for apps in your organization
- Admin consent for all apps
Admin Consent Workflow:
- User requests access to an app
- Admins receive notification
- Admins review and approve/deny
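Application permissions run without a user, so admin-consented grants deserve periodic review. The following added example (not from the original cheatsheet) lists which apps hold high-privilege Microsoft Graph application permissions; the set of permissions treated as high-privilege is a starting assumption.

```powershell
# Added example: inventory application-permission grants against Microsoft Graph.
# Assumes Microsoft.Graph.Applications is installed and the caller holds Application.Read.All.
Connect-MgGraph -Scopes "Application.Read.All"

# Well-known appId of the Microsoft Graph resource service principal
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Map app role IDs to permission names such as Directory.ReadWrite.All
$roleName = @{}
foreach ($role in $graphSp.AppRoles) { $roleName[$role.Id] = $role.Value }

# Permissions that amount to tenant-wide control (assumed starting list; extend for your tenant)
$highPrivilege = @(
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Mail.ReadWrite"
)

# appRoleAssignedTo on the Graph SP = every application permission granted against Graph
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    ForEach-Object {
        [pscustomobject]@{
            App         = $_.PrincipalDisplayName
            AppObjectId = $_.PrincipalId
            Permission  = $roleName[$_.AppRoleId]
            Granted     = $_.CreatedDateTime
        }
    } |
    Where-Object { $highPrivilege -contains $_.Permission } |
    Sort-Object App | Format-Table -AutoSize
```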
Hybrid Identity Configuration
Azure AD Connect
Synchronization Options:
- Password Hash Synchronization: Store password hash in cloud
- Pass-through Authentication: Verify credentials on-premises
- Federation: Redirect to on-premises ADFS
Key Configuration Decisions:
- Filtering (sync all vs selected OUs)
- Custom attribute synchronization
- Attribute transformation rules
- Multi-forest considerations
- Password writeback for SSPR
Hybrid Security Features
Feature | Description | Requirements |
---|---|---|
Password Writeback | Write cloud password resets back to on-premises AD | Azure AD Connect, P1 license |
Device Writeback | Write device objects back to AD | Azure AD Connect, P1 license |
Password Hash Sync | Enable leaked credential detection | Azure AD Connect |
Seamless SSO | Silent sign-on for domain-joined devices | Azure AD Connect, Computer objects |
Hybrid Azure AD Join | Register on-premises devices in Entra ID | Azure AD Connect |
Device Management
Device Identity Types
Identity Type | Description | Creation | Management |
---|---|---|---|
Azure AD Registered | Personal devices accessing work resources | User self-service | Limited |
Azure AD Joined | Organization-owned cloud devices | User setup or autopilot | Full cloud management |
Hybrid Azure AD Joined | Organization-owned domain-joined devices | AD + Azure AD Connect | On-premises + cloud |
Device Security Features
- Conditional Access device filters: Block/allow specific device platforms
- Device compliance: Integrate with Intune for health status
- Compliant vs. Hybrid Join requirement: Different trust levels
- Microsoft Authenticator: Additional security on mobile devices
- Device-based Conditional Access: Require managed devices
- Primary Refresh Token (PRT): Seamless access across applications
Security Recommendations & Best Practices
Identity Security Foundation
Secure Authentication:
- Enable MFA for all users
- Implement passwordless where possible
- Block legacy authentication protocols
- Configure SSPR for user autonomy
Least Privilege Access:
- Use Privileged Identity Management (PIM)
- Implement Just-in-Time access for admin roles
- Regularly review access with Access Reviews
- Use Cloud App Security for session monitoring
Zero Trust Implementation:
- Verify explicitly (strong authentication)
- Use least privilege access (JIT)
- Assume breach (segmentation, monitoring)
Monitoring & Alerting
Key Areas to Monitor:
- Sign-in logs (failed attempts, unusual patterns)
- Audit logs (admin activities, permission changes)
- Risky users and sign-ins
- MFA failures and registration status
- Service principal activity
- Provisioning logs
Alert Priorities:
- Global Admin role assignments
- Password changes for privileged accounts
- MFA changes or disabling
- Conditional Access policy modifications
- New service principal creation
- External user invitations
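A query that surfaces the alert priorities above from the directory audit log (added example, not from the original cheatsheet; the activity names are the ones Entra writes to the audit log, and the 24-hour window is an assumption):

```powershell
# Added example: report the last 24 hours of audit events that match the alert priorities.
# Assumes Microsoft.Graph.Reports is installed and the caller holds AuditLog.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since = (Get-Date).AddHours(-24).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

$watched = @(
    "Add member to role",                   # permanent role assignment
    "Add eligible member to role",          # PIM eligibility
    "Add conditional access policy", "Update conditional access policy", "Delete conditional access policy",
    "Add service principal",
    "Invite external user"
)

$events = Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All |
    Where-Object { $watched -contains $_.ActivityDisplayName }

$report = $events | ForEach-Object {
    # Actor is a user for interactive changes, an app for automation
    $actor  = if ($_.InitiatedBy.User) { $_.InitiatedBy.User.UserPrincipalName } else { $_.InitiatedBy.App.DisplayName }
    $target = $_.TargetResources | Select-Object -First 1
    $targetName = if ($target.UserPrincipalName) { $target.UserPrincipalName } else { $target.DisplayName }
    # Role assignment events carry the role name in a modified property (value is JSON-quoted)
    $role   = ($target.ModifiedProperties | Where-Object { $_.DisplayName -eq "Role.DisplayName" }).NewValue
    $roleName = if ($role) { $role.Trim('"') } else { "" }
    [pscustomobject]@{
        Time     = $_.ActivityDateTime
        Activity = $_.ActivityDisplayName
        Actor    = $actor
        Target   = $targetName
        Role     = $roleName
        Result   = $_.Result
    }
}

# Role assignments: keep only Global Administrator; every other watched activity is reported as-is
$report |
    Where-Object { $_.Activity -notlike "*member to role" -or $_.Role -eq "Global Administrator" } |
    Sort-Object Time -Descending | Format-Table -AutoSize
```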
Security Benchmarks
Microsoft Secure Score Actions:
- Enable security defaults
- Require MFA for administrative roles
- Register all users for MFA
- Enable Password Hash Synchronization
- Use Cloud App Security to detect risky app usage
- Regularly review sign-in logs
PowerShell Cmdlets & Management Tools
Microsoft Graph PowerShell SDK
Key Module Installation:
```powershell
Install-Module Microsoft.Graph -Scope CurrentUser
```
Authentication:
```powershell
Connect-MgGraph -Scopes "Directory.ReadWrite.All"
```
Common User Management Commands:
```powershell
# Get all users
Get-MgUser -All

# Create new user
$params = @{
    AccountEnabled    = $true
    DisplayName       = "John Smith"
    MailNickname      = "jsmith"
    UserPrincipalName = "jsmith@contoso.com"
    PasswordProfile   = @{
        # Single quotes: inside a double-quoted string PowerShell expands "$$" (an automatic variable)
        Password                      = 'SecureP@$$w0rd!'
        ForceChangePasswordNextSignIn = $true
    }
}
New-MgUser -BodyParameter $params

# Get user by UPN
Get-MgUser -Filter "userPrincipalName eq 'jsmith@contoso.com'"

# Update user properties
Update-MgUser -UserId "user-id" -DisplayName "John A. Smith"

# Disable user account
Update-MgUser -UserId "user-id" -AccountEnabled:$false
```
Group Management:
```powershell
# Get all groups
Get-MgGroup -All

# Create new group
$params = @{
    DisplayName     = "Marketing Team"
    MailEnabled     = $false
    MailNickname    = "marketingteam"
    SecurityEnabled = $true
    Description     = "Marketing department team"
}
New-MgGroup -BodyParameter $params

# Add member to group
New-MgGroupMember -GroupId "group-id" -DirectoryObjectId "user-id"

# Get group members
Get-MgGroupMember -GroupId "group-id"
```
Application Management:
```powershell
# Get all applications
Get-MgApplication -All

# Create service principal
$params = @{
    AppId = "application-id"
}
New-MgServicePrincipal -BodyParameter $params

# Get all enterprise applications (service principals)
Get-MgServicePrincipal -All
```
Azure CLI Commands
Authentication:
```bash
az login
```
User Management:
```bash
# List users
az ad user list

# Create user (single quotes keep the shell from expanding $$ to its process ID)
az ad user create --display-name "John Smith" --password 'SecureP@$$w0rd!' --user-principal-name "jsmith@contoso.com"

# Get user
az ad user show --id "jsmith@contoso.com"

# Update user
az ad user update --id "jsmith@contoso.com" --display-name "John A. Smith"
```
Group Management:
```bash
# List groups
az ad group list

# Create group
az ad group create --display-name "Marketing Team" --mail-nickname "marketingteam"

# Add member to group
az ad group member add --group "Marketing Team" --member-id "user-object-id"

# List group members
az ad group member list --group "Marketing Team"
```
Integration Scenarios & Solutions
Microsoft 365 Integration
Key Identity Components:
- Single identity across all M365 services
- Unified admin portal (Microsoft 365 admin center)
- User assignment for licenses and app access
- Group-based license assignment
- Teams integration for collaboration
Hybrid Management Scenarios
Scenario | Solution Components |
---|---|
Hybrid Exchange | Azure AD Connect + Exchange Hybrid Configuration Wizard |
Hybrid SharePoint | Azure AD Connect + External Sharing in SharePoint |
Hybrid Teams | Azure AD Connect + Teams Direct Routing |
Hybrid Device Management | Azure AD Connect + Intune + ConfigMgr Co-management |
Third-Party Integration Patterns
Pattern | Description | Example |
---|---|---|
SAML Integration | Standards-based SSO for web apps | Salesforce, ServiceNow |
OAuth Integration | Modern auth for APIs and mobile | Custom mobile apps |
SCIM Provisioning | Automated user provisioning | Workday, SAP SuccessFactors |
Custom Directory Extension | Extended user attributes | Industry-specific attributes |
Troubleshooting Toolkit
Sign-in Issues
Problem | Troubleshooting Steps |
---|---|
Sign-in blocked | Check Conditional Access policies, risk status, account status |
MFA problems | Verify registration status, authentication methods, phone number |
Password issues | Check password expiry, banned password list, password reset policies |
Application access | Verify app assignment, permissions, consent status |
Common Error Codes
Error | Meaning | Resolution |
---|---|---|
AADSTS50076 | MFA required | Complete MFA registration or satisfy MFA requirement |
AADSTS50105 | External user needs invite | Send invitation to guest user |
AADSTS50126 | Invalid username or password | Verify credentials or reset password |
AADSTS50079 | User needs to re-authenticate | Sign in again to refresh session |
AADSTS700016 | Application not found | Verify application ID and availability in tenant |
AADSTS90002 | Tenant not found | Verify domain name and tenant existence |
Sign-in Log Analysis
Key Fields to Review:
- Status: Success or failure
- Conditional Access: Policies applied and results
- Device Info: Browser, OS, trusted device status
- Authentication Details: Method used
- Location: IP address and named location
- Additional Details: Risk state, applied policies
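Pulling those fields out of the sign-in log and flagging the entries worth a second look (added example, not from the original cheatsheet; the 24-hour window and the flag thresholds are assumptions):

```powershell
# Added example: triage recent sign-ins by status, client type, risk and Conditional Access result.
# Assumes Microsoft.Graph.Reports is installed and the caller holds AuditLog.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since   = (Get-Date).AddHours(-24).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$signIns | ForEach-Object {
    $flags = @()
    # Status: errorCode 0 is success; e.g. 50126 = bad credentials, 50076 = MFA required
    if ($_.Status.ErrorCode -ne 0) { $flags += "failure:$($_.Status.ErrorCode)" }
    # Device/client: anything outside the two modern categories is a legacy protocol client
    if ($_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients")) { $flags += "legacy-client" }
    # Risk state as evaluated by Identity Protection at sign-in time
    if ($_.RiskLevelDuringSignIn -notin @("none", "hidden")) { $flags += "risk:$($_.RiskLevelDuringSignIn)" }
    # No policy applied at all usually means a coverage gap in Conditional Access
    if ($_.ConditionalAccessStatus -eq "notApplied") { $flags += "no-CA-policy" }

    if ($flags.Count -gt 0) {
        [pscustomobject]@{
            Time    = $_.CreatedDateTime
            User    = $_.UserPrincipalName
            App     = $_.AppDisplayName
            Client  = $_.ClientAppUsed
            IP      = $_.IpAddress
            Country = $_.Location.CountryOrRegion
            Method  = ($_.AuthenticationDetails | Select-Object -Last 1).AuthenticationMethod
            CA      = ($_.AppliedConditionalAccessPolicies | Where-Object { $_.Result -ne "notApplied" }).DisplayName -join "; "
            Flags   = $flags -join ","
        }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```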
Resources for Further Learning
Official Documentation
- Microsoft Entra ID Documentation
- Microsoft Entra Admin Center
- Microsoft Graph API Reference
- Azure AD Feature Comparison
Practice & Certification
- Microsoft Learn Modules for Identity
- SC-300: Microsoft Identity and Access Administrator
- MS-500: Microsoft 365 Security Administration