Entra ID (Azure AD) — Overview
Status: Scaffold — content in progress
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. It is the identity backbone for Microsoft 365, Azure, and thousands of SaaS applications via SAML/OIDC federation.
Architecture
Key Concepts
| Concept | Description |
|---|---|
| Tenant | An isolated instance of Entra ID. Identified by a tenant ID (GUID) and domain (e.g., corp.onmicrosoft.com) |
| Directory | The object store within the tenant: users, groups, apps, service principals |
| Service Principal | The app registration's identity within a tenant — what gets permissions |
| Managed Identity | System-assigned or user-assigned identity for Azure resources (no credentials to manage) |
| Global Administrator | Highest privilege role — equivalent to Domain Admin in the cloud |
Authentication Protocols
Entra ID supports OAuth 2.0, OpenID Connect (OIDC), SAML 2.0 and WS-Federation.
Hybrid Identity (AD + Entra ID)
Most enterprises run hybrid: on-premises AD synchronized to Entra ID via Entra Connect (formerly AAD Connect).
Sync modes:
- Password Hash Sync (PHS): NTLM/Kerberos hash variants synced to cloud
- Pass-through Authentication (PTA): Auth redirected to on-prem DCs
- Federation (ADFS): Full federation, SAML/WS-Fed tokens
Hybrid attacks: compromising the Entra Connect sync account (has DCSync rights in AD) or the federation trust can lead to forging tokens for any cloud user.
Key Security Features
| Feature | Description |
|---|---|
| Conditional Access | Policy-based access control using signals: user, location, device, risk |
| Identity Protection | ML-based risk detection for sign-ins and users |
| PIM (Privileged Identity Management) | JIT activation of privileged roles |
| MFA / SSPR | Multi-factor auth, self-service password reset |
| Entra ID Protection | Risk-based token revocation |
Telemetry
| Log | Key Signals |
|---|---|
| Sign-in logs | Authentication result, MFA, Conditional Access outcome, risk level, IP, location |
| Audit logs | Role assignments, app registrations, PIM activations, user/group changes |
| Provisioning logs | SCIM sync events |
| Risk detections | Leaked credentials, atypical travel, anonymous IP, malware-linked IP |
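The sign-in signals in the table above (authentication result, MFA, Conditional Access outcome, risk level, location) are what a first triage pass keys on. As an added example that is not part of this page, the following Python runs three such checks over constructed sign-in records; the field names follow the shape of the Microsoft Graph signIn resource, which is an assumption to map onto your own export.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real data). Field names follow the shape of the
# Microsoft Graph signIn resource; treat that as an assumption and map them to your
# own export (Log Analytics, Sentinel) if they differ.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@corp.example", "createdDateTime": "2024-05-01T08:00:00Z",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success",
     "authenticationRequirement": "multiFactorAuthentication",
     "riskLevelDuringSignIn": "none", "riskState": "none",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"}},
    {"userPrincipalName": "alice@corp.example", "createdDateTime": "2024-05-01T08:20:00Z",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication",
     "riskLevelDuringSignIn": "medium", "riskState": "atRisk",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "BR"}},
    {"userPrincipalName": "bob@corp.example", "createdDateTime": "2024-05-01T09:00:00Z",
     "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication",
     "riskLevelDuringSignIn": "none", "riskState": "none",
     "ipAddress": "192.0.2.5", "location": {"countryOrRegion": "GB"}},
]
TRAVEL_WINDOW = timedelta(hours=1)  # two countries inside this window is worth a look

def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))

def triage_signins(records, travel_window=TRAVEL_WINDOW):
    """Return (finding, userPrincipalName, createdDateTime) tuples for successful sign-ins."""
    findings = []
    last_ok = {}  # user -> (timestamp, country) of that user's previous successful sign-in
    for rec in sorted(records, key=_ts):
        user, when = rec["userPrincipalName"], rec["createdDateTime"]
        if rec["status"]["errorCode"] != 0:  # non-zero errorCode = failed sign-in, skip
            continue
        # Identity Protection flagged the sign-in, yet it succeeded and was never remediated.
        if rec["riskLevelDuringSignIn"] in ("medium", "high") and rec["riskState"] != "remediated":
            findings.append(("risky_signin_succeeded", user, when))
        # No Conditional Access policy was evaluated and only one factor was used: a coverage gap.
        if (rec["conditionalAccessStatus"] == "notApplied"
                and rec["authenticationRequirement"] == "singleFactorAuthentication"):
            findings.append(("ca_gap_single_factor", user, when))
        # Same user, different country, within the travel window (atypical travel).
        country = rec["location"]["countryOrRegion"]
        prev = last_ok.get(user)
        if prev and prev[1] != country and _ts(rec) - prev[0] <= travel_window:
            findings.append(("atypical_travel", user, when))
        last_ok[user] = (_ts(rec), country)
    return findings
```

Against the sample, alice's second sign-in trips all three checks, while bob's failed sign-in is skipped and left to volume-based failure alerting.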
Cross-Links
| Topic | Link |
|---|---|
| OAuth2 | oauth2 |
| OIDC | oidc |
| SAML | saml |
| Conditional Access | conditional-access |
| PIM | pim |
| Cloud Attacks | Cloud Attacks |