Azure Active Directory
Microsoft Entra ID (formerly Azure Active Directory) is Azure's cloud-based identity and access management service. Every Azure resource, Microsoft 365 sign-in, and enterprise application authenticates through Entra ID, so identity is the control plane for everything else in Azure, and mastering it is the highest-impact security skill in the platform.
Entra ID Core Concepts
| Concept | Description | Example |
|---|---|---|
| Tenant | Entra ID directory instance | contoso.onmicrosoft.com |
| User | Individual identity | [email protected] |
| Group | Collection of users/devices | Developers, Admins |
| App Registration | Identity for applications | CI/CD service principal |
| Enterprise App | SSO integration with SaaS | Salesforce, GitHub |
| Managed Identity | Azure-managed credentials for resources | App Service → Key Vault |
Users and Groups
```bash
# Create user. The password is an initial value only; force a change at first sign-in.
az ad user create \
  --display-name "Jane Developer" \
  --password "TempPass123!" \
  --user-principal-name [email protected] \
  --force-change-password-next-sign-in true

# Create security group (mail nickname is required even for non-mail-enabled groups)
az ad group create \
  --display-name "Platform Developers" \
  --mail-nickname platform-dev

# Add user to group; membership is keyed by the user's object ID, not the UPN
az ad group member add \
  --group "Platform Developers" \
  --member-id $(az ad user show --id [email protected] --query id -o tsv)
```
Role-Based Access Control (RBAC)
Azure RBAC assigns permissions at management group, subscription, resource group, or resource scope:
| Built-in Role | Permissions | Use Case |
|---|---|---|
| Owner | Full access + grant access to others | Subscription admins |
| Contributor | Full access except grant access | Developers deploying resources |
| Reader | View resources only | Auditors, monitoring |
| User Access Administrator | Manage user access | IAM team |
```bash
# Assign Contributor role on resource group
az role assignment create \
  --assignee [email protected] \
  --role Contributor \
  --scope /subscriptions/SUB_ID/resourceGroups/rg-webapp-dev

# List role assignments at that scope (add --include-inherited to also see
# assignments flowing down from the subscription or management group)
az role assignment list \
  --scope /subscriptions/SUB_ID/resourceGroups/rg-webapp-dev \
  --output table

# Create custom role (least privilege).
# Caveat: Microsoft.Web/sites/* includes Microsoft.Web/sites/config/list/action,
# which returns app settings and connection strings. Put that action in
# "NotActions" if the deployer must not be able to read production secrets.
az role definition create --role-definition '{
  "Name": "Web App Deployer",
  "Description": "Can deploy to App Service only",
  "Actions": [
    "Microsoft.Web/sites/*",
    "Microsoft.Web/serverfarms/read"
  ],
  "AssignableScopes": ["/subscriptions/SUB_ID"]
}'
```
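The assignment listing above is only useful if someone reads it. The following script is an added example, not code from the page or from Microsoft: it takes records in the shape that `az role assignment list --all -o json` returns (trimmed to the fields it uses; the subscription ID, management group and principal names are constructed placeholders) and flags the assignments that violate the least-privilege layout this page recommends: Owner, Contributor or User Access Administrator at subscription or management-group scope, automation identities holding those roles, and access-granting roles that are permanent rather than PIM-eligible.

```python
"""Audit Azure RBAC assignments for least-privilege violations.

Added example, not the page's own code. SAMPLE_ASSIGNMENTS is constructed in the
shape of `az role assignment list --all -o json` output (fields trimmed); pipe the
real output of that command in for a live audit. The subscription ID, management
group and principal names are placeholders."""
import json
import re

# Roles that grant write access to everything in scope, or the right to grant access.
HIGH_PRIVILEGE_ROLES = {"Owner", "Contributor", "User Access Administrator"}
GRANTING_ROLES = {"Owner", "User Access Administrator"}

SAMPLE_ASSIGNMENTS = json.loads("""
[
 {"principalName": "jane@contoso.com", "principalType": "User", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-webapp-dev"},
 {"principalName": "bob@contoso.com", "principalType": "User", "roleDefinitionName": "Owner",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalName": "ci-cd-pipeline", "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalName": "ci-cd-pipeline", "principalType": "ServicePrincipal", "roleDefinitionName": "Web App Deployer",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-webapp-prod"},
 {"principalName": "Platform Developers", "principalType": "Group", "roleDefinitionName": "Reader",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalName": "old-script", "principalType": "ServicePrincipal", "roleDefinitionName": "User Access Administrator",
  "scope": "/providers/Microsoft.Management/managementGroups/contoso-root"}
]
""")


def scope_level(scope: str) -> str:
    """Classify an ARM scope string: managementGroup, subscription, resourceGroup or resource."""
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return "managementGroup"
    if re.fullmatch(r"/subscriptions/[^/]+", scope):
        return "subscription"
    if re.fullmatch(r"/subscriptions/[^/]+/resourceGroups/[^/]+", scope, re.IGNORECASE):
        return "resourceGroup"
    return "resource"


def audit(assignments):
    """Return one finding per offending assignment, each with the list of reasons it was flagged."""
    findings = []
    for a in assignments:
        role, ptype, level = a["roleDefinitionName"], a["principalType"], scope_level(a["scope"])
        reasons = []
        if role in HIGH_PRIVILEGE_ROLES and level in ("managementGroup", "subscription"):
            reasons.append(f"{role} at {level} scope: narrow it to the resource groups actually needed")
        if ptype == "ServicePrincipal" and role in HIGH_PRIVILEGE_ROLES:
            reasons.append(f"automation identity holds {role}: replace with a custom least-privilege role")
        if role in GRANTING_ROLES:
            reasons.append(f"{role} can grant access to others: make it PIM-eligible, not a permanent assignment")
        if reasons:
            findings.append({"principal": f"{ptype}:{a['principalName']}", "role": role,
                             "scope": a["scope"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ASSIGNMENTS):
        print(f"{f['principal']} ({f['role']} @ {f['scope']})")
        for r in f["reasons"]:
            print(f"  - {r}")
```

Run against real output with `az role assignment list --all -o json > assignments.json` and `json.load` the file in place of the sample. Note that the scoped CI/CD and group Reader assignments in the sample produce no findings: the audit is about breadth of scope and who holds granting roles, not about the mere presence of a role.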
Managed Identities
Eliminate credentials in code — Azure manages authentication automatically:
```bash
# Enable system-assigned managed identity on App Service
az webapp identity assign \
  --name my-webapp \
  --resource-group rg-webapp-prod

# Grant the identity access to Key Vault. Which command applies depends on the
# vault's permission model (az keyvault show --name my-keyvault --query properties.enableRbacAuthorization).
PRINCIPAL_ID=$(az webapp identity show --name my-webapp --resource-group rg-webapp-prod --query principalId -o tsv)

# Legacy access-policy model:
az keyvault set-policy \
  --name my-keyvault \
  --object-id "$PRINCIPAL_ID" \
  --secret-permissions get list

# Azure RBAC model (recommended), using the Key Vault Secrets User role shown in the scenario below:
az role assignment create \
  --assignee-object-id "$PRINCIPAL_ID" \
  --assignee-principal-type ServicePrincipal \
  --role "Key Vault Secrets User" \
  --scope "$(az keyvault show --name my-keyvault --query id -o tsv)"
```

```python
# Python: access Key Vault with managed identity (no credentials in code)
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# On Azure, DefaultAzureCredential resolves to the managed identity; on a developer
# machine it falls back to the az CLI login, so the same code runs in both places.
credential = DefaultAzureCredential()
client = SecretClient(vault_url="https://my-keyvault.vault.azure.net/", credential=credential)
secret = client.get_secret("database-password")
db_password = secret.value   # use it to connect; never log it
```
| Identity Type | Lifecycle | Use Case |
|---|---|---|
| System-assigned | Tied to resource lifecycle | Single resource accessing Azure services |
| User-assigned | Independent lifecycle | Multiple resources sharing one identity |
Conditional Access
Enforce access policies based on conditions — requires Entra ID P1/P2:
| Condition | Policy Example |
|---|---|
| User/group | Require MFA for all admins |
| Location | Block sign-ins from untrusted countries |
| Device | Require compliant or hybrid-joined device |
| Application | Require MFA for Azure Portal access |
| Risk level | Block high-risk sign-ins automatically |
Configure in Portal: Entra ID → Security → Conditional Access → New policy
Example policy: “Require MFA for all users accessing Azure Portal from untrusted locations.”
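Conditional Access is easy to misjudge because a policy applies only when every configured condition matches, exclusions beat inclusions, and several in-scope policies combine (any block wins, otherwise all required controls apply). The following is an added example, not code from the page or from Microsoft: a deliberately simplified model of that evaluation, with the page's example policy plus two others. Real Entra evaluates more conditions (device state, client app, user risk); the policy names, group names, accounts, IP ranges and the break-glass exclusion are constructed for illustration.

```python
"""Simplified model of how Entra Conditional Access scopes policies and combines
grant controls. Added example, not the page's own code: real Entra evaluates more
conditions (device state, client app, user risk), and the policy, group, account
and location names here are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

# Constructed named locations marked "trusted" (TEST-NET range as a placeholder).
TRUSTED_LOCATIONS = {"Corp HQ": [ipaddress.ip_network("203.0.113.0/24")]}


@dataclass
class Policy:
    name: str
    state: str = "enabled"      # enabled | disabled | reportOnly
    include_users: set = field(default_factory=lambda: {"All"})  # UPNs, group names or "All"
    exclude_users: set = field(default_factory=set)
    include_apps: set = field(default_factory=lambda: {"All"})   # cloud app names or "All"
    locations: str = "any"      # any | untrusted (= any location, excluding trusted named locations)
    sign_in_risk: set = field(default_factory=set)               # empty = condition not configured
    grant: str = "mfa"          # mfa | block


@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    ip: str
    risk: str = "none"          # none | low | medium | high (sign-in risk from Identity Protection)


def ip_is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for nets in TRUSTED_LOCATIONS.values() for net in nets)


def policy_applies(p: Policy, s: SignIn) -> bool:
    """A policy is in scope only when every configured condition matches;
    an exclusion always wins over an inclusion."""
    if p.state == "disabled":
        return False
    identities = {s.user} | set(s.groups)
    if "All" not in p.include_users and not identities & p.include_users:
        return False
    if identities & p.exclude_users:
        return False
    if "All" not in p.include_apps and s.app not in p.include_apps:
        return False
    if p.locations == "untrusted" and ip_is_trusted(s.ip):
        return False
    if p.sign_in_risk and s.risk not in p.sign_in_risk:
        return False
    return True


def evaluate(policies, s: SignIn):
    """Combine all in-scope policies: any block wins; otherwise the user must satisfy
    the union of required controls. Returns ("block", names) or ("allow", controls)."""
    controls, blocking = set(), []
    for p in policies:
        if not policy_applies(p, s) or p.state == "reportOnly":
            continue  # report-only policies show up in sign-in logs but are never enforced
        if p.grant == "block":
            blocking.append(p.name)
        else:
            controls.add(p.grant)
    if blocking:
        return ("block", blocking)
    return ("allow", sorted(controls))


POLICIES = [
    # The page's example policy, with a break-glass account excluded so that a
    # broken MFA provider or a bad policy edit cannot lock every admin out.
    Policy("Require MFA for Azure Portal from untrusted locations",
           include_apps={"Microsoft Azure Management"},
           exclude_users={"breakglass@contoso.com"},
           locations="untrusted"),
    Policy("Require MFA for admins", include_users={"Admins"}),
    Policy("Block high-risk sign-ins", sign_in_risk={"high"}, grant="block",
           exclude_users={"breakglass@contoso.com"}),
]

if __name__ == "__main__":
    for s in (SignIn("jane@contoso.com", {"Developers"}, "Microsoft Azure Management", "198.51.100.7"),
              SignIn("jane@contoso.com", {"Developers"}, "Microsoft Azure Management", "203.0.113.10"),
              SignIn("bob@contoso.com", set(), "Microsoft Azure Management", "198.51.100.7", risk="high")):
        print(s.user, s.ip, s.risk, "->", evaluate(POLICIES, s))
```

The model reproduces two things practitioners get wrong: a "block high-risk sign-ins" policy that does not exclude the break-glass account will block it too, and a location condition of "any location except trusted" silently exempts the corporate network, so a compromised laptop on the LAN reaches the portal without MFA. Use report-only mode to observe a new policy's scope in the sign-in logs before enforcing it.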
App Registrations and Service Principals
```bash
# Register application (the returned appId is what APP_ID refers to below)
az ad app create --display-name "My API"

# Create service principal (the identity the app uses in this tenant)
az ad sp create --id APP_ID

# Create client secret (prefer certificates in production).
# --append keeps existing credentials, so a rotation can overlap the old and new secret.
az ad app credential reset --id APP_ID --append
```
For production automation, prefer Managed Identities or federated credentials (OIDC with GitHub Actions) over client secrets.
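Client secrets that do remain need a lifecycle. The script below is an added example, not code from the page or from Microsoft: it audits app registrations for expired, soon-to-expire and long-lived secrets and flags apps that still rely on secrets with no federated credential. Its input is constructed: each entry carries the passwordCredentials array in the shape `az ad app credential list --id APP_ID` returns (fields trimmed) plus a count of entries from `az ad app federated-credential list --id APP_ID`; the app names, dates and the fixed "now" are placeholders.

```python
"""Audit app-registration client secrets for expiry and lifetime, and flag apps that
still depend on secrets rather than federated (OIDC) credentials.

Added example, not the page's own code. SAMPLE_APPS is constructed: each entry holds
the passwordCredentials array as `az ad app credential list --id APP_ID` returns it
(fields trimmed) and a count of federated identity credentials. NOW is pinned so the
sample is reproducible; use datetime.now(timezone.utc) against real data."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
WARN_WINDOW = timedelta(days=30)      # rotate before this much validity remains
MAX_LIFETIME = timedelta(days=365)    # anything longer is a standing credential

SAMPLE_APPS = [
    {"displayName": "My API",
     "passwordCredentials": [
         {"displayName": "ci-secret", "startDateTime": "2023-01-15T00:00:00Z", "endDateTime": "2025-01-15T00:00:00Z"}],
     "federatedCredentials": 0},
    {"displayName": "Reporting Job",
     "passwordCredentials": [
         {"displayName": "old", "startDateTime": "2022-04-01T00:00:00Z", "endDateTime": "2024-04-01T00:00:00Z"},
         {"displayName": "new", "startDateTime": "2024-03-20T00:00:00Z", "endDateTime": "2024-05-20T00:00:00Z"}],
     "federatedCredentials": 0},
    {"displayName": "GitHub Deployer", "passwordCredentials": [], "federatedCredentials": 1},
]


def _ts(s: str) -> datetime:
    """Parse the ISO-8601 timestamps the CLI emits (trailing Z = UTC)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def audit_credentials(apps, now=NOW):
    """Return (subject, kind, advice) tuples; kind is expired | expiring | long-lived | secret-only."""
    findings = []
    for app in apps:
        for c in app["passwordCredentials"]:
            start, end = _ts(c["startDateTime"]), _ts(c["endDateTime"])
            label = f'{app["displayName"]}/{c["displayName"]}'
            if end <= now:
                findings.append((label, "expired", "remove it; expired secrets mark an app nobody maintains"))
            elif end - now <= WARN_WINDOW:
                findings.append((label, "expiring", f"expires in {(end - now).days} days; rotate now"))
            if end - start > MAX_LIFETIME:
                findings.append((label, "long-lived", "validity over one year; issue shorter-lived secrets"))
        if app["passwordCredentials"] and app["federatedCredentials"] == 0:
            findings.append((app["displayName"], "secret-only",
                             "no federated credential; move CI/CD to OIDC so no secret exists to leak"))
    return findings


if __name__ == "__main__":
    for subject, kind, advice in audit_credentials(SAMPLE_APPS):
        print(f"[{kind}] {subject}: {advice}")
```

Two points the output makes that a one-off `az ad app credential list` does not: an expired secret is not harmless (it means the app was forgotten, and the Reporting Job in the sample is also running on a fresh secret that expires in 19 days), and "My API" passes every expiry check yet is still the weaker design because its only credential is a two-year secret.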
Entra ID Connect (Hybrid Identity)
Sync on-premises Active Directory to Entra ID:
```
On-Premises AD ──→ Entra ID Connect ──→ Entra ID (cloud)
                         │
                         ├── Password Hash Sync
                         ├── Pass-through Authentication
                         └── Federation (AD FS)
```
| Sync Mode | Description |
|---|---|
| Password Hash Sync | Most common; a salted, re-hashed derivative of each on-prem password hash is synced to the cloud, so cloud sign-in keeps working if on-prem AD is down |
| Pass-through Authentication | Validates against on-prem AD |
| Federation | AD FS handles authentication |
Enables single identity for on-premises and cloud resources.
Real-World Scenario: Enterprise IAM Layout
| Identity | Role | Scope |
|---|---|---|
| Developers (group) | Contributor | rg-*-dev resource groups |
| DevOps (group) | Contributor | rg-*-staging, rg-*-prod |
| Security (group) | Security Admin + Reader | Subscription level |
| CI/CD (service principal) | Web App Deployer (custom) | rg-webapp-prod only |
| App Service (managed identity) | Key Vault Secrets User | my-keyvault only |
Entra ID vs AWS IAM vs GCP IAM
| Feature | Entra ID | AWS IAM | GCP IAM |
|---|---|---|---|
| User directory | Built-in | Separate (or SSO) | Google accounts / Cloud Identity |
| MFA | Conditional Access | IAM policy condition | 2-Step Verification |
| Managed credentials | Managed Identity | Instance roles | Workload Identity |
| Hybrid identity | Entra Connect (best) | AD Connector | Cloud Identity |
| SSO to SaaS | Enterprise Apps (5000+ integrations) | Limited | Limited |
Common Mistakes
- Global Admin for daily work — use scoped roles; reserve Global Admin for emergencies
- Over-permissive Contributor on production — use custom roles with least privilege
- Client secrets in source code — use Managed Identities or Key Vault references
- No Conditional Access policies — MFA should be mandatory for all admin access
- Guest users with excessive permissions — audit B2B guest access regularly
- Ignoring sign-in logs — review Entra ID sign-in logs for anomalous activity
Troubleshooting
| Issue | Diagnosis | Fix |
|---|---|---|
| AuthorizationFailed | Missing RBAC role at the target scope | Check assignments with az role assignment list --include-inherited |
| Managed Identity can't access Key Vault | Missing access policy, or missing role assignment on a vault that uses the RBAC permission model | Add the identity's object ID to the vault's access policy, or assign Key Vault Secrets User at the vault scope |
| Conditional Access blocking login | Policy too restrictive | Review sign-in logs; adjust policy conditions |
| Service principal expired secret | Secret past expiry date | Rotate credential; prefer federated auth |
| User can’t see subscription | No role assignment | Assign Reader minimum at subscription scope |
Best Practices
- Enforce MFA for all users via Conditional Access
- Use Managed Identities for all Azure-to-Azure authentication
- Apply least privilege with custom RBAC roles
- Separate admin accounts from daily-use accounts
- Enable Entra ID Protection (P2) for risk-based policies
- Review role assignments quarterly — remove stale permissions
- Use Privileged Identity Management (PIM) for just-in-time admin access
- Audit sign-in and audit logs with Log Analytics or Sentinel
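The "ignoring sign-in logs" mistake above and the "audit sign-in logs" practice here both come down to having something that actually reads the logs. The script below is an added example, not code from the page or from Microsoft: it runs three detections over sign-in events (password spray from one source against many accounts, and whether that source then succeeded; successful legacy-protocol sign-ins, which Conditional Access cannot challenge for MFA; and the same account succeeding from two countries within an hour). The events are constructed and follow the field names of the SigninLogs / Microsoft Graph signIn schema; the accounts, IPs, countries and timestamps are placeholders.

```python
"""Triage Entra ID sign-in logs for three patterns worth an alert.

Added example, not the page's own code. The events are constructed and follow the
field names of the SigninLogs / Microsoft Graph signIn schema (createdDateTime,
userPrincipalName, ipAddress, location.countryOrRegion, clientAppUsed,
status.errorCode); a real export from Log Analytics or the Graph auditLogs/signIns
endpoint has the same shape with more fields."""
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = 50126                 # Entra error code: invalid username or password
SPRAY_MIN_USERS = 5                  # distinct accounts failing from one source IP
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}  # anything else is legacy auth
TRAVEL_WINDOW = timedelta(hours=1)


def _ev(t, user, ip, country, client="Browser", code=0):
    """Build one constructed sign-in event in the SigninLogs shape."""
    return {"createdDateTime": t, "userPrincipalName": user, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "clientAppUsed": client,
            "status": {"errorCode": code}}


SAMPLE_SIGNINS = (
    # password spray: six accounts, one source IP, bad-password failures seconds apart
    [_ev(f"2024-05-01T09:00:{i:02d}Z", f"user{i}@contoso.com", "198.51.100.23", "NL", code=BAD_PASSWORD)
     for i in range(6)]
    + [_ev("2024-05-01T09:01:30Z", "user3@contoso.com", "198.51.100.23", "NL")]   # the spray found a password
    + [_ev("2024-05-01T09:05:00Z", "bob@contoso.com", "192.0.2.50", "US", client="IMAP4")]  # legacy protocol
    + [_ev("2024-05-01T09:10:00Z", "jane@contoso.com", "203.0.113.10", "US"),
       _ev("2024-05-01T09:12:00Z", "jane@contoso.com", "203.0.113.10", "US", code=50074),  # MFA failure, not a spray code
       _ev("2024-05-01T09:40:00Z", "jane@contoso.com", "198.51.100.99", "BR")]  # 30 min later, another continent
)


def parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_password_spray(events, min_users=SPRAY_MIN_USERS):
    """One source IP failing with 50126 against many distinct accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["status"]["errorCode"] == BAD_PASSWORD:
            failed[e["ipAddress"]].add(e["userPrincipalName"])
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= min_users}


def detect_legacy_auth(events):
    """Successful sign-ins over legacy protocols, which cannot be challenged for MFA."""
    return [(e["userPrincipalName"], e["clientAppUsed"]) for e in events
            if e["status"]["errorCode"] == 0 and e["clientAppUsed"] not in MODERN_CLIENTS]


def detect_impossible_travel(events, window=TRAVEL_WINDOW):
    """The same account succeeding from two countries within the window."""
    by_user = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] == 0:
            by_user[e["userPrincipalName"]].append(
                (parse_time(e["createdDateTime"]), e["location"]["countryOrRegion"]))
    hits = []
    for user, seq in by_user.items():
        seq.sort()
        for (t1, c1), (t2, c2) in zip(seq, seq[1:]):
            if c1 != c2 and t2 - t1 <= window:
                hits.append((user, c1, c2))
    return hits


def triage(events):
    spray = detect_password_spray(events)
    # A success from a spraying IP is the finding that matters: a guessed password worked.
    compromised = sorted({e["userPrincipalName"] for e in events
                          if e["status"]["errorCode"] == 0 and e["ipAddress"] in spray})
    return {"password_spray": spray, "spray_then_success": compromised,
            "legacy_auth": detect_legacy_auth(events),
            "impossible_travel": detect_impossible_travel(events)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_SIGNINS).items():
        print(f"{kind}: {hits}")
```

The same three detections map directly onto KQL against the SigninLogs table in Log Analytics or Sentinel (summarize distinct UserPrincipalName by IPAddress where ResultType == 50126, filter ClientAppUsed, and a prev()-based country comparison per user); the Python version is here so the logic can be tested offline before it becomes an analytics rule.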