Azure Active Directory
Every cloud system needs a way to manage who can access what. Azure Active Directory (Azure AD), now officially rebranded as Microsoft Entra ID, is Microsoft's cloud-based identity and access management service. It handles authentication (proving who someone is) and authorization (deciding what they are allowed to do) for Azure resources, Microsoft 365, and thousands of third-party applications.
What is Azure Active Directory?
Azure AD is not the same as the Windows Server Active Directory used in traditional on-premises networks. While Windows Server AD is designed for managing computers and users on a corporate network, Azure AD is designed for the cloud — managing identities for web applications, mobile apps, APIs, and cloud services.
Key Differences: Windows AD vs Azure AD
| Feature | Windows Server Active Directory | Azure Active Directory |
|---|---|---|
| Protocol | LDAP, Kerberos, NTLM | SAML, OAuth 2.0, OpenID Connect, WS-Federation |
| Designed For | On-premises computers, printers, file shares | Cloud and SaaS applications |
| Location | Physical domain controllers on-premises | Fully cloud-hosted by Microsoft |
| Management | Requires IT infrastructure team | Fully managed by Microsoft |
| Domain Join | Computers join the domain | Devices register/join Azure AD |
Azure AD Tenant
When an organization signs up for Microsoft Azure or Microsoft 365, Azure AD automatically creates a tenant — a dedicated, isolated instance of Azure AD that belongs exclusively to that organization. The tenant has a domain name like companyname.onmicrosoft.com and can also use a custom domain like companyname.com.
Every user, group, application, and device within the organization is managed within this tenant. Tenants from different organizations are completely isolated — there is no sharing of identities between tenants unless explicitly configured.
Core Azure AD Objects
Users
A user represents an individual person or service that can authenticate and access resources. Two types exist:
- Member Users: People who are native members of the organization's Azure AD tenant (employees).
- Guest Users: External people (partners, contractors) invited from outside the organization. Azure AD B2B enables this collaboration.
Groups
Groups are collections of users (or other groups). Instead of assigning permissions to each user individually, permissions are assigned to a group and all group members inherit those permissions. This simplifies management significantly.
- Security Groups: Used to manage access to Azure resources and applications.
- Microsoft 365 Groups: Used for collaboration in Microsoft Teams, SharePoint, Outlook, etc.
Applications (App Registrations)
When a custom application needs to authenticate users via Azure AD or access Azure resources, it is registered in Azure AD. The registration creates a service principal — an identity the application uses to authenticate.
Service Principals and Managed Identities
Applications and Azure services need an identity to authenticate, just like users do. A service principal is an identity for an application. A managed identity is a service principal whose credentials are automatically managed by Azure — no passwords or keys to store or rotate.
Authentication Features
Single Sign-On (SSO)
With SSO, a user signs in once with their Azure AD credentials and gains access to all connected applications — Microsoft 365, Azure Portal, Salesforce, Dropbox, GitHub — without signing in again to each app separately. This improves both security (fewer passwords) and user experience.
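Under the hood, SSO to a connected app works by Azure AD issuing the app a signed ID token (OpenID Connect) after the user authenticates once. The app never sees the password; its job is to verify that token before trusting the sign-in. The following is an added example, not code from the page, showing the checks a relying party must make: signature, tenant (tid), issuer, audience and validity window. Azure AD signs ID tokens with RS256 keys published at its JWKS endpoint; to keep the example self-contained and offline, it substitutes an HS256 shared secret, which is an assumption of the example only. The client id, tenant id and secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders for this example (not real tenant or app identifiers).
CLIENT_ID = "00000000-0000-0000-0000-00000000abcd"            # this app's registered client id
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}     # tenants permitted to sign in
SHARED_SECRET = b"example-signing-key"  # stand-in for Azure AD's RS256 signing keys (assumption)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build an HS256-signed JWT so the example runs offline (constructed, not issued by Azure AD)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token: str, now: int, secret: bytes = SHARED_SECRET, skew: int = 300) -> dict:
    """Verify the signature first, then the claims an app must check before trusting the sign-in.

    Returns the claims on success; raises ValueError naming the failed check otherwise.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # 1. Signature: never read claims from a token whose signature has not been verified.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust 'alg' blindly
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(payload_b64))

    # 2. Tenant isolation: only sign-ins from tenants this app was built for are accepted.
    tid = claims.get("tid")
    if tid not in ALLOWED_TENANTS:
        raise ValueError(f"tenant {tid} not allowed")
    # 3. Issuer: the v2.0 issuer embeds the tenant id and must agree with the tid claim.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        raise ValueError("issuer mismatch")
    # 4. Audience: a token minted for another app must not be accepted here.
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("audience mismatch")
    # 5. Validity window, allowing a small clock skew between issuer and app.
    if claims.get("exp", 0) + skew < now:
        raise ValueError("token expired")
    if claims.get("nbf", 0) - skew > now:
        raise ValueError("token not yet valid")
    return claims


if __name__ == "__main__":
    tid = next(iter(ALLOWED_TENANTS))
    token = make_token({"tid": tid, "iss": f"https://login.microsoftonline.com/{tid}/v2.0",
                        "aud": CLIENT_ID, "nbf": 900, "exp": 2000, "sub": "user-1"})
    print(validate_id_token(token, now=1000)["sub"])
```

In a real deployment the signature step fetches the tenant's signing keys from the OpenID Connect metadata document and verifies RS256; everything after that step is the same. The tid check is what keeps a multi-tenant app from accepting a perfectly valid token issued by some other organization's tenant.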
Multi-Factor Authentication (MFA)
MFA requires users to provide two or more verification methods to sign in:
- Something they know: Password
- Something they have: Phone (authenticator app, SMS code)
- Something they are: Fingerprint, face recognition
Even if a password is stolen, an attacker cannot log in without the second factor. MFA can be required for all users, specific users, or triggered only when a sign-in is considered risky (unusual location, unfamiliar device).
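The "something they have" factor from an authenticator app is a time-based one-time password (TOTP, RFC 6238): the app and the identity provider share a secret, and both derive a six-digit code from it and the current 30-second time step, so the code is useless to anyone who only captured the password. The following is an added example, not code from the page or from Microsoft, implementing the verifier side with the usual two safeguards: a small window for clock drift, and rejection of a code once it has been used, so a code seen in transit cannot be replayed. The secret is the RFC 6238 test-vector secret, used here only so the output is checkable; the user name is constructed.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: HOTP over the current time step (what the authenticator app shows)."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code, tolerant of clock drift but immune to replay."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret = secret
        self.window = window          # accept codes from +/- this many steps
        self.step = step
        self.digits = digits
        self._last_used: dict[str, int] = {}   # user -> highest time step already consumed

    def verify(self, user: str, code: str, at: int) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        counter = at // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            # A code is single-use: once a step has been consumed, it and earlier steps are dead.
            if candidate <= self._last_used.get(user, -1):
                continue
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self._last_used[user] = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test-vector secret (ASCII "12345678901234567890"); real secrets are random bytes.
    secret = b"12345678901234567890"
    print(totp(secret, 59))              # 287082 per the RFC test vectors (6-digit form)
    v = TotpVerifier(secret)
    print(v.verify("alice", totp(secret, 59), 59))   # True
    print(v.verify("alice", totp(secret, 59), 61))   # False: same code replayed
```

The replay check matters because a code is valid for a whole time step (plus the drift window), long enough for a phishing proxy or a shoulder-surfer to reuse it; binding each accepted step to the user closes that gap without shrinking the drift tolerance.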
Conditional Access
Conditional Access policies define conditions under which access is granted or blocked. For example:
Policy: Require MFA for Admin Users Outside Office
IF:
User is in the "Admins" group
AND location is NOT the corporate IP range
THEN:
Require MFA
──────────────────────────────────────────
Policy: Block Access from High-Risk Countries
IF:
Sign-in location is in a blocked country
THEN:
Block access completely
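The two policies above combine the way Conditional Access actually resolves them: every policy whose conditions match a sign-in applies, and a Block control overrides any Grant control such as "require MFA". The following is an added example, not code from the page or a Microsoft tool, that models those two policies as data and evaluates sample sign-ins against them. The corporate IP range, the blocked country code and the user names are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable

# Constructed placeholders: a documentation-only address block and a dummy country code.
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BLOCKED_COUNTRIES = {"XX"}


@dataclass
class SignIn:
    """The signals a Conditional Access evaluation looks at for one sign-in attempt."""
    user: str
    groups: set = field(default_factory=set)
    ip: str = "0.0.0.0"
    country: str = ""
    mfa_completed: bool = False


@dataclass
class Policy:
    name: str
    condition: Callable[[SignIn], bool]
    control: str          # "block" or "mfa" (a grant control)


def in_corporate_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


# The two policies from the text, expressed as condition + control.
POLICIES = [
    Policy("Require MFA for Admin Users Outside Office",
           lambda s: "Admins" in s.groups and not in_corporate_range(s.ip), "mfa"),
    Policy("Block Access from High-Risk Countries",
           lambda s: s.country in BLOCKED_COUNTRIES, "block"),
]


def evaluate(sign_in: SignIn, policies=POLICIES) -> tuple[str, list[str]]:
    """Return ("block" | "mfa" | "grant", [names of the policies that decided it]).

    All matching policies apply together; a block control wins over every grant control,
    and an MFA requirement is satisfied only if the user has already completed MFA.
    """
    matched = [p for p in policies if p.condition(sign_in)]
    blockers = [p.name for p in matched if p.control == "block"]
    if blockers:
        return "block", blockers
    needs_mfa = [p.name for p in matched if p.control == "mfa"]
    if needs_mfa and not sign_in.mfa_completed:
        return "mfa", needs_mfa
    return "grant", []


if __name__ == "__main__":
    for s in (SignIn("admin1", {"Admins"}, "203.0.113.10", "US"),
              SignIn("admin1", {"Admins"}, "198.51.100.7", "US"),
              SignIn("admin1", {"Admins"}, "198.51.100.7", "XX"),
              SignIn("staff1", set(), "198.51.100.7", "US")):
        print(s.user, s.ip, s.country, "->", evaluate(s))
```

Two details worth noticing: an admin signing in from a blocked country is blocked even though the MFA policy also matched, and a non-admin from outside the office is granted because no policy covers that case. The second point is why real tenants pair targeted policies like these with a baseline policy (for example requiring MFA for all users), so that gaps in targeting fail closed rather than open.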
Azure AD B2B (Business to Business)
Azure AD B2B allows organizations to invite external partners, contractors, or vendors to access internal resources using their own existing identity (Google account, Microsoft account, or their own company's Azure AD). No need to create separate accounts for external users — they use their existing credentials.
Azure AD B2C (Business to Consumer)
Azure AD B2C is a separate service designed for customer-facing applications. It allows the application's end-users (customers) to register and sign in using their own social accounts (Google, Facebook, Apple) or local email/password accounts. The organization manages the customer identity experience with full branding customization.
Azure AD B2B vs B2C
| Feature | Azure AD B2B | Azure AD B2C |
|---|---|---|
| Target Users | Business partners and contractors | End customers / consumers |
| Identity Source | Guest's own organization or personal Microsoft account | Social (Google, Facebook) or local accounts |
| Management | Guests appear in the organization's tenant | Separate B2C tenant from the corporate tenant |
| Scale | Hundreds of partner users | Millions of customer accounts |
Azure AD Licenses
| License | Included Features |
|---|---|
| Free | User management, SSO for 10 apps, basic MFA |
| Microsoft Entra ID P1 | Conditional Access, hybrid identity (Azure AD Connect), group-based access |
| Microsoft Entra ID P2 | Everything in P1 + Identity Protection (risk-based policies), Privileged Identity Management (PIM) |
Key Takeaways
- Azure Active Directory (Microsoft Entra ID) is the cloud-based identity platform for managing users, groups, and applications.
- A tenant is an isolated instance of Azure AD created automatically when an organization signs up for Azure or Microsoft 365.
- SSO allows users to sign in once and access all connected applications without re-entering credentials.
- MFA adds a second layer of security requiring a phone or biometric verification in addition to a password.
- Conditional Access policies grant, block, or require additional verification based on user risk signals.
- Azure AD B2B enables collaboration with external partners; Azure AD B2C manages customer-facing authentication at scale.
