Understanding Microsoft Entra ID Essentials
Microsoft Entra ID is a cloud-based identity and access management solution from Microsoft. It enables effective management of identities, enforcement of access policies, and security for applications and data across cloud and on-premises environments.
This series of posts will investigate Entra ID and the features offered by Microsoft for identity and access management.
Overview of Microsoft Entra ID
Entra ID overview (source: Microsoft Entra ID)
Microsoft Entra ID is a cloud-based Platform as a Service (PaaS) offering from Microsoft, meaning the hardware and updates are managed by Microsoft. The free tier of Entra ID is automatically included when creating a new Azure subscription or Microsoft 365 service. Entra ID provides features for managing user accounts, passwords, and user groups, along with a suite of security capabilities such as single sign-on (SSO), multi-factor authentication, sign-in activity reports, conditional access, and organizational federation. While some of these features incur additional costs, they enhance security and identity protection. Unlike Active Directory Domain Services, Entra ID is designed primarily for cloud and web applications, rather than on-premises identity management.
Entra ID Tenants
An Entra ID tenant is a unique instance of Entra ID usually created when subscribing to Microsoft services like Microsoft 365, Azure, or Intune. This tenant represents the organization and is used to manage user access across these services. Multiple services or Azure subscriptions can be associated with the same tenant, simplifying user management. Additionally, an organization is not limited to a single tenant—different Azure subscriptions can be linked to separate tenants, allowing for distinct permissions between production and testing environments.
Each Microsoft Entra tenant is assigned a unique default DNS domain name with a prefix based on the Microsoft account used to create it, followed by the suffix onmicrosoft.com. Organizations often add custom domain names they own to the tenant. The tenant serves as a security boundary and a container for objects like users, groups, and applications, and it can support multiple Azure subscriptions, providing flexibility for enterprise environments.
Entra ID emphasizes user and application management but lacks certain objects commonly found in AD DS, such as computer objects and organizational units (OUs). Instead, Entra ID uses device identities for access management. While this limits the ability to organize objects hierarchically, group management remains fully supported and sufficient for Entra ID's primary focus on identity and access management, rather than Group Policy administration.
Active Directory Domain Services Comparison
AD DS is the traditional on-premises Active Directory, and there are a number of key differences between it and Entra ID. While AD DS can be deployed to Azure-hosted VMs, those VMs are still purely members of the Active Directory domain and make no use of Entra ID. The two directories can be connected using services such as Entra Cloud Sync to synchronize users, groups, and contacts from AD DS to Entra ID.
Active Directory Domain Services (AD DS) is a true directory service built on a hierarchical X.500-based structure. It relies on the Domain Name System (DNS) to locate resources like domain controllers and can be queried and managed using Lightweight Directory Access Protocol (LDAP) calls. Authentication in AD DS is primarily handled through the Kerberos protocol. Organizational Units (OUs) and Group Policy Objects (GPOs) facilitate management, while computer objects represent devices joined to the domain. Additionally, AD DS supports trusts between domains, enabling delegated management across the directory.
Microsoft Entra ID is primarily an identity solution designed for internet-based applications, utilizing HTTP and HTTPS for communication. Unlike AD DS, it operates as a multi-tenant directory service with a flat structure, lacking Organizational Units (OUs) and Group Policy Objects (GPOs). Queries are performed over HTTP and HTTPS rather than LDAP. Authentication protocols differ as well, with Entra ID relying on SAML, WS-Federation, and OpenID Connect for authentication and OAuth for authorization, rather than Kerberos.
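Because Entra ID authenticates over OpenID Connect and authorizes over OAuth, the artefact an application actually receives is a token, and because the tenant is the security boundary, the relying application must confirm that the token came from its own tenant. The following added example (not code from the original post or from Microsoft) shows the claim checks that enforce that boundary: issuer, tenant id, audience and expiry. The tenant id, application id and signing key are constructed values; the issuer URL format is the documented Entra ID v2.0 form. The HMAC signature is a stand-in so the block runs offline; a real Entra ID token is RS256-signed and must be verified against the tenant's published signing keys with a JWT library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed identifiers for the example (not real tenant or app ids).
EXPECTED_TENANT_ID = "11111111-2222-3333-4444-555555555555"
EXPECTED_AUDIENCE = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
OTHER_TENANT_ID = "99999999-8888-7777-6666-555555555555"
# Entra ID v2.0 tokens carry the issuing tenant in the issuer URL.
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{EXPECTED_TENANT_ID}/v2.0"
# Stand-in shared key so the example runs offline. Real Entra ID tokens are
# RS256-signed and are checked against the tenant's JWKS keys instead.
DEMO_KEY = b"constructed-demo-key"
NOW = 1_700_000_000  # fixed clock so the results are reproducible


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT (header.payload.signature) with an HMAC stand-in signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header).encode())
        + "."
        + _b64url_encode(json.dumps(claims).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, now=None, key: bytes = DEMO_KEY):
    """Return (accepted, reason). Signature first, then the tenant-boundary claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    signing_input = parts[0] + "." + parts[1]
    expected_sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(parts[1]))
    # The issuer names the tenant: a valid token from any other tenant is still rejected.
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "issuer mismatch (token issued by another tenant)"
    if claims.get("tid") != EXPECTED_TENANT_ID:
        return False, "tenant id mismatch"
    # The audience must be this application's id, not some other app in the tenant.
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


# Constructed sample tokens covering the accept case and the main reject cases.
GOOD_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "tid": EXPECTED_TENANT_ID,
    "aud": EXPECTED_AUDIENCE,
    "sub": "user-object-id",
    "exp": NOW + 3600,
}
GOOD_TOKEN = make_token(GOOD_CLAIMS)
OTHER_TENANT_TOKEN = make_token(
    dict(
        GOOD_CLAIMS,
        iss=f"https://login.microsoftonline.com/{OTHER_TENANT_ID}/v2.0",
        tid=OTHER_TENANT_ID,
    )
)
WRONG_AUDIENCE_TOKEN = make_token(dict(GOOD_CLAIMS, aud="some-other-app-id"))
EXPIRED_TOKEN = make_token(dict(GOOD_CLAIMS, exp=NOW - 1))
WRONG_KEY_TOKEN = make_token(GOOD_CLAIMS, key=b"wrong-key")

if __name__ == "__main__":
    for name, tok in [
        ("good", GOOD_TOKEN),
        ("other tenant", OTHER_TENANT_TOKEN),
        ("wrong audience", WRONG_AUDIENCE_TOKEN),
        ("expired", EXPIRED_TOKEN),
        ("wrong key", WRONG_KEY_TOKEN),
    ]:
        print(f"{name:15} -> {validate_token(tok, now=NOW)}")
```

The ordering matters: the signature is checked before any claim is trusted, and the issuer check is what keeps a correctly signed token from a different tenant out of this application, which is the concrete meaning of the tenant being a security boundary.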
Summary
In this post, we’ve provided an introductory overview of Entra ID and highlighted how it differs from Active Directory Domain Services, focusing on its emphasis on cloud and web applications as well as user identity management. In the upcoming posts of this series, we will explore the features available in the premium versions of Entra ID and examine how Entra ID is leveraged for application authentication and authorization.