Microsoft Entra ID: What you need to know


Microsoft has long been an industry leader in organizational user and object directory services with its Active Directory suite of services. Before cloud services became prevalent, organizations hosted their directory solutions primarily on-prem.
Many organizations are now moving these solutions to the cloud, and many more run them in a hybrid configuration (i.e. both on-prem and in the cloud). The purpose of this article is to go over Entra ID, the service organizations are now using for identity and access management. Rather than starting this discussion (if I can call it that, as I am the only one talking) with what it is, we are going to go in the opposite direction and begin with what it is not. Walk with me!
What is it not?
A lot of people think Entra ID is the cloud version of Active Directory Domain Services, but it is not. Microsoft is partly to blame for this confusion, as Entra ID used to be known as Azure Active Directory.
If Entra ID is not the cloud version of Active Directory, what is it then? As stated in the Microsoft Learn documentation for Entra ID, it is a cloud-based identity and access management service that an organization can use to let its employees access external resources such as the Azure portal, Microsoft 365 apps (an aside: I recently learned that Office 365 and Microsoft 365 do not refer to the exact same suite of applications. I had always assumed they did) and a wide range of SaaS (Software as a Service) applications. Entra ID also helps organizations manage access to internal line-of-business applications and other applications and services that live on the organization's intranet.
Check out this article that compares Active Directory Domain Services to Microsoft Entra ID to see how they differ.
Entra ID Licensing
When you subscribe to any Microsoft Online Business service such as Microsoft 365, you automatically gain access to the free tier (license) of Entra ID. If you need features beyond those offered in the free tier, you can upgrade to an Entra Premium P1 or Premium P2 license. Here is what you get depending on the Entra ID license you decide to subscribe to:
The free tier provides user and group management, the ability to sync your cloud environment with your on-prem directory, self-service password change for cloud users, and Single Sign-On (SSO) across Azure and popular SaaS applications.
With the Entra ID Premium P1 license, you get everything offered in the free tier plus the ability for hybrid users to access resources both in the cloud and on-prem. It also brings support for advanced administration, which includes dynamic membership groups, Microsoft Identity Manager, self-service group management, and cloud write-back capabilities that allow on-prem users to use self-service password reset.
When you upgrade to the Premium P2 license, you get all the features that come with the free tier and the Premium P1 license. On top of these, you get Microsoft Entra ID Protection, which lets you use risk-based Conditional Access policies, and Privileged Identity Management, an offering that makes it possible for you to discover, restrict and monitor administrators and their access to resources, and to provide just-in-time access when needed.
To see a complete list of all the free and premium features that Entra ID offers, you can go here to learn more.
Entra Authentication
I believe it goes without saying that authenticating user credentials when users try to sign in to a device or application is the core feature of any identity and access management solution. In the case of Entra ID, it does more than just authenticate user credentials during sign-in. Entra ID also offers security features such as:
Self-Service Password Reset, which allows users to reset their password if their account is locked or they forget it.
Multi-Factor Authentication (MFA)
Write-back of password changes to on-prem environments
Enforcing password policies, and
Passwordless Authentication, made possible by tools such as Windows Hello for Business, which lets users sign in to a device or application without a password, using their biometrics (facial recognition and fingerprints) instead.
With these components of authentication, Entra ID makes the sign-in process more convenient for end users.
Role Based Access Control (RBAC) in Entra ID
When using Entra ID, you can grant granular access to your admins following the famous Principle of Least Privilege, which calls for granting only the access required to complete a task: no more, no less.
When it comes to RBAC in Entra ID, the key concepts you need a solid understanding of are:
Role Types
In Entra ID you can use either a built-in role (a role created by Microsoft that you can't modify) or a custom role that you create to handle a specific use case. Built-in roles come with a fixed set of permissions that you can't change. Microsoft keeps adding to its list of built-in roles to account for more use cases as they come up.
If there is a task that a role needs to be assigned for, and the permissions required for this task are not fully covered by a built-in role, you can create a custom role with permissions that you specify. This allows more granular control over what a particular role can do. To create a custom role, you first create a role definition, which is essentially a collection of permissions listing the create, update or delete operations that can be performed on an Entra resource.
Role Assignment
As you might have already guessed, role assignment is basically attaching a role definition (sometimes just called a role) to an entity usually called a security principal (which is nothing but a fancy name for a user, a group or an application) at a particular scope (where the permissions apply) so that it can gain access to something. This makes access control more convenient for administrators: all you have to do to grant access is add a role assignment, and you remove it when that access needs to be revoked.
Before you can perform a role assignment, a scope has to be defined. The three levels of scope that can be specified are: tenant, administrative unit and Entra resource scope. When you specify the scope as tenant or administrative unit, you are essentially applying the permissions to everything within the container (tenant or administrative unit) except the container itself. When you scope a role to a resource, you are applying the permissions to everything about that resource. It is also worth noting that scopes are structured in a parent-child relationship, so a child scope automatically inherits the permissions granted to its parent.
Accept my apologies if I lost you when I started talking about tenants and administrative units. The tenant in this case refers to your entire Entra ID package, while an administrative unit refers to just a part (subsection) of your Entra ID tenant.
It is worth noting that using built-in roles in Entra is free; if you want to create custom roles, you need to have the Entra Premium P1 license or higher. With the free tier, you can only assign the built-in roles directly to users. When you move one level up to the Premium P1 license, you get the ability to create role-assignable groups that you add users to, and then assign roles to the group rather than to users directly, which makes role assignment a more manageable process. If this is still not enough for your needs, the Premium P2 license gives you Privileged Identity Management, which makes it possible to use just-in-time role assignment to grant access only when it is required and makes roles time-limited rather than permanent. It also goes further to give you more auditing power alongside detailed reporting capabilities.
To summarize this section, a role assignment has three components: the role definition, the security principal and the scope. You can think of these components as the Who (security principal), the What (role definition) and the Where (scope) of role assignments.
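To tie the Role Types and Role Assignment sections together, here is an added example (not from the article) that creates a least-privilege custom role definition and assigns it to a principal at an administrative-unit scope using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the signed-in admin can consent to RoleManagement.ReadWrite.Directory, the tenant has a Premium P1 or higher license (custom roles), and the object IDs shown are placeholders you replace with your own.

```powershell
# Added example, not the article's own code. Object IDs are placeholders.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

# The "What": a role definition that lists only the actions the task needs
# (read app registrations and update their basic properties, nothing else).
$roleParams = @{
    displayName     = "App Registration Support"
    description     = "Read app registrations and update basic properties only"
    isEnabled       = $true
    rolePermissions = @(
        @{
            allowedResourceActions = @(
                "microsoft.directory/applications/standard/read"
                "microsoft.directory/applications/basic/update"
            )
        }
    )
}
$roleDef = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $roleParams

# The "Who": a user or a role-assignable group (placeholder object ID).
$principalId = "<OBJECT-ID-OF-USER-OR-ROLE-ASSIGNABLE-GROUP>"

# The "Where": "/" would be the whole tenant; an administrative unit limits
# the permissions to the objects inside that container (placeholder ID).
$auId = "<OBJECT-ID-OF-ADMINISTRATIVE-UNIT>"

$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $roleDef.Id `
    -PrincipalId $principalId `
    -DirectoryScopeId "/administrativeUnits/$auId"

# Read the assignment back and check all three components before handing it over.
Get-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id |
    Select-Object Id, RoleDefinitionId, PrincipalId, DirectoryScopeId

# Revoking the access later is just deleting the assignment:
# Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id
```

Scoping the assignment to the administrative unit rather than "/" is what keeps the grant aligned with the least-privilege principle described above; the same cmdlets work with a built-in role by passing its role definition ID instead of creating a custom one.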
Conclusion
There is a lot to learn about Entra ID, but the truth is that you don't have to know everything to start using the features it offers to make identity and access management across your organization better. As with almost everything in life and business, start small and then build up from there as needs arise.
If you want to learn more about Entra ID, Microsoft Learn is all you need, or at the very least a really great place to start. Thank you for taking the time to read this, and I hope you learned as much as I did while writing it. If you enjoyed it or learned a thing or two, follow me on here, connect with me on LinkedIn or check out my website for more.
Written by Brandon Damue