Ends in
00
days
00
hrs
00
mins
00
secs
ENROLL NOW

🎁 Get 20% Off - Christmas Big Sale on All Practice Exams, Video Courses, and eBooks!

Microsoft Entra ID

Home » Azure Cheat Sheets » Azure Security Services » Microsoft Entra ID

Microsoft Entra ID

Last updated on December 12, 2024

Microsoft Entra ID Cheat Sheet

  • An identity and access management service that helps you access internal and external resources.
  • Microsoft Entra  licenses: Free, Premium P1, Premium P2 and Pay as you go
    • Microsoft Entra ID Free – user and group management in your on-premises directory
    • Microsoft Entra ID P1 – allows access to both on-premises and cloud resources.
    • Microsoft Entra ID P2 – provides an additional feature called Microsoft Entra ID Protection.
    • Pay as you go – offers a feature called Microsoft Entra B2C.

Features

  • You can use Microsoft Entra authentication for a self-service password reset, MFA, custom banned password list and smart lockout.
  • Allows you to manage external identities using Microsoft Entra B2B.
  • Microsoft Entra B2C is a business-to-customer identity as a service that allows you to control how your users sign up, sign in, and manage their profiles when using your applications.
  • You can manage access in your cloud apps with conditional access.
  • Tutorials dojo strip
  • With Microsoft Entra Device Management, allows you to manage and configure device identities.
  • If you need to manage domain services such as domain join, group policy, and authentication, you can use Microsoft Entra Domain Services.
  • Microsoft Entra ID Governance ensures that only authorized people have the right access to specific resources.
  • Supports hybrid identity to access resources in the cloud or on-premises.
  • Use Microsoft Entra Connect to accomplish your hybrid identity goals:
    • A sign-in method that uses password hash synchronization.
    • Pass-through authentication allows users to use the same password on-premises and in the cloud.
    • Enable federation integration to sign in to Microsoft Entra-based services without having to enter their passwords again.
    • Synchronization between your on-premises environment and Microsoft Entra.
    • Health Monitoring with Microsoft Entra Connect Health.

Concepts

  • Users
    • You can create a new user in your organization or a guest user.
    • By enabling Multi-Factor Authentication, you provide additional security by requiring the user a second form of authentication. The additional forms that can be used with Microsoft Entra MFA are: 
      • Microsoft Authenticator app
      • OATH hardware token
      • SMS
      • Voice call
    • You can also perform the following bulk operations: 
      • Bulk create
      • Bulk invite 
      • Bulk delete 
      • Bulk restore
      • Download users
    • Self-service password reset enables users to manage their passwords from any device, at any time, and from any location.
    • In the device settings, you can change the maximum number of devices per user.
    • You can assign licenses to multiple users or groups to allow them to use the licensed Microsoft Entra services. Licenses are applied per tenant, and you can’t transfer them to other tenants.
  • Groups
    • A collection of users, devices, groups, and service principals.
    • You can easily manage access to your resources by creating a Microsoft Entra groups.
    • A user can belong to multiple groups.
    • Groups do not have security credentials.
    • Group Types:
      • Security – it contains users, devices, groups, and service principals as its members. The users and service principals are the owners of this group.
      • Microsoft 365 – it contains users as its members. Both the users and service principals can be owners of this group.
    • Membership type:
      • Assigned – manually add users to be members of the group.
      • Dynamic user – automatically adds and removes members using the dynamic membership rules.
      • Dynamic device – automatically adds and removes members using the dynamic group rules.
  • With external identities, you can allow users outside your organization to sign in using an external identity provider like Facebook and Google.
  • Administrative roles can be used to grant access to Microsoft Entra and other Microsoft services. There are two types of role definitions:
    • Built-in roles – it has a fixed set of permissions.
    • Custom roles – you can select permissions from a preset list. To create a custom role, you need to have a Microsoft Entra ID P1 or P2 plans.
  • A Microsoft Entra resource that can be a container for other Microsoft resources is called an administrative unit. It can only contain users and groups.
  • Devices
    • Microsoft Entra registered
      • The devices registered are personally owned devices (bring your own device or mobile device). These devices are signed in with a personal Microsoft account.
      • The supported operating systems are Windows 10, macOS, iOS, and Android.
      • A Mobile Device Management (MDM) helps you enforce configurations like storage must be encrypted, password complexity, and up-to-date security software.
      • Key capabilities:
        • Single sign-on (SSO) to cloud resources.
        • Conditional access when enrolled in Microsoft Intune or via App protection policy.
        • Enables phone sign-in with the Microsoft Authenticator app.
    • Microsoft Entra joined
      • The devices and accounts are owned by an organization. It only exists in the cloud.
      • The supported operating systems are Windows 10 devices (except Windows 10 Home) and Windows Server 2019 Virtual Machines running in Azure.
      • You can implement hybrid joined devices if you have an existing on-premises AD footprint and you want to benefit from the capabilities provided by Microsoft Entra.
      • Key capabilities:
        • SSO to both cloud and on-premises resources.
        • Conditional access through MDM enrollment and MDM compliance evaluation.
        • Self-service password reset and Windows Hello PIN reset on the lock screen.
        • Enterprise State Roaming across devices.
    • Microsoft Entra hybrid joined devices
      • The devices and Active Directory Domain Services account are owned by an organization. It exists both in the cloud and on-premises resources.
      • The supported operating systems are Windows 7, 8.1, 10, Windows Server 2008/R2, 2012/R2, 2016, and 2019.
      • You can implement hybrid joined devices if you have an existing on-premises AD footprint and you want to benefit from the capabilities provided by Microsoft Entra.
      • Key capabilities:
        • SSO to both cloud and on-premises resources.
        • Conditional access through Domain join or through Microsoft Intune if co-managed.
        • Self-service password reset and Windows Hello PIN reset on the lock screen.
        • Enterprise State Roaming across devices.
  • If you register your application to use Microsoft Entra, the users in your organization can do the following:
    • Get an identity for their application that is recognized by Microsoft Entra.
    • Get secrets/keys that the application will use for authentication.
    • Create a custom name and logo for your application.
    • Apply Microsoft Entra authorization (RBAC and OAuth)
    • Declare the necessary permissions for the application.
  • With application proxy, you can provide SSO and remote access for web apps hosted on-premises.

Monitoring

  • Monitor the security and usage patterns of your environment with Microsoft Entra reports and monitoring.
  • With Microsoft Entra Connect Health, you can view alerts, monitor performance and check usage analytics of your on-premises Active Directory and Microsoft Entra.

Microsoft Entra Directory Security

  • Detect potential vulnerabilities and resolve suspicious actions with identity protection.
  • Microsoft Entra PIM helps you control the access within your organization.
  • You can use security defaults to enable MFA in your organization.
  • Enabling security defaults protects you from common identity-related attacks.
  • You use block legacy authentication if a user is using a legacy application.
  • Identity secure score helps you verify your configurations if it’s aligned with Microsoft’s best practices for security.
  • You can lockout intruders that try to guess your users’ passwords or use brute-force methods in Microsoft Entra using smart lockout.
  • Manage, control, and monitor access to significant resources in your organization with Privileged Identity Management (PIM).

Authentication Fundamentals: The Basics

Learn more about Microsft Entra ID in this playlist from the Microsoft Azure YouTube channel:
https://www.youtube.com/watch?v=AO-uTWSmU_E&list=PLLasX02E8BPBm1xNMRdvP6GtA6otQUqp0

Validate Your Knowledge

Question 1

Question Type: Single choice

You are managing a Microsoft Entra tenant that has 500 user accounts.

You created a new user account named AppAdmin.

You must assign the role of Application Administrator to the AppAdmin user account.

What should you do in the Microsoft Entra ID settings to accomplish this requirement?

  1. Select the user profile and add the role assignments.
  2. Select the user profile and add the user to the admin group.
  3. Select the user profile and assign it to an administrative unit.
  4. Select the user profile and enable the My Staff feature.

Free AWS Courses

Correct Answer: 1

Microsoft Entra ID is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in external and internal resources. External resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications. Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

Microsoft Entra has a set of built-in admin roles for granting access to manage configuration in Microsoft Entra for all applications. These roles are the recommended way to grant IT experts access to manage broad application configuration permissions without granting access to manage other parts of Microsoft Entra not related to application configuration. Here are the two common built-in roles in Microsoft Entra ID:

– Application Administrator: Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to consent to delegated permissions, and application permissions excluding Microsoft Graph. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

– Cloud Application Administrator: Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage application proxy. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

If you want to grant a user permission to manage Microsoft Entra resources, you must assign them to a role that provides the permissions they need. Based on the given scenario, the new user account needs the role of Application Administrator. To grant a role to the new user account, you must select the user profile and click on add assignments in the assigned roles option. Add the Application Administrator role, and the user can now create and manage all aspects of app registrations and enterprise apps.

Hence, the correct answer is: Select the user profile and add the role assignments.

The option that says: Select the user profile and add the user to the admin group is incorrect because adding the user to the admin group doesn’t mean that the Application Administrator’s role is automatically assigned to the user account.

The option that says: Select the user profile and assign it to an administrative unit is incorrect because this option only restricts permissions in a role to any portion of your organization that you define. Take note that the requirement in the scenario is to assign an Application Administrator role to the new user account and not to restrict its permissions in your account.

The option that says: Select the user profile and enable the My Staff feature is incorrect because the My Staff feature simply enables you to delegate to a figure of authority, such as a store manager or a team lead, the permissions to ensure that their staff members are able to access to their Microsoft Entra accounts.

References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal
https://azure.microsoft.com/en-us/services/active-directory/

Check out this Microsoft Entra ID Cheat Sheet:

https://tutorialsdojo.com/microsoft-entra-id/

Microsoft Entra ID vs Role-Based Access Control:

https://tutorialsdojo.com/microsoft-entra-id-vs-role-based-access-control-rbac/

Note: This question was extracted from our AZ-104 Microsoft Azure Administrator Practice Exams.

For more Azure practice exam questions with detailed explanations, check out the Tutorials Dojo Portal:

Microsoft Azure Practice Exams Tutorials Dojo

Microsoft Entra ID Cheat Sheet References:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
https://azure.microsoft.com/en-us/services/active-directory/

Get 20% Off – Christmas Big Sale on All Practice Exams, Video Courses, and eBooks!

Tutorials Dojo portal

Learn AWS with our PlayCloud Hands-On Labs

Tutorials Dojo Exam Study Guide eBooks

tutorials dojo study guide eBook

FREE AWS Exam Readiness Digital Courses

FREE AWS, Azure, GCP Practice Test Samplers

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

Follow Us On Linkedin

Recent Posts

Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

~98%
passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
200k+
students
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
~4.8
ratings
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?