Microsoft Entra ID

Users, groups, MFA, Conditional Access, PIM.

Beginner30 min · lesson 1 of 15

Every Azure administrator starts with identity, because Microsoft Entra ID (formerly Azure AD) is the cloud identity service that authenticates every user and controls access to Azure and Microsoft 365. Getting identity right is the foundation of a secure, well-run tenant.

Users, groups, and the tenant

An Entra ID tenant is your organization’s dedicated identity directory, holding users, groups, devices, and app registrations. You create and manage users (cloud-only or synced from on-prem Active Directory via Entra Connect), organize them into groups (assigned or dynamic) for easier access management, and manage guest users for external collaboration. Assigning access and licenses to groups rather than individuals is a core efficiency: membership changes flow through automatically. The tenant is the top-level identity boundary, and everything an administrator does with access ultimately traces back to identities defined here.

manage identities as groups, not individuals
# Create a group and assign access/licenses to it — members inherit automatically.
az ad group create --display-name "App-Admins" --mail-nickname appadmins
az ad group member add --group "App-Admins" --member-id <user-object-id>
# Grant the GROUP an Azure RBAC role (covered next lesson):
az role assignment create --assignee-object-id <group-id> \
--role "Contributor" --scope /subscriptions/<sub>/resourceGroups/app-rg
# Add/remove a user from the group to change their access — no per-user edits.

Securing sign-in

Entra ID provides the tools to secure authentication. Multi-factor authentication (MFA) blocks the vast majority of credential attacks and should be required for administrators at minimum. Conditional Access policies make sign-in adaptive — require MFA, a compliant device, or a trusted location, or block risky sign-ins based on signals — so access decisions respond to context rather than being static. Self-service password reset (SSPR) lets users reset securely and cuts helpdesk load. For privileged roles, Privileged Identity Management (PIM) makes access just-in-time and time-bound instead of standing. Layering MFA, Conditional Access, and PIM on top of well-organized identities is the identity-security baseline every administrator should establish.

Entra ID essentials
identities
users + groups
assign access by group
guests + devices
external + device identity
secure sign-in
MFA
block credential attacks
Conditional Access
adaptive, context-based access
PIM
just-in-time privileged roles
Organize by group, then secure sign-in with MFA, Conditional Access, and PIM — the identity foundation of a well-run tenant.
Standing admin access is the tenant’s biggest identity risk
Permanent Global Administrator or Owner assignments are a large attack surface — a compromised admin account can control the tenant. Enforce MFA on all admins, make privileged roles eligible via PIM (activated just-in-time with approval), and keep the number of standing admins tiny.