Microsoft Entra ID
Users, groups, MFA, Conditional Access, PIM.
Every Azure administrator starts with identity, because Microsoft Entra ID (formerly Azure AD) is the cloud identity service that authenticates every user and controls access to Azure and Microsoft 365. Getting identity right is the foundation of a secure, well-run tenant.
Users, groups, and the tenant
An Entra ID tenant is your organization’s dedicated identity directory, holding users, groups, devices, and app registrations. You create and manage users (cloud-only or synced from on-prem Active Directory via Entra Connect), organize them into groups (assigned or dynamic) for easier access management, and manage guest users for external collaboration. Assigning access and licenses to groups rather than individuals is a core efficiency: membership changes flow through automatically. The tenant is the top-level identity boundary, and everything an administrator does with access ultimately traces back to identities defined here.
# Create a group and assign access/licenses to it — members inherit automatically.az ad group create --display-name "App-Admins" --mail-nickname appadminsaz ad group member add --group "App-Admins" --member-id <user-object-id># Grant the GROUP an Azure RBAC role (covered next lesson):az role assignment create --assignee-object-id <group-id> \--role "Contributor" --scope /subscriptions/<sub>/resourceGroups/app-rg# Add/remove a user from the group to change their access — no per-user edits.
Securing sign-in
Entra ID provides the tools to secure authentication. Multi-factor authentication (MFA) blocks the vast majority of credential attacks and should be required for administrators at minimum. Conditional Access policies make sign-in adaptive — require MFA, a compliant device, or a trusted location, or block risky sign-ins based on signals — so access decisions respond to context rather than being static. Self-service password reset (SSPR) lets users reset securely and cuts helpdesk load. For privileged roles, Privileged Identity Management (PIM) makes access just-in-time and time-bound instead of standing. Layering MFA, Conditional Access, and PIM on top of well-organized identities is the identity-security baseline every administrator should establish.