Identity is the new security perimeter in cloud computing. In Azure, Microsoft Entra ID (formerly Azure Active Directory) is the cloud identity platform that underpins authentication, authorisation, and conditional access for Azure, Microsoft 365, and thousands of SaaS applications.
Microsoft Entra ID (Azure Active Directory)
Entra ID is a cloud-native Identity as a Service (IDaaS). It is NOT the same as on-premises Windows Server Active Directory — it uses modern protocols (OAuth 2.0, OpenID Connect, SAML) rather than Kerberos/LDAP.
Key concepts:
- Tenant: A dedicated, isolated instance of Entra ID for your organisation. Every Azure subscription has an associated tenant.
- Users: Individual identity accounts within the tenant
- Groups: Collections of users for managing permissions efficiently
- Enterprise Applications: SaaS apps registered in your tenant (e.g., Salesforce, ServiceNow)
- App Registrations: Custom applications that use Entra ID for authentication
Azure RBAC (Role-Based Access Control)
Azure RBAC controls access to Azure resources (VMs, storage, databases); it is separate from Entra ID's directory roles, which govern access to Entra ID itself. RBAC uses role assignments consisting of three elements:
- Security principal: Who gets access — User, Group, Service Principal, or Managed Identity
- Role definition: What permissions are granted — a named collection of actions
- Scope: The resource boundary — Management Group, Subscription, Resource Group, or individual Resource
Permissions are additive and inherited downward through the scope hierarchy.
Built-in Roles
| Role | Permissions |
|---|---|
| Owner | Full access including manage access (assign roles) |
| Contributor | Create and manage all resources, cannot manage access |
| Reader | View all resources, no changes |
| User Access Administrator | Manage user access to resources only |
Azure also has hundreds of service-specific built-in roles (e.g., Storage Blob Data Reader, Virtual Machine Contributor). You can also create custom roles.
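To make the assignment model above concrete, here is an added example (not Microsoft's code, and not Azure's real evaluation engine) that models how a role assignment of principal, role and scope is evaluated: rights are additive across assignments, flow through group membership, and are inherited downward from Subscription to Resource Group to Resource. The role definitions are simplified, constructed subsets of the real Actions/NotActions (the real Contributor excludes more than these two patterns), and deny assignments and DataActions are not modelled.

```python
# Toy model of Azure RBAC evaluation: each assignment is (principal, role, scope);
# rights are additive across assignments and inherited from parent scopes.
from fnmatch import fnmatchcase

# Simplified Actions/NotActions for three built-in roles (constructed subset for this example).
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

# Constructed sample directory: group membership and role assignments.
GROUPS = {"sec-readers": {"alice", "bob"}}
ASSIGNMENTS = [
    {"principal": "alice", "role": "Contributor",
     "scope": "/subscriptions/sub1/resourceGroups/rg-app"},
    {"principal": "sec-readers", "role": "Reader",
     "scope": "/subscriptions/sub1"},
]

def _match(pattern, action):
    # Azure action strings are case-insensitive and '*' spans '/' segments.
    return fnmatchcase(action.lower(), pattern.lower())

def role_allows(role, action):
    """Granted if some Actions pattern matches and no NotActions pattern does."""
    r = ROLES[role]
    allowed = any(_match(p, action) for p in r["actions"])
    excluded = any(_match(p, action) for p in r["not_actions"])
    return allowed and not excluded

def within_scope(target, assigned):
    """True if the target scope is the assigned scope or lies beneath it."""
    t, a = target.lower().rstrip("/"), assigned.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def effective_principals(user, groups=GROUPS):
    # A user acts as itself plus every group it belongs to.
    return {user} | {g for g, members in groups.items() if user in members}

def is_authorized(user, action, scope, assignments=ASSIGNMENTS):
    """Additive model: any assignment (direct or via group) at this scope or above grants access."""
    principals = effective_principals(user)
    return any(a["principal"] in principals
               and within_scope(scope, a["scope"])
               and role_allows(a["role"], action)
               for a in assignments)
```

Because there is no deny in this model, the only way to narrow what a principal can do is to assign a lesser role or a narrower scope; that is why scoping assignments to the Resource Group or Resource level matters.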
Managed Identities
Managed Identities allow Azure services (VMs, App Service, Functions, AKS pods) to authenticate to other Azure services (Key Vault, Storage, SQL) without storing credentials.
- System-assigned: Tied to the lifecycle of one resource. Auto-deleted when the resource is deleted.
- User-assigned: Created as a standalone resource and can be assigned to multiple resources.
Managed Identities are the recommended way to authenticate services in Azure: they remove the need to store and rotate secrets, and so reduce the risk of credential exposure.
Conditional Access
Conditional Access policies enforce security conditions before granting access to applications or Azure resources. Policies use an if-then logic:
- Conditions: User, Group, App, Location, Device Platform, Sign-in risk level
- Controls: Require MFA, Require Compliant Device, Block Access, Require Password Change
Example policy: "If user is in the Finance group AND signing in from outside the corporate network, THEN require MFA."
Microsoft Entra PIM (Privileged Identity Management)
PIM enables just-in-time privileged access — users request elevated permissions for a limited time window rather than having permanent admin access. Supports approval workflows and activity audit logs.