Users
A user represents an identity that can authenticate to Entra ID and access Azure resources. Authentication proves who you are; authorization decides what you are allowed to do or access. Once a user authenticates, Entra ID issues tokens that carry claims about that user, and the resource being called uses those claims, together with the roles and permissions assigned to the user, to decide what the user can do and access. It is important to note that Entra ID is the identity provider for Microsoft services in general, which means a user in Entra can be used not only to access Azure but also other Microsoft services such as M365. It can also provide federated single sign-on to third-party applications that have been configured to trust that Entra tenant.
Now, how do I get a user account? You probably already have one: if you have ever signed up for Azure or any Microsoft service, you have one. The user that creates a tenant is made a Global Administrator, meaning this user can manage all aspects of Entra ID and of the Microsoft services that use Entra identities. Because it is the most powerful role in the tenant, that account should be protected with strong MFA and used only for tasks that need it.
Types of Users
Users come from one of three sources:
Cloud identities: These users exist only in Microsoft Entra ID. They are created and managed in the cloud. The source is Microsoft Entra ID.
Directory synchronized identities: These are synced from an on-premises Active Directory (AD) to Entra ID using Microsoft Entra Connect. The source is Windows Server AD, and their attributes are mastered on-premises.
Guest users: These are accounts invited into the tenant from outside it (B2B collaboration). They authenticate with an external identity, so the source is the external identity provider (another Entra tenant, a Microsoft account, and so on).
Based on where an account comes from and the default permissions it receives, users are also categorised as:
Members
These users belong to the organization's own Entra ID tenant, such as full-time employees. They get member default permissions, which include reading most directory objects.
Guests
These users authenticate using an external identity (another Entra ID tenant, a Microsoft account, or a third-party identity provider) and get the more restricted guest default permissions.
Now if you open the Azure portal, go to Entra ID and then Users, you will find columns for User type and User principal name. Guests show up with User type set to Guest and with #EXT# in their UPN, such as cloudville#EXT#@cloudvillegmail.onmicrosoft.com. The full form Entra generates is alias_domain#EXT#@tenant.onmicrosoft.com, with the guest's external email address encoded before the #EXT# marker. Note that User type is just an attribute an administrator can change, so an externally-authenticated account can end up with User type Member; filtering on the #EXT# marker as well as on User type catches those.
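The portal columns above (User type, User principal name, Source) map to fields on the Microsoft Graph user object: userType, userPrincipalName, onPremisesSyncEnabled and externalUserState. The following Python is an added example, not code from the original page: it takes a constructed JSON sample shaped like a Graph users response, classifies each account's source the way the Source column does, decodes the external address hidden in a #EXT# UPN, and flags two things an access reviewer would want to see: externally-authenticated accounts whose userType was switched to Member, and invitations that were never redeemed. The sample data and the function names are assumptions of this example.

```python
import json
import re
from collections import Counter

# Constructed sample shaped like the objects returned by the Microsoft Graph
# users endpoint (GET /v1.0/users?$select=userPrincipalName,userType,
# onPremisesSyncEnabled,externalUserState). Not real tenant data.
SAMPLE_USERS_JSON = """[
  {"userPrincipalName": "alice@contoso.onmicrosoft.com",
   "userType": "Member", "onPremisesSyncEnabled": null, "externalUserState": null},
  {"userPrincipalName": "bob@contoso.com",
   "userType": "Member", "onPremisesSyncEnabled": true, "externalUserState": null},
  {"userPrincipalName": "carol_fabrikam.com#EXT#@contoso.onmicrosoft.com",
   "userType": "Guest", "onPremisesSyncEnabled": null, "externalUserState": "Accepted"},
  {"userPrincipalName": "dave_gmail.com#EXT#@contoso.onmicrosoft.com",
   "userType": "Guest", "onPremisesSyncEnabled": null, "externalUserState": "PendingAcceptance"},
  {"userPrincipalName": "erin_partner.net#EXT#@contoso.onmicrosoft.com",
   "userType": "Member", "onPremisesSyncEnabled": null, "externalUserState": "Accepted"}
]"""

# B2B guest UPNs take the shape alias_domain#EXT#@tenant. The greedy "(.+)_"
# stops at the last underscore before the domain, so aliases may contain "_".
EXT_UPN = re.compile(r"^(?P<alias>.+)_(?P<domain>[^_#]+)#EXT#@(?P<tenant>[^@]+)$")


def identity_source(user):
    """Classify where the account is mastered, mirroring the portal's Source column."""
    if user.get("onPremisesSyncEnabled"):
        return "Windows Server AD"          # synced by Entra Connect
    if user.get("userType") == "Guest" or "#EXT#" in user["userPrincipalName"]:
        return "External"                   # B2B collaboration account
    return "Microsoft Entra ID"             # cloud-only identity


def home_identity(upn):
    """Recover the external sign-in address encoded in a #EXT# UPN, or None."""
    m = EXT_UPN.match(upn)
    return f"{m['alias']}@{m['domain']}" if m else None


def review_findings(users):
    """Items an access reviewer would want flagged (this example's own checklist)."""
    findings = []
    for u in users:
        upn = u["userPrincipalName"]
        # userType can be changed after invitation; an externally-authenticated
        # account promoted to Member gets member-level default permissions.
        if "#EXT#" in upn and u.get("userType") == "Member":
            findings.append((upn, "external identity with userType=Member"))
        # Invitation never redeemed: the object still exists and can be added to groups.
        if u.get("externalUserState") == "PendingAcceptance":
            findings.append((upn, "invitation never redeemed"))
    return findings


def summarize(users_json):
    """Counts per source plus the review findings for a Graph users response."""
    users = json.loads(users_json)
    return {
        "by_source": dict(Counter(identity_source(u) for u in users)),
        "findings": review_findings(users),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_USERS_JSON).items():
        print(key, value)
```

On a real tenant you would feed summarize() the JSON body of the Graph users request instead of the constructed sample; the classification logic does not change.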
Groups
As the name suggests, Entra lets you organize and manage users with groups. Access permissions (Azure RBAC roles, application assignments, licences) can be assigned to a group instead of to each user individually, and every member of the group inherits them.
Membership Types
Assigned: You add and remove members of the group manually.
Dynamic: Members are added and removed automatically based on rules. A rule selects users or devices by their attributes, e.g. (user.city -eq "California") adds every user whose city attribute is California. A group can be dynamic for users or for devices, not both, and dynamic membership requires an Entra ID P1 licence.
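To see what a dynamic membership rule actually selects, here is an added example in Python (not code from the original page and not Microsoft's rule engine): a parser and evaluator for a subset of the dynamic membership rule syntax (-eq, -ne, -startsWith, -and, -or, -not and parentheses) run against constructed sample users. The sample users, the assumed operator precedence (-not, then -and, then -or) and the case-insensitive string matching are assumptions of this example; check the rule documentation before relying on either in a real rule. The point it demonstrates: an attribute rule such as user.department -eq "Engineering" also captures guests who happen to carry that attribute, so a rule that gates access needs an explicit user.userType -eq "Member" clause if guests should stay out.

```python
import re

# Constructed sample users (not real tenant data); the guest carries the #EXT# UPN.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.onmicrosoft.com",
     "userType": "Member", "department": "Engineering", "city": "California"},
    {"userPrincipalName": "bob@contoso.com",
     "userType": "Member", "department": "Sales", "city": "Austin"},
    {"userPrincipalName": "carol_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "department": "Engineering", "city": None},
]

# Tokens: parentheses, "quoted strings", -operators, user.property names, bare literals.
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|-[A-Za-z]+|[A-Za-z]+(?:\.[A-Za-z]+)?')

# Assumption: string comparisons are case-insensitive; verify per operator in the docs.
_norm = lambda x: x.lower() if isinstance(x, str) else x

# Supported comparison operators (a subset of the real rule language), keyed in lower case.
COMPARISONS = {
    "-eq": lambda a, v: _norm(a) == _norm(v),
    "-ne": lambda a, v: _norm(a) != _norm(v),
    "-startswith": lambda a, v: isinstance(a, str) and a.lower().startswith(str(v).lower()),
}


def _literal(tok):
    """Turn the value token after an operator into a Python value."""
    if tok is None:
        raise ValueError("rule ends where a value was expected")
    if tok.startswith('"'):
        return tok[1:-1]
    keywords = {"true": True, "false": False, "null": None}
    if tok.lower() in keywords:
        return keywords[tok.lower()]
    raise ValueError(f"unsupported literal {tok!r}")


class RuleParser:
    # Recursive descent; -not binds tightest, then -and, then -or (assumed precedence).
    def __init__(self, rule):
        self.toks = TOKEN_RE.findall(rule)
        self.i = 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok

    def parse(self):
        node = self._or()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node

    def _binary(self, op, sub):
        node = sub()
        while (self._peek() or "").lower() == op:
            self._take()
            node = (op[1:], node, sub())
        return node

    def _or(self):
        return self._binary("-or", self._and)

    def _and(self):
        return self._binary("-and", self._factor)

    def _factor(self):
        tok = self._take()
        if tok is None:
            raise ValueError("unexpected end of rule")
        if tok.lower() == "-not":
            return ("not", self._factor())
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if not tok.lower().startswith("user."):
            raise ValueError(f"expected user.<property>, got {tok!r}")
        op = (self._take() or "").lower()
        if op not in COMPARISONS:
            raise ValueError(f"unsupported operator {op!r}")
        return ("cmp", op, tok[5:], _literal(self._take()))


def evaluate(node, user):
    """Walk the parsed tree against one user's attributes."""
    kind = node[0]
    if kind == "not":
        return not evaluate(node[1], user)
    if kind in ("and", "or"):
        left, right = evaluate(node[1], user), evaluate(node[2], user)
        return (left and right) if kind == "and" else (left or right)
    _, op, prop, value = node
    return COMPARISONS[op](user.get(prop), value)


def members(rule, users):
    """UPNs the rule would place in the group."""
    tree = RuleParser(rule).parse()
    return [u["userPrincipalName"] for u in users if evaluate(tree, u)]
```

Running members('user.department -eq "Engineering"', SAMPLE_USERS) returns alice and the guest carol; adding -and (user.userType -eq "Member") leaves only alice. Malformed rules such as a missing value raise ValueError rather than silently matching nobody, which is the failure mode you want when a rule feeds an access decision.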
Types of Groups
There are 2 types of groups:
Security Groups: They are used to manage the access of members (users, devices, and nested groups) to shared resources, and they are what you assign Azure RBAC roles to.
Microsoft 365 Groups: They are used for collaboration, giving members a shared mailbox, calendar, files, a SharePoint site, and more.
You might be wondering why Microsoft 365 (M365) groups are mentioned here. This is because Microsoft Entra ID serves as the identity provider not just for Azure but for all Microsoft cloud services, including M365 tools. In fact, Entra ID has its own dedicated admin centre, the Microsoft Entra admin center at https://entra.microsoft.com.
Licences in Microsoft Entra ID
Users must have licences assigned to them in order to use Microsoft's paid cloud services, such as Microsoft 365, Enterprise Mobility + Security, and the Entra ID P1/P2 features themselves. A licence determines which features and services are available to a user. Licences can be assigned per user or through group-based licensing in Microsoft Entra ID, where every member of a group inherits the licences assigned to the group. Group-based licensing is itself a paid feature and is not available on the free tier.
Types of Entra ID Licences
Microsoft Entra ID Free: Basic identity and access management features.
Microsoft Entra ID P1: This includes everything in the free tier plus conditional access, dynamic groups, group-based licensing, self-service password reset with on-premises write-back, and other advanced security features.
Microsoft Entra ID P2: This includes everything in P1 plus Identity Protection (risk-based conditional access), Privileged Identity Management (PIM) for just-in-time, time-bound role activation, and access reviews.
Microsoft Entra Suite: An add-on licensed on top of Entra ID P1 that bundles five products: Microsoft Entra Private Access, Microsoft Entra Internet Access, Microsoft Entra ID Governance, Microsoft Entra ID Protection, and Microsoft Entra Verified ID (premium capabilities).