INTRODUCING MICROSOFT ENTRA ID (formerly Azure AD)


Cloudville

A TLDR definition of ENTRA ID is that it is the identity provider (or identity service) for Microsoft’s cloud (Azure) and many other environments. It is a service that is used to manage identities.

Identity refers to the unique representation of a user, device, service principal or application in a system. In simpler terms, it's the answer to the question, "Who are you?" An identity can be associated with a set of attributes like a username, email address, or phone number. Identity is important because it serves as a basis for enabling security and implementing the “principle of least privilege”.

We use (our) identities to access resources in different environments. An example of such an environment is the Azure Cloud.

We usually need to prove our ownership of these identities in order to use them. One of the many ways we do this is to provide credentials that get verified against some central “library” or “store”. This process of proving that we own (or have access to) an identity is called “Authentication”. Once our identity has been authenticated, what we can do with it in a particular environment is determined by another concept called “Authorization”.

To define these two concepts formally: Authentication is the process of proving one's identity, which can be done using passwords, tokens, biometrics, or other methods. Authorization is the process of granting or denying permissions to resources based on the authenticated identity.

In environments (organisations) where multiple identities will require access to resources and perform varying levels of actions on those resources, there is a need to keep records of these identities and manage all their activities. This is where identity providers (or identity platforms) come in.

An Identity Provider (IdP) is a service that creates, maintains, and manages identity information while providing authentication services to relying applications. In essence, IdPs are the gatekeepers that verify user identities and grant them access to various resources. Identity Providers allow organisations to manage users, groups, and permissions, ensuring that the right people have the right access to the necessary resources. ENTRA ID is Microsoft's identity provider offering. Apart from ENTRA ID, there are several other popular IdPs, including Google Identity, Amazon Cognito, Auth0 and Okta. Each has its features and integrations, but the core idea remains the same: managing and verifying user identities.

Microsoft Entra ID (formerly Azure Active Directory or Azure AD) is Microsoft's cloud-based identity and access management service. It helps organizations securely manage and authenticate users, devices, and resources both within and outside the organization. Prior to its rebranding, a common misconception was that Azure AD was exclusive to the Azure Cloud or the Microsoft ecosystem. In reality, Microsoft Entra ID remains a versatile tool that can be used across various environments. Whether you're using Microsoft services, third-party SaaS applications, or even on-premises (custom) applications, Entra ID can manage and authenticate users for these resources effectively.
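The following is an added example, not code from the original post or from Microsoft. It shows the two steps defined above, authentication and then authorization, as a custom API would perform them on a token issued by Entra ID: the issuer and audience are placeholders (the `https://login.microsoftonline.com/{tenant}/v2.0` issuer format and the `roles` claim are how Entra ID v2.0 tokens look), and the signature is verified with a constructed HMAC secret so the example runs offline with the standard library, whereas real Entra ID tokens are RS256-signed with keys published at the tenant's JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder values; a real tenant ID and app ID URI come from the Entra portal.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"  # Entra v2.0 issuer format
EXPECTED_AUDIENCE = "api://photo-api-example"
SIGNING_SECRET = b"constructed-demo-secret"  # stands in for the IdP's RSA signing key (HMAC here)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()

def mint_token(claims: dict) -> str:
    """Stand-in for the IdP issuing a token to a user it has authenticated."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{body}"
    return f"{signing_input}.{b64url(sign(signing_input))}"

def authenticate(token: str, now: float = None) -> dict:
    """Authentication: prove the token really came from our IdP, was issued for
    this API, and has not expired. Returns the verified claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if not hmac.compare_digest(sign(f"{header}.{body}"), b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token not issued for this API")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def authorize(claims: dict, required_role: str) -> bool:
    """Authorization: knowing who the caller is, decide what they may do.
    Entra ID places the app roles assigned to the caller in the 'roles' claim."""
    return required_role in claims.get("roles", [])
```

A caller that fails `authenticate` never reaches `authorize`; a caller that passes it may still be refused because the needed role is absent, which is the least-privilege split between the two steps.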

ENTRA ID VS. ACTIVE DIRECTORY: UNDERSTANDING THE RELATIONSHIP

While both ENTRA ID and Active Directory (AD) are identity services from Microsoft, they serve different purposes and have distinct features:

Active Directory is, in a sense, a predecessor to ENTRA ID, but it is important to know that the two do not operate in the same way.

Active Directory (AD) is an on-premises identity service, primarily used for intranet and network resource access within an organisation's firewall. AD uses protocols like LDAP and Kerberos for its operations.

ENTRA ID is a cloud-based service, designed for internet-based applications and resources. ENTRA ID uses protocols like OAuth, SAML, and OpenID Connect.

The table below compares and contrasts Active Directory (AD) and ENTRA ID based on a few of their key features:

| Feature | Active Directory (AD) | Microsoft Entra ID |
| --- | --- | --- |
| Primary Use | On-premises identity service for intranet and network resource access. | Cloud-based identity service for internet-based applications and resources. |
| Location | Installed and managed on-premises. | Managed in the cloud by Microsoft. |
| Protocols | LDAP, Kerberos | OAuth, SAML, OpenID Connect |
| Cloud Integration | Requires additional tools like ENTRA ID Connect to sync with cloud services. | Native cloud integration. |
| Scope | Limited to on-premises resources. | Can be used across various cloud environments and on-premises. |
| User Base | Typically internal organization users. | Both internal organization users and external users (like partners or customers). |
| Management Tools | AD Administrative Center, Group Policy. | Azure portal, ENTRA ID PowerShell module. |
| Security | Basic security features; advanced features require additional solutions. | Built-in advanced security features like Multi-Factor Authentication, Conditional Access, Privileged Identity Management and Identity Protection. |

A common misconception is to think that ENTRA ID is just “Active Directory in the cloud” (especially when it was still going by the former name “Azure Active Directory”). The table above shows that this is not the case: the two differ in where they run, the protocols they speak, the users they serve and the security features they ship with.

CONCLUSION

ENTRA ID is a powerful and versatile identity management tool that plays a pivotal role in modern cloud architectures. As organisations continue to migrate to the cloud, understanding ENTRA ID and its capabilities becomes increasingly crucial. Whether you're preparing for an Azure certification exam or just looking to bolster your cloud knowledge, a deep dive into ENTRA ID is time well spent.