
Implement a Hybrid Identity with Windows Server

Select a Microsoft Entra Integration Model


Microsoft Entra ID is a directory service designed for cloud-based and web applications, sharing some features with traditional AD DS deployments. Contoso’s IT team can implement Microsoft Entra ID and synchronize its on-premises identities to the cloud. These steps would allow Contoso staff to use single sign-on (SSO) to access both on-premises resources and associated resources in their Azure tenant.

The IT team can use Microsoft Entra ID to increase employee productivity, streamline IT processes, and improve security when adopting various cloud services. Contoso employees can access online applications using a single user account. Contoso can also perform centralized user management using the well-known Windows PowerShell cmdlets. It is also worth noting that, because Microsoft Entra ID is highly scalable and designed for availability, the IT team will not have to maintain the associated infrastructure or worry about disaster recovery.

As an Azure component, Microsoft Entra ID can support multi-factor authentication as part of a comprehensive cloud service access strategy, providing an additional security layer. Role-based access control (RBAC), self-service password reset, group management, and device registration deliver enterprise-ready identity management solutions. Microsoft Entra ID also offers advanced identity protection, as well as enhanced reporting and alerting features that can help you detect threats more effectively.

Overview of Microsoft Entra ID

Microsoft Entra ID is part of the platform-as-a-service (PaaS) offering and operates as a directory service managed by Microsoft in the cloud. It is not part of the core infrastructure that customers own and manage, and it is not an IaaS offering. This means you have less control over its implementation, but also that you do not need to allocate resources for its deployment or maintenance.

With Microsoft Entra ID, you also have access to a set of features not natively available in AD DS, such as support for multi-factor authentication, identity protection, and self-service password reset. You can use Microsoft Entra ID to provide more secure access to cloud-based resources for organizations and individuals by:

  • Configuring application access
  • Configuring SSO for cloud-based SaaS applications
  • Managing users and groups
  • Provisioning users
  • Enabling federation between organizations
  • Providing an identity management solution
  • Identifying irregular sign-in activities
  • Configuring multi-factor authentication
  • Extending existing on-premises Active Directory implementations to Microsoft Entra ID
  • Configuring Application Proxy for cloud and on-premises applications
  • Configuring conditional access for users and devices

Microsoft Entra Tenants

Unlike on-premises AD DS, Microsoft Entra ID is multi-tenant by design and is implemented specifically to ensure isolation between its individual directory instances. It is the largest multi-tenant directory in the world, hosting more than one million directory service instances, with billions of authentication requests per week. The term “tenant” in this context generally represents a company or organization that has subscribed to a Microsoft cloud service such as Microsoft 365, Microsoft Intune, or Azure, each using Microsoft Entra ID.

However, from a technical perspective, the term “tenant” represents an individual instance of Microsoft Entra. Within an Azure subscription, you can create multiple Microsoft Entra tenants. Having multiple tenants can be useful if you want to test Microsoft Entra features in one tenant without affecting others.

Note

At any time, an Azure subscription must be associated with a single, unique Microsoft Entra tenant. However, you can associate the same Microsoft Entra tenant with multiple Azure subscriptions.

Each Microsoft Entra tenant is assigned a default DNS domain name consisting of a unique prefix. This prefix is derived from the Microsoft account name used to create the Azure subscription, or explicitly provided when creating the Microsoft Entra tenant, followed by the suffix onmicrosoft.com. It is possible and common to add at least one custom domain name to the same Microsoft Entra tenant. This name uses the DNS namespace that the company or organization owns, for example, Contoso.com. The Microsoft Entra tenant serves as a security boundary and container for Microsoft Entra objects such as users, groups, and applications.

Microsoft Entra ID Characteristics

Although Microsoft Entra ID shares many similarities with AD DS, there are also many differences. It is important to understand that using Microsoft Entra ID is not equivalent to deploying an AD DS domain controller on an Azure virtual machine and then adding it to your on-premises domain.

When comparing Microsoft Entra ID and AD DS, it is essential to note the following characteristics of Microsoft Entra ID:

  • Microsoft Entra ID is primarily an identity solution, designed for Internet-based applications using HTTP (port 80) and HTTPS (port 443) communications.
  • Microsoft Entra ID is a multi-tenant directory service.
  • Microsoft Entra users and groups are created in a flat structure, without organizational units (OUs) or group policy objects (GPOs).
  • You cannot query Microsoft Entra ID via LDAP; instead, it uses the REST API over HTTP and HTTPS.
  • Microsoft Entra ID does not use Kerberos authentication; it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication, as well as OAuth for authorization.
  • Microsoft Entra ID includes federation services, and many third-party services are federated with and trust Microsoft Entra ID.

Microsoft Entra Integration Options

Small organizations that do not have an on-premises directory such as AD DS can rely entirely on Microsoft Entra ID as an authentication and authorization service. However, the number of such organizations remains small, so most companies look for a way to integrate on-premises AD DS with Microsoft Entra ID. Microsoft provides identity and access management at cloud scale through Microsoft Entra ID, which offers several options for integrating AD DS with Azure. These options are described in the following table:

Option: Extending on-premises AD DS to Azure
  With this option, you host virtual machines in Azure that you then promote as domain controllers in your on-premises AD DS.

Option: Synchronizing on-premises AD DS with Microsoft Entra ID
  Directory synchronization propagates user, group, and contact information to Microsoft Entra ID and keeps this information synchronized. In this scenario, users use different passwords to access cloud and on-premises resources, and authentication processes are separate.

Option: Synchronizing AD DS with Microsoft Entra ID using password hash synchronization
  In this approach, on-premises AD DS synchronizes objects with Microsoft Entra ID and also sends user password hashes to Microsoft Entra ID. With this option, users can access applications and resources compatible with Microsoft Entra ID using the same password as their current on-premises login. For end users, this approach provides the same sign-in experience.

Option: Implementing SSO between on-premises AD DS and Microsoft Entra ID
  This option supports the widest range of integration features and allows a user to sign in to Azure after authenticating through on-premises AD DS. The technology that provides this functionality is called federation, which you can implement using Active Directory Federation Services (AD FS). AD FS relies on a set of federation servers and proxies, which take the form of the Web Application Proxy service role. As an alternative to deploying AD FS, you can also use pass-through authentication technology, which delivers almost the same results as AD FS. However, it does not use Web Application Proxy and requires less complex infrastructure than AD FS.

The Microsoft Entra directory is not an extension of an on-premises directory. Rather, it is a copy containing the same objects and identities. Changes made to these items on-premises are copied to Microsoft Entra ID, but changes made in Microsoft Entra ID are not replicated back to the on-premises domain.
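The following script is an added example, not part of the original module or of Microsoft's documentation. It uses the Microsoft Graph PowerShell SDK (assumed to be installed, with an account that can consent to the read-only scopes requested) to audit which of the integration options in the table above a tenant actually uses: whether on-premises synchronization is enabled, whether each verified domain authenticates in the cloud (Managed, which covers both password hash synchronization and pass-through authentication) or is delegated to an on-premises identity provider such as AD FS (Federated), and how many users are sourced from on-premises versus created directly in the cloud. The final request uses the raw Graph REST endpoint to show the HTTPS/JSON surface the characteristics list describes in place of LDAP.

```powershell
# Added example (not the module's own code): audit the Microsoft Entra
# integration model in use, read-only, through Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph modules are installed and the signed-in account
# can consent to the scopes below.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Domain.Read.All', 'Organization.Read.All', 'User.Read.All'

# 1. Is directory synchronization from on-premises AD DS enabled for this tenant?
$org = Get-MgOrganization -Property DisplayName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime
[PSCustomObject]@{
    Tenant      = $org.DisplayName
    SyncEnabled = [bool]$org.OnPremisesSyncEnabled
    LastSync    = $org.OnPremisesLastSyncDateTime
}

# 2. Per domain: 'Managed' means sign-in is completed in the cloud (password hash
#    synchronization or pass-through authentication; Graph does not distinguish
#    the two here), 'Federated' means sign-in is handed to AD FS or another IdP.
Get-MgDomain |
    Select-Object Id, IsVerified, IsDefault, AuthenticationType |
    Sort-Object AuthenticationType, Id |
    Format-Table -AutoSize

# 3. Synced users have on-premises AD DS as their source of authority; their
#    synchronized attributes cannot be changed from the cloud because changes
#    never replicate back on-premises. Cloud-only users are managed in Entra ID.
$users     = Get-MgUser -All -Property Id, UserPrincipalName, OnPremisesSyncEnabled
$synced    = @($users | Where-Object { $_.OnPremisesSyncEnabled -eq $true })
$cloudOnly = @($users | Where-Object { -not $_.OnPremisesSyncEnabled })
"Users synced from on-premises: $($synced.Count); cloud-only: $($cloudOnly.Count)"

# 4. The same domain data through the REST endpoint directly: an HTTPS GET that
#    returns JSON, which is how Entra ID is queried instead of an LDAP bind.
#    Single quotes keep PowerShell from expanding '$select' as a variable.
$resp = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/domains?$select=id,authenticationType'
$resp.value | ForEach-Object { '{0,-40} {1}' -f $_.id, $_.authenticationType }

Disconnect-MgGraph | Out-Null
```

Run it from a workstation with the Microsoft.Graph modules installed; the scopes requested are all read-only, so the script reports the configuration without changing it. A tenant where step 1 reports SyncEnabled = False and step 3 reports no synced users is in the cloud-only model described in the tip below.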

💡 Tip

You can also use Microsoft Entra ID without using an on-premises directory. In this case, Microsoft Entra ID acts as the primary source of all identity information, rather than containing data replicated from an on-premises directory.
