Azure

Microsoft Entra ID Fundamentals: Identity Management from the Former Azure AD (AZ-900/SC-900/AZ-104 Essentials)

2026-05-24
NicheeLab Editorial Team

Microsoft Entra ID is the cloud identity management service formerly known as Azure Active Directory (Azure AD), and it powers authentication for Microsoft 365, Azure, and thousands of SaaS applications worldwide. Since the July 11, 2023 rebrand, study materials, blog posts, and internal documentation have all mixed the old and new names, making this one of the first stumbling blocks for learners. This article pulls together the must-know fundamentals shared across AZ-900, SC-900, and AZ-104 — the rebrand backstory, tenant structure, authentication methods, Conditional Access, how it differs from Azure RBAC, and license selection — all in one place.

Entra ID is not a technology you learn in isolation. It runs through Azure resource permissions, Microsoft 365 user authentication, SaaS SSO integration, external partner invitations — every layer of the organization's IT foundation. It is a cross-cutting concept. That cross-cutting nature is precisely what makes it hard to study: touching it piece by piece never reveals the whole picture. This article is written for anyone who wants to "finally understand Entra properly," and aims to provide a conceptual map.

Why the Rebrand Happened in July 2023

The announcement on July 11, 2023 that Microsoft would rebrand Azure AD to Entra ID was purely a branding move — there was no change to the technical specs. The backdrop is Microsoft's strategy of consolidating its identity and access management products under the unified Microsoft Entra family brand. The Entra family includes the identity service itself (former Azure AD = Entra ID) along with several sub-brands: Entra Permissions Management (former CloudKnox), Entra Verified ID (decentralized identity), Entra External ID (the unified former B2B/B2C), Entra Private Access, Entra Internet Access, and more.

The cutover timeline in the field hit on October 1, 2023, when SKU names and licensing screens fully switched to Entra ID, after which Microsoft's official documentation was rewritten in lockstep. However, API endpoints (login.microsoftonline.com, graph.microsoft.com) and PowerShell module names (AzureAD is being retired and replaced by Microsoft Graph PowerShell) are migrating on a separate, gradual timeline. The latest revisions of AZ-900 and SC-900 now use "Microsoft Entra ID" as the official term, and the naming gap between older question banks and the live exam has become a real source of confusion for candidates.

Tenants and Subscriptions

The starting point for understanding Entra ID is the tenant. A tenant is "the logical boundary of an organization's Entra ID instance," and one is automatically created when an organization signs up for Microsoft 365 or Azure. Tenants are identified by a tenant ID in GUID format, an initial domain name (e.g. contoso.onmicrosoft.com), and any custom domains added later (e.g. contoso.com). The tenant ID cannot be changed once created, and tenants themselves cannot be technically migrated or merged, so naming and ownership decisions during the initial design phase need to be made carefully.

This is where beginners inevitably get confused about the relationship between an Entra ID tenant and an Azure subscription. An Azure subscription is "a billing unit for Azure resources," and an Entra ID tenant is "the management unit for identity and authentication" — completely different roles. One tenant can have multiple subscriptions attached, and the most common enterprise pattern is "one tenant for the whole company, multiple subscriptions per business unit." Conversely, a single subscription cannot belong to multiple tenants. This one-to-many structure is a frequently tested concept on AZ-900 and AZ-104.

Users, Groups, Devices, and Applications

Entra ID manages four main types of objects: users, groups, devices, and applications (Service Principals). Each object has credentials, attributes, roles, and policies attached, and Entra ID manages all of it in one place.

Users come in three main types: cloud-only users (exist only in Entra ID), synced users (synchronized from on-premises Active Directory via Entra Connect), and guest users (external users invited from other organizations via B2B). In real enterprises, you typically see a mix — employee accounts are synced users, service accounts are cloud-only, and external partners are guests.

Groups come in two flavors — Security Groups (for permission assignment) and Microsoft 365 Groups (for collaboration, integrated with Teams, SharePoint, and Outlook) — and membership can be managed in two ways: Assigned (added manually) and Dynamic (added automatically based on attributes). Dynamic Groups require an Entra ID P1 license and are a powerful feature that auto-updates membership based on rules like "everyone where Department = Engineering" or "everyone where City = Tokyo."

Devices are how endpoints — Windows, macOS, iOS, Android — get registered with Entra. There are three types: Entra registered (BYOD), Entra joined (corporate-owned), and Hybrid joined (joined to both on-premises AD and Entra). This is an important concept that underlies Conditional Access controls like "only allow access from Entra joined devices."

Applications are how SaaS apps and in-house apps get registered with Entra, split into two parts: an App Registration (the app's definition) and a Service Principal (the app's instance within a tenant). Service Principals are also the target for Azure RBAC role assignments, so they are frequently used as the authentication identity for automation scripts and CI/CD pipelines.

A Map of Authentication Methods: From Passwords to FIDO2

The authentication methods Entra ID supports span a wide range of security strengths. Sorted from weakest to strongest: password only (not recommended) → password + SMS / voice call (vulnerable to phishing, being deprecated) → password + Microsoft Authenticator app (the current standard) → Passwordless - Authenticator phone sign-inPasswordless - Windows Hello for BusinessPasswordless - FIDO2 security key.

MFA (multi-factor authentication) requires "a combination of two or more different factors (knowledge, possession, inherence)." Microsoft's own research shows it reduces account compromise risk by 99.9% compared to password-only. Since 2024, Microsoft has been progressively making MFA mandatory for all Azure and Microsoft 365 administrators, and MFA enforcement for tenant admin roles is expected to be complete across all environments by the end of 2025.

Passwordless is the next step up: an approach that "does not use a password at all." Entra ID officially supports 3 Passwordless methods: Microsoft Authenticator phone sign-in (authentication completes via biometrics on a smartphone), Windows Hello for Business (authenticates using a TPM and local PIN or biometrics on the Windows device), and FIDO2 security keys (USB or NFC hardware keys like YubiKey). Among these, FIDO2 is a top-tier phishing-resistant method that conforms to the WebAuthn standard, available from vendors like Yubico and Feitian. For high-security environments, the modern best practice is the combination of "FIDO2 security key + Entra joined device."

Conditional Access: The Core of Zero Trust

Conditional Access is a policy engine available in Entra ID P1 and above, and it is the core implementation feature for a Zero Trust architecture. The underlying idea is simple — "dynamically decide whether to allow, block, require additional authentication, or grant restricted access, based on the context of the sign-in" — expressed as "if (condition) then (action)" rule sets.

The conditions you can specify include: users / groups, cloud apps (Office 365, Azure Management, specific SaaS), location (country, IP range), device state (Entra joined / Compliant), device platform (Windows / macOS / iOS / Android), client app (Browser / Mobile / Modern auth client), and sign-in risk (a dynamic risk score derived from Identity Protection).

Here are 3 patterns commonly used in practice. First, "always require MFA for admin roles" — make MFA mandatory for elevation to Global Administrator, Privileged Role Administrator, and similar roles. Second, "require MFA for access from outside the country" — require additional authentication for access from IPs outside Japan, to suppress suspicious logins from abroad. Third, "limit unmanaged devices to read-only Outlook Web" — combined with MAM (Mobile Application Management) to restrict data exfiltration even for BYOD. These are classic scenarios that come up repeatedly in SC-300 and AZ-104 practice questions.

The Boundary Between Entra Roles and Azure RBAC

The biggest pitfall when learning Entra ID is confusing Entra ID roles with Azure RBAC roles. These are two separate role systems, with totally different scopes and responsibilities.

Entra ID roles control "administrative actions inside the Entra tenant." Representative examples: Global Administrator (full tenant authority), User Administrator (user / group management), Application Administrator (app registration management), Privileged Role Administrator (managing assignment of other roles), and so on. These are administrative permissions scoped to the Entra ID tenant, and by default they do not include permission to operate resources (VMs, Storage, Databases, etc.) under Azure subscriptions.

Azure RBAC roles, on the other hand, control "operations on resources under an Azure subscription." Representative examples: Owner (full control), Contributor (can operate but cannot delegate), Reader (read-only), User Access Administrator (manages role assignments), plus hundreds of resource-specific roles like Storage Blob Data Contributor. These are assigned at Azure resource scopes (subscription, resource group, individual resource).

A common pitfall: a Global Administrator can manage everything in the Entra ID tenant, but does not, by default, have permission to operate resources under Azure subscriptions. If needed, the Global Administrator uses the "Elevate Access for Azure Subscriptions" button to elevate themselves to User Access Administrator across all subscriptions, and then assigns themselves an RBAC role like Owner — a two-step process. This boundary is something AZ-104 and SC-300 will always ask about.

SSO and SaaS Integration

One of Entra ID's most practically valuable features is SaaS app integration via single sign-on (SSO). The Entra ID Gallery already has over 10,000 SaaS apps pre-integrated worldwide, and nearly every major SaaS — Salesforce, ServiceNow, Workday, Zoom, Slack, GitHub, Asana, Box, Dropbox — can be wired up for SSO with a single click.

It supports four integration protocols — SAML 2.0, OpenID Connect (OIDC), OAuth 2.0, and WS-Federation — covering everything from legacy SAML to modern OIDC. In addition, SaaS apps that support SCIM 2.0 can be wired up for automated user lifecycle management, where creating or deleting a user in Entra ID automatically provisions or deprovisions them on the SaaS side as well. This is a powerful operational feature for preventing leftover SaaS access after an employee leaves.

For apps not in the Gallery, you can register them manually as custom SAML apps. Building SSO into in-house web apps with Entra ID is a common pattern, and with MSAL (Microsoft Authentication Library) you can wire up the authentication flow in just a few lines of code.

External Identities: Where B2B and B2C Stand Today

Entra ID provides mechanisms for managing not just "your own users" but "external users" as well. This is Microsoft Entra External ID.

The former Azure AD B2B Collaboration is still alive today as the B2B capability of Entra External ID — a mechanism for inviting business partners' or vendors' Microsoft / Google accounts into your tenant as guest users with access to specific resources or apps. It is frequently used for granting temporary access to external design firms or auditors in collaborative projects.

On the other hand, the former Azure AD B2C was a separate architecture aimed at "consumer app identity," and Microsoft stopped accepting new sign-ups on May 1, 2025, recommending External ID for customers (the new consumer identity platform) for new projects. Existing Azure AD B2C tenants can continue to be used until 2030, but the roadmap assumes migration to the new platform. When building a new B2C-style authentication backbone, Microsoft's official guidance is to skip Azure AD B2C entirely and start with External ID for customers.

Choosing a License: Where Free, P1, and P2 Differ

Entra ID licensing has four broad tiers: Free, P1, P2, and Microsoft Entra Suite (F2 exists as a Microsoft 365 bundle, but it's a special SKU). Where to pull the trigger on paid is something many organizations agonize over, so let's lay out where the feature boundaries fall.

Free covers only the minimum — tenant creation, basic user / group management, and authentication for Microsoft 365 accounts. P1 ($6 USD per user per month) unlocks Conditional Access, Self-Service Password Reset (with write-back to on-prem AD), Dynamic Groups, Application Proxy, SCIM provisioning, and group-based app assignment. In practice the deciding factor is whether you need Conditional Access — for most enterprise environments, P1 ends up being the minimum baseline.

P2 ($9 USD per user per month) adds higher-tier governance features on top of everything in P1: Privileged Identity Management (PIM), Identity Protection, Access Reviews, and Entitlement Management. PIM is "the mechanism where admin roles aren't kept permanently active — instead they're elevated on a request basis for a limited time," which is the core feature for implementing least-privilege principles. For organizations with mature security postures, or companies that need to meet regulations like SOX or ISO 27001, P2 is effectively mandatory.

Microsoft Entra Suite ($12 USD per user per month, P2 included), launched in 2024, is the top-tier SKU that bundles Entra Verified ID, Entra Private Access, Entra Internet Access, and Entra Permissions Management on top of P2 features. It's a package aimed at organizations rolling out the full Zero Trust Network Access (ZTNA) and decentralized identity stack — the kind of investment that warrants rethinking your entire subscription strategy.

Exams That Cover Entra ID, and Study Resources

Here's the learning route through Entra ID organized by exam. For an introduction, SC-900 (Security, Compliance & Identity Fundamentals) is ideal. It covers Entra concepts, Zero Trust, and the Defender lineup at an introductory level, in 45 minutes for $99 USD. If you're aiming for serious administrator territory, SC-300 (Identity and Access Administrator Associate) is the main target, focused on implementing Conditional Access, PIM, and External Identities. If you're an Azure operator learning Entra alongside everything else, AZ-104 (Azure Administrator) includes basic management. At the top, SC-100 (Cybersecurity Architect Expert) is aimed at the role of designing Entra strategy within a Zero Trust architecture.

For free learning resources, Microsoft Learn's "Microsoft Entra fundamentals" path is the recommended starting point — available in Japanese, about 4 hours. For hands-on practice, the Microsoft 365 Developer Program sandbox tenant is invaluable: it lets you test Conditional Access or PIM behavior without affecting your production environment. Before touching commercial environments, the standard learning pattern is to first build a test Conditional Access policy in the sandbox and apply it to your own account.

Frequently Asked Questions

Are Microsoft Entra ID and Azure AD the same thing?

Yes, they are exactly the same service. On July 11, 2023, Microsoft announced the rebrand of Azure Active Directory (Azure AD) to Microsoft Entra ID, and by October 1, 2023 the SKU names and licensing screens had been fully updated. The technical specs, API endpoints (login.microsoftonline.com), and tenant structure have not changed at all. When older study materials or Stack Overflow answers say "Azure AD," you can simply read that as "Entra ID" and the content still applies to the current service.

How many Entra ID license tiers are there?

There are 4 official tiers: Free, P1, P2, and Microsoft Entra Suite (F2 is a special SKU bundled with Microsoft 365 F2). Free only covers tenant creation and basic user/group management. P1 unlocks the features you actually need in practice — Conditional Access, Self-Service Password Reset, Dynamic Groups, Application Proxy — at $6 USD per user per month. P2 adds Privileged Identity Management (PIM), Identity Protection, and Access Reviews on top of P1 for $9 USD per user per month. The "P5" SKU mentioned in some blog posts does not officially exist.

How do Entra ID tenants and Azure subscriptions relate?

An Entra ID tenant is the logical boundary that manages identity and authentication, while an Azure subscription is a billing unit — they are completely separate concepts. A single Entra ID tenant can have multiple Azure subscriptions attached, but each subscription belongs to exactly one tenant. The most common pattern is one tenant for the whole organization with multiple subscriptions per business unit. The tenant ID is a GUID and cannot be changed (or migrated), so naming and initial design choices need to be made carefully.

What is Conditional Access?

Conditional Access is a policy engine that combines signals — who is signing in, from where, on what device, to which app — and dynamically decides whether to block, allow, require MFA, or grant restricted access. It requires Entra ID P1 or higher. Common scenarios include "require MFA for access from outside Japan," "limit access from unmanaged PCs to read-only Outlook Web," and "force a password reset when sign-in risk is High." It is the cornerstone of Zero Trust design and shows up frequently on SC-300 and AZ-104.

What is the difference between Entra ID roles and Azure RBAC?

Entra ID roles (Global Administrator, User Administrator, etc.) control administrative actions inside the Entra ID tenant. Azure RBAC roles (Owner, Contributor, Reader, etc.) control operations on resources under an Azure subscription. A common pitfall: a Global Administrator can manage everything in Entra ID but does not, by default, have permission to operate Azure subscription resources (they can elevate themselves through User Access Administrator if needed). This boundary is a frequently tested concept on AZ-104 and SC-300.

How are MFA, Passwordless, and FIDO2 related?

MFA (multi-factor authentication) is the concept of requiring two or more authentication factors — combinations like password + SMS, password + Microsoft Authenticator, or password + FIDO2 security key. Passwordless takes this further by removing the password entirely. Entra ID officially supports 3 Passwordless methods: FIDO2 security keys, Windows Hello for Business, and Microsoft Authenticator phone sign-in. FIDO2 keys (such as YubiKey) follow the WebAuthn standard and offer the highest level of phishing resistance among Passwordless options.

What is the difference between External Identities (formerly B2B and B2C)?

Entra External ID is the name introduced in the 2023 reorganization that unified B2B Collaboration and B2C. B2B lets you invite users from external organizations — business partners, vendors — into your own tenant, and is alive and well as the guest user feature. B2C was the mechanism for managing consumer app sign-in through Entra, but for new customer apps Microsoft now recommends the new Customer Identity platform (External ID for customers). New sign-ups for Azure AD B2C ended in 2025; existing tenants can be used until 2030, but Microsoft's official guidance is to choose the new platform for any new project.

Which exam should I take to learn Entra ID?

For an introduction, SC-900 (Security, Compliance & Identity Fundamentals) gives you broad coverage of Entra concepts. If you are aiming to become a serious administrator, SC-300 (Identity and Access Administrator Associate) is the main target, focusing on implementing Conditional Access, PIM, and External Identities. If you are an Azure operator learning Entra alongside everything else, AZ-104 (Azure Administrator) includes basic Entra management. At the top is SC-100 (Cybersecurity Architect Expert), aimed at architects designing Entra ID strategy as part of a Zero Trust architecture.

Related Articles and Exam Info

Microsoft Entra MFA 詳細ガイド|認証方式選定・Conditional Access・Number Matching・Phishing-resistant MFA【2026 年版】

Microsoft Entra Multi-Factor Authentication (MFA) の詳細ガイド。10 種類の認証方式選定・Conditional Access での MFA 強制・Per-user MFA vs Conditional Access MFA・Security Defaults・MFA Fatigue 攻撃対策・Phishing-resistant MFA・関連認定試験 (SC-300 / SC-100 / MS-102) を日本語で網羅。

SC-300 完全ガイド|Microsoft Identity and Access Administrator Associate 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Certified: Identity and Access Administrator Associate (SC-300) の完全ガイド。4 ドメインの出題範囲、Microsoft Entra ID の ユーザー / グループ / アプリ管理、Conditional Access / MFA / PIM / Entra ID Governance の実装、3-4 ヶ月の合格ロードマップ、SC-200 / SC-100 / SC-500 への展開ルートを日本語で網羅。

Azure Fundamentals 5 試験完全比較|AZ-900 / DP-900 / SC-900 / MS-900 / AI-901 の違いと選び方

Microsoft Azure Fundamentals 階層 5 試験 (AZ-900 / DP-900 / SC-900 / MS-900 / AI-901) を完全比較。各試験の出題範囲、難易度、適性、推奨取得順、合計学習時間、Virtual Training Day での無料バウチャー活用法、Associate ティアへの展開ルートを日本語で網羅。

Azure Architect キャリアロードマップ|AZ-900 → AZ-305 → SC-100 シニアアーキテクトへの道【2026 年版】

Azure Solutions Architect になるための認定取得ロードマップ完全版。AZ-900 → AZ-104 → AZ-305 の王道ルート、AZ-400 / SC-100 / AZ-700 との二刀流 / 三刀流戦略、マルチクラウド対応 (AWS / GCP)、未経験から 7-12 ヶ月の学習プラン、年収レンジまで日本語で網羅。

The Entra ID specifications in this article are based on the official Microsoft Learn Entra documentation and the MicrosoftDocs/entra-docs GitHub repository (CC BY 4.0). This article is not an official Microsoft Corporation product and has no affiliation or endorsement from Microsoft. Microsoft, Microsoft Entra, Microsoft Entra ID, Azure, and Windows Hello are trademarks of the Microsoft group of companies. FIDO2 is a trademark of the FIDO Alliance, and YubiKey is a trademark of Yubico AB. Information is based on official public materials as of May 24, 2026. For the latest information, always check the official Microsoft Entra ID documentation.

Check what you learned with practice questions

Practice with certification-focused question sets

See Azure exam prep
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.