Every Microsoft service you manage — Intune, Azure, Microsoft 365, Defender — ultimately relies on Microsoft Entra ID for identity. It is the cloud directory and identity platform that authenticates users, authorises access, enforces Conditional Access policies, and provides the device identities that Intune manages. This guide covers the full foundational picture: what Entra ID is, how it works, its core components, identity types, authentication methods, SSO, Conditional Access, licensing, and Azure AD Connect.
1. What is Microsoft Entra ID?
Microsoft Entra ID (formerly Azure Active Directory / Azure AD) is Microsoft's cloud-based identity and access management (IAM) service. It manages users, groups, applications, and devices, and is the identity backbone behind Microsoft 365, Azure, Intune, and every SaaS app integrated via SAML or OAuth.
What Entra ID does:
- Manages users, groups, applications, devices
- Provides Single Sign-On (SSO) to cloud and on-prem apps
- Enforces Multi-Factor Authentication (MFA)
- Evaluates Conditional Access policies
What Entra ID is not:
- Not a replacement for on-prem Active Directory
- Not a DNS or DHCP service
- Not a VPN or firewall
- Not a device management platform (that's Intune)
2. How Microsoft Entra ID Works
3. Core Components
| Component | Description | Used in Intune? |
|---|---|---|
| Tenant | Your organisation's dedicated Entra ID instance — has a unique tenant ID (GUID) | Yes — Intune lives inside your tenant |
| Users | Individual identities — cloud-only or synced from on-prem AD | Yes — every Intune policy targets users or their devices |
| Groups | Collections of users or devices — security groups and M365 groups | Yes — Intune assignments use Entra groups |
| Devices | Endpoints registered or joined to Entra ID | Yes — Entra device ID is the Intune device identity |
| Enterprise Applications | SaaS and enterprise apps integrated via SSO/SAML/OAuth | Yes — Intune Company Portal is an Enterprise App |
| App Registrations | Custom apps registered to use Entra ID authentication | Yes — Graph API automation uses App Registrations |
| Administrative Units | Scoping containers — delegate admin to a subset of users/devices | Yes — useful for regional Intune admin delegation |
| Roles | RBAC roles — Global Admin, Intune Administrator, Security Reader, etc. | Yes — Intune Administrator role scoped to Intune |
4. Identity Types
| Identity type | Description |
|---|---|
| Cloud-only identity | Created and lives entirely in Entra ID — no on-prem AD equivalent |
| Hybrid identity | Synced from on-prem Active Directory via Microsoft Entra Connect |
| Guest user (B2B) | External collaborators invited to your tenant with their own identity provider |
| External user | Customers or partners using Entra External ID (CIAM) |
| Service principal | Non-human identity for applications and automation scripts (maps to an App Registration) |
| Managed identity | Azure-resource-bound service principal — no credentials to manage, auto-rotated by Azure |
5. Authentication Methods
| Method | Security level | Notes |
|---|---|---|
| Password | Low | Phishable — should always be combined with MFA |
| Microsoft Authenticator app | High | Push notification or number matching — passwordless capable |
| Phone / SMS OTP | Medium | NIST deprecated for high-security scenarios — use only as fallback |
| FIDO2 Security Key | Very high | Phishing-resistant — hardware key (YubiKey, etc.) |
| Certificate-based authentication | Very high | Client certificate from Intune certificate profile |
| Windows Hello for Business | Very high | PIN + TPM-backed asymmetric key — phishing-resistant, tied to the device |
6. Single Sign-On (SSO)
SSO lets users authenticate once and access multiple applications without re-entering credentials. Entra ID supports three SSO protocols:
| Protocol | Used for |
|---|---|
| SAML 2.0 | Enterprise SaaS apps (ServiceNow, Salesforce, Workday) — most common for enterprise SSO |
| OAuth 2.0 + OpenID Connect | Modern apps and APIs — Microsoft 365, Azure, custom apps using MSAL |
| WS-Federation | Legacy federation scenarios — older SharePoint, ADFS |
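With OAuth 2.0 / OpenID Connect, the application ends up holding a token issued by Entra ID, and the app, not Entra ID, is responsible for checking that the token was issued by the expected tenant for the expected audience. The block below is an added example (not Microsoft's or MSAL's code) of those claim checks for a v2.0 endpoint ID token, whose issuer has the form `https://login.microsoftonline.com/{tenant-id}/v2.0`. It assumes the signature has already been verified against the tenant's published signing keys; the tenant ID, client ID and token contents are constructed placeholders.

```python
"""Claim checks for an Entra ID-issued OpenID Connect ID token (added example).

Assumes the v2.0 endpoint and that signature verification has already passed;
these checks cover what a valid signature does not: right tenant, right
audience, and validity window.
"""
import base64
import json
import time
from typing import Dict, List, Optional

# Constructed placeholder values for the relying party (not real tenant data)
EXPECTED_TENANT_ID = "aaaaaaaa-0000-1111-2222-333333333333"
EXPECTED_CLIENT_ID = "bbbbbbbb-4444-5555-6666-777777777777"
CLOCK_SKEW_SECONDS = 300


def decode_jwt_payload(token: str) -> Dict:
    """Base64url-decode the middle segment of a compact JWT (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_entra_claims(claims: Dict, now: Optional[float] = None,
                          tenant_id: str = EXPECTED_TENANT_ID,
                          client_id: str = EXPECTED_CLIENT_ID) -> List[str]:
    """Return a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        problems.append("issuer mismatch")
    if claims.get("tid") != tenant_id:            # rejects tokens minted by another tenant
        problems.append("tenant mismatch")
    if claims.get("aud") != client_id:            # rejects tokens minted for a different app
        problems.append("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_SKEW_SECONDS:
        problems.append("expired or missing exp")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf - CLOCK_SKEW_SECONDS:
        problems.append("not yet valid")
    return problems


def build_unsigned_token(claims: Dict) -> str:
    """Constructed test helper: header.payload plus a placeholder signature segment."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.signature-placeholder"


if __name__ == "__main__":
    now = int(time.time())
    sample = {"iss": f"https://login.microsoftonline.com/{EXPECTED_TENANT_ID}/v2.0",
              "tid": EXPECTED_TENANT_ID, "aud": EXPECTED_CLIENT_ID,
              "exp": now + 3600, "nbf": now - 60, "sub": "constructed-subject"}
    print(validate_entra_claims(decode_jwt_payload(build_unsigned_token(sample))))  # []
```

The `tid` check matters most for multi-tenant app registrations: without it, any Entra tenant's token with the right audience would be accepted.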
7. Conditional Access
Conditional Access is the access control engine of Entra ID. Every time a user or device tries to access a resource, Conditional Access evaluates a set of conditions and makes a real-time decision: Allow, Block, or Allow with MFA required. The conditions it evaluates include:
- User identity & group membership
- Device compliance (from Intune)
- Location (named locations, countries)
- Application being accessed
- Sign-in risk (from Identity Protection)
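To make the decision flow concrete, here is an added example (not Microsoft's evaluation engine, and not code from the original guide) that models the conditions listed above against two typical policies: one requiring MFA plus an Intune-compliant device for all cloud apps, and one blocking high sign-in risk. The policy dictionaries are shaped after the Microsoft Graph `conditionalAccessPolicy` resource but only the keys used here are modelled; the break-glass account ID and named-location ID are constructed placeholders, and only the `AND` grant operator is handled.

```python
"""Simplified model of a Conditional Access decision (added example, not Microsoft's engine).

Models the conditions from the list above (user/group, app, location, device
compliance, sign-in risk) and the combined outcome: Block wins, then any
unmet grant control, then Allow.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed placeholder identifiers (not real tenant values)
BREAK_GLASS_ID = "11111111-1111-1111-1111-111111111111"        # emergency access account object ID
TRUSTED_HQ_LOCATION = "22222222-2222-2222-2222-222222222222"   # named location ID

POLICIES: List[Dict] = [
    {
        "displayName": "Require MFA and compliant device for all cloud apps",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID], "includeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [TRUSTED_HQ_LOCATION]},
            "signInRiskLevels": [],                      # empty = applies at any risk level
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    },
    {
        "displayName": "Block high sign-in risk",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID], "includeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "locations": {},
            "signInRiskLevels": ["high"],
        },
        "grantControls": {"operator": "AND", "builtInControls": ["block"]},
    },
]


@dataclass
class SignIn:
    user_id: str
    app_id: str
    device_compliant: bool        # compliance state reported by Intune
    mfa_satisfied: bool           # second factor already presented in this session
    location_id: str = ""         # named location the source IP resolved to, if any
    group_ids: List[str] = field(default_factory=list)
    risk_level: str = "none"      # Identity Protection: none | low | medium | high


def policy_applies(policy: Dict, s: SignIn) -> bool:
    """True when every configured condition of the policy matches the sign-in."""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    users = cond["users"]
    if s.user_id in users.get("excludeUsers", []):        # exclusions win over inclusions
        return False
    included = ("All" in users.get("includeUsers", [])
                or s.user_id in users.get("includeUsers", [])
                or any(g in users.get("includeGroups", []) for g in s.group_ids))
    if not included:
        return False
    apps = cond["applications"].get("includeApplications", [])
    if "All" not in apps and s.app_id not in apps:
        return False
    if s.location_id and s.location_id in cond.get("locations", {}).get("excludeLocations", []):
        return False
    risk_levels = cond.get("signInRiskLevels", [])
    if risk_levels and s.risk_level not in risk_levels:
        return False
    return True


def decide(s: SignIn, policies: List[Dict] = POLICIES) -> str:
    """Combine all applicable policies into one of the three outcomes."""
    required = set()
    for policy in policies:
        if not policy_applies(policy, s):
            continue
        controls = set(policy["grantControls"]["builtInControls"])
        if "block" in controls:
            return "Block"
        required |= controls
    if "compliantDevice" in required and not s.device_compliant:
        return "Block"                        # a non-compliant device cannot satisfy the control
    if "mfa" in required and not s.mfa_satisfied:
        return "Allow with MFA required"      # user is challenged for a second factor
    return "Allow"


if __name__ == "__main__":
    user = SignIn(user_id="u-alice", app_id="Microsoft Intune", device_compliant=True, mfa_satisfied=False)
    print(decide(user))                       # Allow with MFA required
```

Note how the break-glass exclusion is applied in every policy, including the risk-based block: an emergency account that is caught by any policy is not an emergency account.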
8. Entra ID Licensing
| Edition | Key features |
|---|---|
| Free | User & group management, basic SSO, MFA (for admins), self-service password reset |
| Entra ID P1 | Everything in Free + Conditional Access, SSO to all SaaS apps, Dynamic Groups, Hybrid Identity (Entra Connect) |
| Entra ID P2 | Everything in P1 + Identity Protection (sign-in risk), Privileged Identity Management (PIM), Access Reviews |
| Entra Suite | P2 + Entra Internet Access, Private Access, ID Governance, Verified ID, External ID — full Zero Trust stack |
For Intune deployment, P1 is the minimum practical licence (Conditional Access for device compliance enforcement). Most M365 E3/E5 and Business Premium licences include P1 or P2.
9. Microsoft Entra Connect (Azure AD Connect)
Microsoft Entra Connect (formerly Azure AD Connect) is the tool that synchronises your on-premises Active Directory to Entra ID. It is the foundation of Hybrid Identity — letting on-prem AD accounts sign in to cloud services.
10. Key Best Practices
- Never share the Global Administrator account — use PIM to activate it only when needed
- Enable MFA for all administrator accounts (Conditional Access policy, not per-user MFA)
- Apply the principle of least privilege — assign Intune Administrator, not Global Admin
- Monitor Sign-in Logs and Audit Logs in Entra ID → Monitoring
- Create at least one emergency access (break-glass) account excluded from Conditional Access
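The monitoring and break-glass points above turn into concrete detections once you look at the sign-in log records. The block below is an added example (not Microsoft's code) that triages records shaped after the Microsoft Graph `signIn` resource (`authenticationRequirement`, `conditionalAccessStatus`, `riskLevelDuringSignIn`, `status.errorCode`): any use of an emergency access account, an admin signing in interactively without MFA or with no Conditional Access policy applied, and a risky sign-in that nonetheless succeeded. The admin and break-glass UPNs and the five sample records are constructed.

```python
"""Triage of Entra ID sign-in log records (added example, not Microsoft's code).

Records are constructed to match the shape returned by the Graph signIns
endpoint; the admin and break-glass inventories are placeholders.
"""
import json
from typing import Dict, List

# Constructed inventory (assumption: kept in step with role assignments / PIM)
ADMIN_UPNS = {"intune.admin@contoso.example", "global.admin@contoso.example"}
BREAK_GLASS_UPNS = {"breakglass1@contoso.example"}

# Constructed sample records
SAMPLE_SIGNINS = json.loads("""[
  {"createdDateTime": "2024-05-01T08:02:11Z", "userPrincipalName": "intune.admin@contoso.example",
   "appDisplayName": "Microsoft Intune", "isInteractive": true, "ipAddress": "203.0.113.10",
   "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success",
   "riskLevelDuringSignIn": "none", "status": {"errorCode": 0}},
  {"createdDateTime": "2024-05-01T08:14:37Z", "userPrincipalName": "global.admin@contoso.example",
   "appDisplayName": "Azure Portal", "isInteractive": true, "ipAddress": "198.51.100.7",
   "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied",
   "riskLevelDuringSignIn": "none", "status": {"errorCode": 0}},
  {"createdDateTime": "2024-05-01T09:30:02Z", "userPrincipalName": "breakglass1@contoso.example",
   "appDisplayName": "Azure Portal", "isInteractive": true, "ipAddress": "198.51.100.9",
   "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied",
   "riskLevelDuringSignIn": "none", "status": {"errorCode": 0}},
  {"createdDateTime": "2024-05-01T10:05:48Z", "userPrincipalName": "alice@contoso.example",
   "appDisplayName": "Office 365 Exchange Online", "isInteractive": true, "ipAddress": "192.0.2.44",
   "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success",
   "riskLevelDuringSignIn": "high", "status": {"errorCode": 0}},
  {"createdDateTime": "2024-05-01T10:06:15Z", "userPrincipalName": "bob@contoso.example",
   "appDisplayName": "Office 365 Exchange Online", "isInteractive": true, "ipAddress": "192.0.2.45",
   "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied",
   "riskLevelDuringSignIn": "none", "status": {"errorCode": 50126}}
]""")


def _finding(rec: Dict, upn: str, reason: str) -> Dict:
    return {"time": rec["createdDateTime"], "upn": upn, "ip": rec.get("ipAddress"), "reason": reason}


def triage(signins: List[Dict], admin_upns=ADMIN_UPNS, break_glass_upns=BREAK_GLASS_UPNS) -> List[Dict]:
    """Return one finding per condition that deserves a human look, in log order."""
    findings = []
    for rec in signins:
        upn = rec.get("userPrincipalName", "").lower()
        succeeded = rec.get("status", {}).get("errorCode") == 0
        if upn in break_glass_upns:
            # Any use of an emergency access account is an incident, successful or not
            findings.append(_finding(rec, upn, "break-glass account used"))
            continue
        if not succeeded:
            continue                              # failed sign-ins are a separate volume signal
        if upn in admin_upns and rec.get("isInteractive"):
            if rec.get("authenticationRequirement") != "multiFactorAuthentication":
                findings.append(_finding(rec, upn, "admin interactive sign-in without MFA"))
            if rec.get("conditionalAccessStatus") == "notApplied":
                findings.append(_finding(rec, upn, "no Conditional Access policy applied to admin sign-in"))
        if rec.get("riskLevelDuringSignIn") in {"medium", "high"}:
            findings.append(_finding(rec, upn, "risky sign-in succeeded (%s)" % rec["riskLevelDuringSignIn"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS):
        print(f["time"], f["upn"], f["ip"], "-", f["reason"])
```

In production the records come from `GET /auditLogs/signIns` (or the Log Analytics export of the same data) rather than an inline string; the logic is unchanged. The second sample record is the one the MFA-via-Conditional-Access practice is meant to eliminate: an admin reaching the portal with a single factor and no policy applied.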
Official References
- What is Microsoft Entra ID?
- What is Conditional Access?
- Authentication methods in Microsoft Entra ID
- What is Microsoft Entra Connect?
- Microsoft Entra ID licensing
This guide was inspired by Anuradha Kumari's LinkedIn post on Azure AD (Entra ID) Complete Overview – Part 1 — excellent structured learning content for Intune and Azure professionals. Follow Anuradha on LinkedIn for more handwritten study notes at CloudEngineerHub.Com.