
Microsoft Entra ID Complete Overview: Identity, SSO, Conditional Access and Licensing (Part 1)

Imran Awan
1 July 2026

Every Microsoft service you manage — Intune, Azure, Microsoft 365, Defender — ultimately relies on Microsoft Entra ID for identity. It is the cloud directory and identity platform that authenticates users, authorises access, enforces Conditional Access policies, and provides the device identities that Intune manages. This guide covers the full foundational picture: what Entra ID is, how it works, its core components, identity types, authentication methods, SSO, Conditional Access, licensing, and Azure AD Connect.

1. What is Microsoft Entra ID?

Microsoft Entra ID (formerly Azure Active Directory / Azure AD) is Microsoft's cloud-based identity and access management (IAM) service. It manages users, groups, applications, and devices, and is the identity backbone behind Microsoft 365, Azure, Intune, and every SaaS app integrated via SAML or OAuth.

What it does
  • Manages users, groups, applications, devices
  • Provides Single Sign-On (SSO) to cloud and on-prem apps
  • Enforces Multi-Factor Authentication (MFA)
  • Evaluates Conditional Access policies
What it is NOT
  • Not a replacement for on-prem Active Directory
  • Not a DNS or DHCP service
  • Not a VPN or firewall
  • Not a device management platform (that's Intune)

2. How Microsoft Entra ID Works

Authentication & Authorisation Flow
  1. User signs in
  2. Entra ID authenticates
  3. MFA evaluated
  4. Conditional Access policies evaluated
  5. Token issued
  6. Access to resource granted
Resources include: Microsoft 365 · Azure Portal · SharePoint · Intune · Any SAML/OAuth integrated app

3. Core Components

| Component | Description | Used in Intune? |
| --- | --- | --- |
| Tenant | Your organisation's dedicated Entra ID instance — has a unique tenant ID (GUID) | Yes — Intune lives inside your tenant |
| Users | Individual identities — cloud-only or synced from on-prem AD | Yes — every Intune policy targets users or their devices |
| Groups | Collections of users or devices — security groups and M365 groups | Yes — Intune assignments use Entra groups |
| Devices | Endpoints registered or joined to Entra ID | Yes — Entra device ID is the Intune device identity |
| Enterprise Applications | SaaS and enterprise apps integrated via SSO/SAML/OAuth | Yes — Intune Company Portal is an Enterprise App |
| App Registrations | Custom apps registered to use Entra ID authentication | Yes — Graph API automation uses App Registrations |
| Administrative Units | Scoping containers — delegate admin to a subset of users/devices | Yes — useful for regional Intune admin delegation |
| Roles | RBAC roles — Global Admin, Intune Administrator, Security Reader, etc. | Yes — Intune Administrator role scoped to Intune |

4. Identity Types

| Identity type | Description |
| --- | --- |
| Cloud-only identity | Created and lives entirely in Entra ID — no on-prem AD equivalent |
| Hybrid identity | Synced from on-prem Active Directory via Microsoft Entra Connect |
| Guest user (B2B) | External collaborators invited to your tenant with their own identity provider |
| External user | Customers or partners using Entra External ID (CIAM) |
| Service principal | Non-human identity for applications and automation scripts (maps to an App Registration) |
| Managed identity | Azure-resource-bound service principal — no credentials to manage, auto-rotated by Azure |

5. Authentication Methods

| Method | Security level | Notes |
| --- | --- | --- |
| Password | Low | Phishable — should always be combined with MFA |
| Microsoft Authenticator app | High | Push notification or number matching — passwordless capable |
| Phone / SMS OTP | Medium | NIST deprecated for high-security scenarios — use only as fallback |
| FIDO2 Security Key | Very high | Phishing-resistant — hardware key (YubiKey, etc.) |
| Certificate-based authentication | Very high | Client certificate from Intune certificate profile |
| Windows Hello for Business | Very high | PIN + TPM-backed asymmetric key — phishing-resistant, tied to the device |
Passwordless strategy: Microsoft recommends FIDO2 Security Keys or Windows Hello for Business as the primary authentication method for high-privilege accounts. Microsoft Authenticator is the recommended first step for most users moving away from passwords.

6. Single Sign-On (SSO)

SSO lets users authenticate once and access multiple applications without re-entering credentials. Entra ID supports three SSO protocols:

| Protocol | Used for |
| --- | --- |
| SAML 2.0 | Enterprise SaaS apps (ServiceNow, Salesforce, Workday) — most common for enterprise SSO |
| OAuth 2.0 + OpenID Connect | Modern apps and APIs — Microsoft 365, Azure, custom apps using MSAL |
| WS-Federation | Legacy federation scenarios — older SharePoint, ADFS |
SSO — User flow across multiple apps
User (signs in once) → Microsoft Entra ID → Microsoft 365 · SharePoint · Salesforce · ServiceNow · Zoom · Custom App
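The sign-in flow in section 2 and the OAuth 2.0 / OpenID Connect row above both end with an application receiving a token from Entra ID. What follows is an added example, not code from the original post or from Microsoft: the claim checks an app or API should run on such a token once its OIDC library has verified the RS256 signature against the tenant's published keys. The tenant ID, client ID, clock value and the token itself are constructed for the example; the issuer format is the one Entra ID uses for v2.0 tokens.

```python
# Added example, not code from the original post or from Microsoft:
# the claim checks an app or API applies to a token Entra ID issued to it.
# Signature verification (RS256, keys published per tenant) is assumed to
# have been done already by the OIDC library; these checks come after it.
import base64
import json
import time
from typing import List, Optional

TENANT = "11111111-2222-3333-4444-555555555555"  # constructed tenant ID
CLIENT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed app (client) ID
NOW = 1_700_000_000                              # fixed clock for reproducible checks


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    Nothing here checks the signature: call it only on a token the OIDC
    library has already verified."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def validate_claims(claims: dict, expected_tenant: str, expected_client_id: str,
                    now: Optional[float] = None, clock_skew: int = 300) -> List[str]:
    """Return the list of problems found; an empty list means the claims pass."""
    now = time.time() if now is None else now
    problems = []
    # v2.0 tokens embed the tenant ID in 'iss' and repeat it in 'tid'. Checking
    # both confines sign-in to our own tenant: a multi-tenant app otherwise
    # accepts any correctly signed token from any Entra tenant.
    if claims.get("iss") != f"https://login.microsoftonline.com/{expected_tenant}/v2.0":
        problems.append("issuer is not our tenant")
    if claims.get("tid") != expected_tenant:
        problems.append("tid is not our tenant")
    # 'aud' must be this app's client ID, so a token minted for another app
    # (another Enterprise App, Graph, ...) is not accepted here.
    if claims.get("aud") != expected_client_id:
        problems.append("token was issued for a different application")
    # Lifetime, with a small tolerance for clock skew between Entra and us.
    if claims.get("exp", 0) + clock_skew <= now:
        problems.append("token has expired")
    if claims.get("nbf", 0) - clock_skew > now:
        problems.append("token is not yet valid")
    return problems


def make_constructed_token(claims: dict) -> str:
    """Build a test token for this example only. The third segment is a
    placeholder, not a signature, which is why decode_claims() must never
    be trusted on its own for real tokens."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature-placeholder"


def good_claims() -> dict:
    """Claims as Entra ID would issue them for our app (constructed values)."""
    return {"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "tid": TENANT,
            "aud": CLIENT, "sub": "constructed-user-object-id",
            "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3600}


def check(token: str, now: float = NOW) -> List[str]:
    """Decode and validate in one step against our tenant and client ID."""
    return validate_claims(decode_claims(token), TENANT, CLIENT, now=now)


if __name__ == "__main__":
    print("own tenant:", check(make_constructed_token(good_claims())))
    other = "99999999-9999-9999-9999-999999999999"  # constructed foreign tenant
    foreign = dict(good_claims(), tid=other,
                   iss=f"https://login.microsoftonline.com/{other}/v2.0")
    print("other tenant:", check(make_constructed_token(foreign)))
```

For a multi-tenant App Registration a token from any Entra tenant carries a valid signature, so the `iss`/`tid` check is what confines sign-in to your own tenant, and the `aud` check stops a token minted for a different application (one of your other Enterprise Apps, for instance) being accepted by this one. Signature verification itself belongs to the library, which fetches the tenant's signing keys from the OIDC metadata; the checks above are the part it cannot do for you.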

7. Conditional Access

Conditional Access is the access control engine of Entra ID. Every time a user or device tries to access a resource, Conditional Access evaluates a set of conditions and makes a real-time decision: Allow, Block, or Allow with MFA required.

Conditional Access — Signals → Decision → Enforcement
Signals (conditions)
  • User identity & group membership
  • Device compliance (from Intune)
  • Location (named locations, countries)
  • Application being accessed
  • Sign-in risk (from Identity Protection)
Decision — Policy Engine
Enforcement
  • ✓ Allow access
  • ⚠ Require MFA
  • ✗ Block access
Gotcha: Conditional Access policies with Require compliant device depend on Intune marking the device compliant first. If you enable this policy before enrolling devices in Intune, users will be locked out. Always deploy in report-only mode first.
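To make the Signals → Decision → Enforcement model and the report-only gotcha concrete, here is an added example that is not from the original post and is not Microsoft's evaluation engine: a simplified Python model of Conditional Access evaluation. Policy state names mirror the values the Microsoft Graph API uses for a policy (`enabled`, `enabledForReportingButNotEnforced`, `disabled`); the policies, groups, apps and sign-ins are constructed sample data, and the combination rules are reduced to the two that matter here: a Block from any enforced policy wins, and a grant control that cannot be satisfied (a compliant device that Intune has not yet marked compliant) blocks.

```python
# Added example, not part of the original post and not Microsoft's engine:
# a simplified model of how Conditional Access turns signals into a decision,
# including report-only mode and the "Require compliant device" gotcha.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    """Signals for one access attempt (constructed sample data)."""
    user: str
    groups: Set[str]
    app: str
    location: str
    sign_in_risk: str = "none"
    device_compliant: Optional[bool] = None  # None = device not enrolled in Intune


@dataclass
class Policy:
    """One Conditional Access policy. State names mirror the Graph API values."""
    name: str
    state: str   # "enabled" | "enabledForReportingButNotEnforced" | "disabled"
    grant: str   # "block" | "mfa" | "compliantDevice"
    include_groups: Optional[Set[str]] = None  # None = all users
    include_apps: Optional[Set[str]] = None    # None = all cloud apps
    exclude_locations: Set[str] = field(default_factory=set)  # named locations
    min_risk: Optional[str] = None  # apply only at this sign-in risk or above


def applies(policy: Policy, s: SignIn) -> bool:
    """Does the policy's scope (its conditions) match this sign-in?"""
    if policy.state == "disabled":
        return False
    if policy.include_groups is not None and not (policy.include_groups & s.groups):
        return False
    if policy.include_apps is not None and s.app not in policy.include_apps:
        return False
    if s.location in policy.exclude_locations:
        return False
    if policy.min_risk and RISK_ORDER[s.sign_in_risk] < RISK_ORDER[policy.min_risk]:
        return False
    return True


def outcome(policy: Policy, s: SignIn) -> str:
    """What this one policy would do on its own: 'allow', 'mfa' or 'block'."""
    if policy.grant == "compliantDevice":
        # Only Intune marks a device compliant. An unenrolled (None) or
        # non-compliant device cannot satisfy the control, so it is a block.
        return "allow" if s.device_compliant else "block"
    return policy.grant


def evaluate(policies: List[Policy], s: SignIn) -> Tuple[str, List[Tuple[str, str]]]:
    """Combine all matching policies into (enforced decision, report-only findings).
    A block from any enforced policy wins; report-only policies are logged only."""
    decision = "allow"
    report_only: List[Tuple[str, str]] = []
    for p in policies:
        if not applies(p, s):
            continue
        result = outcome(p, s)
        if p.state == "enabledForReportingButNotEnforced":
            report_only.append((p.name, result))  # what it WOULD have done
            continue
        if result == "block":
            decision = "block"
        elif result == "mfa" and decision == "allow":
            decision = "mfa"
    return decision, report_only


def rollout_scenario(compliance_policy_state: str) -> Tuple[str, List[Tuple[str, str]]]:
    """The gotcha: a user whose device is not yet enrolled in Intune signs in to
    Microsoft 365 while a 'Require compliant device' policy is in the given state."""
    policies = [
        Policy("Require MFA for all users", "enabled", "mfa"),
        Policy("Require compliant device for Microsoft 365", compliance_policy_state,
               "compliantDevice", include_apps={"Office 365"}),
        Policy("Block high-risk sign-ins", "enabled", "block", min_risk="high"),
    ]
    not_yet_enrolled = SignIn("alice", {"All Staff"}, "Office 365", "Trusted HQ",
                              device_compliant=None)
    return evaluate(policies, not_yet_enrolled)


if __name__ == "__main__":
    print("report-only first:", rollout_scenario("enabledForReportingButNotEnforced"))
    print("enabled too early:", rollout_scenario("enabled"))
```

Run with the compliance policy in report-only state, the user still gets in (with MFA) and the finding "would have blocked" is recorded, which is exactly what the Entra sign-in log's report-only tab would show you before the device is enrolled; switch the same policy to `enabled` and the sign-in is blocked outright. Reading those findings per policy before flipping the state is the practical form of the gotcha above.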

8. Entra ID Licensing

| Edition | Key features |
| --- | --- |
| Free | User & group management, basic SSO, MFA (for admins), self-service password reset |
| Entra ID P1 | Everything in Free + Conditional Access, SSO to all SaaS apps, Dynamic Groups, Hybrid Identity (Entra Connect) |
| Entra ID P2 | Everything in P1 + Identity Protection (sign-in risk), Privileged Identity Management (PIM), Access Reviews |
| Entra Suite | P2 + Entra Internet Access, Private Access, ID Governance, Verified ID, External ID — full Zero Trust stack |

For Intune deployment, P1 is the minimum practical licence (Conditional Access for device compliance enforcement). Most M365 E3/E5 and Business Premium licences include P1 or P2.

9. Microsoft Entra Connect (Azure AD Connect)

Microsoft Entra Connect (formerly Azure AD Connect) is the tool that synchronises your on-premises Active Directory to Entra ID. It is the foundation of Hybrid Identity — letting on-prem AD accounts sign in to cloud services.

Entra Connect — Three sync modes
  • Password Hash Sync (PHS): Password hashes synced to cloud — sign-in happens against Entra ID. Simplest and most resilient.
  • Pass-through Authentication (PTA): Password validated against on-prem AD in real time — hash never leaves. Requires on-prem agent.
  • Federation (ADFS): Sign-in fully handled by on-prem ADFS — maximum control, maximum complexity.
Seamless SSO: Both PHS and PTA support Seamless SSO — domain-joined devices automatically authenticate to cloud apps without a login prompt, using Kerberos tickets. Enable this in Entra Connect optional features.

10. Key Benefits

Centralised identity
Single directory for all users and devices across cloud and on-prem
Zero Trust foundation
Every access request verified — no implicit trust based on network location
MFA & passwordless
Phishing-resistant authentication built in
Conditional Access
Granular, real-time access control based on identity, device, location, risk
SSO everywhere
One login for all M365, Azure, and SaaS apps
Hybrid identity
Bridge between on-prem AD and cloud services via Entra Connect
Device management integration
Device compliance from Intune feeds directly into Conditional Access
Identity Protection
ML-based risk detection for compromised accounts and risky sign-ins
Bonus — Important Terms
Tenant — A dedicated instance of Entra ID for your organisation
App Registration — Register an application to integrate with Entra ID authentication
Enterprise App — Pre-configured app for SSO and user assignment (from the App Gallery)
Object ID — Unique GUID for every user, group, device, or app in Entra ID
Directory Role — RBAC role assigned to manage Entra ID resources (e.g. Global Admin, Intune Administrator)
Principal ID — The Object ID of a Service Principal or Managed Identity
Security checklist — apply before going live

Official References

This guide was inspired by Anuradha Kumari's LinkedIn post on Azure AD (Entra ID) Complete Overview – Part 1 — excellent structured learning content for Intune and Azure professionals. Follow Anuradha on LinkedIn for more handwritten study notes at CloudEngineerHub.Com.
