In this article, I will explain what Microsoft Entra ID is, how it is used and how it compares to orthodox on-premise Active Directory.
Active Directory is often used in on-premise infrastructure as a tool to manage various resources such as users, devices or groups. On top of that, administrators can also define and use group policies in order to better manage those resources. The network protocol used is LDAP. There is a lot to say about Active Directory, but the core components can be categorized as:
- Users and Groups
- Domains
- Trusts
- Identity Services
- Authentication and Authorization
- Directory Services
AD in Azure is nowadays called Microsoft Entra ID. People often mistakenly think that one is an upgrade of the other, but they rather complement each other: Active Directory is focused on on-premise infrastructure and Microsoft Entra ID on the cloud. In hybrid cloud scenarios, organizations often use both of them, as Azure offers various means to do so.
Microsoft Entra ID
The main idea of Microsoft Entra ID is to provide an identity and access management service with which you can manage access to various resources such as devices or applications.
In a typical scenario, there are generally three levels of users located in Entra ID:
- Admins – responsible for infrastructure, granting various permissions, creating groups and users, and managing security
- Users – users working for the company; can be a developer or any other employee
- Guests – users from outside of the company, for example external developers
The admins have the most privileges, followed by users working for the company and ending with guests.

Microsoft Entra tenant architecture
When it comes to Azure, you can think of a tenant as the top-most entity for your organization. Every subscription is located in a tenant. The second important point is that every tenant has its own instance of Microsoft Entra ID, formerly called Azure AD.
Although it is not necessarily the case, you can assume that a tenant represents a company. Microsoft Entra ID then represents its employees, various groups such as developers and managers, various policies, etc. A tenant also goes by other names, such as Organization or Directory.

There can be multiple subscriptions under one tenant, which is a one-to-many relationship. However, a subscription can be associated with only one tenant.
Navigating through the tenant
When navigating to Microsoft Entra ID in the portal, you are presented with basic info about your tenant:

- Name – name of your tenant; the default one is called Default Directory
- Tenant ID – GUID associated with your tenant
- Primary domain – the default domain for your tenant; it is derived from your mail, but you can add your own domain if you want
- Users, Groups, Applications, etc. – identities located in your Entra ID
Creating user
Now that I have covered the basics, we can go ahead and create a new user. Go to Entra ID -> Manage -> Users:

After that, click on New user -> Create new user:

Next, go through each tab and assign information to the user, such as UPN, password and other attributes. Click Review + create and wait for the user to be created.
Creating group
Next we will look into groups. Groups are the preferable way to organize your Entra ID. Say, for example, that you have developers who need access to certain applications, such as a web app, a function app, a key vault, etc. Instead of adding the same permissions every time a new developer is hired, you can create a group with those permissions and assign the new developer to this group.
Go ahead and create a new group. Go to Entra ID -> Manage -> Groups:

There are multiple fields which need to be filled:
- Group type – I am choosing Security; the other type is Microsoft 365
- Group name – name
- Group description – description
- Membership type – in the Azure free license you can only use Assigned. However, feel free to look into Dynamic assignments as well at https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership
Now we will assign the created user to the group. Go to your created user, click Manage -> Groups -> Add memberships and choose your created group:
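
The portal steps above (create a user, create a security group, add the membership) can also be scripted so that they are repeatable and reviewable. This is an added example, not part of the original article; it assumes Azure CLI 2.37 or later with a prior `az login`, and the function name `provision_member`, the variable `INITIAL_PASSWORD` and the sample values are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the article. Needs Azure CLI 2.37+ and a prior `az login`
# by an account allowed to manage users and groups.
# Assumption: INITIAL_PASSWORD (hypothetical name) holds the one-time password.

# provision_member UPN DISPLAY_NAME GROUP_NAME
# Re-runnable: an existing user, group or membership is reused, not duplicated.
provision_member() {
  local upn=$1 display=$2 group=$3 user_id group_id is_member

  # Object ID of the user; empty when the user does not exist yet.
  user_id=$(az ad user show --id "$upn" --query id -o tsv 2>/dev/null) || user_id=""
  if [ -z "$user_id" ]; then
    [ -n "${INITIAL_PASSWORD:-}" ] || { echo "INITIAL_PASSWORD not set" >&2; return 1; }
    # The one-time password must be replaced at first sign-in.
    user_id=$(az ad user create --display-name "$display" \
      --user-principal-name "$upn" --password "$INITIAL_PASSWORD" \
      --force-change-password-next-sign-in true --query id -o tsv) || return 1
  fi

  # `az ad group create` makes a security group with Assigned membership.
  group_id=$(az ad group show --group "$group" --query id -o tsv 2>/dev/null) || group_id=""
  if [ -z "$group_id" ]; then
    group_id=$(az ad group create --display-name "$group" \
      --mail-nickname "$(printf '%s' "$group" | tr -cd 'A-Za-z0-9')" \
      --description "Access group managed by script" --query id -o tsv) || return 1
  fi

  # Add the membership only if it is missing, then report the resulting state.
  is_member=$(az ad group member check --group "$group_id" --member-id "$user_id" \
    --query value -o tsv) || return 1
  case "$is_member" in
    [Tt]rue) echo "unchanged: $upn already in $group" ;;
    *) az ad group member add --group "$group_id" --member-id "$user_id" || return 1
       echo "added: $upn to $group" ;;
  esac
}

# Usage with placeholder values:
#   INITIAL_PASSWORD='...' provision_member dev1@example.onmicrosoft.com "Dev One" "Developers"
```

Permissions are then granted to the group rather than to the individual user, so removing the membership revokes the access in one place.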

Conclusion
Microsoft Entra ID, or Azure AD, is a popular solution for identity management in the cloud. It can also be integrated with orthodox on-premise Active Directory, thanks to which you can have your company partly on-premise and partly in the cloud.
Using Entra ID is a must when it comes to Azure. Whether you are thinking about moving to the cloud fully or you are just migrating from on-premise, integration with Entra ID is important in order to preserve security, access management, identity management and all the other aspects which I mentioned earlier.