Manage Identities in Microsoft Entra ID Flashcards

In this module, you learned to secure user identities in Microsoft Entra ID, implement group security measures, manage external identities securely, maintain confidentiality, and utilize Microsoft Entra ID Protection for proactive threat identification and response.

1
Q

What is Microsoft Entra ID?

A

Microsoft Entra ID is a cloud-based identity and access management service that your employees can use to access external resources. Example resources include Microsoft 365, the Azure portal, and thousands of other SaaS applications.

Microsoft Entra ID also helps them access internal resources like apps on your corporate intranet, and any cloud apps developed for your own organization.

2
Q

What are the Microsoft Entra ID licenses?

A

Microsoft Entra ID Free. Provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps.
Microsoft Entra ID P1. In addition to the Free features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager, and cloud write-back capabilities, which allow self-service password reset for your on-premises users.
Microsoft Entra ID P2. In addition to the Free and P1 features, P2 also offers Microsoft Entra ID Protection to help provide risk-based Conditional Access to your apps and critical company data and Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.
“Pay as you go” feature licenses. You can also get licenses for individual features, such as Microsoft Entra Business-to-Customer (B2C), which can help you provide identity and access management solutions for your customer-facing apps.

3
Q

Terminology

A

Identity: A thing that can get authenticated. An identity can be a user with a username and password. Identities also include applications or other servers that might require authentication through secret keys or certificates.
Account: An identity that has data associated with it. You can’t have an account without an identity.
Microsoft Entra account: An identity created through Microsoft Entra ID or another Microsoft cloud service, such as Microsoft 365. Identities are stored in Microsoft Entra ID and accessible to your organization’s cloud service subscriptions. This account is also sometimes called a work or school account.
Account Administrator: This classic subscription administrator role is conceptually the billing owner of a subscription. This role enables you to manage all subscriptions in an account. For more information, see Azure roles, Microsoft Entra roles, and classic subscription administrator roles.
Service Administrator: This classic subscription administrator role enables you to manage all Azure resources, including access. This role has the equivalent access of a user who is assigned the Owner role at the subscription scope. For more information, see Azure roles, Microsoft Entra roles, and classic subscription administrator roles.
Owner: This role helps you manage all Azure resources, including access. This role is built on a newer authorization system called Azure role-based access control (Azure RBAC) that provides fine-grained access management to Azure resources. For more information, see Azure roles, Microsoft Entra roles, and classic subscription administrator roles.
Microsoft Entra Global Administrator: This administrator role is automatically assigned to whoever created the Microsoft Entra tenant. You can have multiple Global Administrators, but only Global Administrators can assign administrator roles (including assigning other Global Administrators) to users. For more information about the various administrator roles, see Administrator role permissions in Microsoft Entra ID.
Azure subscription: Used to pay for Azure cloud services. You can have many subscriptions, and they’re linked to a credit card.
Tenant: A dedicated and trusted instance of Microsoft Entra ID. The tenant is automatically created when your organization signs up for a Microsoft cloud service subscription. These subscriptions include Microsoft Azure, Microsoft Intune, or Microsoft 365. This tenant represents a single organization and is intended for managing your employees, business apps, and other internal resources. For this reason, it’s considered a workforce tenant configuration. By contrast, you can create a tenant in an external configuration, which is used in customer identity and access management (CIAM) solutions for your consumer-facing apps (learn more about Microsoft Entra External ID).
Single tenant: Azure tenants that access other services in a dedicated environment are considered single tenant.
Multitenant: Azure tenants that access other services in a shared environment, across multiple organizations, are considered multitenant.
Microsoft Entra directory: Each Azure tenant has a dedicated and trusted Microsoft Entra directory. The Microsoft Entra directory includes the tenant’s users, groups, and apps and is used to perform identity and access management functions for tenant resources.
Custom domain: Every new Microsoft Entra directory comes with an initial domain name, for example domainname.onmicrosoft.com. In addition to that initial name, you can add your organization’s own domain names to the list: the names you use to do business and that your users use to access your organization’s resources. Adding custom domain names helps you create user names that are familiar to your users, such as alain@contoso.com.
Microsoft account (also called an MSA): Personal accounts that provide access to your consumer-oriented Microsoft products and cloud services. These products and services include Outlook, OneDrive, Xbox LIVE, or Microsoft 365. Your Microsoft account is created and stored in the Microsoft consumer identity account system that’s run by Microsoft.

4
Q

Least-privilege roles for user management tasks

A

Create a new user: User Administrator
Invite an external guest: Guest Inviter
Assign Microsoft Entra roles: Privileged Role Administrator

5
Q

Types of Users

A

Internal member: These users are most likely full-time employees in your organization.
Internal guest: These users have an account in your tenant, but have guest-level privileges. It’s possible they were created within your tenant prior to the availability of B2B collaboration.
External member: These users authenticate using an external account, but have member access to your tenant. These types of users are common in multitenant organizations.
External guest: These users are true guests of your tenant who authenticate using an external method and who have guest-level privileges.

6
Q

What resources can a Microsoft Entra ID group manage access to?

A

Microsoft Entra ID lets you use groups to manage access to applications, data, and resources. Resources can be:

Part of the Microsoft Entra organization, such as permissions to manage objects through roles in Microsoft Entra ID
External to the organization, such as for Software as a Service (SaaS) apps
Azure services
SharePoint sites
On-premises resources

7
Q

Which groups can’t be managed in the Azure portal?

A

Some groups can’t be managed in the Azure portal:

Groups synced from on-premises Active Directory can be managed only in on-premises Active Directory.
Distribution lists and mail-enabled security groups are managed only in the Exchange admin center or the Microsoft 365 admin center. You must sign in to the Exchange admin center or the Microsoft 365 admin center to manage these groups.

8
Q

Types of groups

A

Security: Used to manage user and computer access to shared resources.

For example, you can create a security group so that all group members have the same set of security permissions. Members of a security group can include users, devices, service principals, and other groups (also known as nested groups), which define access policy and permissions. Owners of a security group can include users and service principals.

Microsoft 365: Provides collaboration opportunities by giving group members access to a shared mailbox, calendar, files, SharePoint sites, and more.

This option also lets you give people outside of your organization access to the group. Members of a Microsoft 365 group can only include users. Owners of a Microsoft 365 group can include users and service principals.

9
Q

Membership Types?

A

Assigned: Lets you add specific users as members of a group and have unique permissions.

Dynamic user: Lets you use dynamic membership rules to automatically add and remove members. If a member’s attributes change, the system checks your dynamic group rules for the directory to see whether the member now meets the rule requirements (and is added) or no longer meets them (and is removed).

Dynamic device: Lets you use dynamic group rules to automatically add and remove devices. If a device’s attributes change, the system checks your dynamic group rules for the directory to see whether the device now meets the rule requirements (and is added) or no longer meets them (and is removed).

10
Q

Ways to assign access rights

A

Direct assignment. The resource owner directly assigns the user to the resource.
Group assignment. The resource owner assigns a Microsoft Entra group to the resource, which automatically gives all of the group members access to the resource. Group membership is managed by both the group owner and the resource owner, letting either owner add or remove members from the group.
Rule-based assignment. The resource owner creates a group and uses a rule to define which users are assigned to a specific resource. The rule is based on attributes that are assigned to individual users. The resource owner manages the rule, determining which attributes and values are required to allow access to the resource.
External authority assignment. Access comes from an external source, such as an on-premises directory or a SaaS app. In this situation, the resource owner assigns a group to provide access to the resource, and then the external source manages the group members.

11
Q

Can users join groups without being assigned?

A

The group owner can let users find their own groups to join, instead of assigning them. The owner can also set up the group to automatically accept all users that join or to require approval.

After a user requests to join a group, the request is forwarded to the group owner. If it’s required, the owner can approve the request and the user is notified of the group membership. If you have multiple owners and one of them disapproves, the user is notified, but isn’t added to the group.

12
Q

What is Microsoft Entra External ID?

A

Microsoft Entra External ID combines powerful solutions for working with people outside of your organization. With External ID capabilities, you can allow external identities to securely access your apps and resources. Whether you’re working with external partners, consumers, or business customers, users can bring their own identities.

13
Q

Scope of Microsoft Entra External ID?

A

If you’re an organization or a developer creating consumer apps, use External ID to quickly add authentication and customer identity and access management (CIAM) to your application. Register your app, create customized sign-in experiences, and manage your app users in a Microsoft Entra tenant in an external configuration. This tenant is separate from your employees and organizational resources.
If you want to enable your employees to collaborate with business partners and guests, use External ID for B2B collaboration. Allow secure access to your enterprise apps through invitation or self-service sign-up. Determine the level of access guests have to the Microsoft Entra tenant that contains your employees and organizational resources, which is a tenant in a workforce configuration.

14
Q

Ways to invite guests to an organization?

A

Invite users to collaborate using their Microsoft Entra accounts, Microsoft accounts, or social identities that you enable, such as Google. An admin can use the Microsoft Entra admin center or PowerShell to invite users to collaborate. The user signs into the shared resources using a simple redemption process with their work, school, or other email account.
Use self-service sign-up user flows to let guests sign up for applications themselves. The experience can be customized to allow sign-up with a work, school, or social identity (like Google or Facebook). You can also collect information about the user during the sign-up process.
Use Microsoft Entra entitlement management, an identity governance feature that lets you manage identity and access for external users at scale by automating access request workflows, access assignments, reviews, and expiration.
A user object is created for the business guest in the same directory as your employees. This user object can be managed like other user objects in your directory, added to groups, and so on. You can assign permissions to the user object (for authorization) while letting them use their existing credentials (for authentication).

You can use cross-tenant access settings to manage collaboration with other Microsoft Entra organizations and across Microsoft Azure clouds. For collaboration with non-Azure AD external users and organizations, use external collaboration settings.

15
Q

What are “workforce” and “external” tenants?

A

A tenant is a dedicated and trusted instance of Microsoft Entra ID that contains an organization’s resources, including registered apps and a directory of users. There are two ways to configure a tenant, depending on how the organization intends to use the tenant and the resources they want to manage:

A workforce tenant configuration is a standard Microsoft Entra tenant that contains your employees, internal business apps, and other organizational resources. In a workforce tenant, your internal users can collaborate with external business partners and guests using B2B collaboration.
An external tenant configuration is used exclusively for apps you want to publish to consumers or business customers. This distinct tenant follows the standard Microsoft Entra tenant model, but is configured for consumer scenarios. It contains your app registrations and a directory of consumer or customer accounts.

16
Q

What is B2B direct connect?

A

B2B direct connect lets you create two-way trust relationships with other Microsoft Entra organizations to enable the Teams Connect shared channels feature. This feature allows users to seamlessly sign in to Teams shared channels for chat, calls, file-sharing, and app-sharing. When two organizations mutually enable B2B direct connect, users authenticate in their home organization and receive a token from the resource organization for access. Unlike B2B collaboration, B2B direct connect users aren’t added as guests to your workforce directory. Learn more about B2B direct connect in Microsoft Entra External ID.

17
Q

Capabilities of B2B direct connect?

A

Once you set up B2B direct connect with an external organization, the following Teams shared channels capabilities become available:

A shared channel owner can search within Teams for allowed users from the external organization and add them to the shared channel.
External users can access the Teams shared channel without having to switch organizations or sign in with a different account. From within Teams, the external user can access files and apps through the Files tab. The shared channel’s policies determine the user’s access.

18
Q

What are cross-tenant access settings?

A

Use External Identities cross-tenant access settings to manage how you collaborate with other Microsoft Entra organizations through B2B collaboration. These settings determine both the level of inbound access users in external Microsoft Entra organizations have to your resources, and the level of outbound access your users have to external organizations. They also let you trust multifactor authentication (MFA) and device claims (compliant claims and Microsoft Entra hybrid joined claims) from other Microsoft Entra organizations.

19
Q

What is Azure Active Directory B2C?

A

Azure Active Directory B2C (Azure AD B2C) is Microsoft’s legacy solution for customer identity and access management. Azure AD B2C includes a separate consumer-based directory that you manage in the Azure portal through the Azure AD B2C service.

20
Q

How can you use Microsoft Entra entitlement management for business guest sign-up?

A

As an inviting organization, you might not know ahead of time who the individual external collaborators are who need access to your resources. You need a way for users from partner companies to sign themselves up with policies that you control. To enable users from other organizations to request access, you can use Microsoft Entra entitlement management to configure policies that manage access for external users. Upon approval, these users will be provisioned with guest accounts and assigned to groups, apps, and SharePoint Online sites.

21
Q

How can I use the Microsoft Graph API for B2B collaboration?

A

Cross-tenant access settings API: The Microsoft Graph cross-tenant access API lets you programmatically create the same B2B collaboration and B2B direct connect policies that are configurable in the Azure portal. Using the API, you can set up policies for inbound and outbound collaboration. For example, you can allow or block features for everyone by default and limit access to specific organizations, groups, users, and applications. The API also allows you to accept MFA and device claims (compliant claims and Microsoft Entra hybrid joined claims) from other Microsoft Entra organizations.
B2B collaboration invitation manager: The Microsoft Graph invitation manager API is available for building your own onboarding experiences for business guests. You can use the create invitation API to automatically send a customized invitation email directly to the B2B user, for example. Or your app can use the inviteRedeemUrl returned in the creation response to craft your own invitation (through your communication mechanism of choice) to the invited user.

22
Q

What about multitenant applications?

A

A multitenant organization is an organization that has more than one instance of Microsoft Entra ID. There are various reasons for multi-tenancy. For example, your organization might span multiple clouds or geographical boundaries.

Multitenant organizations use a one-way synchronization service in Microsoft Entra ID, called cross-tenant synchronization. Cross-tenant synchronization enables seamless collaboration for a multitenant organization. It improves user experience and ensures that users can access resources, without receiving an invitation email and having to accept a consent prompt in each tenant.

Cross-tenant synchronization settings are configured under the organization-specific access settings. To learn more about multitenant organizations and cross-tenant synchronization, see the multitenant organizations documentation and the feature comparison.

23
Q

What is Microsoft Entra Identity Protection?

A

Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation.
