
Microsoft Entra ID Fundamentals — Tenants, Groups, Apps & Hybrid Identity

Microsoft Entra ID (the identity service formerly called Azure AD) is the cloud identity provider behind Microsoft 365, Azure and thousands of SaaS apps. This lesson maps the building blocks — tenant, users, groups, administrative units, app registrations vs enterprise apps — and shows how hybrid identity links it to your on-prem Active Directory, so you can explain it cleanly in an interview.

📅 2026-06-19 · ⏱ 16 min · 5 infographics · live sign-in demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Microsoft Entra ID (2026): what it is as a cloud identity provider versus on-prem Active Directory, tenants, users and groups (security, Microsoft 365, dynamic), administrative units, app registrations versus enterprise applications (service principals), SSO to SaaS, and hybrid identity with Entra Connect (PHS, PTA, federation) and Cloud Sync — plus the Free/P1/P2 licensing tiers.


Pick where you want to start

  1. What it is: Cloud IdP vs on-prem AD DS — the core contrast.
  2. Tenant & objects: Users, groups, dynamic groups, administrative units.
  3. Apps & SSO: App registration vs enterprise app; SSO to SaaS.
  4. Hybrid & licensing: Entra Connect, Cloud Sync, PHS/PTA/federation, tiers.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Is Microsoft Entra ID just 'Active Directory in the cloud'?

Answered in What it is.

2. What is the difference between an app registration and an enterprise application?

Answered in Apps & SSO.

3. How does on-prem Active Directory connect to Entra ID?

Answered in Hybrid & licensing.

Most engineers think…

Most people hear 'Entra ID' (or its old name, Azure AD) and picture 'Active Directory, but in the cloud — same domain controllers, same Group Policy'. That mental model fails you in an interview and in production.

Microsoft Entra ID is a cloud identity provider (IDaaS). It authenticates users and apps using modern protocols (OAuth 2.0, OpenID Connect and SAML), not the Kerberos, LDAP and Group Policy that on-prem Active Directory Domain Services (AD DS) uses to manage domain-joined Windows machines. Entra ID has no organizational units or domain controllers; it has a tenant with users, groups, administrative units and apps. Understanding that split is what lets you answer 'Entra ID vs on-prem AD' and 'app registration vs enterprise app' without fumbling.

① What Microsoft Entra ID actually is — a cloud identity provider

The single most important idea: Microsoft Entra ID is a cloud identity provider, not a cloud domain controller. It was renamed from Azure Active Directory (Azure AD) to Microsoft Entra ID — same service, current name. It gives every user and app one identity to sign in to Microsoft 365, the Azure portal and thousands of SaaS apps.

Compare it to on-prem Active Directory Domain Services (AD DS). AD DS runs domain controllers, speaks Kerberos, LDAP and Group Policy, and manages domain-joined Windows machines with organizational units (OUs). Entra ID has none of those — no OUs, no Group Policy, no domain controllers. Instead it authenticates over modern web protocols (OAuth 2.0, OpenID Connect, SAML) that work over the internet, which is exactly why it suits mobile users and SaaS.

The interview line: AD DS manages machines on a corporate LAN; Entra ID manages identities for cloud apps over the internet. They solve different problems, and most organisations run both, linked by hybrid identity.

Figure 1 — On-prem AD DS vs Microsoft Entra ID
Two different jobs: AD DS manages domain-joined machines on a LAN; Entra ID is a cloud identity provider for apps over the internet.
  On-prem AD DS: domain controllers + OUs; Kerberos, LDAP, NTLM; Group Policy on PCs; manages domain-joined machines; runs on your servers.
  Microsoft Entra ID: tenant + admin units; OAuth 2.0, OIDC, SAML; Conditional Access (cloud); manages identities for apps; Microsoft-run IDaaS.
Say 'Entra ID', not 'Azure AD'

Microsoft renamed Azure Active Directory to Microsoft Entra ID — the service is identical, only the name changed. In an interview, use the current name and add one line: 'it's a cloud identity provider, not a cloud domain controller.' That single contrast signals you actually understand it.

Quick check · Q1 of 10 · Understand

Microsoft Entra ID is best described as…

Correct: b. Entra ID (formerly Azure AD) is a cloud IDaaS that authenticates over modern web protocols. It has no domain controllers, OUs or Group Policy — those belong to on-prem AD DS. The two solve different problems and often run side by side.
👉 So far: Entra ID (formerly Azure AD) = a cloud identity provider using OAuth/OIDC/SAML. It is not on-prem AD DS — no domain controllers, OUs, Kerberos or Group Policy.

② The tenant and its objects — users, groups and administrative units

An instance of Entra ID is a tenant: an isolated directory that holds one organisation's users, groups, devices and apps, plus its access policies. Every tenant gets an initial domain like contoso.onmicrosoft.com (globally unique, can't be changed), and you add your own custom domains. Tenants are securely isolated from each other.

Groups you must name

Security groups grant access to apps and resources (the cloud cousin of an AD security group). Microsoft 365 groups add shared collaboration — a mailbox, calendar, Teams and SharePoint site. Membership can be assigned (you add people manually) or dynamic — an attribute rule (e.g. department equals Sales) that auto-adds and removes users. Dynamic groups need a P1 licence.

Administrative units (AUs) scope admin rights to a slice of the directory — for example, a 'Mumbai' AU so a regional helpdesk can reset only Mumbai users' passwords. AUs are how you delegate without making everyone a global admin.

Figure 2 — What lives inside a tenant
A tenant is one isolated directory holding all of an organisation's identity objects.
  Users: members and guests (B2B external identities)
  Groups: security and Microsoft 365, assigned or dynamic
  Administrative units: scope admin rights to a slice of the directory
  Applications: app registrations and enterprise apps (service principals)
Tenant: An isolated instance of Entra ID for one organisation — its users, groups, admin units and apps, with an initial contoso.onmicrosoft.com domain.

Dynamic group: A group whose membership is set by an attribute rule (e.g. department = Sales). Auto-adds and removes users. Needs a P1 licence.

App registration: The application object — the global blueprint (client ID, secrets, redirect URIs, permissions) living once in the app's home tenant.

Enterprise application: The service principal — the local instance of an app inside a tenant. It signs in and gets the access; one per tenant the app is used in.

Quick check · Q2 of 10 · Apply

You want a group whose membership updates automatically when a user's department changes. What do you use?

Correct: a. Dynamic groups use an attribute rule (e.g. department = Sales) to add and remove members automatically, and require a P1 licence. Assigned/static groups need manual edits; administrative units scope admin rights, not membership.
👉 So far: A tenant is one isolated directory: users, security and Microsoft 365 groups (assigned or dynamic), administrative units for scoped delegation, and apps.

③ Apps and SSO — app registration vs enterprise application

This is the classic interview trap. When a developer builds an app, they create an app registration — the application object. It is the global blueprint: the app's identity (client ID), redirect URIs, secrets/certificates, API permissions and whether it is single- or multi-tenant. It lives once, in the app's home tenant.

An enterprise application is the service principal — the local instance of that app inside a specific tenant. It is what actually signs in and is granted access. An app has exactly one app registration, in its home tenant, but a service principal in every tenant where it is used. So a SaaS app like Salesforce shows up under Enterprise applications (a service principal) in your tenant, even though its app registration lives in the vendor's tenant.

SSO to SaaS

Add a SaaS app from the gallery, wire up SAML or OIDC, and users get single sign-on with their Entra ID identity — no extra password. Two related service-principal types are worth naming: a managed identity (an app identity Azure manages for you, no secrets to rotate) and a legacy service principal (an older app with no app registration).

Figure 3 — App registration vs enterprise application
One app has a single registration in its home tenant but a service principal in every tenant where it is used.
  App registration: the application object; global blueprint of the app; client ID, secrets, redirect URIs; API permissions and app roles; lives in the home tenant only.
  Enterprise application: the service principal; local instance in a tenant; what signs in and gets access; holds consent and assignments; one per tenant the app is used in.

Figure 4 — One Entra ID, single sign-on everywhere
Each app trusts the same tenant, so a user signs in once and reaches Microsoft 365 and SaaS apps with one identity.
  Entra ID tenant issues tokens to: Microsoft 365, Azure portal, Salesforce (SAML), custom app (OIDC), ServiceNow SaaS, on-prem app via proxy.
Confusing the registration with the enterprise app

The number-one Entra interview slip is treating app registration and enterprise application as the same thing. Registration = the blueprint (app object, home tenant). Enterprise app = the service principal (local instance, one per tenant). One blueprint, many instances — say it that way.

Walkthrough: a user single sign-on to a SaaS app via Entra ID

How one click into Salesforce becomes a signed token from your tenant.

① Open app: A user clicks Salesforce; the app redirects the browser to the Entra ID tenant to authenticate.
② Authenticate: Entra ID checks the user (and any Conditional Access), confirming identity for the app's service principal.
③ Issue token: Entra ID issues a SAML assertion (or OIDC token) saying who the user is, and sends them back to Salesforce.
④ Access granted: Salesforce trusts the token and signs the user in — single sign-on, no second password.

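The relying-party side of step ④, as an added example that is not code from the lesson, Microsoft or Salesforce: the checks an app must run on the OIDC ID token Entra ID sends back before "trusting the token" means anything. Assumptions: the tenant ID, client ID, key and sample token are constructed, and the signature is an HMAC stand-in for demonstration only; a real Entra token is RS256-signed and must be verified against the tenant's published signing keys, so it is the claim checks (issuer, tenant, audience, validity window) that transfer as-is.

```python
import base64, hashlib, hmac, json, time

TENANT_ID = "11111111-2222-3333-4444-555555555555"   # constructed tenant (directory) id
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # constructed app (client) id
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
DEMO_KEY = b"constructed-demo-key"  # stand-in for the tenant signing key (real: RS256 + JWKS)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Constructed issuer: builds header.payload.signature in JWT layout."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token: str, now=None, skew: int = 300,
                      key: bytes = DEMO_KEY):
    """Returns (ok, reason). Each check is one the app itself must perform."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return False, "malformed token"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer (token is from another tenant or IdP)"
    if claims.get("tid") != TENANT_ID:
        return False, "tid does not match the tenant we trust"
    if claims.get("aud") != CLIENT_ID:
        return False, "aud is not this app (token minted for a different service principal)"
    if claims.get("exp", 0) + skew < now:
        return False, "token expired"
    if claims.get("nbf", 0) - skew > now:
        return False, "token not yet valid"
    if not claims.get("sub"):
        return False, "no subject"
    return True, f"signed in {claims.get('preferred_username', claims['sub'])}"

def demo():
    """Healthy path: a token minted by our tenant, for our app, inside its window."""
    now = 1_700_000_000
    good = mint_demo_token({"iss": ISSUER, "tid": TENANT_ID, "aud": CLIENT_ID,
                            "sub": "user-object-id", "preferred_username": "rohan@contoso.com",
                            "nbf": now - 60, "exp": now + 3600})
    return validate_id_token(good, now=now)
```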
Quick check · Q3 of 10 · Analyze

Salesforce appears under 'Enterprise applications' in your tenant. Where does its app registration live?

Correct: d. An app has one app registration (the blueprint) in its home tenant — here, the vendor's. Your tenant holds a service principal (the enterprise application) that represents the local instance signing in and being granted access.
👉 So far: App registration = the app blueprint (one, in the home tenant). Enterprise application = the service principal (the local instance, one per tenant). SSO to SaaS via SAML/OIDC.

④ Hybrid identity and licensing — Entra Connect, Cloud Sync and the tiers

Most companies keep on-prem AD DS and use Entra ID, so they link the two — that's hybrid identity. Microsoft Entra Connect is the on-prem sync tool that copies users and groups up to the tenant. The sign-in method is the key choice: Password Hash Sync (PHS) syncs a hash of the on-prem password to the cloud (simplest, also enables leaked-credential detection); Pass-Through Authentication (PTA) validates the password against an on-prem agent live (no password hash stored); Federation (AD FS) hands sign-in to an on-prem identity service (most complex).

Cloud Sync — the lighter option

Microsoft Entra Cloud Sync is the newer, lightweight agent. Configuration lives in the cloud, multiple agents give automatic failover, and it natively handles disconnected forests (mergers). Microsoft is steering customers toward Cloud Sync; it still has limits (e.g. ~150K objects per domain) versus the older Connect Sync.

Licensing in one breath

Free = basic users, groups and SSO. P1 adds dynamic groups, administrative-unit admins, Conditional Access and self-service password reset writeback. P2 adds Identity Protection and Privileged Identity Management (PIM). Match the feature to the tier and you've answered the licensing question.

Figure 5 — Hybrid sign-in — three ways to authenticate
On-prem AD syncs to the tenant, then sign-in is resolved by PHS, PTA or federation depending on the method you chose.
  On-prem AD (users and groups) -> Sync agent (Connect or Cloud Sync) -> Entra tenant (synced identities) -> Sign-in (PHS / PTA / federation) -> Token (access to cloud apps)

Rohan, an IT admin at a Pune manufacturing firm, faces this

After enabling Entra Connect with PHS, new Microsoft 365 users can sign in, but a regional helpdesk lead complains he 'can't reset passwords for anyone' even though he was told he's an admin.

Likely cause

He was given a directory role but with no scope, then locked down — or he needs his rights scoped to just his region, which means an administrative unit, not a tenant-wide role.

Diagnosis

Check his role assignment: he is a User Administrator scoped to a 'Pune' administrative unit, but the Pune users were never added as members of that AU, so there is nothing in his scope.

Entra admin center ▸ Roles & admins ▸ Administrative units ▸ Pune ▸ Members

Fix

Add the Pune users (directly, or via a dynamic-membership AU rule on a P1 licence) as members of the Pune administrative unit; his User Administrator role then applies to exactly those users.

Verify

Re-test: he can reset passwords for Pune users only and cannot touch Mumbai or Delhi users — least-privilege delegation working as intended.
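A model of the scoped-delegation case above, and of the dynamic membership rule from section ②, as an added example that is neither the lesson's nor Microsoft's code. It reproduces the Diagnosis step (role present, AU empty) and both fixes (assigned members, or a dynamic rule). Assumptions: the users, the 'Pune' AU and the role assignment are constructed; the dynamic rule is simplified to one attribute equals one value rather than Entra's real rule syntax, and 'city' is a stand-in attribute name.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    upn: str
    city: str            # stand-in attribute a dynamic rule can test (constructed)

@dataclass
class AdministrativeUnit:
    name: str
    members: set = field(default_factory=set)   # assigned membership, by UPN
    dynamic_rule: tuple = None                  # ("city", "Pune") or None (needs P1)

    def contains(self, user: User) -> bool:
        if user.upn in self.members:
            return True
        if self.dynamic_rule:
            attr, value = self.dynamic_rule
            return getattr(user, attr) == value
        return False

@dataclass
class RoleAssignment:
    admin_upn: str
    role: str                 # e.g. "User Administrator"
    scope: object = None      # None = whole tenant, otherwise an AdministrativeUnit

class Tenant:
    def __init__(self, users, assignments):
        self.users = {u.upn: u for u in users}
        self.assignments = assignments

    def can_reset_password(self, admin_upn: str, target_upn: str) -> bool:
        """True only if a User Administrator assignment's scope contains the target."""
        target = self.users[target_upn]
        for a in self.assignments:
            if a.admin_upn != admin_upn or a.role != "User Administrator":
                continue
            if a.scope is None or a.scope.contains(target):
                return True
        return False

    def in_scope(self, admin_upn: str) -> list:
        """Every user the admin can reset; an empty list is the helpdesk lead's complaint."""
        return sorted(u for u in self.users if self.can_reset_password(admin_upn, u))

    def diagnose(self, admin_upn: str) -> str:
        """The Diagnosis check: is the role assigned but its AU scope empty?"""
        mine = [a for a in self.assignments if a.admin_upn == admin_upn]
        if not mine:
            return "no role assignment"
        for a in mine:
            if a.scope is not None and not any(a.scope.contains(u) for u in self.users.values()):
                return f"{a.role} is scoped to AU '{a.scope.name}' but the AU has no members"
        return "scope populated"

def build_scenario(au_members=(), dynamic_rule=None) -> Tenant:
    """Constructed tenant: two Pune users, one Mumbai, one Delhi, one AU-scoped helpdesk lead."""
    users = [User("asha@contoso.com", "Pune"), User("dev@contoso.com", "Pune"),
             User("meera@contoso.com", "Mumbai"), User("vikram@contoso.com", "Delhi")]
    pune_au = AdministrativeUnit("Pune", set(au_members), dynamic_rule)
    lead = RoleAssignment("lead@contoso.com", "User Administrator", pune_au)
    return Tenant(users, [lead])
```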

Confirm the sign-in method before you debug auth

Before chasing a 'can't sign in' ticket, check which hybrid method is configured — PHS, PTA or federation. The same symptom has different causes: a PTA agent being down, a federation certificate expiring, or PHS simply not yet synced. Read the method first, then troubleshoot.

Quick check · Q4 of 10 · Understand

Which hybrid sign-in method validates the password against an on-prem agent without storing a password hash in the cloud?

Correct: c. PTA validates credentials live against an on-prem agent, so no password hash is stored in Entra ID. PHS syncs a hash to the cloud; federation hands sign-in to an on-prem identity service like AD FS.
👉 So far: Hybrid identity links on-prem AD via Entra Connect or Cloud Sync, with sign-in by PHS, PTA or federation. Licensing: Free, P1 (dynamic groups, CA) and P2 (Identity Protection, PIM).


📝 Wrap-up assessment — six more


Q5 · Remember

What was Microsoft Entra ID previously called?

Correct: a. Microsoft renamed Azure Active Directory to Microsoft Entra ID. The service is the same cloud identity provider; only the name changed. Use the current name in interviews.

Q6 · Understand

Which capability belongs to on-prem AD DS but NOT to Microsoft Entra ID?

Correct: c. Group Policy, Kerberos, LDAP and OUs are AD DS features for managing domain-joined Windows machines. Entra ID is a cloud identity provider using modern web protocols and has none of those.

Q7 · Apply

A developer registers a new app and gets a client ID, secrets and redirect URIs. Which object did they just create?

Correct: b. Creating the app blueprint — client ID, secrets, redirect URIs, permissions — is the app registration (application object) in the home tenant. The enterprise application (service principal) is the local instance that represents the app in a tenant.

Q8 · Analyze

Why does one app have a single app registration but possibly many service principals?

Correct: c. The application object is the one global blueprint in the home tenant; a service principal (enterprise application) is the local instance created in each tenant that uses the app. One blueprint, many instances.

Q9 · Evaluate

You need risk-based Conditional Access and just-in-time admin access via PIM. Which licence tier?

Correct: a. Identity Protection (risk-based policy) and Privileged Identity Management (PIM) are P2 features. Free covers basics; P1 adds dynamic groups and Conditional Access but not Identity Protection or PIM.

Q10 · Evaluate

An interviewer asks why a company would choose Cloud Sync over the older Entra Connect Sync. Best answer?

Correct: b. Cloud Sync stores configuration in the cloud, uses lightweight auto-updated agents with multiple-agent failover, and natively syncs disconnected forests (useful for mergers). It still uses an on-prem agent and has scale limits (e.g. ~150K objects per domain), so 'unlimited / no agent' answers are wrong.

🧠 In your own words

Type one line: why is Microsoft Entra ID called a 'cloud identity provider' rather than 'Active Directory in the cloud'? Then compare with the expert version.

Expert version: Because Entra ID authenticates users and apps over modern internet protocols — OAuth 2.0, OpenID Connect and SAML — and has no domain controllers, organizational units, Kerberos or Group Policy. Those belong to on-prem AD DS, which manages domain-joined Windows machines on a LAN. Entra ID instead manages identities for cloud and SaaS apps in an isolated tenant of users, groups, administrative units and applications. The two are complementary, which is exactly why hybrid identity (Entra Connect or Cloud Sync) exists to link them rather than replace one with the other.


📖 Glossary

Microsoft Entra ID
The cloud identity and access management service (IDaaS), formerly named Azure Active Directory (Azure AD). Authenticates users and apps over OAuth 2.0, OIDC and SAML.
Active Directory Domain Services (AD DS)
On-prem directory that manages domain-joined Windows machines using Kerberos, LDAP, NTLM and Group Policy, organised in OUs. Not the same as Entra ID.
Tenant
An isolated instance of Entra ID for one organisation, holding its users, groups, administrative units and apps, with a unique contoso.onmicrosoft.com initial domain.
Security group / Microsoft 365 group
Security groups grant access to resources; Microsoft 365 groups add collaboration (mailbox, Teams, SharePoint). Both can be assigned or dynamic.
Dynamic group
A group whose membership is set by an attribute rule (e.g. department = Sales) and updates automatically. Requires a P1 licence.
Administrative unit (AU)
A container that scopes admin rights to a slice of the directory, enabling delegated, least-privilege administration (e.g. by region).
App registration
The application object — the global blueprint of an app (client ID, secrets, redirect URIs, permissions) that lives once in the app's home tenant.
Enterprise application (service principal)
The local instance of an app within a tenant. It is what signs in and is granted access; one exists per tenant where the app is used.
Entra Connect / Cloud Sync
Hybrid-identity sync tools that copy on-prem AD users and groups to a tenant. Cloud Sync is the newer, cloud-managed, lightweight-agent option.
PHS / PTA / Federation
Hybrid sign-in methods: Password Hash Sync (hash in cloud), Pass-Through Authentication (live on-prem check), and Federation via AD FS.


What's next?

Got the fundamentals? Next, go deep on Conditional Access and MFA — the policy engine that decides who can sign in, from where and on what device — then on Privileged Identity Management (PIM), Identity Protection and identity governance for least-privilege and just-in-time admin access.