Microsoft Entra ID Interview Questions — Identity & Access Answers & Prep 2026

① Tenants, objects & licensing — Entra ID fundamentals

Q: What is a Microsoft Entra ID tenant and what core objects live in it?

Model answer: A tenant is a dedicated, isolated instance of Microsoft Entra ID that represents one organisation. It gets a globally unique identifier (tenant ID) and a default domain (yourorg.onmicrosoft.com). Inside the tenant, the core directory objects are: users (members and guests), groups (security and Microsoft 365, assigned or dynamic), devices (Entra-joined, hybrid-joined, registered), app registrations (the identity definition of an application in your tenant), and service principals (the tenant-local instance of an app registration that holds the actual permissions and consent). The separation between app registration (the definition) and service principal (the instance) trips up many candidates — name both and you stand out.

Q: What is the difference between an app registration and a service principal in Entra ID?

Model answer: An app registration lives in the home tenant of the developer or organisation that owns the application. It defines the app's identity: client ID, redirect URIs, API permissions requested, and any secrets or certificates. A service principal is the per-tenant instance of that app — when an admin consents to an app in their tenant, Entra ID creates a service principal in that tenant. The service principal holds what has actually been granted (granted permissions, app roles assigned, conditional access exclusions). So a multi-tenant Microsoft app like Teams has one app registration in Microsoft's tenant but millions of service principals — one in each customer tenant. The interview one-liner: app registration = the blueprint, service principal = the tenant-local instance that holds the actual grants.

Q: Explain the Entra ID licensing tiers and what key features each adds.

Model answer: Entra ID Free is included with any Microsoft cloud subscription and covers basic directory, SSO for up to 10 apps per user, self-service password reset for cloud-only users, and basic security defaults. Entra ID P1 (included in Microsoft 365 Business Premium and E3) adds Conditional Access, Entra Application Proxy, dynamic groups, group-based licensing, and hybrid identity with Entra Connect. Entra ID P2 (included in E5) adds Identity Protection (risk-based sign-in and user risk signals for CA) and Privileged Identity Management (PIM). Entra ID Governance adds access reviews at scale, entitlement management (access packages and catalogs), lifecycle workflows, and advanced PIM features. The clean summary: P1 = Conditional Access + hybrid; P2 = risk-based CA + PIM; Governance = full lifecycle and entitlement management.

② SSO, MFA & Conditional Access — the Zero Trust policy engine

Q: What are the three hybrid authentication methods in Entra ID, and when do you choose each?

Model answer: When synchronising an on-premises Active Directory to Entra ID with Entra Connect, you choose how authentication actually happens. Password Hash Sync (PHS) syncs a hash of the password hash to the cloud — authentication happens in Entra ID, so it works even if the on-prem AD is down and is the simplest option. Pass-Through Authentication (PTA) routes authentication to an on-prem agent in real time — the password never leaves the corporate network, which suits organisations with strict password policies or regulatory requirements, but it requires the on-prem agent to be available. Federation (AD FS / third-party IdP) redirects authentication entirely to an on-prem identity provider — chosen when you need on-prem claims, smartcard, or complex custom sign-in logic, but it is the most complex to operate. A fourth option for pure cloud-only tenants is managed authentication (no sync needed). The rule of thumb: PHS is the default recommendation; PTA when the password must never leave the network; federation only when claims or custom login are truly required.

Q: Walk me through how you design a Conditional Access policy and what signals it evaluates.

Model answer: A Conditional Access policy follows an if-then structure: if the assignment conditions are met, then enforce the access controls. The assignment signals (the if) include: Users and groups (who), Cloud apps or actions (which app or action like device registration), Conditions — sign-in risk level (from Identity Protection, needs P2), user risk level, device platform, location (named locations, trusted IP ranges, countries/regions), client apps (browser, mobile apps, legacy protocols), and device state (compliant, hybrid-joined). The access controls (the then) are either Grant (block, require MFA, require compliant device, require hybrid-joined device, require approved app, require app protection policy, require password change — combinable with AND/OR) or Session (sign-in frequency, persistent browser session, app-enforced restrictions, Defender for Cloud Apps session proxy, token binding). Always deploy in report-only mode first to see impact before enabling enforcement. The interview money line: CA is the Zero Trust policy engine — it decides what to enforce, using signals from users, apps, devices, locations and real-time risk — and MFA is just one of many grant controls it can require.

Q: What is Entra ID Identity Protection and how does it plug into Conditional Access?

Model answer: Identity Protection (P2 feature) is the risk-detection engine. It continuously calculates two risk signals: sign-in risk — the probability that the specific sign-in is not from the legitimate user (e.g. impossible travel, unfamiliar location, password spray detected) — and user risk — the probability that a user's account is compromised (e.g. leaked credentials, anomalous behaviour). These signals are surfaced as low/medium/high risk levels. A Conditional Access policy can then use sign-in risk condition or user risk condition to dynamically require MFA, block access, or force a password change. For example: if sign-in risk = high, block; if sign-in risk = medium, require MFA. The clean description: Identity Protection detects risk signals; Conditional Access consumes them as policy conditions to respond in real time.

Q: What is Seamless SSO and what is a Primary Refresh Token (PRT)?

Model answer: Seamless SSO (Seamless Single Sign-On) lets users on domain-joined corporate machines sign into cloud apps without entering their credentials again — the device uses Kerberos behind the scenes to obtain an Entra ID token silently. It works with both PHS and PTA (not federation, which has its own SSO mechanism). A Primary Refresh Token (PRT) is a long-lived token (valid up to 14 days, renewable) issued by Entra ID to a device when a user signs in. It represents the user + device combination and is used by the Windows Account Manager to silently obtain new tokens for apps (giving the SSO experience). The CA device state condition (compliant or hybrid-joined) is enforced by evaluating the device claim in the PRT. The interview point: PRT = the device-bound SSO token that enables seamless sign-in; it carries device compliance claims that CA can verify.

③ Governance & PIM — just-in-time, reviews and entitlement management

Q: What is Privileged Identity Management (PIM) and how does just-in-time (JIT) access work?

Model answer: PIM (Entra ID P2 or Governance) eliminates standing privileged access — instead of an admin having the Global Administrator role permanently, they are made eligible for the role. When they need it, they activate it: they request elevation, provide a business justification, pass MFA (and optionally wait for manager approval), and receive the role for a time-limited window (configured max, typically 1–8 hours). When the window expires the elevation ends automatically. PIM covers both Entra ID directory roles (e.g. Global Admin, User Admin) and Azure RBAC roles (e.g. Owner, Contributor on a subscription or resource group). The 2026 addition: PIM can now require Conditional Access reauthentication at activation time, so the MFA check at elevation is enforced through a CA policy, not just a PIM setting — strengthening the assurance level. The one-liner: PIM = eligible not standing, activate with JIT + MFA + optional approval, auto-expire.

Q: What are Entra ID Access Reviews and when do you use them?

Model answer: Access Reviews are a periodic, automated process that asks reviewers to confirm whether users still need the access they have. You create a review for a group membership, an application role assignment, or a PIM eligible/active role. Reviewers can be the resource owners, managers of the users, or the users themselves (self-review). When the review period ends, Entra ID can auto-apply the result — removing access for anyone the reviewer denied or for anyone who did not respond (if you configure the on-no-response setting to remove). Use cases: quarterly review of privileged role members, annual review of guest access, semi-annual review of application role assignments. Access Reviews are an Entra ID Governance feature and are the standard answer to the interview question 'how do you enforce least-privilege over time?'

Q: What is Entitlement Management in Entra ID Governance?

Model answer: Entitlement Management lets you define access packages — bundles of resources (groups, SharePoint sites, Teams, app roles) that a user type needs — and publish them in a catalog with an access request policy. Employees or guests self-request the package; Entra ID routes the request for approval, grants the bundled access when approved, and can optionally set an expiry so access lapses automatically. This replaces the pattern of admins manually assigning individual resources. The interview framing: Entitlement Management = self-service access bundles (packages) with approval workflows and auto-expiry, replacing manual resource-by-resource assignment. Combined with Access Reviews, it gives a full access lifecycle: request → approve → periodic review → auto-remove.

④ Hybrid, external & scenarios — Entra Connect, B2B, External ID

Q: Compare Entra Connect Sync and Entra Cloud Sync — when do you choose each?

Model answer: Both tools synchronise on-premises Active Directory objects to Microsoft Entra ID, but they have different deployment models. Entra Connect Sync (the traditional tool, formerly Azure AD Connect) is installed on a dedicated on-prem server, offers the widest feature set (device writeback, group writeback, password writeback, Exchange hybrid, complex filtering, all three authentication methods), and supports complex multi-forest topologies. Entra Cloud Sync uses a lightweight agent installed on each domain controller (no dedicated server) and syncs through a cloud-hosted provisioning engine. Cloud Sync is the right choice for simpler environments, multi-forest scenarios where the forests are disconnected (it handles each forest independently), and for new deployments where you don't need writeback features. Microsoft's direction is toward Cloud Sync for most new implementations. The headline: Connect Sync = full-featured on-prem server; Cloud Sync = lightweight agent, simpler to operate, preferred for new projects.

Q: What is the difference between B2B collaboration and Entra External ID?

Model answer: B2B collaboration is the Entra ID feature that lets you invite external partners or contractors (from other organisations) as guest users in your tenant. They sign in with their own organisation's credentials (or a Microsoft/Google account) and are represented as guests. You control what they can access via groups and Conditional Access, and Access Reviews clean up stale guests. Entra External ID is the umbrella product for customer-facing (CIAM) identity — it has two tenant models: the workforce tenant (where B2B collaboration lives) and the external tenant (the CIAM-focused model, the successor to Azure AD B2C). The external tenant is built for consumer sign-up/sign-in flows with social identity providers (Google, Facebook) and is separate from your corporate directory. The clean split: B2B collaboration = invite business partners as guests in your tenant; Entra External ID external tenant = customer-facing CIAM apps with self-service sign-up, successor to Azure AD B2C.

Q: A user is blocked by Conditional Access in a way you did not expect. How do you investigate?

Model answer: Start with the Sign-in logs in the Entra ID portal (Monitor & Health → Sign-in logs) — filter on the user, find the failed sign-in, and open the Conditional Access tab to see exactly which policy applied, the result (granted, blocked, MFA required) and why. The What If tool in Conditional Access lets you simulate a sign-in (user, app, location, device state, risk level) and see which policies would fire before any real user is impacted — essential for pre-validation. For investigation, also check the CA policy in report-only mode — any policy in report-only shows in the sign-in log what it would have done without actually enforcing it. If the block is unexpected, the most common causes are: the policy targets a group the user was recently added to, a new named-location rule, a recent device compliance change, or a risk level triggered by Identity Protection. The gold line: Sign-in log CA tab first for the actual block reason, What If for pre-validation, report-only for safe pre-deployment testing.