After this lesson, you will be able to: Use Entra ID (Azure AD) for users, groups, roles, enterprise applications, and conditional access. Understand why Entra appears in interviews even at AWS-heavy shops.
Entra ID is the most important Azure service for cross-cloud careers. This lesson covers it deeply.
Microsoft's cloud identity service. Identities (users + service principals + managed identities), groups, roles, applications, devices. Used by: every Microsoft 365 customer, most enterprises for SSO into any SaaS, GitHub Enterprise Cloud auth, Microsoft Teams. Free tier: 50K users + basic auth. P1 / P2 add Conditional Access, Identity Protection, Privileged Identity Management. Even an AWS-only company often uses Entra ID for human auth and federates INTO AWS roles.
User: a human. Has a username + password + MFA. Service Principal (SP): an identity for an APP. Used by SaaS apps to authenticate to Azure / Microsoft Graph. Has a client ID + client secret OR certificate. Managed Identity (MI): an SP that Azure manages for you (creates, rotates, deletes credentials automatically). Comes in System-Assigned (tied to the resource lifecycle) + User-Assigned (reusable across resources). Modern best practice: Managed Identities everywhere. Never store SP secrets if MI works.
Azure RBAC is built on Entra identities + role assignments. Built-in roles: Owner, Contributor, Reader, plus 200+ resource-specific. Custom roles: define your own (e.g. 'can list VMs but not start/stop'). Scope: assign role at Management Group / Subscription / Resource Group / Individual Resource. Lower scope = least privilege. Same identity, different scope = different permissions per resource. Layer carefully.
CLI commands you'll use daily.
# List usersaz ad user list --display-name 'Alex' --output table# Create a useraz ad user create --display-name 'Test User' --user-principal-name testuser@your-tenant.onmicrosoft.com --password 'TempPass123!' --force-change-password-next-sign-in true# Add to a groupaz ad group member add --group 'devops-team' --member-id <user-objectId># Assign a role at a resource group scopeaz role assignment create \--assignee [email protected] \--role 'Contributor' \--resource-group rg-staging# List role assignments on a useraz role assignment list --assignee [email protected] --output table
Entra ID supports SAML 2.0 + OIDC. Register the target SaaS as an 'Enterprise Application' in Entra. Configure user provisioning (auto-create accounts when a user is added to a specific Entra group). Result: corporate identity = one source of truth. New hire gets a Entra account; AWS / GitHub / Slack accounts auto-provision; on offboarding, disable in Entra = everything else disables. This is why enterprises use Entra ID even on AWS.
Storing SP secrets in code or env vars when Managed Identity works. Granting Owner / Contributor at Subscription scope. Always scope down. Skipping Conditional Access on Global Administrator accounts. The highest-value targets are the easiest to lock down. Static-password service accounts. Replace with MI + key rotation. Not enabling Privileged Identity Management (PIM) for admin roles. PIM = role activation on demand + approval workflow + auto-expiry.
Pick the keyless option.
Sign in and purchase access to unlock this lesson.