What is Azure Active Directory? - Microsoft Entra (2023)


(Video) Microsoft Entra .. the new Azure Active Directory portal

  • Article
  • 8 minutes to read

Azure Active Directory (Azure AD) is a cloud-based identity and access management service. Azure AD enables your employees access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications. Azure Active Directory also helps them access internal resources like apps on your corporate intranet, and any cloud apps developed for your own organization. To learn how to create a tenant, see Quickstart: Create a new tenant in Azure Active Directory.

To learn the differences between Active Directory and Azure Active Directory, see Compare Active Directory to Azure Active Directory. You can also refer Microsoft Cloud for Enterprise Architects Series posters to better understand the core identity services in Azure like Azure AD and Microsoft-365.

Who uses Azure AD?

Azure AD provides different benefits to members of your organization based on their role:

  • IT admins use Azure AD to control access to apps and app resources, based on business requirements. For example, as an IT admin, you can use Azure AD to require multi-factor authentication when accessing important organizational resources. You could also use Azure AD to automate user provisioning between your existing Windows Server AD and your cloud apps, including Microsoft 365. Finally, Azure AD gives you powerful tools to automatically help protect user identities and credentials and to meet your access governance requirements. To get started, sign up for a free 30-day Azure Active Directory Premium trial.

  • App developers can use Azure AD as a standards-based authentication provider that helps them add single sign-on (SSO) to apps that works with a user's existing credentials. Developers can also use Azure AD APIs to build personalized experiences using organizational data. To get started, sign up for a free 30-day Azure Active Directory Premium trial. For more information, you can also see Azure Active Directory for developers.

    (Video) Microsoft Entra / Azure AD 2 0 Explained with Full Demo

  • Microsoft 365, Office 365, Azure, or Dynamics CRM Online subscribers already use Azure AD as every Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an Azure AD tenant. You can immediately start managing access to your integrated cloud apps.

What are the Azure AD licenses?

Microsoft Online business services, such as Microsoft 365 or Microsoft Azure, use Azure AD for sign-in activities and to help protect your identities. If you subscribe to any Microsoft Online business service, you automatically get access to Azure AD free.

To enhance your Azure AD implementation, you can also add paid features by upgrading to Azure Active Directory Premium P1 or Premium P2 licenses. Azure AD paid licenses are built on top of your existing free directory. The licenses provide self-service, enhanced monitoring, security reporting, and secure access for your mobile users.


For the pricing options of these licenses, see Azure Active Directory Pricing.

For more information about Azure AD pricing, contact the Azure Active Directory Forum.

  • Azure Active Directory Free. Provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps.

    (Video) AZ-500: Azure Active Directory Review | Licenses | Microsoft Entra - Hindi

  • Azure Active Directory Premium P1. In addition to the Free features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager, and cloud write-back capabilities, which allow self-service password reset for your on-premises users.

  • Azure Active Directory Premium P2. In addition to the Free and P1 features, P2 also offers Azure Active Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical company data and Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.

  • "Pay as you go" feature licenses. You can also get licenses for features such as, Azure Active Directory Business-to-Customer (B2C). B2C can help you provide identity and access management solutions for your customer-facing apps. For more information, see Azure Active Directory B2C documentation.

For more information about associating an Azure subscription to Azure AD, see Associate or add an Azure subscription to Azure Active Directory. For more information about assigning licenses to your users, see How to: Assign or remove Azure Active Directory licenses.

Which features work in Azure AD?

After you choose your Azure AD license, you'll get access to some or all of the following features:

Application managementManage your cloud and on-premises apps using Application Proxy, single sign-on, the My Apps portal, and Software as a Service (SaaS) apps. For more information, see How to provide secure remote access to on-premises applications and Application Management documentation.
AuthenticationManage Azure Active Directory self-service password reset, Multi-Factor Authentication, custom banned password list, and smart lockout. For more information, see Azure AD Authentication documentation.
Azure Active Directory for developersBuild apps that sign in all Microsoft identities, get tokens to call Microsoft Graph, other Microsoft APIs, or custom APIs. For more information, see Microsoft identity platform (Azure Active Directory for developers).
Business-to-Business (B2B)Manage your guest users and external partners, while maintaining control over your own corporate data. For more information, see Azure Active Directory B2B documentation.
Business-to-Customer (B2C)Customize and control how users sign up, sign in, and manage their profiles when using your apps. For more information, see Azure Active Directory B2C documentation.
Conditional AccessManage access to your cloud apps. For more information, see Azure AD Conditional Access documentation.
Device ManagementManage how your cloud or on-premises devices access your corporate data. For more information, see Azure AD Device Management documentation.
Domain servicesJoin Azure virtual machines to a domain without using domain controllers. For more information, see Azure AD Domain Services documentation.
Enterprise usersManage license assignments, access to apps, and set up delegates using groups and administrator roles. For more information, see Azure Active Directory user management documentation.
Hybrid identityUse Azure Active Directory Connect and Connect Health to provide a single user identity for authentication and authorization to all resources, regardless of location (cloud or on-premises). For more information, see Hybrid identity documentation.
Identity governanceManage your organization's identity through employee, business partner, vendor, service, and app access controls. You can also perform access reviews. For more information, see Azure AD identity governance documentation and Azure AD access reviews.
Identity protectionDetect potential vulnerabilities affecting your organization's identities, configure policies to respond to suspicious actions, and then take appropriate action to resolve them. For more information, see Azure AD Identity Protection.
Managed identities for Azure resourcesProvide your Azure services with an automatically managed identity in Azure AD that can authenticate any Azure AD-supported authentication service, including Key Vault. For more information, see What is managed identities for Azure resources?.
Privileged identity management (PIM)Manage, control, and monitor access within your organization. This feature includes access to resources in Azure AD and Azure, and other Microsoft Online Services, like Microsoft 365 or Intune. For more information, see Azure AD Privileged Identity Management.
Reports and monitoringGain insights into the security and usage patterns in your environment. For more information, see Azure Active Directory reports and monitoring.


To better understand Azure AD and its documentation, we recommend reviewing the following terms.

Term or conceptDescription
IdentityA thing that can get authenticated. An identity can be a user with a username and password. Identities also include applications or other servers that might require authentication through secret keys or certificates.
AccountAn identity that has data associated with it. You can’t have an account without an identity.
Azure AD accountAn identity created through Azure AD or another Microsoft cloud service, such as Microsoft 365. Identities are stored in Azure AD and accessible to your organization's cloud service subscriptions. This account is also sometimes called a Work or school account.
Account AdministratorThis classic subscription administrator role is conceptually the billing owner of a subscription. This role enables you to manage all subscriptions in an account. For more information, see Classic subscription administrator roles, Azure roles, and Azure AD administrator roles.
Service AdministratorThis classic subscription administrator role enables you to manage all Azure resources, including access. This role has the equivalent access of a user who is assigned the Owner role at the subscription scope. For more information, see Classic subscription administrator roles, Azure roles, and Azure AD administrator roles.
OwnerThis role helps you manage all Azure resources, including access. This role is built on a newer authorization system called Azure role-based access control (Azure RBAC) that provides fine-grained access management to Azure resources. For more information, see Classic subscription administrator roles, Azure roles, and Azure AD administrator roles.
Azure AD Global administratorThis administrator role is automatically assigned to whomever created the Azure AD tenant. You can have multiple Global administrators, but only Global administrators can assign administrator roles (including assigning other Global administrators) to users. For more information about the various administrator roles, see Administrator role permissions in Azure Active Directory.
Azure subscriptionUsed to pay for Azure cloud services. You can have many subscriptions and they're linked to a credit card.
Azure tenantA dedicated and trusted instance of Azure AD. The tenant is automatically created when your organization signs up for a Microsoft cloud service subscription. These subscriptions include Microsoft Azure, Microsoft Intune, or Microsoft 365. An Azure tenant represents a single organization.
Single tenantAzure tenants that access other services in a dedicated environment are considered single tenant.
Multi-tenantAzure tenants that access other services in a shared environment, across multiple organizations, are considered multi-tenant.
Azure AD directoryEach Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the tenant's users, groups, and apps and is used to perform identity and access management functions for tenant resources.
Custom domainEvery new Azure AD directory comes with an initial domain name, for example domainname.onmicrosoft.com. In addition to that initial name, you can also add your organization's domain names. Your organization's domain names include the names you use to do business and your users use to access your organization's resources, to the list. Adding custom domain names helps you to create user names that are familiar to your users, such as alain@contoso.com.
Microsoft account (also called, MSA)Personal accounts that provide access to your consumer-oriented Microsoft products and cloud services. These products and services include Outlook, OneDrive, Xbox LIVE, or Microsoft 365. Your Microsoft account is created and stored in the Microsoft consumer identity account system that's run by Microsoft.

Next steps

  • Sign up for Azure Active Directory Premium

  • Associate an Azure subscription to your Azure Active Directory

    (Video) Microsoft Entra: Azure Active Directory Authentication Strengths explained

  • Azure Active Directory Premium P2 feature deployment checklist


Submit and view feedback for

This product This page

(Video) AZ-500: Azure Active Directory Review | Licenses | Microsoft Entra - English


What is Azure Entra? ›

Entra goes beyond traditional identity and access management – it's Microsoft's vision for the future of identity and access. As well as Azure AD, the Entra portal includes Permissions Management, utilising cloud infrastructure entitlement management (CIEM), and Verified ID for decentralised identity management.

Is Azure AD now part of Microsoft Entra? ›

Enter Microsoft Entra

Today, Microsoft announced a new name for their identity product family which encompasses familiar capabilities alongside new capability launches. Microsoft Entra covers identity, including Azure Active Directory (Azure AD), Permissions Management, and Verified ID.

What is Azure Active Directory used for? ›

Azure Active Directory (Azure AD), part of Microsoft Entra, is an enterprise identity service that provides single sign-on, multifactor authentication, and conditional access to guard against 99.9 percent of cybersecurity attacks.

What is part of Microsoft Entra? ›

What is Microsoft Entra? Microsoft Entra a family of products that encompasses all identity and access capabilities. Within the Entra family are products such as Microsoft Azure Active Directory (Azure AD), Microsoft Entra Verified ID, and Microsoft Entra Permissions Management.

What is the difference between Azure Active Directory and Active Directory? ›

AD is great at managing traditional on-premise infrastructure and applications. Azure AD is great at managing user access to cloud applications. You can use both together, or if you want to have a purely cloud based environment you can just use Azure AD.

Is Microsoft Entra free? ›

Microsoft is making Entra, and a new admin portal associated with it, available today. In terms of pricing, customers who want Entra will continue to pay per user per month for Azure AD; per active user per month for external identities; and per resource for permissions, Simons said.

Is Azure AD the same as Office 365? ›

Azure AD is the cloud directory that is used by Office 365. No on-premises servers are required — Microsoft manages all of that for you. When identity and authentication are handled completely in the cloud, you can manage user accounts and user licenses through the Microsoft Online Portal or Windows PowerShell cmdlets.

Is Azure AD a replacement for AD? ›

Azure Active Directory is not a direct replacement for on-premises Active Directory, but if an organisation does not need the missing functionality, moving to Azure Active Directory and decommissioning Active Directory starts to become a functionally viable option.

Is Azure Active Directory same as IAM in AWS? ›

Azure AD is built for Azure infrastructure, and AWS IAM is designed for managing web console user access to AWS infrastructure. Each IAM tool wasn't designed to natively manage the entirety of an organization's IT needs, making it more enticing for admins to decide to leverage both concurrently.

What are the 4 types of Microsoft Active Directory? ›

Below we'll explain their differences in order to help you decide what you need.
  • Active Directory (AD) ...
  • Azure Active Directory (AAD) ...
  • Hybrid Azure AD (Hybrid AAD) ...
  • Azure Active Directory Domain Services (AAD DS)
Aug 25, 2019

What are the different types of Azure Active Directory? ›

Azure Active Directory comes in four editions—Free, Office 365 apps, Premium P1, and Premium P2.

What are the two types of Active Directory? ›

Active Directory has two types of groups:
  • Security groups: Use to assign permissions to shared resources.
  • Distribution groups: Use to create email distribution lists.
Oct 5, 2022

How does Microsoft ESI work? ›

Microsoft provides the Microsoft Enterprise Skills Initiative (ESI) for free if your employer qualifies. The ESI program includes multiple courses, a Certificate practice exam, free certification voucher for developers, administrators, or engineers, with one-time retakes.

How do I enable Microsoft Entra? ›

Go to Entra services and use your credentials to sign in to Azure Active Directory. If you aren't already authenticated, sign in as a global administrator user. If needed, activate the global administrator role in your Azure AD tenant.

What does Microsoft ESI stand for? ›

The Microsoft Enterprise Skills Initiative (ESI) provides hands-on training for learning and enhancing technical skills and knowledge of Microsoft and Azure technologies.

How do I access Azure Active Directory? ›

Access Azure Active Directory
  1. Go to portal.azure.com and sign in with your work or student account.
  2. In the left navigation pane in the Azure portal, click Azure Active Directory. The Azure Active Directory admin center is displayed.
Oct 3, 2022

What are the limitations of Azure Active Directory? ›

An Azure AD organization can have a maximum of 5,000 dynamic groups and dynamic administrative units combined. A maximum of 500 role-assignable groups can be created in a single Azure AD organization (tenant). A maximum of 100 users can be owners of a single group.

How much is Microsoft Entra? ›

Microsoft charges $10.40 per user per month to use the Permissions Management service, according to its online pricing page.

Is Active Directory free on Azure? ›

Azure Active Directory comes in four editions—Free, Office 365 apps, Premium P1, and Premium P2. The Free edition is included with a subscription of a commercial online service, e.g. Azure, Dynamics 365, Intune, and Power Platform.

Is Entra included in E5? ›

Microsoft Entra Identity Governance Preview capabilities are currently available with an Azure AD Premium P2 subscription or free trial: Azure AD Premium P2 is included with Microsoft 365 E5 and offers a free 30-day trial.

Can you use Office 365 without Azure AD? ›

Office 365 runs on top of Azure AD. You can't then have O365 without Azure AD.

Do you need Azure AD for Office 365? ›

Office 365 customers can use Azure Active Directory (Azure AD) for free, although some of its capabilities entail paying for subscription costs. Office 365 has its own local directory. There's no requirement to use Azure AD, which is an identity and access management service housed in Microsoft's datacenters.

Can you have O365 without Azure AD? ›

For most organizations, however, in order to have directory services with O365, you'll end up requiring both on-prem AD and Azure AD.

Is Microsoft discontinuing Azure? ›

We're retiring Azure VMs (classic) on September 1, 2023 - Azure Virtual Machines | Microsoft Learn. This browser is no longer supported. Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Where is Azure Active Directory data stored? ›

Azure AD Core Store data, stored in data centers closest to the tenant-residency location, to reduce latency and provide fast user sign-in times. Azure AD Core Store data stored in geographically isolated data centers to assure availability during unforeseen single-datacenter, catastrophic events.

What is the difference between Azure AD and AD domain services? ›

Active Directory provides identity and access management for on-premises systems and applications whereas Azure AD provides cloud-based identity management and additionally allows you to deploy single sign-on services for your cloud-based resources.

Is Active Directory an IAM tool? ›

IAM Tools. An identity management system typically involves the following areas: Employee data—such as through an HR system, directories (i.e. Active Directory), and more—used to define and identify individual users. Tools to add, modify, and delete users.

Is Azure an IAM tool? ›

Secure access to your resources with Azure identity and access management solutions. Protect your applications and data at the front gate with Azure identity and access management solutions.

How do I connect Azure Active Directory to AWS? ›

Log in to the Azure AD portal with your Azure AD subscription. Select Amazon Web Services (AWS) from results panel and then add the application. Wait a few seconds while the application is added to your tenant.

What are the 3 main identity types used in Azure AD? ›

Azure AD manages different types of identities:
  • User. User identity is a representation of something that's Azure AD manages. ...
  • Service principal. A service principal is a secure identity that enables an application or service to access Azure resources. ...
  • Managed identity. ...
  • Device.

What are the 3 main components of an Active Directory? ›

AD has three main tiers: domains, trees and forests. A domain is a group of related users, computers and other AD objects, such as all the AD objects for your company's head office. Multiple domains can be combined into a tree, and multiple trees can be grouped into a forest.

What is Active Directory in simple words? ›

Active Directory (AD) is Microsoft's proprietary directory service. It runs on Windows Server and enables administrators to manage permissions and access to network resources. Active Directory stores data as objects. An object is a single element, such as a user, group, application or device such as a printer.

What are the two basic users types in Azure AD? ›

Guest account - A guest account can only be a Microsoft account or an Azure AD user that can be used to share administration responsibilities such as managing a tenant. Consumer account - A consumer account is used by a user of the applications you've registered with Azure AD B2C.

What is Azure Active Directory interview questions? ›

Azure Active Directory Interview Questions and Answers for Experienced
  • What are the license requirements for using Azure AD connect? ...
  • Name the types of cloud computing in Azure AD? ...
  • Define dynamic groups in Azure AD? ...
  • What is conditional access in Azure Active Directory? ...
  • What is risk detection?

What are the 5 roles of Active Directory? ›

Currently in Windows there are five FSMO roles:
  • Schema master.
  • Domain naming master.
  • RID master.
  • PDC emulator.
  • Infrastructure master.
Dec 1, 2021

Why do we need Active Directory? ›

The purpose of Active Directory is to enable organizations to keep their network secure and organized without having to use up excessive IT resources. For example, with AD, network administrators don't have to manually update every change to the hierarchy or objects on every computer on the network.

What are examples of Active Directory? ›

An example of an Active Directory domain name would be “ad-internal.company.com,” where “ad-internal” is the name you are using for your internal AD domain, and “company.com” is the name of your external resources.

What is Azure AI on my laptop? ›

Microsoft Azure AI can detect which APP is running and automatically adjust profiles for CPU, GPU and fan accordingly in order to offer the optimal using environment. With such feature, AERO laptops can help user fluently transfer from one app to another without further manual settings.

What is the Azure equivalent of Kafka? ›

This endpoint enables you to configure your existing Kafka applications to talk to Azure Event Hubs, an alternative to running your own Kafka clusters.
Talk to Event Hubs, like you would with Kafka and unleash the power of PaaS!
Kafka ConceptEvent Hubs Concept
OffsetSequence Number
4 more rows
May 9, 2018

What are the 3 important services offered by Azure? ›

This gives users the flexibility to use their preferred tools and technologies. In addition, Azure offers four different forms of cloud computing: infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS) and serverless functions.

What is Azure and why do I need it? ›

The Azure cloud platform is more than 200 products and cloud services designed to help you bring new solutions to life—to solve today's challenges and create the future. Build, run, and manage applications across multiple clouds, on-premises, and at the edge, with the tools and frameworks of your choice.

Can I remove Azure? ›

Select your subscription on the Subscriptions page in the Azure portal. Select the subscription that you want to delete. At the top of the subscription page, select Delete. When all required conditions are met, you can delete the subscription.

What is Azure and do I need it? ›

Microsoft Azure is a cloud computing service offered by Microsoft. There are over 600 services that fall under the Azure umbrella, but broadly speaking, it is a web-based platform on which applications and services can be built, tested, managed, and deployed.

What is replacing Azure DevOps? ›

You can replace Azure DevOps Server with GitHub Enterprise Server to keep data within your network. Like Azure DevOps, you have to install and maintain the software and machine.

Which platform is best for Azure? ›

10 Best Online Courses to learn Microsoft Azure for 2022
  • AZ-900: Microsoft Azure Fundamentals Exam Prep. ...
  • Microsoft Azure Fundamentals AZ-900 Exam Prep Specialization [Coursera + Microsoft] ...
  • Microsoft Azure Fundamentals [Pluralsight] ...
  • Microsoft Azure Virtual Machines by Microsoft [edX]

Does Netflix use AWS or Azure? ›

Netflix's Cloud Journey on AWS

Netflix uses AWS for nearly all its computing and storage needs, including databases, analytics, recommendation engines, video transcoding, and more—hundreds of functions that in total use more than 100,000 server instances on AWS.


1. What is Microsoft Entra ?
2. Microsoft Entra - What’s new in Identity and Authentication!
(Andy Malone MVP)
3. What is Microsoft Entra Admin Center? | Azure Active Directory Part1
(How IT Works)
4. What is Microsoft Entra?
(Talking tech with Techielass)
5. Introducing Microsoft Entra
(Microsoft Security)
6. Microsoft Entra The MUST KNOW Guide for Admins
(Andy Malone MVP)
Top Articles
Latest Posts
Article information

Author: Catherine Tremblay

Last Updated: 02/12/2023

Views: 6358

Rating: 4.7 / 5 (67 voted)

Reviews: 90% of readers found this page helpful

Author information

Name: Catherine Tremblay

Birthday: 1999-09-23

Address: Suite 461 73643 Sherril Loaf, Dickinsonland, AZ 47941-2379

Phone: +2678139151039

Job: International Administration Supervisor

Hobby: Dowsing, Snowboarding, Rowing, Beekeeping, Calligraphy, Shooting, Air sports

Introduction: My name is Catherine Tremblay, I am a precious, perfect, tasty, enthusiastic, inexpensive, vast, kind person who loves writing and wants to share my knowledge and understanding with you.