
Microsoft Entra ID, formerly known as Azure AD, is the control center for Microsoft 365 and beyond.
This blog focuses only on Microsoft 365, so that is the context we will be talking about.
All other services, like Exchange Online, Teams, SharePoint Online, and Intune rely on it, communicating with it in the background.
If you want to allow a user to access Teams or their email, you need to use Entra ID to accomplish this.
Technically speaking, Microsoft Entra ID is, in its essence, an Identity Provider. Everything it does is based on identity.

While not diving into psychological or philosophical perspectives, identity, in simple words, is: "Who you are."
In everyday life, we need to prove who we are by using our ID documents. They are provided to us by Trusted Identity Providers.
By the way, no one would ask you to provide a "Trusted Identity Representation"; they will just say identification document, but the terminology is important for the story. 😀
For example:
In the case of Microsoft 365, if you want to access your email or Teams, you need to prove your identity by using your account, provided by a trusted identity provider, which in this case is Microsoft Entra ID.
So the main purpose of an identity provider, in this case Entra ID, is to check the identity of the person who is accessing the Microsoft 365 environment.

It's worth noting that there are also other identities that will access the Microsoft 365 environment, and they are not for humans.
So here is the breakdown of Entra ID identity types:
| Identity Type | Assigned To | Real-World Examples |
| --- | --- | --- |
| User Identity | Human users (internal & external) | Employees, consultants, partners, vendors, customers |
| Device Identity | Physical endpoints used by people/workflows | Laptops, mobile phones, desktops, IoT devices |
| Workload Identity | Software entities (non-human actors) | Applications, APIs, virtual machines, background services, containers |
For now, I won’t go deeper into what these other identities mean. We will definitely cover them in future posts, but it’s good for you to know that they exist.
As we said before, Entra ID is like a control center for Microsoft 365, and managing users, blocking, and allowing access is the daily job of an administrator.
There is a generally accepted name for this kind of administration, and it’s called “Identity and Access Management,” or “IAM” for short.
IAM is built on a few processes that are crucial for managing identity and access. They are:

The process that takes place when Entra ID checks your identity after you enter your username and password is called Authentication.
Let’s start from the beginning.
In order to log in to Microsoft 365, an administrator first needs to create a user account in Entra ID and assign you an email address and a password.
These are called "Credentials."
Authenticating with just a password is called Single-Factor Authentication because you are proving your identity with only one factor.
Below you can see the basic process of Authentication.
Firstly, you enter your email address into the prompt and choose "Next":

If the user account exists in Entra ID, you will be redirected to the next prompt to enter your password:

If the authentication is successful, you will be redirected to Outlook:

Now we can say you are authenticated in Entra ID. 🙂

In simple words, authorization answers the question: "What are you allowed to do?"
Let's get back to our analogy of the Opera from the beginning.
So the message from this story is that you can sit only in the seats meant for you, or rather, for your ticket.
And that's predefined by the "Trusted Identity Provider" of the Opera tickets, which is the entity from which you bought the tickets.
This is similar to how authorization works in Entra ID.
It's a process of granting an already authenticated entity (User, Device, or Workload) permission to access specific resources or perform certain actions within those resources.
This way, when you log in to Microsoft 365, you can't just start creating new users or accessing your colleagues' mailboxes unless the admin explicitly grants you those permissions; in other words, unless the admin explicitly authorizes you to do that.
Here is an example.
We are already authenticated and logged into Outlook.
Let's say I want to send an email from a different email address than mine:

You see that I got an error telling me I don't have permissions.
I'm not thrown out, like from the Opera, but if I do this several times, the security team would definitely log me out, thinking I'm doing something suspicious, which would be the same as throwing me out. 😀

Auditing is keeping track of what an identity did in the system.
These records are stored in Audit Logs, and an administrator can always look up the entries related to a specific account.
In the previous example for authorization, we mentioned that the security team would definitely log me off if they detected that I’m doing something potentially malicious, like trying to send an email from other employees' email addresses.
They detected this with the help of audit logs.
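As an added illustration (not code from the original post), here is a small Python script that applies the kind of detection the security team above would rely on: it reads audit records, groups denied "SendAs" attempts per account, and flags any account that hits a threshold inside a sliding time window. The records are constructed sample data; the field names follow the unified audit log's common fields, but the values, the threshold, and the assumption that a denied SendAs attempt is recorded with ResultStatus "Failed" are ours.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not a real export). Field names follow the
# unified audit log's common fields, but the values and the assumption that a
# denied SendAs attempt is recorded as ResultStatus "Failed" are ours.
SAMPLE_AUDIT_JSON = """[
 {"CreationTime": "2024-05-01T09:01:30", "Operation": "SendAs", "UserId": "alice@example.com", "ResultStatus": "Failed", "ObjectId": "bob@example.com"},
 {"CreationTime": "2024-05-01T09:00:10", "Operation": "SendAs", "UserId": "alice@example.com", "ResultStatus": "Failed", "ObjectId": "bob@example.com"},
 {"CreationTime": "2024-05-01T09:02:05", "Operation": "SendAs", "UserId": "alice@example.com", "ResultStatus": "Succeeded", "ObjectId": "shared@example.com"},
 {"CreationTime": "2024-05-01T09:03:40", "Operation": "SendAs", "UserId": "alice@example.com", "ResultStatus": "Failed", "ObjectId": "carol@example.com"},
 {"CreationTime": "2024-05-01T09:04:00", "Operation": "SendAs", "UserId": "alice@example.com", "ResultStatus": "Failed", "ObjectId": "bob@example.com"},
 {"CreationTime": "2024-05-01T09:05:00", "Operation": "SendAs", "UserId": "dave@example.com", "ResultStatus": "Failed", "ObjectId": "bob@example.com"},
 {"CreationTime": "2024-05-01T08:00:00", "Operation": "SendAs", "UserId": "erin@example.com", "ResultStatus": "Failed", "ObjectId": "bob@example.com"},
 {"CreationTime": "2024-05-01T08:30:00", "Operation": "SendAs", "UserId": "erin@example.com", "ResultStatus": "Failed", "ObjectId": "bob@example.com"},
 {"CreationTime": "2024-05-01T09:10:00", "Operation": "SendAs", "UserId": "erin@example.com", "ResultStatus": "Failed", "ObjectId": "bob@example.com"}
]"""

THRESHOLD = 3                   # denied attempts that warrant a review (our choice)
WINDOW = timedelta(minutes=10)  # ...within this sliding time window (our choice)

def load_records(raw_json):
    records = json.loads(raw_json)
    for r in records:
        r["CreationTime"] = datetime.fromisoformat(r["CreationTime"])
    return sorted(records, key=lambda r: r["CreationTime"])  # oldest first

def failed_send_as_by_user(records):
    """Group denied SendAs attempts by the account that made them."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "SendAs" and r["ResultStatus"] == "Failed":
            by_user[r["UserId"]].append(r)
    return by_user

def flag_repeated_failures(records, threshold=THRESHOLD, window=WINDOW):
    """Return {user: [mailboxes targeted]} for accounts with at least
    `threshold` denied SendAs attempts inside any `window`-long span."""
    flagged = {}
    for user, fails in failed_send_as_by_user(records).items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["CreationTime"] - fails[start]["CreationTime"] > window:
                start += 1  # slide the window forward until it fits
            if end - start + 1 >= threshold:
                flagged[user] = sorted({r["ObjectId"] for r in fails[start:end + 1]})
                break
    return flagged
```

With the sample data, only alice is flagged: four denied attempts in five minutes, while erin's three failures are spread over an hour and dave's single failure never reaches the threshold.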
Microsoft Entra ID serves as the backbone of identity and access management for Microsoft 365.
It ensures secure authentication, precise authorization, and thorough auditing, making it indispensable for administrators and users alike.
By understanding its core principles and processes, organizations can effectively manage access to their digital environments while maintaining security and compliance.