Authenticate and authorize users and apps using Microsoft Entra ID
Microsoft Entra ID (formerly Azure Active Directory) serves as the cloud-based identity and access management service that enables authentication and authorization for users and applications in Azure environments.
**Authentication** verifies the identity of users or applications attempting to access resources. Microsoft Entra ID supports multiple authentication methods including passwords, multi-factor authentication (MFA), passwordless options like FIDO2 security keys, and certificate-based authentication. Applications can leverage OAuth 2.0 and OpenID Connect protocols to authenticate users securely.
**Authorization** determines what authenticated identities can access. Role-Based Access Control (RBAC) assigns permissions through roles at various scopes including management groups, subscriptions, resource groups, and individual resources. Built-in roles like Owner, Contributor, and Reader provide common permission sets, while custom roles address specific requirements.
**For Application Authentication**, developers register applications in Microsoft Entra ID to obtain client IDs and configure authentication settings. Service principals represent application identities, while managed identities eliminate credential management by automatically handling identity lifecycle for Azure resources. System-assigned managed identities tie to specific resources, whereas user-assigned managed identities can be shared across multiple resources.
**Token-Based Authorization** uses access tokens obtained through the Microsoft Authentication Library (MSAL). Applications request tokens with specific scopes defining required permissions. The Microsoft Identity Platform validates tokens and enforces consent requirements.
**Conditional Access Policies** provide granular access control based on signals like user location, device compliance, risk level, and application sensitivity. These policies enforce requirements such as MFA or block access when conditions indicate elevated risk.
**Best Practices** include implementing least privilege access, using managed identities whenever possible, enabling MFA for all users, regularly reviewing access assignments, and monitoring sign-in logs for suspicious activity. Developers should store application secrets in Azure Key Vault and rotate credentials regularly to maintain security posture across their Azure implementations.
Authenticate and Authorize Users and Apps Using Microsoft Entra ID
Why is This Important?
Microsoft Entra ID (formerly Azure Active Directory) is the backbone of identity management in Azure. For the AZ-204 exam, understanding authentication and authorization is critical because virtually every Azure application needs to secure access to resources. This topic typically appears in 15-20% of exam questions and is fundamental to building secure cloud applications.
What is Microsoft Entra ID?
Microsoft Entra ID is a cloud-based identity and access management service that helps employees sign in and access resources. It provides:
• Authentication - Verifying the identity of users and applications
• Authorization - Determining what resources an authenticated identity can access
• Single Sign-On (SSO) - One set of credentials for multiple applications
• Application Management - Managing cloud and on-premises apps
• Conditional Access - Policies that control access based on conditions
How It Works
Authentication Flow:
1. User/App requests access to a protected resource
2. Redirect to Microsoft Entra ID for authentication
3. User provides credentials or app provides client credentials
4. Microsoft Entra ID validates and issues tokens (ID token, access token, refresh token)
5. Token presented to the resource for access
Key Concepts:
• OAuth 2.0 - Authorization framework for granting limited access
• OpenID Connect (OIDC) - Authentication layer built on OAuth 2.0
• MSAL (Microsoft Authentication Library) - Library used to acquire tokens
• App Registrations - Registering apps in Microsoft Entra ID to enable authentication
• Service Principals - Identity for applications in a specific tenant
• Managed Identities - Azure-managed identities for services to authenticate
Token Types:
• ID Token - Contains user identity claims, used for authentication
• Access Token - Used to access protected APIs
• Refresh Token - Used to obtain new access tokens
Implementation Approaches:
For Web Applications: Use MSAL.NET or MSAL.js with authorization code flow with PKCE
For APIs: Validate bearer tokens in the Authorization header
For Daemon/Service Apps: Use client credentials flow with certificates or secrets
For Azure Resources: Use Managed Identities to eliminate credential management
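The authorization code flow with PKCE that the Authentication Flow steps and the "For Web Applications" approach above describe, shown end to end as an added example using only the Python standard library. This is not code from the page or from MSAL (MSAL.NET and MSAL.js perform these steps for you); the tenant ID, client ID and redirect URI are constructed placeholders. It builds the authorize request with a state value and an S256 code challenge, checks the state on the callback, and prepares the token request that proves possession of the code verifier.

```python
"""Authorization code flow with PKCE (RFC 7636), stdlib only.

Added example, not code from the Microsoft Learn page or from MSAL.
TENANT_ID, CLIENT_ID and REDIRECT_URI are constructed placeholders.
"""
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

TENANT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder tenant
CLIENT_ID = "11111111-1111-1111-1111-111111111111"    # placeholder app registration
REDIRECT_URI = "https://localhost:5001/signin-oidc"   # assumed redirect URI
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.

    A fresh verifier is 32 random bytes -> 43 base64url chars (allowed: 43..128).
    """
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(scopes, state: str, challenge: str) -> str:
    """Step 2 of the flow: the redirect to Microsoft Entra ID's v2.0 authorize endpoint."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                     # bound to the user's session; checked on return
        "code_challenge": challenge,        # only the hash leaves the app at this point
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def handle_redirect(redirect_url: str, expected_state: str) -> str:
    """Extract the authorization code from the callback, rejecting a state mismatch."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError(f"authorization error: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(code: str, verifier: str, scopes) -> Tuple[str, dict]:
    """Step 4: form body for the token endpoint; the verifier proves we started this flow."""
    body = {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,          # the server hashes this and compares to the challenge
        "scope": " ".join(scopes),
    }
    return f"{AUTHORITY}/oauth2/v2.0/token", body


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    print(build_authorize_url(["openid", "User.Read"], state, challenge))
    # The browser would come back to REDIRECT_URI?code=...&state=...; then:
    code = handle_redirect(f"{REDIRECT_URI}?code=CONSTRUCTED_CODE&state={state}", state)
    endpoint, body = build_token_request(code, verifier, ["User.Read"])
    print(endpoint, body["grant_type"])
```

Because the code verifier never appears in the browser redirect, an attacker who intercepts the authorization code cannot redeem it, and the state check ties the callback to the session that started the flow; a confidential client additionally sends a client secret or certificate assertion with the token request.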
Exam Tips: Answering Questions on Microsoft Entra ID Authentication
1. Know the OAuth 2.0 Flows:
• Authorization Code Flow - Web apps with server-side code
• Client Credentials Flow - Service-to-service, no user interaction
• Device Code Flow - Devices with limited input capabilities
• Implicit Flow - Legacy, not recommended for new apps
2. Managed Identities vs Service Principals:
• System-assigned - Tied to a single resource lifecycle
• User-assigned - Can be shared across multiple resources
• Prefer managed identities over storing credentials in code
3. MSAL is the Answer: When questions ask about acquiring tokens programmatically, MSAL is almost always the correct choice over ADAL (which is deprecated)
4. Scopes and Permissions:
• Delegated permissions - App acts on behalf of signed-in user
• Application permissions - App acts as itself, requires admin consent
5. Common Scenario Recognition:
• Need to call Microsoft Graph? Use MSAL to get access token
• Azure Function calling Azure SQL? Use Managed Identity
• Multi-tenant app? Configure app registration for multiple tenants
6. Key Code Patterns to Remember:
• DefaultAzureCredential - Best practice for Azure SDK authentication
• ConfidentialClientApplication - For apps with secrets/certificates
• PublicClientApplication - For apps that cannot keep secrets
7. Watch for Keywords:
• Secure + API = Token validation
• No credentials in code = Managed Identity
• Background service = Client credentials flow
• On behalf of user = Delegated permissions
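What "Secure + API = Token validation" means in practice, as an added example that is not code from the page: an API reads the bearer token from the Authorization header and checks, in order, the scheme, the signing algorithm, the signature, the issuer, the audience, the validity window, and finally the permission the endpoint needs. Delegated permissions arrive in the `scp` claim and application permissions in the `roles` claim, which is how tip 4 shows up in a real token. Microsoft Entra ID signs access tokens with RS256 and an API verifies them against the tenant's published signing keys (the JWKS linked from the OpenID discovery document), normally through a library such as Microsoft.Identity.Web; to keep this example runnable offline the sample tokens are minted and verified with HMAC-SHA256 under a constructed key, and that HMAC step is a stand-in for the RSA/JWKS check. Tenant ID, audience and key are constructed placeholders.

```python
"""Bearer token validation for an API, claim by claim (stdlib only).

Added example, not code from the Microsoft Learn page. HMAC-SHA256 under a
constructed key stands in for Entra ID's RS256 + JWKS verification so the
example runs offline. TENANT_ID, the audiences and TEST_KEY are placeholders.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

TENANT_ID = "00000000-0000-0000-0000-000000000000"                 # placeholder tenant
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
# v2.0 tokens carry either the app ID URI or the client ID as the audience.
EXPECTED_AUDIENCES = {"api://22222222-2222-2222-2222-222222222222",
                      "22222222-2222-2222-2222-222222222222"}          # placeholder API registration
TEST_KEY = b"constructed-test-key-not-a-real-signing-key"


class TokenError(Exception):
    """Raised for any reason the API must answer 401/403 instead of serving the request."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_test_token(claims: dict, key: bytes = TEST_KEY) -> str:
    """Create a JWT for the examples; in production Entra ID is the only issuer."""
    header = {"alg": "HS256", "typ": "JWT"}
    encode = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{encode(header)}.{encode(claims)}"
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def validate_bearer(authorization_header: Optional[str], key: bytes = TEST_KEY,
                    now: Optional[float] = None) -> dict:
    """Return the verified claims, or raise TokenError. Order matters: cheap
    structural checks first, signature before trusting any claim."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        raise TokenError("missing or non-bearer Authorization header")
    parts = authorization_header[len("Bearer "):].strip().split(".")
    if len(parts) != 3:
        raise TokenError("malformed JWT")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (alg=none, algorithm confusion).
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise TokenError("signature does not verify against the trusted key")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("issuer is not this tenant's v2.0 endpoint")
    if claims.get("aud") not in EXPECTED_AUDIENCES:
        raise TokenError("token was issued for a different API")
    if claims.get("exp", 0) <= now:              # a missing exp is treated as expired
        raise TokenError("token expired")
    if claims.get("nbf", 0) > now:
        raise TokenError("token not yet valid")
    return claims


def has_permission(claims: dict, scopes=frozenset(), roles=frozenset()) -> bool:
    """Delegated permissions live in 'scp' (space separated); application
    permissions live in 'roles'. An endpoint may accept either kind."""
    delegated = set(claims.get("scp", "").split())
    app_roles = set(claims.get("roles", []))
    return bool(delegated & set(scopes)) or bool(app_roles & set(roles))


if __name__ == "__main__":
    now = int(time.time())
    base = {"iss": EXPECTED_ISSUER, "aud": "api://22222222-2222-2222-2222-222222222222",
            "nbf": now - 60, "exp": now + 600}
    user_token = mint_test_token({**base, "oid": "user-1", "scp": "Orders.Read"})
    claims = validate_bearer("Bearer " + user_token)
    print("delegated caller", claims["oid"], "may read:", has_permission(claims, scopes={"Orders.Read"}))
    app_token = mint_test_token({**base, "roles": ["Orders.ReadAll"]})
    print("daemon may read all:", has_permission(validate_bearer("Bearer " + app_token), roles={"Orders.ReadAll"}))
```

The sequence is the same one a production middleware performs; the only difference is the key source. Checking the audience is the step most often skipped: a token minted for Microsoft Graph or for another API in the same tenant has a valid signature and issuer but must still be rejected, because its `aud` names a different resource.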