Types of Identities in Microsoft Entra ID
Microsoft Entra ID (formerly Azure Active Directory) supports several types of identities, each serving distinct purposes in managing access and security within an organization.
**1. User Identities:** These represent people within or outside an organization. There are two main types:
- **Internal members (employees):** Users created directly in the organization's Entra ID tenant, authenticated via internal credentials.
- **External guests (B2B collaboration):** Users invited from outside the organization who authenticate using their home identity provider (e.g., another Entra ID tenant, Google, or Microsoft accounts). They are granted limited access to organizational resources.
**2. Workload Identities:** These are identities assigned to software workloads such as applications, services, and automation scripts. They include:
- **Service Principals:** Security identities used by applications or services to authenticate and access resources. They define the access policy and permissions for the app.
- **Managed Identities:** A special type of service principal automatically managed by Azure, eliminating the need for developers to manage credentials. They come in two forms: **system-assigned** (tied to a specific Azure resource) and **user-assigned** (created as standalone resources and assignable to multiple services).
- **Applications (App Registrations):** When an application is registered in Entra ID, it creates an application object and a corresponding service principal, enabling identity and access management.
**3. Device Identities:** Devices can also have identities in Entra ID. Devices can be **Entra ID registered** (personal devices), **Entra ID joined** (organization-owned devices), or **Hybrid Entra ID joined** (joined to both on-premises AD and Entra ID). Device identities enable conditional access policies and mobile device management.
**4. External Identities:** Microsoft Entra External ID allows organizations to securely interact with external users, including customers and partners, through B2B collaboration and B2C (customer identity) scenarios.
These identity types collectively enable organizations to implement robust zero-trust security, manage access efficiently, and govern identities across hybrid and multi-cloud environments.
Types of Identities in Microsoft Entra ID: A Complete Guide for SC-900
Why Is Understanding Types of Identities in Microsoft Entra ID Important?
Identity is the foundational pillar of modern security. In the SC-900 exam, Microsoft emphasizes identity as the new security perimeter. Understanding the different types of identities in Microsoft Entra ID (formerly Azure Active Directory) is critical because every access decision, every security policy, and every compliance control revolves around who or what is requesting access. Without a solid grasp of identity types, you cannot understand how authentication, authorization, conditional access, or zero trust principles are applied in Microsoft's ecosystem.
For the SC-900 exam specifically, questions about identity types appear frequently because they form the basis for understanding broader concepts like governance, identity protection, and access management.
What Are the Types of Identities in Microsoft Entra ID?
Microsoft Entra ID supports several types of identities, each serving a distinct purpose. These can be broadly categorized as follows:
1. User Identities
User identities represent people. There are several subtypes:
a. Internal Members (Cloud Identities)
These are user accounts created directly in your Microsoft Entra ID tenant. They authenticate directly against your directory. Examples include employees whose accounts are provisioned in the cloud.
b. Synchronized Identities (Hybrid Identities)
These are user accounts that originate in an on-premises Active Directory and are synchronized to Microsoft Entra ID using Microsoft Entra Connect (formerly Azure AD Connect). The source of authority for these accounts is the on-premises directory, but they can authenticate to cloud resources. These users often use password hash synchronization, pass-through authentication, or federation to sign in.
c. External Guest Users (B2B Collaboration)
These are users from outside your organization who are invited to collaborate. They are represented in your directory as guest users (UserType = Guest). They authenticate using their home organization's identity provider (another Entra ID tenant, a Microsoft account, Google federation, email one-time passcode, etc.). This is the foundation of Microsoft Entra External ID (B2B). Guest users appear in your directory but their credentials are managed externally.
d. External Members
In multi-tenant organizations, external users can be given member-level access (UserType = Member) rather than guest-level access. This is a less common but important distinction.
2. Device Identities
Devices can also have identities in Microsoft Entra ID. This is essential for scenarios like Conditional Access policies that evaluate device compliance or for device-based authentication. Device identity types include:
a. Microsoft Entra Registered
Typically personal (BYOD) devices. The user signs in with a local account, and the device is registered with Entra ID. Supports scenarios like mobile device management (MDM).
b. Microsoft Entra Joined
Corporate-owned devices that are joined directly to Microsoft Entra ID (no on-premises AD required). Users sign in with their Entra ID work account. Best for cloud-first organizations.
c. Microsoft Entra Hybrid Joined
Devices that are joined to both on-premises Active Directory and Microsoft Entra ID. This is common in organizations transitioning to the cloud while maintaining on-premises infrastructure.
3. Workload Identities
Workload identities represent software workloads rather than people. These are critical for automation, application integration, and service-to-service communication.
a. Applications and Service Principals
When an application is registered in Microsoft Entra ID, an application object is created (the global definition) and a service principal is created in each tenant where the application is used (the local instance). The service principal is the identity that the application uses to authenticate and access resources. Service principals can be assigned roles and permissions just like user identities.
b. Managed Identities
Managed identities are a special type of service principal that eliminates the need for developers to manage credentials. Azure automatically manages the identity's lifecycle and credentials. There are two types:
- System-assigned managed identity: Tied to a specific Azure resource (e.g., a Virtual Machine or Azure Function). When the resource is deleted, the managed identity is automatically deleted.
- User-assigned managed identity: Created as a standalone Azure resource. It can be assigned to one or more Azure resources and persists independently of any single resource.
Managed identities are a best practice because they eliminate the risk of credential exposure — there are no passwords or certificates for developers to handle.
4. External Identities (Microsoft Entra External ID)
Microsoft Entra External ID encompasses identity scenarios for people outside your organization:
- B2B Collaboration: Invite external users (guests) to access your organization's apps and resources.
- B2B Direct Connect: Establish mutual trust with another Entra ID organization for seamless collaboration (e.g., Teams shared channels).
- External ID for Customers (CIAM): Build customer-facing applications with identity management for consumers and business customers.
How Do These Identities Work Together?
In a typical enterprise environment, all these identity types coexist:
- Employees use internal or hybrid user identities to access corporate resources.
- Partners and vendors are invited as guest users through B2B collaboration.
- Devices are registered or joined to ensure they meet security requirements before granting access.
- Applications and services use service principals or managed identities to authenticate to APIs and Azure resources without human intervention.
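As an added example (not part of this guide), the following Python classifier maps Microsoft Graph directory objects onto the user, device, and workload identity types described in the sections above, using the property names Graph exposes (userType, onPremisesSyncEnabled, trustType, servicePrincipalType). The sample objects and domain names are constructed, and the "isExplicit=" marker in alternativeNames is assumed from observed Graph output rather than taken from this page.

```python
# Map Microsoft Graph directory objects onto the identity types above.
# Sample objects are constructed; the 'isExplicit=' marker is assumed.
DEVICE_TRUST = {"AzureAd": "Entra joined", "ServerAd": "Hybrid joined",
                "Workplace": "Entra registered"}  # Graph device.trustType

def classify_user(u):
    # userType (Guest/Member) is independent of source (internal/external).
    if u.get("userType") == "Guest":
        return "user: external guest (B2B)"
    if "#EXT#" in u.get("userPrincipalName", ""):
        return "user: external member"
    if u.get("onPremisesSyncEnabled"):
        return "user: synchronized (hybrid)"
    return "user: internal member (cloud)"

def classify_workload(sp):
    if sp.get("servicePrincipalType") != "ManagedIdentity":
        return "workload: service principal"
    # Assumed convention: isExplicit=True marks a user-assigned identity.
    if "isExplicit=True" in sp.get("alternativeNames", []):
        return "workload: user-assigned managed identity"
    return "workload: system-assigned managed identity"

def classify(obj):
    kind = obj.get("@odata.type", "")
    if kind.endswith(".user"):
        return classify_user(obj)
    if kind.endswith(".device"):
        return "device: " + DEVICE_TRUST.get(obj.get("trustType"), "unknown join state")
    if kind.endswith(".servicePrincipal"):
        return classify_workload(obj)
    return "unknown object type"

def guests_for_access_review(objs):
    # Guest accounts are what a recurring access review should revisit.
    return [o["userPrincipalName"] for o in objs
            if classify(o) == "user: external guest (B2B)"]

# Constructed sample shaped like Graph responses (domains are fictional).
SAMPLE = [
    {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "alice@contoso.example",
     "userType": "Member", "onPremisesSyncEnabled": None},
    {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "bob@contoso.example",
     "userType": "Member", "onPremisesSyncEnabled": True},
    {"@odata.type": "#microsoft.graph.user", "userType": "Guest",
     "userPrincipalName": "carol_fabrikam.example#EXT#@contoso.example"},
    {"@odata.type": "#microsoft.graph.servicePrincipal", "displayName": "vm-prod-01",
     "servicePrincipalType": "ManagedIdentity", "alternativeNames": ["isExplicit=False"]},
]
```

Run `classify` over a real `/users`, `/devices`, or `/servicePrincipals` listing to get an inventory by identity type, and feed `guests_for_access_review` into whatever access review process the organization uses.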
All of these identities can be governed through Conditional Access policies, role-based access control (RBAC), Privileged Identity Management (PIM), and Identity Governance features like access reviews and entitlement management.
The Zero Trust model requires that every identity — whether user, device, or workload — is verified explicitly before granting access. Understanding the different identity types helps you understand why different verification and governance mechanisms exist.
Key Concepts to Remember for the SC-900 Exam
- Identity is the primary security perimeter in modern cloud environments.
- User identities can be cloud-only, synchronized/hybrid, or external (guest).
- Device identities include Entra Registered, Entra Joined, and Hybrid Joined devices.
- Workload identities include service principals and managed identities.
- Managed identities eliminate the need to manage credentials and come in system-assigned and user-assigned varieties.
- Guest users authenticate with their home identity provider, not your organization's credentials.
- Service principals are the local representation of an application in a specific tenant.
Exam Tips: Answering Questions on Types of Identities in Microsoft Entra ID
Tip 1: Know the Difference Between Guest and Member UserType
The exam may test whether you understand that guest users have limited default permissions compared to members. Remember that UserType (Guest vs. Member) is separate from the user's source (internal vs. external).
Tip 2: Understand Managed Identities Deeply
Questions often focus on the difference between system-assigned and user-assigned managed identities. Remember: system-assigned is tied to one resource and shares its lifecycle; user-assigned is independent and can be shared across multiple resources.
Tip 3: Distinguish Between Application Object and Service Principal
The application object is the global template (defined in the home tenant). The service principal is the local instance in each tenant. When a question asks about what an application uses to authenticate, the answer is typically the service principal.
Tip 4: Remember the Three Device Join States
Entra Registered = BYOD/personal devices. Entra Joined = cloud-only corporate devices. Hybrid Joined = on-premises AD + Entra ID. If a question describes a scenario with on-premises AD still in use, the answer is likely Hybrid Joined.
Tip 5: B2B vs. B2C (CIAM) Scenarios
B2B is for partners, vendors, and collaborators accessing your organization's resources. External ID for customers (CIAM) is for consumers accessing your customer-facing applications. Don't confuse these two scenarios.
Tip 6: Watch for Zero Trust Connections
When a question mentions verifying every identity explicitly, think about how all identity types (user, device, workload) must be authenticated and authorized. This ties identity types back to the Zero Trust framework.
Tip 7: Credential Management Questions
If a question asks about the most secure way for an Azure service to authenticate to another Azure service without managing secrets, the answer is almost always managed identities.
Tip 8: Hybrid Identity Synchronization
Know that Microsoft Entra Connect is the tool used to synchronize on-premises identities to the cloud. Questions may reference password hash sync, pass-through authentication, or federation — understand at a high level what each does.
Tip 9: Read Scenario Questions Carefully
Many SC-900 questions present a scenario and ask you to identify the correct identity type. Focus on key phrases like "external partner," "automated process," "personal device," or "Azure resource accessing another resource" to determine the identity type being described.
Tip 10: Governance Applies to All Identity Types
Access reviews, entitlement management, and PIM can apply to different identity types. Guest user access reviews are a commonly tested scenario — organizations regularly review whether external guests still need access.