Microsoft Azure — Microsoft Entra ID (Azure AD)
Entra ID tenants, users, groups, directory roles, application registrations, and hybrid identity..
20+ years shipping production infrastructure and CI/CD at scale. Drawn from code that ran under real load.
- ✓Azure subscription (free tier works), Azure CLI installed (version 2.50+), PowerShell 7+ with Microsoft Graph module (Install-Module Microsoft.Graph), basic understanding of cloud computing and identity concepts.
Microsoft Entra ID (Azure AD) is like having a specialized tool that handles entra id in the Microsoft cloud — you manage the configuration, Azure handles the infrastructure.
Azure is Microsoft's cloud computing platform offering over 200 services. This article covers microsoft entra id (azure ad) with production-ready configurations, best practices, and hands-on examples.
What Is Microsoft Entra ID and Why It Matters
Microsoft Entra ID, formerly Azure Active Directory, is Microsoft's cloud-based identity and access management service. It provides authentication and authorization for users, applications, and resources both in the cloud and on-premises. Unlike traditional on-premises Active Directory, Entra ID is a multi-tenant, cloud-native directory service that supports modern protocols like OAuth 2.0, OpenID Connect, and SAML. For DevOps teams, Entra ID is the backbone of access control for Azure resources, enabling single sign-on (SSO), multi-factor authentication (MFA), and conditional access policies. Understanding Entra ID is critical because misconfigurations are a leading cause of security breaches in cloud environments. In production, you'll use it to manage identities for your CI/CD pipelines, application users, and service principals.
Setting Up Your First Entra ID Tenant
Every Azure subscription is associated with an Entra ID tenant. If you don't have one, create it via the Azure portal or using the Azure CLI. The tenant is automatically created when you sign up for Azure, but you can also create a standalone tenant for development. Key objects in a tenant include users, groups, applications, and service principals. For DevOps, you'll often create service principals for automated tools like Terraform, Jenkins, or GitHub Actions. When creating a tenant, pay attention to the initial domain name (e.g., contoso.onmicrosoft.com) and consider adding a custom domain for production. A common mistake is using the default domain for user emails, which can cause confusion. Always configure at least one Global Administrator and enable security defaults for basic protection.
Users, Groups, and Administrative Units
Users are the core identity objects in Entra ID. You can create cloud-only users or synchronize from on-premises Active Directory using Azure AD Connect. Groups simplify access management by assigning permissions to a collection of users. Use security groups for permissions and Microsoft 365 groups for collaboration. For fine-grained administrative control, use Administrative Units to delegate management of specific users or groups without granting global admin rights. In production, follow the principle of least privilege: assign users only the roles they need. Avoid using Global Administrator for daily tasks; instead, use role-specific administrators like User Administrator or Application Administrator. Regularly review guest users and remove stale accounts to reduce attack surface.
Service Principals and Managed Identities
Service principals are the identity for applications and automation tools. When you register an application in Entra ID, a service principal is created in your tenant. You can assign roles to service principals to grant access to Azure resources. However, managing secrets for service principals is error-prone. Managed identities are a safer alternative: they are automatically managed by Azure and eliminate the need to store credentials. There are two types: system-assigned (tied to a specific resource) and user-assigned (standalone identity that can be assigned to multiple resources). For DevOps pipelines, prefer managed identities over service principals. For example, a VM running a CI/CD agent can use a managed identity to access Azure Key Vault without any secrets.
Conditional Access Policies for DevOps
Conditional Access is the policy engine that enforces access controls based on signals like user location, device state, and risk level. For DevOps, you can create policies that require MFA for accessing the Azure portal, block access from untrusted IP ranges, or require compliant devices for CI/CD pipeline access. Policies are evaluated at sign-in and can grant, block, or require additional verification. A common production pattern is to require MFA for all administrative actions but allow service principals to bypass MFA via exclusion. Be careful with policy ordering: if you block all access accidentally, you can lock yourself out. Always create a break-glass account excluded from all policies.
Application Registration and Permissions
To integrate an application with Entra ID, you register it in the App Registrations blade. This creates an application object that defines the app's authentication settings, redirect URIs, and required API permissions. Permissions can be delegated (on behalf of a user) or application (app-only). For DevOps tools like Terraform or GitHub Actions, you typically use application permissions with client credentials flow. When granting permissions, be precise: request only the minimum scopes needed. Over-permissioning is a common security issue. Also, configure redirect URIs carefully to avoid open redirect vulnerabilities. In production, use certificate-based authentication instead of client secrets for higher security.
Integrating Entra ID with Azure DevOps
Azure DevOps can use Entra ID for authentication and access control. When you connect your Azure DevOps organization to an Entra ID tenant, you enforce corporate credentials and can use Conditional Access policies. This integration also enables group-based licensing and automatic user provisioning. To connect, go to Azure DevOps Organization Settings > Microsoft Entra ID. Once connected, all users must sign in with their Entra ID credentials. For service connections, use managed identities or service principals with appropriate permissions. A common pitfall is disconnecting the tenant without migrating users, which can lock everyone out. Always plan the migration carefully and communicate with your team.
Monitoring and Auditing with Entra ID Logs
Entra ID provides three types of logs: sign-in logs, audit logs, and provisioning logs. Sign-in logs show who signed in, from where, and whether it succeeded. Audit logs track changes to directory objects like user creation or role assignment. Provisioning logs detail synchronization from HR systems or other directories. For DevOps, these logs are essential for security investigations and compliance. You can stream logs to Azure Monitor, Log Analytics, or a SIEM like Sentinel. Set up alerts for suspicious activities like multiple failed sign-ins or role assignments to privileged roles. In production, retain logs for at least one year for compliance and use diagnostic settings to export them to a storage account or event hub.
Common Pitfalls and How to Avoid Them
Misconfigurations in Entra ID can lead to security breaches or service outages. Common pitfalls include: (1) Using the default domain for user sign-ins, which makes phishing easier. (2) Over-permissioning service principals with Contributor instead of a custom role. (3) Not enabling MFA for all users, especially admins. (4) Leaving legacy authentication protocols enabled, which bypass MFA. (5) Forgetting to review guest users, leading to stale access. (6) Not using break-glass accounts for emergency access. To avoid these, implement a least-privilege model, enable security defaults, and regularly audit permissions. Use tools like Microsoft Secure Score to track your security posture.
| File | Command / Code | Purpose |
|---|---|---|
| check-tenant.sh | az account show --query tenantId -o tsv | What Is Microsoft Entra ID and Why It Matters |
| create-tenant.sh | az account create --name "DevTenant" --offer-type MS-AZR-0017P --subscription-na... | Setting Up Your First Entra ID Tenant |
| create-user.ps1 | Connect-MgGraph -Scopes "User.ReadWrite.All" | Users, Groups, and Administrative Units |
| create-managed-identity.sh | az identity create --name "MyPipelineIdentity" --resource-group "rg-devops" | Service Principals and Managed Identities |
| create-ca-policy.ps1 | Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" | Conditional Access Policies for DevOps |
| register-app.sh | az ad app create --display-name "MyDevOpsApp" --sign-in-audience AzureADMyOrg --... | Application Registration and Permissions |
| connect-azuredevops.sh | az devops admin user update --organization https://dev.azure.com/myorg --origin-... | Integrating Entra ID with Azure DevOps |
| export-logs.ps1 | Connect-MgGraph -Scopes "AuditLog.Read.All" | Monitoring and Auditing with Entra ID Logs |
| check-legacy-auth.sh | az rest --method get --uri "https://graph.microsoft.com/v1.0/policies/authentica... | Common Pitfalls and How to Avoid Them |
Key takeaways
Common mistakes to avoid
3 patternsNot planning entra id properly before deployment
Ignoring Azure best practices for entra id
Overlooking cost implications of entra id
Interview Questions on This Topic
Explain Microsoft Entra ID (Azure AD) and its use cases.
Frequently Asked Questions
20+ years shipping production infrastructure and CI/CD at scale. Drawn from code that ran under real load.
That's Azure. Mark it forged?
4 min read · try the examples if you haven't