What Is Microsoft Entra ID (Formerly Azure Active Directory)?
AZ-900 · Updated June 2026
Every time you sign into Microsoft 365, Azure, or a connected application, Microsoft Entra ID is the service that checks who you are and what you are allowed to access. It is Azure's identity platform, and it sits at the centre of security for almost everything Microsoft hosts in the cloud. The AZ-900 exam tests it as a core concept because identity is the foundation of access control in Azure.
What Microsoft Entra ID is
Microsoft Entra ID is a cloud-based identity and access management service. Its job is to authenticate users (verify that they are who they claim to be) and authorize them (determine what they are allowed to do). It manages the identities of people, applications, and devices that need to access Microsoft cloud services.
You may know it by its previous name: Azure Active Directory, or Azure AD. Microsoft rebranded it to Microsoft Entra ID in 2023 as part of a broader Entra product family. The underlying service is the same. If you see Azure AD mentioned in older study materials or exam questions, it refers to the same thing.
Every Azure subscription is connected to a Microsoft Entra ID tenant. A tenant is an organisation's dedicated instance of Entra ID, containing all its users, groups, and application registrations. When a company signs up for Microsoft 365 or Azure, a tenant is created automatically.
What Microsoft Entra ID does
The core capabilities of Microsoft Entra ID cover the full lifecycle of identity and access:
- arrow_rightAuthentication: verifying that users are who they claim to be, including support for multi-factor authentication (MFA) and passwordless sign-in methods like Windows Hello and the Microsoft Authenticator app.
- arrow_rightSingle sign-on (SSO): once a user signs in, they can access all connected applications without signing in again. This works across Microsoft 365, Azure, and thousands of third-party SaaS applications.
- arrow_rightApplication access management: organisations register applications with Entra ID and control which users or groups can access them.
- arrow_rightConditional access: policies that evaluate context before granting access. For example, requiring MFA when a user signs in from an unfamiliar location or blocking access from non-compliant devices.
- arrow_rightExternal identities: allowing partners, suppliers, or customers to sign in using their own credentials from other identity providers.
How it differs from Windows Server Active Directory
This distinction comes up on the AZ-900 exam. Windows Server Active Directory (on-premises AD) and Microsoft Entra ID are related but different services designed for different environments.
| Windows Server AD | Microsoft Entra ID | |
| Environment | On-premises corporate network | Cloud and internet |
| Protocols | Kerberos, LDAP, NTLM | OAuth 2.0, SAML, OpenID Connect |
| Structure | Domains, forests, OUs | Tenants, users, groups |
| Device management | Domain join | Entra join / Intune |
| Primary use | Internal network resources | Cloud apps and SaaS |
Organisations with an existing on-premises Active Directory can connect it to Microsoft Entra ID using Microsoft Entra Connect. This hybrid setup synchronises user accounts so that employees can use the same credentials for both on-premises resources and cloud services. AZ-900 mentions hybrid identity as a concept but does not go deep into the configuration details.
Microsoft Entra ID editions
Microsoft Entra ID comes in several tiers. The Free tier is included with every Azure subscription and Microsoft 365 plan. It covers basic authentication, SSO, and user management. The Premium P1 and P2 tiers add conditional access, identity protection, privileged identity management, and access reviews. AZ-900 does not test the specific feature differences between tiers in depth, but knowing that a free tier exists and that advanced features require Premium is useful.
How to answer Microsoft Entra ID questions on the exam
- 1
Identity service questions
Which Azure service manages user identities and controls access to resources? The answer is Microsoft Entra ID. Which service enables single sign-on across Microsoft 365 and Azure? Also Microsoft Entra ID.
- 2
Comparison questions
What is the difference between Microsoft Entra ID and on-premises Active Directory? Entra ID is cloud-based and uses modern web protocols. On-premises AD is network-based and uses Kerberos and LDAP. They are complementary, not the same thing.
- 3
Feature questions
Which feature requires users to prove their identity with a second factor in addition to their password? That is multi-factor authentication (MFA), enforced through Microsoft Entra ID. Which feature grants or blocks access based on user location or device state? That is conditional access, also part of Entra ID.
Frequently asked questions
▶What is Microsoft Entra ID?
Microsoft Entra ID is Microsoft's cloud-based identity and access management service. It handles authentication (proving who you are) and authorization (controlling what you can access) for cloud applications and services. It is the identity backbone of Microsoft 365, Azure, and thousands of third-party SaaS applications. It was previously called Azure Active Directory (Azure AD).
▶What is the difference between Microsoft Entra ID and Windows Server Active Directory?
Windows Server Active Directory is an on-premises directory service designed for managing users, computers, and resources inside a corporate network. It uses protocols like Kerberos and LDAP. Microsoft Entra ID is a cloud identity service built for internet-scale access to web applications and APIs. It uses modern protocols like OAuth 2.0 and SAML. They serve related but different purposes and can be connected through hybrid identity setups using Microsoft Entra Connect.
▶What does Microsoft Entra ID do?
Microsoft Entra ID authenticates users signing into Microsoft 365, Azure, and connected applications. It enforces multi-factor authentication, manages group memberships and role assignments, enables single sign-on across applications, supports external identity federation, and provides conditional access policies that evaluate context before granting access.
▶Why did Microsoft rename Azure Active Directory to Microsoft Entra ID?
Microsoft rebranded Azure Active Directory to Microsoft Entra ID in 2023 as part of a broader Microsoft Entra product family that includes identity governance, permissions management, and verified ID. The rename reflects the expanded scope beyond traditional Active Directory concepts. For AZ-900 purposes, Azure AD and Microsoft Entra ID refer to the same service.
▶How does AZ-900 test Microsoft Entra ID?
AZ-900 tests Entra ID as Azure's identity service for authentication and access control. Common question patterns: what service manages user identities in Azure (Entra ID), what enables single sign-on across Microsoft services (Entra ID), what is the difference between Entra ID and on-premises AD, and which feature requires a user to provide a second form of verification (multi-factor authentication, which Entra ID enforces).
Microsoft Entra ID is not a peripheral Azure service. It is the identity layer that every other service relies on. Understanding what it is, how it relates to on-premises Active Directory, and what features it provides will help you across multiple domains of the AZ-900 exam, not just the identity questions.
The key things to remember: Entra ID is cloud-only, it uses modern protocols, it is included free with every Azure subscription, and it is the service behind every Microsoft 365 and Azure sign-in.
Ready to practise AZ-900 questions?
15 questions free · no account needed.