Entra ID and Identity Types
Microsoft Entra ID and the Entra family
Sign in to Microsoft 365, the Azure portal, or a connected SaaS app, and the directory that decides who you are is Microsoft Entra ID. It is Microsoft's cloud-based identity and access management service[1], which authenticates users, applications, and devices and then governs what each one may reach. Entra ID was named Azure Active Directory (Azure AD) until 2023; the service is the same, only the name changed.
Entra ID is not Active Directory in the cloud
The most common misconception is that Entra ID is on-premises Active Directory Domain Services (AD DS) moved to Azure. It is not. Entra ID has no domain controllers, no organizational units, and no Group Policy, and it authenticates with internet protocols such as SAML, OAuth 2.0, and OpenID Connect rather than Kerberos and LDAP. When a legacy application in Azure genuinely needs Kerberos, NTLM, LDAP, or Group Policy, that job belongs to a separate product, Microsoft Entra Domain Services[2], which stands up a managed domain for you.
One directory, one family
Microsoft Entra is the family name for a group of identity and network access products[1], and Entra ID is the foundational directory at its center. The specialized siblings build on that directory: Entra ID Protection scores sign-in and user risk, Entra ID Governance runs access reviews and identity lifecycle, Entra External ID handles customer and partner identities, Entra Workload ID secures application identities, and Entra Verified ID issues verifiable credentials. For the exam, keep the directory itself separate from these add-ons. A question that describes risk-based sign-in policies is pointing at ID Protection, not at Entra ID on its own.
Tenants and editions
Every organization that adopts a Microsoft cloud service gets its own tenant[1], a dedicated instance of Entra ID with an initial domain like contoso.onmicrosoft.com. Features are licensed in tiers: Entra ID Free covers the core directory and sign-in, while Entra ID P1 and P2 add premium capabilities. Naming the tier a feature needs is fair on SC-900 (Conditional Access requires P1, and ID Protection's risk detection requires P2[3]), but memorizing a full price sheet is out of scope.
The identity types Entra ID manages
Entra ID does not just track people. Anything it can authenticate and authorize is an identity, whether that is an employee, a background service reading a database, or a laptop checking in for a policy decision. Microsoft sorts identities into human and machine identities[4]: users are the human ones, and machine identities split into workload identities and devices.
Users: members and guests
A user identity represents a person. Your own employees are members. When you invite someone from outside, a partner or a vendor, Entra External ID B2B collaboration[5] adds them as a guest who keeps signing in with their own home credentials, so you never issue or manage a password for them. Member versus guest is the distinction this topic tests.
Workload identities: application, service principal, managed identity
A workload identity is an identity for software rather than a person. In Entra ID it takes three forms[4]: an application, a service principal, and a managed identity. The application object is the global blueprint of an app, and it lives once, in the tenant where the app was registered. The service principal[6] is the local instance of that app inside a specific tenant, and it is the thing that actually holds permissions and role assignments. One application object can have many service principals, one in every tenant that uses the app.
Managed identity: system-assigned versus user-assigned
A managed identity is a special service principal that an Azure resource uses to get Entra ID tokens with no secret to store, and it costs nothing extra. It comes in two flavors, and the difference is the single most tested point on this page. A system-assigned identity[4] is created on one Azure resource and shares that resource's lifecycle: delete the resource and Azure deletes the identity, so it is strictly one-to-one and cannot be shared. A user-assigned identity is created as its own standalone Azure resource with an independent lifecycle, and you can attach it to many resources, so it is the reusable choice when several workloads need the same access.
Devices
A device gets an identity so Entra ID can weigh it in an access decision, which is what makes device-based Conditional Access[7] and Intune management possible. There are three ways to get one: Entra registered for personal, bring-your-own devices; Entra joined for organization-owned Windows devices that live only in the cloud; and Entra hybrid joined for devices joined to both on-premises AD and Entra ID, a stepping stone for organizations that still run an on-premises domain.
Hybrid identity: sync versus authentication
Picture an employee who has signed in to the on-premises domain for years and now needs Microsoft 365. You do not want a second, unrelated cloud account. Hybrid identity[8] solves this by giving the person one identity that works both on-premises and in the cloud.
The sync tool is a separate decision from the sign-in method
Two independent choices make hybrid identity work, and swapping them is the classic exam trap. The first is how accounts get into the cloud: Microsoft Entra Connect[3], or the lighter-weight Microsoft Entra Cloud Sync, synchronizes users and groups from on-premises Active Directory into Entra ID. The second is how a sign-in is verified, the authentication method. These are set independently, so the same directory sync can sit under any of the three authentication methods below.
Three ways to verify a hybrid sign-in
Password hash synchronization (PHS)[3] is the simplest: a hash of the on-premises password hash is synchronized to Entra ID, which then verifies sign-ins itself, in the cloud. Because it needs nothing on-premises beyond the sync server, Microsoft recommends enabling it even alongside the other methods, so cloud sign-in survives an on-premises outage. Pass-through authentication (PTA) instead installs a lightweight agent on-premises that validates the password directly against Active Directory, so the password check never happens in the cloud. Federation, usually with Active Directory Federation Services (AD FS) though other trusted identity providers are supported, hands the sign-in off entirely to that on-premises system, which verifies the password on-premises and needs its own server farm and TLS certificate. The overview's comparison table lines these three up side by side.
Exam-pattern recognition
SC-900 questions in this area almost always turn on one of a handful of look-alike pairs. Train yourself to spot which pair a stem is testing.
Sync tool versus authentication method
If a question asks how on-premises accounts get into the cloud, the answer names Microsoft Entra Connect[3] or Entra Cloud Sync. If it asks how a hybrid sign-in is verified, the answer is one of the three authentication methods (password hash synchronization, pass-through authentication, or federation). A stem that says an organization wants the simplest option, or wants cloud sign-in to keep working when the on-premises servers fail, is pointing at password hash synchronization.
System-assigned versus user-assigned managed identity
Watch the resource count. One resource that owns its identity for its whole life is system-assigned. An identity that several resources share, or that must outlive any single resource, is user-assigned. A stem that stresses reuse across multiple resources is user-assigned every time.
Member versus guest, and identity type versus product
An external partner who signs in with their own credentials is a guest, added through B2B collaboration[5], not a member. And keep identity types separate from Entra products: users, workload identities, and devices are identity types, while ID Protection and ID Governance are separate products in the Entra family, not identity types.
Entra ID versus AD DS
If a scenario needs Kerberos, LDAP, NTLM, or Group Policy in Azure, the answer is Microsoft Entra Domain Services[2], not Entra ID. Entra ID is a cloud identity service and does not provide those legacy directory protocols.
Hybrid identity authentication methods
| Criterion | Password hash sync (PHS) | Pass-through auth (PTA) | Federation (AD FS) |
|---|---|---|---|
| Where sign-in is verified | In the cloud, by Entra ID | On-premises AD, via an agent | On-premises AD FS |
| On-premises servers needed | None beyond Entra Connect | One or more lightweight agents | AD FS plus a proxy (WAP) farm |
| Relative setup effort | Lowest, the recommended default | Moderate | Highest |
| Enforces on-prem account state at sign-in | No, subject to sync delay | Yes | Yes |
| TLS certificate required | No | No | Yes |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Microsoft Entra ID is cloud identity, not Active Directory Domain Services
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service; it authenticates users, apps, and devices over internet protocols such as SAML, OAuth 2.0, and OpenID Connect. It is not on-premises AD DS relocated to the cloud, so it has no domain controllers, organizational units, or Group Policy. When a workload in Azure needs Kerberos, LDAP, NTLM, or Group Policy, that job belongs to Microsoft Entra Domain Services, a separate managed-domain product.
Trap Answering Microsoft Entra ID when a scenario requires LDAP, Kerberos, or Group Policy in Azure; those legacy directory features come from Microsoft Entra Domain Services, not from Entra ID.
- Microsoft Entra is the family; Entra ID is the directory inside it
Microsoft Entra is the umbrella name for a set of identity and network access products, and Entra ID is the foundational directory and access service at its center. Specialized siblings sit on top of it: Entra ID Protection for risk detection, Entra ID Governance for access reviews and lifecycle, Entra External ID for customer and partner identity, and Entra Workload ID for application identities. On the exam a described capability usually maps to one specific product rather than to Entra ID in general.
Trap Picking Entra ID Governance to detect risky sign-ins; risk detection is Entra ID Protection, while Governance handles access reviews and identity lifecycle.
- Entra ID identities are users, workload identities, and devices
Everything Entra ID authenticates is an identity, grouped as human identities (users) and machine identities (workload identities and devices). Users are members or guests; workload identities are applications, service principals, and managed identities; devices get an identity through registration or join. Knowing which bucket a thing falls into is the core of the identity-types objective.
Trap Listing groups as an Entra ID identity type; groups are collections used to assign access, not one of the identity types (users, workload identities, devices).
- External collaborators are guests added through B2B, not members
A member is a user from your own organization; a guest is an external person invited through Entra External ID B2B collaboration who signs in with their own home credentials, so you never issue or manage a password for them. Member versus guest is the user distinction SC-900 tests.
Trap Creating a full internal member account for an outside partner instead of inviting them as a B2B guest; the guest keeps their own home identity and you avoid managing their credentials.
5 questions test this
- You need to give a partner company's users access to a shared application in your tenant while allowing them to sign in with their own…
- Partner company users need to access applications in your Microsoft Entra tenant by using their own organizational accounts. Which identity…
- Your organization wants to grant external partner users access to a shared application while leaving their accounts managed in the…
- An organization invites users from a partner company to access shared resources by using Microsoft Entra B2B collaboration. What is true…
- Your organization wants external partner employees to access a shared SharePoint Online site by signing in with their own organization…
- A workload identity is an identity for software, not for a person
Workload identities let applications, services, scripts, and containers authenticate to Entra ID. In Entra ID they take three forms: an application, a service principal, and a managed identity. Reach for one wherever code, rather than a human, needs to sign in and access a protected resource.
3 questions test this
- In Microsoft Entra ID, what are applications, service principals, and managed identities collectively known as?
- Which type of identity in Microsoft Entra ID is assigned to applications and services so that they can authenticate and access resources…
- In Microsoft Entra, which identity types are classified as workload identities?
- The application object is the blueprint; the service principal holds the permissions
An application object is the single global definition of an app, living in the tenant where it was registered, and it acts as a template. A service principal is the local instance of that app inside a specific tenant, and it is the security principal that actually receives permissions and role assignments. One application object maps to many service principals, one in every tenant that uses the app.
Trap Assigning permissions to the application object; access is granted to the service principal, which is the app's local instance in the tenant.
- A managed identity is a service principal that removes stored secrets
A managed identity is a special type of service principal that an Azure resource uses to obtain Entra ID tokens with no credential to store or rotate, and it is available at no extra cost. It works only with resources and services that support Entra ID authentication.
8 questions test this
- Select the answer that correctly completes the sentence. A managed identity is a special type of [answer choice] in Microsoft Entra ID.
- What type of identity in Microsoft Entra ID eliminates the need for developers to manage credentials when Azure resources need to access…
- A developer needs to grant an Azure virtual machine access to secrets stored in Azure Key Vault without placing any credentials in the…
- A developer has an application hosted outside of Azure that needs to authenticate to Microsoft Entra ID to access protected resources. What…
- An organization wants its Azure-hosted applications to access Azure Key Vault without developers having to store or rotate secrets in code.…
- You need to enable an Azure virtual machine to access Azure Key Vault without storing credentials in code. What should you use?
- What is a primary benefit of using managed identities for Azure resources?
- Select the answer that correctly completes the sentence. Internally, managed identities are [answer choice] that can only be used with…
- System-assigned managed identity is 1:1 with its resource; user-assigned is reusable
A system-assigned managed identity is created on a single Azure resource and shares that resource's lifecycle, so it is deleted with the resource and cannot be shared, a strict one-to-one binding. A user-assigned managed identity is a standalone Azure resource with its own lifecycle that you can attach to many resources, making it the reusable choice when several workloads need the same access or when the identity must outlive any one resource.
Trap Choosing a system-assigned managed identity when several resources must share one identity; system-assigned is bound to a single resource, so shared access needs a user-assigned identity.
6 questions test this
- Select the answer that correctly completes the sentence. When an Azure resource with a system-assigned managed identity is deleted, the…
- What are the two types of managed identities available in Microsoft Entra ID?
- What happens to a system-assigned managed identity when the Azure resource it is enabled on is deleted?
- What is a characteristic of a user-assigned managed identity?
- A company needs a single Microsoft Entra identity that can be shared across several Azure virtual machines and whose lifecycle is…
- What happens to a system-assigned managed identity when the Azure resource it is associated with is deleted?
- Devices need an identity for Conditional Access and Intune
Giving a device an identity in Entra ID lets policy engines weigh the device in an access decision, which is what enables device-based Conditional Access and Microsoft Intune management. Without a device identity, Entra ID cannot require, for example, a compliant or managed device.
3 questions test this
- You want corporate devices to be represented in Microsoft Entra ID so that their state can be evaluated by Conditional Access policies.…
- What can you create in Microsoft Entra ID to provide a single identity for devices, enabling you to manage and secure the devices that…
- You configure a Conditional Access policy with the grant control set to require the device to be marked as compliant. From which service…
- Entra registered is for personal devices; Entra joined is for org-owned
A device gets an Entra ID identity in one of three ways. Entra registered covers personal, bring-your-own devices, including phones and tablets. Entra joined is for organization-owned devices that live only in the cloud. Entra hybrid joined is for organization-owned devices joined to both on-premises AD and Entra ID, typically a transition step for companies that still run an on-premises domain.
Trap Requiring Entra join for a personal phone; a personal, bring-your-own device only needs Entra registration, while join is for organization-owned devices.
- Hybrid identity gives one identity that works on-premises and in the cloud
Hybrid identity provides a single user identity for authentication and authorization across both on-premises Active Directory and the cloud, so people use the same account everywhere. It is built through directory synchronization plus a chosen sign-in method, and it applies only to organizations that already run an on-premises directory.
6 questions test this
- What is the result of implementing hybrid identity with Microsoft Entra ID?
- A user account originates in on-premises Active Directory and is synchronized to Microsoft Entra ID so the user can access both on-premises…
- Select the answer that correctly completes the sentence. Configuring hybrid identity with Microsoft Entra ID lets users access on-premises…
- Your organization uses both on-premises Active Directory and Microsoft Entra ID. What does configuring hybrid identity provide for your…
- What is the primary benefit of implementing a hybrid identity solution that integrates on-premises Active Directory with Microsoft Entra ID?
- What is the primary benefit of implementing hybrid identities in Microsoft Entra ID for an enterprise?
- Entra Connect synchronizes accounts; it is not the authentication method
Microsoft Entra Connect, and the lighter-weight Entra Cloud Sync, is the tool that synchronizes users and groups from on-premises Active Directory into Entra ID. How a hybrid sign-in is actually verified is a separate choice among three authentication methods, and any sync configuration can sit under any of them.
Trap Naming Microsoft Entra Connect as an authentication method; Entra Connect only synchronizes directory objects, while sign-in is verified by password hash sync, pass-through authentication, or federation.
- Password hash synchronization verifies sign-in in the cloud and is the simplest method
With password hash synchronization (PHS), a hash of the on-premises password hash is synchronized to Entra ID, which then verifies sign-ins itself, in the cloud. It needs nothing on-premises beyond the sync server, so it is the simplest option, and Microsoft recommends enabling it even alongside another method so cloud sign-in survives an on-premises outage.
Trap Assuming password hash synchronization validates the password on-premises; PHS verifies sign-in in the cloud, unlike pass-through authentication, where an on-premises agent performs the check.
4 questions test this
- What does Microsoft Entra Connect synchronize to Microsoft Entra ID when password hash synchronization is enabled?
- What is a characteristic of password hash synchronization in Microsoft Entra Connect?
- Which sign-in method synchronizes a hash of a user's on-premises Active Directory password to Microsoft Entra ID so that users can sign in…
- You use password hash synchronization for hybrid identity. The on-premises server running Microsoft Entra Connect unexpectedly goes offline…
- Pass-through authentication validates the password on-premises via an agent
Pass-through authentication (PTA) installs a lightweight agent on an on-premises server that validates the user's password directly against Active Directory, so the password check never happens in the cloud. It suits organizations that must enforce on-premises account state, such as disabled, locked out, expired, or sign-in hours, at every sign-in.
Trap Standing up AD FS when pass-through authentication would do; PTA validates against on-premises AD with a lightweight agent and needs no federation server farm or TLS certificate.
- Federation hands sign-in off to a trusted system such as AD FS
Federated authentication delegates sign-in to a separate trusted system, typically on-premises Active Directory Federation Services (AD FS), which verifies the password on-premises. It fits requirements Entra ID cannot meet natively, such as certain third-party MFA or smartcard scenarios, but it needs its own server farm and a TLS certificate, which makes it the most complex option.
7 questions test this
- Which authentication option for hybrid identity redirects sign-in requests to a separate trusted authentication system, such as Active…
- Which statement best describes federation in a hybrid identity scenario with Microsoft Entra ID?
- In a hybrid identity deployment, what is the purpose of configuring federation between on-premises Active Directory and Microsoft Entra ID?
- What does federation between Microsoft Entra ID and another identity provider establish to enable users to access resources across…
- In a federated identity scenario with Microsoft Entra ID, what is the primary function of an identity provider (IdP)?
- In a federated hybrid identity configuration that uses Active Directory Federation Services (AD FS), how are users authenticated when they…
- With federated authentication for hybrid identity, where is the user's password actually validated when they sign in to a Microsoft cloud…
- Entra Cloud Sync uses a lightweight cloud-managed provisioning agent
Microsoft Entra Cloud Sync synchronizes on-premises Active Directory identities using a lightweight provisioning agent installed on-premises, with all synchronization configuration managed in the cloud. It supports scenarios that Connect Sync handles poorly, such as synchronizing from multiple disconnected AD forests during mergers and acquisitions.
Trap Assuming Cloud Sync and Connect Sync are interchangeable; Cloud Sync's agent is lightweight and cloud-configured, whereas Connect Sync installs a heavier server configured on-premises.
4 questions test this
- What is a key difference between Microsoft Entra Cloud Sync and Microsoft Entra Connect Sync?
- What does Microsoft Entra Cloud Sync use to synchronize identities from on-premises Active Directory to Microsoft Entra ID?
- Your organization wants to use a lightweight, agent-based synchronization solution that does not require an on-premises synchronization…
- Which scenario is a key benefit of using Microsoft Entra Cloud Sync?
Also tested in
- AZ-104 Microsoft Azure Administrator
- AZ-900 Microsoft Azure Fundamentals
- SC-300 Microsoft Certified: Identity and Access Administrator Associate
- SC-300 Microsoft Certified: Identity and Access Administrator Associate
- SC-300 Microsoft Certified: Identity and Access Administrator Associate
- SC-300 Microsoft Certified: Identity and Access Administrator Associate
References
- What is Microsoft Entra?
- Overview of Microsoft Entra Domain Services
- Authentication for Microsoft Entra hybrid identity solutions
- Managed identities for Azure resources
- Microsoft Entra External ID Overview
- Apps & service principals in Microsoft Entra ID
- What is device identity in Microsoft Entra ID?
- What is hybrid identity with Microsoft Entra ID?