Types of Identities in Microsoft Entra
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Microsoft Entra ID Fundamentals: Understanding Identity Types
Introduction: The Foundation of Modern Security
In the landscape of modern enterprise computing, the concept of a "perimeter" has effectively vanished. Employees no longer work exclusively from behind a corporate firewall, and applications are no longer hosted solely in a local server room. As organizations shift toward cloud-based infrastructures and hybrid environments, the identity of the user, device, or service has become the new primary security boundary. Microsoft Entra ID (formerly Azure Active Directory) serves as the central hub for managing these identities, and understanding the different types of identities within this ecosystem is the most critical step for any administrator, architect, or security professional.
When we talk about "identity" in Microsoft Entra, we are not just talking about a person’s username and password. We are talking about the digital representation of an entity that needs to authenticate to a resource and be authorized to perform specific actions. Whether it is a software developer needing access to a production database, a printer needing to send logs to a cloud storage bucket, or a partner organization needing to collaborate on a shared project, every interaction starts with an identity. Failing to categorize these identities correctly leads to massive security vulnerabilities, such as over-privileged service accounts or unauthorized guest access. By mastering the types of identities available in Entra, you ensure that your security posture is built on a foundation of "least privilege" and rigorous governance.
1. User Identities: The Human Element
User identities represent the people who interact with your organization’s digital resources. These are the most common identities you will encounter, and they are typically categorized based on their relationship with the organization.
Cloud-Only Identities
Cloud-only identities are created directly within the Microsoft Entra ID tenant. They do not have a counterpart in an on-premises Active Directory (AD) environment. These are ideal for "born-in-the-cloud" organizations or for administrative accounts that you want to keep separate from your primary on-premises infrastructure for security reasons.
- Management: Managed entirely through the Microsoft Entra admin center or Graph API.
- Authentication: Passwords are stored and validated directly by Entra ID.
- Use Case: Ideal for temporary staff, contractors who don't need on-premises access, or dedicated global administrator accounts that should never rely on the availability of an on-premises domain controller.
Synchronized Identities (Hybrid)
Most established enterprises use Microsoft Entra Connect or Microsoft Entra Cloud Sync to bridge their existing on-premises Active Directory with Entra ID. In this scenario, the "source of authority" remains the on-premises AD. When a user is created or updated locally, those changes flow into the cloud.
- Authentication: You have options here, such as Password Hash Synchronization (PHS), Pass-through Authentication (PTA), or Federated Authentication (using AD FS or third-party providers).
- Benefit: This allows users to maintain a single identity for both legacy on-premises applications and modern cloud services.
Callout: Source of Authority The "Source of Authority" is the directory where the identity is created and managed. If an identity is synchronized from on-premises, you cannot edit the user's name or email address in the Entra portal; you must perform that action in the on-premises Active Directory. Understanding the source of authority prevents "configuration drift" and ensures that identity management processes remain consistent.
2. Guest Identities: Collaboration Without Borders
In today’s business world, collaboration is constant. You will frequently need to provide external partners, vendors, or consultants access to your internal resources. Microsoft Entra B2B (Business-to-Business) collaboration allows you to invite these external users into your directory without creating a full internal user account for them.
How Guest Identities Function
When you invite a guest, you are essentially creating a "pointer" to their home identity. They keep their own credentials from their own organization (or a social identity like Google or Microsoft account), and your Entra ID simply trusts their authentication.
- Security: You retain control over what they can access through Conditional Access policies.
- Efficiency: You do not have to manage passwords or lifecycle events for these users. If they leave their own company, their access to your tenant is automatically cut off because their home account is disabled.
Note: Always enable the "Guest User Access" restrictions in your Entra ID settings. By default, guests might be able to see other users or groups in your directory. You can configure "Guest User Access Restrictions" to limit their view to only their own profile or to specific groups.
3. Workload Identities: The Non-Human Workforce
Workload identities are perhaps the most overlooked and dangerous category of identities. These represent software, services, and applications that need to authenticate to other resources. If an attacker gains access to a poorly secured workload identity, they can often move laterally through your environment with the permissions assigned to that service.
Service Principals
A Service Principal is the local representation of an application object in a specific tenant. When you register an application in Entra ID, you create an Application Object (the "global" definition) and a Service Principal (the "local" instance in your tenant).
- Purpose: Used by applications to access resources like Microsoft Graph, Key Vault, or SQL databases.
- Authentication: Typically uses client secrets (passwords) or certificates. Always prefer certificates over secrets.
Managed Identities
Managed Identities are a feature of Azure resources (like Virtual Machines, App Services, or Functions). They eliminate the need for developers to manage credentials in their code.
- How it works: The identity is tied to the Azure resource itself. The code running on that resource requests a token from the local Azure Instance Metadata Service (IMDS).
- Security: There are no secrets to rotate, leak, or store in configuration files. This is the gold standard for securing cloud-native applications.
Callout: Service Principals vs. Managed Identities While both are "workload identities," they serve different purposes. A Service Principal is typically used for cross-tenant access or when the application is running outside of Azure. A Managed Identity is strictly for services running within the Azure ecosystem. If your code is running in an Azure VM, you should always use a Managed Identity instead of a hardcoded Service Principal secret.
4. Practical Implementation: Managing Identities
To manage these identities effectively, you must understand how to interact with the Microsoft Graph API. Below is an example of how you might use PowerShell to inspect a Service Principal.
Example: Inspecting a Service Principal
This script retrieves a service principal and checks if it has any associated credentials, which is a key security audit step.
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Application.Read.All"
# Get a specific service principal by its Application ID
$appId = "your-application-id-here"
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
# Check for credentials
if ($sp.PasswordCredentials.Count -gt 0) {
Write-Host "WARNING: This application uses client secrets. Consider moving to certificate-based auth."
} else {
Write-Host "This application uses certificates or is a Managed Identity."
}
Step-by-Step: Creating a Managed Identity
- Navigate to your Azure resource (e.g., a Virtual Machine) in the Azure Portal.
- Under the Settings menu, select Identity.
- Set the Status to On.
- Click Save.
- Once enabled, go to the target resource (e.g., a Storage Account) and assign the appropriate Role-Based Access Control (RBAC) role to the identity you just created for the VM.
5. Best Practices and Industry Standards
Managing identities is not a "set it and forget it" task. It requires an ongoing commitment to hygiene and monitoring.
The Principle of Least Privilege
Never assign "Global Administrator" or "Owner" roles to an identity just because it is easier. Audit your identities regularly. If a Service Principal only needs to read logs from a specific storage account, give it the "Storage Blob Data Reader" role on that specific storage account, not the entire subscription.
Lifecycle Management
Identities often outlive their usefulness. When an employee leaves, their account must be disabled immediately. When a project ends, the Service Principal used for that project should be deleted.
- Automate: Use Entra ID Governance features like Access Reviews to periodically ask resource owners if their guest users or service principals still need access.
- Cleanup: Implement automated scripts to flag service principals that have not been used in the last 90 days.
Protecting Credentials
For human identities, Multi-Factor Authentication (MFA) is non-negotiable. For workload identities, rotate your client secrets every 90 days or switch to certificate-based authentication. If you are using certificates, ensure they are stored in a secure location like Azure Key Vault.
6. Common Pitfalls to Avoid
Even experienced administrators fall into common traps. Avoiding these will save you hours of troubleshooting and potential security breaches.
Pitfall 1: Hardcoding Secrets
Developers often put client secrets directly into source code (like GitHub or Azure DevOps). If that code is ever committed to a public repository, your identity is compromised.
- The Fix: Use Azure Key Vault. Your application should authenticate to the Key Vault using a Managed Identity, retrieve the secret at runtime, and never store it in the source code.
Pitfall 2: Over-provisioning Guest Users
Giving guests "Member" permissions can allow them to see your entire internal directory structure, including email addresses, phone numbers, and organizational charts.
- The Fix: Configure the "Guest user access" setting to "Guest user access is restricted to properties and memberships of their own directory objects."
Pitfall 3: Ignoring Service Principal Expirations
When a client secret or certificate expires, the application using it will break. If that application is a critical business process, you will have an outage.
- The Fix: Set up alerts in Entra ID for expiring credentials. You can use a Logic App to monitor the
endDateTimeproperty of your service principal credentials and send an email notification 30 days before expiration.
7. Comparison: Identity Types at a Glance
| Identity Type | Primary Use Case | Management | Secret Type |
|---|---|---|---|
| Cloud-Only User | Native Cloud Employees | Entra Portal | Password |
| Synchronized User | Hybrid Employees | On-Prem AD | Password (synced) |
| Guest User | External Partners | Entra Portal | Home Directory |
| Service Principal | App-to-App Access | Entra Portal | Secret or Cert |
| Managed Identity | Azure Resource Access | Azure Resource | System-assigned |
8. Advanced Considerations: The Future of Identity
As we look toward the future, the industry is moving away from static passwords entirely. Microsoft Entra ID is leading this charge with features like "Passwordless Authentication" (using FIDO2 security keys or the Microsoft Authenticator app) for human users. For workload identities, the trend is toward "Workload Identity Federation."
Workload Identity Federation
This allows your applications to access Azure resources without needing any client secrets or certificates at all. Instead of the application holding a secret, you establish a trust relationship between your external identity provider (like GitHub Actions or GitLab) and Microsoft Entra ID. When your CI/CD pipeline runs, it requests a token from Entra ID based on the identity of the pipeline itself. This is the most secure way to manage non-human access in modern DevOps workflows.
Warning: Do not attempt to manage identities manually in large organizations. Always use automation (Infrastructure as Code like Terraform or Bicep) to deploy and configure identities. Manual changes are the primary cause of configuration drift and inconsistent security policies.
9. Troubleshooting Identity Issues
When an identity cannot access a resource, the process of elimination is your best friend. Follow this logical flow:
- Check the Sign-in Logs: In the Entra ID portal, look at the "Sign-in logs." Filter by the user or application ID. This will tell you exactly why the authentication failed (e.g., "MFA required," "Conditional Access policy blocked," or "Invalid credentials").
- Audit Logs: If the authentication succeeded but the action was blocked, check the "Audit logs." This might show that the identity is missing the necessary RBAC role.
- Conditional Access: Check if any policies are blocking access based on location, device compliance, or risk level.
- Token Expiration: If an application is failing, check if the access token has expired or if the service principal credentials (secret/cert) have reached their end date.
10. Summary and Key Takeaways
Mastering the types of identities in Microsoft Entra is a journey, not a destination. As your organization grows, your identity landscape will become more complex, making it even more important to stick to the fundamentals.
Key Takeaways for Success:
- Know your source of authority: Always identify where an account is created so you know where to manage it, whether that is on-premises or in the cloud.
- Default to Managed Identities: Never create a Service Principal with a client secret if a Managed Identity can achieve the same result within Azure.
- Enforce Least Privilege: Regularly audit your identities and remove permissions that are no longer required to minimize your attack surface.
- Embrace Lifecycle Governance: Use automated tools to clean up inactive accounts and guest users to keep your directory lean and secure.
- Adopt Modern Authentication: Move away from legacy password-based authentication for both humans (MFA/Passwordless) and applications (Certificates/Workload Identity Federation).
- Monitor and Alert: Treat identity logs as critical security data. If you aren't monitoring your sign-in logs, you are effectively flying blind.
- Standardize with Code: Use Infrastructure as Code (IaC) to ensure that your identity configurations are repeatable, documented, and free from human error.
By focusing on these core principles, you ensure that your identity infrastructure is not just a collection of usernames and passwords, but a robust security perimeter that enables your organization to work securely from anywhere. The complexity of identity management is real, but by breaking it down into these manageable categories, you can build an environment that is both flexible for your users and secure for your data.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons