Azure Identity & Entra ID (Microsoft Entra ID)
Understand Microsoft Entra ID, users, groups, roles, RBAC, and how identity works across Azure.
“Welcome back. Today we're covering identity — arguably the most important security topic in Azure. In the cloud, identity is the new perimeter. Your network firewall used to be your main defence; now it's who can authenticate and what they're allowed to do. Get identity right and your environment is secure. Get it wrong and you're one leaked password away from disaster.”
“Microsoft Entra ID, formerly known as Azure Active Directory, is Microsoft's cloud identity platform. Every Azure subscription is backed by an Entra ID tenant. It manages who your users are, what groups they belong to, and which applications they can access. It provides Single Sign-On across Microsoft 365, Azure, and thousands of third-party SaaS applications. If you've ever logged into Office 365, you've used Entra ID.”
“Users represent individual identities — people in your organization or external guests. Groups let you manage permissions at scale. Instead of assigning access to each person one by one, you put them in a group and assign permissions once to the group. When someone joins or leaves a team, you just update group membership. Best practice: never assign permissions directly to individual users — always use groups.”
“Role-Based Access Control is how Azure manages permissions. Every RBAC assignment has three components: who gets access — the security principal; what they can do — the role; and where — the scope. The scope can be as broad as an entire subscription or as narrow as a single storage account. Permissions flow down the hierarchy — if you assign a role at subscription scope, it applies to all resource groups and resources within it.”
“Azure comes with over 300 built-in roles. The four fundamental ones are: Owner — complete control including granting access to others; Contributor — can create and manage all resources but can't grant access; Reader — view-only, perfect for auditors or monitoring teams; and User Access Administrator — can manage who has access but can't touch the resources themselves. For most scenarios, these four cover your needs.”
“Least privilege is the golden rule of access management. Give people only the permissions they need for their job, scoped to only the resources they need to access. If someone needs to read logs from one storage account, give them Storage Blob Data Reader on that specific account — not Contributor on the entire subscription. Privileged Identity Management, or PIM, takes this further by making admin access time-limited and approval-based.”
“Multi-Factor Authentication is the single highest-impact security control you can enable. Microsoft's data shows MFA blocks 99.9% of automated account attacks. Even if a password is stolen, the attacker can't get in without the second factor. Use Conditional Access policies to enforce MFA based on conditions — for example, require MFA when signing in from outside the corporate network or when accessing sensitive applications.”
“Applications and services also need identities to authenticate with Azure. A Service Principal is like a user account for your app. But managing service principal credentials — rotating secrets, avoiding leaks — is painful. Managed Identity solves this by letting Azure automatically manage the identity and credentials for you. Your app code just requests a token, Azure handles everything else. No secrets in your code or config files. Always use Managed Identity when available.”
“Let's put this into practice. I'll create a user, add them to a group, assign the Reader role scoped to a resource group, then sign in as that user to confirm they can view resources but not make changes. Then I'll enable MFA and show how the authentication flow changes. These are everyday tasks for an Azure administrator.”
“Excellent. You now understand the identity fundamentals that underpin all of Azure security. Entra ID manages who your users are, RBAC controls what they can do, and Managed Identity keeps your applications secure without credential management overhead. In the next video we shift to developer services — Azure App Service, the easiest way to deploy web applications without managing servers.”
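As an added illustration of the RBAC model described above (not code from the course or from Microsoft): a small POSIX shell evaluator that represents an assignment as (principal, role, scope), walks scope inheritance down from the subscription, and keeps control-plane Actions separate from DataActions. The built-in role names are real but their permission lists are abbreviated; the subscription ID, users, groups and resource IDs are made up, and deny assignments and ABAC conditions are not modelled.

```shell
#!/usr/bin/env sh
# Added example, not Azure's code: a toy evaluator that mirrors how an Azure
# RBAC decision falls out of (principal, role, scope) assignments. Role names
# are real built-in roles with abbreviated permission lists; the subscription
# ID, users, groups and resource IDs are made up. Deny assignments are ignored.
set -f   # no pathname expansion: patterns such as "*/read" must stay literal

SUB="/subscriptions/11111111-1111-1111-1111-111111111111"

# role|Actions|NotActions|DataActions|NotDataActions (space-separated patterns)
ROLE_DEFS='Owner|*|||
Contributor|*|Microsoft.Authorization/*/Write Microsoft.Authorization/*/Delete||
Reader|*/read|||
User Access Administrator|*/read Microsoft.Authorization/*|||
Storage Blob Data Reader|Microsoft.Storage/storageAccounts/blobServices/containers/read||Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read|'

# principal|role|scope  (assigned to groups, never to individual users)
ASSIGNMENTS="auditors|Reader|$SUB
platform-admins|Owner|$SUB
app-devs|Contributor|$SUB/resourceGroups/rg-app
log-readers|Storage Blob Data Reader|$SUB/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/stlogs001"

# user|groups (direct membership)
MEMBERS='alice|auditors log-readers
bob|app-devs
carol|platform-admins'

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }   # actions and scopes compare case-insensitively
field() { printf '%s\n' "$1" | cut -d'|' -f"$2"; }         # N-th '|'-separated field of a record
groups_of() { printf '%s\n' "$MEMBERS" | grep "^$1|" | cut -d'|' -f2; }

# scope_covers ASSIGNMENT_SCOPE RESOURCE_ID: equal, or a parent on a "/"
# boundary, so an assignment on rg-app does not leak into rg-app2.
scope_covers() {
  case "$2" in
    "$1"|"$1"/*) return 0 ;;
  esac
  return 1
}

# any_match "PATTERN ..." ACTION: glob match; as in Azure, "*" spans "/" segments.
any_match() {
  local pat
  for pat in $1; do
    case "$2" in $pat) return 0 ;; esac
  done
  return 1
}

# rbac_allows USER PLANE ACTION RESOURCE_ID -> exit status 0 when allowed.
# PLANE is "control" (Actions/NotActions) or "data" (DataActions/NotDataActions);
# a data-plane operation is never authorised by control-plane Actions.
rbac_allows() {
  local user="$1" plane="$2" action resource principals a p role ascope def allow deny
  action=$(lc "$3")
  resource=$(lc "$4")
  principals="$user $(groups_of "$user")"          # the user plus the groups they belong to
  while IFS= read -r a; do
    p=$(field "$a" 1); role=$(field "$a" 2); ascope=$(lc "$(field "$a" 3)")
    case " $principals " in *" $p "*) ;; *) continue ;; esac   # not this user's assignment
    scope_covers "$ascope" "$resource" || continue              # scope does not cover the resource
    def=$(printf '%s\n' "$ROLE_DEFS" | grep "^$role|" | head -n 1)
    if [ "$plane" = data ]; then
      allow=$(field "$def" 4); deny=$(field "$def" 5)
    else
      allow=$(field "$def" 2); deny=$(field "$def" 3)
    fi
    if any_match "$(lc "$allow")" "$action" && ! any_match "$(lc "$deny")" "$action"; then
      return 0                                                  # first permitting assignment wins
    fi
  done <<EOF
$ASSIGNMENTS
EOF
  return 1
}

check() {   # print one verdict line; handy when running the file by hand
  if rbac_allows "$1" "$2" "$3" "$4"; then v=ALLOW; else v=DENY; fi
  printf '%-6s %-7s %-62s %s\n' "$1" "$2" "$3" "$v"
}

VM1="$SUB/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"
STLOGS="$SUB/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/stlogs001"
STAPP="$SUB/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp001"
BLOB_READ="Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"

check alice control Microsoft.Compute/virtualMachines/read  "$VM1"   # ALLOW: Reader inherited from subscription scope
check alice control Microsoft.Compute/virtualMachines/write "$VM1"   # DENY:  Reader is */read only
check alice data    "$BLOB_READ" "$STLOGS"                            # ALLOW: Storage Blob Data Reader on exactly this account
check alice data    "$BLOB_READ" "$STAPP"                             # DENY:  outside that scope, and Reader has no DataActions
check bob   control Microsoft.Compute/virtualMachines/write "$VM1"   # ALLOW: Contributor on rg-app covers its children
check bob   control Microsoft.Authorization/roleAssignments/write "$SUB/resourceGroups/rg-app"   # DENY:  Contributor NotActions
check carol control Microsoft.Authorization/roleAssignments/write "$SUB/resourceGroups/rg-app"   # ALLOW: Owner
```

The alice checks are the least-privilege point from the narration in executable form: Reader at subscription scope lets her list the VM but does not let her read blob data, because Reader has no DataActions; only the narrowly scoped Storage Blob Data Reader assignment grants the blob read, and only on stlogs001. The bob checks show the Contributor NotActions carve-out (no role assignments) and that a resource-group assignment stops at that group's boundary. Run the file directly to print one ALLOW/DENY line per check.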
1. Navigate to Microsoft Entra ID in the Azure Portal
2. Create a new user account
3. Create a security group and add the user
4. Assign the Reader role to the user at subscription scope
5. Log in as the new user — verify read-only access
6. Show Role Assignments on a resource group
7. Enable Multi-Factor Authentication for the user
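The same walkthrough scripted with the Azure CLI, added here as an example rather than the course's own material. It follows the narration (Reader assigned to the group, scoped to one resource group, rather than to the user at subscription scope as in the step list), and creates the MFA requirement as a Conditional Access policy through Microsoft Graph, because per-user MFA has no CLI command. It needs an existing `az login` session with rights to manage users, groups, role assignments and Conditional Access policies (the Graph call requires the Policy.ReadWrite.ConditionalAccess permission, which the CLI's token may not carry in every tenant). The tenant domain, user and group names and the resource group are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the course's script: the video's demo done with the Azure
# CLI instead of the portal. Nothing touches a tenant unless RUN_DEMO=1 is set.
# TENANT_DOMAIN, RG, USER_NAME and GROUP_NAME are placeholders.
set -e

TENANT_DOMAIN="${TENANT_DOMAIN:-contoso.onmicrosoft.com}"   # placeholder tenant
RG="${RG:-rg-demo}"                                          # an existing resource group
USER_NAME="demo.reader"
GROUP_NAME="sg-demo-readers"

# /subscriptions/<id>/resourceGroups/<rg>: the scope the Reader role is limited to
rg_scope() { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }

# Conditional Access policy body: require MFA for every sign-in by members of
# the group. It starts in report-only mode so the sign-in logs show what it
# would have blocked before the state is switched to "enabled".
ca_policy_body() {   # ca_policy_body GROUP_OBJECT_ID POLICY_NAME
  cat <<EOF
{
  "displayName": "$2",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": { "includeGroups": ["$1"] },
    "applications": { "includeApplications": ["All"] },
    "clientAppTypes": ["all"]
  },
  "grantControls": { "operator": "OR", "builtInControls": ["mfa"] }
}
EOF
}

run_demo() {
  : "${INITIAL_PASSWORD:?set INITIAL_PASSWORD to a one-time password for the new user}"
  local sub user_id group_id scope
  sub=$(az account show --query id -o tsv)
  scope=$(rg_scope "$sub" "$RG")

  # Steps 1-2: create the user and force a password change at first sign-in.
  user_id=$(az ad user create \
    --display-name "Demo Reader" \
    --user-principal-name "$USER_NAME@$TENANT_DOMAIN" \
    --password "$INITIAL_PASSWORD" \
    --force-change-password-next-sign-in true \
    --query id -o tsv)

  # Step 3: create a security group and add the user to it.
  group_id=$(az ad group create --display-name "$GROUP_NAME" --mail-nickname "$GROUP_NAME" \
    --query id -o tsv)
  az ad group member add --group "$group_id" --member-id "$user_id"

  # Step 4: assign Reader to the group (not the user) at resource-group scope.
  az role assignment create --assignee-object-id "$group_id" --assignee-principal-type Group \
    --role Reader --scope "$scope" -o none

  # Steps 5-6: confirm effective access. --include-groups lists the assignment
  # the user inherits through the group; nothing above Reader should appear.
  az role assignment list --assignee "$user_id" --all --include-groups -o table
  az role assignment list --scope "$scope" --include-inherited -o table

  # Step 7: require MFA for the group via a Conditional Access policy (Graph API).
  az rest --method post \
    --url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" \
    --headers "Content-Type=application/json" \
    --body "$(ca_policy_body "$group_id" "Require MFA - $GROUP_NAME")" -o none
}

# Only run against a real tenant when explicitly asked to.
if [ "${RUN_DEMO:-0}" = "1" ]; then run_demo; fi
```

To verify step 5 interactively, sign in as the new user in a separate `az login` session (or a private browser window) and attempt a write such as `az group create`; the request should fail with an authorization error naming the missing action, while `az group list` succeeds. Switch the policy to `"state": "enabled"` only after the report-only sign-in logs look as expected.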