
Microsoft Entra ID (Azure Active Directory) Explained for AZ-104

Microsoft Entra ID is the identity foundation of every Azure deployment. Every user who logs in, every service that needs permissions, and every application that integrates with Azure goes through it. Many people assume it works like traditional Active Directory because the names are similar. It does not. Entra ID is a cloud-native identity platform built for internet-scale authentication using modern protocols like OAuth 2.0 and SAML, not Kerberos and LDAP. Understanding the difference between what Entra ID does and what on-premises AD does is the most important distinction for the AZ-104 exam.


Entra ID concepts: tenants, users, and groups

A tenant is a dedicated instance of Entra ID for your organization, created when you sign up for any Microsoft cloud service. Your tenant has its own set of users, groups, applications, and policies. Every Azure subscription is associated with exactly one tenant, and a tenant can be associated with multiple subscriptions.

Users in Entra ID can be cloud-only (created directly in the tenant) or synchronized from on-premises Active Directory using Entra ID Connect (formerly Azure AD Connect). Synchronized users authenticate through Entra ID but their source of truth remains the on-premises AD. Guest users are added from outside the organization using B2B collaboration and authenticate with their home identity provider.

Groups come in two types: Security groups control access to resources and can be assigned to Azure roles. Microsoft 365 groups are designed for collaboration and include shared mailboxes, calendars, and Teams channels. Dynamic groups automatically manage membership based on rules, such as adding all users in the Sales department automatically based on their department attribute.

Authentication, MFA, and Conditional Access

Entra ID supports multiple authentication methods. Password Hash Synchronization (PHS) syncs a hash of the on-premises password hash to the cloud, letting users authenticate directly against Entra ID. Pass-through Authentication (PTA) validates credentials against on-premises AD in real time, without storing any password in the cloud. Federation uses ADFS or a third-party identity provider: Entra ID trusts the federated identity and does not validate the password at all.

Multi-Factor Authentication in Entra ID adds a second verification step using the Microsoft Authenticator app, phone call, SMS, or hardware token. MFA can be enforced per user or conditionally through Conditional Access policies.

Conditional Access is the policy engine that controls access based on conditions: who is signing in, from what device, from what location, to what application, and what risk level is detected. A policy might require MFA only when a user signs in from outside the corporate network, or block access entirely from certain countries. This is how Zero Trust access control is implemented in Microsoft environments.

Roles, licenses, and how to choose the correct answer

Entra ID has its own set of built-in roles separate from Azure RBAC roles. Global Administrator has the highest privilege in Entra ID: managing users, groups, applications, and all Entra ID settings. Global Administrator does not automatically grant access to Azure resources in subscriptions. That access is controlled by Azure RBAC separately. Conflating these two systems is a common mistake on the exam.

Entra ID comes in Free, P1, and P2 tiers. The Free tier covers basic identity management. P1 adds Conditional Access, hybrid identity, and group-based access. P2 adds Identity Protection (risk-based sign-in policies) and Privileged Identity Management (PIM) for just-in-time role activation.

Entra ID vs on-premises AD: Entra ID uses OAuth 2.0, SAML, OpenID Connect. On-premises AD uses Kerberos and LDAP. Entra ID is cloud-only and has no domain controllers. Joining an Azure VM to Entra ID is done through Entra ID Join, not traditional domain join.

Global Admin manages Entra ID. Owner in Azure RBAC manages Azure resources. These are separate systems with separate roles.

Entra ID vs on-premises Active Directory

Feature            | Entra ID (Azure AD)                | On-premises Active Directory
Protocol           | OAuth 2.0, SAML, OpenID Connect    | Kerberos, LDAP, NTLM
Domain controllers | None (cloud-managed)               | Required (on-prem servers)
Primary use        | Cloud app authentication, SaaS SSO | Windows domain, on-prem resources
Structure          | Flat (no OUs)                      | Hierarchical (OUs, domains, forests)
Device join        | Entra ID Join                      | Domain join

Key exam facts — AZ-104

  • Tenant: dedicated Entra ID instance per organization. One tenant per subscription.
  • Global Administrator: highest Entra ID role. Does NOT automatically grant Azure resource access.
  • Azure RBAC and Entra ID roles are separate systems. Do not confuse them.
  • Conditional Access: control access based on user, device, location, application, and risk.
  • PHS: syncs password hash to cloud. PTA: validates on-premises in real time. Federation: trusts external IdP.
  • Entra ID P2: adds Identity Protection and PIM for risk-based and just-in-time access.

Common exam traps

Trap: Global Administrator in Entra ID has full access to all Azure resources.

Reality: Global Administrator manages Entra ID: users, groups, and applications. It does not automatically grant access to Azure resources in subscriptions. Azure resource access is controlled by Azure RBAC roles (Owner, Contributor, Reader) assigned at subscription, resource group, or resource level.

Trap: Entra ID is just a cloud version of on-premises Active Directory.

Reality: Entra ID and on-premises AD are fundamentally different. Entra ID uses modern internet protocols (OAuth, SAML, OIDC) and has no concept of domain controllers or Organizational Units. It is designed for cloud applications and internet-scale authentication, not traditional Windows domain services.

Trap: All Conditional Access features are available in the free tier of Entra ID.

Reality: Conditional Access requires Entra ID P1 or P2 licenses (or is included in Microsoft 365 E3/E5). The free tier provides basic authentication but no policy-based access control. Many security features organizations depend on require paid licensing.

Practice questions — Azure Entra ID

These questions are representative of what you will see on AZ-104 exams. The correct answer and explanation are shown immediately below each question.

Q1. A user is the Global Administrator in an Azure Entra ID tenant. They attempt to delete a Virtual Machine in an Azure subscription linked to that tenant but get an 'Access Denied' error. Why?

A. Global Administrators automatically have Owner rights on all Azure subscriptions
B. Entra ID roles and Azure RBAC roles are separate; Global Admin does not grant Azure resource access
C. The VM has a delete lock applied that prevents deletion
D. The user's MFA session has expired

Explanation: Entra ID roles (including Global Administrator) and Azure RBAC roles are separate access control systems. Global Administrator manages Entra ID itself: users, groups, applications, authentication policies. It does not automatically grant any Azure resource permissions. To manage Azure resources, the user needs an Azure RBAC role (Owner, Contributor) at the subscription, resource group, or resource level.
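A small model of the Q1 decision and of the roles section above, added here for illustration and not taken from the page or from Azure's authorization service: the role patterns are abridged from the built-in Owner, Contributor and Reader definitions, the subscription id, user names and assignments are constructed, and the evaluator is a simplified model of scope inheritance and action matching.

```python
from fnmatch import fnmatchcase

# Azure RBAC built-in roles as (Actions, NotActions) wildcard lists, abridged: Owner does
# everything, Contributor everything except managing role assignments, Reader only */read.
RBAC_ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]),
    "Reader": (["*/read"], []),
}

# Constructed resource ids: a subscription and a VM in one of its resource groups.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PROD = SUB + "/resourceGroups/rg-prod"
VM = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm01"

# Entra ID directory roles live in the tenant, in a separate store; nothing below
# reads this when deciding resource access, which is exactly the Q1 point.
ENTRA_ROLES = {"alice@contoso.example": {"Global Administrator"}}

def _matches(patterns, action):
    # Azure action matching is case-insensitive and '*' spans '/' separators.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def in_scope(scope, resource_id):
    """An assignment at scope S covers S itself and everything beneath it."""
    return resource_id == scope or resource_id.startswith(scope.rstrip("/") + "/")

def rbac_allows(assignments, principal, action, resource_id):
    """Simplified model of Azure RBAC evaluation. assignments is a list of
    (principal, role_name, scope) tuples; any permitting assignment grants access."""
    for who, role, scope in assignments:
        if who != principal or not in_scope(scope, resource_id):
            continue
        actions, not_actions = RBAC_ROLES[role]
        if _matches(actions, action) and not _matches(not_actions, action):
            return True
    return False

def can_delete_vm(principal, assignments):
    return rbac_allows(assignments, principal, "Microsoft.Compute/virtualMachines/delete", VM)

def is_global_admin(principal):
    return "Global Administrator" in ENTRA_ROLES.get(principal, set())

# Constructed assignments: Alice only has Contributor on rg-prod; Bob is Reader on the subscription.
ASSIGNMENTS = [
    ("alice@contoso.example", "Contributor", RG_PROD),
    ("bob@contoso.example", "Reader", SUB),
]
```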

Q2. An organization wants to require MFA only when employees sign in from outside the corporate network, but not when on-premises. Which Entra ID feature enables this?

A. Password Hash Synchronization
B. Privileged Identity Management (PIM)
C. Conditional Access policies
D. Entra ID P1 group-based licensing

Explanation: Conditional Access is Entra ID's policy engine that controls access based on conditions including user identity, device compliance, location (IP ranges/named locations), and risk level. A policy can require MFA when signing in from outside the corporate IP range while allowing direct access from internal trusted IPs. Conditional Access requires Entra ID P1 or P2 licensing.
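The Q2 scenario and the Conditional Access section above, written out as a policy in the Microsoft Graph conditionalAccessPolicy shape (the body you would send to the /identity/conditionalAccess/policies endpoint) and run over constructed sign-ins; this is an added illustration, not code from the page or from Microsoft, and the trusted IP range, user names, emergency-access account placeholder and the evaluator's decision order are assumptions.

```python
import ipaddress
# Policy in the Microsoft Graph conditionalAccessPolicy schema: all users and all cloud
# apps, every location except trusted named locations, grant control "mfa".
# The excluded emergency-access account id is a constructed placeholder.
POLICY = {
    "displayName": "Require MFA outside corporate network",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["<emergency-access-account-id>"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Constructed trusted named location standing in for the corporate egress range.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

def is_trusted(ip):
    """True when the source address is inside a trusted named location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def required_controls(policy, sign_in):
    """Simplified scoping model: controls this policy imposes on one sign-in, or [] if it does not apply."""
    if policy["state"] != "enabled":
        return []
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    loc = policy["conditions"].get("locations", {})
    # Exclusions win over inclusions, as they do when Conditional Access scopes users.
    if sign_in["user"] in users.get("excludeUsers", []):
        return []
    if "All" not in users["includeUsers"] and sign_in["user"] not in users["includeUsers"]:
        return []
    if "All" not in apps["includeApplications"] and sign_in["app"] not in apps["includeApplications"]:
        return []
    # "AllTrusted" in excludeLocations carves the corporate network out of the policy.
    if "AllTrusted" in loc.get("excludeLocations", []) and is_trusted(sign_in["ip"]):
        return []
    return list(policy["grantControls"]["builtInControls"])

def decide(policy, sign_in):
    """Outcome the user sees: allow, block, or require <control>."""
    controls = required_controls(policy, sign_in)
    return "block" if "block" in controls else ("require " + "+".join(controls) if controls else "allow")

# Constructed sign-ins: same user and app, different source networks.
OFFICE = {"user": "alice@contoso.example", "app": "Office365", "ip": "203.0.113.25"}
CAFE = {"user": "alice@contoso.example", "app": "Office365", "ip": "198.51.100.7"}
```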

Q3. An organization uses on-premises Active Directory and wants to allow employees to sign in to Azure resources using their existing corporate credentials without storing any password hashes in the cloud. Which hybrid identity option should be used?

A. Password Hash Synchronization (PHS)
B. Pass-through Authentication (PTA)
C. Federation with ADFS
D. Entra ID Connect with cloud-only accounts

Explanation: Pass-through Authentication validates credentials against on-premises AD in real time. No password hashes are stored in the cloud; authentication requests are forwarded to on-premises agents. PHS does store hashed password hashes in Entra ID. Federation with ADFS also avoids cloud password storage but requires more infrastructure. PTA is the simpler option when the requirement is that no password data is stored in the cloud.

Q4. What is Privileged Identity Management (PIM) in Entra ID and which license tier is required?

A. PIM allows just-in-time elevation of privileged roles; requires Entra ID P2
B. PIM synchronizes on-premises admin accounts to the cloud; requires Entra ID P1
C. PIM is a password manager for service accounts; available in the free tier
D. PIM manages application registrations; requires Entra ID P1

Explanation: Privileged Identity Management (PIM) provides just-in-time privileged access. Instead of being permanently assigned high-privilege roles (Global Admin, Owner), users request role activation for a limited time window when needed. This reduces standing privileges and the risk from compromised accounts. PIM requires Entra ID P2 (included in Microsoft 365 E5).

Q5. A company adds a partner organization's employees as guest users in their Entra ID tenant. How do these guest users authenticate?

A. They create a new Entra ID account in the host tenant and use new credentials
B. They authenticate with their home organization's identity provider using B2B collaboration
C. They use the host organization's MFA policies exclusively
D. Guest users cannot authenticate using external credentials

Explanation: Azure Entra ID B2B collaboration allows guest users to authenticate using their own organization's identity provider (Entra ID, Google, any SAML/OIDC provider). They don't need a new account in the host tenant. The host organization can apply Conditional Access policies to these guest sessions, but authentication itself happens at the guest's home organization.

Frequently asked questions — Azure Entra ID

What is the difference between Entra ID and on-premises Active Directory?

Entra ID (formerly Azure Active Directory) is a cloud-native identity platform using modern protocols: OAuth 2.0, SAML, and OpenID Connect. It is designed for internet-scale authentication of cloud apps and SaaS services. On-premises AD uses Kerberos and LDAP, manages Windows domain resources, and requires domain controllers. Entra ID has no domain controllers, no Group Policy Objects, and no Organizational Units. They are fundamentally different systems that can be connected via Entra ID Connect for hybrid identity.

What is Conditional Access in Entra ID?

Conditional Access is Entra ID's policy-based access control engine. It evaluates access requests based on multiple signals: user identity, device compliance (managed/compliant vs unmanaged), network location (trusted IP ranges), application being accessed, and sign-in risk score. Policies can require MFA, block access, or require a compliant device based on these conditions. Conditional Access requires Entra ID P1 or P2 licensing.

What is the difference between Entra ID roles and Azure RBAC roles?

Entra ID roles (Global Administrator, User Administrator, etc.) control actions within Entra ID itself: managing users, groups, applications, and authentication policies. Azure RBAC roles (Owner, Contributor, Reader) control actions on Azure resources (VMs, storage accounts, subscriptions). These are separate systems. Being Global Admin does not grant you any Azure resource permissions, and vice versa. An Owner on a subscription has full resource access but cannot manage Entra ID users unless also assigned an Entra ID role.

What hybrid identity authentication methods does Entra ID support?

Password Hash Synchronization (PHS): syncs a hash of on-premises password hashes to Entra ID. Users authenticate directly against Entra ID. Pass-through Authentication (PTA): forwards authentication to on-premises AD agents in real-time; no passwords stored in cloud. Federation: Entra ID trusts an external IdP (ADFS, Ping Identity); authentication happens entirely at the federation server. PHS offers the best resilience (works when on-premises AD is unavailable). PTA and Federation offer no cloud password storage.

How is Entra ID tested on AZ-104?

AZ-104 tests user and group management (cloud-only, synced, guest), authentication methods (PHS, PTA, Federation), Conditional Access policy configuration, MFA methods, Entra ID roles vs Azure RBAC roles, PIM for just-in-time access, Entra ID license tiers (P1 vs P2 features), and hybrid identity with Entra ID Connect. Common trap questions: Global Admin does not grant Azure resource access, and Conditional Access requires P1/P2 licensing.
