1. Identity Hierarchy & Architecture

Entra ID serves as the centralized identity control plane for the Microsoft 365 ecosystem.

  • The Tenant: The primary boundary for all identity objects and security configurations.
  • The Identity Plane: Manages the relationship between Users, Devices, and Applications to determine access to resources like SharePoint, Teams, and Fabric.
  • Object Relationships: Access is typically granted by adding Users or Devices to Groups, which are then assigned permissions to specific resources or applications.

2. Users & Devices (The Core Entities)

  • User Types:
    • Members: Internal accounts, typically synced from on-premises AD, with full directory visibility.
    • Guests: External users invited via B2B collaboration; they exist as guest objects in the directory.
    • Agents: AI-driven identities assigned a unique Entra Agent ID and their own dedicated M365 resources (Email, OneDrive).
  • Device States (Trust Signals):
    • Entra Registered: Used for BYOD/personal devices; allows for Mobile Application Management (MAM) without full device control.
    • Entra Joined: Cloud-native corporate devices fully managed via Intune.
    • Hybrid Entra Joined: Legacy domain-joined devices synced from on-premises AD to Entra ID.

3. The Group Ecosystem (Logical Containers)

  • Distribution Lists (DLs): Legacy, mail-flow-only containers; they do not have a Security SID and cannot be used for resource permissions.
  • Security Groups: The primary tool for assigning permissions and licenses; these are security principals only and do not have an email address.
  • Mail-Enabled Security Groups: A “hybrid” container that possesses a Security SID for permissions and an email address for distribution. These are ideal for granting resource access while maintaining a single point of contact for notifications.
  • Microsoft 365 Groups: The modern “connective tissue” that automatically provisions an Exchange mailbox, SharePoint site, and Teams overlay.
  • Dynamic Groups: Membership is automatically calculated from a rule over user attributes (e.g., user.jobTitle -eq "Manager"), ensuring access is updated as users move within the organization.
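A dynamic membership rule is an access decision that runs unattended, so a mis-scoped rule (one that forgets to exclude guests or disabled accounts, for example) silently grants access to everyone it matches. The evaluator below is an added example, not Microsoft's rule engine: it parses a subset of the dynamic-membership rule syntax (user.<attribute>, the -eq/-ne/-in/-notin/-contains/-startsWith operators, -and/-or/-not and parentheses) and runs it against constructed user objects shaped like Microsoft Graph user resources, so a rule like the JobTitle example above can be dry-run before it is enabled. String comparisons are case-insensitive, as they are for -eq in Entra.

```python
import re

# Constructed user objects shaped like Microsoft Graph user resources (sample data, not a real tenant).
SAMPLE_USERS = [
    {"id": "u1", "jobTitle": "Manager",  "department": "Finance", "accountEnabled": True,  "userType": "Member"},
    {"id": "u2", "jobTitle": "Manager",  "department": "Finance", "accountEnabled": True,  "userType": "Guest"},
    {"id": "u3", "jobTitle": "Engineer", "department": "IT",      "accountEnabled": False, "userType": "Member"},
    {"id": "u4", "jobTitle": None,       "department": "HR",      "accountEnabled": True,  "userType": "Member"},
]

# Tokens: "string", -operator, identifier (user.jobTitle, true, false, null) and punctuation ( ) [ ] ,
TOKEN_RE = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*")|(-[A-Za-z]+)|([A-Za-z_][\w.]*)|([()\[\],]))')

def tokenize(rule):
    rule, pos, tokens = rule.strip(), 0, []
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {rule[pos:]!r}")
        pos = m.end()
        string, op, ident, punct = m.groups()
        if string is not None:
            tokens.append(("STR", string[1:-1]))
        elif op is not None:
            tokens.append(("OP", op.lower()))   # operators are case-insensitive (-eq, -EQ, -startsWith)
        elif ident is not None:
            tokens.append(("ID", ident))
        else:
            tokens.append(("P", punct))
    return tokens

class Parser:
    """Recursive descent: or_expr > and_expr > unary (-not, parentheses, comparison)."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind):
            raise ValueError(f"expected {kind or 'a token'} at token {self.i}, got {tok}")
        self.i += 1
        return tok
    def parse(self):
        node = self.or_expr()
        if self.peek()[0] is not None:
            raise ValueError("unexpected trailing tokens")
        return node
    def or_expr(self):
        node = self.and_expr()
        while self.peek() == ("OP", "-or"):
            self.take()
            node = ("or", node, self.and_expr())
        return node
    def and_expr(self):
        node = self.unary()
        while self.peek() == ("OP", "-and"):
            self.take()
            node = ("and", node, self.unary())
        return node
    def unary(self):
        if self.peek() == ("OP", "-not"):
            self.take()
            return ("not", self.unary())
        if self.peek() == ("P", "("):
            self.take()
            node = self.or_expr()
            if self.take("P") != ("P", ")"):
                raise ValueError("expected ')'")
            return node
        prop = self.take("ID")[1]      # e.g. user.jobTitle
        op = self.take("OP")[1]        # e.g. -eq
        return ("cmp", prop, op, self.value())
    def value(self):
        kind, text = self.take()
        if kind == "STR":
            return text
        if kind == "ID" and text in ("true", "false", "null"):
            return {"true": True, "false": False, "null": None}[text]
        if (kind, text) == ("P", "["):          # list literal for -in / -notin
            items = []
            while self.peek() != ("P", "]"):
                items.append(self.value())
                if self.peek() == ("P", ","):
                    self.take()
            self.take("P")
            return items
        raise ValueError(f"unexpected value token {text!r}")

def _norm(v):
    return v.lower() if isinstance(v, str) else v

OPS = {
    "-eq": lambda a, b: _norm(a) == _norm(b),
    "-ne": lambda a, b: _norm(a) != _norm(b),
    "-in": lambda a, b: _norm(a) in [_norm(x) for x in b],
    "-notin": lambda a, b: _norm(a) not in [_norm(x) for x in b],
    "-contains": lambda a, b: isinstance(a, str) and isinstance(b, str) and _norm(b) in _norm(a),
    "-startswith": lambda a, b: isinstance(a, str) and isinstance(b, str) and _norm(a).startswith(_norm(b)),
}

def evaluate(node, user):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], user) or evaluate(node[2], user)
    if kind == "and":
        return evaluate(node[1], user) and evaluate(node[2], user)
    if kind == "not":
        return not evaluate(node[1], user)
    _, prop, op, rhs = node
    obj, _, attr = prop.partition(".")
    if obj != "user" or op not in OPS:
        raise ValueError(f"unsupported expression: {prop} {op}")
    return OPS[op](user.get(attr), rhs)   # a missing attribute evaluates as null

def members_of(rule, users):
    """Return the ids of the users the rule would place in the dynamic group."""
    tree = Parser(tokenize(rule)).parse()
    return [u["id"] for u in users if evaluate(tree, u)]
```

Running a candidate rule through members_of against a representative sample of the directory, including guests and disabled accounts, shows exactly who would be admitted; the difference between `user.jobTitle -eq "Manager"` and the same rule with `-and (user.userType -ne "Guest")` is the point of the exercise.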

Source of Authority (SoA) & Management

  • Synced Groups: If a group is synchronized from on-premises Active Directory, it cannot be edited in Entra ID or the M365 Admin Center. All membership and attribute changes (like email aliases) must occur on-premises.
  • Cloud-Native Groups: Created and managed entirely within the Entra ID portal or M365 Admin Center.
  • Writeback: In hybrid environments, certain groups created in the cloud can be “written back” to on-premises AD if the specific synchronization feature is enabled.
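The group types in section 3 and the source-of-authority rules above both fall out of a handful of attributes on the Graph group object: mailEnabled, securityEnabled, groupTypes ("Unified" for Microsoft 365 Groups, "DynamicMembership" for dynamic groups) and onPremisesSyncEnabled (true for synced groups, null for cloud-native ones). The classifier below is an added example, not Microsoft code, running over constructed group objects shaped like Graph group resources; it answers the two questions an access reviewer asks first: can this group carry a permission at all, and where do I have to go to change its membership?

```python
# Constructed group objects shaped like Microsoft Graph group resources (sample data, not a real tenant).
# Graph reports onPremisesSyncEnabled as true for synced groups and null for cloud-native ones.
SAMPLE_GROUPS = [
    {"id": "g1", "displayName": "All Staff",        "mailEnabled": True,  "securityEnabled": False, "groupTypes": [],                    "onPremisesSyncEnabled": True},
    {"id": "g2", "displayName": "SG-Fabric-Admins", "mailEnabled": False, "securityEnabled": True,  "groupTypes": [],                    "onPremisesSyncEnabled": None},
    {"id": "g3", "displayName": "MESG-Finance",     "mailEnabled": True,  "securityEnabled": True,  "groupTypes": [],                    "onPremisesSyncEnabled": True},
    {"id": "g4", "displayName": "Project Falcon",   "mailEnabled": True,  "securityEnabled": False, "groupTypes": ["Unified"],           "onPremisesSyncEnabled": None},
    {"id": "g5", "displayName": "Dyn-Managers",     "mailEnabled": False, "securityEnabled": True,  "groupTypes": ["DynamicMembership"], "onPremisesSyncEnabled": None},
]

def classify_group(group):
    """Map the Graph flags onto the group types: M365 Group, mail-enabled security, security, DL."""
    types = set(group.get("groupTypes") or [])
    mail, sec = bool(group.get("mailEnabled")), bool(group.get("securityEnabled"))
    if "Unified" in types:
        return "Microsoft 365 Group"
    if mail and sec:
        return "Mail-Enabled Security Group"
    if sec:
        return "Security Group"
    if mail:
        return "Distribution List"
    return "Unknown"

def membership_type(group):
    """Dynamic groups carry the DynamicMembership group type; everything else is assigned."""
    return "dynamic" if "DynamicMembership" in (group.get("groupTypes") or []) else "assigned"

def source_of_authority(group):
    """Synced groups are owned by on-premises AD; membership and alias changes must be made there."""
    return "on-premises AD" if group.get("onPremisesSyncEnabled") else "cloud"

def can_grant_permissions(group):
    """Only security-enabled groups can be used to assign resource permissions."""
    return bool(group.get("securityEnabled"))

def summarize(groups):
    out = {}
    for g in groups:
        soa = source_of_authority(g)
        out[g["id"]] = {
            "type": classify_group(g),
            "membership": membership_type(g),
            "source_of_authority": soa,
            "cloud_editable": soa == "cloud",   # synced groups are read-only in Entra ID / the M365 Admin Center
            "can_grant_permissions": can_grant_permissions(g),
        }
    return out

def groups_unusable_for_permissions(groups):
    """Governance check: groups that look like access containers but cannot carry a permission."""
    return [g["displayName"] for g in groups if not can_grant_permissions(g)]
```

A plain DL ("All Staff") and a Microsoft 365 Group that is not security-enabled both come back as unusable for permissions, and the two synced groups come back as not editable in the cloud, which is the practical consequence of the source-of-authority rule.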

4. Application Identity: App Reg vs. Enterprise Apps

Understanding the distinction between these two views of the same application is critical for security governance.

  • App Registrations (The Definition): The developer’s “blueprint” of the application. This is where API permissions (e.g., Graph User.Read.All) and application secrets are defined.
  • Enterprise Applications (The Service Principal): The local instance of an application in your tenant. This is where admins:
    • Manage who is assigned to use the app.
    • Provide “Admin Consent” for permissions.
    • Apply Conditional Access policies specifically to that app.
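The registration records what the developer asked for (requiredResourceAccess, passwordCredentials); the service principal records what the tenant actually granted (oauth2PermissionGrants for delegated scopes, appRoleAssignments for application permissions) and whether users must be assigned (appRoleAssignmentRequired). Comparing the two sides is a routine governance check, and the script below is an added example of it, not Microsoft tooling. All object IDs, permission GUIDs and secret dates are constructed placeholders, and the permission catalog stands in for the resource service principal's oauth2PermissionScopes/appRoles lists; resources are keyed by appId here for simplicity.

```python
from datetime import datetime, timedelta, timezone

# Constructed permission catalog (placeholder GUIDs, not Microsoft Graph's real permission IDs).
RESOURCE_APP_ID = "00000000-0000-0000-0000-0000000000aa"   # placeholder resourceAppId
CATALOG = {
    RESOURCE_APP_ID: {
        "Scope": {"11111111-0000-0000-0000-000000000001": "User.Read",
                  "11111111-0000-0000-0000-000000000002": "User.Read.All"},
        "Role":  {"22222222-0000-0000-0000-000000000001": "User.Read.All",
                  "22222222-0000-0000-0000-000000000002": "Mail.Read"},
    }
}

# Constructed app registration (the definition): what the developer requested.
APP_REGISTRATION = {
    "appId": "app-1",
    "requiredResourceAccess": [{
        "resourceAppId": RESOURCE_APP_ID,
        "resourceAccess": [
            {"id": "11111111-0000-0000-0000-000000000001", "type": "Scope"},   # delegated User.Read
            {"id": "22222222-0000-0000-0000-000000000001", "type": "Role"},    # application User.Read.All
        ],
    }],
    "passwordCredentials": [
        {"keyId": "secret-1", "endDateTime": "2026-01-10T00:00:00Z"},
        {"keyId": "secret-2", "endDateTime": "2027-06-01T00:00:00Z"},
    ],
}

# Constructed service principal (the enterprise application): what this tenant consented to and assigned.
SERVICE_PRINCIPAL = {
    "appId": "app-1",
    "appRoleAssignmentRequired": True,
    "oauth2PermissionGrants": [   # delegated consent; consentType AllPrincipals = tenant-wide admin consent
        {"consentType": "AllPrincipals", "resourceId": RESOURCE_APP_ID, "scope": "User.Read User.Read.All"},
    ],
    "appRoleAssignments": [       # application permissions granted to this SP on the resource
        {"resourceId": RESOURCE_APP_ID, "appRoleId": "22222222-0000-0000-0000-000000000002"},
    ],
}

def requested_permissions(app_reg):
    """(type, name) pairs declared on the registration."""
    out = set()
    for rra in app_reg.get("requiredResourceAccess", []):
        cat = CATALOG.get(rra["resourceAppId"], {})
        for ra in rra.get("resourceAccess", []):
            out.add((ra["type"], cat.get(ra["type"], {}).get(ra["id"], ra["id"])))
    return out

def consented_permissions(sp):
    """(type, name) pairs the tenant actually granted on the service principal."""
    out = set()
    for grant in sp.get("oauth2PermissionGrants", []):
        if grant.get("consentType") == "AllPrincipals":   # per-user grants are not tenant-wide admin consent
            out.update(("Scope", s) for s in grant.get("scope", "").split())
    for asg in sp.get("appRoleAssignments", []):
        roles = CATALOG.get(asg["resourceId"], {}).get("Role", {})
        out.add(("Role", roles.get(asg["appRoleId"], asg["appRoleId"])))
    return out

def consent_drift(app_reg, sp):
    req, got = requested_permissions(app_reg), consented_permissions(sp)
    return {
        "requested_not_consented": sorted(req - got),
        "consented_not_requested": sorted(got - req),   # stale consent: revoke it on the service principal
        "application_permissions_consented": sorted(n for t, n in got if t == "Role"),   # app-only, no user in the loop
    }

def expiring_secrets(app_reg, now, within_days=30):
    """keyIds of client secrets that expire within the window (rotation backlog)."""
    cutoff = now + timedelta(days=within_days)
    return [c["keyId"] for c in app_reg.get("passwordCredentials", [])
            if datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00")) <= cutoff]

def sign_in_allowed(sp, assigned_principal_ids, principal_id):
    """Assignment lives on the service principal: with appRoleAssignmentRequired, unassigned users are refused."""
    return (not sp.get("appRoleAssignmentRequired")) or principal_id in assigned_principal_ids
```

In the constructed data the registration asks for the application-level User.Read.All that was never consented, while the service principal still holds an application-level Mail.Read and a delegated User.Read.All that the registration no longer declares; those stale grants are exactly what a consent review removes.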

5. Tenant-to-Tenant Relationships & B2B

Cross-tenant access settings govern how your organization interacts with external Entra ID tenants.

  • B2B Collaboration (Standard Guests): The external user is invited and a guest object is created in your directory. The user must switch tenants to access your resources.
  • B2B Direct Connect (Shared Channels): Does not create a guest user object in your directory. Users access shared resources (like Teams channels) directly from their home tenant.
  • Cross-Tenant Access Settings: Admins configure Inbound and Outbound policies to trust MFA and device compliance signals from specific partner organizations, reducing friction for guests.

6. The Zero Trust Engine: CA & Risk Management

  • Conditional Access (CA): Evaluates signals (Who, What, Where, Risk) to make a real-time decision (Block, Grant, MFA).
  • Identity Protection (Requires Entra ID P2):
    • User Risk: Analyzes leaked credentials and account compromise indicators.
    • Sign-in Risk: Detects anomalous behavior, such as “Impossible Travel” between two locations.
  • Risky User Policies: Automated policies that force a password reset via Self-Service Password Reset (SSPR) when a High User Risk is detected.
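Sections 5 and 6 describe one decision pipeline: the signals a sign-in carries (who, what, where, risk), the cross-tenant trust settings that decide whether a guest's MFA or device-compliance claims from their home tenant count at all, and the policies that turn the result into block, grant or an interrupt for an outstanding control. The evaluator below is an added example, not the Entra Conditional Access engine: the SignIn model, INBOUND_TRUST settings, POLICIES and SCENARIOS are all constructed, and the semantics are simplified to "every matching policy applies, block always wins". It is the kind of model a defender writes to predict what a policy change will do before deploying it.

```python
from dataclasses import dataclass

OUR_TENANT = "contoso.example"   # constructed: the tenant whose CA policies are being evaluated

# Constructed inbound cross-tenant access settings: which partner tenants' MFA and
# device-compliance claims this tenant trusts. Unknown tenants trust nothing.
INBOUND_TRUST = {
    "partner-a.example": {"trust_mfa": True, "trust_compliant_device": True},
    "partner-b.example": {"trust_mfa": False, "trust_compliant_device": False},
}

@dataclass
class SignIn:
    """Signals a sign-in carries: who, what, where and risk (constructed model, not Entra's schema)."""
    user: str
    user_type: str                 # "Member" or "Guest"
    home_tenant: str               # tenant that verified the credentials and issued the claims
    app: str
    location_trusted: bool         # inside a trusted/named location
    mfa_claim: bool                # MFA claim present in the incoming token
    device_compliant_claim: bool   # device-compliance claim present in the incoming token
    sign_in_risk: str = "none"     # none / low / medium / high (Identity Protection)
    user_risk: str = "none"

# Constructed CA policies. Every matching policy applies; a block control always wins.
POLICIES = [
    {"name": "Block high sign-in risk", "users": "all", "apps": "all", "locations": "all",
     "sign_in_risk": ["high"], "grant": "block"},
    {"name": "High user risk: secure password change", "users": "all", "apps": "all", "locations": "all",
     "user_risk": ["high"], "grant": "password_change"},
    {"name": "Require MFA for all users", "users": "all", "apps": "all", "locations": "all", "grant": "mfa"},
    {"name": "Compliant device for Fabric off-network", "users": "members", "apps": ["Fabric"],
     "locations": "untrusted", "grant": "compliant_device"},
]

def effective_signals(s, our_tenant=OUR_TENANT):
    """Claims from another tenant count only if inbound trust settings say so;
    otherwise the guest must satisfy the control in this tenant."""
    if s.home_tenant == our_tenant:
        return {"mfa": s.mfa_claim, "device_compliant": s.device_compliant_claim}
    trust = INBOUND_TRUST.get(s.home_tenant, {})
    return {"mfa": s.mfa_claim and trust.get("trust_mfa", False),
            "device_compliant": s.device_compliant_claim and trust.get("trust_compliant_device", False)}

def matches(policy, s):
    """Conditions: user scope, target app, location and Identity Protection risk levels."""
    if policy["users"] == "members" and s.user_type != "Member":
        return False
    if policy["apps"] != "all" and s.app not in policy["apps"]:
        return False
    if policy["locations"] == "untrusted" and s.location_trusted:
        return False
    if "sign_in_risk" in policy and s.sign_in_risk not in policy["sign_in_risk"]:
        return False
    if "user_risk" in policy and s.user_risk not in policy["user_risk"]:
        return False
    return True

def control_satisfied(control, eff):
    if control == "mfa":
        return eff["mfa"]
    if control == "compliant_device":
        return eff["device_compliant"]
    if control == "password_change":
        return False   # always interrupts: the SSPR flow must complete before access is granted
    raise ValueError(f"unknown control {control}")

def evaluate(s, policies=POLICIES, our_tenant=OUR_TENANT):
    """Real-time decision: block, grant, or interrupt with the controls still outstanding."""
    eff = effective_signals(s, our_tenant)
    matched = [p for p in policies if matches(p, s)]
    names = [p["name"] for p in matched]
    if any(p["grant"] == "block" for p in matched):
        return {"decision": "block", "outstanding": [], "matched": names}
    outstanding = sorted({p["grant"] for p in matched if not control_satisfied(p["grant"], eff)})
    return {"decision": "grant" if not outstanding else "interrupt", "outstanding": outstanding, "matched": names}

# Constructed scenarios: a member on and off the corporate network, guests from a trusted and an
# untrusted partner, and a member with high sign-in risk and with high user risk.
SCENARIOS = {
    "member_onsite":   SignIn("ada", "Member", OUR_TENANT, "Fabric", True, True, False),
    "member_remote":   SignIn("ada", "Member", OUR_TENANT, "Fabric", False, True, False),
    "guest_trusted":   SignIn("bo", "Guest", "partner-a.example", "Teams", False, True, False),
    "guest_untrusted": SignIn("cy", "Guest", "partner-b.example", "Teams", False, True, False),
    "risky_signin":    SignIn("ada", "Member", OUR_TENANT, "SharePoint", False, True, True, sign_in_risk="high"),
    "risky_user":      SignIn("ada", "Member", OUR_TENANT, "SharePoint", False, True, True, user_risk="high"),
}
```

The two guest scenarios are the cross-tenant point in miniature: both carry an MFA claim from home, but only the guest from the partner whose inbound settings trust MFA is granted; the other is interrupted for MFA in this tenant. The member off-network is interrupted for a compliant device while the same member on a trusted location is not, high sign-in risk blocks outright, and high user risk interrupts for the password change even though MFA is already satisfied.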