# Entra ID Objects and Synchronization
Source: Azure Master Class v3 - Part 2 - Identity by John Savill
Timestamps: 00:38:00-01:04:00
## Entra ID Object Types
📺 Video Reference: 00:38:06
Entra ID contains many types of objects. Most are security principals: entities that can be authenticated.
### Users
📺 Video Reference: 00:38:35
#### Key Principle: Carbon-Based Life Forms Only
When we say user, it should be tied to a specific human being:
| Identity Type | Use User Account? | Better Alternative |
|---|---|---|
| Human employee | ✅ Yes | n/a |
| Automation script | ❌ No | Service Principal |
| Application | ❌ No | Service Principal |
| CI/CD pipeline | ❌ No | Managed Identity / Service Principal |
> **Don't Use User Accounts for Automations**
> Applications and automations can't comply with MFA requirements. Microsoft is rolling out mandatory MFA, and organizations using user accounts for automations are now stuck.
#### User Properties
| Property | Description | Example |
|---|---|---|
| Display Name | Friendly name | John Smith |
| User Principal Name | Sign-in name | john@contoso.com |
| User Type | Member or Guest | Member |
| On-premises Sync | Synced from AD? | Yes/No |
| Identities | Origin of identity | contoso.onmicrosoft.com |
#### User Types
| Type | Description | Default Rights |
|---|---|---|
| Member | Internal to organization | Full directory read |
| Guest | External identity (B2B) | Limited visibility |
#### Creating Users
| Method | Use Case |
|---|---|
| Manual (Portal) | Single user creation |
| Bulk Operations | CSV file upload |
| HR Integration | Automated from Workday, SAP, etc. |
| PowerShell/Graph | Scripted provisioning |
### Groups
📺 Video Reference: 00:44:10
Always use groups for permission assignment instead of direct user assignments.
#### Why Groups Over Direct Assignment?
| Direct User Assignment | Group Assignment |
|---|---|
| ❌ Forgotten over time | ✅ Easy to audit |
| ❌ Permission creep | ✅ Role-based control |
| ❌ Manual management | ✅ Can be dynamic |
| ❌ Hard to audit | ✅ Clear purpose |
#### Group Types
| Type | Purpose | Example Use |
|---|---|---|
| Security | Resource access, RBAC | Azure permissions, app access |
| Microsoft 365 | Collaboration | Teams, SharePoint, shared mailbox |
#### Membership Types
| Type | How Members Join | Best For |
|---|---|---|
| Assigned | Manual addition | Specific users |
| Dynamic User | Attribute-based rules | Department, location, job title |
| Dynamic Device | Device attribute rules | OS version, compliance state |
#### Dynamic Group Examples
**Example 1: Job Title Based**

```
user.jobTitle -startsWith "Hero"
```

All users whose job title starts with "Hero" (Hero, Heroine) auto-join.

**Example 2: Recent Hires (Last 365 days)**

```
user.employeeHireDate -ge now().addDays(-365)
```

New employees are automatically added and removed again after one year.

> **P1 License Required**
> Dynamic group membership requires Entra ID P1 licensing.
### Service Principals (App Registrations)
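To make the two rules above concrete, here is a small rule evaluator written for these notes (it is not Entra's engine and is not from the video). It handles exactly the two rule shapes shown, runs them against a constructed sample directory with a fixed "now", and treats a missing attribute as a non-match; the case-insensitive prefix comparison is a simplifying assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is deterministic (constructed, not from the notes).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample users; attribute names follow the Entra user schema.
USERS = [
    {"userPrincipalName": "hero@contoso.com", "jobTitle": "Hero",
     "employeeHireDate": NOW - timedelta(days=30)},
    {"userPrincipalName": "heroine@contoso.com", "jobTitle": "Heroine",
     "employeeHireDate": NOW - timedelta(days=400)},
    {"userPrincipalName": "sidekick@contoso.com", "jobTitle": "Sidekick to Hero",
     "employeeHireDate": NOW - timedelta(days=364)},
    {"userPrincipalName": "contractor@contoso.com"},  # no jobTitle, no hire date
]

RULE_JOB_TITLE = 'user.jobTitle -startsWith "Hero"'
RULE_RECENT_HIRES = "user.employeeHireDate -ge now().addDays(-365)"

_STARTS_WITH = re.compile(r'^user\.(\w+) -startsWith "([^"]*)"$')
_GE_ADD_DAYS = re.compile(r"^user\.(\w+) -ge now\(\)\.addDays\((-?\d+)\)$")


def evaluate_rule(rule, user, now=NOW):
    """True if `user` satisfies `rule`; a user without the attribute never matches."""
    m = _STARTS_WITH.match(rule)
    if m:
        attr, prefix = m.groups()
        value = user.get(attr)
        # Assumption: prefix comparison is case-insensitive (simplification).
        return value is not None and value.lower().startswith(prefix.lower())
    m = _GE_ADD_DAYS.match(rule)
    if m:
        attr, days = m.groups()
        value = user.get(attr)
        # now().addDays(-365) is "now" shifted by the signed day count.
        return value is not None and value >= now + timedelta(days=int(days))
    raise ValueError(f"unsupported rule: {rule}")


def members(rule, users=USERS, now=NOW):
    """UPNs the rule would place in the dynamic group, sorted for stable output."""
    return sorted(u["userPrincipalName"] for u in users if evaluate_rule(rule, u, now))


if __name__ == "__main__":
    print(members(RULE_JOB_TITLE))     # hero and heroine
    print(members(RULE_RECENT_HIRES))  # hero and sidekick; heroine aged out at 400 days
```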
📺 Video Reference: 00:47:55
For applications and automations, use Service Principals instead of user accounts.
#### Components
| Component | Description |
|---|---|
| App Registration | The identity definition |
| Enterprise App | The service principal in your tenant |
| Credentials | How the app authenticates |
#### Credential Options
| Type | Security | Management | Best For |
|---|---|---|---|
| Client Secret | ⭐⭐ | Rotate manually | Simple scenarios |
| Certificate | ⭐⭐⭐ | Rotate periodically | Better security |
| Federated Credential | ⭐⭐⭐⭐ | No secrets to manage | GitHub Actions, external IDPs |
### Federated Credentials (Workload Identity Federation)
📺 Video Reference: 00:48:22
Instead of storing secrets, exchange tokens from a trusted external identity provider:
**Example: GitHub Actions to Azure**
- GitHub workflow gets a token from GitHub's IDP
- Federation trust in Entra says "GitHub repo X can act as this identity"
- Token exchange happens: no secrets stored in GitHub!
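The exchange above hinges on Entra matching the incoming GitHub token's issuer, subject and audience against the federated credential on the app registration. The following check is an added illustration written for these notes (not Entra's code and not from the video): the trust, the repo name and the claim sets are constructed, and JWT signature verification against GitHub's JWKS is assumed to have happened already.

```python
from datetime import datetime, timedelta, timezone

# Constructed trust, shaped like a federated identity credential on an app
# registration (issuer, subject format and audience are GitHub/Entra defaults;
# the repo is an assumption).
FEDERATED_CREDENTIAL = {
    "issuer": "https://token.actions.githubusercontent.com",
    "subject": "repo:contoso/deploy-app:ref:refs/heads/main",
    "audiences": ["api://AzureADTokenExchange"],
}

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def github_oidc_claims(repo, ref, audience="api://AzureADTokenExchange",
                       exp=NOW + timedelta(minutes=5)):
    """Constructed claim set of a GitHub Actions OIDC token (claims only, no JWT)."""
    return {
        "iss": "https://token.actions.githubusercontent.com",
        "sub": f"repo:{repo}:ref:{ref}",
        "aud": audience,
        "exp": int(exp.timestamp()),
    }


def check_trust(claims, trust=FEDERATED_CREDENTIAL, now=NOW):
    """Return (accepted, reason) for the issuer/subject/audience match Entra
    performs before it issues an access token for the service principal."""
    if claims.get("exp", 0) <= now.timestamp():
        return False, "token expired"
    if claims.get("iss") != trust["issuer"]:
        return False, "issuer mismatch"
    if claims.get("sub") != trust["subject"]:
        # The subject pins org, repo and ref: a fork or another branch is refused.
        return False, "subject mismatch"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in trust["audiences"] for a in auds):
        return False, "audience mismatch"
    return True, "token exchanged for an Entra access token"


if __name__ == "__main__":
    print(check_trust(github_oidc_claims("contoso/deploy-app", "refs/heads/main")))
    print(check_trust(github_oidc_claims("contoso/deploy-app", "refs/heads/feature")))
    print(check_trust(github_oidc_claims("other-org/deploy-app", "refs/heads/main")))
```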
### Managed Identities
📺 Video Reference: 00:51:27
For Azure resources talking to other Azure resources, use Managed Identities.
#### Benefits
- ✅ No credentials to manage
- ✅ Automatic token rotation
- ✅ Azure handles everything
- ✅ Works with RBAC
#### Types
| Type | Scope | Use Case |
|---|---|---|
| System-Assigned | One resource | VM needs to access Key Vault |
| User-Assigned | Multiple resources | Several VMs share identity |
#### How It Works
> **No Secrets Required**
> The Azure control plane knows which resource is making the request: no credentials stored in code or config!
### Devices
📺 Video Reference: 00:52:54
#### Device States
| State | Sign-in Account | Management | Best For |
|---|---|---|---|
| Registered | Personal (MSA) | MDM optional | BYOD |
| Joined | Entra account | Full MDM | Corporate owned |
| Hybrid Joined | AD + Entra | GPO + MDM | Existing AD environment |
#### Supported Platforms
| Platform | Registered | Joined | Hybrid |
|---|---|---|---|
| Windows 10/11 | ✅ | ✅ | ✅ |
| macOS | ✅ | ✅ (Platform SSO) | ❌ |
| iOS | ✅ | ❌ | ❌ |
| Android | ✅ | ❌ | ❌ |
## Synchronization from Active Directory
📺 Video Reference: 00:55:11
Most organizations have Active Directory on-premises and synchronize to Entra ID.
### Key Principle: AD is the Source of Truth
### HR Integration Option
Workday, SAP, and others can provision users directly via the Entra provisioning service.
### Sync Topology Rules
📺 Video Reference: 00:57:48
| Rule | Description |
|---|---|
| One tenant → One sync engine | An Entra tenant can only sync from one Entra Connect instance |
| One AD → Multiple tenants | Possible with multiple sync instances (only one does writeback) |
| Multiple forests → One tenant | Single Entra Connect can sync from multiple AD forests |
### Sync Technologies
| Technology | Description | Best For |
|---|---|---|
| Entra Connect Sync | Windows-based sync engine | Legacy, full features |
| Entra Cloud Sync | Lightweight provisioning agent | Newer, simpler, multi-forest |
### Entra Connect vs Cloud Sync
| Feature | Connect Sync | Cloud Sync |
|---|---|---|
| Architecture | Windows server required | Lightweight agent |
| Multi-forest (disconnected) | ❌ | ✅ |
| Pass-through Auth | ✅ | ❌ |
| Writeback | Full | Limited |
| Management | On-prem | Cloud portal |
> **Cloud Sync is the Future**
> Microsoft is moving toward Cloud Sync. Use it for new deployments if it meets your requirements.
### Cloud Sync Setup
- Install provisioning agents on domain controllers (or servers with same security tier)
- Create configuration in Entra portal
- Map attributes and scoping (OUs, groups)
- Enable sync
## Quick Reference
### Object Comparison
| Object | Can Authenticate? | Created Where | Primary Use |
|---|---|---|---|
| User | ✅ | Entra or AD | Human identity |
| Group | ❌ | Entra or AD | Permission grouping |
| Service Principal | ✅ | Entra | App/automation identity |
| Managed Identity | ✅ | Azure resource | Azure resource identity |
| Device | ✅* | Entra or AD | Device identity |
*Devices have associated identity but don't "authenticate" in the traditional sense.
### Best Practices
| Scenario | Recommendation |
|---|---|
| New employee | Create in AD or HR system, let sync |
| Application auth | Service Principal with federated credential |
| Azure resource auth | Managed Identity |
| Permission assignment | Always use groups |
| Multiple forests | Evaluate Cloud Sync |
### Further Reading
- Users in Entra ID
- Dynamic Groups
- Service Principals
- Managed Identities
- Workload Identity Federation
- Entra Cloud Sync
- Compare Sync Options