Directory services: Microsoft Entra ID, Entra Domain Services

Azure identity, access, and security

📘Microsoft Certified: Azure Fundamentals (AZ-900)

In Azure, directory services are the backbone of identity management. They help organizations manage users, groups, and access to resources. Two main services under this topic are:

  1. Microsoft Entra ID (formerly Azure Active Directory or Azure AD)
  2. Microsoft Entra Domain Services (Azure AD DS)

Let’s go through each in detail.

1. Microsoft Entra ID (Entra ID)

Microsoft Entra ID is a cloud-based identity and access management service. It is the main service that controls who can sign in, who can access resources, and how they authenticate.

Key Features:

  • User and Group Management
    • You can create users (employees, contractors) and organize them into groups.
    • Groups simplify permissions—for example, instead of giving every user access to a resource individually, you give a group access.
  • Authentication & Single Sign-On (SSO)
    • Users can log in once and access multiple applications without re-entering passwords.
    • Supports cloud apps (like Microsoft 365, Salesforce) and some on-premises apps.
  • Multi-Factor Authentication (MFA)
    • Adds an extra security layer: users may need a text message, email, or mobile app verification besides the password.
  • Device Management
    • Devices (like company laptops or phones) can be registered or joined to Entra ID.
    • This ensures that only trusted devices access corporate resources.
  • Conditional Access
    • Access to resources can depend on conditions, like user location, device status, or risk level.
    • Example: Users logging in from an unusual location may be prompted for MFA.
  • Integration with Applications
    • Entra ID can manage access to thousands of cloud applications.
    • Developers can also use it for authentication in their own apps using standards like OAuth, OpenID Connect, and SAML.

Exam Tip:

  • Know that Microsoft Entra ID is the central identity service in Azure.
  • Know the difference between users, groups, roles, and conditional access policies.

2. Microsoft Entra Domain Services (Entra DS)

Microsoft Entra Domain Services (Entra DS) provides managed domain services in Azure. Think of it as giving you traditional Active Directory features in the cloud without managing domain controllers yourself.

Key Features:

  • Domain Join
    • Virtual machines (VMs) and servers in Azure can join a domain without needing a traditional on-premises Active Directory.
  • LDAP, Kerberos, NTLM support
    • Legacy applications that rely on LDAP (Lightweight Directory Access Protocol) or Kerberos authentication can still work.
  • Group Policy
    • You can create policies that control settings on machines joined to this domain.
  • High Availability & Managed Service
    • Microsoft automatically handles updates, replication, and patching.
    • You don’t have to manage domain controllers yourself.

Use Cases in IT Environments:

  • Running legacy apps in Azure that require Active Directory features.
  • Using domain-joined VMs in Azure without a full on-premises AD setup.
  • Simplifying hybrid setups where some workloads are on-premises and some are in Azure.

Exam Tip:

  • Understand that Entra DS is for legacy apps or domain-joined machines in Azure.
  • Remember: It is a managed service—Microsoft handles maintenance.

Key Differences: Entra ID vs Entra DS

FeatureMicrosoft Entra IDMicrosoft Entra Domain Services (DS)
TypeCloud identity & access managementManaged domain service
UsersCloud users, external usersCloud users from Entra ID
AuthenticationSSO, MFA, OAuth, SAMLLDAP, Kerberos, NTLM
Device JoinYesYes, domain-joined VMs
MaintenanceManaged by Microsoft, mostly configurationFully managed, including patches and updates
Best ForModern cloud appsLegacy apps and domain-joined VMs

Exam Tip: Often the exam will ask which service to use:

  • Entra ID → modern cloud authentication
  • Entra DS → legacy apps needing domain services

Summary for AZ-900 Exam

  • Microsoft Entra ID: Main cloud identity service. Controls users, groups, devices, apps, authentication, and security policies.
  • Microsoft Entra DS: Managed domain service. Provides traditional AD features like LDAP/Kerberos and group policies for VMs and legacy apps.
  • Key Concept: Entra ID is for cloud-first identity management; Entra DS is for applications that still need traditional AD features in the cloud.
Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by