Azure Active Directory Pocket Book — Uplatz
60+ deep-dive flashcards • Single column • Identity & Access • OAuth/OIDC & SAML • Security & Compliance • Admin & Hybrid • Interview Q&A
Cheat-friendly explanations • Readable code • Production-oriented tips
1) What is Azure Active Directory (Entra ID)?
Azure AD (now under Microsoft Entra) is Microsoft’s cloud identity and access management for users, apps, and devices. It provides authentication (who you are) and authorization (what you can access) for Microsoft 365, Azure, SaaS, and custom apps.
# Show current tenant and subscription
az account show --query "{tenantId:tenantId, sub:name}" -o tsv
2) Tenant, Directory & Domain
A tenant is your dedicated AAD instance. It owns a directory with identities, custom domains, and policies. Add verified custom domains for friendly sign-ins (e.g., @contoso.com).
az ad signed-in-user show --query "{id:id, user:displayName, upn:userPrincipalName}"
3) Azure AD vs on-prem AD
On-prem AD: Kerberos/LDAP, Windows domain-joined, LAN-centric. Azure AD: internet-facing, OAuth2/OIDC/SAML/SCIM, zero-trust. Use Azure AD DS only when legacy LDAP/Kerberos is required.
4) Objects & Principals
Objects include users, groups, devices, service principals (apps), and roles. App registrations create an application object; consents make service principals in tenants.
az ad sp list --display-name "Microsoft Graph" --query "[0].appId"
5) Identity Types
Member users (internal), Guest users (B2B), Managed identities for Azure services, and App registrations for client/API apps.
6) Licensing Snapshot
Free → P1 → P2 tiers. P1 adds Conditional Access, dynamic groups and SSPR with on-prem writeback; P2 adds Identity Protection, PIM and access reviews. Choose per security posture and governance needs.
7) Basic Admin Tools
Use the Azure Portal, az CLI, Microsoft Graph PowerShell, and the Microsoft Graph REST API. Prefer Microsoft Graph over the legacy Azure AD Graph (deprecated).
# Install Graph PowerShell
pwsh -c "Install-Module Microsoft.Graph -Scope CurrentUser"
8) Directory Roles vs Azure RBAC
Directory roles control Azure AD (users, apps, policies). Azure RBAC controls Azure resources (VMs, storage). Assign the right type in the right plane.
9) Groups
Security groups (access control) and Microsoft 365 groups (collaboration). Dynamic groups populate from a membership rule (e.g., (user.department -eq "Finance")) and require P1.
az ad group create --display-name "Finance-Readers" --mail-nickname "finreaders"
10) Devices & Join Types
Azure AD Registered (BYOD), Azure AD Joined (cloud-first corp devices), Hybrid Joined (on-prem + cloud). Device compliance feeds Conditional Access.
11) App Registrations
Register apps to obtain a Client ID and define redirect URIs. App types: SPA, native/mobile, web, machine-to-machine (M2M).
az ad app create --display-name myweb --web-redirect-uris https://app.contoso.com/auth/callback
12) Service Principals
When an app is used in a tenant, a service principal is created there. It’s the “identity” of the app within that tenant.
az ad sp create --id <APP_ID>
13) OAuth2 Grant Types
Authorization Code (with PKCE for public clients), Client Credentials (M2M), Device Code (TVs/CLI), and Resource Owner (legacy—avoid).
14) OpenID Connect (OIDC)
OIDC adds identity to OAuth: it returns an id_token with profile claims (name, email, sub). Access tokens authorize API calls; never use an id_token as an API credential.
15) Scopes, Roles & Consent
Delegated scopes (on behalf of a signed-in user) vs application permissions (app-only, no user). Admin consent is required for all application permissions and for high-privilege delegated scopes; users may consent only to low-risk delegated scopes, and only if tenant settings allow user consent.
16) Token Lifetimes & Refresh
Access tokens default to roughly 60-90 minutes (randomized); refresh tokens renew the session silently. For SPAs using the auth code flow, refresh tokens are capped at 24 hours, after which the user must sign in again, so design silent renewal around that.
17) Validate Tokens
Validate issuer, audience, signature (via JWKS), expiry, scopes. Do not trust tokens without verification.
# Node sample: express-jwt + jwks-rsa
npm i express-jwt jwks-rsa
# issuer:  https://login.microsoftonline.com/{tenant}/v2.0
# jwksUri: https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys   (the kid in the token header selects the key)
# audience: your API's client ID or Application ID URI
18) MSAL Examples (Node & React)
// React (PKCE)
npm i @azure/msal-browser @azure/msal-react
// Node API protecting routes (passport-azure-ad is no longer maintained; verify with jwks-rsa + jsonwebtoken instead)
npm i jsonwebtoken jwks-rsa
19) Expose an API & Define Scopes
In App Registration → Expose an API → set Application ID URI → add scopes & roles. Clients request scopes like api://APP-ID/Orders.Read
.
20) Resource-specific Consent (RSC)
For Teams/Graph scenarios, RSC lets resource owners grant app access to data in their scope (e.g., a particular team).
21) Multi-tenant Apps
Support “Accounts in any org” and handle home vs guest tenants. At sign-in, users may consent in their own tenant, creating a new service principal there.
22) SAML SSO
Many SaaS apps use SAML. Azure AD is the identity provider (IdP) issuing SAML assertions to the service provider (SP). Map claims properly (NameID, email).
23) SCIM Provisioning
Automate account lifecycle in SaaS apps. Azure AD pushes user/group creates/updates/deletes to the app via SCIM endpoints.
24) Conditional Access (CA)
Enforce controls based on signals: user risk, device compliance, location, app sensitivity. Example: require MFA when off corporate network.
25) CA Policy Example
# Pseudo-steps
Users: All Users (exclude break-glass)
Apps: All cloud apps
Conditions: Locations = Not "Trusted"
Grant: Require MFA
26) Identity Protection
Detects risky sign-ins (impossible travel, leaked password) and risky users. Automate remediation (force password reset, require MFA).
27) MFA Options
TOTP (Authenticator), SMS/Voice (less preferred), FIDO2 security keys (best). Educate users; register backup methods.
# List a user's registered authentication methods (Graph PowerShell; needs UserAuthenticationMethod.Read.All)
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"
Get-MgUserAuthenticationMethod -UserId alice@contoso.com
28) Passwordless
FIDO2 keys, Windows Hello for Business, and Authenticator passwordless phone sign-in take the password out of the sign-in. Pair them with a Conditional Access authentication strength (phishing-resistant MFA) so a password plus a weak second factor is not an accepted fallback.
29) Break-glass Accounts
Maintain at least two cloud-only emergency Global Admin accounts, excluded from every Conditional Access policy, protected with long random passwords stored offline (or FIDO2 keys registered for them), and alert on every sign-in. Use them only when CA or an outage locks the other admins out.
30) Secure Defaults
If you don't use CA yet, enable Security Defaults, the tenant-wide baseline (MFA registration for all users, MFA for admins, legacy auth blocked). Security Defaults and CA are mutually exclusive; turn the defaults off once CA policies cover the same ground.
31) Legacy Auth & Protocols
Block POP/IMAP/SMTP basic auth; enforce Modern Auth everywhere to stop password spraying and token replay on legacy endpoints.
32) Device Compliance (Intune)
Combine CA with device compliance to allow access only from healthy, encrypted, policy-compliant devices.
33) Azure AD Connect (Hybrid)
Sync users/groups from on-prem AD with Azure AD Connect (Entra Connect). Sign-in options: Password Hash Sync (simplest; also enables leaked-credential detection), Pass-Through Authentication (validates against on-prem DCs through agents), or Federation (ADFS). Keep PHS enabled as a fallback even when using PTA or federation.
34) Hybrid Join & SSO
Hybrid Azure AD Join gives domain-joined devices a Primary Refresh Token for cloud SSO, even off VPN. For SSO to on-prem resources from those devices, deploy Windows Hello for Business with cloud Kerberos trust (preferred) or key/certificate trust.
35) B2B Collaboration
Invite external users to your tenant; they authenticate with their home IdP. Control access via groups and CA, apply Terms of Use & access reviews.
36) B2C (Customer Identity)
Separate tenant for customer-facing apps. Custom branded sign-up/sign-in, social logins, custom policies, fine control of user journeys.
37) Lifecycle & Provisioning
Use HR as a system of record → automatic user creation, group assignment, app provisioning (SCIM), and timely deprovisioning.
38) Access Reviews
Periodic checks for group/app access. Owners attest or revoke. Reduces permission creep and license waste.
39) Privileged Identity Management (PIM)
Just-in-Time elevation for admin roles. Requires approval and sets time-bound access with audit history and MFA.
40) Entitlement Management
Bundle resources as Access Packages (groups, apps, SharePoint) with governance: approval, expiration, re-certification.
41) Custom Domains & Branding
Add verified domains and customize Company Branding (logo, colors, help links) to improve user trust and reduce phishing risk.
42) Tenant Restrictions & Cross-Tenant Access
Limit sign-ins to approved tenants and configure cross-tenant policies for secure collaboration.
43) Licenses & Cost Control
Map features to license needs (P1/P2). Reclaim inactive accounts, automate license assignment via dynamic groups, and audit consumption.
44) Sign-in & Audit Logs
Export logs to Log Analytics or Sentinel. Track risky sign-ins, app consent, role changes, and policy edits.
# Graph PowerShell examples (scopes are passed as an array, not one comma-separated string)
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"
Get-MgAuditLogSignIn -Top 5 | Select-Object UserDisplayName, AppDisplayName, @{n='ErrorCode'; e={$_.Status.ErrorCode}}
45) KQL Quick Queries
// Sign-in failures by app and error code, last 24h (Log Analytics; ResultType is a string, "0" = success)
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"
| summarize fails=count() by AppDisplayName, ResultType
| order by fails desc
46) Microsoft Graph REST
Access everything programmatically: users, groups, apps, CA policies, PIM. Prefer app-only tokens for automation.
GET https://graph.microsoft.com/v1.0/users?$select=id,displayName,mail
47) Least-Privilege Automation
Create a dedicated app registration for automation with only the necessary Application permissions (the least-privileged Graph permission that works, not Directory.ReadWrite.All by default); authenticate with a certificate and keep it in Key Vault.
48) Alerting & Sentinel
Build alerts for excessive consent, risky sign-ins, or sudden CA changes. Stream logs to Sentinel and use out-of-the-box analytics rules.
49) Backup & DR Considerations
Export config-as-code where possible (CA policies via Graph, app registrations metadata), document break-glass, and test recovery procedures.
50) Compliance & Data Residency
Understand your tenant region, data storage for logs, and regulatory requirements (GDPR, HIPAA). Use access reviews and audit logs to evidence controls.
51) React SPA Login (MSAL)
npm i @azure/msal-browser @azure/msal-react
// Initialize PublicClientApplication with auth: { clientId, authority, redirectUri }
// Wrap App in MsalProvider; call instance.loginRedirect({ scopes: ["User.Read"] })
SPA uses Authorization Code + PKCE. MSAL.js caches tokens in browser storage (sessionStorage by default; avoid localStorage unless cross-tab SSO is required); renew with acquireTokenSilent and never log tokens.
52) Node/Express API Protect
npm i express jsonwebtoken jwks-rsa
// Verify the bearer token against your tenant's v2.0 issuer and your API's audience (passport-azure-ad is no longer maintained; passport-jwt + jwks-rsa is the Passport equivalent).
Validate access tokens on every request; deny if the required scope (scp) or app role (roles) is missing.
53) .NET Minimal API
// Program.cs (NuGet: Microsoft.Identity.Web; appsettings "AzureAd" section holds Instance, TenantId, ClientId)
using Microsoft.AspNetCore.Authentication.JwtBearer; using Microsoft.Identity.Web;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization(); var app = builder.Build();
app.UseAuthentication(); app.UseAuthorization();
app.MapGet("/orders", (HttpContext c) => { c.VerifyUserHasAnyAcceptedScope("Orders.Read"); return "ok"; }).RequireAuthorization(); app.Run();
54) Expose API & Scope Mapping
Add delegated scopes (e.g., Orders.Read, Orders.Write) under Expose an API and application roles (e.g., Orders.Read.All) under App roles. Delegated tokens carry the granted scopes in the scp claim; app-only tokens carry app roles in the roles claim and have no scp. Check whichever applies to the call.
55) Admin Consent Flow
Tenant admins approve app permissions at https://login.microsoftonline.com/{tenant}/adminconsent?client_id=<client-id>&redirect_uri=<redirect-uri> (or /{tenant}/v2.0/adminconsent with an explicit scope= parameter). Record each tenant's consent status and fail closed if it has not been granted.
56) Multi-Tenant Sign-in
Use common/organizations endpoints for discovery, then switch to home tenant authority after login to acquire tokens correctly.
57) Q: Service Principal vs App Registration?
Answer: App registration is the global definition of an app. A service principal is the local instance of that app in a tenant that can be assigned roles/permissions.
58) Q: Why PKCE for SPAs?
Answer: PKCE replaces a client secret (unsafe in browsers) with a per-flow code verifier/challenge to prevent code interception.
59) Q: Common CA pitfalls?
Answer: Lockouts from overly broad rules; forgetting break-glass exclusions; not excluding service accounts; blocking legacy auth without testing.
60) Q: Token “invalid audience”?
Answer: Your API expects a token intended for it. Acquire the token with a scope that belongs to the API (e.g., api://APP-ID/Orders.Read or APP-ID/.default) so aud is the API's Application ID URI or client ID. A token acquired for Microsoft Graph, or for the wrong app registration, will never validate against your API, and the fix is on the client's token request, not in the API's validation.
61) Q: Rotate credentials safely?
Answer: Prefer certificates to client secrets; overlap validity during rollout; store in Key Vault; update CI/CD secrets first.
62) Q: B2B vs B2C?
Answer: B2B is org-to-org collaboration in your tenant; users sign in with their home IdP. B2C is separate customer-facing identity platform with branded user journeys.
63) Q: Throttling & rate limits?
Answer: Microsoft Graph enforces per-app/tenant limits. Implement retry with exponential backoff; avoid chatty loops; use delta queries where possible.
64) Troubleshoot Sign-in
Check sign-in logs for conditional policies applied, device state, and failure codes. Verify redirect URIs and reply URLs, time skew, and CORS in SPAs.
65) Hardening Checklist
Enforce MFA, block legacy auth, protect admins with PIM, monitor risky sign-ins, review third-party consents, and run access reviews quarterly.