{"id":4693,"date":"2025-08-21T09:58:41","date_gmt":"2025-08-21T09:58:41","guid":{"rendered":"https:\/\/uplatz.com\/blog\/?p=4693"},"modified":"2025-08-30T11:41:39","modified_gmt":"2025-08-30T11:41:39","slug":"azure-active-directory-pocket-book","status":"publish","type":"post","link":"https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/","title":{"rendered":"Azure Active Directory Pocket Book"},"content":{"rendered":"<p><!-- ############################################################ --><br \/>\n<!-- Azure Active Directory Pocket Book \u2014 Uplatz (Single Column, ~60 Cards) --><\/p>\n<div style=\"margin: 16px 0;\">\n<style>\n  \/* Scope *\/<br \/>  .wp-azuread-pb{font-family:Arial,Helvetica,sans-serif;max-width:980px;margin:0 auto;}<\/p>\n<p>  \/* Header *\/<br \/>  .wp-azuread-pb .heading{<br \/>    background:linear-gradient(135deg,#e0f2fe,#dbeafe);<br \/>    color:#0f172a;padding:28px;border-radius:18px;text-align:center;<br \/>    margin-bottom:26px;box-shadow:0 10px 24px rgba(0,0,0,.08);border:1px solid #cbd5e1<br \/>  }<br \/>  .wp-azuread-pb .heading h2{margin:0;font-size:2.3rem;font-weight:800;letter-spacing:.2px}<br \/>  .wp-azuread-pb .heading p{margin:8px 0 0;font-size:1.02rem;opacity:.95}<\/p>\n<p>  \/* Section title *\/<br \/>  .wp-azuread-pb .section-title{<br \/>    margin:26px 0 14px;padding:12px 16px;background:#f8fafc;border-left:8px solid #2563eb;<br \/>    border-radius:12px;font-weight:800;color:#0f172a;font-size:1.12rem;<br \/>    box-shadow:0 2px 8px rgba(0,0,0,.05);border:1px solid #e2e8f0<br \/>  }<\/p>\n<p>  \/* Cards (single column, stacked) *\/<br \/>  .wp-azuread-pb .card{<br \/>    background:#fff;border-left:6px solid #2563eb;padding:18px;border-radius:14px;<br \/>    box-shadow:0 6px 14px rgba(0,0,0,.06);border:1px solid #e5e7eb;margin-bottom:16px;<br \/>    transition:transform .12s ease,box-shadow .12s ease<br \/>  }<br \/>  .wp-azuread-pb .card:hover{transform:translateY(-2px);box-shadow:0 12px 22px 
rgba(0,0,0,.08)}<br \/>  .wp-azuread-pb .card h3{margin:0 0 10px;font-size:1.18rem;color:#0f172a}<br \/>  .wp-azuread-pb .card p{margin:0;font-size:.97rem;color:#334155;line-height:1.62}<\/p>\n<p>  \/* Color helpers for variety *\/<br \/>  .bg-blue{border-left-color:#2563eb;background:#f0f9ff}<br \/>  .bg-green{border-left-color:#16a34a;background:#f0fdf4}<br \/>  .bg-amber{border-left-color:#f59e0b;background:#fffbeb}<br \/>  .bg-violet{border-left-color:#7c3aed;background:#f5f3ff}<br \/>  .bg-rose{border-left-color:#e11d48;background:#fff1f2}<br \/>  .bg-cyan{border-left-color:#0891b2;background:#ecfeff}<br \/>  .bg-indigo{border-left-color:#4f46e5;background:#eef2ff}<br \/>  .bg-emerald{border-left-color:#059669;background:#ecfdf5}<br \/>  .bg-slate{border-left-color:#334155;background:#f8fafc}<\/p>\n<p>  \/* Mono *\/<br \/>  .mono{font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace}<br \/>  .wp-azuread-pb code{background:#f1f5f9;padding:0 4px;border-radius:4px;border:1px solid #e2e8f0}<br \/>  .wp-azuread-pb pre{background:#f5f5f5;color:#111827;border:1px solid #e5e7eb;padding:12px;border-radius:10px;overflow:auto;font-size:.92rem;line-height:1.55}<\/p>\n<p>  \/* Small utils *\/<br \/>  .muted{color:#64748b}<br \/>  .tight ul{margin:0;padding-left:18px}<br \/>  .tight li{margin:4px 0}<br \/>  .q{font-weight:700}<br \/><\/style>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-5051\" src=\"https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/08\/Azure-Active-Directory-1024x576.jpg\" alt=\"\" width=\"840\" height=\"473\" srcset=\"https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/08\/Azure-Active-Directory-1024x576.jpg 1024w, https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/08\/Azure-Active-Directory-300x169.jpg 300w, https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/08\/Azure-Active-Directory-768x432.jpg 768w, https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/08\/Azure-Active-Directory.jpg 
1280w\" sizes=\"auto, (max-width: 840px) 100vw, 840px\" \/><\/p>\n<div class=\"wp-azuread-pb\">\n<div class=\"heading\">\n<h2>Azure Active Directory Pocket Book \u2014 Uplatz<\/h2>\n<p>60+ deep-dive flashcards \u2022 Single column \u2022 Identity &amp; Access \u2022 OAuth\/OIDC &amp; SAML \u2022 Security &amp; Compliance \u2022 Admin &amp; Hybrid \u2022 Interview Q&amp;A<\/p>\n<p class=\"muted\">Cheat-friendly explanations \u2022 Readable code \u2022 Production-oriented tips<\/p>\n<\/div>\n<p><!-- ===================== SECTION 1 ===================== --><\/p>\n<div class=\"section-title\">Section 1 \u2014 Fundamentals<\/div>\n<div class=\"card bg-blue\">\n<h3>1) What is Azure Active Directory (Entra ID)?<\/h3>\n<p>Azure AD (now under Microsoft Entra) is Microsoft\u2019s cloud identity and access management for users, apps, and devices. It provides authentication (who you are) and authorization (what you can access) for Microsoft 365, Azure, SaaS, and custom apps.<\/p>\n<pre><code class=\"mono\"># Show current tenant and subscription\r\naz account show --query \"{tenantId:tenantId, sub:name}\" -o tsv<\/code><\/pre>\n<\/div>\n<div class=\"card bg-green\">\n<h3>2) Tenant, Directory &amp; Domain<\/h3>\n<p>A tenant is your dedicated AAD instance. It owns a directory with identities, custom domains, and policies. Add verified custom domains for friendly sign-ins (e.g., <code>@contoso.com<\/code>).<\/p>\n<pre><code class=\"mono\">az ad signed-in-user show --query \"{id:id, user:displayName, upn:userPrincipalName}\"<\/code><\/pre>\n<\/div>\n<div class=\"card bg-amber\">\n<h3>3) Azure AD vs on-prem AD<\/h3>\n<p>On-prem AD: Kerberos\/LDAP, Windows domain-joined, LAN-centric. Azure AD: internet-facing, OAuth2\/OIDC\/SAML\/SCIM, zero-trust. Use Azure AD DS only when legacy LDAP\/Kerberos is required.<\/p>\n<\/div>\n<div class=\"card bg-violet\">\n<h3>4) Objects &amp; Principals<\/h3>\n<p>Objects include users, groups, devices, service principals (apps), and roles. 
App registrations create an application object; consents make service principals in tenants.<\/p>\n<pre><code class=\"mono\">az ad sp list --display-name \"Microsoft Graph\" --query \"[0].appId\"<\/code><\/pre>\n<\/div>\n<div class=\"card bg-rose\">\n<h3>5) Identity Types<\/h3>\n<p><b>Member<\/b> users (internal), <b>Guest<\/b> users (B2B), <b>Managed identities<\/b> for Azure services, and <b>App registrations<\/b> for client\/API apps.<\/p>\n<\/div>\n<div class=\"card bg-cyan\">\n<h3>6) Licensing Snapshot<\/h3>\n<p>Free \u2192 P1 \u2192 P2 tiers. P1 adds Conditional Access &amp; self-service; P2 adds Identity Protection &amp; PIM. Choose per security posture and governance needs.<\/p>\n<\/div>\n<div class=\"card bg-indigo\">\n<h3>7) Basic Admin Tools<\/h3>\n<p>Use Azure Portal, <code>az<\/code> CLI, Microsoft Graph PowerShell, and REST Graph API. Prefer Microsoft Graph over legacy Azure AD Graph (deprecated).<\/p>\n<pre><code class=\"mono\"># Install Graph PowerShell\r\npwsh -c \"Install-Module Microsoft.Graph -Scope CurrentUser\"<\/code><\/pre>\n<\/div>\n<div class=\"card bg-emerald\">\n<h3>8) Directory Roles vs Azure RBAC<\/h3>\n<p>Directory roles control Azure AD (users, apps, policies). Azure RBAC controls Azure resources (VMs, storage). Assign the right type in the right plane.<\/p>\n<\/div>\n<div class=\"card bg-slate\">\n<h3>9) Groups<\/h3>\n<p>Security groups (access control) and Microsoft 365 groups (collaboration). Dynamic groups populate based on rules (e.g., department = Finance).<\/p>\n<pre><code class=\"mono\">az ad group create --display-name \"Finance-Readers\" --mail-nickname \"finreaders\"<\/code><\/pre>\n<\/div>\n<div class=\"card bg-blue\">\n<h3>10) Devices &amp; Join Types<\/h3>\n<p>Azure AD Registered (BYOD), Azure AD Joined (cloud-first corp devices), Hybrid Joined (on-prem + cloud). 
Device compliance feeds Conditional Access.<\/p>\n<\/div>\n<p><!-- ===================== SECTION 2 ===================== --><\/p>\n<div class=\"section-title\">Section 2 \u2014 Authentication, OAuth2\/OIDC &amp; Tokens<\/div>\n<div class=\"card bg-green\">\n<h3>11) App Registrations<\/h3>\n<p>Register apps to obtain a Client ID and define redirect URIs. App types: SPA, native\/mobile, web, machine-to-machine (M2M).<\/p>\n<pre><code class=\"mono\">az ad app create --display-name myweb --web-redirect-uris https:\/\/app.contoso.com\/auth\/callback<\/code><\/pre>\n<\/div>\n<div class=\"card bg-amber\">\n<h3>12) Service Principals<\/h3>\n<p>When an app is used in a tenant, a service principal is created there. It\u2019s the \u201cidentity\u201d of the app within that tenant.<\/p>\n<pre><code class=\"mono\">az ad sp create --id &lt;APP_ID&gt;<\/code><\/pre>\n<\/div>\n<div class=\"card bg-violet\">\n<h3>13) OAuth2 Grant Types<\/h3>\n<p>Authorization Code (with PKCE for public clients), Client Credentials (M2M), Device Code (TVs\/CLI), and Resource Owner (legacy\u2014avoid).<\/p>\n<\/div>\n<div class=\"card bg-rose\">\n<h3>14) OpenID Connect (OIDC)<\/h3>\n<p>OIDC adds identity to OAuth: returns <code>id_token<\/code> with profile claims (name, email, sub). Access tokens authorize API calls.<\/p>\n<\/div>\n<div class=\"card bg-cyan\">\n<h3>15) Scopes, Roles &amp; Consent<\/h3>\n<p><b>Delegated scopes<\/b> (on behalf of user) vs <b>Application roles<\/b> (app permissions without user). Admin consent is required for high-privilege permissions.<\/p>\n<\/div>\n<div class=\"card bg-indigo\">\n<h3>16) Token Lifetimes &amp; Refresh<\/h3>\n<p>Default access tokens are short-lived; refresh tokens renew sessions. Use Refresh Token Rotation for better security in SPAs\/mobile.<\/p>\n<\/div>\n<div class=\"card bg-emerald\">\n<h3>17) Validate Tokens<\/h3>\n<p>Validate issuer, audience, signature (via JWKS), expiry, scopes. 
Do not trust tokens without verification.<\/p>\n<pre><code class=\"mono\"># Node sample: express-jwt + jwks-rsa\r\nnpm i express-jwt jwks-rsa\r\n# secret:     jwksRsa.expressJwtSecret({ jwksUri: \"https:\/\/login.microsoftonline.com\/{tenant}\/discovery\/v2.0\/keys\" })\r\n# issuer:     https:\/\/login.microsoftonline.com\/{tenant}\/v2.0\r\n# audience:   your API's client ID or Application ID URI\r\n# algorithms: [\"RS256\"]   (never let the token choose the algorithm)<\/code><\/pre>\n<\/div>\n<div class=\"card bg-slate\">\n<h3>18) MSAL Examples (Node &amp; React)<\/h3>\n<pre><code class=\"mono\">\/\/ React (PKCE)\r\nnpm i @azure\/msal-browser @azure\/msal-react\r\n\r\n\/\/ Node API protecting routes\r\nnpm i passport-azure-ad jsonwebtoken<\/code><\/pre>\n<\/div>\n<div class=\"card bg-blue\">\n<h3>19) Expose an API &amp; Define Scopes<\/h3>\n<p>In App Registration \u2192 Expose an API \u2192 set Application ID URI \u2192 add scopes &amp; roles. Clients request scopes like <code>api:\/\/APP-ID\/Orders.Read<\/code>; the resulting access token carries <code>aud<\/code> = your API and <code>scp<\/code> = the granted scopes.<\/p>\n<\/div>\n<div class=\"card bg-green\">\n<h3>20) Resource-specific Consent (RSC)<\/h3>\n<p>For Teams\/Graph scenarios, RSC lets resource owners grant app access to data in their scope (e.g., a particular team).<\/p>\n<\/div>\n<div class=\"card bg-amber\">\n<h3>21) Multi-tenant Apps<\/h3>\n<p>Support \u201cAccounts in any org\u201d and handle home vs guest tenants. At sign-in, users may consent in their own tenant, creating a new service principal there. Tokens then carry that tenant\u2019s <code>tid<\/code> and issuer, so validate them against the tenants you actually serve instead of accepting any issuer.<\/p>\n<\/div>\n<div class=\"card bg-violet\">\n<h3>22) SAML SSO<\/h3>\n<p>Many SaaS apps use SAML. Azure AD is the identity provider (IdP) issuing SAML assertions to the service provider (SP). Map claims properly (NameID, email), keep the SP\u2019s reply (ACS) URL and identifier exact, and rotate the signing certificate before it expires.<\/p>\n<\/div>\n<div class=\"card bg-rose\">\n<h3>23) SCIM Provisioning<\/h3>\n<p>Automate account lifecycle in SaaS apps. 
Azure AD pushes user\/group creates\/updates\/deletes to the app via SCIM endpoints.<\/p>\n<\/div>\n<p><!-- ===================== SECTION 3 ===================== --><\/p>\n<div class=\"section-title\">Section 3 \u2014 Security, Conditional Access &amp; MFA<\/div>\n<div class=\"card bg-cyan\">\n<h3>24) Conditional Access (CA)<\/h3>\n<p>Enforce controls based on signals: user risk, device compliance, location, app sensitivity. Example: require MFA when off corporate network.<\/p>\n<\/div>\n<div class=\"card bg-indigo\">\n<h3>25) CA Policy Example<\/h3>\n<pre><code class=\"mono\"># Pseudo-steps\r\nUsers: All Users (exclude break-glass)\r\nApps: All cloud apps\r\nConditions: Locations = Not \"Trusted\"\r\nGrant: Require MFA<\/code><\/pre>\n<\/div>\n<div class=\"card bg-emerald\">\n<h3>26) Identity Protection<\/h3>\n<p>Detects risky sign-ins (impossible travel, leaked password) and risky users. Automate remediation (force password reset, require MFA).<\/p>\n<\/div>\n<div class=\"card bg-slate\">\n<h3>27) MFA Options<\/h3>\n<p>TOTP (Authenticator), SMS\/Voice (less preferred), FIDO2 security keys (best). 
Educate users; register backup methods. Azure CLI has no authentication-method commands; list them with Microsoft Graph PowerShell.<\/p>\n<pre><code class=\"mono\"># List a user's registered authentication methods (Graph PowerShell)\r\nConnect-MgGraph -Scopes \"UserAuthenticationMethod.Read.All\"\r\nGet-MgUserAuthenticationMethod -UserId alice@contoso.com |\r\n  Select-Object Id, @{n='Type';e={$_.AdditionalProperties['@odata.type']}}<\/code><\/pre>\n<\/div>\n<div class=\"card bg-blue\">\n<h3>28) Passwordless<\/h3>\n<p>FIDO2 security keys, Windows Hello for Business, and Authenticator phone sign-in take the password out of the sign-in, so spraying, reuse, and phishing of the password itself no longer apply. Only FIDO2\/passkeys and Windows Hello for Business are phishing-resistant; Authenticator approvals can still be socially engineered, which is why number matching is enforced for them.<\/p>\n<\/div>\n<div class=\"card bg-green\">\n<h3>29) Break-glass Accounts<\/h3>\n<p>Maintain at least two cloud-only emergency accounts with a permanent (not PIM-eligible) Global Administrator assignment, excluded from every Conditional Access policy, protected by long random passwords or FIDO2 keys kept offline, and alerted on every sign-in. Use them only when CA or an MFA outage locks out all other admins, and test them on a schedule.<\/p>\n<\/div>\n<div class=\"card bg-amber\">\n<h3>30) Security Defaults<\/h3>\n<p>If you don\u2019t use CA yet, enable security defaults for a free baseline (MFA registration for all users, MFA for admins, legacy auth blocked). Security defaults and Conditional Access are mutually exclusive: turn them off before creating CA policies and replace each baseline control with an explicit policy.<\/p>\n<\/div>\n<div class=\"card bg-violet\">\n<h3>31) Legacy Auth &amp; Protocols<\/h3>\n<p>Block POP\/IMAP\/SMTP basic auth and other legacy protocols: they cannot perform MFA, so Conditional Access cannot enforce it, which makes them the preferred entry point for password spraying and credential stuffing. Enforce modern auth everywhere; the sign-in log\u2019s <em>Client app<\/em> field shows who still depends on legacy auth before you block it.<\/p>\n<\/div>\n<div class=\"card bg-rose\">\n<h3>32) Device Compliance (Intune)<\/h3>\n<p>Combine CA with device compliance to allow access only from healthy, encrypted, policy-compliant devices.<\/p>\n<\/div>\n<p><!-- ===================== SECTION 4 ===================== --><\/p>\n<div class=\"section-title\">Section 4 \u2014 Admin, Hybrid Identity &amp; Lifecycle<\/div>\n<div class=\"card bg-cyan\">\n<h3>33) Azure AD Connect (Hybrid)<\/h3>\n<p>Sync users\/groups from on-prem AD. 
Options: Password Hash Sync (simplest; keep it enabled even alongside the other two so leaked-credential detection works and you have a fallback if on-prem is down), Pass-Through Authentication (validates passwords against on-prem DCs through agents), and Federation (AD FS; the most infrastructure to secure). Entra Cloud Sync is the lightweight agent-based alternative for simple topologies.<\/p>\n<\/div>\n<div class=\"card bg-indigo\">\n<h3>34) Hybrid Join &amp; SSO<\/h3>\n<p>Hybrid Azure AD Join registers domain-joined Windows devices in Entra, so they get a Primary Refresh Token and seamless SSO to cloud apps even off the VPN. Pair it with Windows Hello for Business cloud Kerberos trust (or certificate trust) to extend passwordless SSO to on-prem resources.<\/p>\n<\/div>\n<div class=\"card bg-emerald\">\n<h3>35) B2B Collaboration<\/h3>\n<p>Invite external users to your tenant; they authenticate with their home IdP. Control access via groups and CA, apply Terms of Use &amp; access reviews.<\/p>\n<\/div>\n<div class=\"card bg-slate\">\n<h3>36) B2C (Customer Identity)<\/h3>\n<p>Separate tenant for customer-facing apps. Custom branded sign-up\/sign-in, social logins, custom policies, fine control of user journeys. Azure AD B2C stopped being sold to new customers in May 2025; Microsoft Entra External ID is the successor for new customer-identity projects.<\/p>\n<\/div>\n<div class=\"card bg-blue\">\n<h3>37) Lifecycle &amp; Provisioning<\/h3>\n<p>Use HR as a system of record \u2192 automatic user creation, group assignment, app provisioning (SCIM), and timely deprovisioning.<\/p>\n<\/div>\n<div class=\"card bg-green\">\n<h3>38) Access Reviews<\/h3>\n<p>Periodic checks for group\/app access. Owners attest or revoke. Reduces permission creep and license waste.<\/p>\n<\/div>\n<div class=\"card bg-amber\">\n<h3>39) Privileged Identity Management (PIM)<\/h3>\n<p>Just-in-Time elevation for admin roles. 
Eligible assignments are activated for a bounded window; per-role settings can require MFA, justification, a ticket number and approval, and every activation is audited. Review eligibility itself with access reviews so standing eligibility does not become standing access.<\/p>\n<\/div>\n<div class=\"card bg-violet\">\n<h3>40) Entitlement Management<\/h3>\n<p>Bundle resources as <em>Access Packages<\/em> (groups, apps, SharePoint) with governance: approval, expiration, re-certification.<\/p>\n<\/div>\n<div class=\"card bg-rose\">\n<h3>41) Custom Domains &amp; Branding<\/h3>\n<p>Add verified domains and customize Company Branding (logo, colors, help links) so users recognise the genuine sign-in page. Branding is not a phishing control on its own (a reverse-proxy phishing kit copies it verbatim); phishing-resistant MFA and device-based CA are.<\/p>\n<\/div>\n<div class=\"card bg-cyan\">\n<h3>42) Tenant Restrictions &amp; Cross-Tenant Access<\/h3>\n<p>Limit sign-ins to approved tenants and configure cross-tenant policies for secure collaboration.<\/p>\n<\/div>\n<div class=\"card bg-indigo\">\n<h3>43) Licenses &amp; Cost Control<\/h3>\n<p>Map features to license needs (P1\/P2). Reclaim inactive accounts, automate license assignment via dynamic groups, and audit consumption.<\/p>\n<\/div>\n<p><!-- ===================== SECTION 5 ===================== --><\/p>\n<div class=\"section-title\">Section 5 \u2014 Monitoring, Graph API &amp; Automation<\/div>\n<div class=\"card bg-emerald\">\n<h3>44) Sign-in &amp; Audit Logs<\/h3>\n<p>Export logs to Log Analytics or Sentinel. Track risky sign-ins, app consent, role changes, and policy edits.<\/p>\n<pre><code class=\"mono\"># Graph PowerShell examples (scopes are an array, not one comma-separated string)\r\nConnect-MgGraph -Scopes \"AuditLog.Read.All\",\"Directory.Read.All\"\r\nGet-MgAuditLogSignIn -Top 5 |\r\n  Select-Object UserDisplayName,AppDisplayName,IpAddress,@{n='Error';e={$_.Status.ErrorCode}}<\/code><\/pre>\n<\/div>\n<div class=\"card bg-slate\">\n<h3>45) KQL Quick Queries<\/h3>\n<pre><code class=\"mono\">\/\/ Sign-in failures by app (Log Analytics). ResultType is a string column; \"0\" is success.\r\nSigninLogs\r\n| where ResultType != \"0\"\r\n| summarize fails=count() by AppDisplayName, ResultType, ResultDescription\r\n| order by fails desc<\/code><\/pre>\n<\/div>\n<div class=\"card bg-blue\">\n<h3>46) Microsoft Graph REST<\/h3>\n<p>Access everything programmatically: users, groups, apps, CA policies, PIM. 
Prefer app-only tokens for automation.<\/p>\n<pre><code class=\"mono\">GET https:\/\/graph.microsoft.com\/v1.0\/users?$select=id,displayName,mail<\/code><\/pre>\n<\/div>\n<div class=\"card bg-green\">\n<h3>47) Least-Privilege Automation<\/h3>\n<p>Create a dedicated app registration for automation with only necessary <code>Application<\/code> permissions; store certs\/keys in Key Vault.<\/p>\n<\/div>\n<div class=\"card bg-amber\">\n<h3>48) Alerting &amp; Sentinel<\/h3>\n<p>Build alerts for excessive consent, risky sign-ins, or sudden CA changes. Stream logs to Sentinel and use out-of-the-box analytics rules.<\/p>\n<\/div>\n<div class=\"card bg-violet\">\n<h3>49) Backup &amp; DR Considerations<\/h3>\n<p>Export config-as-code where possible (CA policies via Graph, app registrations metadata), document break-glass, and test recovery procedures.<\/p>\n<\/div>\n<div class=\"card bg-rose\">\n<h3>50) Compliance &amp; Data Residency<\/h3>\n<p>Understand your tenant region, data storage for logs, and regulatory requirements (GDPR, HIPAA). Use access reviews and audit logs to evidence controls.<\/p>\n<\/div>\n<p><!-- ===================== SECTION 6 ===================== --><\/p>\n<div class=\"section-title\">Section 6 \u2014 Developer Recipes<\/div>\n<div class=\"card bg-cyan\">\n<h3>51) React SPA Login (MSAL)<\/h3>\n<pre><code class=\"mono\">npm i @azure\/msal-browser @azure\/msal-react\r\n\/\/ Initialize PublicClientApplication with auth: { clientId, authority, redirectUri }\r\n\/\/ Wrap App in MsalProvider; call instance.loginRedirect({ scopes: [\"User.Read\"] })<\/code><\/pre>\n<p>SPA uses Authorization Code + PKCE. 
MSAL.js keeps tokens in browser storage (sessionStorage by default; localStorage shares them across tabs but widens what an XSS bug can steal). Keep access tokens short-lived, request only the scopes a view needs, rely on silent renewal through the refresh token, and treat any XSS finding as a token-theft finding.<\/p>\n<\/div>\n<div class=\"card bg-indigo\">\n<h3>52) Node\/Express API Protect<\/h3>\n<pre><code class=\"mono\">npm i express passport passport-azure-ad\r\n\/\/ Use BearerStrategy with your tenant's v2.0 issuer &amp; audience; check scopes on routes.<\/code><\/pre>\n<p>Validate access tokens on each request; answer 401 if the token is missing or invalid and 403 if it lacks the required scope. Never rely on the client having done the check.<\/p>\n<\/div>\n<div class=\"card bg-emerald\">\n<h3>53) .NET Minimal API<\/h3>\n<pre><code class=\"mono\">\/\/ Program.cs (Microsoft.Identity.Web)\r\nusing Microsoft.AspNetCore.Authentication.JwtBearer;\r\nusing Microsoft.Identity.Web;\r\nbuilder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)\r\n .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection(\"AzureAd\"));\r\nbuilder.Services.AddAuthorization();\r\napp.UseAuthentication(); app.UseAuthorization();\r\n\/\/ Inside a handler: ctx.VerifyUserHasAnyAcceptedScope(\"Orders.Read\"); \/\/ 403 if scp lacks it<\/code><\/pre>\n<\/div>\n<div class=\"card bg-slate\">\n<h3>54) Expose API &amp; Scope Mapping<\/h3>\n<p>Add app roles (e.g., <code>Orders.Read<\/code>, <code>Orders.Write<\/code>) and delegated scopes. App-only tokens (and users or groups assigned an app role) carry a <code>roles<\/code> claim; delegated tokens carry <code>scp<\/code>. Check the claim that matches the token type: an app-only token has no <code>scp<\/code> at all.<\/p>\n<\/div>\n<div class=\"card bg-blue\">\n<h3>55) Admin Consent Flow<\/h3>\n<p>Tenant admins approve app permissions at <code>https:\/\/login.microsoftonline.com\/{tenant}\/v2.0\/adminconsent?client_id={app-id}&amp;redirect_uri={registered-uri}<\/code>; on return, check the <code>admin_consent<\/code> and <code>tenant<\/code> parameters, store consent status per tenant, and fail closed if consent is absent.<\/p>\n<\/div>\n<div class=\"card bg-green\">\n<h3>56) Multi-Tenant Sign-in<\/h3>\n<p>Use the <code>common<\/code> or <code>organizations<\/code> authority for sign-in, then switch to the user\u2019s home-tenant authority (<code>https:\/\/login.microsoftonline.com\/{tid}<\/code>) for silent token acquisition. Tokens always come from the home tenant, so <code>iss<\/code> and <code>tid<\/code> are tenant-specific: validate them against an allow-list of tenants you serve rather than accepting any issuer.<\/p>\n<\/div>\n<p><!-- ===================== SECTION 7 ===================== --><\/p>\n<div class=\"section-title\">Section 7 \u2014 Interview Q&amp;A &amp; Troubleshooting<\/div>\n<div class=\"card bg-amber\">\n<h3>57) Q: Service Principal vs App Registration?<\/h3>\n<p><span class=\"q\">Answer:<\/span> App registration is the global definition of an app. 
A service principal is the local instance of that app in a tenant that can be assigned roles\/permissions.<\/p>\n<\/div>\n<div class=\"card bg-violet\">\n<h3>58) Q: Why PKCE for SPAs?<\/h3>\n<p><span class=\"q\">Answer:<\/span> PKCE replaces a client secret (unsafe in browsers) with a per-flow code verifier\/challenge to prevent code interception.<\/p>\n<\/div>\n<div class=\"card bg-rose\">\n<h3>59) Q: Common CA pitfalls?<\/h3>\n<p><span class=\"q\">Answer:<\/span> Lockouts from overly broad rules; forgetting break-glass exclusions; not excluding service accounts; blocking legacy auth without testing.<\/p>\n<\/div>\n<div class=\"card bg-cyan\">\n<h3>60) Q: Token \u201cinvalid audience\u201d?<\/h3>\n<p><span class=\"q\">Answer:<\/span> Your API expects a token intended for it. Acquire token with the API\u2019s <code>Application ID URI<\/code> or <code>aud<\/code> set correctly.<\/p>\n<\/div>\n<div class=\"card bg-indigo\">\n<h3>61) Q: Rotate credentials safely?<\/h3>\n<p><span class=\"q\">Answer:<\/span> Prefer certificates to client secrets; overlap validity during rollout; store in Key Vault; update CI\/CD secrets first.<\/p>\n<\/div>\n<div class=\"card bg-emerald\">\n<h3>62) Q: B2B vs B2C?<\/h3>\n<p><span class=\"q\">Answer:<\/span> B2B is org-to-org collaboration in your tenant; users sign in with their home IdP. B2C is separate customer-facing identity platform with branded user journeys.<\/p>\n<\/div>\n<div class=\"card bg-slate\">\n<h3>63) Q: Throttling &amp; rate limits?<\/h3>\n<p><span class=\"q\">Answer:<\/span> Microsoft Graph enforces per-app\/tenant limits. Implement retry with exponential backoff; avoid chatty loops; use delta queries where possible.<\/p>\n<\/div>\n<div class=\"card bg-blue\">\n<h3>64) Troubleshoot Sign-in<\/h3>\n<p>Check sign-in logs for conditional policies applied, device state, and failure codes. 
Verify redirect URIs and reply URLs, time skew, and CORS in SPAs.<\/p>\n<\/div>\n<div class=\"card bg-green\">\n<h3>65) Hardening Checklist<\/h3>\n<p>Enforce MFA, block legacy auth, protect admins with PIM, monitor risky sign-ins, review third-party consents, and run access reviews quarterly.<\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Azure Active Directory Pocket Book \u2014 Uplatz 60+ deep-dive flashcards \u2022 Single column \u2022 Identity &amp; Access \u2022 OAuth\/OIDC &amp; SAML \u2022 Security &amp; Compliance \u2022 Admin &amp; Hybrid \u2022 <span class=\"readmore\"><a href=\"https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/\">Read More &#8230;<\/a><\/span><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2529,2462],"tags":[],"class_list":["post-4693","post","type-post","status-publish","format-standard","hentry","category-azure-active-directory","category-pocket-book"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Azure Active Directory Pocket Book | Uplatz Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Azure Active Directory Pocket Book | Uplatz Blog\" \/>\n<meta property=\"og:description\" content=\"Azure Active Directory Pocket Book \u2014 Uplatz 60+ deep-dive flashcards \u2022 Single column \u2022 Identity &amp; Access \u2022 OAuth\/OIDC &amp; SAML \u2022 Security &amp; Compliance \u2022 Admin &amp; Hybrid \u2022 Read More ...\" \/>\n<meta 
property=\"og:url\" content=\"https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/\" \/>\n<meta property=\"og:site_name\" content=\"Uplatz Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Uplatz-1077816825610769\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-08-21T09:58:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-08-30T11:41:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/08\/Azure-Active-Directory.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"720\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"uplatzblog\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@uplatz_global\" \/>\n<meta name=\"twitter:site\" content=\"@uplatz_global\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"uplatzblog\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/azure-active-directory-pocket-book\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/azure-active-directory-pocket-book\\\/\"},\"author\":{\"name\":\"uplatzblog\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#\\\/schema\\\/person\\\/8ecae69a21d0757bdb2f776e67d2645e\"},\"headline\":\"Azure Active Directory Pocket Book\",\"datePublished\":\"2025-08-21T09:58:41+00:00\",\"dateModified\":\"2025-08-30T11:41:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/azure-active-directory-pocket-book\\\/\"},\"wordCount\":1483,\"publisher\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/azure-active-directory-pocket-book\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/08\\\/Azure-Active-Directory-1024x576.jpg\",\"articleSection\":[\"Azure Active Directory\",\"Pocket Book\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/azure-active-directory-pocket-book\\\/\",\"url\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/azure-active-directory-pocket-book\\\/\",\"name\":\"Azure Active Directory Pocket Book | Uplatz 
Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/azure-active-directory-pocket-book\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/azure-active-directory-pocket-book\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/08\\\/Azure-Active-Directory-1024x576.jpg\",\"datePublished\":\"2025-08-21T09:58:41+00:00\",\"dateModified\":\"2025-08-30T11:41:39+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/azure-active-directory-pocket-book\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/uplatz.com\\\/blog\\\/azure-active-directory-pocket-book\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/azure-active-directory-pocket-book\\\/#primaryimage\",\"url\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/08\\\/Azure-Active-Directory.jpg\",\"contentUrl\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/08\\\/Azure-Active-Directory.jpg\",\"width\":1280,\"height\":720},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/azure-active-directory-pocket-book\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Azure Active Directory Pocket Book\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/\",\"name\":\"Uplatz Blog\",\"description\":\"Uplatz is a global IT Training &amp; Consulting 
company\",\"publisher\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#organization\",\"name\":\"uplatz.com\",\"url\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wp-content\\\/uploads\\\/2016\\\/11\\\/Uplatz-Logo-Copy-2.png\",\"contentUrl\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/wp-content\\\/uploads\\\/2016\\\/11\\\/Uplatz-Logo-Copy-2.png\",\"width\":1280,\"height\":800,\"caption\":\"uplatz.com\"},\"image\":{\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/Uplatz-1077816825610769\\\/\",\"https:\\\/\\\/x.com\\\/uplatz_global\",\"https:\\\/\\\/www.instagram.com\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/7956715?trk=tyah&amp;amp;amp;amp;trkInfo=clickedVertical:company,clickedEntityId:7956715,idx:1-1-1,tarId:1464353969447,tas:uplatz\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/uplatz.com\\\/blog\\\/#\\\/schema\\\/person\\\/8ecae69a21d0757bdb2f776e67d2645e\",\"name\":\"uplatzblog\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7f814c72279199f59ded4418a8653ad15f5f8904ac75e025a4e2abe24d58fa5d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7f814c72279199f59ded4418a8653ad15f5f8904ac75e025a4e2abe24d58fa5d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7f814c72279199f59ded4
418a8653ad15f5f8904ac75e025a4e2abe24d58fa5d?s=96&d=mm&r=g\",\"caption\":\"uplatzblog\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Azure Active Directory Pocket Book | Uplatz Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/","og_locale":"en_US","og_type":"article","og_title":"Azure Active Directory Pocket Book | Uplatz Blog","og_description":"Azure Active Directory Pocket Book \u2014 Uplatz 60+ deep-dive flashcards \u2022 Single column \u2022 Identity &amp; Access \u2022 OAuth\/OIDC &amp; SAML \u2022 Security &amp; Compliance \u2022 Admin &amp; Hybrid \u2022 Read More ...","og_url":"https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/","og_site_name":"Uplatz Blog","article_publisher":"https:\/\/www.facebook.com\/Uplatz-1077816825610769\/","article_published_time":"2025-08-21T09:58:41+00:00","article_modified_time":"2025-08-30T11:41:39+00:00","og_image":[{"width":1280,"height":720,"url":"https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/08\/Azure-Active-Directory.jpg","type":"image\/jpeg"}],"author":"uplatzblog","twitter_card":"summary_large_image","twitter_creator":"@uplatz_global","twitter_site":"@uplatz_global","twitter_misc":{"Written by":"uplatzblog","Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/#article","isPartOf":{"@id":"https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/"},"author":{"name":"uplatzblog","@id":"https:\/\/uplatz.com\/blog\/#\/schema\/person\/8ecae69a21d0757bdb2f776e67d2645e"},"headline":"Azure Active Directory Pocket Book","datePublished":"2025-08-21T09:58:41+00:00","dateModified":"2025-08-30T11:41:39+00:00","mainEntityOfPage":{"@id":"https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/"},"wordCount":1483,"publisher":{"@id":"https:\/\/uplatz.com\/blog\/#organization"},"image":{"@id":"https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/#primaryimage"},"thumbnailUrl":"https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/08\/Azure-Active-Directory-1024x576.jpg","articleSection":["Azure Active Directory","Pocket Book"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/","url":"https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/","name":"Azure Active Directory Pocket Book | Uplatz 
Blog","isPartOf":{"@id":"https:\/\/uplatz.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/#primaryimage"},"image":{"@id":"https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/#primaryimage"},"thumbnailUrl":"https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/08\/Azure-Active-Directory-1024x576.jpg","datePublished":"2025-08-21T09:58:41+00:00","dateModified":"2025-08-30T11:41:39+00:00","breadcrumb":{"@id":"https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/#primaryimage","url":"https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/08\/Azure-Active-Directory.jpg","contentUrl":"https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/08\/Azure-Active-Directory.jpg","width":1280,"height":720},{"@type":"BreadcrumbList","@id":"https:\/\/uplatz.com\/blog\/azure-active-directory-pocket-book\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/uplatz.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Azure Active Directory Pocket Book"}]},{"@type":"WebSite","@id":"https:\/\/uplatz.com\/blog\/#website","url":"https:\/\/uplatz.com\/blog\/","name":"Uplatz Blog","description":"Uplatz is a global IT Training &amp; Consulting 
company","publisher":{"@id":"https:\/\/uplatz.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/uplatz.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/uplatz.com\/blog\/#organization","name":"uplatz.com","url":"https:\/\/uplatz.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/uplatz.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2016\/11\/Uplatz-Logo-Copy-2.png","contentUrl":"https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2016\/11\/Uplatz-Logo-Copy-2.png","width":1280,"height":800,"caption":"uplatz.com"},"image":{"@id":"https:\/\/uplatz.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Uplatz-1077816825610769\/","https:\/\/x.com\/uplatz_global","https:\/\/www.instagram.com\/","https:\/\/www.linkedin.com\/company\/7956715?trk=tyah&amp;amp;amp;amp;trkInfo=clickedVertical:company,clickedEntityId:7956715,idx:1-1-1,tarId:1464353969447,tas:uplatz"]},{"@type":"Person","@id":"https:\/\/uplatz.com\/blog\/#\/schema\/person\/8ecae69a21d0757bdb2f776e67d2645e","name":"uplatzblog","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/7f814c72279199f59ded4418a8653ad15f5f8904ac75e025a4e2abe24d58fa5d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/7f814c72279199f59ded4418a8653ad15f5f8904ac75e025a4e2abe24d58fa5d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/7f814c72279199f59ded4418a8653ad15f5f8904ac75e025a4e2abe24d58fa5d?s=96&d=mm&r=g","caption":"uplatzblog"}}]}}}