AZ-204 - Azure Authentication
Introduction to Entra ID (Azure AD)
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. It handles authentication and authorization for Azure resources, Microsoft 365, and custom applications.
Core Capabilities
Authentication
Verifying user identity through passwords, multi-factor authentication (MFA), passwordless methods, and single sign-on (SSO).
Authorization
Controlling access to resources through role-based access control (RBAC), application permissions, and conditional access policies.
Application Management
Register and manage applications to integrate with Entra ID for authentication. Supports OAuth 2.0, OpenID Connect, and SAML.
What is an Entra ID (Azure AD) Tenant?
A tenant is a dedicated instance of Entra ID that an organization receives when it signs up for a Microsoft cloud service. Each tenant is distinct, separate, and has its own directory of users, groups, and app registrations.
Create an Entra ID (Azure AD) Tenant
You can create a new tenant via the Azure Portal under Microsoft Entra ID > Manage Tenants > Create. Choose between a Workforce tenant (for employees) or an External tenant (for customer-facing apps).
Microsoft Identity Platform
The Microsoft identity platform is the developer-facing side of Entra ID: the OAuth 2.0 and OpenID Connect endpoints under https://login.microsoftonline.com/{tenant}/oauth2/v2.0/, the open-source MSAL libraries, and the app registration and consent experience used to integrate identity into applications.
Key Components
| Component | Purpose |
|---|---|
| OAuth 2.0 / OpenID Connect | Industry-standard protocols for authorization and authentication |
| MSAL (Microsoft Authentication Library) | SDK for acquiring tokens to access protected APIs |
| App Registrations | Define application identity, permissions, and authentication configuration |
| Tokens (ID, Access, Refresh) | ID and access tokens are JWTs signed by Entra ID: the ID token tells the client who signed in, the access token is presented to a resource API, which validates it. Refresh tokens are opaque strings used to obtain new tokens silently |
Create Users in Entra ID (Azure AD)
Users can be created directly in the tenant (cloud-only users), synced from on-premises Active Directory, or invited as external guests (B2B collaboration).
Register an Application for Entra ID (Azure AD)
App registration creates an identity for your application in Entra ID. It defines the application's client ID, redirect URIs, and API permissions.
Key Settings
Application (Client) ID
A unique GUID that identifies the application. Used in authentication requests.
Redirect URI
The URI where Entra ID sends authorization codes and tokens. Entra ID only redirects to a URI that exactly matches one registered on the app, so the value your code sends must match character for character. Register only HTTPS URIs you control (loopback http://localhost is allowed for development) and avoid wildcards: a loosely matched redirect URI lets an attacker receive the authorization code.
Client Secret / Certificate
Credentials a confidential client (server-side web app, daemon) presents to the token endpoint to prove its identity. A client secret is a shared string sent on every token request; with a certificate the private key never leaves the client, which instead signs a short-lived JWT assertion, so certificates are the stronger choice. Either way, store the credential outside source control and rotate it before it expires.
API Permissions
Define which APIs and scopes the application can request. Delegated permissions act on behalf of a signed-in user and are bounded by what that user can do; application permissions grant the app itself access with no user present, require admin consent, and should be kept to the minimum the workload needs.
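To make the registration settings concrete, here is an added example (Python; not code from the page and not MSAL, which assembles this request for you) that builds the authorization-code request a web app sends to the Microsoft identity platform, with PKCE and a strict redirect-URI check. Seeing the parameters shows where the client ID, redirect URI and delegated scopes from the registration end up on the wire. The tenant ID, client ID, redirect URIs and scopes are made-up values.

```python
"""Authorization-code request to the Microsoft identity platform, with PKCE.

Added example, not the page's code and not MSAL (which assembles this request
for you). Tenant ID, client ID, redirect URIs and scopes are made-up values.
"""
import base64
import hashlib
import secrets
from typing import Sequence, Tuple
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
TENANT_ID = "11111111-2222-3333-4444-555555555555"      # hypothetical tenant ID
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"      # hypothetical Application (client) ID

# Redirect URIs registered on the hypothetical app; nothing else may receive a code.
REGISTERED_REDIRECT_URIS = frozenset({
    "https://app.contoso.example/signin-oidc",
    "http://localhost:5000/signin-oidc",                # loopback, development only
})


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))           # 43 chars, within the 43..128 limit
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier: str, challenge: str) -> bool:
    """What the token endpoint does when the code is redeemed: recompute and compare."""
    recomputed = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, challenge)


def check_redirect_uri(uri: str) -> str:
    """Exact-match check. Entra ID enforces this server-side; doing it client-side too
    catches tampering early. Prefix or suffix matching would let
    https://app.contoso.example.attacker.net/... or a path/query variant through."""
    if uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError(f"redirect_uri is not registered: {uri}")
    return uri


def build_authorize_url(redirect_uri: str, scopes: Sequence[str], state: str, code_challenge: str) -> str:
    """URL the browser is sent to. `state` is a per-request random value the app
    stores in the session and compares on return (CSRF protection)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": check_redirect_uri(redirect_uri),
        "response_mode": "query",
        "scope": " ".join(scopes),              # delegated scopes, e.g. openid profile User.Read
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{TENANT_ID}/oauth2/v2.0/authorize?" + urlencode(params)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url("https://app.contoso.example/signin-oidc",
                              ["openid", "profile", "User.Read"],
                              secrets.token_urlsafe(16), challenge))
```

The code verifier stays in the server session and is sent only when the code is redeemed at the token endpoint; the token endpoint recomputes the S256 challenge exactly as verify_pkce does, so an intercepted authorization code is useless without it.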
Use Application Quickstart to Code an Application
The Azure Portal provides Quickstart guides for various platforms (ASP.NET, Node.js, Python, etc.) that generate starter code pre-configured with your app registration details.
Overview of Microsoft Graph API
Microsoft Graph is a unified REST API that provides access to data across Microsoft 365 services including users, mail, calendar, files, teams, and more.
Base Endpoint
https://graph.microsoft.com/v1.0/ for production, https://graph.microsoft.com/beta/ for preview features.
Using Microsoft Graph API to Query Entra ID (Azure AD)
You can use Microsoft Graph to query users, groups, applications, and other directory objects in your Entra ID tenant.
GET https://graph.microsoft.com/v1.0/me
GET https://graph.microsoft.com/v1.0/groups
Every request needs a bearer access token in the Authorization header, issued for the audience https://graph.microsoft.com with the scopes the call requires (for example User.Read for /me and Group.Read.All for /groups). Acquire the token with MSAL; /me only makes sense with a delegated token, because it refers to the signed-in user.
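As an added example (Python; not the page's code and not the Graph SDK) of what a Graph query loop has to do beyond the single GET shown above, here is a minimal client that sends the bearer token, requests only the attributes it needs with $select, follows @odata.nextLink until the collection is exhausted, and backs off when Graph throttles with 429. The HTTP transport is injected so the logic runs offline against constructed responses; the sample groups, the $skiptoken value and the token string are made up.

```python
"""Read a Microsoft Graph collection completely, following @odata.nextLink.

Added example, not the page's code or the Graph SDK. The HTTP transport is a
callable passed in, so the paging/backoff logic runs offline against the
constructed responses at the bottom; in production the transport would issue
the request with urllib or requests and the MSAL-acquired access token.
"""
import json
import time
from typing import Callable, Dict, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# transport(url, request_headers) -> (status, response_headers, body_text)
Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], str]]


def graph_get_all(access_token: str, path: str, transport: Transport,
                  select: Tuple[str, ...] = (), sleep=time.sleep, max_retries: int = 5) -> List[dict]:
    """GET every object in a Graph collection such as /groups or /users."""
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    url = f"{GRAPH}/{path.strip('/')}"
    if select:                       # $select limits what the token's permissions expose
        url += "?$select=" + ",".join(select)
    items: List[dict] = []
    retries = 0
    while url:
        status, resp_headers, body = transport(url, headers)
        if status == 429 and retries < max_retries:   # throttled: honour Retry-After
            retries += 1
            sleep(int(resp_headers.get("Retry-After", "1")))
            continue
        if status != 200:
            raise RuntimeError(f"Graph returned {status} for {url}: {body[:200]}")
        retries = 0
        page = json.loads(body)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")   # missing on the final page -> loop ends
    return items


# --- Constructed responses (not captured from a real tenant) ----------------------
_SAMPLE_PAGES = {
    f"{GRAPH}/groups?$select=id,displayName": {
        "value": [{"id": "g-1", "displayName": "Finance"},
                  {"id": "g-2", "displayName": "Engineering"}],
        "@odata.nextLink": f"{GRAPH}/groups?$select=id,displayName&$skiptoken=page2",
    },
    f"{GRAPH}/groups?$select=id,displayName&$skiptoken=page2": {
        "value": [{"id": "g-3", "displayName": "Security"}],
    },
}


def make_fake_transport() -> Transport:
    """First call is throttled (429), an 'expired' token gets 401, otherwise serve pages."""
    calls = {"n": 0}

    def transport(url: str, headers: Dict[str, str]):
        calls["n"] += 1
        if headers.get("Authorization") == "Bearer expired":
            return 401, {}, json.dumps({"error": {"code": "InvalidAuthenticationToken"}})
        if calls["n"] == 1:
            return 429, {"Retry-After": "2"}, json.dumps({"error": {"code": "TooManyRequests"}})
        return 200, {}, json.dumps(_SAMPLE_PAGES[url])

    return transport


def demo() -> List[str]:
    """Fetch all groups through the fake transport; sleeping is skipped for the demo."""
    groups = graph_get_all("constructed-token", "groups", make_fake_transport(),
                           select=("id", "displayName"), sleep=lambda s: None)
    return [g["displayName"] for g in groups]


if __name__ == "__main__":
    print(demo())
```

A client that reads only `value` from the first response silently drops every group after the first page, which matters when the result feeds an access review or a security report.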
Key Terms
| Term | Definition |
|---|---|
| Microsoft Entra ID | Microsoft's cloud identity and access management service (formerly Azure Active Directory). |
| Tenant | A dedicated instance of Entra ID representing an organization, with its own directory of users, groups, and applications. |
| MSAL | Microsoft Authentication Library -- SDK for acquiring tokens to access Entra ID-protected APIs. |
| App Registration | The process of creating an application identity in Entra ID, defining client ID, redirect URIs, and API permissions. |
| Microsoft Graph | A unified REST API for accessing data across Microsoft 365 services (users, mail, calendar, files, etc.). |
| OAuth 2.0 | An industry-standard protocol for authorization, used by Entra ID to issue access tokens. |
| Delegated Permissions | Permissions granted to an app to act on behalf of a signed-in user. |
| Application Permissions | Permissions granted directly to an app (no user context), typically for background services or daemons. |
- Entra ID = formerly Azure AD. Know both names for the exam.
- MSAL is the recommended library for token acquisition -- replaces the older ADAL.
- Certificates are more secure than client secrets for confidential applications.
- Delegated permissions = on behalf of user. Application permissions = no user context (daemon apps).
- Microsoft Graph base URL: https://graph.microsoft.com/v1.0/
- App registration gives you a Client ID (Application ID) -- this is required for all authentication flows.
- A tenant has a unique ID (GUID) and a default domain (*.onmicrosoft.com).
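The Tokens row in the Key Components table and the delegated versus application permission terms come together when your own API receives a token. The following is an added example (Python; not code from the page or from Microsoft) of the claim checks a resource API performs after it has verified the RS256 signature against the tenant's published signing keys (that step needs the JWKS endpoint and is not shown), and of how the API tells a delegated token (scp claim) from an app-only token (roles claim). The tenant ID, client IDs and the tokens themselves are constructed; the tokens carry a dummy signature and would be rejected by any real verifier.

```python
"""Claim validation and permission checks for an Entra ID access token.

Added example (not the page's code). Assumes the RS256 signature has already
been verified against the tenant's JWKS; that network step is not shown here.
All identifiers and tokens below are constructed for illustration.
"""
import base64
import json
import time
from typing import Optional

TENANT_ID = "11111111-2222-3333-4444-555555555555"       # hypothetical tenant ID
API_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # hypothetical client ID of THIS API
CLOCK_SKEW = 300                                          # seconds of tolerance on exp/nbf


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Parse the payload of a compact JWS. Does NOT check the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims: dict, now: Optional[float] = None) -> dict:
    """Reject tokens from other tenants, for other audiences, or outside their lifetime."""
    now = time.time() if now is None else now
    expected_iss = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
    if claims.get("iss") != expected_iss or claims.get("tid") != TENANT_ID:
        raise PermissionError("issuer/tenant mismatch")
    # A token minted for Microsoft Graph is a perfectly valid Entra token; it must
    # still be refused by this API, which is why the audience check is essential.
    aud = claims.get("aud")
    if aud not in (API_CLIENT_ID, f"api://{API_CLIENT_ID}"):
        raise PermissionError(f"token not issued for this API (aud={aud})")
    if "exp" not in claims or claims["exp"] + CLOCK_SKEW < now:
        raise PermissionError("token expired")
    if claims.get("nbf", 0) - CLOCK_SKEW > now:
        raise PermissionError("token not yet valid")
    return claims


def permission_context(claims: dict) -> dict:
    """Delegated tokens carry `scp` (space-separated scopes); app-only tokens carry `roles`."""
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    if scopes:
        return {"kind": "delegated", "subject": claims.get("oid"), "permissions": scopes}
    if roles:
        return {"kind": "application", "subject": claims.get("azp"), "permissions": roles}
    raise PermissionError("token carries neither scp nor roles")


def authorize(token: str, required: str, now: Optional[float] = None) -> dict:
    """Full check for one API operation: validate claims, then require a scope or role."""
    ctx = permission_context(validate_claims(decode_jwt_claims(token), now))
    if required not in ctx["permissions"]:
        raise PermissionError(f"{ctx['kind']} token lacks {required}")
    return ctx


# --- Constructed sample tokens (dummy signature, illustration only) ---------------
def make_sample_token(claims: dict) -> str:
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "dummy"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.dummysig"


NOW = 1_700_000_000
_BASE = {"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0", "tid": TENANT_ID,
         "aud": API_CLIENT_ID, "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3600}
DELEGATED_TOKEN = make_sample_token({**_BASE, "scp": "Tasks.Read Tasks.ReadWrite",
                                     "oid": "user-object-id", "azp": "client-app-id"})
APP_ONLY_TOKEN = make_sample_token({**_BASE, "roles": ["Tasks.Read.All"], "azp": "daemon-app-id"})
GRAPH_TOKEN = make_sample_token({**_BASE, "aud": "https://graph.microsoft.com", "scp": "User.Read"})
```

For a delegated token the API should still apply the user's own authorization (the scope says what the client app may do on the user's behalf, not what the user is allowed to see); for an app-only token there is no user, so the roles claim is the whole authorization decision.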
Practice Questions
Q1. What is a Microsoft Entra ID tenant?
- A. A virtual machine running Active Directory
- B. A dedicated instance of Entra ID representing an organization
- C. A subscription to Azure services
- D. A resource group for identity services
Answer: B
A tenant is a dedicated instance of Microsoft Entra ID that an organization receives when signing up for a Microsoft cloud service. It contains the organization's directory of users, groups, and applications.
Q2. Which library should developers use to acquire tokens for Microsoft Entra ID-protected APIs?
- A. ADAL
- B. MSAL
- C. OpenSSL
- D. JWT.io
Answer: B
MSAL (Microsoft Authentication Library) is the recommended SDK for acquiring tokens. ADAL is deprecated and should not be used for new development.
Q3. A background service needs to call Microsoft Graph without a signed-in user. Which permission type should the app use?
- A. Delegated permissions
- B. Application permissions
- C. User permissions
- D. Anonymous permissions
Answer: B
Application permissions are used when an app needs to access resources without a user context (daemon/service apps). Delegated permissions require a signed-in user.
Q4. Which credential type is more secure for confidential client applications?
- A. Client secret
- B. Certificate
- C. API key
- D. SAS token
Answer: B
A client secret is a shared string that travels to the token endpoint on every request, so anything that can read the app's configuration, logs or traffic can replay it. With a certificate the private key stays on the client, which proves possession by signing a short-lived JWT assertion; the key itself is never transmitted. Both must still be stored securely and rotated before they expire.
Q5. What is the base endpoint for Microsoft Graph API v1.0?
- A. https://management.azure.com/v1.0/
- B. https://graph.microsoft.com/v1.0/
- C. https://login.microsoftonline.com/v1.0/
- D. https://api.microsoft.com/graph/v1.0/
Answer: B
The Microsoft Graph API v1.0 base endpoint is https://graph.microsoft.com/v1.0/. The beta endpoint is https://graph.microsoft.com/beta/.