Entra ID Extended Services
Why This Topic Matters
Beyond core directory objects, Entra ID includes services that enable hybrid identity, legacy app support, external collaboration, automated governance and modern access security. These building blocks are critical for real-world enterprise deployments and AZ-104 scenarios.
A. External Services
A.1 Entra Connect — hybrid synchronization
Two tools to sync on-prem AD to Entra:
| | Entra Connect Sync | Entra Cloud Sync |
|---|---|---|
| Architecture | Heavy on-prem agent + local SQL | Lightweight agents on-prem |
| Auth methods | PHS, PTA, Federation (ADFS), SSO | PHS, SSO (no Federation/PTA) |
| Writeback | Password, Exchange Hybrid, Device, Group | Password, Group, Exchange Hybrid (no device) |
| Object limits | Very large | ~150k objects/domain |
| MS direction | Maintenance | Recommended |
Notes:
- Connect Sync supports only a single active agent (a secondary can sit in staging mode) → manual failover. Cloud Sync runs multiple agents in parallel (HA).
- Hybrid auth options:
  - PHS: password hash sync — Entra validates in the cloud; resilient if on-prem is down.
  - PTA: pass-through auth — on-prem agents validate passwords; an on-prem outage affects sign-in.
  - Federation (ADFS): on-prem delegation (complex). Microsoft recommends PHS + CAP where possible.
  - SSO: seamless SSO is an add-on to PHS/PTA for domain-joined devices.
Properties of synced objects are typically mastered on-prem (read-only in Entra) unless writeback is enabled.
A.1b Microsoft Identity Manager (MIM)
On-prem identity management solution for complex hybrid scenarios (SSPR, certificate management and multi-system sync). Use MIM when you need broad on-prem identity orchestration that Entra’s cloud-native features don’t cover.
A.2 Entra Domain Services (Entra DS)
Managed AD DS in Azure that provides LDAP, NTLM, Kerberos and GPOs for legacy apps that cannot use OAuth/SAML.
Key points:
- One-way sync: Entra ID → Entra DS.
- Deployed into a dedicated VNet subnet with two managed DCs (HA).
- Users must change password after activation to generate Kerberos/NTLM hashes.
- No schema extensions and limited trust scenarios; subnet reserved for Entra DS resources.
Setup summary:
- Create managed domain and dedicated subnet.
- Configure VNet DNS to point to the managed DCs’ IPs.
- Choose sync scope (All or scoped groups).
- Join VMs and manage GPOs in the managed domain.
A.3 External Identities
Options:
- B2B Collaboration: invite partner users as guests (per-user).
- B2B Direct Connect: cross-tenant trust between organizations (no guest object; supports Teams Shared Channels today).
- Entra External ID for Customers (formerly B2C): separate tenant for consumer/customer identities, supports social IdPs and scale (MAU pricing).
B. Entra ID Governance
Licensing recap
- P2: PIM, Access Reviews, Entitlement Management basics.
- Entra ID Governance add-on: advanced entitlement features and lifecycle workflows.
- P1: required for some hybrid SSPR writeback and role/group assignability.
B.1 Entitlement Management (Access Packages)
Access packages bundle resources (groups, apps, SharePoint) into requestable packages with approval workflows, expiration and delegation via catalogs.
Concepts: Resource → Catalog → Access Package. Use catalogs to delegate ownership and keep packages organized; packages are the unit users request from myaccess.microsoft.com.
B.2 PIM (Privileged Identity Management)
Make privileged roles eligible (time-bound) rather than permanently active. PIM supports approval, justification, MFA and time limits for activation (P2 required).
B.3 Access Reviews
Periodic revalidation of access for groups, apps, roles and access packages. Configure reviewers, recurrence, auto-apply and decision helpers to prevent permission sprawl.
B.4 SSPR
Self-Service Password Reset for cloud and hybrid users (password writeback via Connect Sync or Cloud Sync). Modern authentication-method configuration is in Entra > Protection > Authentication methods > Policies (legacy UI deprecated).
C. Authentication Methods (cross-cutting)
Centralized policy for MFA and SSPR methods. Migrate legacy per-user MFA and legacy SSPR methods to the unified Authentication Methods policies.
Common methods (recommended order): Microsoft Authenticator, FIDO2 / Passkeys, Windows Hello for Business, certificate-based auth. Avoid SMS/email when possible (weaker).
Security Defaults vs Conditional Access: Security Defaults (free) is an all-or-nothing option; Conditional Access (P1+) provides granular controls. They are mutually exclusive.
D. Entra ID Security
Identity Protection (detection) and Conditional Access (response) together form modern identity security.
D.1 Identity Protection
ML-driven signals produce sign-in risk and user risk scores that Conditional Access consumes. Risk-based actions require P2 (the risk signals are consumed in CAP).
D.2 Conditional Access (CAP)
CAP is the central policy engine: IF
Policy blocks: Assignments (users), Target resources, Conditions, Grant controls, Session controls. Start in report-only, validate with What-if, then enable.
Best practices:
- Exclude 1–2 break-glass Global Admins.
- Use report-only and the What-if tool before enforcing policies.
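An added check for the two best practices above, not code from the original notes: it lints Conditional Access policy objects shaped like those returned by Microsoft Graph (`GET /identity/conditionalAccess/policies`) for break-glass exclusions and for enforced tenant-wide blocks. The field names follow the Graph `conditionalAccessPolicy` schema; the sample policies and the break-glass object IDs are constructed for the example.

```python
# Added example (not from the original notes). Lints Conditional Access
# policies for two mistakes: break-glass accounts not excluded from a
# tenant-wide policy, and an enforced block on all users and all apps.
import json

# Constructed: object IDs of the two emergency-access (break-glass) accounts.
BREAK_GLASS_IDS = {"bg-0001", "bg-0002"}


def lint_policy(policy: dict, break_glass_ids: set) -> list:
    """Return a list of findings; an empty list means the policy passes both checks."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    all_users = "All" in users.get("includeUsers", [])
    all_apps = "All" in cond.get("applications", {}).get("includeApplications", [])
    excluded = set(users.get("excludeUsers", []))
    # grantControls is null in Graph when a policy only sets session controls.
    built_in = set((policy.get("grantControls") or {}).get("builtInControls", []))

    # 1. A tenant-wide policy must exclude every break-glass account.
    if all_users and not break_glass_ids <= excluded:
        missing = sorted(break_glass_ids - excluded)
        findings.append(f"break-glass accounts not excluded: {missing}")

    # 2. An enforced block on all users and all apps is the classic lockout.
    if policy.get("state") == "enabled" and all_users and all_apps and "block" in built_in:
        findings.append("enabled policy blocks all users on all apps (run report-only first)")
    return findings


# Constructed sample policies in Graph shape: one correct, one missing an exclusion.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-0001", "bg-0002"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require compliant device",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-0001"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]


def lint_all(policies: list, break_glass_ids: set = BREAK_GLASS_IDS) -> dict:
    """Map each policy's displayName to its findings."""
    return {p["displayName"]: lint_policy(p, break_glass_ids) for p in policies}


if __name__ == "__main__":
    print(json.dumps(lint_all(SAMPLE_POLICIES), indent=2))
```

Point `lint_all` at the JSON `value` array from the Graph endpoint to review a real tenant; keep the break-glass ID set in sync with the accounts you actually use.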
E. Entra ID Connection — Application Proxy
App Proxy publishes internal apps to the internet without opening inbound firewall ports. A lightweight connector establishes an outbound TLS tunnel to Azure and forwards requests to the internal app.
Highlights:
- Pre-authentication via Entra ID enables applying Conditional Access to legacy apps.
- No inbound firewall changes; connector runs outbound only.
- Connector Groups provide HA and geographic routing.
Quick publish steps:
- Install connector on an on-prem Windows server.
- Publish the internal URL in Enterprise applications > On-premises application with Entra pre-auth.
- Assign users/groups and (optionally) protect the app with Conditional Access.
This post expands on Entra ID’s extended services: hybrid sync, legacy support, governance and modern access security.