Understanding the IAM Ecosystem: A Comprehensive Guide
Exploring the World of IAM

Understanding Identity: From Active Directory to Microsoft Entra ID
Identity is one of those things in IT that works quietly in the background until the day it doesn’t. The moment the wrong person accesses the wrong resource, Identity and Access Management (IAM) suddenly becomes the most important system in the organization.
Today’s focus is on the foundations of identity and how Active Directory and Microsoft Entra ID fit into the bigger picture.
The Core Problem IAM Solves
At its heart, IAM answers a very old but critical question:
Who gets to access what, and under which conditions?
Every organization has:
Users: employees, contractors, service accounts, applications
Resources: files, servers, printers, databases, SaaS apps
IAM acts as the security layer between these two. Its job is not just to block access, but to allow the right access at the right time.
In Microsoft environments, this responsibility is mainly handled by:
Active Directory (AD) for on-premises resources.
Microsoft Entra ID for cloud-based resources.
Different systems, same goal.
The Three Pillars of Access Management
Every access decision, no matter how modern the technology, follows three fundamental steps.
1. Identification – Who are you?
This is the claim of identity.
A username, email address, or UPN
Must be unique within the system
No proof yet, just a statement
At this stage, the system only knows who you say you are.
2. Authentication – Prove it
Authentication validates the identity claim using one or more factors:
Something you know – password or PIN
Something you have – phone, smart card, security key
Something you are – fingerprint or face
Using more than one factor results in Multi-Factor Authentication (MFA), which dramatically reduces the risk of compromise.
Authentication answers:
“Are you really this person?”
3. Authorization – What are you allowed to do?
Once identity is verified, permissions are evaluated.
Can the user read, write, or delete?
Which apps or servers are allowed?
What data is restricted?
Authorization is enforced through roles, groups, and access control lists (ACLs).
Authentication confirms identity.
Authorization limits power.
Active Directory vs Microsoft Entra ID
Although they share similar concepts, these two systems were built for different worlds.
Active Directory (On-Premises)
Designed for traditional corporate networks.
Manages users, computers, printers, file servers
Relies on protocols like Kerberos and LDAP
Uses Domain Controllers as its core
Assumes devices are inside the corporate network
Microsoft Entra ID (Cloud)
Designed for the internet and modern work.
Manages Microsoft 365, Azure, and SaaS apps
Uses OAuth, OpenID Connect, and SAML
No domain controllers to manage
Built for remote access, mobile devices, and Zero Trust
They solve the same problem, but with very different assumptions.
Hybrid Identity: The Reality for Most Organizations
Very few companies are fully on-prem or fully cloud. Most operate in a hybrid identity model.
In a hybrid setup:
Users exist in on-prem Active Directory
Identities are synced to Entra ID
Users authenticate once and access both environments
This enables:
Single Sign-On (SSO)
Cloud-based MFA for on-prem resources
A seamless user experience
Hybrid identity is no longer a transition phase. It’s the standard operating model.
Azure AD vs Microsoft Entra ID: Clearing the Confusion
Azure Active Directory was renamed to Microsoft Entra ID to avoid confusion with classic Active Directory.
Key points to remember:
Same service, new name
No breaking changes
Existing scripts, APIs, and logins continue to work
Windows Server Active Directory was not renamed
If documentation mentions Azure AD, it still applies to Entra ID today.
The Microsoft Entra Family
“Entra” is now a suite of identity and network security services.
Some notable members include:
Entra ID – core identity platform
Entra External ID – access for partners and customers
Entra ID Governance – access reviews and lifecycle management
Entra Verified ID – digital credentials and identity proofs
Entra Permissions Management – multi-cloud permission visibility
Entra Private Access – modern replacement for traditional VPNs
Identity has expanded beyond users to include devices, applications, and workloads.
Inside Active Directory
Objects and Attributes
Everything in AD is stored as an object:
Users
Computers
Groups
Printers
Each object contains attributes such as name, email, SID, and group membership.
Domain Controllers
Domain Controllers are the backbone of AD.
Store the directory database
Replicate changes with each other
Handle authentication and ticket issuance
Without Domain Controllers, there is no domain.
Tokens, Kerberos, and Authorization
When a domain user signs in:
Credentials are validated by a Domain Controller
AD issues a Kerberos ticket, and the local system builds a security token from it
The token contains the user's SID and group memberships
Resources compare the token's SIDs against their ACLs
Kerberos enables this process by using tickets instead of repeatedly sending passwords, allowing true Single Sign-On within the network.
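The last step, a resource comparing the token's SIDs against its ACL, as an added toy model (not Windows code; the SIDs, groups and share are constructed for illustration):

```python
# Added illustration of "resources compare the token against ACLs":
# a toy, Windows-style discretionary ACL check. All SIDs are constructed.
from dataclasses import dataclass, field

READ, WRITE, DELETE = 0x1, 0x2, 0x4          # simplified access-mask bits


@dataclass(frozen=True)
class Token:
    """What the system builds at sign-in: the user's SID plus group SIDs."""
    user_sid: str
    group_sids: frozenset = field(default_factory=frozenset)

    def sids(self):
        return self.group_sids | {self.user_sid}


@dataclass(frozen=True)
class Ace:
    kind: str       # "allow" or "deny"
    trustee: str    # SID the entry applies to
    mask: int       # rights covered by this entry


def check_access(token, acl, requested):
    """Walk the ACEs in order (a canonical ACL lists explicit denies first).
    A matching deny that overlaps still-ungranted rights fails the check;
    matching allows strip rights from the request; whatever is left at the
    end is implicitly denied."""
    remaining = requested
    for ace in acl:
        if ace.trustee not in token.sids():
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


# Constructed sample: a payroll share where Finance has full rights but
# contractors are explicitly denied delete, even if they are also in Finance.
SID_FINANCE = "S-1-5-21-1000-2000-3000-2001"
SID_CONTRACTORS = "S-1-5-21-1000-2000-3000-2002"
PAYROLL_ACL = [
    Ace("deny", SID_CONTRACTORS, DELETE),
    Ace("allow", SID_FINANCE, READ | WRITE | DELETE),
]
alice = Token("S-1-5-21-1000-2000-3000-1105", frozenset({SID_FINANCE, SID_CONTRACTORS}))
bob = Token("S-1-5-21-1000-2000-3000-1106", frozenset({SID_CONTRACTORS}))
```

With this ACL, `check_access(alice, PAYROLL_ACL, READ)` is granted, `check_access(alice, PAYROLL_ACL, DELETE)` is refused by the deny entry, and `bob` gets nothing because no allow entry names any of his SIDs.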
Microsoft Entra ID Is Not “AD in the Cloud”
A common misconception is that Entra ID is simply Active Directory hosted in Azure. It isn’t.
Active Directory uses Kerberos and LDAP
Entra ID uses token-based authentication
Running a Domain Controller in Azure is still on-prem AD, just hosted elsewhere
They are fundamentally different systems designed for different access models.
Hybrid Authentication Methods
When syncing identities to the cloud, organizations can choose how authentication works:
Password Hash Sync (PHS) – simplest and most common; a salted hash of the on-prem password hash is synced to Entra ID, which then validates sign-ins itself
Pass-Through Authentication (PTA) – the cloud hands each sign-in to an on-prem agent, which validates the password against Active Directory
Federation (AD FS) – powerful but complex; Entra ID redirects sign-ins to an on-prem federation service
Today, PHS is the recommended default for most environments.
Devices as an Identity Signal
Modern IAM increasingly trusts devices, not just users.
Common device states:
Entra Registered – personal or BYOD devices
Entra Joined – cloud-native corporate devices
Hybrid Entra Joined – domain-joined and cloud-synced devices
Trusted devices reduce authentication prompts while improving security.
Windows Hello for Business: Password-less at the OS Level
Windows Hello for Business replaces passwords with:
A device-bound cryptographic key stored in the TPM
A local unlock method such as PIN or biometrics
The most modern and recommended trust model today is Cloud Kerberos Trust, especially in hybrid environments.
Password-less Authentication in the Cloud
Cloud authentication is also moving away from passwords.
Modern options include:
Microsoft Authenticator phone sign-in
FIDO2 security keys
These methods:
Are MFA by design
Require physical presence
Provide SSO across cloud and on-prem resources
Passwords are becoming a fallback, not a primary method.
Azure MFA and Conditional Access
Azure MFA provides the verification mechanisms, while Conditional Access decides when and how they are enforced.
Conditional Access can evaluate:
User or group
Location
Device state
Sign-in risk
The result is contextual, adaptive security instead of static rules.
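An added model of how Conditional Access combines those signals into one decision; this is illustrative code, not Microsoft's, and the policies, group names and sign-in values are constructed:

```python
# Added model of how Conditional Access combines its signals; illustrative
# code, not Microsoft's, and all policy and sign-in values are constructed.
from dataclasses import dataclass

@dataclass
class SignIn:
    user: str
    groups: frozenset
    trusted_location: bool    # sign-in from a named location marked trusted
    device_compliant: bool    # device state reported as compliant
    risk: str                 # sign-in risk: "none", "low", "medium" or "high"

@dataclass
class Policy:
    name: str
    controls: frozenset                       # "mfa", "compliant_device", "block"
    include_groups: frozenset = frozenset()   # empty = all users
    exclude_users: frozenset = frozenset()    # e.g. break-glass accounts
    untrusted_locations_only: bool = False
    risk_levels: frozenset = frozenset()      # empty = any risk level

    def applies(self, s):
        return bool(s.user not in self.exclude_users
                    and (not self.include_groups or self.include_groups & s.groups)
                    and not (self.untrusted_locations_only and s.trusted_location)
                    and (not self.risk_levels or s.risk in self.risk_levels))

def evaluate(policies, s):
    """Every matching policy is enforced together: block wins outright, an
    unmet compliant-device requirement denies, and MFA is reported as required."""
    matched = [p for p in policies if p.applies(s)]
    required = set().union(*(p.controls for p in matched))
    names = [p.name for p in matched]
    if "block" in required or ("compliant_device" in required and not s.device_compliant):
        return "block", names
    if "mfa" in required:
        return "require_mfa", names
    return "grant", names

POLICIES = [
    Policy("Require MFA for all users", frozenset({"mfa"}),
           exclude_users=frozenset({"breakglass"})),
    Policy("Block high-risk sign-ins", frozenset({"block"}),
           risk_levels=frozenset({"high"})),
    Policy("Finance off-network needs compliant device", frozenset({"compliant_device"}),
           include_groups=frozenset({"Finance"}), untrusted_locations_only=True),
]
```

For example, `evaluate(POLICIES, SignIn("alice", frozenset({"Finance"}), False, False, "none"))` returns a block because the off-network Finance policy requires a compliant device she cannot show, while the same sign-in from a trusted location only requires MFA.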
Key Takeaways
IAM is built on Identification, Authentication, and Authorization
Active Directory and Entra ID serve different environments
Hybrid identity is the norm, not the exception
Devices and cryptographic keys are replacing passwords
MFA and Conditional Access are central to modern security