Entra Platform Infrastructure

This topic covers the Azure infrastructure that usually surrounds Entra-backed systems after identity leaves the portal and starts flowing through APIs, workers, queues, storage accounts, analytics pipelines, and hybrid boundaries. It is not a generic Azure curriculum; it stays focused on the services and design choices that matter when Entra, Microsoft Graph, and identity-driven automation need a platform to run on.

Overview

• What it covers: Microsoft Graph as the control plane, Azure Functions compute, messaging with Event Hubs and Service Bus, state in Cosmos DB and Azure Storage, analytics in Azure Data Explorer, and VM or network boundaries for hybrid integration points
• Who it is for: Builders operating Entra automations, provisioning flows, sync-adjacent workers, and identity integrations that depend on Azure services outside the core Entra product surface
• Out of scope: AKS, Azure SQL, API Management, broad observability coverage, and general Azure architecture guidance that is not specific to Entra-backed systems

Contents

Concepts

• Entra Foundation - Where Entra stops, where platform infrastructure starts, and the service boundaries that matter for identity workloads.
• Microsoft Graph Control Plane - How Graph acts as the API boundary for identity data, automation triggers, and administrative workflows.
• Azure Functions for Identity Workloads - Why Functions is the default compute layer for event-driven identity jobs and Graph-powered automation.
• Cosmos DB for Identity State - How to model durable workflow state, checkpoints, and integration metadata for identity systems.
• Azure Storage Basics - When blobs, queues, tables, and GPv2 accounts fit identity artifacts, exports, and transient handoff data.
• Event Hubs for Identity Events - Streaming patterns for high-volume identity or audit-adjacent events and downstream consumers.
• Service Bus for Workflows - Reliable command and workflow messaging for retries, ordering, and controlled backpressure.
• Azure Data Explorer and KQL - Fast investigation and telemetry analysis for identity pipelines, diagnostics, and operational questions.
• VMs, Networking, and Boundaries - Where VMs, private networking, and hybrid edges still matter for identity integrations.

Quickstart

• Graph to Functions Automation - A minimal builder path for turning Graph-driven events or polling into Azure Functions automation.
• Event Stream to Data Explorer - Wire high-volume event ingestion into Azure Data Explorer for operational analysis.
• Reliable Worker with Service Bus - Build a worker pattern with durable messaging, retries, and failure handling.
• State and Artifacts - Choose Cosmos DB and Azure Storage roles for workflow state, exports, and supporting artifacts.
• Hybrid Worker on VM - Run identity-connected workers at the network edge when cloud-only execution cannot reach the target system.

Deep Dives

• Messaging Selection and Failure Modes - Choose between Event Hubs and Service Bus, then design around their failure behavior and trade-offs.
• Cosmos DB Design for Integrations - Partitioning, consistency, and container design choices for identity-oriented integrations.
• Diagnostics with Data Explorer - Use KQL and Data Explorer patterns to debug and operate Entra-adjacent systems.
• Private Connectivity and Hybrid Boundaries - Network isolation, private access, and boundary design for hybrid identity infrastructure.

Platform Mental Model

Treat Entra as the identity authority and Graph as the programmable control plane, then attach the rest of the platform based on workload shape. Functions runs short-lived automation and event handlers, Service Bus coordinates durable workflows, Event Hubs handles high-volume streams, Cosmos DB stores workflow state and integration metadata, Azure Storage holds larger artifacts and simple durable data, and Azure Data Explorer answers operational questions once events start accumulating. VMs and private networking sit at the edge when an identity workflow has to cross into on-premises systems, locked-down networks, or systems that cannot be reached safely from pure serverless infrastructure.

For deeper product-specific coverage, prefer linking to Entra Connect Sync, Entra Cloud Sync, and Entra Application Provisioning instead of repeating their internal behavior here.

Resources

• Microsoft Learn: Microsoft Entra fundamentals
• Microsoft Learn: Microsoft Graph fundamentals
• Microsoft Learn: Azure Functions
• Microsoft Learn: Azure Cosmos DB
• Microsoft Learn: Azure Storage
• Microsoft Learn: Azure Event Hubs
• Microsoft Learn: Azure Service Bus
• Microsoft Learn: Azure Data Explorer
• Microsoft Learn: Azure Virtual Machines

Writing Rules

• Use current Microsoft terminology throughout.
• Keep the builder lens first: explain how to assemble and operate systems, not just what each service is.
• Use diagrams only when they clarify a boundary or flow.
• Link to existing local Entra topics instead of repeating product-specific depth that already lives elsewhere.