Entra Foundation
Microsoft Entra is a family of identity and network access products. It is the identity authority for Microsoft cloud services, owning tenants, users, groups, applications, policies, and the administrative surfaces that govern them.
This page draws the boundary: Entra owns identity. Everything else (compute, storage, messaging, analytics, networking) is platform infrastructure that runs alongside it.
The Entra Family
Microsoft Entra is a brand covering several products:
- Microsoft Entra ID (formerly Azure Active Directory). Workforce identity, application registrations, groups, conditional access, and directory-backed access decisions. This is what most builders interact with daily.
- Microsoft Entra ID Governance. Lifecycle governance: access reviews, entitlement management, lifecycle workflows, and privileged identity management.
- Microsoft Entra Verified ID. Verifiable credentials and decentralized identity scenarios.
- Microsoft Entra Internet Access and Microsoft Entra Private Access. Network access controls under the Global Secure Access umbrella, replacing traditional VPN and proxy approaches.
This topic focuses primarily on Entra ID and the Azure services that commonly surround systems built on it.
The Boundary
Entra owns identity. Platform infrastructure runs workloads.
```mermaid
flowchart LR
    Entra["Microsoft Entra\n(Identity Authority)"]
    MsGraph["Microsoft Graph\n(Unified API)"]
    Platform["Platform Services\n(Compute, Storage,\nMessaging, Analytics)"]
    Entra -->|"exposes state via"| MsGraph
    MsGraph -->|"read/write"| Entra
    MsGraph -->|"drives automation in"| Platform
    Platform -->|"calls back via"| MsGraph
```
Entra side: tenant configuration, users, groups, applications, service principals, provisioning jobs, audit logs, directory policies, admin actions. Reached through the Entra admin center or Microsoft Graph.
Platform side: Functions, queues, topics, streams, databases, storage accounts, analytics clusters, VMs, VNets, and private connectivity. These run the automation and workloads that act on identity data.
The boundary is clean in practice. Creating a group is an Entra action. Running a worker that notices the new group, enriches metadata, stores state, and sends commands to downstream systems is platform infrastructure.
What Entra Does Not Give You
Entra handles identity data and policies. It does not replace general application infrastructure:
- No general-purpose workflow engine for custom jobs
- No durable queue semantics for worker coordination
- No arbitrary state storage for pipelines or reconciliation records
- No streaming backbone for high-volume telemetry
- No network isolation for agents reaching private systems
That is why Azure Functions, Service Bus, Event Hubs, Cosmos DB, Storage, Data Explorer, and networking choices appear around Entra-backed systems.
The Builder Mental Model
When working with Entra-adjacent systems, think in layers:
- Entra defines the source of truth for identity objects and policies.
- Microsoft Graph exposes the API for reading and changing that state.
- Compute runs the automation that calls Graph or responds to events.
- Messaging and streaming shape the workload for durable coordination or high-throughput event handling.
- Datastores hold surrounding state that Entra does not model: checkpoints, job progress, reconciliation results, exported artifacts.
- Networking appears only when required by hybrid targets, locked-down systems, or software that cannot run serverless.
If a service does not help explain one of those layers, it is probably outside scope for this topic.
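The layers above as an added sketch, not code from this page or from Microsoft: a worker reads Microsoft Graph delta-query pages for groups, queues one command per change, and saves the `@odata.deltaLink` checkpoint only after the whole round has been read and queued. The `fetch` callable, the in-memory `store` and `queue`, the `groups_delta_link` key, and the sample pages are constructed stand-ins for a Graph client, a datastore, and a message queue.

```python
# Added example: stand-ins for Graph, a datastore and a queue (all constructed).
START = "https://graph.microsoft.com/v1.0/groups/delta"

def sync_groups(fetch, store, queue):
    """Run one delta round; return the number of commands queued."""
    url = store.get("groups_delta_link", START)  # resume from checkpoint
    pending = []
    while True:
        page = fetch(url)
        for item in page.get("value", []):
            # Delta responses mark deleted objects with an "@removed" annotation.
            action = "group.removed" if "@removed" in item else "group.changed"
            pending.append({"action": action, "id": item["id"],
                            "name": item.get("displayName")})
        if "@odata.nextLink" in page:
            url = page["@odata.nextLink"]      # more pages in this round
            continue
        delta_link = page["@odata.deltaLink"]  # end of round
        break
    # Queue first, checkpoint second: a crash in between replays the round
    # (duplicates, which consumers must tolerate) instead of dropping changes.
    queue.extend(pending)
    store["groups_delta_link"] = delta_link
    return len(pending)

# Constructed sample pages keyed by URL (not real tenant data).
PAGES = {
    START: {"value": [{"id": "g1", "displayName": "Finance"}],
            "@odata.nextLink": START + "?$skiptoken=p2"},
    START + "?$skiptoken=p2": {
        "value": [{"id": "g2", "@removed": {"reason": "deleted"}}],
        "@odata.deltaLink": START + "?$deltatoken=d1"},
    START + "?$deltatoken=d1": {"value": [],
                                "@odata.deltaLink": START + "?$deltatoken=d1"},
}

def demo():
    store, queue = {}, []
    first = sync_groups(PAGES.__getitem__, store, queue)
    second = sync_groups(PAGES.__getitem__, store, queue)  # nothing new
    return first, second, store["groups_delta_link"], queue

if __name__ == "__main__":
    print(demo())
```

If `fetch` raises partway through a round, nothing is queued and the stored checkpoint is untouched, so the next run restarts from the last completed round.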
Where To Go Deeper
When the problem shifts from platform architecture into product-specific sync or provisioning behavior, use the local Entra topics:
- Entra Connect Sync for server-based hybrid sync internals and topology decisions.
- Entra Cloud Sync for the cloud-managed sync model and migration direction.
- Entra Application Provisioning for SCIM, inbound API, and provisioning-engine behavior.
The rest of this topic assumes those systems exist, then explains the Azure platform pieces that commonly surround them.