MS Entra 101
Series Overview
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. Throughout my career building enterprise applications and microservices, MS Entra has been the backbone of authentication and authorization for countless projects.
This series distills years of hands-on experience into a practical guide for developers and architects working with Microsoft's identity platform.
What You'll Learn
This comprehensive series covers everything from foundational concepts to production-ready implementations:
Part 1: Introduction to Microsoft Entra ID
Understanding MS Entra ID (formerly Azure AD)
Core identity concepts and terminology
Tenants, directories, and organizational structure
Identity types: users, groups, service principals, managed identities
Part 2: Applications and Service Principals
App registrations vs enterprise applications
Service principals and their lifecycle
Multi-tenant application architecture
Redirect URIs and platform configurations
Part 3: Authentication Protocols and Flows
OAuth 2.0 implementation in MS Entra
OpenID Connect (OIDC) flows
SAML integration patterns
Authorization code flow, client credentials, and more
PKCE for public clients
Part 4: Tokens and Token Management
ID tokens, access tokens, and refresh tokens
JWT structure and claims
Token validation and verification
JWKS (JSON Web Key Sets) and key rotation
Token lifetimes and renewal strategies
Part 5: API Permissions and Consent
Delegated vs application permissions
Microsoft Graph API permissions
Admin consent vs user consent
Permission scopes and least privilege
Consent frameworks and user experience
Part 6: Protecting APIs with MS Entra
Securing custom APIs with MS Entra
Token validation in backend services
Well-known endpoints and discovery
API middleware and authentication flows
Multi-tenant API considerations
Part 7: Advanced Features
Conditional Access policies
Multi-factor authentication (MFA)
B2B and B2C scenarios
Managed identities for Azure resources
Enterprise application SSO configurations
Part 8: Production Best Practices
Security best practices and hardening
Monitoring, logging, and auditing
Tenant management strategies
Troubleshooting common issues
Performance optimization
Who This Series Is For
Backend Developers: Building APIs secured with MS Entra
Full-Stack Engineers: Implementing authentication flows
Cloud Architects: Designing identity architecture
DevOps Engineers: Managing service principals and CI/CD integration
Security Engineers: Understanding identity-based security
Prerequisites
Basic understanding of authentication concepts (username/password, tokens)
Familiarity with REST APIs and HTTP
Experience with TypeScript/JavaScript or similar programming languages
Access to an Azure subscription (free tier works fine)
What Makes This Series Different
Rather than theoretical explanations, this series draws from real production experiences:
Actual code examples from microservices projects
Real-world scenarios and architecture decisions
Production issues I've encountered and resolved
Best practices learned through trial and error
No fake scenarios—everything is based on personal projects
Series Structure
Each part follows a consistent format:
Personal Context: Real scenario from my experience
Core Concepts: Fundamental knowledge
Code Examples: Production-ready TypeScript/Node.js implementations
Common Pitfalls: Issues I've faced and how to avoid them
Best Practices: Lessons learned in production
Getting Started
Start with Part 1: Introduction to Microsoft Entra ID to build a solid foundation, then progress through each part sequentially. Each part builds on previous knowledge while remaining independently useful as reference material.
Author's Note: Microsoft rebranded Azure Active Directory to Microsoft Entra ID in 2023. You'll see both names in documentation and APIs. This series uses "MS Entra" or "Entra ID" primarily, with "Azure AD" noted where relevant for clarity.
Let's dive in!