Implement and manage Microsoft Entra identity and access
Bridging on-premises Active Directory to the cloud, securing how users prove who they are, and controlling access dynamically with Identity Protection and Conditional Access.
- Identity synchronization — IdFix, Entra Connect Sync vs Cloud Sync, Connect Health, troubleshooting
- Authentication — methods, SSPR, Password Protection, troubleshooting sign-in
- Secure access — Identity Protection, Conditional Access, MFA
2.1 Identity synchronization with Microsoft Entra
Authentication models (foundational)
| Model | Where password is validated | Needs on-prem servers? | Notes |
|---|---|---|---|
| Password Hash Sync (PHS) | In the cloud (hash-of-a-hash synced) | No (just sync) | Simplest, most resilient; enables leaked-credential detection in Identity Protection recommended |
| Pass-through Auth (PTA) | On-prem AD (via lightweight agents) | Yes — agents | Password never stored in cloud; needs HA agents |
| Federation (AD FS) | On-prem AD FS farm | Yes — AD FS infra | Most complex; for advanced/3rd-party MFA, smartcards |
Seamless SSO
Seamless single sign-on (SSSO) can be layered on PHS or PTA to auto-sign-in domain-joined devices on the corporate network. Not needed (and not used) with AD FS or with Hybrid/Entra-joined modern devices that use PRT.
Prepare for sync — IdFix & prerequisites
Before syncing, clean the directory. IdFix is the free tool that scans on-prem AD for errors and fixes them in bulk:
- Detects duplicate or invalid proxyAddresses and userPrincipalName values, invalid characters, length issues, and blank/format problems.
- UPNs should use a routable, verified domain (not
.local). Add a UPN suffix in AD and verify the domain in Entra first.
Caveat — IdFix scope
IdFix is specifically for directory object/attribute remediation before sync (duplicates, invalid UPN/proxyAddresses). It does not configure sync or test connectivity — that's a common distractor.
Entra Connect Sync vs Entra Cloud Sync
| Capability | Entra Connect Sync | Entra Cloud Sync |
|---|---|---|
| Architecture | Full app + SQL on a Windows server you maintain | Lightweight cloud-managed agent(s); config lives in the cloud |
| Multiple disconnected forests | One server can't sync disjoint forests easily | ✅ Can sync multiple disconnected forests |
| High availability | Needs staging server | ✅ Built-in via multiple agents |
| Device sync / Hybrid Join | ✅ Supported | ❌ Not supported (yet) |
| Pass-through auth, large/complex filtering, Exchange hybrid writeback | ✅ Full feature set | Limited; growing |
| Group writeback, complex sync rules | ✅ | Limited |
| Object volume per agent | Very large | Up to ~150k objects per agent |
Caveat — which to choose
Pick Cloud Sync for: multiple disconnected forests, simple needs, lightweight HA, no on-prem footprint. Pick Connect Sync when you need device/Hybrid Join sync, Exchange hybrid writeback, complex transformations, or pass-through auth at scale. Both can run side-by-side during migration but must not manage the same objects.
Sync features (Connect Sync):
- Filtering — limit scope by domain, OU, or attribute.
- Password writeback — required so SSPR/PIM password changes flow back to on-prem AD (needs Entra ID P1).
- Device writeback, group writeback, and Exchange hybrid options.
- Default sync cycle is every 30 minutes; force with
Start-ADSyncSyncCycle -PolicyType Delta. - Source Anchor / immutableID (default
ms-DS-ConsistencyGuid) uniquely and permanently links on-prem to cloud objects.
# Force a delta (incremental) sync cycle on the Connect server
Start-ADSyncSyncCycle -PolicyType Delta
# Full (initial) sync
Start-ADSyncSyncCycle -PolicyType InitialMonitor with Entra Connect Health
Microsoft Entra Connect Health uses agents to surface sync health, errors, latency, and alerts in the Entra admin center. Requires Entra ID P1 (roughly one P1 licence per agent monitored). It can monitor three roles, each with its own agent:
- Connect Health for sync — sync errors, latency, object/export counts, alerts on failed runs.
- Connect Health for AD FS — token requests/sec, failed sign-ins, bad-password attempts (extranet lockout signals).
- Connect Health for AD DS — domain-controller health, replication status, LDAP/Kerberos performance.
Troubleshooting synchronization
- Synchronization Service Manager (miisclient) and Synchronization Rules Editor on the Connect server diagnose run profiles & rule logic.
- Duplicate attribute resiliency quarantines conflicting
proxyAddresses/UPN instead of failing the whole sync. - Sync errors appear in the Entra admin center under Health & monitoring; common causes: data mismatch, duplicates, large object changes blocked by the export deletion threshold (default 500 — a mass change is blocked until you allow it).
- For Cloud Sync, use the provisioning logs and agent status in the portal.
Accidental deletion threshold
If more than 500 objects would be deleted in one cycle, Connect halts the export to prevent mass deletion. Re-run after confirming, or temporarily raise the threshold with Enable-ADSyncExportDeletionThreshold.
2.2 Implement and manage authentication
Authentication methods
Managed centrally in the Authentication methods policy (Entra admin center → Protection → Authentication methods). Microsoft is migrating legacy MFA/SSPR method management into this single converged policy — target users by group.
| Method | Strength | Notes |
|---|---|---|
| Passkey (FIDO2) / Windows Hello | Phishing-resistant strongest | Microsoft's recommended direction |
| Certificate-based auth (CBA) | Phishing-resistant | Smartcards / PKI |
| Microsoft Authenticator | Strong | Push w/ number matching (now enforced), or passwordless phone sign-in |
| OATH hardware/software tokens | Medium | TOTP codes |
| SMS / Voice call | Weakest | Phishable; avoid as primary |
| Temporary Access Pass (TAP) | Onboarding | Time-limited passcode to bootstrap passwordless / register methods |
Number matching & additional context
Authenticator number matching is enabled by default and mandatory — the user types the number shown on the sign-in screen, defeating "MFA fatigue" prompt-bombing. You can also show app/location context.
Self-Service Password Reset (SSPR)
- Lets users reset/unlock their own password without helpdesk. Scope: None / Selected (group) / All.
- Requires a defined number of authentication methods (default 1 or 2) from the registered options.
- Combined registration lets users register SSPR + MFA methods at once.
- For hybrid users to reset their on-prem password via SSPR, you must enable password writeback in Entra Connect/Cloud Sync (Entra ID P1).
Caveat — SSPR for admins
Admin (privileged) accounts always require two methods and a strong default policy — you can't reduce it. And SSPR write-back to on-prem AD requires password writeback configured in the sync engine.
Microsoft Entra Password Protection
- Blocks weak passwords using a global banned-password list (Microsoft-managed) plus a custom banned list (up to ~1000 terms — org names, products) you define.
- Uses fuzzy matching (leetspeak, substring) and a points-based scoring system.
- On-premises Password Protection extends the same banning to AD DS via a DC agent + proxy service — runs in audit or enforce mode. Requires Entra ID P1.
Investigate & resolve authentication issues
- Sign-in logs (Entra → Monitoring) show interactive/non-interactive sign-ins with failure reason & error code, CA policy applied, and device/location. Four log types: interactive, non-interactive, service principal, managed identity.
- Sign-in diagnostic wizard guides remediation of common failures (MFA, CA block, etc.).
- Watch for legacy authentication (POP/IMAP/SMTP basic auth) — it bypasses MFA and should be blocked via Conditional Access.
| Error code | Meaning | Typical fix |
|---|---|---|
| 50126 | Invalid username or password | Reset/verify credentials |
| 50053 | Account locked (smart lockout) or too many attempts | Wait out lockout / investigate spray |
| 50055 | Password expired | Reset password |
| 53003 | Blocked by a Conditional Access policy | Review which CA policy applied |
| 53004 | MFA registration required / blocked | Complete security-info registration |
| 500121 | MFA challenge not completed (timeout/denied) | Re-attempt / check Authenticator |
| 50057 / 50058 | Account disabled / session info missing | Re-enable account / re-auth |
Migrating auth methods — staged rollout
Staged rollout moves selected groups from federated (AD FS) to cloud authentication (PHS or PTA) for testing before cutting the whole domain over with Set-MsolDomainAuthentication/Graph. It is a test feature — not for permanent mixed-state operation.
2.3 Implement and manage secure access
Microsoft Entra Identity Protection
Uses Microsoft's threat intelligence to detect risk and respond automatically. Requires Entra ID P2.
| Risk type | What it measures | Example signals |
|---|---|---|
| User risk | Probability the identity is compromised | Leaked credentials, anomalous user behaviour |
| Sign-in risk | Probability a given sign-in isn't the legit owner | Anonymous IP/Tor, atypical travel, unfamiliar sign-in properties, malware-linked IP, password spray |
Three policy types:
- User risk policy — e.g. require secure password change when user risk is High.
- Sign-in risk policy — e.g. require MFA when sign-in risk is Medium+.
- MFA registration policy — force users to register MFA so remediation is possible.
Best practice — drive risk via Conditional Access
Microsoft now recommends managing user-risk and sign-in-risk conditions inside Conditional Access policies rather than the legacy standalone IP policies — gives you full CA controls (e.g. require password change and MFA).
Investigating & remediating risk
Risk is scored Low / Medium / High. Reports: Risky users, Risky sign-ins, Risk detections, and Risky workload identities (apps/service principals). Remediation closes the loop:
| Admin / automatic action | Effect on risk |
|---|---|
| Self-remediation (MFA + secure password change) | Auto-clears user risk if policy allows |
| Confirm user compromised | Raises risk to High, feeds Microsoft ML |
| Confirm user safe | Marks as safe, ignored in future scoring |
| Dismiss user risk | Sets risk to none (no learning signal) |
| Reset password / block sign-in | Forces secure reset / stops the account |
Caveat — leaked credentials need PHS
The leaked credentials risk detection only works when Password Hash Synchronization is enabled (Microsoft must hold a hash to compare). With pure PTA/federation, that specific detection won't fire. Confirm compromised vs Confirm safe also train the risk engine — Dismiss does not.
Planning Conditional Access
Conditional Access (CA) is the "if-then" policy engine: if these signals are present, then enforce these controls. Requires Entra ID P1.
Hybrid join · app protection · ToU] AC -->|Session| Z[App-enforced · CAE · sign-in frequency]
Caveat — Block always wins
If multiple CA policies apply, an explicit Block beats any Grant. All grant requirements in a policy must be met. Always exclude break-glass / emergency access accounts from CA policies (and from MFA enforcement) to avoid lock-out.
Implementing Conditional Access policies
Assignments (the "if"): Users/groups (incl. guests, directory roles), target resources (cloud apps, user actions like register security info, auth context), conditions (locations/named locations, device platforms, client apps, sign-in/user risk, filter for devices).
Access controls (the "then"):
- Grant: Block, or Grant with — require MFA, require compliant device (Intune), require Hybrid Entra joined device, require approved client app / app protection policy, require password change, require Terms of Use. Combine with AND/OR ("require all" / "require one").
- Session: app-enforced restrictions, Conditional Access App Control (Defender for Cloud Apps), sign-in frequency, persistent browser session, Continuous Access Evaluation (CAE), token protection.
Report-only mode & What If
Deploy new policies in Report-only mode first to see impact in sign-in logs without enforcing. Use the What If tool to simulate which policies would apply to a given user/app/condition. Templates are available for common scenarios.
Security defaults (free) give a baseline (MFA for admins, block legacy auth). You cannot use CA policies while Security defaults are enabled — disable defaults first. CA is the granular, recommended approach for P1+.
MFA via Conditional Access
- Preferred way to require MFA: a CA policy granting access only with Require multifactor authentication, targeted at users/apps/conditions.
- Authentication strengths let a CA policy demand a specific method class — e.g. "phishing-resistant MFA" (FIDO2/CBA/Windows Hello) for admins.
- Legacy per-user MFA (enabled/enforced state) still exists but is being deprecated in favour of CA-driven MFA.
Caveat — trusted locations & named locations
Define Named locations (IP ranges or countries) and mark trusted ones to reduce friction (e.g. no MFA from HQ) — but for security questions, conditions like "require MFA except trusted locations" are common. Country/region locations can also block high-risk geographies.
Recommended Conditional Access baseline
Microsoft's "secure foundation" set of policies — recognise these scenarios on the exam:
| Policy | Target → Control |
|---|---|
| Require MFA for admins | Directory roles → Require MFA (or phishing-resistant strength) |
| Require MFA for all users | All users → Require MFA |
| Block legacy authentication | Client apps = legacy → Block |
| Require MFA for risky sign-ins | Sign-in risk = Medium+ → Require MFA (P2) |
| Require secure password change for risky users | User risk = High → Require password change + MFA (P2) |
| Require compliant / Hybrid-joined device | All users → Grant: compliant device OR Hybrid join |
| Require MFA to register security info | User action = register security info → Require MFA |
Authentication strengths
Three built-in strengths — MFA, Passwordless MFA, and Phishing-resistant MFA (FIDO2 / Windows Hello / CBA) — plus custom strengths. A CA policy grant of "require authentication strength" enforces a specific method class, which is stronger than the generic "require MFA".