
Entra ID for the AZ-500: Tenants, Roles & Identity Basics

Master the Microsoft Entra ID concepts tested on AZ-500: tenant architecture, B2B vs B2C federation, built-in admin roles, and the identity primitives that underpin every other exam domain.

Microsoft Cloud Solution Architect

Tags: AZ-500, Entra ID, Azure AD, Identity, Admin Roles, B2B, B2C, Certification

What Is Microsoft Entra ID?

Microsoft Entra ID (formerly Azure Active Directory) is the cloud-based identity and access management service that sits at the heart of every Azure subscription. For the AZ-500 exam, you need to understand it not just as a login service but as the policy enforcement boundary for your entire environment.

A tenant is a dedicated instance of Entra ID that an organization receives when signing up for a Microsoft cloud service. Everything, including users, groups, service principals, and applications, lives inside a tenant. Each Azure subscription is linked to exactly one tenant, but a single tenant can manage multiple subscriptions.

B2B vs B2C

B2B (Business-to-Business): Used when external partner users need access to your internal resources. External users are invited as guests and represented by a guest object in your tenant. You control which resources they can reach via Conditional Access and RBAC.

B2C (Business-to-Customer): A separate service for customer-facing applications. B2C tenants are completely independent from your corporate Entra ID tenant.

The AZ-500 exam tests your understanding of when to use each: B2C never appears in your corporate identity perimeter.

Built-in Admin Roles

The exam frequently tests the principle of least-privilege across admin roles. Key roles to know:

Role                          Scope
Global Administrator          Full tenant control; break-glass only
Security Administrator        Manage security policies, read security data
Security Reader               Read-only access to security features
User Administrator            Manage users and groups, reset passwords

Exam tip: The Security Administrator role cannot reset passwords for other admins. Only Global Administrator or Privileged Authentication Administrator can do this.

Directory vs Subscription RBAC

Entra ID roles (directory roles) are separate from Azure RBAC roles (subscription/resource roles). A Global Administrator does not automatically have Owner access to Azure subscriptions. They must explicitly elevate access via the "Access management for Azure resources" toggle in Entra ID settings.

This distinction is a common exam trap.
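Elevation leaves a footprint you can audit for: it grants User Access Administrator at the root scope "/", above every management group and subscription. The following is an added example (not code from the article) that classifies Azure RBAC scope strings by hierarchy level and flags root-scope assignments; the input is a constructed sample shaped like `az role assignment list --all` output, and the principal names and subscription ID are made up.

```python
import json

# Constructed sample in the shape of `az role assignment list --all`
# output, trimmed to the fields used here; not data from any real tenant.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "breakglass@contoso.example", "principalType": "User",
     "roleDefinitionName": "User Access Administrator", "scope": "/"},
    {"principalName": "sec-ops", "principalType": "Group",
     "roleDefinitionName": "Security Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalName": "web-deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"
              "/resourceGroups/rg-web"},
])


def scope_level(scope: str) -> str:
    """Map an Azure RBAC scope string to its level in the hierarchy:
    root "/", management group, subscription, resource group or resource."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[:2] == ["providers", "Microsoft.Management"]:
        return "managementGroup"
    if parts[0] == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2].lower() == "resourcegroups":
            return "resourceGroup"
        return "resource"
    return "unknown"


def find_root_scope_assignments(raw_json: str) -> list:
    """Return assignments granted at root scope "/". Elevating access from
    Entra ID creates exactly such an assignment (User Access Administrator
    at "/"), so anything found here is elevation that was never removed."""
    return [
        {"principal": a["principalName"], "role": a["roleDefinitionName"]}
        for a in json.loads(raw_json)
        if scope_level(a["scope"]) == "root"
    ]


if __name__ == "__main__":
    for f in find_root_scope_assignments(SAMPLE_ASSIGNMENTS):
        print(f"root-scope assignment: {f['principal']} has {f['role']}")
```

Run it against real output by piping `az role assignment list --all` into `find_root_scope_assignments`; any hit should be removed once the task that required elevation is finished.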


Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.
