Cyber Intelligence
Identity & Access · 30% of exam

L1. Entra ID for the AZ-500

Course outlineLesson 1 of 18

Master the Microsoft Entra ID concepts tested on AZ-500: tenant architecture, B2B vs B2C federation, built-in admin roles, and the identity primitives that underpin every other exam domain.

What Is Microsoft Entra ID?

Microsoft Entra ID (formerly Azure Active Directory) is the cloud-based identity and access management service that sits at the heart of every Azure subscription. For the AZ-500 exam, you need to understand it not just as a login service but as the policy enforcement boundary for your entire environment.

A tenant is a dedicated instance of Entra ID that an organization receives when signing up for a Microsoft cloud service. Everything including users, groups, service principals, and applications lives inside a tenant. Each Azure subscription is linked to exactly one tenant, but a single tenant can manage multiple subscriptions.

B2B vs B2C

B2B (Business-to-Business): Used when external partner users need access to your internal resources. External users are invited as guests and represented by a guest object in your tenant. You control which resources they can reach via Conditional Access and RBAC. B2C (Business-to-Customer): A separate service for customer-facing applications. B2C tenants are completely independent from your corporate Entra ID tenant. The AZ-500 exam tests your understanding of when to use each: B2C never appears in your corporate identity perimeter.

Built-in Admin Roles

The exam frequently tests the principle of least-privilege across admin roles. Key roles to know:

RoleScope
Global AdministratorFull tenant control: break-glass only
Security AdministratorManage security policies, read security data
Security ReaderRead-only access to security features
User AdministratorManage users and groups, reset passwords
Exam tip: The Security Administrator role cannot reset passwords for other admins. Only Global Administrator or Privileged Authentication Administrator can do this.

Directory vs Subscription RBAC

Entra ID roles (directory roles) are separate from Azure RBAC roles (subscription/resource roles). A Global Administrator does not automatically have Owner access to Azure subscriptions. They must explicitly elevate access via the "Access management for Azure resources" toggle in Entra ID settings.

This distinction is a common exam trap.

Exam Focus Points
  • A tenant is a dedicated Entra ID instance: one subscription maps to one tenant, not the reverse
  • B2B = external partners as guests in your tenant; B2C = customer-facing identity (separate tenant entirely)
  • Global Administrator does not automatically have Azure subscription Owner rights: requires manual elevation
  • Security Administrator cannot reset admin passwords: only Global Admin or Privileged Authentication Admin can
  • Directory (Entra) roles and Azure RBAC roles are completely separate hierarchies
Knowledge Check

1. What is the primary difference between Azure AD B2B and B2C?

2. Which Entra ID admin role can manage security policies but cannot reset passwords for other administrators?

3. In Entra ID, what is the relationship between a tenant and a directory?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.

Start AZ-500 prep free10-day free trial available