Identity & Access Fundamentals

AuthN vs. AuthZ, tenants, users, groups and roles — the building blocks of Module 01
🟢 Beginner ⏱ 10 Minutes 📘 AZ-104 · Prerequisites
Why This Matters

Identity & Governance is the largest single domain on the AZ-104 exam (20–25%). Module 01 builds directly on the concepts below — read this first if terms like "tenant," "directory," or "role-based access" are new to you.

Authentication vs. Authorization

These two terms are often confused but mean different things:

  • Authentication (AuthN)proving who you are (e.g., signing in with a username and password, or MFA).
  • Authorization (AuthZ)what you're allowed to do once you're signed in (e.g., can you create a VM in this subscription?).

Microsoft Entra ID (formerly Azure AD) handles authentication. Role-Based Access Control (RBAC) handles authorization. Module 01 covers both — Lab 01 focuses on Entra ID identities, Lab 02 on RBAC.

Sign-in request │ ▼ Authentication (Entra ID) "Who are you?" │ ✓ identity verified ▼ Authorization (Azure RBAC) "What can you do?" │ ├── Contributor → can manage resources ├── Reader → can view only └── No role → "signed in" but can't do anything ✗

Tenants & Directories

A Microsoft Entra tenant (directory) is a dedicated, isolated instance of Entra ID — essentially "your organization's identity database" in the cloud. When you sign up for Azure, a tenant is created automatically. Every user, group, and app registration lives inside a tenant.

Example: Your organization contoso.com has one Entra tenant. All employees' user accounts, the security groups they belong to, and any custom applications registered for SSO all live in that one tenant — even if the organization has multiple Azure subscriptions (billing/resource containers) underneath it.

⚠️ Note

A tenant is not the same as a subscription. One tenant can be linked to many subscriptions; Module 01 (Lab 03) covers how subscriptions, management groups, and resource groups relate.

Users, Groups & Roles

  • A user is an identity that can sign in (a person, or in some cases a service).
  • A group is a collection of users (and/or other groups) — used to assign permissions or licenses to many users at once instead of individually.
  • A role is a named set of permissions. Entra ID has built-in administrator roles (e.g., User Administrator, Global Administrator) that control what someone can do to the directory itself (manage users, reset passwords, etc.) — distinct from Azure RBAC roles, which control what someone can do to Azure resources (VMs, storage, networks).
Entra ID rolesAzure RBAC roles
Controls access toThe directory (users, groups, licenses)Azure resources (subscriptions, resource groups, individual resources)
Example roleUser AdministratorContributor, Reader, Virtual Machine Contributor
Covered inLab 01Lab 02

Why This Distinction Matters on the Exam

A classic exam scenario: "User A can sign in but can't create any resources." This is almost always an Azure RBAC problem (no role assignment on the subscription/resource group), not an Entra ID problem — because signing in successfully already proves authentication works. Knowing which layer (AuthN vs. AuthZ) a symptom points to is a recurring exam pattern.

How This Connects to Other Topics

Glossary

Unfamiliar term? Check the AZ-104 Glossary for quick definitions of every concept used across these docs.

Module 01 — Identity & Governance

Start with Entra ID Overview (tenants, users, groups in practice), then RBAC Fundamentals (authorization in depth).

Key Takeaways

💡 Summary
  • Authentication (AuthN) = proving who you are (Entra ID)
  • Authorization (AuthZ) = what you can do (Azure RBAC)
  • Tenant = your organization's isolated identity directory
  • Tenant ≠ Subscription — one tenant can have many subscriptions
  • Users / Groups / Roles = the building blocks of identity and access
  • Entra roles ≠ Azure RBAC roles — different systems, both needed
  • "Can sign in but can't do anything" → almost always an RBAC issue

Next Steps

  1. Recap: Read Cloud Computing Fundamentals if you haven't yet
  2. Recap: Read Networking Basics (needed for Module 04)
  3. Begin: Module 01: Entra ID Overview — apply tenants, users & groups
  4. Continue: Module 01: RBAC Fundamentals — apply authorization
Azure AZ-104 Professional Concept Documentation
Module 00 — Prerequisites
Generated June 15, 2026
© 2026 — AZ-104 Learning Hub. For study purposes only.