Glossary
Search Azure terms
Open a clear definition, then continue into exam context, architecture, commands, operational examples, common mistakes, and related concepts.
Search all
Commands
Learning guides
Concept graph
Compare
Search-first Azure knowledge base
Term results
Search for a term or click a category. Results render only after you ask for them, so the glossary does not dump every available term on first load. Each result includes Quick peek and Open full term page actions.
Start with a search or a category.
Try managed identity , resource group , az group , private endpoint , or click Databases to load all database-related terms.
Showing 57 identity terms.
Identity
learning-path-anchor
System-assigned managed identity
A system-assigned managed identity lets one Azure resource authenticate without a stored password, client secret, or certificate managed by your app team. You turn it on for a resource such as a web app, function, virtual machine, data factory, or automation account. Azure creates an identity for that resource, and the resource can request...
Managed identities
intermediate
4 commands
Aliases: system assigned identity, resource managed identity, SystemAssigned identity, managed service identity
Quick peek
Open full term page
Identity
learning-path-anchor
Tenant ID
A tenant ID is the globally unique identifier for a Microsoft Entra tenant.
Microsoft Entra
fundamentals
4 commands
Aliases: Tenant ID, tenant id, Azure Tenant ID, Microsoft Entra tenant ID, directory ID, tenantId
Quick peek
Open full term page
Identity
premium
Access package
An access package bundles resources someone may need for a job or project. Instead of asking separately for groups, apps, or sites, a user requests the package, and Entra applies approval, duration, review, and removal rules.
Identity operations
fundamentals
5 commands
Aliases: No aliases yet
Quick peek
Open full term page
Identity
premium
Access review
An access review is a governance check asking, “Should this access still exist?” It lets owners, managers, users, or admins review access to groups, apps, access packages, and privileged roles, then keep or remove access based on decisions and recommendations.
Governance
fundamentals
5 commands
Aliases: No aliases yet
Quick peek
Open full term page
Identity
premium
Active assignment
An active assignment is privileged access that is usable immediately for its assignment period without requiring activation. In Microsoft Entra Privileged Identity Management, active assignments differ from eligible assignments, which require an activation step such as MFA, justification, or approval before privileges can be used.
Privileged access
intermediate
4 commands
Aliases: PIM active assignment, active role assignment, standing privileged assignment
Quick peek
Open full term page
Identity
premium
Admin consent
Admin consent is a Microsoft Entra approval that grants an application requested permissions, often tenant-wide, to access protected resources. In everyday Azure work, teams use it to approve SaaS apps, internal applications, or multi-tenant integrations that need permissions users cannot safely grant themselves. The useful evidence is application ID, service principal, requested scopes or app
Microsoft Entra ID
intermediate
4 commands
Aliases: tenant-wide admin consent, application permission consent, Entra admin consent
Quick peek
Open full term page
Identity
premium
App registration
An app registration is the identity profile for an application, not the application code itself. It tells Microsoft Entra ID how the app is allowed to sign in users or request tokens. It contains values developers copy into configuration, such as client ID, tenant, redirect URI, credentials, and permissions. When sign-in breaks, consent fails, or tokens contain the wrong audience, the app registration is often where engineers look first. It is the contract between the app, Entra ID, administrators, and downstream APIs.
Applications
fundamentals
5 commands
Aliases: Microsoft Entra app registration, application registration
Quick peek
Open full term page
Identity
premium
App role
An app role is an application-defined permission or responsibility, such as Reader, Approver, or Orders.Write. The resource application defines the role, and users, groups, or client applications can be assigned to it. When the user or application gets a token, the role can appear as a claim for.
Identity operations
fundamentals
4 commands
Aliases: application role, Microsoft Entra app role
Quick peek
Open full term page
Identity
premium
App role assignment
An app role assignment is the actual grant that connects a principal to an app role. The principal might be a user, group, or service principal, and the role is defined by the resource application. Without an assignment, the role exists but nobody receives it. With an assignment, tokens or.
Identity operations
intermediate
4 commands
Aliases: application role assignment, Microsoft Entra app role assignment
Quick peek
Open full term page
Identity
premium
Application permission
An application permission is an app-only permission, also exposed as an app role, that lets a client application access a resource without a signed-in user after consent is granted.
Identity operations
fundamentals
4 commands
Aliases: application permission
Quick peek
Open full term page
Identity
premium
Assignment managed identity
Assignment managed identity is the identity Azure Policy uses when a policy assignment must change resources during remediation. It matters most for effects such as modify and deployIfNotExists, where Policy is not just reporting non-compliance but attempting to fix or deploy something. The identity needs Azure RBAC permissions at the right scope. Without those.
Azure Policy
intermediate
2 commands
Aliases: Policy assignment identity, Azure Policy managed identity, policy remediation identity, assignment identity
Quick peek
Open full term page
Identity
premium
Azure tenant
An Azure tenant is the Microsoft Entra directory that provides identity and access management for users, groups, applications, service principals, devices, and Azure resources associated with an organization.
Azure identity
fundamentals
5 commands
Aliases: tenant, Microsoft Entra tenant, tenant ID
Quick peek
Open full term page
Identity
premium
B2B collaboration
Microsoft Entra B2B collaboration lets organizations invite external users and business partners to access applications and resources while keeping control of corporate data and access policies.
External identities
fundamentals
5 commands
Aliases: No aliases yet
Quick peek
Open full term page
Identity
premium
Break-glass account
A break-glass account is an emergency access account reserved for tenant recovery when normal administrative sign-in or Conditional Access paths fail.
Privileged access
fundamentals
3 commands
Aliases: emergency access account
Quick peek
Open full term page
Identity
premium
Certificate credential
A certificate credential lets an app authenticate with a certificate instead of a shared secret.
Applications
fundamentals
3 commands
Aliases: No aliases yet
Quick peek
Open full term page
Identity
premium
Client ID
A client ID is the application identifier assigned to an app registration by Microsoft Entra ID. Microsoft Learn describes the Application, or client, ID as the value that uniquely identifies an application in the Microsoft identity platform across tenants and clouds.
Applications
fundamentals
4 commands
Aliases: No aliases yet
Quick peek
Open full term page
Identity
premium
Client secret
A client secret is a password-style credential added to an app registration so a confidential application can authenticate to Microsoft Entra ID. Microsoft Learn recommends managing credentials carefully and also supports certificates and federated credentials for stronger automation patterns and rotation.
Applications
fundamentals
4 commands
Aliases: No aliases yet
Quick peek
Open full term page
Identity
premium
Conditional Access
Conditional Access is the rule system that decides what a user, workload, or agent must prove before getting into an application. It is not just an MFA switch. A policy can ask who is signing in, where the request comes from, what device is used, which app is targeted, and whether risk signals look suspicious. Then it can allow access, block it, require stronger authentication, demand a compliant device, or.
Access control
fundamentals
4 commands
Aliases: Conditional Access, Microsoft Entra Conditional Access, conditional-access, Entra Conditional Access
Quick peek
Open full term page
Identity
premium
Conditional Access policy
Require phishing-resistant or multifactor authentication for privileged administrators accessing Azure management portals.; Block or challenge risky sign-ins based on sign-in risk, user risk, unfamiliar location, or impo
Privileged access
fundamentals
4 commands
Aliases: Conditional Access policy
Quick peek
Open full term page
Identity
premium
Consent grant
the Microsoft Entra permission approval that lets an application call an API with delegated user scopes or application roles
Identity operations
fundamentals
3 commands
Aliases: No aliases yet
Quick peek
Open full term page
Identity
premium
Delegated permission
A delegated permission is a Microsoft identity platform permission that lets an application act on behalf of a signed-in user, limited by both the granted permission and the user’s own access.
Identity operations
intermediate
4 commands
Aliases: OAuth delegated permission, Microsoft Graph delegated permission, user delegated permission
Quick peek
Open full term page
Identity
premium
Directory
A directory is the Microsoft Entra identity container associated with users, groups, applications, service principals, devices, and tenant-level identity configuration.
Tenant identity
fundamentals
4 commands
Aliases: Microsoft Entra directory, tenant directory, identity directory, Azure AD directory
Quick peek
Open full term page
Identity
premium
Directory role
A directory role grants permissions to manage Microsoft Entra tenant resources such as users, groups, applications, devices, roles, and security settings.
Privileged access
intermediate
4 commands
Aliases: Microsoft Entra role, administrator role, Entra directory role, tenant administrator role
Quick peek
Open full term page
Identity
premium
Eligible assignment
An eligible assignment grants a user or principal the ability to activate a privileged Microsoft Entra or Azure RBAC role when needed instead of holding it permanently.
Privileged access
intermediate
4 commands
Aliases: PIM eligible assignment, eligible role assignment
Quick peek
Open full term page
Identity
premium
Enterprise application
Enterprise application properties in Microsoft Entra ID configure the organization-specific service principal settings for an application, including user assignment, single sign-on, provisioning, and ownership.
Microsoft Entra applications
intermediate
4 commands
Aliases: Entra enterprise application, service principal application, enterprise app
Quick peek
Open full term page
Identity
premium
Entitlement management
Entitlement management uses access packages to govern access to groups, applications, SharePoint sites, and other resources for internal and external identities.
Identity Governance
intermediate
4 commands
Aliases: Microsoft Entra entitlement management, Entra entitlement management, access package governance
Quick peek
Open full term page
Identity
premium
Federated credential
A Federated credential is a Microsoft Entra trust configuration that allows a workload to exchange a token from an external identity provider for an Entra access token without using a stored secret. Teams use it to let approved external workloads such as pipelines, automation systems, or Kubernetes workloads authenticate to Azure using signed tokens instead of long-lived client secrets. It is not a user password, general RBAC grant, certificate, managed identity by itself, or permission to access Azure resources without matching issuer, subject, audience, and role assignment controls.
Workload identity
intermediate
6 commands
Aliases: workload federated credential, OIDC credential, external identity federation credential, federated trust credential
Quick peek
Open full term page
Identity
premium
Federated identity credential
A Federated identity credential is a Microsoft Entra credential object that defines the issuer, subject, and audience trusted for workload identity federation. Teams use it to allow a specific external workload identity to authenticate as an Entra application or user-assigned managed identity without storing a client secret or certificate. It is not a role assignment, token issued by Azure, user sign-in method, broad trust for every workflow in a repository, or evidence that the workload can access resources without RBAC.
Workload identity
intermediate
6 commands
Aliases: Microsoft Entra federated identity credential, FIC, workload identity credential, OIDC federation credential
Quick peek
Open full term page
Identity
premium
Global Administrator
Global Administrator is the highest-impact Microsoft Entra administrator role most tenants use, with broad authority over directory settings, users, applications, roles, and cross-service administration. Teams use it to perform rare tenant-level administration, recover from access emergencies, manage privileged identity settings, and approve sensitive directory changes. In daily Azure work, it shows up when engineers review privileged role assignments, configure PIM, investigate tenant takeover risk, elevate access for Azure resource recovery, or audit emergency accounts. Review owner, scope, evidence, dependencies, and rollback before production change.
Privileged access
advanced
4 commands
Aliases: Global Admin, Microsoft Entra Global Administrator, tenant global administrator
Quick peek
Open full term page
Identity
premium
Group
A Microsoft Entra group is an identity object that collects users, devices, service principals, or other groups so access, collaboration, or administration can be managed together.
Microsoft Entra
fundamentals
4 commands
Aliases: Microsoft Entra group, security group, Microsoft 365 group
Quick peek
Open full term page
Identity
premium
Guest user
A guest user is an external identity invited into a Microsoft Entra tenant so a partner, contractor, or external collaborator can access approved resources.
External identities
fundamentals
4 commands
Aliases: B2B guest user, external guest user, Microsoft Entra guest
Quick peek
Open full term page
Identity
premium
Identity Governance
Identity Governance is a Microsoft Entra set of capabilities for managing identity lifecycle, access lifecycle, access reviews, entitlement management, and privileged access.
Identity operations
intermediate
4 commands
Aliases: Entra ID Governance, identity governance, Identity Governance, Microsoft Entra Identity Governance
Quick peek
Open full term page
Identity
premium
Identity Protection
Identity Protection is a Microsoft Entra capability that detects, investigates, and helps remediate risky users and risky sign-ins.
Security
intermediate
4 commands
Aliases: Entra ID Protection, identity protection, Identity Protection, identity risk protection, Microsoft Entra ID Protection
Quick peek
Open full term page
Identity
premium
Log Analytics Data Reader
A Log Analytics Data Reader assignment is an Azure built-in RBAC role for letting approved users, groups, or workload identities query the Log Analytics logs they are allowed to view across workspaces and tables without granting workspace administration, table management, or broader monitoring control.
Azure RBAC
fundamentals
4 commands
Aliases: No aliases yet
Quick peek
Open full term page
Identity
premium
Managed identity
A managed identity is an automatically managed Microsoft Entra identity assigned to a supported Azure resource. It lets workloads authenticate to services that support Microsoft Entra authentication without storing passwords, certificates, or client secrets in code, configuration, or deployment pipelines.
Microsoft Entra workload identity
intermediate
3 commands
Aliases: Managed identity, system-assigned managed identity, user-assigned managed identity, Azure workload identity, secretless authentication, system-assigned identity, user-assigned identity, Microsoft Entra ID, Microsoft Entra workload identity
Quick peek
Open full term page
Identity
premium
Microsoft 365 group
Microsoft 365 group is a collaboration-backed group object in Microsoft Entra ID used for shared membership across Microsoft 365 resources and some Azure access patterns. Teams should manage it with clear ownership, monitoring, rollback evidence, and production change discipline.
Microsoft Entra ID
fundamentals
4 commands
Aliases: M365 group, Office 365 group, Microsoft 365 collaboration group
Quick peek
Open full term page
Identity
premium
Microsoft Entra group
Entra group means a Microsoft Entra ID group object used to manage membership, access assignments, application permissions, and governance workflows as a unit. Teams should manage it with clear ownership, monitoring, rollback evidence, and production change discipline.
Directory groups
intermediate
4 commands
Aliases: Entra group, Azure AD group, directory group
Quick peek
Open full term page
Identity
premium
Microsoft Entra ID
Microsoft Entra ID is the cloud identity platform that stores tenant identities and provides authentication, authorization, application registration, and access governance for Azure. Teams should manage it with clear ownership, monitoring, rollback evidence, and production change discipline.
Identity platform
fundamentals
4 commands
Aliases: Entra ID, Azure Active Directory, Azure AD, AAD
Quick peek
Open full term page
Identity
premium
Multifactor authentication
Multifactor authentication means a Microsoft Entra sign-in control that requires two or more verification factors before access is granted. You see it when teams protect Azure portal access, privileged roles, risky sign-ins, and sensitive applications from password-only compromise. Think of it as stronger proof of user identity during sign-in, not a replacement for least privilege or role review. It matters because the setting changes how teams design, secure, operate, and troubleshoot the workload. Before changing it in production, know the owner, dependency, evidence, expected result, and rollback path.
Access control
fundamentals
4 commands
Aliases: MFA
Quick peek
Open full term page
Identity
premium
Object ID
An Object ID is the unique ID for a specific thing inside Microsoft Entra ID. That thing might be a user, group, service principal, managed identity, or enterprise application object. It is not the friendly display name, and it is not always the same as an application client ID. In Azure operations, the Object ID is the value people often need when assigning RBAC roles, checking ownership, troubleshooting identity, or proving exactly which principal was granted access.
Microsoft Entra
fundamentals
5 commands
Aliases: No aliases yet
Quick peek
Open full term page
Identity
premium
Service principal
A service principal is the local Microsoft Entra identity for an application or automation instance in a tenant. It represents the app for sign-in, consent, and authorization, and it can receive Azure RBAC roles or API permissions without using a human user account.
Azure identity
fundamentals
6 commands
Aliases: Microsoft Entra service principal, Service principal, application service principal, automation identity, service principal, service-principal
Quick peek
Open full term page
Identity
field-manual-complete
OAuth 2.0
OAuth 2.0 is the system many Azure applications use to get permission to call an API without handing a password to that API. The application sends a user or workload through a trusted Microsoft identity flow, receives an access token, and presents that token to the resource. In practice, OAuth 2.0 explains why app registrations, scopes, consent prompts, redirect URIs, client secrets, certificates, and managed identities all show up when teams secure Azure-hosted applications.
Authentication
fundamentals
5 commands
Aliases: No aliases yet
Quick peek
Open full term page
Identity
verified
OpenID Connect
OpenID Connect is an authentication protocol layer built on OAuth 2.0. In Microsoft Entra ID, apps use it for single sign-on by requesting ID tokens, discovering provider metadata, validating claims, and securely combining sign-in with access-token acquisition when needed.
Authentication
fundamentals
7 commands
Aliases: OIDC, OpenID Connect protocol, Microsoft identity platform OIDC, Entra ID OpenID Connect, ID token sign-in
Quick peek
Open full term page
Identity
field-manual-complete
Privileged Identity Management
Privileged Identity Management, usually called PIM, is the Microsoft Entra feature that keeps powerful access from being permanently active unless someone really needs it.
Access control
fundamentals
5 commands
Aliases: PIM
Quick peek
Open full term page
Identity
verified
Privileged Role Administrator
Privileged Role Administrator is the role you give to someone who manages other administrators, not ordinary application users.
Privileged access
fundamentals
6 commands
Aliases: No aliases yet
Quick peek
Open full term page
Identity
verified
RBAC
Azure role-based access control is an authorization system built on Azure Resource Manager. It grants users, groups, service principals, and managed identities specific roles at management group, subscription, resource group, resource, or environment scopes so teams can apply least privilege.
Azure identity
fundamentals
5 commands
Aliases: Azure RBAC, role-based access control, role based access control
Quick peek
Open full term page
Identity
verified
Reader role
Reader is an Azure RBAC built-in role that grants read access to Azure Resource Manager control-plane information at the assigned scope. It can view resources and metadata but cannot create, update, delete, or manage access. It does not automatically grant service data-plane read permissions.
Azure RBAC
fundamentals
4 commands
Aliases: Azure Reader role, Reader RBAC role, view-only role, Azure RBAC Reader, control-plane read role
Quick peek
Open full term page
Identity
verified
Resource identity
A resource identity is the Azure identity a workload uses when it needs permission to call another service. Most teams see it as a system-assigned or user-assigned managed identity on a VM, App Service, Function, container app, automation account, or data service. Instead of storing a password or client secret, the resource receives a Microsoft Entra identity and uses tokens. Operators then grant that identity roles on Key Vault, Storage, SQL, Cosmos DB, or other dependencies.
Identity operations
fundamentals
5 commands
Aliases: Workload identity for a resource, Managed identity surface
Quick peek
Open full term page
Identity
field-manual-complete
Security group
A security group is a named set of identities that receive access together.
Identity operations
fundamentals
4 commands
Aliases: Microsoft Entra security group, Entra security group, access group
Quick peek
Open full term page
Identity
field-manual-complete
Token
A token is a security credential issued by Microsoft Entra ID or another identity provider to carry claims about an authenticated user, application, or workload. Azure services use access tokens to authorize requests to specific resources without sending passwords on each call.
Authentication
fundamentals
5 commands
Aliases: access token, bearer token, security token, OAuth token, Entra token
Quick peek
Open full term page
Identity
field-manual-complete
User
A user is a Microsoft Entra identity that usually represents a person who can sign in, receive group membership, and be assigned access. Azure uses the user object, its object ID, and its roles to evaluate authentication and authorization decisions.
Microsoft Entra ID
beginner
5 commands
Aliases: Microsoft Entra user, Entra user, user object, human identity, directory user
Quick peek
Open full term page
Identity
field-manual-complete
User consent
User consent is the process where a signed-in user allows an application to access protected resources on the user’s behalf. In Microsoft Entra ID, tenant settings and permission policies control whether users can grant consent and which delegated permissions are allowed.
Application consent
intermediate
5 commands
Aliases: OAuth user consent, delegated consent, application consent prompt, consent grant
Quick peek
Open full term page
Identity
field-manual-complete
User-assigned managed identity
A standalone managed identity that can be attached to one or more Azure resources.
Managed identities
fundamentals
5 commands
Aliases: UAMI, user managed identity, reusable managed identity
Quick peek
Open full term page
Identity
verified
Workload identity
A workload identity is an identity assigned to software, such as an application, service, script, or container, so it can authenticate to Microsoft Entra protected resources. In Azure, examples include app registrations, service principals, managed identities, and federated workload identities.
Workload identity
fundamentals
6 commands
Aliases: No aliases yet
Quick peek
Open full term page
Identity
verified
Workload identity federation
Workload identity federation lets an external workload exchange a trusted token for Microsoft Entra access tokens without storing long-lived secrets. Microsoft Entra validates the issuer, subject, and audience in a federated credential, then allows automation such as GitHub Actions, Kubernetes, or other platforms to access protected resources.
Identity operations
fundamentals
5 commands
Aliases: Federated workload identity, OIDC federation for workloads, Federated identity credential, Secretless workload authentication
Quick peek
Open full term page
Identity
template-specs-upgraded
Role activation
Just-in-time elevation of eligible Microsoft Entra or Azure roles through Privileged Identity Management.
Privileged access
fundamentals
6 commands
Aliases: PIM activation, privileged role activation, eligible role activation, just-in-time role activation, Microsoft Entra role activation
Quick peek
Open full term page
Identity
template-specs-upgraded
SAML
Microsoft Learn describes SAML 2.0 as a protocol for authentication requests and responses that Microsoft Entra ID supports for single sign-on. Enterprise applications use SAML settings such as identifier, reply URL, claims, and signing certificates. and centralized policy enforcement. and enterprise SSO troubleshooting.
Authentication
fundamentals
6 commands
Aliases: Security Assertion Markup Language, SAML 2.0, SAML single sign-on, SAML SSO, federated SSO
Quick peek
Open full term page
No glossary terms matched that search.
Try a service name, acronym, command group, or category such as RBAC , az group , App Service , Application Insights , Databases , or Azure AI Search .
Clear filters and show matches
Reset search