Glossary
Search Azure terms
Open a clear definition, then continue into exam context, architecture, commands, operational examples, common mistakes, and related concepts.
Search all
Commands
Learning guides
Concept graph
Compare
Search-first Azure knowledge base
Term results
Search for a term or click a category. Results render only after you ask for them, so the glossary does not dump every available term on first load. Each result includes Quick peek and Open full term page actions.
Start with a search or a category.
Try managed identity , resource group , az group , private endpoint , or click Databases to load all database-related terms.
Showing 50 of 533 matching terms. Narrow the search to reduce the list.
Identity
premium
Azure tenant
An Azure tenant is the Microsoft Entra directory that provides identity and access management for users, groups, applications, service principals, devices, and Azure resources associated with an organization.
Azure identity
fundamentals
5 commands
Aliases: tenant, Microsoft Entra tenant, tenant ID
Quick peek
Open full term page
Identity
premium
Directory
A directory is the Microsoft Entra identity container associated with users, groups, applications, service principals, devices, and tenant-level identity configuration.
Tenant identity
fundamentals
4 commands
Aliases: Microsoft Entra directory, tenant directory, identity directory, Azure AD directory
Quick peek
Open full term page
Databases
premium
Microsoft Entra authentication for SQL
Microsoft Entra authentication for SQL is the use of Microsoft Entra identities to authenticate to Azure SQL Database, SQL Managed Instance, or related SQL resources. Teams should manage it with clear ownership, monitoring, rollback evidence, and production change discipline.
Azure SQL identity
intermediate
4 commands
Aliases: Azure SQL Entra authentication, Azure AD authentication for SQL, SQL Entra auth
Quick peek
Open full term page
Identity
learning-path-anchor
System-assigned managed identity
A system-assigned managed identity lets one Azure resource authenticate without a stored password, client secret, or certificate managed by your app team. You turn it on for a resource such as a web app, function, virtual machine, data factory, or automation account. Azure creates an identity for that resource, and the resource can request...
Managed identities
intermediate
4 commands
Aliases: system assigned identity, resource managed identity, SystemAssigned identity, managed service identity
Quick peek
Open full term page
Identity
learning-path-anchor
Tenant ID
A tenant ID is the globally unique identifier for a Microsoft Entra tenant.
Microsoft Entra
fundamentals
4 commands
Aliases: Tenant ID, tenant id, Azure Tenant ID, Microsoft Entra tenant ID, directory ID, tenantId
Quick peek
Open full term page
Analytics
learning-path-anchor
Synapse workspace managed identity
A Synapse workspace managed identity is the workspace's own identity in Microsoft Entra ID. Instead of saving passwords, keys, or connection strings inside pipelines and notebooks, Synapse can use this identity to ask for tokens and reach trusted Azure resources. It is commonly used for Data Lake Storage, Key Vault, SQL, and linked service...
Synapse Analytics
intermediate
8 commands
Aliases: Synapse managed service identity, Synapse MSI, workspace system-assigned identity, Synapse workspace identity
Quick peek
Open full term page
Management and Governance
learning-path-anchor
Tenant deployment
A tenant deployment is a Resource Manager deployment executed at Microsoft Entra tenant scope.
ARM deployments
intermediate
5 commands
Aliases: Tenant deployment, tenant deployment, Azure Tenant deployment, tenant scope deployment, az deployment tenant, ARM tenant deployment
Quick peek
Open full term page
Management and Governance
learning-path-anchor
Tenant scope
Tenant scope is the highest Azure Resource Manager deployment and governance context tied to a Microsoft Entra tenant.
Management scopes
fundamentals
5 commands
Aliases: Tenant scope, tenant scope, Azure Tenant scope, tenant level scope, ARM tenant scope, targetScope tenant
Quick peek
Open full term page
Management and Governance
learning-path-anchor
Tenant root group
The tenant root group is the highest management group scope associated with a Microsoft Entra tenant.
Management groups
fundamentals
4 commands
Aliases: Tenant root group, tenant root group, Azure Tenant root group, root management group, root group
Quick peek
Open full term page
Identity
premium
Federated identity credential
A Federated identity credential is a Microsoft Entra credential object that defines the issuer, subject, and audience trusted for workload identity federation. Teams use it to allow a specific external workload identity to authenticate as an Entra application or user-assigned managed identity without storing a client secret or certificate. It is not a role assignment, token issued by Azure, user sign-in method, broad trust for every workflow in a repository, or evidence that the workload can access resources without RBAC.
Workload identity
intermediate
6 commands
Aliases: Microsoft Entra federated identity credential, FIC, workload identity credential, OIDC federation credential
Quick peek
Open full term page
Containers
premium
AKS managed identity
An AKS managed identity is a Microsoft Entra identity that an AKS cluster uses to manage Azure resources without stored service principal secrets.
AKS identity
Intermediate
5 commands
Aliases: Azure Kubernetes Service managed identity, aks managed identity
Quick peek
Open full term page
AI and Machine Learning
premium
Azure OpenAI managed identity
Azure OpenAI managed identity uses Microsoft Entra identities so Azure workloads can call model endpoints without stored keys.
Azure OpenAI
intermediate
5 commands
Aliases: No aliases yet
Quick peek
Open full term page
Integration
premium
Event Grid managed identity delivery
Event Grid managed identity delivery is the pattern where Event Grid uses a managed identity on a topic, domain, or system topic to authenticate event delivery to supported destinations. In Azure, it shows up when teams want to deliver events to Azure destinations without storing destination keys or embedding secrets in event subscription configuration. Teams use it to review system-assigned or user-assigned identity, Event Grid topic or domain identity settings, destination RBAC role assignments, delivery identity settings, dead-letter identity settings, and monitoring before changing production behavior.
Event routing
advanced
5 commands
Aliases: Event Grid managed identity event delivery, managed identity delivery for Event Grid
Quick peek
Open full term page
Containers
premium
Kubelet identity
Kubelet identity controls how AKS nodes authenticate to Azure resources for node-level tasks, especially pulling container images from registries without embedded secrets. Teams see it in aks identity profile, node pools. It is not cluster control-plane identity, workload identity, pod managed identity, service account token, kubeconfig credential, or container registry admin user; confusing them can create image pull failures, overbroad registry access. Use the term when reviewing access, monitoring, cost, recovery, or performance. It keeps architects, operators, security reviewers, and support teams focused on the same setting, resource, or behavior.
AKS identity
Intermediate
5 commands
Aliases: AKS kubelet identity, node pool kubelet identity, AKS node managed identity, identityProfile kubeletidentity
Quick peek
Open full term page
Integration
premium
Service Bus managed identity
Service Bus managed identity means using Microsoft Entra managed identities so Azure-hosted applications can access Service Bus without stored credentials. Applications receive RBAC roles such as Data Sender or Data Receiver, while Service Bus namespace identities may also be assigned for service-managed scenarios such as encryption configuration.
Service Bus
fundamentals
5 commands
Aliases: Service Bus identity-based access, Service Bus Entra authentication, managed identity for Service Bus, Service Bus secretless authentication, Service Bus RBAC identity
Quick peek
Open full term page
Analytics
premium
Data Factory managed identity
The Microsoft Entra identity assigned to a Data Factory so pipelines and linked services can access Azure resources without embedded passwords.
Data integration and orchestration
Intermediate
4 commands
Aliases: Data Factory managed identity, ADF managed identity, data factory managed identity
Quick peek
Open full term page
Internet of Things
premium
Device identity
A device identity is the IoT Hub identity registry entry that represents a permitted device or module, including its device ID, authentication material, status, and connection-related metadata.
IoT identity
fundamentals
4 commands
Aliases: IoT Hub device identity, IoT device registry identity, device registry entry, IoT device ID
Quick peek
Open full term page
Web
premium
Function app managed identity
Function app managed identity is a Microsoft Entra identity assigned to a function app so its code and supported bindings can access Azure resources without storing passwords or connection strings. Teams use it to replace secrets in app settings with identity-based access to services such as Storage, Service Bus, Key Vault, Event Hubs, SQL, or monitoring resources. In daily Azure work, it shows up when engineers grant a function app data-plane permissions, remove leaked connection strings, configure identity-based bindings, or investigate why a trigger cannot reach its dependency.
Azure Functions
intermediate
4 commands
Aliases: Azure Functions managed identity, managed identity for Functions, function app identity
Quick peek
Open full term page
Identity
premium
Identity Governance
Identity Governance is a Microsoft Entra set of capabilities for managing identity lifecycle, access lifecycle, access reviews, entitlement management, and privileged access.
Identity operations
intermediate
4 commands
Aliases: Entra ID Governance, identity governance, Identity Governance, Microsoft Entra Identity Governance
Quick peek
Open full term page
Identity
premium
Identity Protection
Identity Protection is a Microsoft Entra capability that detects, investigates, and helps remediate risky users and risky sign-ins.
Security
intermediate
4 commands
Aliases: Entra ID Protection, identity protection, Identity Protection, identity risk protection, Microsoft Entra ID Protection
Quick peek
Open full term page
Integration
premium
Logic Apps managed identity
A Logic Apps managed identity is the Microsoft Entra identity assigned to a Logic Apps workflow or Standard logic app resource so the workflow can authenticate to supported Azure resources without storing passwords, shared keys, or long-lived secrets in governed production environments.
Azure Logic Apps
intermediate
4 commands
Aliases: No aliases yet
Quick peek
Open full term page
Identity
premium
Managed identity
A managed identity is an automatically managed Microsoft Entra identity assigned to a supported Azure resource. It lets workloads authenticate to services that support Microsoft Entra authentication without storing passwords, certificates, or client secrets in code, configuration, or deployment pipelines.
Microsoft Entra workload identity
intermediate
3 commands
Aliases: Managed identity, system-assigned managed identity, user-assigned managed identity, Azure workload identity, secretless authentication, system-assigned identity, user-assigned identity, Microsoft Entra ID, Microsoft Entra workload identity
Quick peek
Open full term page
Security
premium
Managed identity for data access
Managed identity for data access is the pattern of using a managed identity to let a workload read or write data without embedded secrets. Teams use it when pipelines, applications, jobs, or analytics services need secure access to storage, databases, or other data services. In plain English, it gives operators a named control for least-privilege data access, reduced secret exposure, and cleaner audit trails instead of leaving the decision hidden in a portal setting, script, or deployment file. Treat it as production-ready only when the owner, dependencies, permission boundary, monitoring signal, and rollback evidence are clear.
Data access security
intermediate
3 commands
Aliases: Managed identity for data access, Microsoft Entra ID, Data access security
Quick peek
Open full term page
Identity
premium
Assignment managed identity
Assignment managed identity is the identity Azure Policy uses when a policy assignment must change resources during remediation. It matters most for effects such as modify and deployIfNotExists, where Policy is not just reporting non-compliance but attempting to fix or deploy something. The identity needs Azure RBAC permissions at the right scope. Without those.
Azure Policy
intermediate
2 commands
Aliases: Policy assignment identity, Azure Policy managed identity, policy remediation identity, assignment identity
Quick peek
Open full term page
Identity
verified
Workload identity
A workload identity is an identity assigned to software, such as an application, service, script, or container, so it can authenticate to Microsoft Entra protected resources. In Azure, examples include app registrations, service principals, managed identities, and federated workload identities.
Workload identity
fundamentals
6 commands
Aliases: No aliases yet
Quick peek
Open full term page
Containers
field-manual-complete
AKS workload identity
AKS workload identity lets a pod sign in to Azure as an approved identity without storing a password, client secret, or long-lived key inside the container. You connect a Kubernetes service account to a Microsoft Entra application or managed identity through federation. When the pod runs, Azure trusts the service account token from the cluster OIDC issuer and issues access tokens for allowed resources. The result is cleaner secret handling for applications running in AKS.
AKS Identity
intermediate
5 commands
Aliases: Microsoft Entra Workload ID for AKS, pod workload identity, AKS OIDC federation
Quick peek
Open full term page
Identity
field-manual-complete
Privileged Identity Management
Privileged Identity Management, usually called PIM, is the Microsoft Entra feature that keeps powerful access from being permanently active unless someone really needs it.
Access control
fundamentals
5 commands
Aliases: PIM
Quick peek
Open full term page
Identity
verified
Resource identity
A resource identity is the Azure identity a workload uses when it needs permission to call another service. Most teams see it as a system-assigned or user-assigned managed identity on a VM, App Service, Function, container app, automation account, or data service. Instead of storing a password or client secret, the resource receives a Microsoft Entra identity and uses tokens. Operators then grant that identity roles on Key Vault, Storage, SQL, Cosmos DB, or other dependencies.
Identity operations
fundamentals
5 commands
Aliases: Workload identity for a resource, Managed identity surface
Quick peek
Open full term page
Identity
field-manual-complete
User-assigned managed identity
A standalone managed identity that can be attached to one or more Azure resources.
Managed identities
fundamentals
5 commands
Aliases: UAMI, user managed identity, reusable managed identity
Quick peek
Open full term page
Compute
verified
VM system-assigned identity
VM system-assigned identity is a Microsoft Entra managed identity created directly on an Azure virtual machine. Azure manages its credentials, ties its lifecycle to that VM, and lets the guest request tokens for authorized Azure resources without storing secrets in code.
Virtual Machines
intermediate
5 commands
Aliases: VM system-assigned identity, vm system-assigned identity
Quick peek
Open full term page
Compute
verified
VM user-assigned identity
VM user-assigned identity is a reusable managed identity resource attached to a virtual machine so software on that VM can request Microsoft Entra tokens without stored credentials. Its lifecycle and permissions are managed separately from the VM across rebuilds and fleets.
Virtual Machines
intermediate
5 commands
Aliases: VM user-assigned managed identity, user-assigned managed identity for virtual machines, virtual machine user-assigned identity, managed identity attached to VM
Quick peek
Open full term page
Identity
verified
Workload identity federation
Workload identity federation lets an external workload exchange a trusted token for Microsoft Entra access tokens without storing long-lived secrets. Microsoft Entra validates the issuer, subject, and audience in a federated credential, then allows automation such as GitHub Actions, Kubernetes, or other platforms to access protected resources.
Identity operations
fundamentals
5 commands
Aliases: Federated workload identity, OIDC federation for workloads, Federated identity credential, Secretless workload authentication
Quick peek
Open full term page
Analytics
learning-path-anchor
Synapse Spark pool
A Synapse Spark pool is the workspace compute definition Azure Synapse uses to start Apache Spark sessions. It records node size, node count, autoscale behavior, runtime version, packages, and idle timeout so notebooks, Spark jobs, and pipelines get repeatable distributed processing.
Synapse Analytics
fundamentals
8 commands
Aliases: Apache Spark pool, Spark pool, Synapse Apache Spark pool, serverless Spark pool
Quick peek
Open full term page
Identity
premium
Federated credential
A Federated credential is a Microsoft Entra trust configuration that allows a workload to exchange a token from an external identity provider for an Entra access token without using a stored secret. Teams use it to let approved external workloads such as pipelines, automation systems, or Kubernetes workloads authenticate to Azure using signed tokens instead of long-lived client secrets. It is not a user password, general RBAC grant, certificate, managed identity by itself, or permission to access Azure resources without matching issuer, subject, audience, and role assignment controls.
Workload identity
intermediate
6 commands
Aliases: workload federated credential, OIDC credential, external identity federation credential, federated trust credential
Quick peek
Open full term page
AI and Machine Learning
premium
Foundry hub
A Foundry hub is a hub-style Microsoft Foundry resource used in selected scenarios to group AI projects with shared security, connections, data access, and governance settings. Teams use it to organize related AI projects that need common connections, managed identities, network controls, storage, security review, and platform governance across teams or application portfolios. It is not a whole Azure tenant, a model deployment by itself, a replacement for project-level permissions, or the required resource shape for every modern Foundry scenario.
Microsoft Foundry
intermediate
6 commands
Aliases: Azure AI Foundry hub, Foundry hub resource, hub-based project, AI hub
Quick peek
Open full term page
DevOps
premium
Service connection
Service connection is an Azure DevOps project resource that stores how a pipeline authenticates to Azure or another external service. In Azure Resource Manager connections, it can use workload identity federation, a managed identity, or a service principal so pipeline tasks can deploy safely.
CI/CD
fundamentals
6 commands
Aliases: Azure DevOps service connection, service endpoint, Azure Pipelines service connection, Azure RM service connection
Quick peek
Open full term page
Identity
premium
Service principal
A service principal is the local Microsoft Entra identity for an application or automation instance in a tenant. It represents the app for sign-in, consent, and authorization, and it can receive Azure RBAC roles or API permissions without using a human user account.
Azure identity
fundamentals
6 commands
Aliases: Microsoft Entra service principal, Service principal, application service principal, automation identity, service principal, service-principal
Quick peek
Open full term page
Identity
premium
Access package
An access package bundles resources someone may need for a job or project. Instead of asking separately for groups, apps, or sites, a user requests the package, and Entra applies approval, duration, review, and removal rules.
Identity operations
fundamentals
5 commands
Aliases: No aliases yet
Quick peek
Open full term page
Identity
premium
App registration
An app registration is the identity profile for an application, not the application code itself. It tells Microsoft Entra ID how the app is allowed to sign in users or request tokens. It contains values developers copy into configuration, such as client ID, tenant, redirect URI, credentials, and permissions. When sign-in breaks, consent fails, or tokens contain the wrong audience, the app registration is often where engineers look first. It is the contract between the app, Entra ID, administrators, and downstream APIs.
Applications
fundamentals
5 commands
Aliases: Microsoft Entra app registration, application registration
Quick peek
Open full term page
Identity
premium
B2B collaboration
Microsoft Entra B2B collaboration lets organizations invite external users and business partners to access applications and resources while keeping control of corporate data and access policies.
External identities
fundamentals
5 commands
Aliases: No aliases yet
Quick peek
Open full term page
Integration
premium
Event Grid domain
Event Grid domain is an Event Grid resource that provides one publishing endpoint for many related domain topics in a large or multi-tenant event solution. In Azure, it shows up when a platform needs to manage thousands of related topics, tenant-specific subscriptions, or application-specific event streams without creating unrelated standalone topics. Teams use it to review domain endpoint, domain topics, access keys or identity controls, event subscriptions, RBAC, filters, publishing application logic, metrics, and tenant ownership model before changing production behavior. It is not a DNS custom domain, Event Grid namespace custom hostname, single custom topic, or Service Bus namespace.
Event routing
advanced
5 commands
Aliases: Azure Event Grid domain, event domain
Quick peek
Open full term page
Integration
premium
Event Grid subject filter
An Event Grid subject filter is an event subscription filter that matches events by subject prefix, subject suffix, or both so only selected events are delivered. Teams use it to send only events with matching subject paths to a destination, such as one container, device group, tenant, department, or workflow. It is not the same as advanced filtering on data fields or a security boundary by itself. In production, confirm the source, subscription, destination, filters, schema, identity, retry behavior, failure handling, monitoring, and owner before treating the route as safe.
Event Grid
intermediate
5 commands
Aliases: subject begins with filter, subject ends with filter
Quick peek
Open full term page
Integration
premium
Event Hubs dedicated cluster
An Event Hubs dedicated cluster is a single-tenant Dedicated tier Event Hubs deployment that provides reserved capacity for enterprise-scale streaming workloads. Teams use it to run high-volume, low-latency event streaming workloads with isolated capacity instead of sharing a multitenant namespace tier. It is not a single event hub entity, a consumer group, a Kafka cluster you manage yourself, or a small development namespace. In production, confirm the namespace, event hub, partitions, identity, network path, consumer groups, checkpoints, metrics, owner, and rollback plan before treating the stream design as healthy.
Event Hubs
intermediate
5 commands
Aliases: Dedicated Event Hubs cluster, Event Hubs Dedicated tier cluster, Event Hubs cluster
Quick peek
Open full term page
Integration
premium
Event Hubs processing unit
An Event Hubs processing unit is reserved Premium tier capacity that provides isolated compute, memory, and storage resources for an Event Hubs namespace. Teams use it to size Premium Event Hubs workloads that need predictable streaming capacity, stronger tenant isolation, and room for busy producers and consumers. It is not a Standard throughput unit, a Dedicated capacity unit, a partition count, or an automatic guarantee that every consumer application will keep up. In production, confirm the namespace, event hub, partitions, identity, network path, consumer groups, checkpoints, metrics, owner, and rollback plan before treating the stream design as healthy.
Event Hubs
intermediate
5 commands
Aliases: processing unit, PU, Premium processing unit
Quick peek
Open full term page
Containers
premium
Image pull secret
Image pull secret is a Kubernetes secret that stores registry credentials so pods can pull private container images at deployment time.
Azure Container Registry
intermediate
5 commands
Aliases: Image pull secret, image pull secret, image-pull-secret
Quick peek
Open full term page
Security
premium
Key Vault
Azure Key Vault is a cloud service for storing and controlling access to secrets, keys, and certificates. It helps applications, administrators, and automation protect sensitive values with encryption, access control, logging, purge protection, private networking, and managed integration across Azure workloads.
Secrets and keys
Fundamentals
5 commands
Aliases: Key Vault, Azure Key Vault, vault, secrets store, certificate vault, secure secrets store, key vault resource
Quick peek
Open full term page
Security
premium
Key Vault access policy
Key Vault access policy controls which identities can read, write, list, delete, recover, sign, unwrap, or manage Key Vault objects when the vault uses policy-based access. Teams see it in key vault access policies blade, secret permissions. It is not Azure RBAC for Key Vault, a network firewall rule, a secret value, a certificate policy, or an application setting; confusing them can create overprivileged identities, broken secret retrieval. Use the term when reviewing access, monitoring, cost, recovery, or performance. It keeps architects, operators, security reviewers, and support teams focused on the same setting, resource, or behavior.
Secrets and keys
Intermediate
5 commands
Aliases: access policy, vault access policy, Key Vault policy permissions, data-plane access policy
Quick peek
Open full term page
Storage
premium
Trusted Microsoft services for storage
Trusted Microsoft services for Azure Storage are specific Azure services that Microsoft documents as eligible for storage firewall exceptions. Depending on the service, access may be based on tenant registration, supported operations, or managed identity authorization combined with Azure RBAC or Data Lake ACLs.
Storage platform
intermediate
5 commands
Aliases: trusted Azure services for Storage, storage trusted services list, Azure Storage trusted services, trusted services storage firewall
Quick peek
Open full term page
Analytics
learning-path-anchor
Synapse SQL on-demand
Synapse SQL on-demand is the serverless SQL pool model in Azure Synapse Analytics. It lets teams run T-SQL queries over data in the lake without provisioning dedicated warehouse capacity, storing only metadata objects while using external data sources, views, functions, and security objects.
Synapse Analytics
fundamentals
6 commands
Aliases: SQL on-demand, Synapse serverless SQL, serverless SQL in Synapse, built-in serverless SQL pool
Quick peek
Open full term page
Analytics
learning-path-anchor
Synapse Studio
Synapse Studio is the browser-based workspace experience for Azure Synapse Analytics. It exposes hubs for data, development, integration, monitoring, and management, letting users author notebooks and SQL scripts, build pipelines, configure connections, review access, and work with Git-backed or live artifacts.
Synapse Analytics
fundamentals
6 commands
Aliases: Azure Synapse Studio, Synapse web workspace, Synapse workspace UI, Synapse authoring experience
Quick peek
Open full term page
No glossary terms matched that search.
Try a service name, acronym, command group, or category such as RBAC , az group , App Service , Application Insights , Databases , or Azure AI Search .
Clear filters and show matches
Reset search