
Entra ID concepts

This page describes core concepts and glossary for Entra ID.

Tenants

A tenant represents an organization in Entra ID. Each tenant has its own separate sets of applications, users and groups.

An application in one tenant cannot interact with applications in other tenants.

To log in to a tenant, you must use an account specific to that tenant. This is indicated by the domain name of the account, which is the part after the @ symbol.

See the tenants reference for a list of available tenants.

Client ID

An Entra ID client has its own ID that uniquely identifies the client within a tenant, and is used in authentication requests to Entra ID.

Your application's Entra ID client ID is available at runtime as an environment variable.

You should generally not hard code or otherwise depend on the client ID of other applications.

Client Name

An Entra ID client has an associated name within a tenant.

All clients provisioned through NAIS will be registered in Entra ID using the following naming scheme:

<cluster>:<namespace>:<app-name>

For example:

dev-gcp:aura:nais-testapp

The name is not guaranteed to be unique and should not be used for authorization. If you want to unambiguously identify a client, use its client ID instead.

Scopes

A scope is a parameter that is set when requesting a token. The term scope in this case is synonymous with permission.

Generally, we use it to indicate the intended audience (the target or recipient) of the requested token. The audience is found in the aud claim in the JWT returned from Entra ID. Its value should be equal to the recipient's unique client ID.

If you're requesting a token to consume another application, you must use the /.default scope. The scope has the following format:

api://<cluster>.<namespace>.<app-name>/.default

For example:

api://dev-gcp.aura.nais-testapp/.default

The /.default scope indicates that your application is requesting all available permissions granted by the target application.

Groups

A group in Entra ID is a collection of users. The group itself can be granted access to applications.

Group Identifier

Each group is identified by its object ID, which is immutable and unique.

The group name is not unique and should never be used by itself for authorization purposes.

In other words, two groups within the same tenant with the exact same name will have different object IDs. Groups with the same name will also have different IDs across different tenants.
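As an added example (not code from the NAIS documentation or platform), the following Python puts the rules from the Scopes and Group Identifier sections into code: it derives the /.default scope from a client name, and it authorizes a caller by checking the aud claim against the application's own client ID and the caller's group membership by object ID, never by group name. The claim name `groups`, the sample IDs and the assumption that the token's signature has already been verified are all assumptions for this example.

```python
import re

# Constructed sample values for this example; not real NAIS clients or groups.
MY_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
ALLOWED_GROUP_IDS = {"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}

# NAIS client names follow <cluster>:<namespace>:<app-name>.
CLIENT_NAME_RE = re.compile(
    r"^(?P<cluster>[a-z0-9-]+):(?P<namespace>[a-z0-9-]+):(?P<app>[a-z0-9-]+)$"
)


def default_scope(client_name: str) -> str:
    """Map a client name '<cluster>:<namespace>:<app-name>' to the scope
    'api://<cluster>.<namespace>.<app-name>/.default' used to request a
    token for that application."""
    m = CLIENT_NAME_RE.match(client_name)
    if not m:
        raise ValueError(f"not a NAIS client name: {client_name!r}")
    return f"api://{m['cluster']}.{m['namespace']}.{m['app']}/.default"


def authorize(claims: dict,
              my_client_id: str = MY_CLIENT_ID,
              allowed_group_ids: set = ALLOWED_GROUP_IDS) -> bool:
    """Decide whether a caller is authorized, given the payload of a token
    whose signature has already been verified (assumed, not shown here).

    Two checks, both taken from the concepts above:
      1. aud must equal our own client ID, so a token issued for another
         application is rejected even if it comes from the same tenant.
      2. Group membership is compared by immutable object ID. Group display
         names are not unique and are never consulted.
    """
    aud = claims.get("aud")
    # aud is normally a single string but may be a list; handle both.
    audiences = aud if isinstance(aud, list) else [aud]
    if my_client_id not in audiences:
        return False

    # Assumption: the token carries a 'groups' claim listing group object IDs.
    groups = claims.get("groups", [])
    return any(group_id in allowed_group_ids for group_id in groups)
```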

Group Management

There are primarily two ways to create and manage groups in Entra ID:

  1. Self-service through Microsoft at https://mygroups.microsoft.com, or
  2. "Identrutina" - consult the #identrutina Slack channel for assistance. You will also have to ask for the group to be synchronized to Entra ID.

Finding the group identifier

You can find the object ID for a given group in two ways.

First, make sure that you're logged in with an account with a domain that matches one of the tenants. Then, do one of the following:

  1. If you either own or are a direct member of the group, visit https://mygroups.microsoft.com and find the desired group.

    Browsing the detailed view for the group should reveal the ID in the address bar within the query parameter objectId.

  2. Otherwise, visit the Groups view in the Entra ID Portal: https://portal.azure.com/#view/Microsoft_AAD_IAM/GroupsManagementMenuBlade/~/AllGroups

    You should be able to search and filter the list of groups.

    Consult the #tech-azure Slack channel for assistance if you do not have access to this page. Check the pinned/bookmarked posts first.