Identity management: Active Directory and Entra ID from a Service Desk perspective
What everyday work with user accounts looks like and why IAM is crucial for corporate security and operations.
With my transition to an IT Service Desk, a completely new chapter began for me. Before I started here, I knew what a user account was, but I didn’t realize at all what happens in the background when a new user joins the company, forgets their password, or moves to another position. At the heart of all this are the Identity and Access Management (IAM) tools, typically Active Directory (AD) and its cloud brother Microsoft Entra ID (formerly known as Azure Active Directory).
And working with user identities represents one of the main pillars of IT support, without which the enterprise environment would collapse.
The traditional pillar: Active Directory (On-Premise)
Think of Active Directory as a huge corporate “phone and key” directory. When a user sits down at their computer and enters their name and password, verification is usually handled by a server running locally on the company network (a so-called Domain Controller) using Active Directory.
What I deal with most often from a Service Desk perspective regarding AD:
- Password Resets & Account Unlocks: An absolute classic. The user “definitely entered the correct password several times,” the account is locked for security reasons, and my job is to unlock it.
- User Creation and Deactivation (Offboarding): When someone leaves, their account must be shut down to the last access. In AD this means not only disabling the account itself, but also removing it from its groups, cancelling its email, and moving it to the correct Organizational Unit (OU), called DisabledUsers. Speed and accuracy are the alpha and omega here from a security point of view.
- Management of distribution and security groups: Should Joe from marketing have access to the “Invoicing” shared drive? If so, he must be added to the correct security group in AD.
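The offboarding steps listed above (disable, strip group memberships, move to the DisabledUsers OU), written out as a PowerShell function for the ActiveDirectory module. This is an added example, not a script from the original post; the domain DN and the OU path are assumptions, and the mailbox step is left out because it lives in Exchange, not AD.

```powershell
# Added example: AD offboarding in the order the post describes.
# Assumptions (constructed): domain DC=corp,DC=example and a DisabledUsers OU
# directly under the domain root. Run with -WhatIf first to see what would change.
Import-Module ActiveDirectory

function Disable-OffboardedUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DisabledOu = 'OU=DisabledUsers,DC=corp,DC=example',  # assumption
        [switch] $WhatIf
    )
    # Fail loudly if the account does not exist instead of continuing on $null.
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf -ErrorAction Stop

    # 1. Disable first: this is the step that actually stops new logons.
    Disable-ADAccount -Identity $user -WhatIf:$WhatIf

    # 2. Record the memberships before removing them, so the ticket documents
    #    what access was revoked and it can be restored if HR reverses the leave.
    $groups = $user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }
    $stamp = "Offboarded $(Get-Date -Format 'yyyy-MM-dd') by $env:USERNAME; groups: $($groups -join ', ')"
    Set-ADUser -Identity $user -Description $stamp -WhatIf:$WhatIf

    # 3. Remove every group membership. The primary group (Domain Users) is not
    #    listed in MemberOf and stays; it carries no share or app access by itself.
    foreach ($dn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false -WhatIf:$WhatIf
    }

    # 4. Move the object out of the production OUs into DisabledUsers.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu -WhatIf:$WhatIf

    # Return a summary object so the result can be pasted into the ticket.
    [pscustomobject]@{
        User          = $SamAccountName
        RemovedGroups = $groups
        MovedTo       = $DisabledOu
    }
}

# Dry run against a constructed account name:
Disable-OffboardedUser -SamAccountName 'jdoe' -WhatIf
```

One caveat worth checking before the move: if Entra Connect filters by OU and DisabledUsers is outside the sync scope, the cloud object is deleted rather than disabled, so confirm the OU is in scope if the disabled identity should remain visible in Entra ID.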
Cloud evolution: Microsoft Entra ID
While AD rules the company’s local network and desktop computers, Entra ID manages everything in the cloud (Office 365, Teams, SharePoint, as well as thousands of third parties via Single Sign-On).
In modern enterprises (including the one where I work), these two systems continually synchronize identities (via Entra Connect). If I block a user on a local server in a branch office, Entra ID registers this within a few moments and automatically revokes their access to the corporate OneDrive as well.
What is specific to support in Entra ID:
- Assigning O365 licenses: Entra ID is the place to decide whether a user is entitled to Visio, or whether we should even turn on corporate Teams for them.
- MFA (Multi-Factor Authentication) management: A user loses a corporate mobile phone, or does a “factory reset” on the old one and gets a new one without migrating the Authenticator app. Their MFA methods then have to be reset in Entra ID so that the person can log into the company again at all. Here we always verify exactly against HR and the manager, because simply turning off MFA smells of a huge security risk (social engineering).
- Enforcing modern security policies (Conditional Access): As an L1 Service Desk we no longer go into the depths of the configuration rules here, but through the Entra ID sign-in logs we can clearly trace why a user failed to access system “A” from their home network; the log shows exactly which policy did not give them the green light, for instance because of insufficient device security (Intune compliance).
Why do I even enjoy it?
Although Active Directory and Entra ID are often presented as little more than “lists and folders,” they lie at the very center of the IT infrastructure. I have gained immense respect for them, and thanks to this, I understand the essence of security certifications. Managing identities means managing the entire trust in IT systems: who we are, what we are allowed to do, and with what. As a huge bonus, through AD and Entra ID one learns perfectly how to understand the organization of a given company, how different processes communicate, and where they connect.