This guide is for professionals familiar with Microsoft Entra features like user management, role assignment, and conditional access. It systematically maps the core concepts, use cases, and key differences between Microsoft Entra and Alibaba Cloud Resource Access Management (RAM). This helps you locate equivalent features in multi-cloud scenarios and avoid misunderstandings caused by differing designs and terminology.
Why you need this guide
Alibaba Cloud RAM and Microsoft Entra differ significantly in terminology and architecture. If you are familiar with Azure's identity and access management system (Microsoft Entra) and now need to perform similar tasks on Alibaba Cloud, directly applying your Azure experience may lead to misunderstandings. For example:
In Azure, a "role" is a collection of permissions, whereas in Alibaba Cloud, a "RAM role" is an identity entity. The two concepts are fundamentally different.
Azure separates identity management from resource access control, while Alibaba Cloud RAM provides unified control.
Alibaba Cloud does not have the concept of a "service principal." Instead, programmatic identities are implemented using an AccessKey or through role assumption.
This guide provides systematic concept and scenario mapping to help you build a complete mental model for transitioning from Azure/Microsoft Entra to Alibaba Cloud access control.
In this guide
This guide contains the following topics:
Product mapping: Understand the mapping of core services between Azure and Alibaba Cloud and their differences in design philosophy.
Core concept mapping: Establish the terminology mapping between the two platforms for resource architecture, identity entities, and permission models, and understand their key differences.
Scenario guidance: Explore the Alibaba Cloud solutions that correspond to Azure/Microsoft Entra for common scenarios such as identity authentication, cross-tenant access, log auditing, and development integration.
Product mapping
Before diving into the details, let's establish a high-level overview. The following table lists the core services in the Microsoft Entra ecosystem and their Alibaba Cloud equivalents.
| Azure service | Alibaba Cloud service | Description |
|---|---|---|
| Microsoft Entra ID | Resource Access Management (RAM) | The core identity and access management service for each cloud platform. Provides features such as multi-factor authentication (MFA), single sign-on (SSO), application integration, and token issuance. For more information, see Identity authentication and application integration. |
| Azure RBAC | RAM policies | Alibaba Cloud RAM uses policies to centrally manage all resources within an account. For more information, see Permission concept mapping. |
| Microsoft Graph API | IMS, RAM, and STS APIs | APIs for managing identity entities, application access, and policy assignments. For more information, see Development and SDKs. |
| Microsoft Entra B2B collaboration | RAM role assumption (STS) | Provides cross-account/tenant access capabilities. For more information, see Cross-account/tenant access. |
Design philosophy differences
Both Azure and Alibaba Cloud provide identity and access management capabilities, but they use different architectural approaches:
Microsoft Entra ID is a dedicated service for identity and access management in Azure. An Entra ID tenant is a dedicated identity boundary for centrally organizing entities such as users, applications, and access policies. This boundary is independent of Azure resource subscriptions. This design facilitates unified identity governance in complex enterprise environments.
Alibaba Cloud integrates access control as a built-in feature of an Alibaba Cloud account. The Alibaba Cloud account serves as both an identity and a resource management boundary. RAM users, roles, and policies are all defined and effective within the scope of the account. This design makes the link between identities and resources more direct, enabling a rapid setup of access control systems.
Core concept mapping
This section systematically maps the terminology and key differences between the core concepts of the two platforms from the perspectives of resource architecture, identity entities, and permission models.
Resource management architecture
Both platforms use a hierarchical tree to organize resources, but the names and meanings of the levels differ.
| Azure concept | Alibaba Cloud concept | Level | Description |
|---|---|---|---|
| Tenant | Management account | Top-level container | The top-level management container for an enterprise. The management account is the owner of the entire Resource Directory and has full control over the Resource Directory, folders, and member accounts. The Root folder is the top-level node of the directory structure. |
| Management Group | Folder | Organizational unit | A hierarchical structure for organizing and managing multiple subscriptions/accounts. Both support nested sub-management groups/folders. |
| Subscription | Member account | Isolation boundary | A member account is logically equivalent to an Azure subscription and serves as a resource isolation boundary. |
| Resource Group | Resource group | Grouping unit | A container for resources. In Alibaba Cloud, a resource group is not used for resource lifecycle management. |
| Resource | Resource | Resource | A specific cloud resource, such as a virtual machine, storage, or database. |
Azure resource hierarchy
Azure uses a five-level hierarchy: tenant → management group → subscription → resource group → resource. The tenant acts as an identity boundary. Management groups are used for unified compliance control and logical organization across multiple subscriptions. A subscription is the basic unit for billing and resource isolation.
Alibaba Cloud resource hierarchy
Alibaba Cloud uses a hierarchy of management account → folder → member account → resource group → resource. The management account owns the Resource Directory. Folders are used to organize member accounts, and member accounts are the resource isolation boundaries.
Key differences
Identity vs. resource boundaries: A Microsoft Entra ID tenant is an independent identity boundary used to isolate identity-related data such as users, applications, and access policies. You cannot directly create Azure resources within a tenant. An Alibaba Cloud management account is essentially an Alibaba Cloud account and can create resources directly. However, in an enterprise context, it is not recommended to create business resources under the management account.
Optional Resource Directory: An Azure subscription must be associated with a tenant and must be part of the management group hierarchy. Alibaba Cloud's Resource Directory is an optional feature. The hierarchical structure of a management account and folders is available only after you enable Resource Directory. If Resource Directory is not enabled, an Alibaba Cloud account can be used as a standalone top-level container.
Identity concept mapping
The following table maps identity entity concepts between the two platforms.
| Microsoft Entra term | Alibaba Cloud RAM term | Entity type | Description |
|---|---|---|---|
| User | RAM user | Human identity | A RAM user is an identity entity within an account and cannot exist across accounts (unlike Entra ID guest users). |
| Service principal (client secret) | RAM user (AccessKey) | Programmatic identity | A RAM user can create an AccessKey for programmatic authentication. Using an AccessKey is similar to using a service principal's client secret. |
| Managed identity | RAM role | Programmatic identity | Enables workloads to access cloud resources without managing long-term credentials. The equivalent feature in Alibaba Cloud is implemented based on a RAM role. |
| Group | RAM user group | Grouping | A RAM user group is used only for batch authorization. |
| User or service principal granted the Global Administrator role | RAM user or RAM role granted super administrator permissions | Administrator | A RAM super administrator has full control over all resources (including identities) within the account. An Entra ID global administrator can only manage identities, not subscriptions. |
Key differences
Human identity design: Microsoft Entra ID strictly separates human and programmatic identities. Its user entity is specifically designed for natural persons, such as internal employees or external partners. In contrast, an Alibaba Cloud RAM user is a general-purpose identity. Its use case is determined by the configured credentials: it acts as a human identity when configured with a console login password, and as a programmatic identity when it has an AccessKey.
Programmatic identity design: An Entra ID service principal is an entity specifically designed for application authentication. Features like application registration, enterprise applications, and managed identities all rely on service principals. Alibaba Cloud, however, does not have a separate identity type for programs. Both RAM users and RAM roles can be used by programs or services. A program can use a RAM user's AccessKey as a long-term access credential, or it can temporarily assume a RAM role to obtain more secure, short-term access permissions.
Permission concept mapping
The following table maps permission management concepts between the two platforms.
| Azure/Microsoft Entra term | Alibaba Cloud RAM term | Description |
|---|---|---|
| Role | Policy | A collection of permissions that defines what actions an identity can perform. |
| Role assignment | Authorization (attaching a policy) | Associates a policy with an identity entity. |
| Built-in role | System policy | A collection of permissions predefined by the cloud provider. |
| Custom role | Custom policy | A collection of permissions defined by the user based on their needs. |
| Conditional Access | Policy condition (Condition element) | Condition-based access control, such as source IP restrictions or MFA requirements. |
Key differences
Semantic differences between roles and policies
In Azure/Microsoft Entra, a role represents a collection of permissions and serves as a container for permissions, not an identity. In Alibaba Cloud RAM, a RAM role is a type of identity that must be assumed by another identity and granted a policy before it can perform actions. The concept of a role in Entra ID corresponds to a policy in Alibaba Cloud RAM.
Differences in policy scope
The Microsoft ecosystem splits permissions: Entra RBAC roles are specifically for controlling access to resources within the Entra tenant (such as users, groups, and service principals), whereas control over cloud resources (such as virtual machines and storage) is handled by Azure RBAC. In contrast, Alibaba Cloud uses a unified management model. The scope of a RAM policy covers all services and resources under a single cloud account.
In addition, a RAM policy offers a high degree of flexibility in authorization granularity. It supports control at the service level, at the individual action level, and down to the individual resource level.

Note: The level of permission control granularity varies among Alibaba Cloud services. For details on the authorization granularity supported by each cloud service, see Alibaba Cloud services that support RAM.
Scenarios
Based on the architectural and conceptual differences described earlier, this section maps specific solutions between Microsoft Entra and Alibaba Cloud for common scenarios such as identity authentication, cross-account access, log auditing, and development integration.
Identity authentication and application integration
Both platforms provide capabilities for multi-factor authentication, enterprise single sign-on, and application integration, but there are differences in their design and implementation.
| Microsoft Entra | Alibaba Cloud | Use case | Description |
|---|---|---|---|
| User/group management | RAM user/user group management | Manage users/groups | Manage users and user groups, such as creating, deleting, and modifying attributes. |
| Microsoft Entra multifactor authentication | RAM MFA | Multi-factor authentication | RAM supports various MFA methods, including virtual MFA (corresponding to Entra's Software OATH tokens), passkeys, security mobile phones (corresponding to Entra's SMS), and security emails. |
| Federated identity providers | RAM SSO (user SSO and role SSO), CloudSSO | Identity federation | Alibaba Cloud supports both user SSO and role SSO modes for integration with an enterprise IdP. CloudSSO is suitable for multi-account scenarios within a Resource Directory. |
| Enterprise applications | RAM OAuth applications, IDaaS | Enterprise SSO | OAuth application management provides authorization integration for scenarios involving Alibaba Cloud services. Alibaba Cloud IDaaS acts as an independent identity provider (IdP) for enterprise application integration. |
| Microsoft Entra Connect | - | Account synchronization | Synchronize on-premises enterprise identities to the cloud. |
| Microsoft identity platform token endpoint | STS and OAuth service | Credential token service | Alibaba Cloud STS is used to issue temporary security credentials in role assumption scenarios. The OAuth service is used to issue access tokens for OIDC/OAuth applications. |
Key differences
Identity federation
Entra ID can act as an identity provider (IdP) to integrate with enterprise or SaaS applications for unified authentication. It can also act as a service provider (SP) to trust and connect with ADFS or other third-party IdPs. In contrast, Alibaba Cloud RAM primarily acts as a service provider (SP) to trust and integrate with an enterprise's existing IdP.
Token services
Microsoft Entra and Alibaba Cloud RAM have distinct differences in their token issuance architectures. Entra ID uses a unified token distribution service that natively supports OAuth 2.0 and OIDC protocols. All identity entities (users, applications, service principals) obtain JWT-formatted access tokens through this single endpoint. Alibaba Cloud RAM, on the other hand, provides two relatively independent token services:
STS service: Responsible for issuing temporary security credentials (STS tokens) in role assumption or role SSO scenarios.
OAuth service: Used to issue JWT-formatted access tokens for official tools (like Alibaba Cloud CLI) and OIDC/OAuth applications registered in RAM.
Cross-account/tenant access
Both platforms support cross-account access scenarios (known as cross-tenant in Entra ID), but they use different implementation mechanisms.
| Microsoft Entra | Alibaba Cloud | Use case | Description |
|---|---|---|---|
| B2B collaboration (guest users) | RAM role assumption | Cross-account access for enterprise users | In Alibaba Cloud, this is primarily achieved by assuming a RAM role in the target account. |
| Multi-tenant applications | STS AssumeRole | Cross-account access for enterprise applications | Entra ID supports registering applications as multi-tenant. Alibaba Cloud uses STS AssumeRole to get a temporary security credential. |
| Microsoft Entra External ID (B2C) | - (IDaaS CIAM) | Application access for consumer users | RAM does not provide this feature. Use Alibaba Cloud IDaaS CIAM instead. |
Key differences
In Entra ID, cross-tenant access primarily relies on the B2B collaboration mechanism. The target tenant needs to invite an external user as a guest and add them to its directory, then assign application or resource access roles.
In Alibaba Cloud, cross-account access is achieved through role assumption, which does not require creating any identity entity in the target account. A program or user can obtain a temporary security credential by calling the STS service (using interfaces such as AssumeRole, AssumeRoleWithSAML, or AssumeRoleWithOIDC) to dynamically assume the identity of a RAM role in the target account to access resources.
In addition to the general solution of RAM role assumption, Alibaba Cloud also provides resource-based cross-account authorization mechanisms (such as configuring an OSS Bucket Policy or using Resource Sharing) as supplementary solutions for specific products.
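The role-assumption flow described above, as an added example that is not Alibaba Cloud's own code: the caller in the source account never receives an identity in the target account; it calls STS AssumeRole with the target role's ARN and gets back a short-lived credential set (AccessKey ID, AccessKey secret, security token, expiration) that it uses for subsequent calls. The real STS call goes through the alibabacloud_sts20150401 SDK and is injected as a parameter so the parsing and refresh logic can be exercised offline; the role ARN, account ID and session name are constructed placeholders, and the RoleSessionName and DurationSeconds limits checked here are assumptions recorded in the comments.

```python
"""Cross-account access via STS AssumeRole (added example, not Alibaba Cloud's code)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed RoleSessionName rule: 2-64 characters from letters, digits, '.', '@', '-', '_'.
_SESSION_NAME = re.compile(r"^[A-Za-z0-9.@_-]{2,64}$")
# Assumed DurationSeconds bounds; the effective maximum is the role's MaxSessionDuration.
_MIN_DURATION, _MAX_DURATION = 900, 43200


@dataclass(frozen=True)
class TemporaryCredentials:
    """The credential set STS returns; no long-term secret ever leaves account A."""
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime

    def expires_within(self, seconds: int, now: Optional[datetime] = None) -> bool:
        """True when the set should be refreshed (re-assumed) instead of reused."""
        now = now or datetime.now(timezone.utc)
        return self.expiration - now <= timedelta(seconds=seconds)


def _sdk_assume_role(role_arn: str, session_name: str, duration_seconds: int) -> dict:
    """Real STS call. Imported lazily so the module loads without the SDK installed.

    The caller's own credentials come from the default credential chain of the
    Alibaba Cloud Credentials library (for example the ALIBABA_CLOUD_ACCESS_KEY_ID
    and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables).
    """
    from alibabacloud_credentials.client import Client as CredentialClient
    from alibabacloud_sts20150401 import models as sts_models
    from alibabacloud_sts20150401.client import Client as StsClient
    from alibabacloud_tea_openapi import models as open_api_models

    config = open_api_models.Config(credential=CredentialClient())
    config.endpoint = "sts.aliyuncs.com"
    body = StsClient(config).assume_role(sts_models.AssumeRoleRequest(
        role_arn=role_arn,
        role_session_name=session_name,
        duration_seconds=duration_seconds,
    )).body
    return {
        "AccessKeyId": body.credentials.access_key_id,
        "AccessKeySecret": body.credentials.access_key_secret,
        "SecurityToken": body.credentials.security_token,
        "Expiration": body.credentials.expiration,   # e.g. "2030-01-01T00:00:00Z"
    }


def assume_cross_account_role(role_arn: str, session_name: str,
                              duration_seconds: int = 3600,
                              sts_call=_sdk_assume_role) -> TemporaryCredentials:
    """Assume a RAM role in another account and return its temporary credentials.

    The session name is what ActionTrail records in the target account, so
    make it identify the caller (person or workload) for audit purposes.
    """
    if not _SESSION_NAME.match(session_name):
        raise ValueError("RoleSessionName must be 2-64 chars of [A-Za-z0-9.@_-]")
    if not _MIN_DURATION <= duration_seconds <= _MAX_DURATION:
        raise ValueError(f"DurationSeconds must be in [{_MIN_DURATION}, {_MAX_DURATION}]")
    raw = sts_call(role_arn=role_arn, session_name=session_name,
                   duration_seconds=duration_seconds)
    expiration = datetime.strptime(raw["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return TemporaryCredentials(
        access_key_id=raw["AccessKeyId"],
        access_key_secret=raw["AccessKeySecret"],
        security_token=raw["SecurityToken"],
        expiration=expiration.replace(tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    # Constructed placeholder ARN: account 123456789012 is the target account.
    creds = assume_cross_account_role("acs:ram::123456789012:role/cross-account-reader",
                                      "auditor@example")
    print(creds.access_key_id, creds.expiration.isoformat())
```

Contrast with the Entra B2B flow: no guest object is created in the target account, so there is nothing to clean up when access should end; access stops as soon as the role's trust policy no longer names the caller or the temporary credentials expire.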
Logging and auditing
Both platforms provide comprehensive operational auditing and logging capabilities.
| Microsoft Entra | Alibaba Cloud | Description |
|---|---|---|
| Microsoft Entra audit logs (with Azure activity logs) | ActionTrail | Both are used to track console and API operations. ActionTrail is a separate service in Alibaba Cloud, not a built-in feature of RAM. |
| Microsoft Entra sign-in logs | ActionTrail (sign-in events) | In Alibaba Cloud, console sign-in events are recorded in ActionTrail logs. There is no separate sign-in log service. |
| Diagnostic settings (Log Analytics workspace) | ActionTrail trails | Both are used to configure long-term storage and analysis of logs. |
Key differences
Log categorization: Entra ID separates sign-in logs from audit logs to quickly distinguish authentication behavior from administrative actions during security tracing. In contrast, Alibaba Cloud uses a centralized management model, consolidating identity authentication events like console sign-ins into the ActionTrail service.
Audit scope mapping: Entra ID audit logs focus solely on the identity side, recording operations on directory objects within the tenant (such as users, groups, and applications). Operations on cloud resources are recorded by Azure activity logs. Therefore, in terms of concept mapping, the combination of Entra ID audit logs and Azure activity logs corresponds to Alibaba Cloud's ActionTrail, which covers both RAM identity operations and global cloud resource operations.
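Because ActionTrail carries sign-in events, RAM identity operations and cloud resource operations in one stream, a team used to Entra's separate sign-in, audit and activity logs usually rebuilds that split on the consumer side. The added example below (not Alibaba Cloud's own code) classifies ActionTrail events into those three categories and flags direct root-account use. The records are constructed samples that follow ActionTrail's field names (eventType, eventName, serviceName, userIdentity, sourceIpAddress, eventTime); the values and the set of identity-side service names are assumptions made here.

```python
"""Re-creating the Entra log split from ActionTrail events (added example)."""
from collections import Counter

# Services whose operations act on identities rather than resources (assumption).
IDENTITY_SERVICES = {"ram", "ims", "sts"}

# Constructed sample events; field names follow ActionTrail, values are illustrative.
SAMPLE_EVENTS = [
    {"eventId": "e1", "eventTime": "2024-05-01T08:00:01Z", "eventType": "ConsoleSignin",
     "eventName": "ConsoleSignin", "sourceIpAddress": "203.0.113.10",
     "userIdentity": {"type": "ram-user", "userName": "alice", "accountId": "123456789012"}},
    {"eventId": "e2", "eventTime": "2024-05-01T08:01:12Z", "eventType": "ApiCall",
     "serviceName": "Ram", "eventName": "CreateUser", "sourceIpAddress": "203.0.113.10",
     "userIdentity": {"type": "ram-user", "userName": "alice", "accountId": "123456789012"}},
    {"eventId": "e3", "eventTime": "2024-05-01T08:02:30Z", "eventType": "ApiCall",
     "serviceName": "Ecs", "eventName": "DescribeInstances", "sourceIpAddress": "10.0.0.7",
     "userIdentity": {"type": "assumed-role", "userName": "ci-runner", "accountId": "123456789012"}},
    {"eventId": "e4", "eventTime": "2024-05-01T08:03:05Z", "eventType": "ApiCall",
     "serviceName": "Sts", "eventName": "AssumeRole", "sourceIpAddress": "10.0.0.9",
     "userIdentity": {"type": "ram-user", "userName": "bob", "accountId": "123456789012"}},
    {"eventId": "e5", "eventTime": "2024-05-01T08:04:44Z", "eventType": "ConsoleOperation",
     "serviceName": "Ecs", "eventName": "DeleteInstance", "sourceIpAddress": "198.51.100.4",
     "userIdentity": {"type": "root-account", "userName": "root", "accountId": "123456789012"}},
]


def classify(event: dict) -> str:
    """Map one ActionTrail event onto the Entra-side log it would land in.

    signin   -> Entra sign-in logs
    identity -> Entra audit logs (directory/identity operations)
    resource -> Azure activity logs (cloud resource operations)
    """
    if event.get("eventType") in ("ConsoleSignin", "ConsoleSignout"):
        return "signin"
    if event.get("serviceName", "").lower() in IDENTITY_SERVICES:
        return "identity"
    return "resource"


def summarize(events) -> dict:
    """Count events per category and list which principals performed identity operations."""
    counts = Counter(classify(e) for e in events)
    identity_actors = sorted({e["userIdentity"]["userName"] for e in events
                              if classify(e) == "identity"})
    return {"counts": dict(counts), "identity_actors": identity_actors}


def root_account_events(events) -> list:
    """Event IDs where the account's root identity acted directly.

    On the Alibaba Cloud side the account itself can create and delete
    resources, so root usage is worth alerting on; there is no Entra
    equivalent because a tenant cannot hold resources.
    """
    return [e["eventId"] for e in events
            if e["userIdentity"].get("type") == "root-account"]


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    print("root-account events:", root_account_events(SAMPLE_EVENTS))
```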
Development and SDKs
Both platforms provide comprehensive development tools and SDKs.
| Microsoft Entra | Alibaba Cloud RAM | Use case | Description |
|---|---|---|---|
| Microsoft identity platform (app registrations) | RAM OAuth applications | OAuth/OIDC application integration | Both can be used to build OAuth/OIDC applications and integrate with the cloud authentication platform. |
| Microsoft Graph API | IMS, RAM, and STS APIs | API calls | Both provide full lifecycle management for identity entities (such as users and groups), application access, and policy assignment. |
| Azure Identity library | Alibaba Cloud Credentials (credentials provider) module | Identity authentication SDK | The credentials provider module in the Alibaba Cloud SDK provides credential management features. Both support a credential chain. |
| MSAL | - | Authentication library | Authentication libraries like MSAL help developers integrate applications with the Microsoft Identity Platform. Alibaba Cloud lacks a corresponding authentication library; you must use a third-party OAuth/OIDC library. |
Note: Only some Alibaba Cloud OpenAPI operations currently support calls that authenticate with an access token (Bearer Token); the rest require an AccessKey or STS credential. For details, see Credentials. In contrast, all Azure REST API and Microsoft Graph operations are called with access tokens issued by the Entra token service.
Key differences
API architecture design: Microsoft Entra uses a single global entry point. All calls related to identities, applications, and policies use the Microsoft Graph API. In contrast, Alibaba Cloud RAM uses a design that divides functions into modules, using the following three independent API endpoints for different scenarios:
IMS (Identity Management Service): Manages the lifecycle of identity entities (such as users and groups), SSO configuration, and OAuth application management.
RAM (Resource Access Management service): Handles policy management and authorization configuration.
STS (Security Token Service): Facilitates role assumption and issues temporary security credentials.