AZ-305 | Chapter 1 of 103 | Objective 1.1

Designing Identity Solutions

This chapter covers designing identity solutions for Azure, a critical domain for the AZ-305 exam. Identity governance ensures that the right people have the right access to the right resources at the right time, and that you can prove it afterwards. Identity questions fall under the exam's 'Design identity, governance, and monitoring solutions' domain, one of its four skill areas, so expect them in most question sets. You will learn how to design identity management, authentication, authorization and governance using Azure Active Directory (Azure AD), Privileged Identity Management (PIM) and related services. Note that Microsoft renamed Azure AD to Microsoft Entra ID in 2023; older documentation and this chapter still use the Azure AD name, and the features described are the same.

25 min read
Intermediate
Updated May 31, 2026

Identity Governance as a Library Card System

Think of an organization as a public library. Patrons (users) need library cards (identities) to borrow books (access resources). The library issues cards based on proof of identity (identity verification). Each card has an expiration date (credential lifecycle). The library has a catalog (Azure AD) listing all patrons and their borrowed books. A librarian (identity governance) periodically reviews who has what books and revokes cards if patrons have left town (automated access reviews). If a patron loses a card, the library issues a new one with a new number (password reset/self-service). The library also has a policy: only patrons with a 'research' card can access rare books (Privileged Identity Management). Security cameras (audit logs) monitor who enters special collections. This system ensures only authorized patrons access resources, and the librarian can prove compliance with library board regulations (audit reports).

How It Actually Works

What is Identity Governance?

Identity governance is the process of managing and controlling digital identities and their access to resources. It encompasses identity lifecycle management, access certification, and privileged access management. Azure AD provides the foundation for identity governance in Azure.

Why Identity Governance Matters

Organizations need to ensure that only authorized users have access to sensitive data and systems. Regulatory compliance (e.g., GDPR, HIPAA, SOX) requires strict access controls and audit trails. Identity governance helps prevent security breaches, insider threats, and data leaks. The AZ-305 exam tests your ability to design identity solutions that meet these requirements.

Core Components of Azure AD Identity Governance

Azure AD: The cloud-based identity and access management service. It provides authentication (sign-in) and authorization (access to resources).

Azure AD B2B (Business-to-Business): Allows external users (partners, vendors) to access your resources using their own identities.

Azure AD B2C (Business-to-Consumer): For customer-facing applications, allowing users to sign in with social or local accounts.

Azure AD Domain Services: Provides managed domain services (domain join, group policy, LDAP, Kerberos and NTLM authentication) for workloads that need classic AD protocols, without you deploying or patching domain controllers.

Privileged Identity Management (PIM): Manages, controls, and monitors access to privileged roles in Azure AD, Azure, and other Microsoft Online Services.

Entitlement Management: Automates access request workflows, access reviews, and assignment of access packages.

Access Reviews: Periodic reviews of group memberships, application access, and role assignments to ensure only the right people have access.

Identity Protection: Detects and remediates identity-based risks using machine learning.

Conditional Access: Enforces policies to control access based on signals like user location, device, and risk level.

How Azure AD Authenticates Users

1. The user attempts to sign in to an application.

2. The application redirects the browser to the Azure AD authorization endpoint for the tenant (e.g., https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize).

3. Azure AD presents the sign-in page and the user enters credentials.

4. Azure AD validates the credentials against its directory (or, in hybrid setups, through the pass-through authentication agents or the federation server). If a Conditional Access policy requires it, the user is prompted for a second factor.

5. If authentication succeeds, Azure AD issues an ID token, a signed JWT carrying claims about the user (object ID, tenant ID, name, any app roles), and, if the application asked for API access, an access token.

6. The application validates the token before trusting it: the signature against the tenant's published signing keys, the issuer (which embeds the tenant ID), the audience (its own client ID) and the validity window. Only then does it establish a session.
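Step 6 is where application-side mistakes happen, so here is the validation spelled out as an added example (not code from the original page). A real app verifies the RS256 signature against the tenant's published signing keys (the JWKS document under https://login.microsoftonline.com/{tenant-id}/discovery/v2.0/keys); to stay offline this example substitutes HS256 with a constructed shared secret, and the tenant ID, client ID and user claims are constructed too. The claim checks are the part that matters for the design: a token from another tenant, or for another app in the same tenant, is validly signed and must still be rejected.

```python
"""Validating an Azure AD / Microsoft Entra ID ID token before trusting it (added example).

HS256 with a constructed secret stands in for RS256 against the tenant JWKS so this runs
offline; every other check is what a production validator must do.
"""
import base64
import hashlib
import hmac
import json

TENANT_ID = "11111111-2222-3333-4444-555555555555"      # constructed tenant id
CLIENT_ID = "0a0a0a0a-1b1b-2c2c-3d3d-4e4e4e4e4e4e"      # constructed application (client) id
SIGNING_SECRET = b"constructed-stand-in-for-tenant-signing-key"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
CLOCK_SKEW = 300          # seconds of tolerance on exp/nbf
NOW = 1_800_000_000       # fixed "current time" so the example is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, alg: str = "HS256", signed: bool = True) -> str:
    """Construct a compact JWT; only used to build sample inputs for the validator."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": alg}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest() if signed else b""
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token: str, now: int = NOW) -> dict:
    """Return the claims if the token is acceptable for THIS app in THIS tenant, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    # Pin the algorithm: honouring the header's alg lets an attacker downgrade to "none".
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_unb64url(payload_b64))
    # iss and tid bind the token to our tenant; a validly signed token from another tenant
    # (multi-tenant app registrations receive these) must not be accepted.
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("tid") != TENANT_ID:
        raise ValueError("token was issued by another tenant")
    # aud binds it to our app registration, not merely to "some app in the tenant".
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued for another application")
    if claims.get("exp", 0) + CLOCK_SKEW < now:
        raise ValueError("token has expired")
    if claims.get("nbf", 0) - CLOCK_SKEW > now:
        raise ValueError("token is not yet valid")
    return claims


def sample_outcomes() -> dict:
    """Run the validator over constructed good and bad tokens; returns {case: outcome}."""
    base = {"iss": EXPECTED_ISSUER, "tid": TENANT_ID, "aud": CLIENT_ID,
            "oid": "user-object-id", "preferred_username": "alice@contoso.example",
            "nbf": NOW - 60, "exp": NOW + 3600}
    header_b64, _, sig_b64 = mint_token(base).split(".")
    forged_payload = _b64url(json.dumps({**base, "oid": "global-admin-object-id"}).encode())
    cases = {
        "valid": mint_token(base),
        "other_tenant": mint_token({**base, "tid": "attacker-tenant",
                                    "iss": "https://login.microsoftonline.com/attacker-tenant/v2.0"}),
        "other_app": mint_token({**base, "aud": "some-other-client-id"}),
        "expired": mint_token({**base, "exp": NOW - 3600}),
        "alg_none": mint_token(base, alg="none", signed=False),
        "tampered": f"{header_b64}.{forged_payload}.{sig_b64}",   # claims edited after signing
    }
    outcomes = {}
    for name, tok in cases.items():
        try:
            outcomes[name] = "accepted:" + validate_id_token(tok)["oid"]
        except ValueError as err:
            outcomes[name] = "rejected:" + str(err)
    return outcomes


if __name__ == "__main__":
    for name, result in sample_outcomes().items():
        print(f"{name:13} {result}")
```

The order of checks is deliberate: nothing in the payload is read until the signature has verified, and the algorithm is pinned rather than taken from the token. In production, fetch the signing keys from the JWKS endpoint, cache them by `kid`, and re-fetch on an unknown key ID, since Microsoft rotates them.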

Azure AD Editions

Free: Included with Azure subscription. Supports up to 500,000 directory objects. Features: user/group management, on-premises directory sync (Azure AD Connect), basic reports.

Office 365 Apps: Included with Office 365 subscriptions. Adds self-service password reset for cloud-only users; password writeback to on-premises AD requires Premium P1.

Premium P1: Adds self-service group management, dynamic groups, Conditional Access, password writeback, a Microsoft Identity Manager (MIM) licence for advanced hybrid sync, and cloud app discovery.

Premium P2: Includes Identity Protection, Privileged Identity Management (PIM), Identity Governance (access reviews, entitlement management).

Designing Identity Solutions

When designing identity solutions, consider:

- Identity source: cloud-only, or hybrid (on-premises Active Directory synced to Azure AD).

- Authentication method: password hash sync, pass-through authentication, or federation (AD FS).

- User provisioning: manual, bulk, or automated from HR systems (e.g., Workday, SAP SuccessFactors).

- Access governance: PIM for just-in-time privileged access, entitlement management for self-service access requests.

- Conditional Access policies: enforce MFA, block legacy authentication, require compliant devices.

- Identity Protection: configure user-risk and sign-in-risk policies.

Hybrid Identity Options

Password Hash Synchronization (PHS): Hashes of on-premises AD passwords are synced to Azure AD. Users use the same password for cloud and on-premises.

Pass-Through Authentication (PTA): Password validation happens on-premises via lightweight agents that hold an outbound connection to Azure AD. No password hash is stored in the cloud unless PHS is also enabled as a fallback, which Microsoft recommends so that an on-premises outage does not lock users out of cloud applications.

Federation (AD FS): Users authenticate to on-premises AD FS, which issues a token for Azure AD. Useful for complex authentication requirements.

Privileged Identity Management (PIM)

PIM provides time-based and approval-based role activation. Key concepts:

- Eligible assignment: the user holds no permissions until they activate the role; activation can require MFA, a justification, a ticket number and approval.

- Active assignment: the role is in force without activation, either permanently or for a bounded period. Permanent active assignment of privileged roles defeats the purpose of PIM and should be reserved for break-glass accounts.

- Activation: the user activates the role for a set duration. The maximum is configured per role (default 8 hours, up to 24 hours); the user can request less.

- Approval: optional workflow in which named approvers must accept the request before the role becomes active.

- Audit: every assignment, activation and settings change is logged. PIM also raises alerts, for example for roles activated too frequently, privileged roles assigned outside PIM, or too many Global Administrators.

Entitlement Management

Entitlement management automates access request workflows. Key concepts:

- Access package: a bundle of resources (groups, apps, SharePoint sites) that a user can request.

- Catalog: a container for access packages and the resources they can include.

- Policy: defines who can request, the approval requirements, and when the assignment expires.

- Access review: periodic review of access package assignments.

Access Reviews

Access reviews allow administrators to recertify access. They can be scheduled (e.g., quarterly) or ad hoc. Reviewers can be the user's manager, resource owner, or delegate. Results can be automatically applied (remove access if not approved).

Conditional Access Policies

Conditional Access policies are if-then statements: if a sign-in matches the policy's assignments and conditions, then its grant controls apply. Common assignments and conditions:

- Users and groups: target all users or specific groups, with exclusions (always exclude the break-glass accounts).

- Cloud apps: target all apps or specific ones such as Office 365 or the Azure management API.

- Locations: named locations and trusted IP ranges; allow or block by country or IP range.

- Device platforms: match sign-ins from iOS, Android, Windows or macOS.

- Client apps: match browser, modern mobile and desktop clients, Exchange ActiveSync, or 'other clients' (legacy authentication). Targeting the last two with a block control is how legacy authentication is shut off.

- Sign-in risk and user risk: signals from Identity Protection.

The grant controls are then block access, require MFA, require a compliant or hybrid-joined device, or require an approved client app.

Identity Protection

Identity Protection uses signals from Azure AD (e.g., impossible travel, leaked credentials, anonymous IP addresses) to calculate user risk and sign-in risk. Administrators can configure risk-based conditional access policies to block or require MFA.

Designing for Compliance and Audit

Azure AD logs: the audit logs record changes to directory objects (users, groups, roles, policies); the sign-in logs record interactive and non-interactive authentications with client, location and risk details; the provisioning logs record automated user provisioning to applications. All three can be exported through diagnostic settings.

Azure Monitor: Integrate audit logs with Log Analytics for advanced querying and alerting.
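Once the sign-in logs land in a Log Analytics workspace, the detections you would write over them are simple joins and time windows. The following is an added example, not code from the page or from Microsoft: it runs three such detections over constructed records shaped like rows of the SigninLogs table (UserPrincipalName, CreatedDateTime, ResultType, ClientAppUsed, LocationDetails.countryOrRegion). The list of legacy-protocol client names, the break-glass UPN and the 60-minute travel window are assumptions chosen for the example.

```python
"""Three detections over Azure AD sign-in records (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# ClientAppUsed values treated as legacy (non-modern) authentication; assumption for the example.
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Other clients"}
BREAK_GLASS_UPNS = {"breakglass1@contoso.example"}   # constructed emergency-access account
TRAVEL_WINDOW = timedelta(minutes=60)                 # assumed "impossible travel" threshold

# Constructed sample sign-ins. ResultType "0" is a successful sign-in in SigninLogs.
SAMPLE_SIGNINS = [
    {"UserPrincipalName": "alice@contoso.example", "CreatedDateTime": "2026-05-30T08:00:00Z",
     "ResultType": "0", "ClientAppUsed": "Browser", "LocationDetails": {"countryOrRegion": "GB"}},
    {"UserPrincipalName": "alice@contoso.example", "CreatedDateTime": "2026-05-30T08:25:00Z",
     "ResultType": "0", "ClientAppUsed": "Mobile Apps and Desktop clients",
     "LocationDetails": {"countryOrRegion": "BR"}},
    {"UserPrincipalName": "bob@contoso.example", "CreatedDateTime": "2026-05-30T09:10:00Z",
     "ResultType": "0", "ClientAppUsed": "IMAP4", "LocationDetails": {"countryOrRegion": "GB"}},
    {"UserPrincipalName": "bob@contoso.example", "CreatedDateTime": "2026-05-30T15:00:00Z",
     "ResultType": "0", "ClientAppUsed": "Browser", "LocationDetails": {"countryOrRegion": "DE"}},
    {"UserPrincipalName": "carol@contoso.example", "CreatedDateTime": "2026-05-30T09:30:00Z",
     "ResultType": "50126", "ClientAppUsed": "Other clients", "LocationDetails": {"countryOrRegion": "US"}},
    {"UserPrincipalName": "breakglass1@contoso.example", "CreatedDateTime": "2026-05-30T10:00:00Z",
     "ResultType": "0", "ClientAppUsed": "Browser", "LocationDetails": {"countryOrRegion": "GB"}},
]


def _ts(record: dict) -> datetime:
    return datetime.strptime(record["CreatedDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def legacy_auth_successes(records):
    """Successful sign-ins over legacy protocols: they bypass MFA, so each one is a CA policy gap."""
    return [(r["UserPrincipalName"], r["ClientAppUsed"]) for r in records
            if r["ResultType"] == "0" and r["ClientAppUsed"] in LEGACY_CLIENT_APPS]


def break_glass_activity(records):
    """Any sign-in attempt, successful or not, by an emergency-access account is alert-worthy."""
    return [(r["UserPrincipalName"], r["CreatedDateTime"], r["ResultType"]) for r in records
            if r["UserPrincipalName"] in BREAK_GLASS_UPNS]


def impossible_travel(records):
    """Same user, two successful sign-ins from different countries within TRAVEL_WINDOW."""
    by_user = defaultdict(list)
    for r in records:
        if r["ResultType"] == "0":
            by_user[r["UserPrincipalName"]].append(r)
    findings = []
    for upn, rows in by_user.items():
        rows.sort(key=_ts)
        for prev, cur in zip(rows, rows[1:]):
            c_prev = prev["LocationDetails"]["countryOrRegion"]
            c_cur = cur["LocationDetails"]["countryOrRegion"]
            gap = _ts(cur) - _ts(prev)
            if c_prev != c_cur and gap <= TRAVEL_WINDOW:
                findings.append((upn, c_prev, c_cur, int(gap.total_seconds() // 60)))
    return findings


if __name__ == "__main__":
    print("legacy auth:      ", legacy_auth_successes(SAMPLE_SIGNINS))
    print("break-glass:      ", break_glass_activity(SAMPLE_SIGNINS))
    print("impossible travel:", impossible_travel(SAMPLE_SIGNINS))
```

On the sample data this flags Bob's IMAP4 success (Carol's 'Other clients' attempt failed, so it is not a gap), every break-glass sign-in, and Alice's two sign-ins 25 minutes apart from two countries, while Bob's six-hour gap between countries is ignored. In the workspace the first detection is a one-line query over SigninLogs filtering ResultType "0" and ClientAppUsed against the same list; the point of prototyping it offline is to pin down the thresholds before wiring the alert.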

Azure Policy: Enforce compliance rules for Azure resources.

Microsoft 365 Compliance Center (now the Microsoft Purview compliance portal): For compliance and data governance.

Best Practices

Use PIM for all privileged roles (Global Admin, etc.).

Implement least privilege: assign only necessary permissions.

Enable MFA for all users, especially admins.

Use conditional access to block legacy authentication.

Schedule regular access reviews.

Use entitlement management for self-service access.

Enable identity protection and configure risk policies.

Use Azure AD Connect Health to monitor hybrid identity infrastructure.

Common Exam Scenarios

Designing a hybrid identity solution for a company with on-premises AD.

Implementing PIM for privileged access.

Configuring conditional access policies for remote workers.

Setting up access reviews for compliance.

Using entitlement management to automate access requests.

Walk-Through

1. Choose Identity Source and Sync

Determine if users will be cloud-only or synced from on-premises AD. For hybrid, install Azure AD Connect on a server. Configure synchronization options: password hash sync, pass-through authentication, or federation. Select the appropriate sync scope (all users, filtered by OU/attribute). Run initial sync and verify in Azure AD portal. Monitor sync health using Azure AD Connect Health.

2. Configure Authentication Methods

Based on business requirements, select authentication method. For PHS, no additional agent needed. For PTA, install agents on multiple servers for high availability. For federation, deploy AD FS and Web Application Proxy. Enable seamless SSO for domain-joined devices. Configure self-service password reset (SSPR) if needed. Test authentication flow.

3. Implement Privileged Identity Management

Enable PIM in Azure AD Premium P2. Configure roles: assign eligible members to Global Admin, Exchange Admin, etc. Set activation settings: require MFA, approval, justification, and maximum activation duration (e.g., 4 hours). Create alerts for suspicious activations. Test activation flow. Review PIM audit logs regularly.

4. Set Up Entitlement Management

Create catalogs for different departments. Create access packages containing groups, apps, and sites. Define policies: who can request (internal users, external users), approval process (manager, resource owner), and expiration (e.g., 90 days). Publish access packages to My Access portal. Test request flow. Schedule access reviews.

5. Configure Conditional Access Policies

Create policies in Azure AD Conditional Access. Target all users or specific groups. Select cloud apps (e.g., Office 365, Azure Management). Configure conditions: location (trusted IPs), device platform, client apps (block legacy auth), sign-in risk. Set access controls: require MFA, require compliant device, require approved client app. Enable policy in report-only mode first, then enforce. Monitor sign-in logs.
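The policy described in this step, and in the Conditional Access section earlier in the chapter, is ultimately a JSON body sent to the Microsoft Graph conditionalAccessPolicy endpoint (POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies). The following added example (not code from the original page) builds the two policies every tenant starts with in that schema and runs a pre-deployment lint that encodes the safeguards from the walk-through: start in report-only mode, always exclude the break-glass accounts, and never submit a policy that blocks every user on every app from every client. The object IDs and policy names are constructed.

```python
"""Conditional Access policy bodies in the Graph schema, plus a pre-deployment lint (added example)."""
import json

BREAK_GLASS_OIDS = ["aaaaaaaa-0000-0000-0000-000000000001",   # constructed object ids of the
                    "aaaaaaaa-0000-0000-0000-000000000002"]   # two emergency-access accounts
REPORT_ONLY = "enabledForReportingButNotEnforced"             # Graph 'state' value for report-only mode


def block_legacy_auth_policy(state: str = REPORT_ONLY) -> dict:
    """Block sign-ins from clients that can only do legacy authentication."""
    return {
        "displayName": "CA001 Block legacy authentication",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(BREAK_GLASS_OIDS)},
            "applications": {"includeApplications": ["All"]},
            # Exchange ActiveSync and "other clients" are the client app types legacy protocols use.
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def require_mfa_policy(state: str = REPORT_ONLY) -> dict:
    """Require MFA for every user on every cloud app, break-glass accounts excluded."""
    return {
        "displayName": "CA002 Require MFA for all users",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(BREAK_GLASS_OIDS)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lint_policy(policy: dict, existing_names=()) -> list:
    """Return findings for a policy about to be submitted; an empty list means safe to send."""
    findings = []
    conditions = policy["conditions"]
    users = conditions["users"]
    controls = policy.get("grantControls") or {}
    is_block = "block" in controls.get("builtInControls", [])
    targets_everyone = "All" in users.get("includeUsers", [])
    missing = [oid for oid in BREAK_GLASS_OIDS if oid not in users.get("excludeUsers", [])]
    if targets_everyone and missing:
        findings.append(f"break-glass account(s) not excluded: {missing}")
    # A brand-new policy goes live in report-only mode first; only known policies may be 'enabled'.
    if policy["displayName"] not in existing_names and policy["state"] == "enabled":
        findings.append("new policy should start in report-only mode, not 'enabled'")
    if (is_block and targets_everyone
            and conditions["applications"].get("includeApplications") == ["All"]
            and conditions.get("clientAppTypes") == ["all"]):
        findings.append("policy blocks all users on all apps from all client types: tenant lockout")
    return findings


if __name__ == "__main__":
    for policy in (block_legacy_auth_policy(), require_mfa_policy()):
        print(policy["displayName"], "->", lint_policy(policy) or "OK")
    print(json.dumps(block_legacy_auth_policy(), indent=2))
```

Once a policy has sat in report-only mode and the sign-in logs show no unexpected impact, resubmit it with `state` set to `enabled`; the lint allows that only for a policy whose name is already in the tenant's existing set, which is the "report-only first, then enforce" rule from the walk-through expressed as a check rather than a reminder.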

What This Looks Like on the Job

Scenario 1: Large Enterprise with Hybrid Identity

A multinational company with 50,000 employees uses on-premises Active Directory. They want to migrate to cloud but need to maintain on-premises AD for legacy apps. They deploy Azure AD Connect with password hash sync and seamless SSO. They enable PIM for all privileged roles, requiring MFA and approval for activation. They use entitlement management to automate access to HR systems. They schedule quarterly access reviews for all privileged groups. Common issues: sync failures due to network latency, duplicate attributes, and large group sync. They monitor using Azure AD Connect Health and set up alerts for sync errors.

Scenario 2: Startup with Cloud-Only Identity

A startup with 200 employees uses cloud-only Azure AD. They enable self-service password reset and MFA. They use Conditional Access to block access from untrusted locations and require compliant devices. They use Identity Protection to detect risky sign-ins and automatically block high-risk users. They use PIM for admin roles. They do not need on-premises sync. Common issues: users forgetting to register for MFA, and legacy apps not supporting modern authentication. They publish the legacy apps through Azure AD Application Proxy so that Conditional Access and MFA apply in front of them.

Scenario 3: Healthcare Organization Compliance

A healthcare provider must comply with HIPAA. They use Azure AD Premium P2 for identity governance. They implement access reviews for all users accessing patient data. They use Conditional Access to require MFA and compliant devices. They enable audit logging and integrate with Microsoft Sentinel (formerly Azure Sentinel) for security monitoring. They use entitlement management to grant time-limited access to external researchers. Common issues: reviewers ignoring access review requests, resulting in stale access. They configure the reviews to auto-apply results, so access that nobody approves is removed when the review period ends.

How AZ-305 Actually Tests This

What AZ-305 Tests on Identity Governance

The AZ-305 exam tests your ability to design identity solutions that are secure, scalable, and compliant. Key objectives (from exam skills measured):

Design identity management (1.1)

Design authentication and authorization (1.2)

Design governance (1.3)

Common Exam Traps

1. Assuming PIM covers only one kind of role: PIM manages Azure AD directory roles (e.g., Global Administrator) and Azure resource roles (e.g., Contributor, assigned through Azure RBAC), and also privileged group membership through PIM for Groups. The exam tests that PIM can manage both kinds of role.

2. Assuming PIM replaces RBAC: PIM does not define permissions; it governs when a role assignment is active. Permissions on Azure resources still come from Azure RBAC roles, so the design pairs least-privilege RBAC roles with PIM-eligible assignments rather than broad, permanently active ones.

3. Misunderstanding Access Reviews vs. Entitlement Management: Access reviews are periodic recertifications. Entitlement management automates access requests. They work together but are different features.

4. Selecting Federation when not needed: Federation is complex and only needed for advanced scenarios (e.g., smart-card authentication, on-premises MFA, third-party identity providers). Most organizations use PHS or PTA.

Specific Numbers and Terms

Azure AD Free: 500,000 directory objects.

PIM activation maximum duration: configured per role, default 8 hours, up to 24 hours.

Conditional Access: report-only mode for testing.

Identity Protection: user risk (high, medium, low) and sign-in risk.

Entitlement management: access packages, catalogs, policies.

Azure AD Connect: multiple forests can sync to one tenant, but only one active sync server per tenant; additional servers run in staging mode.

Edge Cases

Guest users: B2B collaboration users can be made eligible for PIM roles, but they need an Azure AD Premium P2 licence like any other PIM user.

Emergency access: at least two break-glass accounts that are cloud-only (never synced), hold Global Administrator as a permanent assignment, use long random passwords or FIDO2 keys kept offline, are excluded from every Conditional Access policy, and raise an alert on every sign-in.

Directory synchronization: losing the Azure AD Connect server (or the on-premises forest it syncs from) means rebuilding the sync configuration; keep a second server in staging mode, or an exported configuration, so a rebuild does not turn into re-matching every synced object.

How to Eliminate Wrong Answers

If a question asks about 'just-in-time' access, think PIM.

If a question asks about 'automated access requests', think entitlement management.

If a question asks about 'periodic recertification', think access reviews.

If a question asks about 'risk-based policies', think Identity Protection + Conditional Access.

Key Takeaways

Azure AD Free supports up to 500,000 directory objects.

PIM activation maximum duration is configurable per role (default 8 hours, up to 24 hours).

Conditional Access policies can be tested in report-only mode before enforcement.

Identity Protection uses user risk and sign-in risk levels (low, medium, high).

Entitlement management uses access packages, catalogs, and policies.

Azure AD Connect supports multiple forests, but only one active sync server per tenant (others in staging mode).

Break-glass accounts must be excluded from conditional access and monitored closely.

Access reviews can auto-apply results if configured.

PIM can manage both Azure AD roles and Azure resource roles.

Federation (AD FS) is only needed for advanced authentication requirements.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Password Hash Sync (PHS)

Password hashes synced to Azure AD

No on-premises agent for authentication

User passwords not validated on-premises

Simpler deployment, less infrastructure

Supports cloud-only fallback if on-premises fails

Pass-Through Authentication (PTA)

Password validation happens on-premises

Requires agent(s) on on-premises servers

No password hash stored in Azure AD

Higher availability requirements (multiple agents)

Authentication depends on the agents and on-premises AD being reachable, so enable PHS alongside PTA as a fallback

Watch Out for These

Mistake

Azure AD is just a cloud version of Active Directory.

Correct

Azure AD is not a cloud version of AD. It is a completely different identity platform designed for web-based authentication using REST APIs and OAuth2/OpenID Connect. It does not support LDAP, Kerberos, or NTLM natively (Azure AD DS provides these).

Mistake

PIM is only for Azure AD roles.

Correct

PIM can also manage Azure resource roles (e.g., Contributor, Owner) via Azure RBAC integration. You can configure just-in-time access to Azure resources.

Mistake

Password hash sync stores passwords in plaintext in the cloud.

Correct

Password hash sync never sends the password. Azure AD Connect reads the on-premises NT hash (MD4), adds a per-user salt and re-hashes it with PBKDF2-HMAC-SHA256 (1,000 iterations) before sending the result to Azure AD. Neither the plaintext nor the original NT hash reaches the cloud, so the synced value cannot be replayed against on-premises AD.

Mistake

Conditional Access policies apply to all sign-ins by default.

Correct

Conditional Access policies are not applied by default. Each must be explicitly created, scoped to users, apps and conditions, and enabled. The old 'baseline policies' were retired; a tenant without Conditional Access can instead turn on security defaults, a tenant-wide preset that requires MFA registration and blocks legacy authentication, but security defaults and Conditional Access cannot be used at the same time.

Mistake

Access reviews automatically revoke access after the review period ends.

Correct

Access reviews can be configured to auto-apply results, but by default, the administrator must manually apply the results. The auto-apply option must be explicitly enabled.


Frequently Asked Questions

What is the difference between Azure AD and Azure AD Domain Services?

Azure AD is a cloud identity and access management service for web-based applications. Azure AD Domain Services (Azure AD DS) provides managed domain services like domain join, group policy, and LDAP, which are not natively available in Azure AD. Azure AD DS is used to lift-and-shift on-premises applications that require AD features.

Can I use PIM for Azure resource roles?

Yes, PIM can manage Azure resource roles (e.g., Contributor, Owner) at management group, subscription, resource group, or resource level. You can configure just-in-time access, approval workflows, and audits for these roles.

How do I enforce MFA for all users?

You can create a Conditional Access policy targeting all users and all cloud apps with the 'Require multifactor authentication' grant control, excluding the break-glass accounts. Alternatively, enable security defaults, which enforce MFA registration tenant-wide but allow no exclusions and cannot coexist with Conditional Access. Conditional Access is the answer whenever the question needs granular control (Premium P1 licences required).

What is the maximum number of Azure AD Connect sync servers?

Only one active Azure AD Connect sync server is supported per tenant. That single server can connect to multiple on-premises forests. Additional servers can be installed in staging mode: they import and compute changes but do not export them, and one can be promoted if the active server fails.

How do I provide external users access to internal applications?

Use Azure AD B2B collaboration. Invite external users as guests in your Azure AD tenant. They can use their own identities to access shared apps. For more complex scenarios, use entitlement management to create access packages for external users.

What happens if Azure AD Connect fails to sync?

Authentication continues: with PHS, Azure AD already holds the synced password hashes, and with PTA the agents validate against on-premises AD independently of the sync. However, new users, group changes and on-premises password changes are not reflected in the cloud until sync resumes. Monitor sync health with Azure AD Connect Health.

Can I use conditional access to block legacy authentication?

Yes, you can create a Conditional Access policy targeting 'All cloud apps' with condition 'Client apps' set to 'Exchange ActiveSync clients' and 'Other clients' (which includes legacy authentication). Set access control to 'Block access'. This is a common security best practice.

