This chapter covers Azure authentication methods, a critical topic for the AZ-900 exam under Domain 2 (Azure Architecture and Services), Objective 2.5. Authentication is the foundation of cloud security — it verifies the identity of users and services before granting access to Azure resources. On the exam, this objective area carries approximately 15-20% weight, with authentication questions appearing in both multiple-choice and scenario-based formats. Understanding the differences between authentication methods, their use cases, and how they integrate with Azure Active Directory is essential for passing the exam.
Jump to a section
Imagine a large hotel with thousands of guests. Each guest receives a key card that grants access only to their assigned room and common areas like the lobby and gym. The hotel's master key system is like Azure Active Directory (Azure AD) — it manages identities and access rights. When a guest checks in, the front desk (Azure AD) creates an identity (guest profile) and issues a key card (token) with specific permissions (claims). The key card is valid only for the duration of the stay (token lifetime) and can be revoked if the guest misbehaves (conditional access). If a guest tries to enter another room, the door lock checks the card's permissions (authentication) and denies entry (authorization). This is exactly how Azure AD works: it authenticates users (verifies identity) and authorizes access (grants permissions) to resources based on policies. The hotel's different key types (guest, staff, manager) correspond to different roles in Azure RBAC. The key card's magnetic stripe or chip contains encrypted data that the door reader decrypts — analogous to OAuth 2.0 tokens that are cryptographically signed and validated by Azure AD. If the hotel uses multi-factor authentication, a guest might also need to enter a PIN sent to their phone (like Azure MFA). This system ensures that only the right people access the right areas at the right time, just as Azure authentication methods secure cloud resources.
What Is Authentication and Why Does It Matter?
Authentication is the process of proving that you are who you claim to be. In the cloud, this is the first line of defense against unauthorized access. Azure offers multiple authentication methods to verify identities, each with different levels of security and user experience. The business problem it solves is simple: how do you ensure that only legitimate users and applications can access your Azure resources, while keeping bad actors out? Without strong authentication, anyone with a username and password could potentially access your data. Azure authentication methods range from simple password-based sign-in to passwordless and multi-factor authentication (MFA).
How Azure Authentication Works
Azure authentication relies on Azure Active Directory (Azure AD), a cloud-based identity and access management service. When a user attempts to sign in, Azure AD validates their credentials against its directory. Here's the step-by-step mechanism:
User initiates sign-in: The user navigates to an Azure portal, Office 365, or a custom application that uses Azure AD for authentication.
Authentication request: The application sends an authentication request to Azure AD's endpoint (e.g., https://login.microsoftonline.com).
Credential validation: Azure AD checks the provided credentials (password, MFA code, etc.) against the user's identity in the directory. If the credentials are correct, Azure AD issues an access token.
Token issuance: The token is a JSON Web Token (JWT) that contains claims about the user (e.g., user ID, roles, expiration time). The token is cryptographically signed by Azure AD.
Token validation: The application validates the token's signature and claims. If valid, the user is granted access to the resource.
This process happens in milliseconds and can be extended with additional checks like conditional access policies.
Key Authentication Methods
Azure supports several authentication methods, each suitable for different scenarios:
Password-based authentication: The most common method. Users sign in with a username and password. Azure AD enforces password policies (complexity, expiration) and can synchronize passwords from on-premises Active Directory via Azure AD Connect.
Multi-factor authentication (MFA): Requires two or more verification methods: something you know (password), something you have (phone, token), or something you are (biometric). Azure MFA is available as part of Azure AD Premium or as a standalone service.
Passwordless authentication: Eliminates passwords entirely. Methods include Windows Hello for Business (biometric/PIN), Microsoft Authenticator app (phone sign-in), FIDO2 security keys, and SMS or email codes.
Federated authentication: Uses an on-premises identity provider (e.g., Active Directory Federation Services) to authenticate users. Azure AD trusts the federation server's authentication assertions.
Certificate-based authentication: Uses X.509 certificates to authenticate users or devices. Common for government and high-security environments.
OAuth 2.0 and OpenID Connect: Protocols that enable delegated access and single sign-on (SSO). Azure AD acts as the authorization server.
Tiers and Pricing
Azure AD comes in four editions: Free, Office 365 Apps, Premium P1, and Premium P2. The Free edition includes basic authentication (password, MFA via security defaults). Premium P1 adds conditional access and self-service password reset. Premium P2 adds identity protection and privileged identity management. MFA is included in all editions but with limitations: Free edition only supports MFA via security defaults for all users, while Premium editions allow granular MFA policies.
Comparison to On-Premises
On-premises, authentication is typically handled by Active Directory Domain Services (AD DS) using Kerberos or NTLM protocols. In Azure, authentication is cloud-based, using modern protocols like OAuth 2.0, OpenID Connect, and SAML. The key differences: - Scalability: Azure AD scales globally without hardware constraints. - Integration: Azure AD integrates with thousands of SaaS applications out of the box. - Security: Azure AD provides built-in MFA, conditional access, and identity protection. - Management: Azure AD is managed via the Azure portal, PowerShell, or CLI, whereas on-premises AD requires domain controllers and Group Policy.
Azure Portal and CLI Touchpoints
In the Azure portal, authentication methods are configured under Azure Active Directory > Security > Authentication methods. Here you can enable or disable methods like Microsoft Authenticator app, FIDO2 keys, and certificate-based authentication. You can also set up password protection (banned passwords) and smart lockout thresholds.
Using Azure CLI, you can manage authentication policies:
# Enable MFA for a user
az ad user update --id user@domain.com --force-change-password-next-sign-in --password "NewPassword123!"
# List authentication methods for a user
az rest --method GET --uri "https://graph.microsoft.com/v1.0/users/user@domain.com/authentication/methods"PowerShell cmdlets:
# Get MFA status for a user
Get-MsolUser -UserPrincipalName user@domain.com | Select-Object StrongAuthenticationMethodsConcrete Business Scenarios
Scenario 1: A healthcare organization needs to protect patient data. They enforce MFA for all users accessing Azure resources. Administrators configure conditional access policies that require MFA when accessing from outside the corporate network.
Scenario 2: A startup wants to eliminate passwords for better user experience. They implement passwordless authentication using the Microsoft Authenticator app. Users sign in with their phone's biometrics.
Scenario 3: A government agency requires high assurance. They use certificate-based authentication with smart cards. Azure AD validates the certificates against a trusted certification authority.
Enable Security Defaults
Security defaults are a set of basic security policies that Microsoft recommends for all tenants. They enforce MFA for all users, require administrators to use MFA, and block legacy authentication protocols. To enable them, go to Azure Active Directory > Properties > Manage Security defaults. This is the easiest way to improve authentication security for small organizations. Behind the scenes, Azure AD creates conditional access policies that apply to all users. Important: Security defaults are available in all Azure AD editions, but once enabled, you cannot create custom conditional access policies until you disable security defaults.
Configure MFA Policies
For more granular control, use conditional access policies to require MFA based on user, location, device, or application. In the Azure portal, navigate to Azure Active Directory > Security > Conditional Access. Create a new policy, assign users and groups, and configure conditions (e.g., risk level, location). Under 'Grant', select 'Require multi-factor authentication'. Azure AD will evaluate the policy at sign-in and prompt for MFA if conditions are met. This is the recommended approach for organizations that need custom MFA enforcement.
Register Authentication Methods
Users must register their authentication methods before they can use MFA or passwordless sign-in. Administrators can enforce registration via conditional access policy (e.g., require registered MFA methods). Users register by visiting https://aka.ms/mfasetup. They can add methods like Microsoft Authenticator app, phone (SMS/call), or FIDO2 key. Behind the scenes, Azure AD stores the registration in the user's authentication methods profile. If a user loses their phone, they must re-register. Admins can reset a user's MFA registration from the Azure portal.
Implement Passwordless Sign-In
Passwordless authentication methods eliminate the need for passwords. To enable, go to Azure Active Directory > Security > Authentication methods > Passwordless. Enable methods like Microsoft Authenticator app (phone sign-in) or FIDO2 security keys. Users then register their device or key. When signing in, they use biometrics (fingerprint, face) or PIN on their registered device. Azure AD uses public key cryptography to verify the user's identity. This method is more secure than passwords because there is no shared secret that can be stolen.
Set Up Self-Service Password Reset
Self-service password reset (SSPR) allows users to reset their own passwords without administrator intervention. To configure, go to Azure Active Directory > Password reset. Enable SSPR for selected users or all users. Choose authentication methods (e.g., email, phone, security questions). Azure AD Premium P1 or P2 is required for SSPR with writeback (password synchronization to on-premises AD). When a user forgets their password, they go to https://passwordreset.microsoftonline.com and follow prompts. Azure AD verifies their identity using the registered methods before allowing a password change.
Scenario 1: A Global Enterprise Enforcing MFA
A multinational corporation with 50,000 employees uses Azure AD Premium P2. They need to protect sensitive financial data. The IT team creates a conditional access policy that requires MFA for all users accessing the finance application, but only if the sign-in risk is medium or higher. They also block legacy authentication protocols that don't support MFA. The team configures the policy in the Azure portal under Conditional Access, targeting the finance app group. They set conditions: sign-in risk level > medium, and grant control: require MFA. Users are prompted for MFA via the Microsoft Authenticator app. If a user's sign-in is risky (e.g., from an unfamiliar location), they must provide an additional verification code. Cost: Azure AD Premium P2 licenses cost about $9/user/month. Incorrect setup: If the policy is too broad, it could lock out legitimate users; if too narrow, security gaps remain. The team tests with a pilot group before rolling out widely.
Scenario 2: A Small Business Using Security Defaults
A 20-person marketing agency uses Azure AD Free. They want basic security without complexity. They enable Security Defaults, which automatically enforces MFA for all users, blocks legacy authentication, and requires administrators to use MFA. No additional configuration is needed. Users register their phones for MFA via SMS or the Authenticator app. The agency avoids the cost of Premium licenses. However, they cannot customize policies. If a user loses their phone, an admin must reset their MFA registration. The downside: Security defaults apply to all users equally; there is no way to exempt a service account. To work around this, they create a separate tenant for service accounts with security defaults disabled.
Scenario 3: A Government Agency Using Certificate-Based Authentication
A government agency requires the highest level of assurance. They issue smart cards to all employees with X.509 certificates. They configure Azure AD to accept certificate-based authentication. The IT team uploads the trusted certificate authority (CA) certificates to Azure AD. Users insert their smart card into a reader, enter a PIN, and the certificate is presented to Azure AD. Azure AD validates the certificate chain and maps the certificate to a user in the directory. This method prevents password theft and phishing. However, it requires significant infrastructure: smart cards, readers, and a PKI. If a certificate expires, the user cannot sign in. The team must manage certificate revocation lists (CRLs) and ensure Azure AD checks them. Incorrect setup: If the CA certificate is not uploaded properly, all certificate-based sign-ins fail.
Objective 2.5: Describe Azure Authentication Methods
This objective tests your understanding of the different ways Azure authenticates users and services. The exam expects you to know:
The types of authentication methods (password, MFA, passwordless, federated, certificate-based)
The difference between authentication and authorization
How Azure AD supports single sign-on (SSO)
The role of MFA and passwordless in security
The concept of security defaults vs. conditional access
Common Wrong Answers and Why Candidates Choose Them
'Authentication and authorization are the same thing.' Candidates confuse these two terms. Authentication verifies identity; authorization determines what the authenticated user can do. The exam often asks to identify which is which.
'MFA requires at least three verification methods.' MFA means multi-factor, but it requires two or more factors, not necessarily three. Candidates incorrectly assume 'multi' means three or more.
'Passwordless authentication is less secure than passwords.' This is false. Passwordless methods use cryptographic keys, which are more resistant to phishing and theft. Candidates may think passwords are more familiar and thus more secure.
'Security defaults are only available in Premium editions.' Security defaults are available in all Azure AD editions, including Free. Candidates often associate security features with paid tiers.
Specific Terms and Values on the Exam
Azure AD: The identity provider for Azure.
MFA: Multi-factor authentication — requires two or more factors.
SSO: Single sign-on — one authentication for multiple resources.
Conditional Access: Policies that enforce access controls based on conditions.
Security Defaults: Basic security policies for all tenants.
Passwordless: Authentication without a password (Windows Hello, FIDO2, Authenticator app).
Federated Identity: Trusting an external identity provider.
Edge Cases and Tricky Distinctions
Legacy authentication: The exam may ask which authentication methods are blocked by security defaults (e.g., POP3, IMAP, SMTP). These are protocols that don't support MFA.
Service principals: For applications, authentication uses service principals and client secrets or certificates, not user passwords.
Managed identities: Azure resources can authenticate to Azure AD without storing credentials.
Memory Trick: 'AAA' — Authentication, Authorization, Access
Use 'AAA' to remember the order: Authenticate first, then Authorize, then Access. Authentication is the first step. Also, think 'MFA = More Factors = More secure.' For passwordless, remember 'No Password = No Phish.'
Authentication verifies identity; authorization grants permissions.
Azure AD is the identity provider for Azure authentication.
MFA requires two or more factors: something you know, have, or are.
Security defaults enforce basic security (MFA for all users) in all Azure AD editions.
Passwordless methods (Windows Hello, FIDO2, Authenticator) are more secure than passwords.
Conditional access policies allow granular MFA enforcement based on conditions.
Federated authentication trusts an external identity provider (e.g., ADFS).
Certificate-based authentication uses X.509 certificates for high-assurance scenarios.
Self-service password reset (SSPR) enables users to reset passwords without admin help.
Legacy authentication protocols (POP3, IMAP) do not support MFA and are blocked by security defaults.
These come up on the exam all the time. Here's how to tell them apart.
Password-based Authentication
Requires a username and password.
Susceptible to phishing, brute-force, and credential theft.
User must remember complex passwords.
Azure AD enforces password policies (length, complexity, expiration).
Common but increasingly considered less secure.
Passwordless Authentication
Uses biometrics, PIN, or hardware key instead of passwords.
Resistant to phishing; no shared secret to steal.
User does not need to remember passwords.
Uses public key cryptography; Azure AD stores public key.
More secure and user-friendly, but requires compatible devices.
Mistake
Authentication and authorization are the same thing.
Correct
Authentication verifies identity (who you are), while authorization determines what you can do (permissions). They are distinct steps.
Mistake
MFA requires at least three factors.
Correct
MFA requires two or more factors (something you know, have, or are). Three factors are possible but not required.
Mistake
Passwordless authentication is less secure than passwords.
Correct
Passwordless methods use cryptographic keys, which are much harder to steal than passwords. They are more secure against phishing and brute-force attacks.
Mistake
Security defaults are only available in Azure AD Premium.
Correct
Security defaults are available in all Azure AD editions, including Free. They provide basic security without extra cost.
Mistake
Azure AD Connect synchronizes passwords in plain text.
Correct
Azure AD Connect synchronizes password hashes, not plain text passwords. The hashes are salted and hashed again before storage in Azure AD.
Authentication is the process of verifying who a user is (e.g., via password, MFA). Authorization determines what resources that user can access and what actions they can perform. In Azure AD, authentication happens first, then authorization is enforced via Role-Based Access Control (RBAC) or Azure AD roles. For the exam, remember: AuthN = identity, AuthZ = permissions.
Azure MFA requires users to provide two or more verification factors: something they know (password), something they have (phone, token), or something they are (biometric). When a user signs in, Azure AD evaluates the conditional access policy (or security defaults) and prompts for additional verification if required. The user can use the Microsoft Authenticator app, SMS, phone call, or OATH token. MFA is enforced via conditional access policies or security defaults.
Azure supports three passwordless methods: Windows Hello for Business (biometric/PIN on Windows devices), Microsoft Authenticator app (phone sign-in with biometric), and FIDO2 security keys (USB or NFC devices). These methods use public-private key pairs; Azure AD stores the public key. During sign-in, the device proves possession of the private key, eliminating the need for a password.
Security defaults are a set of basic security policies that Microsoft recommends for all tenants. They require MFA for all users, block legacy authentication, and require administrators to use MFA. They are enabled by default for new tenants and can be turned off only if you create custom conditional access policies. Security defaults are available in all Azure AD editions (Free, Office 365, Premium).
Yes, you can use federated authentication with Azure AD Connect and Active Directory Federation Services (AD FS). Users authenticate against on-premises AD, and Azure AD trusts the federation server. Alternatively, you can sync password hashes to Azure AD for cloud authentication. Both methods are supported, but federated authentication allows you to enforce on-premises policies (e.g., smart card logon).
Azure AD is a cloud-based identity and access management service for SaaS applications, Azure resources, and Office 365. Active Directory Domain Services (AD DS) is an on-premises directory service for Windows domain networks. Azure AD uses REST APIs and modern protocols (OAuth, SAML), while AD DS uses Kerberos and LDAP. They can be integrated via Azure AD Connect.
The easiest way is to enable Security Defaults in Azure AD. This automatically enforces MFA for all users. For more granular control, create a conditional access policy that requires MFA for all users. Go to Azure AD > Security > Conditional Access, create a new policy, assign all users, and under 'Grant' select 'Require multi-factor authentication'. Ensure no exclusions that could bypass MFA.
You've just covered Azure Authentication Methods — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?