This chapter covers foundational identity concepts including authentication, authorization, identity providers, directories, and the principles of zero trust. Understanding these concepts is critical for the SC-900 exam as they form the basis for all Microsoft security, compliance, and identity solutions. Approximately 15-20% of exam questions touch identity concepts, either directly or as prerequisites for understanding related technologies like Conditional Access and identity protection.
Think of an organization's identity system like an international airport's passport control. Every person (user) has a passport (digital identity) issued by a trusted authority (identity provider like Microsoft Entra ID). When you arrive at a new country (resource), the immigration officer (authentication system) checks your passport to confirm you are who you claim to be. They verify the photo (biometrics or password), check the hologram (digital signature), and ensure the passport hasn't expired (credential lifetime). Once authenticated, they stamp your passport with a visa (authorization token) that specifies exactly what you're allowed to do—which areas you can enter, how long you can stay, and whether you can work or just visit. The visa is not the passport; it's a separate permission granted based on your identity. If you try to enter a restricted area, security (access control) checks your visa and denies entry if permissions are insufficient. The entire process relies on trust: the destination country trusts the issuing authority's validation of your identity. Similarly, in IT, resources trust the identity provider's authentication and authorization decisions. This model enables single sign-on (a global visa that works across multiple countries in a union) and federation (two countries agreeing to accept each other's passports).
What is Identity and Why Does It Exist?
Identity is the unique representation of an entity—such as a user, device, application, or service—within a digital system. The primary purpose of identity is to establish trust: to answer the questions "who are you?" and "what are you allowed to do?" Before identity systems, resources were secured by simple shared secrets (passwords) with no granular control. Identity evolved to provide centralized management, auditability, and fine-grained access control.
Authentication vs. Authorization
Authentication (AuthN) is the process of verifying that an entity is who it claims to be. It answers "Are you who you say you are?" The entity presents credentials (something you know, something you have, or something you are) and the system validates them against a trusted source. Authorization (AuthZ) happens after authentication and determines what the authenticated entity is allowed to do. It answers "What can you access?" The critical distinction: authentication establishes identity; authorization grants permissions. A valid token proves the first and is necessary for the second, but the resource still makes the second decision itself.
Identity Providers (IdPs)
An Identity Provider (IdP) is a service that creates, maintains, and manages identity information and provides authentication services to relying applications. Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based IdP. In a federated identity model, the IdP authenticates the user and issues a security token (like a SAML assertion or JWT) that the relying party trusts. This decouples authentication from the application, enabling single sign-on (SSO).
Directories
A directory is a hierarchical data store that holds information about objects such as users, groups, and devices. Microsoft Entra ID is both an IdP and a directory service. It stores identity attributes (name, email, department, group memberships) and exposes APIs (Microsoft Graph) for querying and updating this data. On-premises, Active Directory Domain Services (AD DS) plays a similar role but uses different protocols (LDAP, Kerberos, NTLM) and is not reachable by cloud services on its own; hybrid environments bridge the two by synchronizing AD DS objects into Microsoft Entra ID with Microsoft Entra Connect.
Key Concepts in Microsoft Entra ID
Tenant: A dedicated instance of Microsoft Entra ID that an organization receives when signing up for a Microsoft cloud service (like Azure, Microsoft 365). Each tenant is isolated and has its own directory.
Identity: An object that can be authenticated. Users, service principals, and managed identities are all identities.
User Principal Name (UPN): The user's sign-in name, usually in email format (e.g., user@contoso.com). The UPN must be unique within the tenant.
Object ID: A globally unique identifier (GUID) assigned to every directory object. It never changes and is used for programmatic access.
Groups: Collections of users or devices used to assign permissions. Two types: security groups (for access control) and Microsoft 365 groups (for collaboration).
Service Principal: An identity for an application or service. It is used to authenticate and authorize the application to access resources.
Managed Identity: An Azure-managed identity for Azure resources (like VMs or Functions) that eliminates the need for developers to manage credentials.
Authentication Methods
Password-based: Traditional username and password. Least secure; vulnerable to phishing and brute force.
Multi-Factor Authentication (MFA): Requires two or more verification factors of different types (for example a password plus a push approval in Microsoft Authenticator, a phone call, or a biometric). Microsoft Entra MFA is available in every tier: Free tenants get it through security defaults (and per-user MFA), P1 lets you require it selectively through Conditional Access, and P2 adds risk-based MFA through Identity Protection.
Passwordless: Uses biometrics or a hardware-bound key (Windows Hello for Business, FIDO2 security keys) or phone sign-in with Microsoft Authenticator. Removes the password, and with it phishing of the password and password spray.
Certificate-based: Uses X.509 certificates for authentication, common in high-security environments.
Federated Authentication: Relies on an external IdP (e.g., ADFS, third-party SAML IdP) to authenticate users. The trust is established via federation metadata exchange.
Authorization Models
Role-Based Access Control (RBAC): Permissions are assigned to roles, and users are added to roles. Common in Azure for managing Azure resources.
Attribute-Based Access Control (ABAC): Permissions depend on attributes of the user (department, location, clearance level), of the resource (classification, sensitivity) and of the environment. In Azure RBAC this appears as conditions on role assignments (for example, limiting a storage role to blobs carrying a given index tag); Conditional Access applies the same idea at sign-in time, evaluating user, device, location and risk attributes before a token is issued.
Privileged Identity Management (PIM): A Microsoft Entra ID P2 feature that provides just-in-time privileged access, approval workflows, and access reviews.
Zero Trust Principles
Zero Trust is a security model that assumes breach and verifies each request as though it originates from an open network. The three core principles:
- Verify explicitly: Always authenticate and authorize based on all available data points (user identity, location, device health, service, data classification, anomalies).
- Use least privileged access: Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.
- Assume breach: Minimize blast radius, segment access, verify end-to-end encryption, and use analytics to detect and respond to threats.
Identity Lifecycle Management
Identity lifecycle encompasses creation, management, and removal of identities. Key processes:
- Provisioning: Creating identities in the directory, often automated from HR systems (e.g., SAP SuccessFactors, Workday) into Microsoft Entra ID using the provisioning service and agents.
- De-provisioning: Disabling or deleting identities when a user leaves the organization. Automated via HR-driven deprovisioning.
- Access Reviews: Periodic reviews of group memberships and application access to ensure least privilege. Microsoft Entra Access Reviews is a P2 feature.
- Entitlement Management: Automation of access request workflows, approval processes, and assignment of access packages. Part of Microsoft Entra ID Governance.
Federation and Single Sign-On
Federation establishes trust between an IdP (e.g., Microsoft Entra ID) and a relying party (e.g., Salesforce). When a user signs in, the IdP authenticates and issues a token (SAML 2.0, WS-Federation, or OIDC) that the relying party accepts. This enables SSO: the user signs in once and accesses multiple applications without re-entering credentials. Federation uses metadata (XML documents) exchanged between IdP and SP to establish trust.
Conditional Access
Conditional Access is a Microsoft Entra ID P1/P2 feature that enforces access control decisions based on signals. It's the "if-then" policy engine: if a user wants to access a resource, then they must meet specific conditions (e.g., MFA from untrusted locations, compliant device, approved client app). Policies consist of assignments (users, groups, cloud apps, conditions) and access controls (grant or block, session controls).
Identity Protection
Microsoft Entra ID Protection (P2 feature) uses machine learning to detect identity-based risks: leaked credentials, impossible travel, anonymous IP addresses, unfamiliar sign-in properties, and more. It can automatically remediate by requiring MFA, blocking sign-in, or forcing password reset.
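The "impossible travel" (now called atypical travel) detection mentioned above is easy to reason about when you see the arithmetic. The following is an added example and not Microsoft's detection code: it runs a simplified version of the check over constructed sign-in records (the record shape, the names, the 900 km/h threshold and the high/medium scoring are all assumptions). Real Identity Protection also learns each user's familiar locations and uses many more signals; the core test here, distance over elapsed time between consecutive sign-ins by one user, is the part worth understanding.

```python
import csv
import io
import math
from datetime import datetime

# Constructed sample sign-in records (a simplified shape, not the real Entra sign-in log schema):
# time, user, resolved city and coordinates of the source IP.
SAMPLE_LOG = """\
time,user,city,lat,lon
2024-03-01T08:00:00Z,alice@contoso.com,Seattle,47.6062,-122.3321
2024-03-01T08:45:00Z,alice@contoso.com,Moscow,55.7558,37.6173
2024-03-01T09:00:00Z,bob@contoso.com,London,51.5074,-0.1278
2024-03-01T17:30:00Z,bob@contoso.com,Paris,48.8566,2.3522
2024-03-01T10:00:00Z,carol@contoso.com,Seattle,47.6062,-122.3321
2024-03-01T10:05:00Z,carol@contoso.com,Seattle,47.6062,-122.3321
"""

MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold: about airliner speed
SAME_AREA_KM = 50.0         # assumed: closer than this is the same metro area, not travel


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points on the Earth's surface."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_log(text: str) -> list:
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ")
        row["lat"], row["lon"] = float(row["lat"]), float(row["lon"])
    return rows


def detect_impossible_travel(text: str, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list:
    """Flag consecutive sign-ins by the same user that would need travel faster than max_kmh."""
    by_user = {}
    for row in parse_log(text):
        by_user.setdefault(row["user"], []).append(row)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["time"])
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < SAME_AREA_KM:
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if speed > max_kmh:
                findings.append({
                    "user": user, "from": prev["city"], "to": cur["city"],
                    "km": round(km), "hours": round(hours, 2),
                    "kmh": round(speed) if math.isfinite(speed) else None,
                    # Assumed scoring: far beyond any aircraft is high, merely implausible is medium.
                    "risk": "high" if speed > 3 * max_kmh else "medium",
                })
    return findings


if __name__ == "__main__":
    for f in detect_impossible_travel(SAMPLE_LOG):
        print(f"{f['risk'].upper():6} {f['user']}: {f['from']} -> {f['to']} "
              f"({f['km']} km in {f['hours']} h, ~{f['kmh']} km/h)")
```

On the sample data only Alice is flagged: Seattle to Moscow is roughly 8,400 km and the two sign-ins are 45 minutes apart, which is far beyond the threshold. Bob's London-to-Paris pair is plausible at about 40 km/h and Carol never leaves Seattle. In a real deployment this is exactly the kind of finding that raises sign-in risk and, through a risk-based Conditional Access policy, forces MFA or blocks the session.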
Key Integration Points
Microsoft Entra Connect (formerly Azure AD Connect): Synchronizes identities from on-premises AD DS to Microsoft Entra ID for hybrid identity. Supports password hash synchronization (PHS), pass-through authentication (PTA), and federation with AD FS.
Microsoft Entra Domain Services: Provides managed domain services (Kerberos, LDAP, NTLM) for Azure VMs without needing to deploy domain controllers.
Azure AD B2B: Allows external users (partners, vendors) to access your applications using their own identities. Uses invitation-based model.
Azure AD B2C: Customer-facing identity management for consumer applications, supporting social logins (Google, Facebook) and local accounts.
Exam-Relevant Numbers and Defaults
Microsoft Entra ID Free includes up to 500,000 directory objects.
Microsoft Entra ID P1 starts at $6/user/month; P2 at $9/user/month.
MFA default grace period: 14 days for users to register.
Conditional Access policies are evaluated every time a user signs in.
Access Reviews default duration: 30 days.
Password expiration policy in Microsoft Entra ID: default 90 days (can be disabled).
Token lifetimes: access tokens are valid for roughly an hour (60 to 90 minutes by default); refresh tokens for web and native apps stay usable as long as they are used at least once every 90 days and have not been revoked (by sign-out, a password change, or an administrator).
Common Misconfigurations
Not enforcing MFA for all users, especially administrators.
Overly permissive Conditional Access policies that allow access from untrusted locations.
Failure to deprovision former employees, leading to orphaned accounts.
Using service principals with excessive permissions (e.g., Global Admin) instead of granular roles.
Summary of Core Concepts
Identity is the cornerstone of security. Authentication proves identity; authorization defines access. Microsoft Entra ID is the central identity platform for Microsoft cloud services, supporting modern protocols (OAuth 2.0, OIDC, SAML) and providing advanced features like Conditional Access and Identity Protection. Zero Trust principles (verify explicitly, least privilege, assume breach) guide the design of identity security. Understanding these concepts is essential for SC-900 and for implementing secure identity solutions in any organization.
User Initiates Sign-In
The user navigates to a resource (e.g., the Microsoft 365 portal). The client application (browser or native app) redirects the user to the Microsoft Entra ID authorization endpoint. The request carries the client's application (client) ID, the redirect URI, the requested permissions (scopes) and a random state value; the client must be registered in Microsoft Entra ID, with that redirect URI, or the request is rejected. The user then enters their UPN and password on the Microsoft Entra sign-in page, not in the client application, so the application never sees the password.
Microsoft Entra ID Authenticates
Microsoft Entra ID receives the credentials and validates them against its directory. It checks if the user exists, if the password is correct, if the account is enabled, and if any authentication policies (like MFA) are required. If MFA is needed, the user is prompted to provide a second factor (e.g., authenticator app code). After successful authentication, Microsoft Entra ID creates an authentication context with a unique session ID.
Conditional Access Evaluation
Before issuing a token, Microsoft Entra ID evaluates any applicable Conditional Access policies. It checks signals: user risk, sign-in risk, location (IP range, country), device compliance (Intune), and application sensitivity. If a policy requires MFA or device compliance and conditions are not met, access is blocked or additional controls are enforced. This step occurs after authentication but before authorization.
Token Issuance
If authentication and Conditional Access succeed, Microsoft Entra ID issues security tokens. In the OAuth 2.0 authorization code flow it first returns a short-lived authorization code to the redirect URI; the client exchanges that code at the token endpoint for an ID token (OIDC), an access token and a refresh token. The ID and access tokens are JSON Web Tokens (JWTs) carrying claims: issuer (iss), subject (sub), audience (aud), not-before (nbf), expiration (exp), and optional claims such as roles and groups. Access tokens are valid for roughly an hour by default (60 to 90 minutes); refresh tokens remain usable for 90 days of inactivity unless revoked.
Resource Access with Token
The client application presents the access token to the resource (e.g., SharePoint Online). The resource validates the token's signature using Microsoft Entra ID's public keys, fetched from the jwks_uri advertised in the tenant's OpenID Connect metadata document (.well-known/openid-configuration). It checks the audience claim to ensure the token was meant for it, and verifies the expiration, not-before and issuer claims. Only if all of these pass does the resource move on to authorization, granting or denying the operation based on claims such as group membership.
Enterprise Scenario 1: Hybrid Identity with Microsoft Entra ID Connect
A large enterprise with 50,000 on-premises Active Directory users wants to enable SSO for Microsoft 365 and Azure. They deploy Microsoft Entra Connect to synchronize identities. The challenge: they need to keep on-premises AD as the authoritative source (e.g., for HR systems). They choose Password Hash Synchronization (PHS) for simplicity; password hashes are synchronized every 2 minutes. For a smoother user experience they enable Seamless SSO, which authenticates domain-joined corporate devices with Kerberos against a computer account (AZUREADSSOACC) that Microsoft Entra Connect creates in on-premises AD, so users don't re-enter passwords. Performance consideration: sync servers should be sized for the object count; 50,000 objects require at least 4 vCPUs and 8 GB RAM. Common misconfiguration: mishandling the sourceAnchor attribute (ms-DS-ConsistencyGuid by default, falling back to objectGUID), which becomes the cloud user's ImmutableId; re-creating or migrating an on-premises object without carrying it over breaks hard matching and produces duplicate user objects in Microsoft Entra ID.
Enterprise Scenario 2: Conditional Access for Remote Workforce
A financial services firm mandates that all remote access to internal apps requires MFA and a compliant device (Intune-managed, not jailbroken). They create a Conditional Access policy: 'All users' (with a break-glass account excluded) and 'All cloud apps', with conditions 'Locations: Any location, excluding trusted IPs (corporate offices)' and 'Client apps: Browser, Mobile apps and desktop clients'. Grant controls: 'Require MFA' and 'Require device to be marked as compliant', requiring all selected controls. If a user tries to access from an untrusted location on a non-compliant device, the sign-in fails; from a compliant device they are prompted for MFA. They also enable the session control 'Use app enforced restrictions' so that SharePoint and Exchange limit downloads on unmanaged devices. Performance: Conditional Access evaluation adds ~200ms to sign-in. Common issue: overly restrictive policies lock out users, so they create the policy in 'Report-only' mode first and read the sign-in logs to see what it would have done.
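The if-then model described in the Conditional Access section and the remote-workforce policy in this scenario can be expressed as a small evaluator. This is an added example, not code from the page or from Microsoft: the policy and sign-in shapes, the group names and the IP ranges are constructed. The semantics it models are the documented ones: exclusions beat inclusions, every applicable enabled policy must be satisfied at once, a block from any policy wins, and report-only policies are recorded but never enforced. It also goes slightly beyond the scenario by including a second, report-only policy so that mode is visible.

```python
import ipaddress
from dataclasses import dataclass

# Constructed data: this range stands in for the named location "corporate offices".
TRUSTED_LOCATIONS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    app: str
    ip: str
    device_compliant: bool   # Intune reports the device as compliant
    mfa_satisfied: bool      # a second factor was already presented in this session


@dataclass(frozen=True)
class Policy:
    name: str
    state: str                       # "enabled" | "report_only" | "disabled"
    include_users: str = "all"       # "all" or a group name
    exclude_groups: frozenset = frozenset()
    apps: str = "all"                # "all" or one app name
    locations: str = "any"           # "any" | "untrusted_only" (any location except trusted IPs)
    grant: frozenset = frozenset()   # subset of {"block", "mfa", "compliant_device"}
    require_all: bool = True         # AND the grant controls (the default) rather than OR


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_LOCATIONS)


def applies(p: Policy, s: SignIn) -> bool:
    """Assignment match: user scope, exclusions, app scope and the location condition."""
    if p.state == "disabled":
        return False
    if p.include_users != "all" and p.include_users not in s.groups:
        return False
    if p.exclude_groups & s.groups:   # exclusions always win; this is how break-glass accounts are protected
        return False
    if p.apps != "all" and p.apps != s.app:
        return False
    if p.locations == "untrusted_only" and is_trusted(s.ip):
        return False
    return True


def policy_outcome(p: Policy, s: SignIn):
    """Return "block", or the set of grant controls this sign-in has not satisfied (empty = grant)."""
    if "block" in p.grant:
        return "block"
    met = {c for c in p.grant
           if (c == "mfa" and s.mfa_satisfied) or (c == "compliant_device" and s.device_compliant)}
    unmet = set(p.grant) - met
    if not p.require_all and met:
        return set()        # "require one of the selected controls": any satisfied control is enough
    if not p.require_all and "mfa" in unmet:
        return {"mfa"}      # nothing satisfied yet, but an MFA prompt alone would do
    return unmet


def evaluate(policies, s: SignIn) -> dict:
    """Every applicable enabled policy must be satisfied; one block anywhere blocks the sign-in."""
    blocked_by, unmet, report_only = [], set(), {}
    for p in policies:
        if not applies(p, s):
            continue
        outcome = policy_outcome(p, s)
        if p.state == "report_only":
            report_only[p.name] = outcome   # written to the sign-in log, never enforced
            continue
        if outcome == "block":
            blocked_by.append(p.name)
        else:
            unmet |= outcome
    if blocked_by:
        return {"decision": "blocked", "reason": "block policy: " + ", ".join(blocked_by), "report_only": report_only}
    if unmet - {"mfa"}:   # device compliance cannot be fixed interactively, so the sign-in fails
        return {"decision": "blocked", "reason": "unmet controls: " + ", ".join(sorted(unmet)), "report_only": report_only}
    if "mfa" in unmet:
        return {"decision": "mfa_challenge", "reason": "MFA required", "report_only": report_only}
    return {"decision": "granted", "reason": "all applicable controls satisfied", "report_only": report_only}


# The remote-workforce policy from the scenario, plus a constructed report-only pilot.
POLICIES = [
    Policy("Remote access: MFA and compliant device", "enabled",
           exclude_groups=frozenset({"breakglass"}), locations="untrusted_only",
           grant=frozenset({"mfa", "compliant_device"})),
    Policy("Block guests from Finance app (pilot)", "report_only",
           include_users="guests", apps="finance-app", grant=frozenset({"block"})),
]


def demo() -> dict:
    staff, guest, bg = frozenset({"staff"}), frozenset({"guests"}), frozenset({"breakglass"})
    cases = {
        "office, unmanaged laptop": SignIn("alice", staff, "finance-app", "203.0.113.25", False, False),
        "home, compliant laptop": SignIn("alice", staff, "finance-app", "198.51.100.7", True, False),
        "home, unmanaged laptop": SignIn("alice", staff, "finance-app", "198.51.100.7", False, False),
        "break-glass from home": SignIn("emergency-admin", bg, "finance-app", "198.51.100.7", False, False),
        "guest from home, compliant, MFA done": SignIn("partner", guest, "finance-app", "198.51.100.9", True, True),
    }
    return {label: evaluate(POLICIES, s) for label, s in cases.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:38} -> {result['decision']:14} {result['reason']}  report-only: {result['report_only']}")
```

Running `demo()` reproduces the scenario: from the office the policy does not apply at all, from home a compliant device gets an MFA prompt while an unmanaged one is refused, the excluded break-glass account is never touched, and the guest sign-in is granted while the pilot policy only records that it would have blocked. That last line is what you read in the sign-in log before switching a policy from report-only to on.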
Enterprise Scenario 3: External Collaboration with Azure AD B2B
A tech company collaborates with 500 external partners. Instead of creating accounts for them manually, they use Azure AD B2B to invite partners to a SharePoint site. Each partner uses their own identity (e.g., partner@partnercompany.com). When a partner signs in, Microsoft Entra ID redirects to the partner's own Microsoft Entra tenant if they have one; otherwise the guest signs in with a federated Google or SAML identity, a Microsoft account, or an email one-time passcode. They enforce MFA for guest users via Conditional Access. Governance: they run a recurring Access Review of guests so that access not reconfirmed within 90 days is removed. Misconfiguration: if the partner's domain is on the tenant's collaboration-restrictions deny list (or absent from its allow list), invitations fail. They also need to ensure that the external users are subject to the same Conditional Access and compliance policies as internal users.
SC-900 Exam Focus: Identity Concepts (Domain: SCI Concepts, Objective 1.2)
The SC-900 exam tests your ability to describe identity concepts, authentication vs. authorization, identity providers, and the role of Microsoft Entra ID. Specific sub-objectives: 'Describe identity as a security boundary', 'Describe authentication vs. authorization', 'Describe identity providers', 'Describe Active Directory vs. Microsoft Entra ID', and 'Describe the concept of Zero Trust'.
Common Wrong Answers and Why Candidates Choose Them
Confusing authentication with authorization: Many candidates answer that MFA is an authorization method. Wrong—MFA is authentication. Authorization is about permissions, not identity verification.
Thinking Microsoft Entra ID is just a cloud version of AD DS: While both are directories, they use different protocols. AD DS uses Kerberos and LDAP; Microsoft Entra ID uses REST, OAuth, SAML. AD DS is not directly accessible from the cloud without federation or sync.
Believing Conditional Access is only for blocking access: It also grants access with controls (e.g., require MFA, require compliant device) and session controls (e.g., app restrictions).
Assuming Zero Trust means no trust at all: Zero Trust means never trust implicitly; always verify. It still requires trust but only after verification.
Specific Numbers and Terms That Appear on the Exam
SAML 2.0: The protocol most often referenced for federation.
OAuth 2.0 / OpenID Connect: Modern protocols for delegated access and authentication.
Microsoft Entra ID P1/P2: Know the difference: P1 adds Conditional Access, P2 adds Identity Protection and PIM.
MFA: Know that it exists in every tier but is driven differently: security defaults in Free, Conditional Access in P1, risk-based policies in P2.
Azure AD Join: For devices; Hybrid Azure AD Join for hybrid environments.
Password Hash Sync vs. Pass-Through Authentication vs. Federation: Know the differences.
Edge Cases the Exam Loves to Test
Service principals vs. managed identities: Managed identities are for Azure resources; service principals are for applications.
Guest user access: B2B guests have limited directory permissions by default.
Device-based Conditional Access: 'Require Microsoft Entra hybrid joined device' needs hybrid-joined devices; 'Require device to be marked as compliant' needs devices registered or joined to Microsoft Entra ID and managed by Intune (or a supported partner MDM).
Identity Protection risk levels: Low, Medium, High. Know that 'High' risk user sign-in can be auto-blocked.
How to Eliminate Wrong Answers
If a question mentions 'verifying identity', it's about authentication; if it mentions 'permissions', it's about authorization.
If a question asks about 'cloud identity provider', the answer is Microsoft Entra ID (not AD DS).
If a question talks about 'just-in-time access', think PIM (P2 feature).
If a question mentions 'device compliance', think Intune and Conditional Access.
By understanding these patterns and the underlying mechanisms, you can confidently answer identity concept questions on the SC-900 exam.
Authentication verifies identity; authorization grants permissions.
Microsoft Entra ID is an Identity Provider (IdP) and directory service for cloud apps, not a replacement for AD DS.
Zero Trust principles: verify explicitly, use least privilege, assume breach.
Conditional Access policies evaluate signals (user, device, location, risk) to enforce access controls.
MFA is available in every tier: security defaults (Free), Conditional Access (P1), risk-based policies (P2).
Federation enables SSO across organizations using SAML or OIDC.
Identity Protection (P2) detects risks like leaked credentials and impossible travel.
PIM (P2) provides just-in-time privileged access and access reviews.
Password Hash Sync (PHS) is the simplest hybrid identity option for SSO.
Guest users in Azure AD B2B have limited directory permissions by default.
Device compliance for Conditional Access requires Azure AD join or Intune enrollment.
Access tokens default to roughly an hour (60 to 90 minutes); refresh tokens remain usable for 90 days of inactivity unless revoked.
These come up on the exam all the time. Here's how to tell them apart.
Authentication
Verifies identity: 'Who are you?'
Uses credentials: password, MFA, certificate
Occurs first in the access flow
Output: a security token or session
Example: user logs in with username and password
Authorization
Determines permissions: 'What can you do?'
Uses policies: RBAC, ABAC, Conditional Access
Occurs after authentication
Output: access granted or denied
Example: user is allowed to read a file based on group membership
On-Premises Active Directory (AD DS)
Uses Kerberos, LDAP, NTLM protocols
Hierarchical database with domains and OUs
Supports group policies and computer accounts
Requires on-premises domain controllers
Not natively cloud-accessible; needs VPN or federation
Microsoft Entra ID
Uses REST, OAuth, SAML, OpenID Connect
Flat directory structure (no OUs); uses administrative units
No group policies; uses Conditional Access and Intune
Cloud-based; no servers to manage
Native cloud access via internet; supports B2B and B2C
Mistake
Microsoft Entra ID is the same as Active Directory Domain Services (AD DS) but in the cloud.
Correct
Microsoft Entra ID is not a cloud version of AD DS. It uses different protocols (REST, OAuth, SAML, OpenID Connect) instead of Kerberos and LDAP. It does not support group policies, computer objects, or NTLM authentication. It is an Identity Provider (IdP) and directory service for cloud applications, not a domain controller.
Mistake
Multi-factor authentication (MFA) is an authorization method.
Correct
MFA is an authentication method that requires two or more verification factors. Authorization determines what an authenticated user can do. MFA strengthens authentication but does not grant permissions.
Mistake
Zero Trust means you should not trust anyone inside the network.
Correct
Zero Trust means 'never trust, always verify'. It does not mean no trust; it means trust is never implicit and must be explicitly verified based on multiple signals. Trust is still granted but only after verification.
Mistake
Conditional Access policies only block access.
Correct
Conditional Access policies can also grant access with controls (e.g., require MFA, require compliant device, require approved client app) and enforce session controls (e.g., app restrictions, sign-in frequency). Block is just one possible outcome.
Mistake
Federation is required for single sign-on (SSO) with Microsoft Entra ID.
Correct
SSO can be achieved without federation using Password Hash Sync (PHS) and Seamless SSO. Federation is one option, but PHS provides SSO for cloud apps without needing an on-premises federation server.
Authentication (AuthN) is the process of verifying a user's identity, typically through a password, MFA, or certificate. Authorization (AuthZ) determines what resources and actions the authenticated user is allowed to access. In Microsoft Entra ID, authentication results in a token, while authorization is enforced by the resource (e.g., SharePoint) based on claims in the token, such as group membership. Exam tip: if the question mentions 'verifying identity', it's AuthN; if it mentions 'permissions', it's AuthZ.
No. Active Directory Domain Services (AD DS) is an on-premises directory service using Kerberos and LDAP. Microsoft Entra ID is a cloud-based Identity Provider that uses REST APIs, OAuth, SAML, and OpenID Connect. They serve different purposes: AD DS manages domain-joined computers and on-premises resources; Microsoft Entra ID manages cloud app access. They can be integrated via Microsoft Entra ID Connect for hybrid identity.
Azure AD B2B (Business-to-Business) allows you to invite external partners to access your organization's applications using their own identities. Azure AD B2C (Business-to-Customer) is a separate service for customer-facing applications, supporting social logins (Google, Facebook) and local accounts. B2B uses your existing Microsoft Entra tenant; B2C creates a separate tenant configured for consumer identity management.
Conditional Access is a Microsoft Entra ID P1/P2 feature that enforces access control policies based on signals. A policy consists of assignments (users, groups, cloud apps, conditions like location, device state, risk) and access controls (grant or block, session controls). When a user signs in, Microsoft Entra ID evaluates all applicable policies. If conditions are met, the specified controls are enforced (e.g., require MFA). If not, access is blocked.
Password Hash Sync (PHS) synchronizes password hashes from on-premises AD to Microsoft Entra ID, enabling cloud authentication. Pass-Through Authentication (PTA) validates passwords directly against on-premises AD without storing hashes in the cloud. PHS is simpler and provides backup authentication if on-premises servers are down. PTA is preferred by organizations that cannot store password hashes in the cloud due to compliance.
PIM is a Microsoft Entra ID P2 feature that provides just-in-time (JIT) privileged access, reducing the risk of standing admin rights. It allows users to activate roles for a limited time (e.g., 1 hour) after approval or via self-service. PIM also enforces MFA on activation, sends alerts, and provides access reviews to audit privileged roles.
SSO allows a user to sign in once and access multiple applications without re-entering credentials. Microsoft Entra ID supports SSO via federation (SAML/OIDC tokens) or Seamless SSO (Kerberos-based, working with PHS or PTA for domain-joined devices). When a user first authenticates, Microsoft Entra ID establishes a session and issues tokens. Subsequent requests to other apps use this session to obtain access tokens without prompting for credentials.