Microsoft Entra ID (formerly Azure Active Directory)
Microsoft Entra ID is Microsoft's cloud-based identity and access management (IAM) service and the backbone of authentication for Azure, Microsoft 365, and thousands of SaaS apps. It uses OAuth 2.0, OIDC, and SAML rather than the Kerberos/NTLM protocols of on-premises AD DS. Key capabilities:
- Authentication — verifies who you are.
- Authorization — determines what you can do after authentication.
- SSO (Single Sign-On) — sign in once and access multiple apps without re-entering credentials.
- Application management — register and manage cloud/on-premises apps.
- B2B/B2C — collaborate with external users or let customers sign in with social identities.
Microsoft Entra Connect synchronizes on-premises Active Directory Domain Services (AD DS) with Entra ID, enabling hybrid identity scenarios. For legacy apps that need traditional AD features, Microsoft Entra Domain Services provides managed domain join, Group Policy, LDAP, and Kerberos/NTLM authentication as a fully managed service, with no domain controllers to deploy, manage, or patch; it is useful for lifting and shifting such apps to Azure.
Authentication Methods
| Method | Description |
|---|---|
| Password | Traditional username + password |
| MFA (Multi-Factor Authentication) | Requires a second verification factor — something you have (Authenticator app, hardware token, SMS) or something you are (biometrics) |
| Passwordless | Eliminates the password entirely: Windows Hello for Business, FIDO2 security keys, Microsoft Authenticator app (phone sign-in) |
| SSO | One login for many apps; reduces password fatigue and attack surface |
MFA is one of the most effective controls against credential attacks. Even if a password is stolen, a second factor blocks unauthorized access.
Passwordless authentication is the most phishing-resistant approach because there is no password to steal. FIDO2 security keys use public-key cryptography and are hardware-bound.
External Identities
Microsoft Entra External Identities covers two scenarios:
- B2B Collaboration — invite external users (partners, vendors) to your tenant using their existing identity (Microsoft, Google, etc.). They appear as guest users.
- B2C (External Customers) — separate service for consumer-facing apps; lets customers sign in with social identities (Google, Facebook) or local accounts.
Conditional Access
Conditional Access is the policy engine of Microsoft Entra ID: it evaluates contextual signals (user identity, group membership, device compliance, location by IP or network, the application being accessed, and sign-in risk score) and enforces access controls before granting access. It requires Microsoft Entra ID P1 at minimum. Common Conditional Access policy actions:
- Require MFA for all admin sign-ins.
- Block access from untrusted locations.
- Require a compliant or Hybrid Entra joined device.
- Limit session duration.
- Block legacy authentication protocols.
Security defaults provide a free baseline (requires MFA for all users, blocks legacy auth) but are less granular than Conditional Access.
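The following Python script is an added illustration and is not part of the original page or of Microsoft's products. It models how a set of Conditional Access policies covering the actions listed above combine at sign-in time: every policy whose assignments and conditions match applies, any block wins, and otherwise the grant controls of all matching policies must be satisfied together. The policy names, users, app names and sign-in signals are all constructed for the example; the `SignIn`, `Policy` and `evaluate` names are the example's own.

```python
"""Toy evaluator for Conditional Access-style policies.

Constructed example, not Microsoft's policy engine. It models the section's
rules: every policy whose assignments and conditions match a sign-in applies,
a block from any matching policy wins, and otherwise the grant controls of all
matching policies must be satisfied together.
"""
from dataclasses import dataclass, field
from typing import Optional

RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    """Signals available at sign-in time (all values constructed)."""
    user: str
    groups: set
    app: str
    trusted_location: bool      # source IP is inside a named trusted location
    device_compliant: bool
    hybrid_joined: bool
    legacy_auth: bool = False   # basic-auth client (e.g. IMAP/SMTP) that cannot perform MFA
    risk: str = "none"          # sign-in risk level


@dataclass
class Policy:
    name: str
    groups: set = field(default_factory=set)       # empty = all users
    apps: set = field(default_factory=set)         # empty = all cloud apps
    untrusted_locations_only: bool = False
    legacy_auth_only: bool = False
    min_risk: Optional[str] = None
    block: bool = False                            # block action instead of grant controls
    require: set = field(default_factory=set)      # {"mfa", "compliant_or_hybrid"}
    sign_in_frequency_hours: Optional[int] = None  # session control


def applies(policy: Policy, s: SignIn) -> bool:
    """True when the sign-in falls inside the policy's assignments and conditions."""
    if policy.groups and not (policy.groups & s.groups):
        return False
    if policy.apps and s.app not in policy.apps:
        return False
    if policy.untrusted_locations_only and s.trusted_location:
        return False
    if policy.legacy_auth_only and not s.legacy_auth:
        return False
    if policy.min_risk and RISK_LEVELS[s.risk] < RISK_LEVELS[policy.min_risk]:
        return False
    return True


def control_satisfied(control: str, s: SignIn, presented: set) -> bool:
    if control == "mfa":                      # legacy clients cannot present a second factor
        return "mfa" in presented and not s.legacy_auth
    if control == "compliant_or_hybrid":
        return s.device_compliant or s.hybrid_joined
    raise ValueError(f"unknown control: {control}")


def evaluate(s: SignIn, policies, presented=frozenset()) -> dict:
    """presented: grant controls the client has already satisfied, e.g. {"mfa"}."""
    matched = [p for p in policies if applies(p, s)]
    result = {"policies": [p.name for p in matched], "unmet": [], "sign_in_frequency_hours": None}
    if any(p.block for p in matched):          # any block wins over every grant
        result["decision"] = "block"
        return result
    required = set().union(*(p.require for p in matched))
    result["unmet"] = sorted(c for c in required if not control_satisfied(c, s, presented))
    freqs = [p.sign_in_frequency_hours for p in matched if p.sign_in_frequency_hours]
    result["sign_in_frequency_hours"] = min(freqs) if freqs else None
    # "challenge": the client is prompted for the unmet controls (or refused if it cannot provide them)
    result["decision"] = "grant" if not result["unmet"] else "challenge"
    return result


# Constructed policy set covering the common actions listed in the section
POLICIES = [
    Policy("Require MFA for admins", groups={"Global Administrators"}, require={"mfa"}),
    Policy("Block Finance app from untrusted locations", apps={"FinanceApp"},
           untrusted_locations_only=True, block=True),
    Policy("Require compliant or hybrid-joined device", require={"compliant_or_hybrid"}),
    Policy("Block legacy authentication", legacy_auth_only=True, block=True),
    Policy("Admin sign-in frequency 4h", groups={"Global Administrators"}, sign_in_frequency_hours=4),
    Policy("Require MFA at medium or higher risk", min_risk="medium", require={"mfa"}),
]

ADMIN = {"user": "admin@contoso.example", "groups": {"Global Administrators"}}  # constructed
USER = {"user": "user@contoso.example", "groups": {"Staff"}}                    # constructed


def scenarios() -> dict:
    """Run a few constructed sign-ins through POLICIES and return the decisions."""
    return {
        "admin_trusted_mfa": evaluate(SignIn(**ADMIN, app="Azure portal", trusted_location=True,
                                             device_compliant=True, hybrid_joined=False), POLICIES, {"mfa"}),
        "admin_finance_untrusted": evaluate(SignIn(**ADMIN, app="FinanceApp", trusted_location=False,
                                                   device_compliant=True, hybrid_joined=False), POLICIES, {"mfa"}),
        "admin_no_mfa": evaluate(SignIn(**ADMIN, app="Azure portal", trusted_location=True,
                                        device_compliant=True, hybrid_joined=False), POLICIES),
        "user_legacy_client": evaluate(SignIn(**USER, app="Exchange Online", trusted_location=True,
                                              device_compliant=True, hybrid_joined=False, legacy_auth=True), POLICIES),
        "user_unmanaged_device": evaluate(SignIn(**USER, app="SharePoint", trusted_location=True,
                                                 device_compliant=False, hybrid_joined=False), POLICIES),
        "user_high_risk": evaluate(SignIn(**USER, app="SharePoint", trusted_location=True,
                                          device_compliant=True, hybrid_joined=False, risk="high"), POLICIES),
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name}: {r['decision']} unmet={r['unmet']} via {r['policies']}")
```

Two details matter for practitioners: the legacy-authentication block is what makes the MFA requirement enforceable, because a basic-auth client can never present a second factor and would otherwise be evaluated only against the device policy; and session controls (the sign-in frequency) combine by taking the strictest value across matching policies.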
Azure RBAC (Role-Based Access Control)
Azure RBAC controls authorization, that is, what authenticated users can do with Azure resources. Roles are assigned to security principals (users, groups, managed identities, service principals) at a scope. Permissions are additive: multiple role assignments are combined, and standard RBAC has no explicit deny. Scope hierarchy (broadest to narrowest):
- Management Group → Subscription → Resource Group → Resource
Built-in roles:
| Role | Permissions |
|---|---|
| Owner | Full access + can grant access to others |
| Contributor | Full access to resources; cannot grant access to others |
| Reader | View resources only; no modifications |
| User Access Administrator | Manage user access to resources; no resource management |
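The following Python script is an added example and is not Azure's authorization engine or code from the original page. It models the RBAC rules described above: assignments at a scope are inherited by every child scope, the effective permission is the additive union of all matching assignments, and only a separate deny assignment (the advanced feature the page mentions later) removes a permission. The role definitions are simplified versions of the four built-in roles; the subscription id, principals, group memberships and assignments are constructed placeholders, and `is_allowed`, `effective_roles` and `scope_covers` are the example's own names.

```python
"""Azure RBAC effective-permission evaluator (constructed example).

Models the rules described above: roles are assigned to security principals
at a scope, an assignment is inherited by every child scope, the result is the
additive union of all matching assignments, and only a separate deny
assignment removes a permission. The role definitions are simplified versions
of the built-in roles; the subscription id and principals are placeholders.
"""
from fnmatch import fnmatchcase

ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    # Contributor is "*" minus the role-assignment (Microsoft.Authorization) write/delete actions
    "Contributor": {"actions": ["*"], "not_actions": [
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/elevateAccess/Action",
    ]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {"actions": ["*/read", "Microsoft.Authorization/*"], "not_actions": []},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder subscription
PROD_RG = SUB + "/resourceGroups/prod-rg"
DEV_RG = SUB + "/resourceGroups/dev-rg"
PROD_VM = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/web01"
DEV_VM = DEV_RG + "/providers/Microsoft.Compute/virtualMachines/web02"

GROUPS = {"alice": {"engineers"}}                 # constructed group memberships
ASSIGNMENTS = [                                   # (principal or group, role, scope)
    ("alice", "Reader", SUB),
    ("alice", "Contributor", PROD_RG),
    ("bob", "Owner", SUB),
    ("carol", "User Access Administrator", PROD_RG),
]
DENY_ASSIGNMENTS = [                              # (principal or group, denied actions, scope)
    ("engineers", ["Microsoft.Compute/virtualMachines/delete"], PROD_RG),
]


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """An assignment at a scope applies to that scope and everything below it."""
    return target_scope == assigned_scope or target_scope.startswith(assigned_scope + "/")


def action_matches(patterns, action: str) -> bool:
    # Azure action strings are case-insensitive and '*' spans path segments
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_allows(role: str, action: str) -> bool:
    defn = ROLES[role]
    return action_matches(defn["actions"], action) and not action_matches(defn["not_actions"], action)


def identities_of(principal: str) -> set:
    return {principal} | GROUPS.get(principal, set())


def effective_roles(principal: str, target_scope: str) -> list:
    ids = identities_of(principal)
    return sorted({role for who, role, scope in ASSIGNMENTS
                   if who in ids and scope_covers(scope, target_scope)})


def is_allowed(principal: str, action: str, target_scope: str) -> bool:
    ids = identities_of(principal)
    # A matching deny assignment overrides every role assignment
    for who, actions, scope in DENY_ASSIGNMENTS:
        if who in ids and scope_covers(scope, target_scope) and action_matches(actions, action):
            return False
    # Additive: allowed if ANY inherited role assignment permits the action
    return any(role_allows(role, action) for role in effective_roles(principal, target_scope))


if __name__ == "__main__":
    checks = [("alice", "Microsoft.Compute/virtualMachines/write", PROD_VM),
              ("alice", "Microsoft.Compute/virtualMachines/write", DEV_VM),
              ("alice", "Microsoft.Authorization/roleAssignments/write", PROD_RG),
              ("carol", "Microsoft.Authorization/roleAssignments/write", PROD_RG)]
    for who, action, scope in checks:
        print(who, action, "->", is_allowed(who, action, scope), effective_roles(who, scope))
```

The Contributor definition is where the Owner-versus-Contributor distinction lives: both start from `*`, but Contributor's NotActions carve out the `Microsoft.Authorization` write and delete actions, so a Contributor can build anything in scope yet cannot grant anyone else access. When reviewing an Access control (IAM) blade, checking a principal's inherited assignments from the subscription and management group down, not just the ones created at the resource group, is what this union model implies.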
Zero Trust
Zero Trust is a security model based on three principles: Verify Explicitly (always authenticate and authorize using all available data points), Use Least Privilege Access (just-in-time and just-enough access), and Assume Breach (minimize blast radius, segment access, verify end-to-end encryption). It contrasts with the traditional perimeter model ("trust everything inside the firewall"): in Zero Trust, location inside the corporate network does not automatically grant trust, and every access request is verified explicitly.
Defense-in-Depth
Defense-in-depth is a layered security strategy in which multiple independent controls slow down an attacker: each layer still provides protection if a previous layer is bypassed, so defeating one layer does not grant full access. The layers from outermost to innermost are:
| Layer | Examples |
|---|---|
| Physical | Badge access, security cameras, locked datacenters |
| Identity and access | MFA, Conditional Access, RBAC, Privileged Identity Management |
| Perimeter | DDoS Protection, Azure Firewall, WAF |
| Network | NSGs, VNet segmentation, private endpoints |
| Compute | VM endpoint protection, patching, Just-in-Time VM access |
| Application | Secure coding, OWASP practices, App Service authentication |
| Data | Encryption at rest and in transit, Azure Key Vault |
Microsoft Defender for Cloud
Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP). It assesses the security posture of Azure, multi-cloud, and on-premises resources with a Secure Score, detects threats, and provides actionable remediation recommendations, working natively across Azure, AWS, and GCP from a single pane of glass. Key features:
- Secure Score — a percentage showing how well your configuration aligns with security best practices.
- Security alerts — real-time detections of suspicious activity (brute force, crypto mining).
- Regulatory compliance dashboard — maps your configuration against ISO 27001, PCI DSS, NIST.
- Defender plans — enhanced threat protection per workload type (Defender for Servers, Containers, SQL, etc.).
Authentication Method Security Spectrum
| Method | Phishing resistance | User friction | Setup complexity |
|---|---|---|---|
| Password only | Low | Low | Very low |
| Password + MFA (SMS) | Medium | Medium | Low |
| Password + MFA (Authenticator app) | High | Low-medium | Low |
| Passwordless (FIDO2 key) | Very high | Very low (tap) | Medium |
| Passwordless (Windows Hello) | Very high | Very low (biometric) | Medium |
Passwordless is the most secure — no password exists to steal via phishing, brute force, or credential stuffing.
RBAC Built-in Roles — Key Distinctions
| Role | Create/Modify Resources | Grant Access to Others | Read Resources |
|---|---|---|---|
| Owner | Yes | Yes | Yes |
| Contributor | Yes | No | Yes |
| Reader | No | No | Yes |
| User Access Administrator | No | Yes | Yes |
Critical distinction: Owner vs. Contributor — Owner can manage role assignments; Contributor cannot. This is a high-frequency AZ-900 exam question.
Zero Trust vs. Perimeter Security — Contrast
| Attribute | Perimeter Model | Zero Trust Model |
|---|---|---|
| Trust assumption | Inside network = trusted | Never trust, always verify |
| Authentication | One-time at network edge | Continuous, every request |
| Lateral movement risk | High (breach = full access) | Low (segmented, least privilege) |
| Response to breach | Detect and contain | Assume breach, minimize blast radius |
| Key Azure tools | VPN, firewall | Conditional Access, RBAC, PIM, MFA |
Microsoft Defender for Cloud — Three Core Functions
| Function | What it does | Key output |
|---|---|---|
| Assess (CSPM) | Evaluates security posture against best practices | Secure Score + recommendations |
| Protect (CWPP) | Detects threats on workloads in real time | Security alerts |
| Remediate | Provides prioritized, actionable fixes | One-click remediation steps |
Explore Identity and Security in the Azure Portal
Step 1 — View Microsoft Entra ID Users and Roles
- Sign in to portal.azure.com.
- Search for Microsoft Entra ID (formerly Azure Active Directory).
- Click Users → select any user → Assigned roles — see their directory role assignments.
- Click Enterprise applications → see registered SaaS apps that use SSO.
Step 2 — Explore Conditional Access Policies
- In Microsoft Entra ID, navigate to Security → Conditional Access.
- Click + New policy and observe the available Signals (Users, Cloud apps, Conditions) and Grant controls (Require MFA, Require compliant device).
- Note that Conditional Access requires Entra ID P1 — check the license requirement note.
- Cancel without saving.
Step 3 — View RBAC Role Assignments
- Navigate to your Subscription → Access control (IAM).
- Click Role assignments — observe who has Owner, Contributor, and Reader roles.
- Click + Add → Add role assignment — browse the built-in roles available and their descriptions.
- Cancel without saving.
Step 4 — Open Microsoft Defender for Cloud
- Search for Microsoft Defender for Cloud in the portal.
- Open the Overview page and find the Secure Score — note the percentage and the gap to 100%.
- Click Recommendations — observe how recommendations are ranked by impact on the Secure Score.
- Click Regulatory compliance — see which compliance standards are mapped to your environment.
AZ-900 Exam Focus
Exam Trap
"Microsoft Entra ID is the same as Active Directory Domain Services" — False. Entra ID is a cloud IAM service using OAuth/OIDC/SAML. AD DS is an on-premises service using Kerberos/NTLM/LDAP. They serve different purposes and are not interchangeable. Use Microsoft Entra Connect to sync between them.
Exam Trap
"RBAC denies access explicitly" — False. Azure RBAC is additive — permissions from multiple role assignments are combined (union). To explicitly deny, you need Azure Policy (deny effects) or RBAC deny assignments (advanced feature).
Exam Trap
"Conditional Access is available in all Microsoft Entra ID tiers" — False. Conditional Access requires Microsoft Entra ID P1 at minimum. The free tier only gets Security Defaults, which are less flexible.
Exam Trap
"Defender for Cloud only works with Azure" — False. Defender for Cloud natively supports multi-cloud environments including AWS and GCP, as well as on-premises servers via Azure Arc.
Exam Trap
"Owner and Contributor roles have the same permissions" — False. Owner includes the right to grant access to others (manage role assignments). Contributor has full resource access but cannot manage role assignments. This distinction is a very common exam question.
Must Memorize
Zero Trust three principles: Verify Explicitly · Use Least Privilege Access · Assume Breach
RBAC four key roles: Owner (full + grant) · Contributor (full, no grant) · Reader (view only) · User Access Administrator (grant only, no resources)
- Q: What is the difference between Microsoft Entra ID and Active Directory Domain Services (AD DS)?
- Q: What is the difference between the Owner and Contributor RBAC roles?
- Q: What are the three principles of Zero Trust?
- Q: What does Microsoft Defender for Cloud's Secure Score measure?
- Q: What license is required for Conditional Access in Microsoft Entra ID?
- Q: What is defense-in-depth and how many layers does it have?