Domain 2 of 3 · Chapter 4 of 4

Identity, Access & Security

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Azure Fundamentals premium course — no separate purchase.

Included in this chapter:

  • Directory services: Microsoft Entra ID and Microsoft Entra Domain Services
  • Authentication vs authorization, and the authentication methods
  • External identities and Conditional Access
  • Azure role-based access control (RBAC)
  • Zero Trust, defense-in-depth, and Microsoft Defender for Cloud
  • Recognizing these questions on the exam

Microsoft Entra ID vs Microsoft Entra Domain Services

AspectMicrosoft Entra IDMicrosoft Entra Domain Services
What it isCloud identity and access management (IDaaS)Managed domain with traditional AD features
Former nameAzure Active Directory / Azure ADAzure AD Domain Services / Azure AD DS
ProtocolsModern web: OAuth 2.0, OpenID Connect, SAML, RESTLegacy: domain join, group policy, LDAP, Kerberos/NTLM
You run domain controllers?No: fully managed cloud serviceNo: Microsoft runs the DCs, you just enable it
Typical useSSO, MFA, app and Azure resource accessLift-and-shift VMs needing legacy domain features

Decision tree

Are the users outside your org? Yes External ID Microsoft Entra External ID No VM needs domain join, group policy, LDAP, Kerberos/NTLM? Yes Managed domain Microsoft Entra Domain Services No Apply MFA based on risk, location, or device? Yes Policy controls Conditional Access No Cloud sign-in + SSO Microsoft Entra ID Microsoft Entra ID is the foundation; Domain Services, External ID, and Conditional Access extend it for specific needs.

Cheat sheet

  • Microsoft Entra ID is Azure's cloud identity and access service
  • Azure AD is now Microsoft Entra ID: same product, new name
  • Entra ID is not a cloud version of Active Directory
  • Entra Domain Services gives you a managed domain with no DCs to run
  • Need legacy domain features for a lift-and-shift VM? Use Entra Domain Services
  • Authentication proves who you are; authorization decides what you may do
  • Single sign-on means authenticate once, reach many apps
  • MFA needs two or more factors from different categories
  • Two factors from the same category is not MFA
  • Passwordless replaces the password with a stronger factor
  • B2B collaboration invites partners in as guests on their own credentials
  • Keep customer identities out of your employee directory
  • Conditional Access turns sign-in signals into an access decision
  • Conditional Access lets you demand MFA only when risk warrants it
  • An RBAC role assignment is principal + role definition + scope
  • Know the four fundamental built-in roles: Owner, Contributor, Reader, UAA
  • Only Owner and User Access Administrator can hand out roles
  • RBAC scope inherits down the resource hierarchy
  • RBAC is additive, so assign least privilege at the narrowest scope
  • Zero Trust: verify explicitly, least privilege, assume breach
  • Defense-in-depth stacks independent layers so one failure isn't a breach
  • Data is the innermost defense-in-depth layer
  • Defender for Cloud does posture management plus workload protection
  • Secure Score summarizes your posture and rises as you remediate
  • Defender for Cloud covers Azure, hybrid, and other clouds
  • Conditional Access needs P1, and every matching policy must be satisfied

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/whatis
  2. https://learn.microsoft.com/en-us/entra/identity/domain-services/overview
  3. https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods
  4. https://learn.microsoft.com/en-us/entra/external-id/external-identities-overview
  5. https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  6. https://learn.microsoft.com/en-us/azure/role-based-access-control/overview
  7. https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-overview
  8. https://learn.microsoft.com/en-us/azure/security/fundamentals/overview
  9. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction