Authentication and Access
Every sign-in is a fresh access decision, and Conditional Access is the gate that makes it
Zero Trust says verify explicitly: trust nothing because of where a request comes from, and re-decide access on every sign-in using whatever signals are available at that moment. In Microsoft Entra ID that decision is a single if-then gate called Conditional Access, and this whole domain is the machinery feeding it. A policy reads "if these signals match (who, what resource, where, what risk), then enforce these controls (block, or grant only with multifactor authentication, MFA, or a compliant device)." The classic trap is treating the older per-user MFA toggle or Security Defaults as the way you require strong authentication today; both predate this gate and are being retired in its favor. Plan from the gate: decide what each sign-in must prove, then arrange the other three subtopics to supply the credentials, the risk signal, and the network reach that gate needs.
The domain unfolds in four steps: credentials, the gate, the risk signal, then the network
Read the four subtopics as one pipeline into that gate. First, Authentication Methods is where you enable and scope the strong credentials a population can register, ranked by phishing resistance (passkeys and Windows Hello for Business at the top, SMS and voice at the bottom), so there is something solid for the gate to demand. Second, Conditional Access is the gate itself: it ANDs its assignments, ANDs the grant controls you select, and lets a Block in any matching policy override every grant. Third, ID Protection adds a sharper input by scoring user risk and sign-in risk, which you consume as a risk condition in a Conditional Access policy rather than through the standalone legacy risk policies (retiring October 1, 2026). Fourth, Global Secure Access extends the same identity-aware gate beyond app sign-in to network traffic itself, tunneling internet, Microsoft 365, and private-app traffic so Conditional Access can apply to it. Each step exists to make the gate's decision stronger or wider.
When two answers both work, choose the more phishing-resistant, signal-aware option
The exam consistently rewards the stronger end of the Zero Trust spectrum. Between two methods that both satisfy MFA, prefer the phishing-resistant one (passkey, Windows Hello for Business, certificate-based authentication) over a phishable one (Authenticator push, SMS). Between enforcing a control statically and enforcing it on a signal, prefer the signal: require MFA on elevated sign-in risk rather than on everyone all the time. And between blocking traffic at the edge generically and routing it through the identity-aware gate, prefer the gate. Two guardrails ride along with this instinct: test a new Conditional Access policy in report-only mode before turning it On, and exclude emergency-access (break-glass) accounts from every policy so one misconfiguration cannot lock out all administrators.
How each subtopic feeds the one access-decision gate
| Step | Role at the gate | Signature control | Drill into |
|---|---|---|---|
| Register the credential | Supplies the strong factors the gate can demand | Authentication methods policy, phishing-resistant tier, Temporary Access Pass | Authentication Methods |
| Make the decision | The if-then gate that grants, blocks, or adds requirements per sign-in | Assignments AND grant controls; Block overrides; report-only | Conditional Access |
| Sharpen the signal | Scores user risk and sign-in risk for the gate to act on | Risk-based Conditional Access; MFA-registration prerequisite | ID Protection |
| Widen the reach | Extends the identity-aware gate to network traffic, not just app sign-in | Traffic forwarding profiles; Internet Access and Private Access | Global Secure Access |