Domain 2 of 4

Microsoft Entra

Domain · 25–30% of the SC-900 exam

One identity control plane, four questions about a single sign-in

Microsoft Entra is one identity control plane, and this domain is that plane answering four questions about a single sign-in, in order. Start with the names, because the exam leans on them: Microsoft Entra is the product family, while Microsoft Entra ID (the service formerly called Azure Active Directory) is the directory that actually holds identities and authenticates them. The same sign-in then passes four gates this page calls who, prove, permit, and review: who is this identity and what kind is it, how does it prove that, under what conditions may it proceed and what may it then do, and is it still trustworthy enough to keep that access. The gates are distinct, and the most common SC-900 trap is collapsing them, for example reading 'the user passed MFA (multifactor authentication)' as 'the user is in and may act', when proving who you are is a different gate from what you may do; that authentication-versus-authorization split is defined in Identity concepts.

The domain unfolds in four steps, one sign-in at a time

The domain unfolds in four steps, each owned by one subtopic, and reading them in order is the fastest way to hold it. First, who: Entra ID and Identity Types establishes that Entra ID is cloud identity rather than a domain controller in the cloud, and sorts what it governs into users (including guests), workload identities (including managed identities), and devices, plus hybrid identity for accounts that span on-premises and cloud. Second, prove: Authentication and MFA is the catalog of methods and what actually counts as MFA, namely evidence from two different factor categories rather than two passwords, including passwordless and phishing-resistant options and the password protections that harden the weakest factor. Third, permit, which is two halves on one page: Conditional Access and RBAC first uses Conditional Access, an if-then policy engine that runs after the first factor, to decide the conditions under which the sign-in may proceed, then uses RBAC (role-based access control) to decide what the identity may do once in. Fourth, review: Identity Protection and Governance keeps the identity honest over time, with ID Protection judging live sign-in and user risk and ID Governance managing the standing grant through tools such as Privileged Identity Management and access reviews.

When two answers both work, verify explicitly and grant least privilege

This whole domain is Microsoft Entra putting Zero Trust into practice, so when two options both seem to work, choose the one that reflects Zero Trust's guiding principles: verify explicitly, use least privilege access, and assume breach (three principles resting on seven foundational pillars, not six). Verify explicitly is why Conditional Access checks identity, device, location, and risk at sign-in rather than trusting the network, and it needs a Microsoft Entra ID P1 (Premium P1) license. Least privilege is why the exam rewards the narrowest built-in role at the smallest scope and eligible-not-active access through Privileged Identity Management (PIM). One instinct pays off across the family: match the job to the product, since most questions really ask which Entra member owns a task, and never assume permissions carry between systems, because Microsoft Entra roles and Azure roles are separate and a Global Administrator has no access to Azure subscriptions until they explicitly elevate.

The four questions Entra asks about one sign-in (and where each is covered)

StepThe question it answersEntra answers withDrill into
WhoWhich identity is this, and what kind?Entra ID directory; users and guests, workload and managed identities, devices; hybrid identityEntra ID and Identity Types
ProveHow does it prove it is that identity?Authentication methods, MFA, passwordless and phishing-resistant options, password protectionAuthentication and MFA
PermitUnder what conditions may it proceed, and what may it do?Conditional Access (conditions to get in) and RBAC (permissions once in); Entra roles and Azure roles are separate systemsConditional Access and RBAC
ReviewIs it still trustworthy, and should it keep that access?ID Protection (live user and sign-in risk) and ID Governance (PIM, access reviews)Identity Protection and Governance

Subtopics in this domain