Domain 2 of 4 · Chapter 4 of 4

Identity Protection and Governance

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Security, Compliance, and Identity Fundamentals premium course — no separate purchase.

14-day money-back guarantee — no questions asked.

Included in this chapter:

  • Two questions: govern the grant, protect the sign-in
  • Microsoft Entra ID Governance and the access lifecycle
  • Access reviews: is this access still needed?
  • Privileged Identity Management: just-in-time access
  • Microsoft Entra ID Protection: is this sign-in risky?
  • Exam-pattern recognition: the confusable pairs

Governance and protection capabilities at a glance

CapabilityQuestion it answersProductCore mechanism
Entitlement managementWhich resources should this identity get, and for how long?Entra ID GovernanceAccess packages with an approval step and automatic expiry
Access reviewsDoes this identity still need this access?Entra ID GovernanceRecurring recertification by a reviewer, auto-removal on denial
Privileged Identity ManagementShould this admin hold this privileged role right now?Entra ID GovernanceEligible assignment activated just-in-time, time-bound
Microsoft Entra ID ProtectionIs this sign-in or account compromised?Entra ID ProtectionRisk detection scored low, medium, or high feeding a risk-based policy

Decision tree

Live or suspicious sign-in, or a possibly compromised account? Microsoft Entra ID Protection risk-based policy Yes No Privileged admin role held only when it is used? Privileged Identity Management eligible, activate just-in-time Yes No Recertify that existing access is still justified? Access reviews recurring recertification Yes No Entitlement management access package: request, approve, expire

Cheat sheet

  • Governance decides the standing grant; protection judges the live sign-in
  • Entra ID Governance bundles four capabilities, it is not one feature
  • ID Governance answers four questions about access
  • ID Governance is its own license, on top of P1 and P2
  • Entitlement management grants access as requestable access packages
  • Lifecycle workflows automate joiner, mover, and leaver tasks
  • Access reviews recertify existing access on a recurring schedule
  • Access review decisions can go to the owner, the user, or a delegate, and denials auto-remove
  • Access reviews recertify; PIM time-boxes the immediate need
  • A PIM eligible assignment must be activated; an active one is standing
  • PIM activation can require MFA, justification, and approval, and is time-bound
  • PIM governs Entra roles, Azure resource roles, and groups
  • PIM alerts on activation and keeps a downloadable audit history
  • PIM governs how you hold a role, not what the role can do
  • User risk means the account is compromised; sign-in risk means the login is suspicious
  • Leaked credentials is a user-risk detection, always rated high
  • Anonymous IP, atypical travel, and unfamiliar sign-in properties are sign-in risks
  • ID Protection rates risk as low, medium, or high
  • ID Protection supplies risk; Conditional Access enforces the response
  • A password change remediates user risk; dismissing only clears the flag
  • ID Protection risk signals can export to Microsoft Sentinel
  • Entitlement management is built from catalogs, access packages, policies, and connected organizations
  • Entra ID Protection provides risky users, risky sign-ins, and risk detections reports

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. What is Microsoft Entra ID Governance?
  2. What are lifecycle workflows?
  3. What is entitlement management?
  4. What are risk detections? (Microsoft Entra ID Protection)
  5. What are access reviews?
  6. What is Privileged Identity Management?
  7. What is Microsoft Entra ID Protection?
  8. Risk detection types and levels
  9. Microsoft Entra ID Protection risk-based access policies
  10. Remediate risks and unblock users