Domain 1 of 4 · Chapter 2 of 2

Identity Concepts

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Security, Compliance, and Identity Fundamentals premium course — no separate purchase.

14-day money-back guarantee — no questions asked.

Included in this chapter:

  • Why identity is the primary security perimeter
  • The four pillars, and authentication before authorization
  • Identity providers, tokens, and single sign-on
  • Directory services: AD DS versus Microsoft Entra ID
  • Federation across trust boundaries
  • Exam-pattern recognition: SC-900's confusable pairs

AD DS versus Microsoft Entra ID

AspectAD DS (on-premises)Microsoft Entra ID (cloud)
Deployment modelOn-premises directory on domain controllers you runCloud identity service (IDaaS) that Microsoft operates
StructureHierarchical: forests, domains, and organizational units (OUs)Flat: no OUs, users and groups in one directory
Policy enforcementGroup Policy pushed to domain-joined devicesConditional Access and Intune, with no Group Policy
ProtocolsKerberos, LDAP, NTLMSAML, WS-Federation, OpenID Connect, OAuth 2.0 over HTTP/HTTPS
Access delegationDomains, OUs, and groups delegate rightsMicrosoft Entra role-based access control (RBAC) and groups
Best fitOn-premises Windows servers and legacy line-of-business appsCloud and SaaS apps, mobile and remote users

Cheat sheet

  • Treat identity as the primary security perimeter, not the network
  • All four identity types need authentication and authorization, not just users
  • An identity infrastructure stands on four pillars, not authentication alone
  • Authentication proves who you are; authorization decides what you may do
  • Authorization runs only after authentication succeeds
  • Authorization should grant only the least privilege a role needs
  • An identity provider centralizes authentication so apps stop storing passwords
  • An ID token proves who signed in; an access token grants resource permission
  • OpenID Connect authenticates, OAuth 2.0 authorizes, SAML suits enterprise federation
  • Single sign-on means one sign-in to every app trusting the same identity provider
  • Microsoft Entra ID is Microsoft's cloud identity provider
  • A directory service stores the identity repository and answers who-can-reach-what
  • AD DS is the on-premises directory of domain controllers, OUs, and Group Policy
  • Microsoft Entra ID is not AD DS in the cloud
  • Federation is trust between separate identity providers across boundaries
  • A federation trust is one-way unless you configure both directions
  • Federation spans different identity providers; SSO stays within one
  • A directory stores identities; an identity provider authenticates them
  • SAML federation carries claims in XML security tokens called assertions

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. Define identity as the primary security perimeter (SC-900 learning module)
  2. Define authentication and authorization (SC-900 learning module)
  3. Describe the role of the identity provider (SC-900 learning module)
  4. Describe the concept of directory services and Active Directory (SC-900 learning module)
  5. Compare Active Directory to Microsoft Entra ID
  6. Describe the concept of federation (SC-900 learning module)