Stage 7 · Master
AZ-900 — Azure Fundamentals
Identity & Security (Entra ID)
Entra ID, conditional access, and defense in depth — securing your Azure environment.
Microsoft Entra ID
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. It handles authentication, authorization, and single sign-on for Azure resources and Microsoft 365.
- Authentication — Verifying identity (who are you?).
- Authorization — Determining access (what can you do?).
- Single Sign-On (SSO) — One login for multiple applications.
- Multi-Factor Authentication (MFA) — Additional verification beyond password.
- Conditional Access — Policies that control access based on conditions.
Active Directory is on-premises. Entra ID is cloud-based. They are different products with different features. Entra ID is the identity backbone for Azure, Microsoft 365, and thousands of third-party applications.
Authentication Methods
| Method | Description | Security Level |
|---|---|---|
| Password | Traditional username + password | Low |
| MFA | Password + phone/authenticator app | Medium |
| Passwordless | FIDO2 key, Windows Hello, phone sign-in | High |
| Certificate | X.509 certificate authentication | High |
| Managed Identity | Azure-managed credentials for resources | High |
Conditional Access
Conditional Access policies control access to resources based on conditions like user, location, device, risk level, and application. They are the core of modern identity security.
- User/Group — Apply to specific users or groups.
- Location — Block or require MFA from specific locations.
- Device — Require compliant or hybrid-joined devices.
- Application — Apply different policies per application.
- Risk level — Respond to sign-in or user risk.
- Require MFA — Force additional authentication.
Know the difference between authentication (who are you?) and authorization (what can you do?). The exam will test this distinction. Also know the principle of least privilege — grant only the minimum access needed.
Defense in Depth
Defense in depth uses multiple layers of security controls. If one layer fails, the next layer catches the threat. Azure provides security tools at every layer.
- Physical security — Data center access, biometric locks.
- Identity and access — Entra ID, MFA, RBAC.
- Perimeter — DDoS protection, Azure Firewall.
- Network — Network Security Groups, Application Security Groups.
- Compute — Endpoint protection, just-in-time VM access.
- Application — Web Application Firewall, API Management.
- Data — Encryption at rest and in transit, Key Vault.
Zero Trust Model
Zero Trust assumes no user, device, or network is inherently trusted. Every access request is verified regardless of origin. This is the modern security paradigm that replaces traditional perimeter-based security.
- Verify explicitly — Always authenticate and authorize based on all available data.
- Use least privilege access — Limit access with just-in-time and just-enough-access.
- Assume breach — Minimize blast radius, segment access, verify end-to-end encryption.
Key Terms to Memorize
- Entra ID — Cloud identity and access management.
- MFA — Multi-Factor Authentication.
- SSO — Single Sign-On.
- PIM — Privileged Identity Management (just-in-time admin access).
- PAM — Privileged Access Management.
- Identity Protection — Risk-based sign-in detection.
- Key Vault — Secrets, keys, and certificates management.
- Microsoft Defender for Cloud — Cloud Security Posture Management (CSPM).
Useful Commands
# Check sign-in logs
az ad sign-in list --output table
# List users
az ad user list --output table
# Check role assignments
az role assignment list --output table
# List Key Vault secrets
az keyvault secret list --vault-name my-vault --output table
# Check Defender status
az security status --output tableThese Azure CLI commands help you manage identity and security. You do not need to know CLI commands for the AZ-900 exam, but they are useful for hands-on practice.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.