Exam Notes
Policies are additive - if any policy blocks, access is blocked. If multiple policies grant with different requirements, all requirements must be met. Always exclude break-glass accounts from blocking policies.
Identity & Authentication
Identity & Access Management
Identity is the foundation of Azure security. Microsoft Entra ID (formerly Azure AD) provides identity services for authentication, authorization, and identity governance across cloud and hybrid environments.
IdentityWho are you?
→
AuthenticationProve it
→
AuthorizationWhat can you do?
→
AccessGranted
Microsoft Entra ID
Microsoft Entra ID is Microsoft's cloud-based identity and access management service. It's the backbone of identity for Microsoft 365, Azure, and thousands of SaaS applications.
Core Capabilities
- Single Sign-On (SSO) - One identity, many apps
- Multi-Factor Authentication - Something you know + have + are
- Application Management - Enterprise app gallery
- Device Management - Join, register, compliance
- Self-Service - Password reset, group management
License Tiers
- Free - Basic identity, SSO (10 apps)
- P1 - Conditional Access, hybrid identity, dynamic groups
- P2 - Identity Protection, PIM, access reviews
- Governance - Lifecycle workflows, entitlement management
Hybrid Identity
- Entra Connect - Sync on-prem AD to cloud
- Password Hash Sync - Hash synced to cloud
- Pass-through Auth - Validate against on-prem
- Federation (ADFS) - On-prem handles auth
Authentication Methods
- Password (legacy, avoid if possible)
- Microsoft Authenticator app
- FIDO2 security keys
- Windows Hello for Business
- Certificate-based authentication
Entra External ID: B2B
B2B collaboration enables secure sharing with external partners, suppliers, and vendors. Guest users authenticate with their own identity provider but access your resources.
How B2B Works
- Invite external users as guests
- Guests use their own credentials (work, personal, social)
- Your tenant controls access to your resources
- No password sync or federation required
Identity Providers
- Microsoft Entra ID (work accounts)
- Microsoft accounts (personal)
- Google federation
- SAML/WS-Fed identity providers
- Email one-time passcode (fallback)
Cross-Tenant Access
- Inbound - Control how externals access you
- Outbound - Control how your users access others
- Trust settings - Trust MFA, device claims
- Configure per organization or default
B2B Direct Connect
- Mutual trust between two Entra tenants
- Users don't appear as guests
- Seamless access to shared channels (Teams)
- Requires both orgs to configure trust
Azure AD B2C / Entra External ID: B2C
Azure AD B2C is a customer identity and access management (CIAM) solution for consumer-facing applications. It handles millions of users and billions of authentications daily.
B2C vs B2B
| B2B | B2C | |
|---|---|---|
| Users | Partners, suppliers | Consumers, customers |
| Scale | Thousands | Millions |
| Tenant | Your Entra tenant | Separate B2C tenant |
| Branding | Limited | Fully customizable |
User Flows & Custom Policies
- User Flows - Predefined, configurable journeys
- Sign up, sign in, password reset, profile edit
- Custom Policies - XML-based, full control
- Complex orchestration, API integrations
Social Identity Providers
- Google, Facebook, Apple
- Twitter, LinkedIn, GitHub
- Amazon, WeChat, QQ
- Any OpenID Connect or SAML provider
Key Features
- Custom branded sign-in pages
- Progressive profiling
- Age gating and parental consent
- API connectors for custom logic
Conditional Access
Conditional Access is the Zero Trust policy engine. It evaluates signals (user, device, location, risk) and enforces access decisions (allow, block, require MFA) for every authentication.
SignalsUser, Device, Location, Risk
→
Policy EngineEvaluate Conditions
→
DecisionAllow, Block, Require
Policy Components
Assignments (IF)
- Users/Groups - Who it applies to
- Cloud Apps - Which apps
- Conditions - When to trigger
Conditions
- User/sign-in risk level
- Device platform (iOS, Windows)
- Location (named, IP ranges)
- Client apps (browser, mobile)
Access Controls (THEN)
- Block - Deny access
- Grant - Allow with requirements
- Require MFA, compliant device
- Session controls (sign-in frequency)
Identity Protection
Identity Protection uses Microsoft's threat intelligence to detect identity-based risks in real-time and enables automated responses to protect users.
User Risk
Risk that an account has been compromised.
- Leaked credentials (dark web)
- Threat intelligence signals
- Anomalous user behavior
Remediation: Force password change
Sign-in Risk
Risk that a sign-in attempt is not legitimate.
- Anonymous IP address
- Atypical travel (impossible travel)
- Malware-linked IP
- Unfamiliar sign-in properties
Remediation: Require MFA
Risk Levels & Policies
| Risk Level | Description | Recommended Action |
|---|---|---|
| High | Strong indicators of compromise | Block or require password change |
| Medium | Moderate risk indicators | Require MFA |
| Low | Minor anomalies detected | Allow or require MFA |
| None | No risk detected | Allow |
Access Reviews
Access Reviews enable periodic verification of user access rights. Reviewers confirm whether users still need access, helping maintain least-privilege principles.
What Can Be Reviewed
- Group memberships
- Application assignments
- Entra role assignments
- Azure resource role assignments
- Access package assignments
Reviewer Options
- Self-review - Users attest their own access
- Manager - User's manager reviews
- Group owners - Owners review members
- Specific users - Designated reviewers
Review Settings
- Duration - Days to complete review
- Recurrence - One-time, weekly, monthly, quarterly, annually
- Auto-apply - Remove access automatically if denied
- No response action - What happens if reviewer doesn't respond
Service Principals
A service principal is an identity for an application. It defines what the application can access and is used for automated authentication (no human involved).
App Registration vs Service Principal
- App Registration - Global definition of the app
- Service Principal - Instance in a specific tenant
- One app registration can have multiple service principals
- Multi-tenant apps create SP in each tenant
Authentication Options
- Client Secret - Password-based (expires)
- Certificate - More secure, longer validity
- Federated Credentials - No secrets (GitHub, K8s)
Best Practices
- Prefer managed identities over service principals when possible
- Use certificates over client secrets
- Use federated credentials for CI/CD (no secrets to manage)
- Follow least privilege - only grant required permissions
Managed Identities
Managed identities eliminate the need for developers to manage credentials. Azure automatically manages the identity and provides tokens for Azure resource authentication.
System-Assigned
- Created as part of Azure resource
- Lifecycle tied to the resource
- One identity per resource
- Deleted when resource is deleted
- Use when: Single resource needs access
User-Assigned
- Created as standalone Azure resource
- Independent lifecycle
- Can be shared across multiple resources
- Must be explicitly deleted
- Use when: Multiple resources need same access
Supported Services
Azure Key Vault
Azure Key Vault safeguards cryptographic keys, secrets, and certificates. It provides centralized secrets management with access policies and audit logging.
key
Keys
RSA/EC keys for encryption, signing. HSM-backed available.
password
Secrets
Connection strings, passwords, API keys. Versioned.
verified_user
Certificates
X.509 certificates. Auto-renewal with CAs.
Access Control
- RBAC - Control who manages the vault
- Access Policies - Legacy, key/secret/cert permissions
- RBAC for data plane - Recommended, granular roles
- Network rules (firewall, private endpoints)
Tiers
- Standard - Software-protected keys
- Premium - HSM-backed keys (FIPS 140-2 Level 2)
- Managed HSM - Dedicated HSM (FIPS 140-2 Level 3)
Exam Notes
Soft delete is enabled by default (90 days). Purge protection prevents permanent deletion even by admins. Use managed identities to access Key Vault from Azure services - no secrets in code.
Quick Reference
| Concept | Purpose | Key Points |
|---|---|---|
| Entra ID | Cloud identity provider | SSO, MFA, hybrid sync |
| B2B | External collaboration | Guest users, cross-tenant access |
| B2C | Customer identity | Consumer scale, social login, custom flows |
| Conditional Access | Zero Trust policies | Signals → Decisions (if/then) |
| Identity Protection | Risk detection | User risk, sign-in risk, auto-remediate |
| Access Reviews | Periodic attestation | Verify continued access need |
| Service Principals | App identities | Secrets, certificates, federated |
| Managed Identities | No-secrets auth | System-assigned or user-assigned |
| Key Vault | Secrets management | Keys, secrets, certificates, HSM |