Microsoft Entra ID Overview and Features
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management (IAM) service that helps organizations manage and secure access to applications, resources, and services. It serves as the backbone of identity management within the Microsoft ecosystem and beyond.

**Core Features:**
1. **Authentication & Single Sign-On (SSO):** Microsoft Entra ID provides seamless SSO, allowing users to sign in once and access multiple applications, including Microsoft 365, Azure services, and thousands of third-party SaaS applications, without re-entering credentials.
2. **Multi-Factor Authentication (MFA):** Users verify their identity with an additional factor such as an authenticator app, a FIDO2 security key, or (less securely) a phone call or text message, significantly reducing the risk that a stolen password alone grants access.
3. **Conditional Access:** Organizations create policies that evaluate signals such as user, location, device state, and risk level to make access control decisions in real time.
4. **Identity Protection:** Using machine learning and Microsoft's threat intelligence, it detects risky sign-ins, leaked credentials, and compromised identities, and can trigger automated remediation.
5. **Application Management:** Organizations register and manage both cloud and on-premises applications, with centralized access control and governance.
6. **Self-Service Capabilities:** Users can reset passwords, manage groups, and request access to applications on their own, reducing IT overhead.
7. **B2B and B2C Collaboration:** Entra ID supports secure collaboration with external partners (B2B) and customer-facing identity management (B2C), with controlled access for external users.
8. **Device Management Integration:** It integrates with Microsoft Intune for device-based Conditional Access and compliance enforcement.
9. **Role-Based Access Control (RBAC):** Administrators assign granular permissions based on roles, supporting least-privilege access.

**Editions:** Microsoft Entra ID is available in Free, P1, and P2 tiers; advanced features such as Privileged Identity Management and access reviews require the premium tiers.

Overall, Microsoft Entra ID is essential for implementing Zero Trust security strategies and managing identities across hybrid and multi-cloud environments.
Microsoft Entra ID Overview and Features: A Complete Guide for SC-900
Why is Microsoft Entra ID Important?
Microsoft Entra ID (formerly known as Azure Active Directory or Azure AD) is the cornerstone of Microsoft's identity and access management (IAM) solution. In today's cloud-first world, identity has become the new security perimeter. Organizations no longer rely solely on firewalls and network boundaries to protect resources. Instead, they use identity-based security to control who can access what, when, and from where. Microsoft Entra ID is critically important because it serves as the central identity provider for millions of organizations worldwide, managing authentication and authorization for Microsoft 365, Azure, and thousands of third-party SaaS applications. For the SC-900 exam, understanding Microsoft Entra ID is essential because it underpins nearly every security, compliance, and identity concept tested.
What is Microsoft Entra ID?
Microsoft Entra ID is a cloud-based identity and access management (IAM) service provided by Microsoft. It enables employees, partners, and customers to sign in and access resources such as:
- Internal resources: Apps on a corporate network, intranet portals, and cloud apps developed by the organization.
- External resources: Microsoft 365, Azure portal, and thousands of other SaaS applications.
Microsoft Entra ID is not the same as on-premises Active Directory Domain Services (AD DS). While AD DS is a traditional directory service for on-premises environments using LDAP, Kerberos, and Group Policy, Microsoft Entra ID is a cloud-native service that uses modern authentication protocols like OAuth 2.0, OpenID Connect, and SAML.
Key Features of Microsoft Entra ID
1. Authentication
Microsoft Entra ID verifies the identity of users and services. It supports modern authentication mechanisms including:
- Password-based authentication
- Multi-Factor Authentication (MFA)
- Passwordless authentication (Windows Hello for Business, FIDO2 security keys, Microsoft Authenticator app)
- Self-service password reset (SSPR)
2. Single Sign-On (SSO)
SSO allows users to sign in once and access multiple applications without being prompted to authenticate again. This improves user experience and reduces password fatigue. Microsoft Entra ID supports SSO to thousands of pre-integrated SaaS applications (e.g., Salesforce, ServiceNow, Dropbox) as well as custom applications.
3. Application Management
Microsoft Entra ID provides a centralized platform to manage cloud and on-premises applications. It includes an application gallery with thousands of pre-integrated apps, and supports application proxy for secure remote access to on-premises web applications.
4. Device Management
Devices can be registered or joined to Microsoft Entra ID. This allows organizations to enforce device-based Conditional Access policies, ensuring that only compliant and trusted devices can access corporate resources. Integration with Microsoft Intune enhances device management capabilities.
5. Conditional Access
Conditional Access is a powerful feature that acts as the policy engine for Zero Trust. It brings together identity signals (user, device, location, application, risk level) to make automated access control decisions. For example, a policy might require MFA when a user signs in from an unfamiliar location or block access from non-compliant devices.
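As an added example (not from the original page and not Microsoft's code), the policies below are written with the field names of the Microsoft Graph conditionalAccessPolicy resource, and a small local evaluator models the if/then logic Entra ID applies at sign-in. The evaluator is a simplification of the real engine (it models only the mfa and block controls and a subset of conditions), and every identifier in it is a made-up placeholder.

```python
"""Conditional Access as if/then logic over sign-in signals.

Added example, not Microsoft code. REQUIRE_MFA_POLICY and BLOCK_HIGH_RISK_POLICY
use the field names of the Microsoft Graph conditionalAccessPolicy resource; the
evaluator is a simplified local model (mfa and block controls only) written to
show how conditions select a sign-in and grant controls decide its fate.
All identifiers are made-up placeholders.
"""
from dataclasses import dataclass
from typing import Optional

BREAK_GLASS_USER = "11111111-1111-1111-1111-111111111111"   # emergency access account
TRUSTED_OFFICE = "22222222-2222-2222-2222-222222222222"     # named location ID

# Policy 1: MFA for everyone, every app, from anywhere except the trusted office
# network, excluding the break-glass account so a bad policy cannot lock admins
# out. It starts in report-only mode, which is what 'state' shows.
REQUIRE_MFA_POLICY = {
    "displayName": "CA001: Require MFA for all users",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_USER]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": [TRUSTED_OFFICE]},
        "signInRiskLevels": [],            # empty list = apply at any risk level
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Policy 2: a risk-based policy fed by Identity Protection's sign-in risk signal.
BLOCK_HIGH_RISK_POLICY = {
    "displayName": "CA002: Block high-risk sign-ins",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_USER]},
        "applications": {"includeApplications": ["All"]},
        "signInRiskLevels": ["high"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


@dataclass
class SignIn:
    """The signals Entra ID would hold at policy-evaluation time."""
    user_id: str
    app_id: str
    location_id: Optional[str]   # named location the client IP resolved to, if any
    sign_in_risk: str            # "none", "low", "medium" or "high"
    mfa_satisfied: bool          # has the user already completed MFA this session?


def _selected(include: list, exclude: list, value) -> bool:
    """'All' in an include list means everything; an exclusion always wins."""
    if value in exclude:
        return False
    return "All" in include or value in include


def policy_applies(policy: dict, s: SignIn) -> bool:
    """The IF part: does this sign-in fall inside the policy's conditions?"""
    c = policy["conditions"]
    users, apps = c["users"], c["applications"]
    if not _selected(users.get("includeUsers", []), users.get("excludeUsers", []), s.user_id):
        return False
    if not _selected(apps.get("includeApplications", []), apps.get("excludeApplications", []), s.app_id):
        return False
    locs = c.get("locations")
    if locs and not _selected(locs.get("includeLocations", []), locs.get("excludeLocations", []), s.location_id):
        return False
    risk_levels = c.get("signInRiskLevels", [])
    if risk_levels and s.sign_in_risk not in risk_levels:
        return False
    return True


def evaluate(policy: dict, s: SignIn) -> str:
    """The THEN part: 'not-applicable', 'block', 'grant' or 'require:<controls>'."""
    if not policy_applies(policy, s):
        return "not-applicable"
    gc = policy["grantControls"]
    controls = gc["builtInControls"]
    if "block" in controls:
        return "block"
    satisfied = {"mfa": s.mfa_satisfied}          # only MFA is modelled here
    met = [satisfied.get(ctl, False) for ctl in controls]
    ok = any(met) if gc["operator"] == "OR" else all(met)
    return "grant" if ok else "require:" + "+".join(controls)


def decide(policies: list, s: SignIn) -> str:
    """Every enabled policy is evaluated; report-only policies are logged but not
    enforced, and a single block beats every grant."""
    outcome = "grant"
    for policy in policies:
        if policy["state"] != "enabled":
            continue
        result = evaluate(policy, s)
        if result == "block":
            return "block"
        if result.startswith("require:"):
            outcome = result
    return outcome
```

Running `decide([REQUIRE_MFA_POLICY, BLOCK_HIGH_RISK_POLICY], ...)` for an ordinary user who has not done MFA returns "grant", because CA001 is still in report-only mode; switching its state to "enabled" makes the same sign-in return "require:mfa". The break-glass exclusion and the report-only first step are the two habits that keep a Conditional Access rollout from locking a tenant's own administrators out.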
6. Identity Protection
Microsoft Entra ID Protection uses machine learning and Microsoft's threat intelligence to detect and respond to identity-based risks. It can identify:
- User risk: Leaked credentials, unusual user behavior
- Sign-in risk: Unfamiliar sign-in properties, anonymous IP addresses, impossible travel
Risk-based Conditional Access policies can automatically respond to these threats.
7. Privileged Identity Management (PIM)
PIM provides just-in-time (JIT) privileged access to Microsoft Entra roles, Azure resource roles, and group memberships. Instead of holding permanent (standing) admin assignments, users are made eligible and activate a role only when needed, with time-bound access, optional approval workflows, MFA on activation, and an audit trail. This shrinks the window in which a compromised account carries administrative rights.
8. Business-to-Business (B2B) Collaboration
Microsoft Entra External ID (B2B) allows organizations to securely share applications and resources with guest users from other organizations. Guest users authenticate with their own identity provider (e.g., their own Microsoft Entra tenant, a Microsoft account, Google, a SAML/WS-Fed federated IdP, or an emailed one-time passcode), so the host tenant never stores their credentials.
9. Business-to-Customer (B2C) Identity
Microsoft Entra External ID (B2C) provides customer identity and access management. It allows organizations to create customized sign-up and sign-in experiences for consumer-facing applications, supporting social identity providers like Google, Facebook, and Apple.
10. Managed Identities
Managed identities eliminate the need for developers to manage credentials for Azure service-to-service communication. There are two types:
- System-assigned: Tied to a specific Azure resource and deleted when the resource is deleted.
- User-assigned: Created as standalone resources and can be shared across multiple Azure resources.
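The difference between the two types shows up concretely in how a workload asks the Azure Instance Metadata Service (IMDS) for a token. The block below is an added example, not code from the page or from the Azure SDK (azure-identity's ManagedIdentityCredential does the same job in production). The endpoint, the Metadata header, the api-version and the resource/client_id query parameters are the documented IMDS contract; the credential class, its cache, the injectable transport and the fake IMDS response that lets it run offline are this example's own, and the client ID and token values are made up.

```python
"""Requesting a managed identity token from the Azure Instance Metadata Service.

Added example, not Azure SDK code. IMDS_TOKEN_URL, the Metadata header, the
api-version and the resource/client_id parameters are the documented IMDS
contract; the credential class, its cache and the fake transport are this
example's own. The client ID and the token returned by fake_imds are made up.
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
USER_ASSIGNED_CLIENT_ID = "33333333-3333-3333-3333-333333333333"  # made-up


def build_token_request(resource: str, client_id: Optional[str] = None):
    """Return (url, headers) for an IMDS token request.

    System-assigned: no client_id; IMDS uses the identity tied to this VM.
    User-assigned: a VM can carry several, so the caller names one by client_id
    (IMDS also accepts object_id or mi_res_id for the same purpose).
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS requires this header and rejects requests carrying X-Forwarded-For,
    # which stops the simplest SSRF relays; it does not stop code already
    # running on the VM, which can call this endpoint freely.
    return url, {"Metadata": "true"}


def urllib_transport(url: str, headers: dict) -> dict:
    """Real transport: only works on an Azure VM that has a managed identity."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def fake_imds(url: str, headers: dict) -> dict:
    """Constructed stand-in for IMDS so the example runs offline."""
    assert headers.get("Metadata") == "true", "IMDS rejects requests without Metadata: true"
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    identity = query.get("client_id", ["system-assigned"])[0]
    return {
        "access_token": f"eyJ.fake-token-for-{identity}.sig",   # made-up value
        "expires_on": str(int(time.time()) + 3600),            # IMDS returns epoch seconds as a string
        "resource": query["resource"][0],
        "token_type": "Bearer",
    }


class ManagedIdentityCredential:
    """Minimal credential: one cached token per resource, refreshed early."""

    def __init__(self, transport: Callable[[str, dict], dict] = urllib_transport,
                 client_id: Optional[str] = None):
        self._transport = transport
        self._client_id = client_id          # None = system-assigned identity
        self._cache: dict = {}               # resource -> (token, expires_on)

    def get_token(self, resource: str) -> str:
        cached = self._cache.get(resource)
        if cached and cached[1] - time.time() > 300:   # reuse unless under 5 min left
            return cached[0]
        url, headers = build_token_request(resource, self._client_id)
        body = self._transport(url, headers)
        token, expires_on = body["access_token"], int(body["expires_on"])
        self._cache[resource] = (token, expires_on)
        return token


if __name__ == "__main__":
    system = ManagedIdentityCredential(transport=fake_imds)
    user = ManagedIdentityCredential(transport=fake_imds, client_id=USER_ASSIGNED_CLIENT_ID)
    for cred in (system, user):
        print(cred.get_token("https://management.azure.com/"))
```

On a real VM the same class with the default transport returns a token that any Azure API accepts as a Bearer header, with no secret ever stored in code or config. The flip side is that IMDS is reachable from every process on the VM, so an SSRF bug or a foothold on the box yields a token for everything the identity can reach; scope the identity's role assignments to what that workload needs.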
11. Role-Based Access Control (RBAC)
Microsoft Entra ID uses built-in and custom roles to manage access. Microsoft Entra roles (formerly Azure AD roles) control access to directory objects and Entra features (e.g., Global Administrator, User Administrator), while Azure RBAC roles control access to Azure resources such as subscriptions, resource groups, and virtual machines (e.g., Owner, Contributor, Reader). The two role systems are separate: a Global Administrator has no Azure resource permissions by default, but can elevate access to become User Access Administrator at the root management group scope, which is why that role must be treated as equivalent to full control of every subscription in the tenant.
How Microsoft Entra ID Works
Microsoft Entra ID operates as a cloud-based identity provider using the following workflow:
1. User attempts access: A user tries to access a resource (e.g., Microsoft 365, an Azure resource, or a SaaS app).
2. Authentication request: The application redirects the user to Microsoft Entra ID for authentication.
3. Identity verification: Microsoft Entra ID verifies the user's identity through credentials, MFA, or passwordless methods.
4. Policy evaluation: Conditional Access policies are evaluated based on signals such as user identity, device compliance, location, application sensitivity, and real-time risk detection.
5. Token issuance: If authentication is successful and policies are satisfied, Microsoft Entra ID issues a security token (using protocols like OAuth 2.0 or SAML).
6. Access granted: The token is presented to the application, which grants access based on the permissions and roles assigned to the user.
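Steps 2 and 6 of the flow are the two places where the application's own code matters: building the redirect and checking the token that comes back. The block below is an added example, not code from the page and not Microsoft library code (MSAL performs both for you); the tenant ID, client ID, redirect URI and sample token are made up. It assumes the token's RS256 signature has already been verified against the tenant's signing keys (the jwks_uri published in the OpenID discovery document) before the claim checks run, since that verification is what makes the claims trustworthy.

```python
"""Two ends of the Entra ID sign-in flow: the redirect the app builds (step 2)
and the claim checks it runs on the returned ID token (step 6).

Added example, not Microsoft library code (MSAL performs both for you). The
tenant ID, client ID, redirect URI and sample token are made up. Signature
verification against the tenant's signing keys (the jwks_uri in the OpenID
discovery document) is assumed to have passed before validate_id_token_claims
runs; that check is what makes the claims trustworthy.
"""
import base64
import hashlib
import json
import secrets
import time
import urllib.parse
from typing import Optional

TENANT_ID = "aaaaaaaa-0000-0000-0000-000000000001"      # made-up
CLIENT_ID = "bbbbbbbb-0000-0000-0000-000000000002"      # made-up app registration ID
REDIRECT_URI = "https://app.example.com/auth/callback"  # made-up
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_pair(verifier: Optional[str] = None) -> tuple:
    """RFC 7636 S256: challenge = BASE64URL(SHA256(ASCII(verifier)))."""
    verifier = verifier or b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(state: str, nonce: str, code_challenge: str) -> str:
    """Step 2: where the app sends the browser. state and nonce are kept in the
    server-side session and checked when the user comes back."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": "openid profile email",
        "state": state,                       # ties the callback to this session (CSRF)
        "nonce": nonce,                       # echoed inside the ID token (replay)
        "code_challenge": code_challenge,     # PKCE: a stolen code is useless without the verifier
        "code_challenge_method": "S256",
    }
    return AUTHORITY + "/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)


def decode_claims(jwt: str) -> dict:
    """Return the claims segment of a compact JWT. No signature check here."""
    segment = jwt.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def validate_id_token_claims(claims: dict, expected_nonce: str,
                             allowed_tenants=(TENANT_ID,), now: Optional[int] = None) -> bool:
    """Step 6 claim checks; raises ValueError on the first failure."""
    now = int(time.time()) if now is None else now
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("aud: token was issued to a different application")
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        # A multi-tenant app that skips this accepts sign-ins from any tenant.
        raise ValueError(f"tid: tenant {tid} is not allowed")
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        raise ValueError("iss: issuer does not match the tid claim")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("exp/nbf: token is expired or not yet valid")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce: token does not belong to this login attempt")
    return True


def sample_id_token(nonce: str, now: int, tid: str = TENANT_ID, aud: str = CLIENT_ID) -> str:
    """Constructed v2.0-style ID token for offline use. The third segment is a
    placeholder; a real token carries an RS256 signature there."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "made-up-key-id"}
    claims = {"iss": f"https://login.microsoftonline.com/{tid}/v2.0", "aud": aud,
              "tid": tid, "nonce": nonce, "nbf": now - 60, "exp": now + 3600,
              "sub": "made-up-subject", "preferred_username": "alice@example.com"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()), "signature-omitted"])


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    print(build_authorize_url(state, nonce, challenge))
    now = int(time.time())
    print(validate_id_token_claims(decode_claims(sample_id_token(nonce, now)), nonce, now=now))
```

The tid and iss checks are the ones most often missing in multi-tenant apps that sign in through the common endpoint: with a valid signature but no tenant allow-list, a user from any Entra tenant can sign in to the application. The nonce check ties the token to the specific login attempt that produced it, so a token captured elsewhere cannot be replayed into a different session.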
Microsoft Entra ID Editions
Microsoft Entra ID is available in several editions:
- Free: Included with Azure subscriptions and Microsoft 365. Provides basic identity management, SSO to cloud apps (the old limit of 10 apps per user no longer applies), user/group management, basic reports, and security defaults, which require MFA registration for all users and block legacy authentication.
- P1 (Premium Plan 1): Adds Conditional Access, dynamic groups, self-service group management, hybrid identity features such as Microsoft Entra Connect Health, and application proxy. Included in Microsoft 365 E3 and Business Premium.
- P2 (Premium Plan 2): Includes everything in P1, plus Identity Protection, Privileged Identity Management (PIM), and access reviews. Included in Microsoft 365 E5.
- Microsoft Entra ID Governance: An add-on license that extends P1/P2 with entitlement management, richer access reviews, and lifecycle workflows.
Hybrid Identity with Microsoft Entra ID
Many organizations use a hybrid approach, connecting on-premises Active Directory with Microsoft Entra ID. This is achieved through:
- Microsoft Entra Connect: An on-premises application that synchronizes users, groups, and (optionally) password hashes from AD DS to Microsoft Entra ID; it is also where the sign-in method (password hash sync, pass-through authentication, or federation) is chosen.
- Microsoft Entra Connect Cloud Sync: A lightweight agent managed from the cloud for simpler or multi-forest scenarios. It supports password hash sync but not pass-through authentication.
The three primary hybrid authentication methods are:
- Password Hash Synchronization (PHS): Entra Connect sends a derived hash of the on-premises password to the cloud (the NT hash is salted and re-hashed with PBKDF2-HMAC-SHA256 before it leaves the network, roughly every two minutes); the cleartext password and the raw NT hash are never stored in Entra ID. It is the simplest method, keeps cloud sign-in working if the on-premises environment is down, and is required for Identity Protection's leaked credential detection. Microsoft recommends it for most scenarios.
- Pass-Through Authentication (PTA): The user's password is validated against on-premises AD by lightweight agents running on domain-joined servers, so no password hashes are stored in the cloud. The agents handle cleartext passwords and must be protected like domain controllers, and cloud sign-in fails if no agent is reachable.
- Federation (AD FS): Microsoft Entra ID redirects sign-in to an on-premises federation service, which issues the security token. It is the most complex option and provides the most control (e.g., smart-card sign-in, third-party MFA), but the federation server's token-signing certificate becomes a tenant-wide secret: anyone who steals it can mint tokens for any federated user.
Microsoft Entra ID vs. Active Directory Domain Services (AD DS)
This is a commonly tested concept on the SC-900 exam:
- AD DS is an on-premises directory service using LDAP, Kerberos, NTLM, and Group Policy.
- Microsoft Entra ID is a cloud-based identity service using HTTP/HTTPS protocols like SAML, OAuth, OpenID Connect, and WS-Federation.
- Microsoft Entra ID does not use Group Policy, LDAP, or Kerberos in the traditional sense.
- Microsoft Entra ID has a flat structure (no OUs, domains, or forests). The top-level boundary is the tenant; administrative units can scope some admin roles to subsets of users, groups, and devices, but they are not containers like OUs.
Exam Tips: Answering Questions on Microsoft Entra ID Overview and Features
Tip 1: Know the Terminology Change
The SC-900 exam now uses the name Microsoft Entra ID instead of Azure Active Directory. However, some questions may still reference Azure AD. Understand that they refer to the same service.
Tip 2: Understand the Editions and What Each Includes
Pay close attention to which features belong to which edition. A common exam question will describe a scenario and ask which license or edition is required. Remember:
- Conditional Access = P1 or higher
- Identity Protection = P2
- Privileged Identity Management = P2
- Basic SSO and MFA = Free tier (with Security Defaults)
Tip 3: Differentiate Between Entra ID and AD DS
Exam questions often test whether you understand the differences between the cloud-based Microsoft Entra ID and the on-premises Active Directory Domain Services. Remember that Entra ID uses modern web-based protocols, not LDAP or Kerberos.
Tip 4: Understand Conditional Access as a Zero Trust Policy Engine
Many questions will present scenarios asking how to enforce access policies. Conditional Access is the answer when the scenario involves evaluating multiple signals (user, device, location, risk) to make access decisions. Remember: Conditional Access policies use if/then logic — if a condition is met, then enforce a control.
Tip 5: Know the Authentication Methods
Be familiar with the three hybrid authentication methods (PHS, PTA, Federation) and understand when each is appropriate. PHS is the simplest and most commonly recommended. Passwordless methods are considered more secure than password + MFA; among them, FIDO2 security keys, passkeys, and Windows Hello for Business are phishing-resistant, whereas Microsoft Authenticator push notifications and phone sign-in are passwordless or MFA but not phishing-resistant.
Tip 6: Managed Identities are for Azure Resources
If a question asks about securely connecting Azure services without storing credentials in code, the answer is managed identities. Know the difference between system-assigned and user-assigned managed identities.
Tip 7: B2B vs B2C — Know the Difference
B2B is for collaborating with external business partners (guest users). B2C is for consumer-facing applications with custom sign-in experiences. If the scenario mentions partners or guest users, think B2B. If it mentions customers or consumers, think B2C.
Tip 8: Privileged Identity Management (PIM) is About Least Privilege
PIM enables just-in-time access to privileged roles. If a question asks about reducing standing admin access or implementing time-limited admin roles, PIM is the answer. Remember that PIM requires a P2 license.
Tip 9: Identity Protection = Risk Detection and Response
If a question describes detecting risky sign-ins, leaked credentials, or automated risk-based policies, the answer involves Microsoft Entra ID Protection. It identifies user risk and sign-in risk and can trigger Conditional Access policies automatically.
Tip 10: Focus on Concepts, Not Configuration
The SC-900 is a fundamentals exam. You will not be asked to configure Microsoft Entra ID step by step. Instead, focus on understanding what each feature does, why it is important, and when to use it. Scenario-based questions are common — read the entire scenario carefully before selecting an answer.
Tip 11: Remember the Role of Microsoft Entra ID in Zero Trust
Microsoft Entra ID is central to the Zero Trust security model. The principles of Zero Trust — verify explicitly, use least privilege access, and assume breach — all map directly to Entra ID features like MFA, Conditional Access, PIM, and Identity Protection. If a question references Zero Trust and identity, Microsoft Entra ID is almost always part of the answer.
Summary
Microsoft Entra ID is the foundational identity and access management service in the Microsoft ecosystem. It provides authentication, SSO, application and device management, Conditional Access, Identity Protection, Privileged Identity Management, and support for external identities (B2B and B2C). Understanding its features, editions, and role in Zero Trust architecture is critical for success on the SC-900 exam. Focus on understanding concepts, differentiating between similar features, and matching scenarios to the correct Entra ID capability.