Authentication Concepts and Methods
Authentication is the process of verifying the identity of a user, device, or entity before granting access to resources. In Microsoft's security framework, authentication is a foundational concept that ensures only legitimate users can access systems and data.
**Key Authentication Methods:**
1. **Password-based Authentication:** The most traditional method, where users provide a username and password. While widely used, it is vulnerable to phishing, brute-force attacks, and credential theft.
2. **Multi-Factor Authentication (MFA):** Enhances security by requiring two or more verification factors drawn from: something you know (a password), something you have (a phone or security key), and something you are (biometrics such as a fingerprint or facial recognition). Microsoft Entra ID (formerly Azure AD) strongly supports MFA.
3. **Passwordless Authentication:** Microsoft promotes passwordless methods such as Windows Hello for Business, the Microsoft Authenticator app, and FIDO2 security keys. These eliminate password vulnerabilities while improving the user experience.
4. **Certificate-based Authentication:** Uses digital certificates to verify identity; commonly employed in enterprise environments for device and user authentication.
5. **Token-based Authentication:** After initial verification, tokens (such as OAuth 2.0 or SAML tokens) are issued to grant access without repeated credential entry. This is fundamental to Single Sign-On (SSO).
**Core Concepts:**
- **Single Sign-On (SSO):** Allows users to authenticate once and access multiple applications seamlessly.
- **Federation:** Enables trust relationships between different identity providers, allowing cross-organizational authentication.
- **Modern Authentication:** Refers to protocols like OAuth 2.0 and OpenID Connect that support secure, token-based authentication flows.
**Authentication vs. Authorization:** Authentication (AuthN) confirms identity, while authorization (AuthZ) determines what resources an authenticated user can access. Microsoft emphasizes a Zero Trust approach in which authentication is continuously validated and never implicitly trusted, ensuring robust security across cloud and hybrid environments. These methods collectively form a layered defense strategy against identity-based threats.
Authentication Concepts and Methods – SC-900 Exam Guide
Why Authentication Concepts and Methods Matter
Authentication is the foundation of security in any modern IT environment. It is the process by which a system verifies the identity of a user, device, or service before granting access to resources. Without proper authentication, organizations cannot enforce access controls, protect sensitive data, or maintain compliance with regulations. For the SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) exam, understanding authentication is critical because it underpins nearly every other security and identity concept tested.
What Is Authentication?
Authentication (often abbreviated as AuthN) is the act of proving that someone or something is who or what they claim to be. It is distinct from authorization (AuthZ), which determines what an authenticated entity is allowed to do. Think of authentication as showing your ID at the door and authorization as being told which rooms you can enter once inside.
The three classical factors of authentication are:
• Something you know – Passwords, PINs, security questions
• Something you have – A phone, a hardware token, a smart card
• Something you are – Biometrics such as fingerprints, facial recognition, or iris scans
When two or more of these factors are combined, it is called Multi-Factor Authentication (MFA).
Key Authentication Concepts for SC-900
1. Single-Factor Authentication (SFA)
Uses only one factor, typically a password. This is the least secure method because passwords can be guessed, stolen, or phished.
2. Multi-Factor Authentication (MFA)
Requires two or more different factors. For example, entering a password (something you know) and then approving a push notification on a registered phone (something you have). MFA dramatically reduces the risk of compromised accounts. Microsoft states that MFA can block over 99.9% of account compromise attacks.
3. Passwordless Authentication
Eliminates the use of passwords entirely, replacing them with more secure and convenient methods. Microsoft supports several passwordless methods:
• Windows Hello for Business – Uses biometrics or a PIN tied to a specific device
• Microsoft Authenticator app – Allows sign-in via phone notification with number matching
• FIDO2 security keys – Hardware keys that use public-key cryptography and are phishing-resistant
4. Self-Service Password Reset (SSPR)
A feature in Microsoft Entra ID (formerly Azure AD) that allows users to reset their own passwords without calling a help desk. SSPR can require one or two authentication methods such as email, phone, authenticator app, or security questions.
5. Federated Authentication
A trust relationship is established between an identity provider (IdP) and a service provider. When a user authenticates against a federated IdP (such as Active Directory Federation Services, AD FS), the service provider trusts that authentication instead of verifying credentials itself. This enables single sign-on (SSO) across different organizations or domains.
6. Single Sign-On (SSO)
Allows a user to sign in once and access multiple applications without re-entering credentials. SSO improves user experience and reduces password fatigue. It works through protocols such as SAML, OAuth 2.0, and OpenID Connect.
7. Certificate-Based Authentication
Uses digital certificates (X.509) to verify identity. This is commonly used for device authentication and in enterprise environments for high-security scenarios.
8. Token-Based Authentication
After initial authentication, a token (such as a JSON Web Token or JWT) is issued to the user. This token is presented for subsequent requests, eliminating the need to re-authenticate for every interaction. OAuth 2.0 and OpenID Connect rely on token-based mechanisms.
How Authentication Works in Microsoft Entra ID
1. A user attempts to access a resource (e.g., Microsoft 365, an Azure application).
2. The user is redirected to Microsoft Entra ID for authentication.
3. The user provides credentials (password, biometric, security key, etc.).
4. If MFA is required (via Conditional Access policy or security defaults), the user must complete an additional verification step.
5. Microsoft Entra ID validates the credentials, checks Conditional Access policies, and if everything passes, issues security tokens.
6. The tokens are used to access the requested resource.
Important Protocols to Know
• OAuth 2.0 – An authorization framework that allows third-party applications to access resources on behalf of a user. It uses access tokens.
• OpenID Connect (OIDC) – Built on top of OAuth 2.0, it adds an authentication layer. It provides ID tokens that contain identity information about the user.
• SAML (Security Assertion Markup Language) – An XML-based standard for exchanging authentication and authorization data between an IdP and a service provider. Commonly used for enterprise SSO.
• Kerberos – A network authentication protocol used primarily in on-premises Active Directory environments. Uses tickets rather than passwords for ongoing authentication.
• NTLM – An older Microsoft authentication protocol. It is less secure than Kerberos and is being phased out but may still appear in legacy environments.
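The token-based step of the flow above (the IdP issues a signed token, the application presents it on later requests, and OIDC ID tokens carry identity claims) is easiest to see in code. The following is an added example, not code from this guide or from Microsoft: a minimal JWT issuer and the relying-party checks an application must run before trusting the claims. It assumes a constructed HS256 shared secret so it runs offline; a real issuer such as Microsoft Entra ID signs with RS256 and publishes only the public key.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret (assumption). Microsoft Entra ID signs with RS256 and
# publishes only its public key; HS256 is used here so the example runs offline.
DEMO_SECRET = b"demo-shared-secret-not-for-production"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Identity-provider side: sign header.payload and append the signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_token(token: str, issuer: str, audience: str, now=None,
                   secret: bytes = DEMO_SECRET):
    """Relying-party side. Checks run in order: structure, algorithm, signature,
    issuer, audience, lifetime. Returns (claims, None) on success, otherwise
    (None, reason) naming the first check that failed."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm you expect
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, "bad signature"          # claims are untrusted until here
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:           # token from a different IdP
        return None, "wrong issuer"
    if claims.get("aud") != audience:         # token minted for another app
        return None, "wrong audience"
    if now < claims.get("nbf", 0):
        return None, "not yet valid"
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims, None
```

The order matters: the signature is checked before any claim is read, so a token whose payload was swapped or edited is rejected without its claims ever being trusted.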
Security Defaults and Conditional Access
Security Defaults are a set of basic identity security mechanisms provided free by Microsoft. When enabled, they require all users to register for and use MFA (via Microsoft Authenticator). They are ideal for organizations that do not have Microsoft Entra ID P1 or P2 licenses.
Conditional Access is a more advanced, policy-driven approach available with Microsoft Entra ID P1 or higher. It evaluates signals such as user identity, location, device state, application being accessed, and risk level to make real-time access decisions: allow access, deny access, or require additional verification (like MFA).
Password Protection in Microsoft Entra ID
Microsoft Entra ID provides:
• Global banned password list – Automatically blocks commonly known weak passwords
• Custom banned password list – Allows organizations to add their own list of banned terms
• Smart lockout – Locks out attackers while allowing legitimate users to continue signing in by distinguishing between familiar and unfamiliar locations
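To make the banned-list idea concrete, here is an added example that is not Microsoft's implementation: a simplified model of a global list plus a tenant's custom terms, with the normalisation step that stops trivial substitutions from slipping past an exact-match list. Both lists, the substitution table and the company names are constructed for the example; Entra ID's real global list and scoring rules are not reproduced.

```python
# Simplified model (assumption): Entra ID's real list and scoring are not reproduced.
GLOBAL_BANNED = {"password", "qwerty", "letmein", "welcome", "iloveyou"}
CUSTOM_BANNED = {"contoso", "fabrikam"}  # constructed tenant-specific terms

# Undo the substitutions users reach for when a plain word is refused, so that
# "P@$$w0rd" is recognised as "password". The mapping is an assumption.
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                               "3": "e", "4": "a", "5": "s", "7": "t"})

def normalise(password: str) -> str:
    """Lower-case the password and reverse common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)

def banned_terms_in(password: str, custom=frozenset(CUSTOM_BANNED)):
    """Banned terms found anywhere in the normalised password (substring match)."""
    norm = normalise(password)
    return sorted(t for t in GLOBAL_BANNED | set(custom) if t in norm)

def evaluate(password: str, min_length: int = 8, custom=frozenset(CUSTOM_BANNED)):
    """Return (accepted, reason). Length is checked first, then both lists."""
    if len(password) < min_length:
        return False, "too short"
    hits = banned_terms_in(password, custom)
    if hits:
        return False, "contains banned term(s): " + ", ".join(hits)
    return True, "ok"
```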
How to Answer SC-900 Exam Questions on Authentication
The SC-900 exam tests conceptual understanding rather than deep technical implementation. Questions will focus on:
• Differentiating between authentication and authorization
• Identifying correct authentication factors (know, have, are)
• Understanding when and why MFA is used
• Knowing the benefits of passwordless authentication
• Recognizing the role of SSO and federation
• Understanding how Conditional Access and Security Defaults enforce MFA
Exam Tips: Answering Questions on Authentication Concepts and Methods
1. Always distinguish AuthN from AuthZ: If a question asks about verifying identity, the answer relates to authentication. If it asks about permissions or what a user can do, it relates to authorization. This is one of the most commonly tested distinctions.
2. Know the three authentication factors cold: Something you know (password/PIN), something you have (phone/token/key), something you are (biometrics). MFA = two or more different factor types. Using two passwords is NOT MFA, because both are 'something you know.'
3. Passwordless does not mean less secure: Exam questions may test whether you understand that passwordless authentication (Windows Hello, FIDO2, Authenticator app) is actually more secure than traditional passwords because it eliminates phishing and credential theft risks.
4. MFA statistics matter: Remember that Microsoft claims MFA blocks over 99.9% of account compromise attacks. If a question asks about the single most effective measure to protect accounts, MFA is almost always the correct answer.
5. Security Defaults vs. Conditional Access: Security Defaults are free and provide baseline MFA for all users. Conditional Access requires a premium license and provides granular, policy-based control. If a question mentions a small organization with no premium licenses, Security Defaults is the answer. If it mentions granular, signal-based policies, Conditional Access is the answer.
6. Understand SSPR: Know that Self-Service Password Reset reduces help desk costs, can require one or two methods for verification, and can be combined with MFA registration for a unified experience.
7. Federation and SSO: Federation establishes trust between identity providers. SSO is the user experience benefit of not having to sign in multiple times. They are related but not identical concepts.
8. Read every option carefully: SC-900 questions often include plausible distractors. For example, a question might list 'fingerprint and facial recognition' as two-factor authentication — but both are biometrics (something you are), so this is actually single-factor with two methods, NOT MFA.
9. Focus on Microsoft terminology: The exam uses terms like Microsoft Entra ID, Microsoft Authenticator, Windows Hello for Business, and FIDO2 security keys. Be comfortable with these names and what each method provides.
10. Eliminate wrong answers first: On scenario-based questions, eliminate answers that confuse authentication with authorization, suggest deprecated methods as best practice, or recommend single-factor authentication for high-security scenarios.
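The factor rule from the definitions section and from exam tips 2 and 8 (two passwords, or fingerprint plus facial recognition, is multiple methods but one factor type) can be checked mechanically. This is an added example, not code from the guide; the method-to-factor mapping is an assumption based on the three classical factors listed above, with a PIN counted as something you know as the guide does.

```python
# Method-to-factor mapping assumed from the guide's three classical factors.
FACTOR_OF = {
    "password": "know", "pin": "know", "security question": "know",
    "phone push": "have", "sms code": "have", "hardware token": "have",
    "smart card": "have", "fido2 key": "have",
    "fingerprint": "are", "face": "are", "iris": "are",
}

def factor_types(methods):
    """Map each method to its factor type and return the distinct types used."""
    unknown = sorted(set(methods) - set(FACTOR_OF))
    if unknown:
        raise ValueError(f"unrecognised method(s): {unknown}")
    return {FACTOR_OF[m] for m in methods}

def is_mfa(methods):
    """MFA means two or more DIFFERENT factor types, not simply two methods."""
    return len(factor_types(methods)) >= 2

def verdict(methods):
    """Explain the classification the way an exam answer should."""
    types = factor_types(methods)
    used = ", ".join(sorted(types))
    if len(types) >= 2:
        return f"MFA ({used})"
    if len(set(methods)) >= 2:
        return f"single-factor, multiple methods ({used}) - NOT MFA"
    return f"single-factor ({used})"
```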
By mastering these authentication concepts and applying these exam strategies, you will be well-prepared to handle any authentication-related question on the SC-900 exam with confidence.