Identity Providers and Their Role – A Complete Guide for SC-900
Why Identity Providers Matter
In today's cloud-first world, organizations need a centralized and secure way to manage who can access their resources. Identity Providers (IdPs) are the backbone of modern authentication and authorization. Without an IdP, every application would need to maintain its own user database, manage its own passwords, and enforce its own security policies — leading to inconsistency, security gaps, and a poor user experience. Understanding Identity Providers is essential for the SC-900 exam because they form the foundation of how security, compliance, and identity work together in Microsoft's ecosystem.
What Is an Identity Provider?
An Identity Provider (IdP) is a service that creates, maintains, and manages identity information while providing authentication services to applications. Think of an IdP as a trusted authority that vouches for a user's identity. When a user tries to access an application, the application doesn't verify the user's credentials itself — instead, it delegates that responsibility to the IdP.
Common examples of Identity Providers include:
- Microsoft Entra ID (formerly Azure Active Directory) – Microsoft's cloud-based identity and access management service
- Active Directory Federation Services (AD FS) – An on-premises identity provider from Microsoft
- Google Identity – Google's identity platform
- Facebook Login, Apple ID – Social identity providers
- Okta, Ping Identity – Third-party identity providers
How Identity Providers Work
Identity Providers operate using a trust-based model. Here is the typical flow:
1. User Requests Access: A user attempts to access an application or resource (called a Service Provider or Relying Party).
2. Redirect to IdP: The application redirects the user to the configured Identity Provider for authentication.
3. Authentication: The IdP prompts the user for credentials (username/password, multifactor authentication, biometrics, etc.) and verifies the user's identity against its directory.
4. Token Issuance: Upon successful authentication, the IdP generates a security token (such as a SAML assertion, OAuth token, or OpenID Connect ID token) that contains claims about the user's identity and attributes.
5. Token Sent to Application: The token is sent back to the application. The application trusts the token because it trusts the IdP.
6. Access Granted: The application reads the claims in the token and grants or denies access based on the information provided.
This process relies on a trust relationship between the Identity Provider and the Service Provider. The Service Provider must be configured to trust tokens issued by the IdP, and the IdP must be configured to issue tokens for the Service Provider.
Key Concepts Related to Identity Providers
Federation: Federation is the process of establishing trust between two or more identity domains. When organizations federate, users in one domain can access resources in another domain without needing separate credentials. Federation relies on Identity Providers and standard protocols such as SAML 2.0, WS-Federation, and OpenID Connect (OIDC).
Single Sign-On (SSO): SSO is one of the primary benefits of using an IdP. Once a user authenticates with the Identity Provider, they can access multiple applications without re-entering credentials. The IdP maintains the session and issues tokens for each application the user accesses.
Claims-Based Identity: Tokens issued by IdPs contain claims — pieces of information about the user such as their name, email address, group memberships, and roles. Applications use these claims to make authorization decisions.
Authentication Protocols:
- SAML (Security Assertion Markup Language): An XML-based protocol commonly used for enterprise SSO
- OAuth 2.0: An authorization framework that allows third-party applications to obtain limited access to a service
- OpenID Connect (OIDC): An authentication layer built on top of OAuth 2.0, widely used for modern web and mobile applications
Microsoft Entra ID as an Identity Provider
For the SC-900 exam, Microsoft Entra ID is the primary Identity Provider you need to understand. Key points include:
- It is a cloud-based identity and access management service
- It supports SAML, OAuth 2.0, OpenID Connect, and WS-Federation protocols
- It provides SSO to thousands of pre-integrated SaaS applications (e.g., Microsoft 365, Salesforce, ServiceNow)
- It supports multifactor authentication (MFA) and Conditional Access policies
- It can act as an IdP for both internal users (employees) and external users (partners, customers) through Microsoft Entra External ID (B2B and B2C)
- It supports hybrid identity scenarios where on-premises Active Directory is synchronized with Entra ID using Microsoft Entra Connect
The Role of Identity Providers in Zero Trust
Identity Providers are central to the Zero Trust security model. In Zero Trust, identity is the primary security perimeter. The IdP:
- Verifies every user explicitly before granting access
- Enforces least-privilege access through token claims and Conditional Access
- Enables continuous evaluation of user risk and session health
- Integrates with threat intelligence to detect compromised identities
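A simplified model of how an IdP evaluates Conditional Access style policies at sign-in, added here as an illustration (it is not Microsoft's policy engine, whose policy schema differs; the policy names, sign-in signals and decision values are constructed for the example). It shows the semantics the bullets above describe: the IdP evaluates every in-scope policy, a block wins over any grant, and otherwise every required control such as MFA or a compliant device must be satisfied before access is granted.

```python
"""Toy Conditional Access evaluator (added example, not Microsoft's engine)."""
from dataclasses import dataclass
from typing import Callable, List

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    """Signals the IdP has about one sign-in attempt (constructed fields)."""
    user: str
    app: str
    mfa_satisfied: bool
    device_compliant: bool
    user_risk: str  # one of RISK_ORDER


@dataclass
class Policy:
    """Assignment (which sign-ins it targets) plus grant controls."""
    name: str
    applies: Callable[[SignIn], bool]
    block: bool = False
    require_mfa: bool = False
    require_compliant_device: bool = False


# Constructed policy set illustrating "verify explicitly" and least privilege.
POLICIES: List[Policy] = [
    Policy("Block high-risk users",
           lambda s: RISK_ORDER[s.user_risk] >= RISK_ORDER["high"], block=True),
    Policy("Require MFA for all users", lambda s: True, require_mfa=True),
    Policy("Finance app requires compliant device",
           lambda s: s.app == "finance", require_compliant_device=True),
]


def evaluate(sign_in: SignIn, policies: List[Policy] = POLICIES) -> dict:
    """Apply all in-scope policies: block wins; otherwise all grant controls must hold."""
    matched = [p for p in policies if p.applies(sign_in)]
    blocking = [p.name for p in matched if p.block]
    if blocking:
        return {"decision": "block", "policies": blocking}
    unmet = set()
    for p in matched:
        if p.require_mfa and not sign_in.mfa_satisfied:
            unmet.add("mfa")
        if p.require_compliant_device and not sign_in.device_compliant:
            unmet.add("compliant_device")
    names = [p.name for p in matched]
    if unmet:
        # The IdP does not refuse outright; it demands the missing controls first.
        return {"decision": "challenge", "required": sorted(unmet), "policies": names}
    return {"decision": "allow", "policies": names}


if __name__ == "__main__":
    attempt = SignIn("bob", "finance", mfa_satisfied=True,
                     device_compliant=False, user_risk="low")
    print(evaluate(attempt))
```

A sign-in that satisfies MFA from a non-compliant device gets a challenge for the device rather than an allow, and a high-risk user is blocked regardless of which other controls were met, which is the "most restrictive policy wins" behaviour the exam expects you to recognise.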
Centralized vs. Decentralized Identity
While traditional IdPs are centralized (the IdP stores and manages identities), the industry is also moving toward decentralized identity, where users control their own identity using standards like verifiable credentials. Microsoft supports this through Microsoft Entra Verified ID. For the SC-900 exam, know that decentralized identity shifts control from organizations to individuals while still relying on trust frameworks.
Exam Tips: Answering Questions on Identity Providers and Their Role
1. Know the definition: An Identity Provider is a service that authenticates users and issues security tokens. If a question asks what an IdP does, remember: it creates, stores, and manages digital identities and provides authentication services.
2. Understand federation: Exam questions may describe a scenario where two organizations need to share resources. The answer typically involves federation between their Identity Providers. Remember that federation establishes a trust relationship so users don't need separate accounts.
3. Distinguish authentication from authorization: The IdP handles authentication (verifying who you are). Authorization (what you can do) is typically handled by the application using claims from the token. Don't confuse the two.
4. Know the protocols: If a question mentions XML-based tokens or enterprise SSO, think SAML. If it mentions modern web/mobile apps, think OpenID Connect. If it's about delegated authorization (e.g., an app accessing resources on behalf of a user), think OAuth 2.0.
5. Microsoft Entra ID is the star: Most SC-900 questions about IdPs will center on Microsoft Entra ID. Know its capabilities: cloud-based, supports multiple protocols, provides SSO, supports MFA and Conditional Access, and works for both internal and external identities.
6. Look for SSO keywords: If a question describes a scenario where a user logs in once and accesses multiple applications, the answer relates to SSO enabled by an Identity Provider.
7. External identity scenarios: Questions about giving partners or customers access to your resources often point to Microsoft Entra External ID (B2B/B2C), which allows external IdPs (like Google or Facebook) to be used for authentication.
8. Trust relationships are key: Remember that the Service Provider must trust the Identity Provider. If a question asks about how an application verifies a user's identity, the answer involves the trust relationship with the IdP and the security token.
9. Hybrid identity: If a scenario involves both on-premises and cloud resources, think about Microsoft Entra Connect synchronizing on-premises AD with Entra ID, allowing a single identity to work across both environments.
10. Eliminate distractors: In multiple-choice questions, look out for answers that confuse IdP responsibilities with firewall or network security functions. An IdP deals with identity and authentication, not network-level security controls.
Summary
Identity Providers are foundational to modern security architecture. They centralize authentication, enable SSO, support federation across organizational boundaries, and are critical to implementing Zero Trust. For the SC-900 exam, focus on understanding what an IdP does, how Microsoft Entra ID functions as an IdP, the protocols involved (SAML, OAuth, OIDC), and how IdPs enable secure access for both internal and external users. Mastering these concepts will give you a strong foundation for answering exam questions on this topic confidently.