Identity and Authentication with Entra

Key Takeaways

  • Microsoft Entra ID manages users, groups, authentication methods, Conditional Access, MFA, SSO, and admin roles for Microsoft 365.
  • Conditional Access enforces access controls at sign-in based on user, location, device, app, and risk signals.
  • PIM provides just-in-time, time-bound activation of privileged roles instead of standing Global Admin access.
  • MFA should be enforced via Conditional Access for all users, especially admins accessing governance portals.
  • Authentication verifies identity; authorization (SharePoint permissions, admin roles) determines what the identity can access — Copilot inherits both.
Last updated: July 2026

Quick Answer: Microsoft Entra ID (formerly Azure Active Directory) is the cloud identity service for Microsoft 365. It manages users, groups, authentication methods, Conditional Access, MFA, SSO, and admin roles. Privileged Identity Management (PIM) provides just-in-time activation of privileged roles.

Identity is the front door to every Copilot interaction. When a user signs in to Microsoft 365 Copilot, Entra ID authenticates them and Conditional Access policies evaluate whether the session meets security requirements. AB-900 tests foundational Entra concepts that protect admin portals and user sessions in AI-enabled tenants.

Microsoft Entra ID Overview

Microsoft Entra ID is Microsoft's cloud-based identity and access management (IAM) service. It is the directory behind every Microsoft 365 sign-in:

CapabilityWhat It DoesAdmin Location
User managementCreate, license, and disable accountsEntra admin center > Users
Group managementSecurity groups, Microsoft 365 Groups, dynamic groupsEntra admin center > Groups
App registrationsEnterprise apps and SSO integrationsEntra admin center > Applications
Conditional AccessPolicy-based access controlsEntra admin center > Protection > Conditional Access
Authentication methodsMFA, FIDO2, Windows Hello, SMSEntra admin center > Protection > Authentication methods
Roles and administratorsAdmin role assignmentsEntra admin center > Roles and administrators
Identity Secure ScoreSecurity posture recommendationsEntra admin center > Identity Secure Score

Entra ID is shared across Microsoft 365 and Azure. AB-900 focuses on the M365 administration angle — protecting admin portals, enforcing MFA, and controlling who can change Copilot or Purview settings.

Authentication Methods

Authentication verifies identity ("who are you?"). Entra ID supports multiple methods:

MethodDescriptionAB-900 Notes
PasswordTraditional username/passwordShould be paired with MFA for all users
Microsoft Authenticator appPush notification or OTPRecommended primary MFA method
FIDO2 security keysHardware passwordless tokenPhishing-resistant; good for admins
Windows Hello for BusinessBiometric or PIN on managed devicesPasswordless option for enterprises
SMS / Voice callLegacy MFA methodsLess secure; being deprecated in many tenants
Temporary Access Pass (TAP)Time-limited password for onboardingUsed during MFA registration

On the Exam: Multi-Factor Authentication (MFA) requires two or more verification methods. Conditional Access is the recommended enforcement mechanism — not per-user MFA settings alone.

Conditional Access Policies

Conditional Access is Entra ID's policy engine. It evaluates signals at sign-in and enforces controls:

Common signals (conditions):

  • User or group membership
  • IP location or named locations
  • Device compliance or platform (iOS, Android, Windows)
  • Application being accessed (Office 365, Azure portal, Copilot admin tools)
  • Sign-in risk level (from Entra ID Protection)

Common access controls (grant/block):

  • Require MFA
  • Require compliant or hybrid-joined device
  • Require approved client app
  • Block access entirely
  • Session controls (sign-in frequency, persistent browser)

High-Value Conditional Access Examples for AB-900

Policy GoalExample Configuration
Protect admin portalsRequire MFA for all users in admin roles accessing Azure/M365 portals
Block legacy authBlock legacy authentication protocols (IMAP, POP, SMTP AUTH)
Require compliant devicesGrant access only from Intune-compliant devices
Block risky sign-insBlock or require MFA when sign-in risk is medium or high

Common Trap: Conditional Access applies at sign-in time to control session access. It does not classify email content (that is DLP in Purview) or assign Copilot licenses (that is M365 admin center).

Single Sign-On (SSO)

Single Sign-On (SSO) lets users authenticate once and access multiple applications without re-entering credentials. In Microsoft 365:

  • Cloud SSO — users sign in to Entra ID and access M365 apps seamlessly.
  • Federation — Entra ID trusts an on-premises identity provider (AD FS or third-party) so users use corporate credentials.
  • Password Hash Sync / Pass-through Authentication — hybrid identity models connecting on-premises Active Directory to Entra ID.

SSO improves user experience and centralizes authentication logging. For Copilot, SSO means the same identity and permissions apply across Word, Teams, Outlook, and the Copilot chat experience.

Privileged Identity Management (PIM)

Privileged Identity Management (PIM) provides just-in-time (JIT), time-bound activation of privileged Entra roles:

Without PIMWith PIM
Admin holds Global Admin role permanentlyAdmin is eligible for Global Admin; must activate when needed
Standing access increases breach riskActivation requires justification, MFA, and optional approval
Harder to audit when admin access was usedActivation is logged with reason and duration

Key PIM concepts for AB-900:

  • Eligible assignment — user can activate the role when needed.
  • Active assignment — user holds the role without activation (avoid for highly privileged roles).
  • Activation — time-limited (e.g., 1-8 hours) with optional approval workflow.
  • Applicable roles — Global Administrator, Exchange Administrator, SharePoint Administrator, etc.

On the Exam: PIM reduces standing privileged access. A scenario asking how to limit Global Admin exposure between scheduled maintenance windows points to PIM eligible assignments with time-bound activation.

Identity Secure Score

Identity Secure Score is a percentage in the Entra admin center measuring identity security posture against Microsoft best practices:

  • Enable MFA for all users (especially admins)
  • Block legacy authentication
  • Reduce number of Global Administrators
  • Enable Conditional Access policies
  • Protect privileged roles with PIM

It is a recommendation dashboard, not an enforcement tool. AB-900 may ask what improves the score versus what enforces a control (Conditional Access enforces; Secure Score measures).

Authentication vs Authorization

TermMeaningM365 Example
AuthenticationVerify identityUser signs in with password + Authenticator app
AuthorizationDetermine what identity can accessSharePoint site Members group grants edit access

Entra ID handles authentication and role-based admin authorization. SharePoint/Exchange permissions handle resource authorization. Copilot inherits the authenticated user's resource permissions via Microsoft Graph.

Test Your Knowledge

Which Entra ID feature enforces MFA or blocks access based on sign-in signals like location, device, and risk?

A
B
C
D
Test Your Knowledge

What is the primary benefit of Privileged Identity Management (PIM) for Global Administrator?

A
B
C
D
Test Your Knowledge

Which authentication approach is recommended for enforcing MFA across all admin portal sign-ins?

A
B
C
D
Test Your Knowledge

Identity Secure Score in the Entra admin center primarily measures what?

A
B
C
D