Identity and Authentication with Entra
Key Takeaways
- Microsoft Entra ID manages users, groups, authentication methods, Conditional Access, MFA, SSO, and admin roles for Microsoft 365.
- Conditional Access enforces access controls at sign-in based on user, location, device, app, and risk signals.
- PIM provides just-in-time, time-bound activation of privileged roles instead of standing Global Admin access.
- MFA should be enforced via Conditional Access for all users, especially admins accessing governance portals.
- Authentication verifies identity; authorization (SharePoint permissions, admin roles) determines what the identity can access — Copilot inherits both.
Quick Answer: Microsoft Entra ID (formerly Azure Active Directory) is the cloud identity service for Microsoft 365. It manages users, groups, authentication methods, Conditional Access, MFA, SSO, and admin roles. Privileged Identity Management (PIM) provides just-in-time activation of privileged roles.
Identity is the front door to every Copilot interaction. When a user signs in to Microsoft 365 Copilot, Entra ID authenticates them and Conditional Access policies evaluate whether the session meets security requirements. AB-900 tests foundational Entra concepts that protect admin portals and user sessions in AI-enabled tenants.
Microsoft Entra ID Overview
Microsoft Entra ID is Microsoft's cloud-based identity and access management (IAM) service. It is the directory behind every Microsoft 365 sign-in:
| Capability | What It Does | Admin Location |
|---|---|---|
| User management | Create, license, and disable accounts | Entra admin center > Users |
| Group management | Security groups, Microsoft 365 Groups, dynamic groups | Entra admin center > Groups |
| App registrations | Enterprise apps and SSO integrations | Entra admin center > Applications |
| Conditional Access | Policy-based access controls | Entra admin center > Protection > Conditional Access |
| Authentication methods | MFA, FIDO2, Windows Hello, SMS | Entra admin center > Protection > Authentication methods |
| Roles and administrators | Admin role assignments | Entra admin center > Roles and administrators |
| Identity Secure Score | Security posture recommendations | Entra admin center > Identity Secure Score |
Entra ID is shared across Microsoft 365 and Azure. AB-900 focuses on the M365 administration angle — protecting admin portals, enforcing MFA, and controlling who can change Copilot or Purview settings.
Authentication Methods
Authentication verifies identity ("who are you?"). Entra ID supports multiple methods:
| Method | Description | AB-900 Notes |
|---|---|---|
| Password | Traditional username/password | Should be paired with MFA for all users |
| Microsoft Authenticator app | Push notification or OTP | Recommended primary MFA method |
| FIDO2 security keys | Hardware passwordless token | Phishing-resistant; good for admins |
| Windows Hello for Business | Biometric or PIN on managed devices | Passwordless option for enterprises |
| SMS / Voice call | Legacy MFA methods | Less secure; being deprecated in many tenants |
| Temporary Access Pass (TAP) | Time-limited password for onboarding | Used during MFA registration |
On the Exam: Multi-Factor Authentication (MFA) requires two or more verification methods. Conditional Access is the recommended enforcement mechanism — not per-user MFA settings alone.
Conditional Access Policies
Conditional Access is Entra ID's policy engine. It evaluates signals at sign-in and enforces controls:
Common signals (conditions):
- User or group membership
- IP location or named locations
- Device compliance or platform (iOS, Android, Windows)
- Application being accessed (Office 365, Azure portal, Copilot admin tools)
- Sign-in risk level (from Entra ID Protection)
Common access controls (grant/block):
- Require MFA
- Require compliant or hybrid-joined device
- Require approved client app
- Block access entirely
- Session controls (sign-in frequency, persistent browser)
High-Value Conditional Access Examples for AB-900
| Policy Goal | Example Configuration |
|---|---|
| Protect admin portals | Require MFA for all users in admin roles accessing Azure/M365 portals |
| Block legacy auth | Block legacy authentication protocols (IMAP, POP, SMTP AUTH) |
| Require compliant devices | Grant access only from Intune-compliant devices |
| Block risky sign-ins | Block or require MFA when sign-in risk is medium or high |
Common Trap: Conditional Access applies at sign-in time to control session access. It does not classify email content (that is DLP in Purview) or assign Copilot licenses (that is M365 admin center).
Single Sign-On (SSO)
Single Sign-On (SSO) lets users authenticate once and access multiple applications without re-entering credentials. In Microsoft 365:
- Cloud SSO — users sign in to Entra ID and access M365 apps seamlessly.
- Federation — Entra ID trusts an on-premises identity provider (AD FS or third-party) so users use corporate credentials.
- Password Hash Sync / Pass-through Authentication — hybrid identity models connecting on-premises Active Directory to Entra ID.
SSO improves user experience and centralizes authentication logging. For Copilot, SSO means the same identity and permissions apply across Word, Teams, Outlook, and the Copilot chat experience.
Privileged Identity Management (PIM)
Privileged Identity Management (PIM) provides just-in-time (JIT), time-bound activation of privileged Entra roles:
| Without PIM | With PIM |
|---|---|
| Admin holds Global Admin role permanently | Admin is eligible for Global Admin; must activate when needed |
| Standing access increases breach risk | Activation requires justification, MFA, and optional approval |
| Harder to audit when admin access was used | Activation is logged with reason and duration |
Key PIM concepts for AB-900:
- Eligible assignment — user can activate the role when needed.
- Active assignment — user holds the role without activation (avoid for highly privileged roles).
- Activation — time-limited (e.g., 1-8 hours) with optional approval workflow.
- Applicable roles — Global Administrator, Exchange Administrator, SharePoint Administrator, etc.
On the Exam: PIM reduces standing privileged access. A scenario asking how to limit Global Admin exposure between scheduled maintenance windows points to PIM eligible assignments with time-bound activation.
Identity Secure Score
Identity Secure Score is a percentage in the Entra admin center measuring identity security posture against Microsoft best practices:
- Enable MFA for all users (especially admins)
- Block legacy authentication
- Reduce number of Global Administrators
- Enable Conditional Access policies
- Protect privileged roles with PIM
It is a recommendation dashboard, not an enforcement tool. AB-900 may ask what improves the score versus what enforces a control (Conditional Access enforces; Secure Score measures).
Authentication vs Authorization
| Term | Meaning | M365 Example |
|---|---|---|
| Authentication | Verify identity | User signs in with password + Authenticator app |
| Authorization | Determine what identity can access | SharePoint site Members group grants edit access |
Entra ID handles authentication and role-based admin authorization. SharePoint/Exchange permissions handle resource authorization. Copilot inherits the authenticated user's resource permissions via Microsoft Graph.
Which Entra ID feature enforces MFA or blocks access based on sign-in signals like location, device, and risk?
What is the primary benefit of Privileged Identity Management (PIM) for Global Administrator?
Which authentication approach is recommended for enforcing MFA across all admin portal sign-ins?
Identity Secure Score in the Entra admin center primarily measures what?