3.4 Authentication Methods and Sign-in Assurance
Key Takeaways
- Authentication methods are the ways an identity proves itself during sign-in.
- Password-only authentication is weaker than approaches that require additional proof.
- Authentication is separate from authorization even though both appear in the same access flow.
- SC-900 questions often ask you to choose the capability that strengthens sign-in assurance.
Authentication methods in the access flow
Authentication is the proof step. Before a user can open a cloud app or an administrator can manage a tenant, the identity must prove that it is legitimate. An authentication method is the kind of proof used in that sign-in process. A password is one method, but the Entra objective also includes multifactor authentication and password management topics because relying on a single shared secret creates security risk.
- Authentication answers who or what is signing in.
- Methods are the proof mechanisms used during sign-in.
- Stronger proof can reduce the risk of stolen or guessed credentials.
- Authorization decisions should be evaluated after the identity is authenticated.
Keep proof and permission separate
A common SC-900 trap is mixing up a successful sign-in with permission to do everything. Authentication says the identity was verified. Authorization says what the verified identity can access. Microsoft Entra ID topics span both ideas, but this section is about the sign-in proof side. Later access-management sections cover Conditional Access, roles, governance, and risk-based decisions.
| Question clue | Best concept |
|---|---|
| Prove the user is who they claim to be | Authentication |
| Decide whether access is allowed | Authorization |
| Require more than one kind of proof | Multifactor authentication |
| Manage forgotten or weak passwords | Password management and protection |
Exam scenario pattern
If a scenario says users can sign in with only a password and the organization wants stronger identity verification, look for an authentication improvement. If the scenario says users are signed in but should not reach a sensitive app unless conditions are met, that is closer to Conditional Access. If the scenario says an administrator has too much power for too long, that belongs with roles or Privileged Identity Management. Separating these clues keeps the Entra domain easier to navigate.
- Weak sign-in proof suggests authentication methods or multifactor authentication.
- Forgotten or compromised passwords suggest password management or protection.
- Permission boundaries suggest authorization, roles, or access policies.
- Time-bound administrative access suggests privileged access governance.
Why method choice matters
Authentication method choice affects the confidence an organization can place in a sign-in event. A password-only sign-in gives one kind of evidence. A sign-in with additional proof gives stronger assurance that the requester is legitimate. SC-900 usually describes this as a security objective rather than a setup screen, so read for the outcome: stronger sign-in assurance, less credential risk, or better account recovery.
- Outcome: prove the identity with enough confidence.
- Weakness: a single password can be guessed, reused, or stolen.
- Improvement: require stronger or additional proof.
- Boundary: permission assignment is still authorization.
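The separation this section insists on, as an added model that is not Microsoft Entra ID's code: a toy directory where authenticate() returns only how strongly the identity was proven (none, password only, multifactor), and authorize() is evaluated afterwards against a role and a minimum sign-in assurance per resource. The user names, passwords, device secret and resource policy below are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Optional


class Assurance(IntEnum):
    """How much confidence the sign-in proof produced (the authentication side)."""
    NONE = 0           # proof failed; no session at all
    PASSWORD_ONLY = 1  # a single shared secret that can be guessed, reused or stolen
    MULTIFACTOR = 2    # password plus an independent second proof


@dataclass(frozen=True)
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: FrozenSet[str]
    mfa_secret: Optional[bytes] = None  # registered second factor, if the user has one


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(name: str, password: str, roles, mfa_secret: Optional[bytes] = None) -> User:
    salt = os.urandom(16)  # constructed directory entry; never store the plain password
    return User(name, salt, _hash_pw(password, salt), frozenset(roles), mfa_secret)


def authenticate(user: User, password: str, second_factor: Optional[bytes] = None) -> Assurance:
    """Proof step only: says who signed in and how convincingly, never what they may do."""
    if not hmac.compare_digest(_hash_pw(password, user.salt), user.pw_hash):
        return Assurance.NONE
    if second_factor is None:
        return Assurance.PASSWORD_ONLY
    if user.mfa_secret is not None and hmac.compare_digest(second_factor, user.mfa_secret):
        return Assurance.MULTIFACTOR
    return Assurance.NONE  # a presented but wrong second factor fails the sign-in


# Constructed policy: each resource needs a role AND a minimum sign-in assurance.
RESOURCES = {
    "mail": ("user", Assurance.PASSWORD_ONLY),
    "admin-portal": ("admin", Assurance.MULTIFACTOR),
}


def authorize(user: User, assurance: Assurance, resource: str) -> bool:
    """Permission step, evaluated only after authentication produced an assurance level."""
    if assurance is Assurance.NONE:
        return False
    role, min_assurance = RESOURCES[resource]
    return role in user.roles and assurance >= min_assurance
```

A successful sign-in for a user without the admin role, or an admin who signed in with a password only, is authenticated yet still denied the admin portal; that second decision is authorization, not a failed authentication.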
Review questions
- Which statement best describes an authentication method?
- A user signs in successfully but still cannot open an admin portal. Which concept explains the second decision?
- Which scenario points most directly to strengthening authentication?