3.1 Microsoft Entra ID Foundations
Key Takeaways
- Microsoft Entra ID is the current identity service name to use for SC-900 Entra scenarios.
- Identity is treated as a primary security perimeter because access decisions start with who or what is signing in.
- Authentication proves identity, while authorization decides what that identity can access.
- Directory services, identity providers, and federation are core vocabulary for Entra questions.
Microsoft Entra ID as the identity plane
Microsoft Entra ID is the current identity service name used throughout the SC-900 objective area for Microsoft Entra. The exam expects a foundational view: identities need a trusted place to prove who or what they are before Microsoft cloud services can evaluate access. That identity plane supports business users, administrators, devices, applications, and workloads. It also connects the earlier SC-900 concepts of authentication, authorization, identity providers, directory services, Active Directory, and federation.
- Use Microsoft Entra ID as the current product name.
- Treat identity as a primary security perimeter in cloud scenarios.
- Read sign-in scenarios as authentication first, then authorization.
- Expect Entra questions to connect identity decisions to security outcomes.
Foundation terms to separate
A directory service stores identity information that services can use when a sign-in or access request happens. An identity provider is the trusted system that issues identity assertions for users or other principals. Federation lets one trusted identity system rely on another, which matters in organizations that have existing directory investments. SC-900 does not require deep deployment steps here, but it does expect you to recognize the role each concept plays.
| Term | Exam-level meaning |
|---|---|
| Authentication | Proves the identity of a user, app, device, or workload |
| Authorization | Decides what an authenticated identity may access |
| Directory service | Stores identity objects and related information |
| Federation | Trust relationship that lets identity cross system boundaries |
How to reason through Entra questions
When a question describes access to Microsoft 365 or Azure resources, start by identifying the identity involved and the proof required for sign-in. Then look for the policy or role decision that grants or limits access. This sequence keeps authentication and authorization from blending together. It also helps with product matching: Entra ID handles identity and access scenarios, while Defender, Sentinel, and Purview address different security or compliance outcomes elsewhere in the guide.
- First identify the principal: user, group, device, app, or workload.
- Next identify the sign-in proof: password, multifactor method, or another authentication method.
- Then identify the access decision: role, policy, or governance process.
- Finally check whether the scenario is identity-focused or belongs to another Microsoft solution area.
What not to overcomplicate
For this fundamentals exam, Entra ID questions usually test recognition and purpose, not deep administration. If a scenario asks where identity information is managed for Microsoft cloud access, stay with Entra ID. If it asks how the identity proves itself, think authentication. If it asks what the identity can do after sign-in, think authorization. That simple split is enough for many first-pass answer eliminations.
- Product match: Microsoft Entra ID for identity.
- Process match: authentication for proof.
- Permission match: authorization for allowed actions.
- Study priority: understand concepts before memorizing configuration details.
Which product name should you use as the current Microsoft cloud identity service in SC-900 scenarios?
A user proves who they are during sign-in. Which identity concept is being described?
Why does SC-900 treat identity as a primary security perimeter?