3.2 Identity Types and Directory Objects

Key Takeaways

  • SC-900 Entra questions can involve users, groups, devices, service principals, and workload identities.
  • Groups help administrators manage access for multiple identities instead of assigning everything one by one.
  • Device identity matters because access decisions can consider more than the person signing in.
  • Service principals and workload identities represent non-human access needs for applications and automation.

Last updated: May 2026

Identity is broader than a person

SC-900 uses identity in a broad way. A user is the most familiar identity type, but modern access decisions also involve groups, devices, applications, and workloads. Microsoft Entra ID provides the directory context for those identities so the organization can authenticate them and make consistent authorization decisions. This matters on the exam because a scenario may not say "user" at all; it may describe an application needing access or a device being part of a sign-in condition.

  • Users represent people who sign in.
  • Groups collect identities for simpler management.
  • Devices can be known objects in access scenarios.
  • Service principals and workload identities support app and automation access.

Common object matching

A group is useful when many identities need the same access pattern. Instead of reasoning about each person separately, the organization can manage membership and then apply access decisions to the group. Devices are important because identity security is not only about the user name and password; a request from an unknown or unmanaged device can carry different risk. Service principals and workload identities shift the same identity logic to software that needs to call services.

Object type          Best exam clue
User                 A person signs in to use a Microsoft cloud service
Group                Access is managed for a set of users or identities
Device               The endpoint itself is part of the access decision
Workload identity    An app, service, or automation needs access
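
To make the group and object-type matching concrete, the following added example (not part of the original study guide) expands a group's nested membership and buckets every identity that inherits the group's access by object type. The sample data is constructed to resemble Microsoft Graph `GET /groups/{id}/members` output; the ids, display names, and the `effective_members` helper are hypothetical.

```python
# Added example. Real @odata.type values; ids and names below are constructed.
TYPE_TO_CATEGORY = {
    "#microsoft.graph.user": "user",
    "#microsoft.graph.device": "device",
    "#microsoft.graph.servicePrincipal": "workload",
}

MEMBERS_BY_GROUP = {  # constructed sample directory, keyed by group id
    "grp-finance-app": [
        {"@odata.type": "#microsoft.graph.user", "id": "u1", "displayName": "Avery (Finance)"},
        {"@odata.type": "#microsoft.graph.group", "id": "grp-finance-automation",
         "displayName": "Finance automation"},
        {"@odata.type": "#microsoft.graph.device", "id": "d1", "displayName": "FIN-LAPTOP-01"},
    ],
    "grp-finance-automation": [
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp1",
         "displayName": "nightly-report-job"},
        {"@odata.type": "#microsoft.graph.user", "id": "u1", "displayName": "Avery (Finance)"},
        # Constructed back-reference to the parent, to exercise the loop guard.
        {"@odata.type": "#microsoft.graph.group", "id": "grp-finance-app",
         "displayName": "Finance app users"},
    ],
}


def effective_members(group_id, members_by_group):
    """Walk nested groups; return {category: sorted display names} of inheritors."""
    result = {"user": set(), "device": set(), "workload": set(), "unknown": set()}
    seen_groups, stack = set(), [group_id]
    while stack:
        gid = stack.pop()
        if gid in seen_groups:
            continue  # defensive: never expand the same group twice
        seen_groups.add(gid)
        for obj in members_by_group.get(gid, []):
            otype = obj.get("@odata.type", "")
            if otype == "#microsoft.graph.group":
                stack.append(obj["id"])  # nested group: expand its members too
            else:
                category = TYPE_TO_CATEGORY.get(otype, "unknown")
                result[category].add(obj["displayName"])
    return {category: sorted(names) for category, names in result.items()}


if __name__ == "__main__":
    for category, names in effective_members("grp-finance-app", MEMBERS_BY_GROUP).items():
        print(f"{category:9} {names}")
```

The output shows that one group assignment reaches a person, an endpoint, and a background job, which is why the requester's object type has to be identified before choosing the control.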

Scenario reading pattern

Read each Entra identity question by asking whether the requester is human or non-human, and whether the access should be assigned directly or through a management container. If the scenario emphasizes many users, a group is usually the simplest conceptual match. If it emphasizes an application or automated process, think about service principals and workload identities. If the scenario mentions the computer, phone, or endpoint state, the device identity may be part of the decision.

  • Human requester: think user identity first.
  • Repeated assignments: look for group-based management.
  • Endpoint clue: consider device identity.
  • App or automation clue: consider service principal or workload identity.

Why object type changes the answer

The same access story can produce a different answer when the requesting object changes. A person needing application access is a user scenario. Many people needing the same access points to a group. A device appearing in the access decision makes endpoint identity relevant. An automated process needing access points away from a human user and toward workload identity concepts.

  • Identify the requester before choosing the control.
  • Do not assume every identity is a person.
  • Use groups when the problem emphasizes scale and repeatability.
  • Treat app and automation access as identity problems too.

Test Your Knowledge

Which identity object is most directly associated with managing access for many users as a set?

A
B
C
D

Test Your Knowledge

A background application needs to access a cloud resource without a human typing credentials. Which identity category is the best match?

A
B
C
D

Test Your Knowledge

Why can a device identity matter in an access scenario?

A
B
C
D