11.2 Entra Playbook for Identity, Access, and Governance

Key Takeaways

  • Microsoft Entra ID is the current name for the cloud identity service; Azure Active Directory is the former name and is not a separate product.
  • Authentication proves who an identity is, while authorization decides what that identity can access.
  • Conditional Access, multifactor authentication, roles and RBAC, ID Governance, access reviews, PIM, and ID Protection all live in the identity lane.
  • Entra PIM provides just-in-time activation of administrative roles, which is different from Defender for Cloud just-in-time VM network access.
Last updated: June 2026

Use Entra When the Scenario Is About Identity

The Microsoft Entra domain is one of the largest parts of SC-900 (about 25 to 30 percent), and many product-selection questions open with identity language. If the prompt mentions users, groups, devices, workload identities, authentication methods, multifactor authentication, password protection, Conditional Access, role assignment, access reviews, privileged identity, or sign-in risk, begin with Microsoft Entra. You will not build a tenant on the exam, but you must know which capability owns each task.

Microsoft Entra ID is the current name for the cloud identity and access service. Microsoft renamed Azure Active Directory (Azure AD) to Microsoft Entra ID, with standalone plan names (Entra ID Free, P1, P2) updated in 2023. On the exam, use the current Entra name. This naming detail matters because old study notes that still say Azure AD can make a single service look like two separate answers in a product-selection list.

Requirement in a scenario | Entra capability to recognize | Exam reasoning
Verify user identity with more than a password | Multifactor authentication | The task is stronger authentication.
Grant access only when signals meet policy | Conditional Access | The task is policy-based access control.
Assign permissions to manage Entra or Azure resources | Entra roles and RBAC | The task is authorization and least privilege.
Review whether users still need access | Access reviews (ID Governance) | The task is identity governance.
Require just-in-time privileged role activation | Privileged Identity Management | The task is reducing standing privilege.
Detect risky users or risky sign-ins | Microsoft Entra ID Protection | The task is identity risk detection.

Authentication Versus Authorization

The exam consistently separates these four identity concepts, and product-selection items often hinge on telling them apart:

  • Authentication (AuthN) answers who or what is signing in.
  • Authorization (AuthZ) answers what the authenticated identity is allowed to do.
  • Federation establishes trust between identity providers so users access resources across organizational boundaries with a single identity.
  • Directory services store identity information and support lookup, management, and the single sign-on experience.

Hybrid identity questions often describe an organization that already runs on-premises Active Directory and wants users to reach cloud resources. The answer is not a firewall or a compliance tool — the scenario is still about identity, and Microsoft Entra ID supports hybrid identity and identity governance patterns that modernize access while preserving existing directory investments.

The Two Just-in-Time Traps

Conditional Access shows up constantly because it links Zero Trust thinking (verify explicitly, use least-privilege access, assume breach) to identity controls. A Zero Trust prompt that asks to evaluate sign-in signals and enforce a control such as MFA is an Entra Conditional Access item. A prompt that asks to reduce standing administrative access is an Entra PIM item.

The most tested nuance is the meaning of "just-in-time." Entra PIM uses eligible assignments so an admin must activate a privileged role only when needed, for a limited, optionally approval-gated window — just-in-time access to administrative roles. Microsoft Defender for Cloud also has a just-in-time feature, but it controls just-in-time network access to VM management ports such as RDP and SSH. If the scenario is about admin role activation, choose Entra PIM; if it is about locking down inbound RDP/SSH to a virtual machine, choose Defender for Cloud. Same phrase, different products.
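The PIM side of this distinction is easiest to see in the two request types an administrator actually issues: an eligible assignment that grants no standing power, followed by a time-boxed self-activation. The script below is an added example written for this page, not code from the exam guide or from Microsoft; it uses the Microsoft Graph PowerShell SDK cmdlets, and the user object id, the chosen role and the ticket reference are assumptions.

```powershell
# Added example: eligible (not standing) admin access with PIM, then a just-in-time activation.
# Requires the Microsoft.Graph PowerShell SDK; <user-object-id> is a placeholder.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

# Resolve the built-in role by display name (assumed role for the illustration).
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Administrator'"

# Step 1: make the user ELIGIBLE for the role. Nothing is granted until activation,
# so this removes standing privilege rather than adding it.
$eligible = @{
    action           = "adminAssign"
    justification    = "Eligible assignment only; activation is just-in-time"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                       # tenant-wide scope
    principalId      = "<user-object-id>"        # placeholder
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P365D" }  # eligibility itself expires
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligible

# Step 2 (run by the eligible user): activate the role for a bounded window.
# If the role setting requires approval, this request waits for an approver.
$activate = @{
    action           = "selfActivate"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = "<user-object-id>"        # same placeholder
    justification    = "Ticket INC-0000 (placeholder): rotate an expiring secret"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }   # role lapses after two hours
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activate

# Audit check: who currently holds an ACTIVE assignment for this role right now?
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, AssignmentType, Status
```

Nothing in this flow touches a virtual machine or a network port, which is the point of the trap: Defender for Cloud just-in-time access would be configured on the VM's inbound rules, not through role assignment requests like these.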

Do not overfit every security word to Defender. Identity is a security control, and the SC-900 outline explicitly treats identity as the primary security perimeter. Defender products detect and protect against threats, but they do not decide whether identities can sign in, receive permissions, keep access, or activate privileged roles — those decisions are Entra's job, and recognizing that boundary clears a large share of identity questions quickly.

Governance, Risk, and the External-Identity Distinctions

The identity lane is wide, and SC-900 expects you to place several governance and risk capabilities precisely:

  • Microsoft Entra ID Governance is the umbrella for lifecycle controls: access reviews (periodically recertify access), entitlement management (bundle resources into access packages users can request), and lifecycle workflows (automate joiner-mover-leaver tasks).
  • Microsoft Entra ID Protection detects and remediates identity risk — risky users and risky sign-ins — and can feed risk signals into Conditional Access so risky logins are blocked or challenged with MFA.
  • Microsoft Entra External ID handles business-to-business and business-to-customer identities, replacing the externally branded Azure AD B2B/B2C offerings for new scenarios.
  • Microsoft Entra Permissions Management addresses multicloud permission visibility and least privilege across Azure, AWS, and Google Cloud.
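The Conditional Access section above and the ID Protection bullet meet in one place: a policy whose condition is a sign-in risk level and whose grant control is MFA. The script below is an added example for this page, not code from the exam guide or from Microsoft; it uses the Microsoft Graph PowerShell SDK, and the policy name, the report-only starting state and the excluded break-glass group id are assumptions.

```powershell
# Added example: ID Protection risk signals feeding a Conditional Access policy.
# Requires the Microsoft.Graph PowerShell SDK; <break-glass-group-object-id> is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Require MFA for medium and high sign-in risk"
    # Start in report-only mode so the sign-in logs show what WOULD be challenged
    # before the policy enforces anything; switch to "enabled" after review.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-group-object-id>")   # keep emergency accounts out of risk-based lockout
        }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")                   # the ID Protection risk signal is the condition
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                               # the Conditional Access control is the response
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify the policy was created and is still in report-only state.
Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Require MFA for medium and high sign-in risk'" |
    Select-Object DisplayName, State
```

The division of labour is visible in the object itself: ID Protection produces the `signInRiskLevels` value, Conditional Access evaluates it and enforces the grant control, and no Defender product is involved in deciding whether the sign-in proceeds.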

A reliable trap distinguishes ID Protection from Defender for Identity. Both have "identity" in the name. ID Protection scores risk for cloud identities (risky sign-ins, leaked credentials, impossible-travel patterns) inside Entra. Defender for Identity monitors on-premises Active Directory using domain-controller signals to catch lateral movement and credential theft. If the scenario is cloud sign-in risk, pick Entra ID Protection; if it is on-premises domain attack detection, pick Defender for Identity.

Map Verbs to Entra Capabilities

A verb-first scan makes Entra items fast:

  • prove who you are maps to authentication and MFA;
  • decide what you can reach maps to authorization, roles, and RBAC;
  • gate access on conditions maps to Conditional Access;
  • recertify ongoing access maps to access reviews;
  • request bundled resources maps to entitlement management;
  • limit standing admin power maps to PIM;
  • detect compromised identities maps to ID Protection;
  • handle partners and customers maps to External ID.

Because the Entra domain carries roughly 25 to 30 percent of the exam, fluency here pays off disproportionately.

When you can name the verb and snap to the matching Entra capability without hesitation, you avoid the two classic identity mistakes — defaulting to Conditional Access for every access question, and pulling threat-protection answers like Defender into what is fundamentally an access-control or governance decision.

Test Your Knowledge

A company wants administrators to activate privileged roles only when needed and for a limited time. Which capability best matches the scenario?

Test Your Knowledge

A scenario describes locking down inbound RDP and SSH to virtual machines so management ports are open only briefly when an admin requests access. Which product owns this just-in-time capability?

Test Your Knowledge

Old study notes refer to the cloud identity service as Azure Active Directory. How should you treat this on the SC-900 exam?
