11.2 Entra Playbook for Identity, Access, and Governance
Key Takeaways
- Microsoft Entra ID is the current name for the cloud identity service in the SC-900 objectives.
- Authentication proves who a user or workload is, while authorization decides what that identity can access.
- Conditional Access, multifactor authentication, roles, RBAC, ID Governance, access reviews, PIM, and ID Protection all live in the identity lane.
- Hybrid identity scenarios connect cloud identity needs with existing directory services and Active Directory concepts.
Use Entra When the Scenario Is About Identity
The Microsoft Entra domain is a large part of SC-900, and many product-selection questions start with identity language. If the prompt mentions users, groups, devices, workload identities, authentication methods, multifactor authentication, password protection, Conditional Access, role assignment, access reviews, privileged identity, or sign-in risk, begin with Microsoft Entra. The exam does not require you to build a tenant, but it expects you to know which capability owns the problem.
Microsoft Entra ID is the current name for the cloud identity and access service. You may see older materials that refer to Azure Active Directory, the former product name. On the exam, use the current Entra name unless a question explicitly describes a renamed or legacy reference. This naming detail matters because old study notes can make the same service look like a separate product.
| Requirement in a scenario | Entra capability to recognize | Exam reasoning |
|---|---|---|
| Verify user identity with more than a password | Multifactor authentication | The task is stronger authentication. |
| Grant access only when signals meet policy | Conditional Access | The task is policy-based access control. |
| Assign permissions to manage Microsoft Entra or Azure resources | Entra roles and RBAC | The task is authorization and least privilege. |
| Review whether users still need access | Access reviews | The task is identity governance. |
| Require just-in-time privileged role activation | Privileged Identity Management | The task is reducing standing privilege. |
| Detect risky users or risky sign-ins | Microsoft Entra ID Protection | The task is identity risk detection. |
Authentication Versus Authorization
- Authentication answers who or what is signing in.
- Authorization answers what the authenticated identity can do.
- Federation lets an identity provider establish trust so users can access resources across boundaries.
- Directory services store identity information and support identity lookup and management.
Hybrid identity questions often mention an organization that already has directory services or Active Directory and wants users to access cloud resources. The answer is not automatically a network firewall or a compliance tool. The scenario is still about identity. Microsoft Entra supports cloud identity concepts, hybrid identity, and identity governance patterns that help organizations modernize access while retaining existing identity investments.
Conditional Access is especially common in scenario wording because it connects Zero Trust thinking with identity controls. A Zero Trust prompt may say never trust, always verify, or apply least privilege. If the action is to evaluate sign-in signals and enforce controls such as multifactor authentication, the product lane is Entra. If the action is to review privileged role assignment, the lane is still Entra, but the more specific capability is Privileged Identity Management.
Do not overfit every security word to Defender. Identity is a security control, and the SC-900 outline explicitly treats identity as a primary security perimeter. Defender products help detect and protect against threats, but they do not replace the Entra controls that decide whether identities can sign in, receive permissions, keep access, or activate privileged roles.
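As an added illustration of the Conditional Access evaluation described above (example code written for this section, not from the SC-900 materials or from Microsoft), the following Python model applies constructed Conditional Access-style policies to a sign-in: signals such as group membership, target app, device compliance and the ID Protection sign-in risk level decide which policies apply, and the combined grant controls decide whether MFA is required, a compliant device is required, or the sign-in is blocked. The policy names, group names and app names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

RISK_LEVELS = ["none", "low", "medium", "high"]  # sign-in risk as reported by ID Protection

@dataclass
class SignIn:
    groups: Set[str]             # directory groups the signing-in user belongs to
    app: str                     # cloud app being accessed
    sign_in_risk: str            # one of RISK_LEVELS
    device_compliant: bool       # device state signal
    mfa_satisfied: bool          # True once the second factor has been completed

@dataclass
class Policy:
    name: str
    groups: Set[str]             # assignment: {"all"} targets every user
    apps: Set[str]               # assignment: {"all"} targets every cloud app
    min_risk: Optional[str] = None  # condition: applies at or above this risk level
    require_mfa: bool = False    # grant control
    require_compliant_device: bool = False  # grant control
    block: bool = False          # block access; overrides any grant control

def policy_applies(p: Policy, s: SignIn) -> bool:
    """Assignment and condition check: does this policy target the sign-in?"""
    if "all" not in p.groups and not (p.groups & s.groups):
        return False
    if "all" not in p.apps and s.app not in p.apps:
        return False
    if p.min_risk and RISK_LEVELS.index(s.sign_in_risk) < RISK_LEVELS.index(p.min_risk):
        return False
    return True

def evaluate(policies: List[Policy], s: SignIn) -> Tuple[str, List[str]]:
    """Combine every matching policy: a block wins; otherwise all grant controls must be met."""
    matched = [p for p in policies if policy_applies(p, s)]
    names = [p.name for p in matched]
    if any(p.block for p in matched):
        return "block", names
    if any(p.require_mfa for p in matched) and not s.mfa_satisfied:
        return "mfa_required", names
    if any(p.require_compliant_device for p in matched) and not s.device_compliant:
        return "compliant_device_required", names
    return "grant", names

POLICIES = [  # constructed sample policies, not exported from any real tenant
    Policy("Block high-risk sign-ins", {"all"}, {"all"}, min_risk="high", block=True),
    Policy("Require MFA for admins", {"Global Administrators"}, {"all"}, require_mfa=True),
    Policy("Finance app needs compliant device", {"all"}, {"Finance"}, require_compliant_device=True),
]
```

Real Conditional Access policies carry more conditions (locations, client apps, user risk) and more grant controls than this model. The combining rule is the exam point to remember: a block wins, and otherwise every grant control from every matching policy must be satisfied.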
Practice Scenarios
A company wants administrators to activate privileged roles only when needed and for a limited time. Which capability best matches the scenario?
A user enters a password and then approves a second verification prompt. Which concept is being demonstrated?
A scenario asks whether employees still need access to a sensitive application. Which Entra feature is the best match?