2.6 Identity Perimeter, Authentication, Authorization, and Federation

Key Takeaways

  • Identity is the primary security perimeter because access can originate from many locations, devices, and applications.
  • Authentication proves who or what an identity claims to be; authorization determines what that identity can do.
  • Identity providers centralize authentication, authorization, auditing, tokens, claims, and single sign-on.
  • Directory services store identity-related objects, while federation establishes trust across identity boundaries.
Last updated: May 2026

Identity is the control point for modern access

The SC-900 outline describes identity as the primary security perimeter. Modern work no longer happens only inside one protected corporate network: users, devices, workloads, and applications reach resources from homes, offices, public networks, partner environments, and cloud services. Because a network boundary alone can no longer gate access, access decisions start with identity.

Authentication and authorization are related but different. Authentication proves that a user, device, or application is who or what it claims to be. Passwords, biometrics, one-time passcodes, certificates, and security keys can serve as authentication evidence. Authorization happens after authentication and determines what the authenticated identity is allowed to access or do.

Concept             What to remember for SC-900
Identity perimeter  Access decisions start with who or what is requesting access.
Authentication      Proves identity before access continues.
Authorization       Determines permissions after identity is verified.
Identity provider   Central service that manages identity information and issues tokens.
Directory service   Stores objects such as users, devices, groups, policies, and applications.
Federation          Trust relationship that enables access across identity boundaries.

An identity provider creates, maintains, and manages identity information. It provides authentication, authorization, and auditing services to applications and services. In modern authentication, an application redirects the user to the identity provider rather than handling credentials itself. After successful verification, the identity provider issues a security token that the application trusts. Tokens contain claims such as user identifiers, roles, groups, issue time, and permission information. The application must validate the token (its signature, issuer, intended audience, and expiry) before acting on any claim it carries; a token the application has not verified proves nothing.

Single sign-on is an important identity-provider benefit. A user signs in once to the identity provider and can access applications that trust the same provider without entering separate credentials for every app. Centralizing sign-in improves control because administrators can enforce policies and disable access from one place. The same centralization concentrates risk: a compromised identity-provider account opens every application that trusts that provider, which is why strong authentication and access policies are enforced at the provider rather than in each app.

Directory services store and expose identity-related objects. Active Directory Domain Services, often shortened to AD DS, is Microsoft's on-premises directory service for domain-based networks. It stores users, devices, and groups, verifies credentials during sign-in, and defines access rights to network resources. Microsoft Entra ID (formerly Azure Active Directory) is the current Microsoft cloud-based identity and access management service for internet and cloud scenarios.

Federation extends trust across boundaries. One identity provider can trust another identity provider, so users authenticate with credentials they already have and access resources in a different organization or domain. Trust relationships are not automatically bidirectional; if both sides need to accept each other's users, the trust must be configured in both directions.
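The token flow described above (identity provider issues a token, application validates it and then makes an authorization decision) and the one-directional federation trust described in this paragraph, as an added worked example. This is not Microsoft code and does not use Microsoft Entra ID; it is a toy relying application written for this section using only the Python standard library. The issuer names, signing secrets, audience string and the `roles` claim layout are constructed for illustration, and the token follows the JWT shape (header.payload.signature, HS256) so the validation steps match what a real application would perform.

```python
"""Toy identity-provider token flow for the SC-900 concepts in this section.

Added example, not Microsoft code: issuer names, secrets, the audience
string and the 'roles' claim are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed trust configuration for the relying application ("the app").
# Each entry is an identity provider the app trusts plus the key used to
# check that provider's signatures. Trust is one-directional: listing the
# contoso IdP here says nothing about whether contoso trusts this app's IdP.
TRUSTED_ISSUERS = {
    "https://idp.example.test": b"example-idp-signing-secret",  # the app's own IdP
    "https://idp.contoso.test": b"contoso-idp-signing-secret",  # federated partner
}
APP_AUDIENCE = "api://payroll-app"  # constructed identifier for this app


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, key: bytes, subject: str, roles: list,
                audience: str = APP_AUDIENCE, lifetime: int = 600,
                now: Optional[int] = None) -> str:
    """Identity-provider side: after authenticating the user, mint a signed
    token carrying claims about who the user is and which roles they hold."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "sub": subject, "aud": audience,
               "iat": now, "exp": now + lifetime, "roles": roles}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def authenticate(token: str, now: Optional[int] = None) -> dict:
    """Application side: verify the token before trusting any claim in it.
    Returns the claims on success and raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, or bad JSON
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")  # the token must not choose the check
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")  # no federation trust with this IdP
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")  # claims were altered after issuance
    if payload.get("aud") != APP_AUDIENCE:
        raise ValueError("token issued for a different application")
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


def authorize(claims: dict, required_role: str) -> bool:
    """Authorization is a separate step applied to an authenticated identity."""
    return required_role in claims.get("roles", [])


def access_payroll(token: str, now: Optional[int] = None) -> str:
    """One request: authenticate first, then decide what the identity may do."""
    try:
        claims = authenticate(token, now)
    except ValueError as err:
        return f"401 not authenticated: {err}"
    if not authorize(claims, "payroll.read"):
        return f"403 {claims['sub']} authenticated but not permitted"
    return f"200 payroll data for {claims['sub']}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    own = issue_token("https://idp.example.test", TRUSTED_ISSUERS["https://idp.example.test"],
                      "alice", ["payroll.read"], now=t0)
    partner = issue_token("https://idp.contoso.test", TRUSTED_ISSUERS["https://idp.contoso.test"],
                          "bob@contoso", ["hr.read"], now=t0)
    stranger = issue_token("https://idp.fabrikam.test", b"unknown-key", "mallory",
                           ["payroll.read"], now=t0)
    for tok in (own, partner, stranger):
        print(access_payroll(tok, now=t0 + 10))
```

Running the block prints a 200 for the local user, a 403 for the federated partner user (authenticated via the trusted contoso issuer, but lacking the role) and a 401 for the token from an issuer the app has no trust relationship with. The ordering in `access_payroll` is the exam point: authentication failures are answered before any role is consulted, and a valid identity can still be denied by authorization.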

Exam distinction cues

  • If the prompt asks who the user is, think authentication.

  • If it asks what the signed-in user can do, think authorization.

  • If it asks about central sign-in, tokens, claims, or SSO, think identity provider.

  • If it asks about cross-organization trust, think federation.

These identity concepts prepare you for Microsoft Entra chapters. SC-900 does not require you to build a full identity architecture in Domain 1, but it does expect precise vocabulary. Most wrong answers in identity questions come from mixing sign-in proof with access permission, or from confusing a directory that stores objects with federation that establishes trust.

Test Your Knowledge

Which statement best distinguishes authentication from authorization?

Test Your Knowledge

What is the role of an identity provider in modern authentication?

Test Your Knowledge

Which concept enables access across organizational or domain boundaries by establishing trust relationships?
