2.6 Identity Perimeter, Authentication, Authorization, and Federation

Identity is the modern control point

Microsoft's SC-900 outline treats identity as the primary security perimeter. The reasoning ties directly to Zero Trust: modern work no longer happens only inside one protected corporate network. Users, devices, workloads, and applications access resources from homes, offices, public networks, partner environments, and cloud services. Because the network boundary alone cannot define trust, access decisions start with identity — you authenticate and authorize the identity behind each request rather than trusting its origin network.

An identity can belong to a person, a service or application, or a device. The 'four pillars of identity' the exam often references are administration (creating and managing identities), authentication (proving identity), authorization (deciding access), and auditing (tracking activity). Keep these distinct — distractors love to swap two of them.

Authentication vs. authorization

These two are related but sequential and must not be confused:

Authentication always happens first; authorization follows only after the identity is verified. A reliable exam tell: if the prompt asks who the user is, the answer is authentication; if it asks what the signed-in user can access or do, the answer is authorization. A distractor claiming 'authorization happens before authentication' is always wrong.

Identity providers, tokens, and single sign-on

An identity provider (IdP) creates, maintains, and manages identity information while providing authentication, authorization, and auditing services to applications. In modern authentication, an application redirects the user to the IdP; after the IdP verifies the user, it issues a security token that the application trusts. Tokens carry claims — statements about the identity such as user identifier, name, roles, group memberships, issue time, and permissions. The application reads the claims rather than handling credentials itself, which centralizes and strengthens security.

Single sign-on (SSO) is a key IdP benefit: a user authenticates once to the IdP and can then access every application that trusts the same provider without re-entering credentials. SSO improves both usability and control — administrators enforce policies (like MFA and Conditional Access) and can disable a user's access in one place, instantly cutting off all connected apps.

Directory services

A directory service stores and exposes identity-related objects so they can be managed and queried:

• Active Directory Domain Services (AD DS) — Microsoft's on-premises directory for domain-based networks. It stores users, devices, and groups, verifies credentials at sign-in, and defines access rights to network resources.
• Microsoft Entra ID (formerly Azure Active Directory / Azure AD) — Microsoft's cloud-based identity and access management service for internet and cloud scenarios. This rebrand is heavily tested: 'Azure AD' and 'Microsoft Entra ID' are the same product, and the current name is Microsoft Entra ID.

Don't confuse a directory (which stores objects) with federation (which establishes trust between providers).

Federation across boundaries

Federation establishes a trust relationship between two separate identity providers so users can authenticate with credentials they already have and access resources in a different organization or domain. The user's home IdP performs authentication; the relying organization's IdP trusts that result and grants access based on it — the user never needs a second set of credentials in the partner system. A familiar everyday example is signing in to a third-party website using an existing account from another provider.

A tested nuance: federation trust is not automatically bidirectional. If both organizations need their users to access each other's resources, a two-way trust must be explicitly configured. A one-way trust lets one side's users into the other, but not vice versa.

Why these concepts matter for SC-900

These identity fundamentals set up the Microsoft Entra chapters (which cover Conditional Access, MFA, identity protection, and identity governance). Domain 1 does not require you to design an identity architecture, but it does demand precise vocabulary. Most wrong answers on identity questions come from two confusions: (1) mixing authentication (sign-in proof) with authorization (access permission), and (2) confusing a directory service (stores objects) with federation (establishes cross-boundary trust).

Master these distinctions and you can resolve nearly every Domain 1 identity question quickly and correctly.

Modern vs. legacy authentication

The exam contrasts modern authentication with older models. In legacy setups, an application often handled credentials directly or relied on a single on-premises directory. Modern authentication instead delegates the sign-in to a trusted identity provider that returns a token of claims — this is what makes SSO, MFA, Conditional Access, and federation possible across cloud and on-premises resources. Microsoft Entra ID acts as that cloud identity provider for Microsoft 365 and thousands of integrated apps.

Tokens are time-limited and signed, so an application can validate a token without contacting the IdP for every request, yet still trust its claims. This is why a single, well-protected identity provider is so central to Zero Trust: it concentrates verification, policy enforcement, and auditing at one strongly defended control point.

When you see an SC-900 scenario about centralizing sign-in, issuing claims, enabling SSO, or extending trust to a partner, anchor your answer to identity-provider and federation concepts rather than to network or encryption controls — that focus is what separates correct answers from plausible-sounding distractors.