What is Microsoft Entra ID? An AZ-900 Study Guide
Microsoft Entra ID, formerly Azure Active Directory, is a cloud-based identity and access management (IAM) service. In the AZ-900 exam, it is presented as the primary tool for managing user identities, securing access via MFA and Conditional Access, and providing Single Sign-On (SSO) across cloud and on-premises applications.
What exactly is Microsoft Entra ID?
If you've been studying older materials, you'll see this referred to as Azure Active Directory (Azure AD). Microsoft rebranded it to Entra ID to reflect that it does much more than just manage a directory; it's a complete identity ecosystem. Think of Entra ID as the 'digital bouncer' for your organization. It verifies who a user is and determines what they are allowed to touch within your Azure environment, Microsoft 365, and even third-party SaaS apps like Salesforce or Slack.
For the AZ-900 exam, you need to understand that identity is the new security perimeter. We no longer rely solely on firewalls because users are accessing data from home, coffee shops, and mobile devices. Entra ID centralizes this management, ensuring that whether a user is accessing a Virtual Machine in Azure or an email in Outlook, the identity check is consistent and secure.
How does Entra ID fit into Identity and Access Management (IAM)?
Identity and Access Management (IAM) is a framework of policies and technologies ensuring that the right people have the right access to the right resources. Entra ID is the engine that powers IAM in the Microsoft cloud. It manages three core components: users (the people), groups (collections of users for easier management), and service principals (identities for applications or automated tools).
A critical concept you'll encounter on the exam is Role-Based Access Control (RBAC). Instead of assigning permissions to individuals one by one—which is a nightmare to manage at scale—you assign permissions to a role (like 'Contributor' or 'Reader') and then assign users to that role. We always recommend following the Principle of Least Privilege (PoLP): give users the absolute minimum access they need to do their job. This limits the 'blast radius' if an account is ever compromised.
What is the difference between Authentication and Authorization?
These two terms are often used interchangeably in casual conversation, but for the AZ-900, you must distinguish them clearly. Authentication (AuthN) is the process of proving you are who you say you are. When you enter your password or scan your fingerprint, you are authenticating. It's like showing your passport at the airport to prove your identity.
Authorization (AuthZ), on the other hand, happens after you've been authenticated. It determines what you are actually allowed to do. Just because you have a passport (Authentication) doesn't mean you have a visa to enter a specific country (Authorization). In Entra ID, authorization is handled via RBAC and scopes. If you can log into the Azure Portal but can't delete a Virtual Machine, you are authenticated, but you aren't authorized to perform that specific action.
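To make the RBAC and authorization points above concrete, here is a small Python model of how role assignments at a scope answer the question "may this already-authenticated user perform this action on this resource?". It is an added example written for this guide, not Microsoft's code, and it simplifies the real service: the role definitions are trimmed versions of the built-in Reader, Contributor and Virtual Machine Contributor roles, and the subscription, resource group and VM ids are constructed.

```python
# Added illustration (not Microsoft's implementation) of Azure RBAC-style evaluation:
# assignments live at a scope and are inherited downwards; a role's Actions grant
# operations, its NotActions carve some back out; anything not granted is denied.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, List

# Simplified role definitions modelled on built-in roles. Real definitions also
# carry DataActions/NotDataActions for data-plane operations; omitted here.
ROLE_DEFINITIONS = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        # Contributor may manage resources but may not hand out access to others.
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete"],
    },
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*"],
        "not_actions": [],
    },
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str   # user, group or service principal (object ids in Azure; names here)
    role: str        # key into ROLE_DEFINITIONS
    scope: str       # management group, subscription, resource group or resource id


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies at its own scope and is inherited by every child scope."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def action_matches(patterns: Iterable[str], action: str) -> bool:
    """Action strings use '*' wildcards that may span several path segments."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_authorized(principal: str, groups: Iterable[str], action: str,
                  resource_id: str, assignments: List[RoleAssignment]) -> bool:
    """Authorization step only: the caller has already authenticated. Allow if any
    assignment (direct or through a group) that covers this scope grants the action
    and does not exclude it via NotActions. No matching grant means deny."""
    identities = {principal, *groups}
    for asg in assignments:
        if asg.principal not in identities or not scope_covers(asg.scope, resource_id):
            continue
        role = ROLE_DEFINITIONS[asg.role]
        if action_matches(role["actions"], action) and not action_matches(role["not_actions"], action):
            return True
    return False


# Constructed sample tenant: one subscription (placeholder id), two resource groups.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_WEB = f"{SUB}/resourceGroups/rg-web"
RG_DATA = f"{SUB}/resourceGroups/rg-data"
VM_WEB = f"{RG_WEB}/providers/Microsoft.Compute/virtualMachines/web01"
VM_DATA = f"{RG_DATA}/providers/Microsoft.Compute/virtualMachines/db01"

ASSIGNMENTS = [
    RoleAssignment("alice", "Reader", SUB),                               # read-only, whole subscription
    RoleAssignment("grp-vm-ops", "Virtual Machine Contributor", RG_WEB),  # least privilege: one RG, VMs only
    RoleAssignment("carol", "Contributor", SUB),
]

READ_VM = "Microsoft.Compute/virtualMachines/read"
DELETE_VM = "Microsoft.Compute/virtualMachines/delete"

if __name__ == "__main__":
    print(is_authorized("alice", [], READ_VM, VM_WEB, ASSIGNMENTS))              # True
    print(is_authorized("alice", [], DELETE_VM, VM_WEB, ASSIGNMENTS))            # False: authenticated, not authorized
    print(is_authorized("bob", ["grp-vm-ops"], DELETE_VM, VM_WEB, ASSIGNMENTS))  # True, via group membership
    print(is_authorized("bob", ["grp-vm-ops"], DELETE_VM, VM_DATA, ASSIGNMENTS)) # False: assignment stops at rg-web
```

Alice's case is exactly the passport-without-visa situation in the text: she can read the VM but a delete is refused because no assignment grants it. The group assignment also shows why the exam favours groups over per-user grants: adding Bob to `grp-vm-ops` gives him the role at one resource group and nothing more.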
Why are MFA and Conditional Access critical for security?
Passwords alone are a liability. That's why Multi-Factor Authentication (MFA) is a non-negotiable part of a modern identity strategy. MFA requires two or more pieces of evidence: something you know (password), something you have (a phone app or hardware token), or something you are (biometrics). Statistics show that MFA can block over 99.9% of account compromise attacks, making it a high-priority topic for your exam.
To make MFA smarter, Microsoft uses Conditional Access. Think of this as an 'if-then' statement for security. For example: 'If a user is logging in from an unknown IP address in a different country, then require MFA.' Or, 'If the user is on a corporate-managed device, then allow access without a second prompt.' This balances security with user experience, ensuring that friction is only added when the risk level increases.
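Here is what that 'if-then' evaluation looks like when written out. This is an added Python example, not Microsoft's policy engine or an export from a real tenant: each policy has a condition and a set of grant controls, a sign-in must satisfy every policy that applies to it, and the policy names and sign-in events are constructed for the walkthrough.

```python
# Added illustration (not Microsoft's engine): Conditional Access as if-then rules
# evaluated against the context of each sign-in.
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    trusted_location: bool   # source IP falls inside a named corporate location
    device_compliant: bool   # device is managed and reports compliant
    mfa_satisfied: bool      # a second factor was already completed in this session
    risk: str                # "none", "medium" or "high", as assessed by risk detection


@dataclass(frozen=True)
class Policy:
    name: str
    applies: Callable[[SignIn], bool]   # the 'if' part: who and under what conditions
    controls: FrozenSet[str]            # the 'then' part: "block", "mfa", "compliant_device"
    require_all: bool = True            # False: any one of the listed controls satisfies the policy


# Constructed policy set.
POLICIES = [
    Policy("Block high-risk sign-ins",
           lambda s: s.risk == "high", frozenset({"block"})),
    Policy("MFA or compliant device outside trusted locations",
           lambda s: not s.trusted_location,
           frozenset({"mfa", "compliant_device"}), require_all=False),
    Policy("Always MFA for the Azure Portal",
           lambda s: s.app == "Azure Portal", frozenset({"mfa"})),
]


def control_satisfied(control: str, s: SignIn) -> bool:
    return {"mfa": s.mfa_satisfied, "compliant_device": s.device_compliant}.get(control, False)


def evaluate(s: SignIn, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Return (decision, names of the policies that applied).
    Every applying policy must be satisfied. Block is never satisfiable. An unmet policy
    that lists MFA as a control becomes an MFA prompt; an unmet policy without MFA as an
    option (for example compliant device only) cannot be satisfied interactively, so it
    blocks. Decision is "allow", "require_mfa" or "block"."""
    matched = [p for p in policies if p.applies(s)]
    names = [p.name for p in matched]
    decision = "allow"
    for p in matched:
        if "block" in p.controls:
            return "block", names
        checks = [control_satisfied(c, s) for c in p.controls]
        if all(checks) if p.require_all else any(checks):
            continue
        if "mfa" in p.controls:
            decision = "require_mfa"
        else:
            return "block", names
    return decision, names


# Constructed sign-in events covering the cases described in the text.
OFFICE_MAIL = SignIn("alice", "Outlook", True, False, False, "none")   # trusted office, no policy applies
HOME_MANAGED = SignIn("alice", "Outlook", False, True, False, "none")  # home, but compliant device: no prompt
CAFE_BYOD = SignIn("bob", "Outlook", False, False, False, "none")      # unknown network, personal device
PORTAL_ADMIN = SignIn("carol", "Azure Portal", True, True, False, "none")
RISKY = SignIn("dave", "Outlook", False, False, True, "high")          # MFA done, but risk is high

if __name__ == "__main__":
    for event in (OFFICE_MAIL, HOME_MANAGED, CAFE_BYOD, PORTAL_ADMIN, RISKY):
        decision, applied = evaluate(event)
        print(f"{event.user:6} {event.app:13} -> {decision:12} {applied}")
```

The second policy carries the balance the text describes: from an untrusted network a compliant, managed device passes without a second prompt, while a personal device triggers MFA. The block policy is checked first-class rather than as "just another control" so that an already-completed MFA can never override a high-risk signal.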
How does Single Sign-On (SSO) simplify the user experience?
Password fatigue is real. When employees have to remember 15 different passwords for 15 different apps, they start using 'Password123' for everything, which is a security disaster. Single Sign-On (SSO) solves this by allowing a user to sign in once with one set of credentials to access multiple independent software systems.
In the Entra ID ecosystem, SSO works by acting as the Identity Provider (IdP). When a user tries to access a connected app, the app asks Entra ID, 'Is this person who they say they are?' Entra ID confirms the identity and sends a token back to the app. This not only makes users happier but also makes the IT admin's life easier. When an employee leaves the company, you only have to disable one account in Entra ID to instantly revoke their access to every single SSO-connected application.
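The exchange just described, reduced to code as an added example that is not Entra ID's implementation: the identity provider signs a short-lived token naming the user and the application it is meant for, and each relying application verifies that token instead of ever seeing the user's password. The issuer URL, application names, user and signing key are all constructed. HMAC-SHA256 keeps the example self-contained; production identity providers sign with asymmetric keys (such as RS256) so that applications hold only the public key.

```python
# Added illustration (not Entra ID's code) of SSO token issuance and verification.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The one place users authenticate; it vouches for them to every connected app."""

    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer = issuer
        self.key = signing_key
        self.enabled = {}   # user -> enabled flag: the single account an admin disables

    def add_user(self, user: str) -> None:
        self.enabled[user] = True

    def disable_user(self, user: str) -> None:
        self.enabled[user] = False

    def issue_token(self, user: str, audience: str, ttl: int = 300,
                    now: Optional[int] = None) -> Optional[str]:
        """Called after the user has authenticated once. One token per target app:
        the 'aud' claim binds it to that app so another app will not accept it."""
        if not self.enabled.get(user, False):
            return None   # disabled or unknown account: no new tokens for any app
        now = int(time.time()) if now is None else now
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.issuer, "sub": user, "aud": audience, "iat": now, "exp": now + ttl}
        signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{b64url(sig)}"


def verify_token(token: str, expected_issuer: str, expected_audience: str,
                 key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """The relying app's side: accept only a token whose algorithm, signature, issuer,
    audience and expiry all check out. Returns the claims, or None to refuse."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        return None
    if header.get("alg") != "HS256":   # the verifier fixes the algorithm, never the token
        return None
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("iss") != expected_issuer or claims.get("aud") != expected_audience:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims


ISSUER = "https://login.example.test/tenant-constructed"   # constructed
KEY = b"constructed-shared-secret-not-for-production"       # constructed


def walkthrough(now: int = 1_700_000_000) -> dict:
    """Run the exchange end to end against a fresh constructed IdP and report what each check did."""
    idp = IdentityProvider(ISSUER, KEY)
    idp.add_user("alice@example.test")
    token = idp.issue_token("alice@example.test", "salesforce", now=now)   # one sign-in ...
    header_b64, _, sig_b64 = token.split(".")
    edited = f"{header_b64}.{b64url(json.dumps({'sub': 'someone-else'}).encode())}.{sig_b64}"
    results = {
        "accepted_by_salesforce": verify_token(token, ISSUER, "salesforce", KEY, now=now + 60) is not None,
        "rejected_by_slack": verify_token(token, ISSUER, "slack", KEY, now=now + 60) is None,
        "rejected_after_expiry": verify_token(token, ISSUER, "salesforce", KEY, now=now + 300) is None,
        "rejected_when_claims_edited": verify_token(edited, ISSUER, "salesforce", KEY, now=now + 60) is None,
    }
    idp.disable_user("alice@example.test")   # ... and one disable stops tokens for every app
    results["no_token_after_disable"] = idp.issue_token("alice@example.test", "slack", now=now) is None
    return results


if __name__ == "__main__":
    for check, ok in walkthrough().items():
        print(f"{check:28} {ok}")
```

One caveat the offboarding scenario depends on: disabling the account stops new tokens immediately, but a token already handed to an app remains valid until its `exp` time. That is why token lifetimes are kept short and why revoking sessions is part of a real leaver process.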
How should you study Entra ID to pass the AZ-900?
The AZ-900 doesn't require you to be a directory architect, but it does require you to understand these concepts in a practical context. Don't just memorize definitions; imagine real-world scenarios. Ask yourself: 'If I were the admin, would I use a Group or a Role here?' or 'Would Conditional Access be better than a static password policy?'
The best way to lock in this knowledge is through active recall. We've built our practice exams with this in mind, offering 1,000 expert-curated questions that mirror the actual exam environment. Use our domain filtering to focus specifically on the 'Describe Azure AD/Entra ID' section. By reviewing the detailed reasoning for every wrong answer, you'll start to see the patterns Microsoft uses to trick students, ensuring you walk into the testing center with total confidence.
❓ Frequently Asked Questions
Is Azure Active Directory the same thing as Microsoft Entra ID?
Yes. Microsoft rebranded Azure Active Directory to Microsoft Entra ID in 2023. The underlying technology and functionality remain the same, but you will see 'Entra ID' used in current exam questions and documentation.
Do I need to know how to write PowerShell scripts for Entra ID on the AZ-900?
No. The AZ-900 is a fundamentals exam. You need to understand the concepts, capabilities, and business value of Entra ID, but you aren't required to write code or scripts to manage it.
What is the main difference between Entra ID and traditional Windows Server AD?
Windows Server AD is designed for on-premises networks using a hierarchical structure (forests/domains) and protocols like Kerberos. Entra ID is a flat, cloud-based identity service using modern web protocols like OAuth 2.0 and SAML.