AZ-900 Identity and Security — Azure Entra ID and Zero Trust Guide 2026
Master Azure identity and security for AZ-900: Microsoft Entra ID, Zero Trust, RBAC, MFA, Defender for Cloud, Sentinel, Key Vault, and defense in depth.

Microsoft Entra ID (formerly Azure Active Directory)
Microsoft Entra ID is Microsoft's cloud-based identity and access management (IAM) service. Previously known as Azure Active Directory (Azure AD), it was rebranded to Microsoft Entra ID in 2026. For the AZ-900 exam, you may see both names — they refer to the same service.
Entra ID is the backbone of identity in Azure. It provides a central directory for managing users, groups, and applications. Unlike traditional on-premises Active Directory (which manages domain-joined machines on a local network), Entra ID is designed for cloud and hybrid environments, controlling access to cloud resources like Microsoft 365, Azure portal, and thousands of third-party SaaS applications.
Authentication vs Authorization
These two concepts appear repeatedly on the AZ-900 exam — understand the distinction clearly:
- Authentication (AuthN) — Verifying who you are. This is the process of proving your identity, typically with a username and password, biometrics, or a certificate. Example: logging in to the Azure portal with your credentials.
- Authorization (AuthZ) — Determining what you can do. After your identity is confirmed, authorization defines which resources you can access and what actions you can perform. Example: a user authenticated as a Contributor can deploy VMs but cannot delete subscriptions.
Entra ID handles both: it authenticates users with protocols like OAuth 2.0 and OpenID Connect, then uses RBAC to authorize resource access. Single Sign-On (SSO) is a key Entra ID feature — authenticate once and access multiple applications without re-entering credentials.
Role-Based Access Control (RBAC)
RBAC is the authorization system used across Azure to manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. RBAC is built on three key concepts:
- Security principal — The entity requesting access: a user, group, service principal, or managed identity
- Role definition — A collection of permissions (e.g., read, write, delete). Azure has 70+ built-in roles, plus support for custom roles
- Scope — The boundary where the role applies: management group, subscription, resource group, or individual resource
Common built-in roles to know for AZ-900: Owner (full access, can assign roles), Contributor (can create/manage resources, cannot assign roles), Reader (view-only access), User Access Administrator (manages user access to Azure resources).
RBAC uses an additive permissions model — if a user has Reader on a subscription but Contributor on a specific resource group, they get the higher permission at that scope. Deny assignments override allows. See the Azure governance guide for how RBAC fits into the broader policy and management hierarchy.
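The additive model and deny-override rule above, worked as an added example (not code from the page or from Azure itself): a small evaluator over a constructed scope hierarchy, with simplified Actions/NotActions for the built-in roles named in the text. The subscription id, resource names and the principal "alice" are constructed sample values.

```python
import fnmatch
from dataclasses import dataclass
# Constructed sample scope hierarchy: subscription > resource group > resource.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"

@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str
# Simplified Actions / NotActions for the built-in roles named in the text
# (the real definitions are larger; these keep the same shape and semantics).
ROLE_ACTIONS = {
    "Owner": {"*"},
    "Contributor": {"*"},
    "Reader": {"*/read"},
    "User Access Administrator": {"*/read", "Microsoft.Authorization/*"},
}
ROLE_NOT_ACTIONS = {  # Contributor cannot assign roles
    "Contributor": {"Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"},
}

def matches(pattern: str, action: str) -> bool:
    # Action strings are case-insensitive; '*' spans path segments.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def within(resource_scope: str, assignment_scope: str) -> bool:
    # An assignment applies at its own scope and is inherited by everything below it.
    return resource_scope == assignment_scope or resource_scope.startswith(assignment_scope + "/")

def is_allowed(principal, action, resource_scope, assignments, denies=()):
    """Additive model: any inherited role granting the action allows it,
    but a matching deny assignment (principal, action pattern, scope) wins."""
    for dp, dpattern, dscope in denies:
        if dp == principal and within(resource_scope, dscope) and matches(dpattern, action):
            return False
    for a in assignments:
        if a.principal != principal or not within(resource_scope, a.scope):
            continue
        if any(matches(p, action) for p in ROLE_NOT_ACTIONS.get(a.role, ())):
            continue  # excluded by the role's NotActions
        if any(matches(p, action) for p in ROLE_ACTIONS[a.role]):
            return True
    return False

# Reader on the subscription, Contributor on one resource group, deny on one VM.
ASSIGNMENTS = [RoleAssignment("alice", "Reader", SUB), RoleAssignment("alice", "Contributor", RG)]
DENIES = [("alice", "Microsoft.Compute/virtualMachines/delete", VM)]
```

Reading vm1 succeeds through the inherited Reader role, writing it succeeds only because Contributor is held at the resource group, and the deny on vm1 blocks delete there but nowhere else.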
Conditional Access and Multi-Factor Authentication (MFA)
Conditional Access is an Entra ID feature that enforces policies based on conditions — it's Azure's "if-then" engine for identity security. For example: if a user signs in from an unrecognized device in a foreign country, then require MFA or block access.
Common Conditional Access signals include: user or group membership, IP location, device compliance state, application being accessed, and real-time risk detection. Conditional Access is available in Entra ID P1 and P2 licenses.
Multi-Factor Authentication (MFA) adds a second verification factor beyond username and password. The three MFA factor categories are: something you know (password, PIN), something you have (authenticator app, SMS code, hardware token), and something you are (fingerprint, face recognition). Requiring MFA dramatically reduces account compromise risk — Microsoft reports MFA blocks over 99.9% of automated attacks.
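The "if-then" evaluation described above, as an added example that is not part of the original page or of Entra ID's own engine: sign-in signals (group, app, location, device compliance, risk) are matched against several policies at once, a block always wins, and the grant controls of every matching policy accumulate. Policy names, the "US" trusted location and the user "bob" are constructed sample values.

```python
from dataclasses import dataclass, field

RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class SignIn:  # the signals evaluated at sign-in (constructed sample values below)
    user: str
    groups: set
    app: str
    country: str
    device_compliant: bool
    risk: str = "none"

@dataclass
class Policy:
    name: str
    grant: str                      # "block", "mfa" or "compliant_device"
    groups: set = field(default_factory=lambda: {"All"})
    apps: set = field(default_factory=lambda: {"All"})
    trusted_countries: set = field(default_factory=set)   # policy skips sign-ins from these
    min_risk: str = "none"          # policy applies only at this risk level or above

def applies(p: Policy, s: SignIn) -> bool:
    """The 'if' half: every assignment and condition must match."""
    if "All" not in p.groups and not (p.groups & s.groups):
        return False
    if "All" not in p.apps and s.app not in p.apps:
        return False
    if s.country in p.trusted_countries:
        return False
    return RISK[s.risk] >= RISK[p.min_risk]

def evaluate(policies, s: SignIn):
    """The 'then' half. Block always wins; otherwise the sign-in must satisfy
    every control required by every matching policy (controls accumulate)."""
    matched = [p for p in policies if applies(p, s)]
    blocked_by = [p.name for p in matched if p.grant == "block"]
    if blocked_by:
        return "block", blocked_by
    required = {p.grant for p in matched}
    if "compliant_device" in required and not s.device_compliant:
        return "denied", ["device not compliant"]   # required control cannot be satisfied
    return "grant", required

POLICIES = [
    Policy("Require MFA for all users", "mfa"),
    Policy("Block high-risk sign-ins", "block", min_risk="high"),
    Policy("Compliant device for portal outside trusted countries", "compliant_device",
           apps={"Azure portal"}, trusted_countries={"US"}),
]
```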
Quick reference:
- Microsoft Entra ID: Cloud identity and access management service (formerly Azure AD). Manages users, groups, SSO, and application access across cloud and hybrid environments. Supports OAuth 2.0, OpenID Connect, and SAML.
- Zero Trust: Security framework based on three principles: Verify Explicitly (always authenticate and authorize), Use Least Privilege Access (just-in-time, just-enough-access), and Assume Breach (minimize blast radius, segment access).
- Azure security tools: Microsoft Defender for Cloud (threat protection and security posture), Microsoft Sentinel (cloud-native SIEM/SOAR), Azure Key Vault (secrets/keys/certificates), Azure DDoS Protection (network attack mitigation).
- Defense in Depth: 7-layer security model: Physical → Identity & Access → Perimeter → Network → Compute → Application → Data. Each layer is independently secured; breaching one does not compromise all others.
How Identity and Security Appear on the AZ-900 Exam
Identity, security, and compliance make up 35–40% of the AZ-900 exam — the largest single domain. Questions in this domain test conceptual understanding, not hands-on configuration. Expect scenario-based questions where you must pick the right tool or explain the right concept.
Common question patterns:
- "Which Azure service provides centralized identity management?" → Microsoft Entra ID
- "A user needs to access Azure resources from multiple apps without logging in multiple times. What feature enables this?" → Single Sign-On (SSO)
- "Your security team wants to be alerted when a user logs in from an unusual location. Which service would you use?" → Microsoft Defender for Cloud or Conditional Access
- "Which role allows a user to create and manage Azure resources but not assign roles?" → Contributor
- "What Zero Trust principle states that you should not assume the internal network is safe?" → Assume Breach
Study tip: Learn the purpose of each tool, not just its name. The exam frequently asks you to select the right service for a given scenario. Practice with the AZ-900 practice tests to build pattern recognition for these question types. Also review the AZ-900 complete guide for the full exam breakdown and the exam tips for time management strategies.
Identity and security questions often pair with governance topics. Review the Azure governance guide to understand how Azure Policy, Blueprints, and management groups layer on top of RBAC. For service-level understanding, the Azure services guide covers how Entra ID integrates across compute, storage, and networking resources.

Zero Trust: 3 Principles to Memorize for the Exam
- Verify Explicitly — Always authenticate and authorize based on all available data points: identity, location, device health, service or workload, data classification, and anomalies. Never grant access based on network location alone.
- Use Least Privilege Access — Limit user access with just-in-time (JIT) and just-enough-access (JEA). Apply risk-based adaptive policies and data protection to secure both data and productivity. Users get only the minimum permissions needed.
- Assume Breach — Minimize blast radius and segment access. Verify end-to-end encryption. Use analytics to get visibility, drive threat detection, and improve defenses. Operate as if a breach has already occurred.
Memory trick: VLA — Verify, Least privilege, Assume breach. Zero Trust flips the old "trust but verify" model to "never trust, always verify."
Azure Security Tools
Microsoft Defender for Cloud
Microsoft Defender for Cloud (formerly Azure Security Center + Azure Defender) is a unified security management and threat protection platform. It provides two main capabilities: Cloud Security Posture Management (CSPM), which continuously assesses your Azure environment and provides a Secure Score with prioritized recommendations, and Cloud Workload Protection Platform (CWPP), which detects and responds to threats across VMs, containers, databases, and storage accounts.
Defender for Cloud works across Azure, on-premises, and other cloud providers (AWS, GCP). Key metric to know: the Secure Score, a percentage that represents your security posture. Higher score = better security.
Microsoft Sentinel
Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. It collects security data at cloud scale across users, devices, applications, and infrastructure — both on-premises and in multiple clouds. Sentinel uses AI and machine learning to detect threats, investigate them with built-in hunting tools, and respond with automated playbooks (using Azure Logic Apps).
Azure Key Vault
Azure Key Vault is a cloud service for securely storing and accessing secrets — API keys, passwords, certificates, cryptographic keys, and other sensitive configuration values. Applications retrieve secrets from Key Vault at runtime rather than storing them in code or config files. This centralizes secret management, enables rotation, and provides an audit log of all access. Key Vault integrates with Azure RBAC and Entra ID for fine-grained access control.
Azure DDoS Protection and Defense in Depth
Azure DDoS (Distributed Denial of Service) Protection defends Azure resources against volumetric network attacks. The Basic tier is enabled automatically for all Azure customers at no extra cost. The Standard tier (now called DDoS Network Protection) adds adaptive tuning, attack analytics, rapid response support, and SLA guarantees.
The Defense in Depth model describes a layered security approach where multiple independent security controls protect resources:
- Physical — Microsoft datacenter physical security (guards, badge access, cameras)
- Identity & Access — Entra ID, MFA, Conditional Access, RBAC
- Perimeter — DDoS protection, Azure Firewall, perimeter firewalls
- Network — Network segmentation, NSGs, VPN, ExpressRoute encryption
- Compute — VM endpoint protection, patch management, Defender for Servers
- Application — Secure application development, WAF, no stored secrets in code
- Data — Data encryption at rest and in transit, Key Vault, database access controls
On the exam, you may be asked to identify which layer a specific control belongs to, or to explain why defense in depth is better than relying on a single security measure.

About the Author
Educational Psychologist & Academic Test Preparation Expert, Columbia University Teachers College
Dr. Lisa Patel holds a Doctorate in Education from Columbia University Teachers College and has spent 17 years researching standardized test design and academic assessment. She has developed preparation programs for SAT, ACT, GRE, LSAT, UCAT, and numerous professional licensing exams, helping students of all backgrounds achieve their target scores.