AB-900 Study Guide

Domain 1: M365 Core Features & Objects

  • Welcome to Microsoft 365
  • Exchange Online: Mailboxes & Distribution
  • SharePoint: Sites, Libraries & Permissions
  • Microsoft Teams: Teams, Channels & Policies
  • Users, Groups & Licensing
  • Zero Trust: Never Trust, Always Verify
  • Authentication: Passwords, MFA & Beyond
  • Microsoft Defender XDR
  • Microsoft Entra: Your Identity Hub
  • PIM, Audit Logs & Identity Governance

Domain 2: Data Protection & Governance

  • Microsoft Purview: The Big Picture
  • Sensitivity Labels & Data Classification
  • Data Loss Prevention (DLP)
  • Insider Risk & Communication Compliance
  • DSPM for AI & Data Lifecycle
  • How Copilot Accesses Your Data
  • Responsible AI Principles
  • Compliance Manager & eDiscovery
  • Activity Explorer & Data Monitoring
  • Oversharing in SharePoint

Domain 3: Copilot & Agent Admin

  • What is Microsoft 365 Copilot? Free
  • What Are Agents? Free
  • Copilot vs Agents: When to Use Which Free
  • Copilot Licensing: Monthly vs Pay-as-You-Go Free
  • Researcher, Analyst & Real-World Use Cases Free
  • Managing Copilot: Billing, Monitoring & Prompts Free
  • Building Agents: Create, Test & Publish Free
  • Agent Lifecycle: Access, Approval & Monitoring Free

Domain 1: M365 Core Features & Objects · Premium · ⏱ ~12 min read

Authentication: Passwords, MFA & Beyond

Authentication is how M365 proves you are who you say you are. From passwords to passkeys, MFA to passwordless — know the methods, know the risks.

Authentication vs authorisation

☕ Simple explanation

Authentication = “Who are you?” Authorisation = “What are you allowed to do?”

Think of a hotel. Authentication is the front desk checking your ID and giving you a room key. Authorisation is what that key opens — your room (yes), the pool (yes), the staff kitchen (no).

In M365: authentication verifies your identity (password + MFA). Authorisation decides what you can access (based on your licenses, group memberships, and policies).

Authentication (AuthN) is the process of verifying a user’s identity — confirming they are who they claim to be. In M365, this is managed by Microsoft Entra ID using methods like passwords, MFA, FIDO2 keys, or Windows Hello.

Authorisation (AuthZ) is the process of determining what an authenticated user can access β€” based on role assignments, group memberships, conditional access policies, and license entitlements.

Authentication methods in Microsoft 365

Authentication methods ranked by security

| Feature | Security Level | User Experience | Common Use |
|---|---|---|---|
| Password only | 🔴 Low (easily phished) | Familiar but risky | Legacy — being phased out |
| Password + MFA | 🟡 Good (blocks most attacks) | Extra step but manageable | Current standard for most orgs |
| Microsoft Authenticator | 🟢 Strong (push notification) | Tap to approve on phone | Recommended MFA method |
| FIDO2 security key | 🟢 Very strong (phishing-resistant) | Physical key, tap to sign in | High-security roles |
| Windows Hello for Business | 🟢 Very strong (biometric/PIN) | Face, fingerprint, or PIN | Corporate-managed Windows devices |
| Certificate-based auth | 🟢 Strong (smart cards) | Insert card + PIN | Government, regulated industries |
| Passkeys | 🟢 Very strong (phishing-resistant) | Biometric or device unlock | The future — replacing passwords |

Key exam concept: Passwords alone are NOT secure. The exam always favours MFA or passwordless methods. If a question asks “what should the admin enable to improve security?” — the answer almost always involves MFA or a stronger method.

Multi-Factor Authentication (MFA)

MFA requires two or more factors from different categories:

| Factor | Category | Example |
|---|---|---|
| Something you know | Knowledge | Password, PIN |
| Something you have | Possession | Phone (Authenticator app), security key |
| Something you are | Biometric | Fingerprint, face recognition |

MFA works because even if an attacker steals your password (something you know), they still need your phone (something you have) to complete sign-in.

💡 Scenario: Brew & Byte enables MFA

Brew & Byte has 30 employees and never used MFA. After a phishing email nearly compromised Kai’s account, they decide to enable it:

  1. Microsoft Entra admin center → Protection → Multifactor authentication
  2. Enable Security defaults (free, enables MFA for all users automatically)
  3. All users register Microsoft Authenticator on their phones
  4. Sign-in now requires: password + Authenticator approval

Result: Even when Zoe (the designer) clicks a phishing link and enters her password on a fake site, the attacker can’t complete sign-in because they don’t have Zoe’s phone.

Cost: $0 — Security defaults are free and included in every M365 plan.

Passwordless authentication — the future

Microsoft is moving towards passwordless authentication:

  • Microsoft Authenticator (passwordless mode) — tap to approve, no password needed
  • FIDO2 security keys — physical USB/NFC key, phishing-resistant
  • Windows Hello for Business — face, fingerprint, or PIN tied to the device
  • Passkeys — cross-platform, phishing-resistant, biometric-based

ℹ️ Why passwordless is more secure

Passwords are the weakest link because:

  • Users reuse them across sites
  • They can be phished (fake login pages)
  • They can be brute-forced or sprayed
  • They can be leaked in data breaches

Passwordless methods eliminate passwords entirely. A FIDO2 key or Windows Hello credential is tied to a specific device, can’t be phished (the credential is bound to the legitimate site’s domain, so a look-alike site cannot use it), and can’t be reused on other sites.

Exam tip: If a question asks about “phishing-resistant authentication” → the answer is FIDO2 security keys, Windows Hello for Business, or passkeys. NOT Authenticator app (which is strong but not phishing-resistant by default).
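Why a look-alike site cannot use a FIDO2 credential is the point this section (and the FIDO2 flashcard further down) leans on most, so here is an added example, written for this edit rather than taken from the page, from Microsoft or from any WebAuthn library: a simplified Go model of the FIDO2/WebAuthn sign-in ceremony. The browser supplies the host of the page the user is really on, the authenticator only signs with a credential scoped to that host, and the relying party checks the challenge it issued, the origin, the rpIdHash and the signature before accepting. The hosts `signin.example` and `signin-example.test`, the `chal-*` challenge strings and all type and function names are constructed for the example; attestation, sign counters, flags and the CBOR/COSE wire encodings of real WebAuthn are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample hosts (not real sites): the relying party (RP) and a look-alike phishing domain.
const rpID, phishHost = "signin.example", "signin-example.test"

// collectedClientData is built by the browser, not the page, so a phishing page cannot pick the signed origin.
type collectedClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the RP receives at sign-in; AuthenticatorData is simplified to the 32-byte rpIdHash.
type Assertion struct {
	AuthenticatorData, ClientDataJSON, Signature []byte
}

// Authenticator models a FIDO2 key: one private key per RP ID, never exported.
type Authenticator map[string]*ecdsa.PrivateKey

// signedDigest is what the key signs (ECDSA P-256) and the RP verifies: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// GetAssertion is the browser + authenticator half of sign-in. pageHost comes from the URL bar of the page
// the user is really on (a phishing page cannot supply the legitimate one); simplified here, it is also the
// RP ID, and the key only signs with a credential scoped to it.
func (a Authenticator) GetAssertion(pageHost, challenge string) (*Assertion, error) {
	key, ok := a[pageHost]
	if !ok { // the phishing case: no credential is scoped to the look-alike domain
		return nil, fmt.Errorf("authenticator: no credential scoped to rpId %q", pageHost)
	}
	cd, _ := json.Marshal(collectedClientData{Challenge: challenge, Origin: "https://" + pageHost})
	h := sha256.Sum256([]byte(pageHost))
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(h[:], cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthenticatorData: h[:], ClientDataJSON: cd, Signature: sig}, nil
}

// VerifyAssertion is the RP's half (WebAuthn §7.2, simplified): challenge, origin, rpIdHash, then signature.
func VerifyAssertion(pub *ecdsa.PublicKey, challenge string, as *Assertion) error {
	var cd collectedClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch (stale or replayed assertion)")
	case cd.Origin != "https://"+rpID:
		return fmt.Errorf("origin mismatch: %q", cd.Origin)
	case string(as.AuthenticatorData) != string(want[:]):
		return errors.New("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(pub, signedDigest(as.AuthenticatorData, as.ClientDataJSON), as.Signature):
		return errors.New("bad signature")
	}
	return nil
}

func Demo() (legit, phish, replay, tamper error) { // four sign-in attempts; nil means the RP accepted
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration ceremony, simplified
	if err != nil {
		return err, err, err, err
	}
	auth, pub := Authenticator{rpID: key}, &key.PublicKey // the RP stores only the public half
	// 1. Genuine sign-in on the real host with the challenge the RP just issued (constructed string).
	as1, err := auth.GetAssertion(rpID, "chal-aaaa")
	if err != nil {
		return err, err, err, err
	}
	legit = VerifyAssertion(pub, "chal-aaaa", as1)
	// 2. Same key, but the user is on the look-alike site: there is nothing to sign with.
	_, phish = auth.GetAssertion(phishHost, "chal-bbbb")
	// 3. A captured assertion replayed against a later login that issued a fresh challenge.
	replay = VerifyAssertion(pub, "chal-cccc", as1)
	// 4. The attacker rewrites the challenge inside clientDataJSON; the signature covers it.
	forged := *as1
	forged.ClientDataJSON, _ = json.Marshal(collectedClientData{Challenge: "chal-cccc", Origin: "https://" + rpID})
	tamper = VerifyAssertion(pub, "chal-cccc", &forged)
	return
}

func main() {
	legit, phish, replay, tamper := Demo()
	fmt.Printf("genuine: %v\nphishing: %v\nreplay: %v\ntamper: %v\n", legit, phish, replay, tamper)
}
```

Run it with `go run` to see the four outcomes, or call `Demo()` from a test. The phishing attempt fails before anything is signed, because no credential exists for the look-alike domain; the replayed assertion fails on the challenge the RP issued; and rewriting the client data breaks the signature, which is why the origin the browser recorded cannot be altered after the fact. That is the mechanism behind “verifies the website’s identity” in the text above, and it is what an Authenticator push approval does not give you: a user can approve a push for a session the attacker started.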

Self-Service Password Reset (SSPR)

SSPR lets users reset their own passwords without calling the helpdesk:

  • Configured in Microsoft Entra admin center → Protection → Password reset
  • Users register recovery methods (phone, email, security questions)
  • Reduces helpdesk calls by 20-40% in most organisations

Exam note: SSPR is about convenience AND security. It reduces the risk of helpdesk-based social engineering attacks (attacker calls helpdesk pretending to be the user).

🎬 Video walkthrough

Video coming soon: Authentication Methods — AB-900 Module 7 (~10 min)

Flashcards

Question: What's the difference between authentication and authorisation?

Answer: Authentication (AuthN) = verifying WHO you are (password, MFA, biometric). Authorisation (AuthZ) = determining WHAT you can access (roles, groups, policies, licenses).

Question: What are the three factors used in multi-factor authentication?

Answer: 1) Something you know (password, PIN). 2) Something you have (phone, security key). 3) Something you are (fingerprint, face). MFA requires two or more from different categories.

Question: What makes FIDO2 security keys phishing-resistant?

Answer: FIDO2 keys verify the website's identity as part of authentication — if the site is fake (phishing), the key won't work. The credential is also tied to the specific device and can't be exported or reused.

Knowledge Check

  1. Clearfield Council requires phishing-resistant authentication for all councillors accessing sensitive systems. Which method should Director Chen deploy?
  2. An employee's password is compromised in a data breach. They also use Microsoft Authenticator for MFA. Can the attacker sign in to their M365 account?


Next up: Microsoft Defender XDR β€” the threat protection and intelligence platform that watches for attacks across your entire M365 environment.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.