Guided by A Guide to Cloud

AB-900 Study Guide

Domain 1: M365 Core Features & Objects

  • Welcome to Microsoft 365
  • Exchange Online: Mailboxes & Distribution
  • SharePoint: Sites, Libraries & Permissions
  • Microsoft Teams: Teams, Channels & Policies
  • Users, Groups & Licensing
  • Zero Trust: Never Trust, Always Verify
  • Authentication: Passwords, MFA & Beyond
  • Microsoft Defender XDR
  • Microsoft Entra: Your Identity Hub
  • PIM, Audit Logs & Identity Governance

Domain 2: Data Protection & Governance

  • Microsoft Purview: The Big Picture
  • Sensitivity Labels & Data Classification
  • Data Loss Prevention (DLP)
  • Insider Risk & Communication Compliance
  • DSPM for AI & Data Lifecycle
  • How Copilot Accesses Your Data
  • Responsible AI Principles
  • Compliance Manager & eDiscovery
  • Activity Explorer & Data Monitoring
  • Oversharing in SharePoint

Domain 3: Copilot & Agent Admin

  • What is Microsoft 365 Copilot?
  • What Are Agents?
  • Copilot vs Agents: When to Use Which
  • Copilot Licensing: Monthly vs Pay-as-You-Go
  • Researcher, Analyst & Real-World Use Cases
  • Managing Copilot: Billing, Monitoring & Prompts
  • Building Agents: Create, Test & Publish
  • Agent Lifecycle: Access, Approval & Monitoring

Domain 1: M365 Core Features & Objects Premium ⏱ ~14 min read

Microsoft Entra: Your Identity Hub

Microsoft Entra ID is the identity backbone of Microsoft 365. Conditional access, SSO, app registrations, and troubleshooting sign-in issues — it all lives here.

What is Microsoft Entra?

☕ Simple explanation

Microsoft Entra ID is the bouncer, the receptionist, and the security camera — all in one.

When you sign in to M365, Entra ID checks your identity (bouncer). It decides what you can access (receptionist). And it logs everything you do (security camera).

It also connects to other apps outside Microsoft. If your company uses Salesforce or ServiceNow, Entra ID can let you sign in to those with the same credentials — that’s Single Sign-On (SSO). One login, many apps.

Microsoft Entra ID (formerly Azure Active Directory) is Microsoft’s cloud-based identity and access management service. It handles authentication, authorisation, conditional access, SSO, app integration, and identity governance for M365 and thousands of third-party applications.

It’s the foundation that every other M365 service relies on — without Entra ID, nothing works. The admin interface is at entra.microsoft.com.

Conditional Access — smart security gates

Conditional Access (CA) policies are if/then rules that control access based on conditions:

IF (conditions) THEN (controls)

| Condition (IF) | What It Checks |
|---|---|
| User or group | Who is signing in |
| Cloud app | What they’re trying to access |
| Location | Where they’re signing in from |
| Device platform | Windows, iOS, Android, Mac |
| Device compliance | Is the device Intune-managed and healthy? |
| Sign-in risk | Is this sign-in behaviour unusual? |
| User risk | Has this user been flagged for compromise? |

| Control (THEN) | What Happens |
|---|---|
| Allow | Let them in |
| Block | Deny access |
| Require MFA | Allow after MFA verification |
| Require compliant device | Allow only from managed devices |
| Require app protection | Allow only in protected apps |

💡 Scenario: Clearfield Council's CA policies

Director Chen creates three conditional access policies:

  1. “Require MFA for all users” — IF: any user → THEN: require MFA
  2. “Block access from untrusted countries” — IF: sign-in from outside NZ/AU → THEN: block
  3. “Require compliant device for sensitive apps” — IF: accessing SharePoint or Exchange AND device is not Intune-compliant → THEN: block

These policies layer on top of each other. A councillor signing in from New Zealand on a managed device with MFA → all three policies pass → access granted.

Same councillor on a personal phone from overseas → blocked by policy 2 AND policy 3.

Single Sign-On (SSO)

SSO = one sign-in, access to many apps. Users sign in once to Entra ID, then access M365, Salesforce, ServiceNow, and thousands of other apps without re-entering credentials.

Benefits the exam tests:

  • 🔒 More secure — fewer passwords to manage, less password fatigue
  • ⚡ Better UX — users don’t get frustrated re-authenticating
  • 🔑 Centralised control — disable one account, access to ALL apps is revoked
  • 📊 Audit trail — all app access flows through Entra, creating a single log

App registrations vs Enterprise apps

| Concept | What It Is | Who Creates It |
|---|---|---|
| App registration | An identity record for an application in your tenant | Developers (when building custom apps) |
| Enterprise app | A service principal — the app’s presence in YOUR tenant | Created when you consent to a third-party app or register your own |

ℹ️ App registrations — why admins care

When a developer builds a custom app that connects to M365 (e.g., a dashboard that reads SharePoint data), they create an app registration in Entra ID. This registration defines:

  • What the app is called
  • What permissions it needs (read email, access files, etc.)
  • What authentication method it uses

As an admin, you review these registrations because they determine what data apps can access. An app with “read all users’ email” permission is a significant security concern.

Exam tip: Know that app registrations control what third-party and custom apps can do in your tenant. Admins should review permissions and require admin consent for sensitive permissions.

Troubleshooting sign-in issues

The exam tests common troubleshooting scenarios:

| Issue | Where to Check | Common Fix |
|---|---|---|
| MFA not working | Entra → Users → Authentication methods | Re-register MFA method, check Authenticator setup |
| Conditional access blocking | Entra → Sign-in logs → CA tab | Use “What If” tool to simulate the policy evaluation |
| Risky sign-in flagged | Entra → Identity Protection → Risky sign-ins | Review and confirm/dismiss the risk |
| App consent issues | Entra → Enterprise apps → Permissions | Review and grant admin consent if appropriate |

Key tool: The “What If” tool in Entra lets you simulate a sign-in and see which CA policies would apply. This is the #1 troubleshooting tool for access issues — the exam tests it.
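
The Clearfield Council scenario and the “What If” idea can be modelled together as a small evaluator that reports which policies apply to a sign-in and which ones deny it. This is an added example, not Entra's evaluation engine or code from this guide; the `SignIn` fields, the `what_if` function and the sample sign-ins are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:            # hypothetical model of one sign-in attempt
    user: str
    country: str         # two-letter country code of the sign-in location
    app: str             # cloud app being accessed
    device_compliant: bool
    mfa_done: bool

TRUSTED_COUNTRIES = {"NZ", "AU"}
SENSITIVE_APPS = {"SharePoint", "Exchange"}

# (policy name, IF condition, THEN control) for Clearfield's three policies
POLICIES = [
    ("Require MFA for all users",
     lambda s: True, "require_mfa"),
    ("Block access from untrusted countries",
     lambda s: s.country not in TRUSTED_COUNTRIES, "block"),
    ("Require compliant device for sensitive apps",
     lambda s: s.app in SENSITIVE_APPS and not s.device_compliant, "block"),
]

def what_if(signin):
    """Return (decision, policies that apply, policies that deny access)."""
    applied, denying, mfa_pending = [], [], False
    for name, condition, control in POLICIES:
        if not condition(signin):
            continue                      # policy not in scope for this sign-in
        applied.append(name)
        if control == "block":
            denying.append(name)
        elif control == "require_mfa" and not signin.mfa_done:
            mfa_pending = True
    if denying:                           # any block control wins over grants
        return "blocked", applied, denying
    if mfa_pending:
        return "mfa_required", applied, denying
    return "granted", applied, denying

# Constructed sample sign-ins mirroring the scenario
MANAGED_NZ = SignIn("councillor", "NZ", "Exchange", True, True)
PERSONAL_ABROAD = SignIn("councillor", "GB", "Exchange", False, True)

if __name__ == "__main__":
    for s in (MANAGED_NZ, PERSONAL_ABROAD):
        print(s.country, s.device_compliant, what_if(s))
```

The second sign-in is denied by two policies at once, which is why the list of denying policies matters when troubleshooting: fixing only the location would still leave the device policy blocking access.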

Flashcards

Question: What is a Conditional Access policy?

Answer: An if/then rule: IF certain conditions are met (user, location, device, risk level) → THEN apply specific controls (allow, block, require MFA, require compliant device). Managed in the Microsoft Entra admin center.

Question: What is Single Sign-On (SSO) and why is it important?

Answer: SSO lets users sign in once (to Entra ID) and access many apps without re-authenticating. Benefits: more secure (fewer passwords), better UX, centralised access control, single audit trail.

Question: What's the 'What If' tool in Entra used for?

Answer: It simulates a sign-in to show which Conditional Access policies would apply. Used for troubleshooting access issues — 'Why can't this user sign in?' → What If shows exactly which policy is blocking them.

Knowledge Check

A Northwave employee reports they can't access Outlook from their personal phone, but it works fine from their work laptop. Maya suspects a Conditional Access policy is the cause. What should she use to confirm?

Brew & Byte wants all employees to sign in once and automatically access M365, Salesforce, and their project management tool without re-entering credentials. What should Kai set up?


Next up: PIM, Audit Logs & Identity Governance — privileged access management, tracking who did what, and maintaining your Identity Secure Score.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.