Authentication and External Identities
SSO, MFA, passwordless, B2B, B2C, and Conditional Access: Microsoft Entra ID, the identity service behind Azure, offers several ways to verify identity and control access. Here's how they work together.
How does Azure verify who you are?
Think of the layers of security at an airport.
Password (single factor) = showing your boarding pass. Anyone who has your pass could board your flight.
MFA (multi-factor) = showing your boarding pass AND your passport. Even if someone steals your pass, they can’t get through without your passport.
Passwordless = biometric scanning. No pass needed — your fingerprint or face IS your identity. Faster AND more secure.
SSO (Single Sign-On) = one security check at the entrance gets you into all the airport shops, lounges, and gates. You don’t show your ID at every door.
Conditional Access = the security rules change based on context. If you’re a known frequent flyer, you get fast-tracked. If you’re flagged as suspicious, you get extra screening.
Authentication methods
Single sign-on (SSO)
SSO lets users sign in once and access multiple applications:
| Without SSO | With SSO |
|---|---|
| Sign in to Azure portal (password) | Sign in once to Entra ID |
| Sign in to Microsoft 365 (another password) | ✅ Azure portal — no additional sign-in |
| Sign in to Salesforce (yet another password) | ✅ Microsoft 365 — no additional sign-in |
| Sign in to ServiceNow (different password) | ✅ Salesforce — no additional sign-in |
| 4 passwords to remember | ✅ ServiceNow — no additional sign-in |
Benefits: Fewer passwords to remember, fewer help desk calls for password resets, better security (users don’t write passwords on sticky notes).
Multi-factor authentication (MFA)
MFA requires two or more verification factors from different categories:
| Factor Type | Category | Examples |
|---|---|---|
| Something you know | Knowledge | Password, PIN |
| Something you have | Possession | Phone, security key, authenticator app |
| Something you are | Inherence | Fingerprint, face recognition |
Why MFA matters: Microsoft reports that MFA blocks over 99.9% of automated account-compromise attacks. Even if a password is stolen, the attacker still needs the second factor. The second factor is not unbreakable, though: a push approval can be phished in real time or approved by a worn-down user after repeated prompts (MFA fatigue), which is why Microsoft Authenticator now requires number matching and why phishing-resistant methods are preferred for privileged accounts.
Peak Roasters requires MFA for all 15 staff. When logging in, employees enter their password (knowledge) and approve a push notification on their phone (possession).
Passwordless authentication
Passwordless removes the password as a factor altogether, so there is no password to steal, phish, or guess. Windows Hello for Business and FIDO2 security keys are also phishing-resistant, because the credential is a cryptographic key pair bound to the site it was registered with:
| Method | How It Works |
|---|---|
| Windows Hello for Business | Face recognition or fingerprint on your device |
| Microsoft Authenticator | Enter your username, then match the number shown on screen in the app and unlock it with your phone's biometrics or PIN |
| FIDO2 security keys | Physical USB/NFC key you tap to authenticate |
Why passwordless is more secure than passwords + MFA
Passwords are the weakest link in authentication:
- They can be guessed, stolen, phished, or brute-forced
- Users reuse passwords across sites
- Even with MFA, the password is still a target
Passwordless eliminates the password entirely. With Windows Hello for Business, the biometric template stays on the device and is only used locally to unlock a private key protected by the TPM; Entra ID holds just the matching public key. A sign-in is a signed challenge, so there is no shared secret on the server for an attacker to steal or replay.
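The following is an added example, not code from Microsoft or from this page, showing the key-based sign-in just described. Go's standard-library Ed25519 stands in for the TPM-backed key, and a hash of the site origin plus a server nonce stands in for the WebAuthn client data; the real Windows Hello and FIDO2 protocols use their own key types and message formats, so treat this as a simplified model. The site name, the user `dr.lee`, and the look-alike domain are made up for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device stands in for the TPM or security key: the private key is created here,
// is unlocked locally by a biometric or PIN, and never leaves the device.
type Device struct {
	priv ed25519.PrivateKey
}

// Server stands in for Entra ID. It stores only public keys, so a copy of this
// map gives an attacker nothing that can produce a valid sign-in.
type Server struct {
	rpID  string // site the credential is registered for (hypothetical name)
	users map[string]ed25519.PublicKey
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, users: map[string]ed25519.PublicKey{}}
}

// Register creates the key pair on the device and enrols the public half with the server.
func (s *Server) Register(user string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.users[user] = pub
	return &Device{priv: priv}, nil
}

// Nonce is the fresh, unpredictable challenge issued for each sign-in attempt.
func (s *Server) Nonce() ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return n, nil
}

// signedData binds the signature to the challenge AND the origin the client was
// talking to, which is what makes the credential useless on a look-alike site.
func signedData(origin string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write(nonce)
	return h.Sum(nil)
}

// Sign runs after the user unlocks the device; origin is the site the browser is really connected to.
func (d *Device) Sign(origin string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, signedData(origin, nonce))
}

// Verify checks the signature against the stored public key using the server's own rpID.
func (s *Server) Verify(user string, nonce, sig []byte) error {
	pub, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, signedData(s.rpID, nonce), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Results of three constructed scenarios.
type Results struct {
	LegitOK      bool // genuine device, genuine site
	PhishRelayOK bool // user unlocked on a look-alike site; attacker relays the signature
	ReplayOK     bool // attacker re-sends an old signature against a new challenge
}

func RunScenarios() (Results, error) {
	var r Results
	srv := NewServer("login.harbourhealth.example")
	dev, err := srv.Register("dr.lee")
	if err != nil {
		return r, err
	}
	// 1. Genuine sign-in: challenge from the real site, signed over the real origin.
	n1, err := srv.Nonce()
	if err != nil {
		return r, err
	}
	sig1 := dev.Sign(srv.rpID, n1)
	r.LegitOK = srv.Verify("dr.lee", n1, sig1) == nil
	// 2. Phishing relay: the device signs over the look-alike origin, so the real server rejects it.
	n2, err := srv.Nonce()
	if err != nil {
		return r, err
	}
	r.PhishRelayOK = srv.Verify("dr.lee", n2, dev.Sign("login.harbourhea1th.example", n2)) == nil
	// 3. Replay: sig1 captured earlier is worthless against a fresh nonce.
	n3, err := srv.Nonce()
	if err != nil {
		return r, err
	}
	r.ReplayOK = srv.Verify("dr.lee", n3, sig1) == nil
	return r, nil
}

func main() {
	r, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v  phishing relay: %v  replay: %v\n", r.LegitOK, r.PhishRelayOK, r.ReplayOK)
}
```

The point of the two failing scenarios is the contrast with a password: a password typed into the look-alike site works unchanged on the real one, whereas the signature here is only valid for the origin and nonce it was produced for, and the server database holds nothing that can be used to forge one.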
External identities
Entra ID supports identities beyond your own organisation (Azure AD B2C is now marketed as Microsoft Entra External ID, but the exam still uses the B2B and B2C names):
| Feature | B2B (Business-to-Business) | B2C (Business-to-Consumer) |
|---|---|---|
| Who | Partners, contractors, vendors | Customers, public users |
| They use | Their OWN identity (work email, Google, etc.) | Social accounts (Google, Facebook) or local accounts |
| Access to | Your organisation's apps and resources | Your customer-facing applications |
| Managed in | Your Entra ID tenant (as guest users) | A separate B2C tenant |
| Example | Contractor accesses SharePoint with their Gmail | Customer signs into your app with their Google account |
Harbour Health's B2B scenario: External specialists need access to patient case files. Rather than creating new accounts, Harbour Health invites them as B2B guest users; the specialists sign in with their own hospital's credentials, provided that hospital uses Entra ID or a federated identity provider (otherwise Entra ID falls back to a one-time passcode sent to the invited email address). Guests still only get the permissions Harbour Health assigns, and Conditional Access policies can be scoped to guest users.
Conditional Access
Conditional Access policies are if-then rules that evaluate signals and enforce decisions:
Signal (IF) → Decision (THEN)
| Signal | Example |
|---|---|
| User or group | "All managers" or "Marketing team" |
| Location | "Outside the office network" |
| Device | "Unmanaged personal device" |
| Application | "Azure portal" or "HR system" |
| Risk level | "High risk sign-in detected" |

| Decision | Action |
|---|---|
| Allow | Grant access (possibly with conditions) |
| Block | Deny access completely |
| Require MFA | Allow access only after MFA verification |
| Require compliant device | Allow only from Intune-managed devices |
Harbour Health’s Conditional Access policies
| Policy | Signal | Decision |
|---|---|---|
| Policy 1 | Doctors accessing patient records from outside the hospital | Require MFA + compliant device |
| Policy 2 | Any user with high-risk sign-in (the risk signal needs Entra ID P2) | Block access; alerting the security team is done outside Conditional Access, e.g. by Identity Protection or a SIEM |
| Policy 3 | IT admins accessing Azure portal | Require MFA always, even from trusted locations |
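To make the if-then evaluation concrete, here is an added example (not Microsoft's engine or code from this page) that encodes the three Harbour Health policies and runs constructed sign-ins through them. It models two rules Entra ID actually applies when several policies match: a Block in any matching policy wins, and otherwise the grant controls of every matching policy are combined and must all be satisfied. The sign-in fields, user names, group names and app names are simplified and made up.

```go
package main

import (
	"fmt"
	"sort"
)

// SignIn is a simplified set of the signals Entra ID sees for one sign-in attempt.
type SignIn struct {
	User            string
	Group           string // one group membership, e.g. "Doctors"
	App             string
	TrustedLocation bool   // inside a named/trusted location such as the hospital network
	CompliantDevice bool   // device is Intune-managed and compliant
	MFACompleted    bool   // user has already satisfied MFA in this session
	RiskLevel       string // "", "low", "medium" or "high" (sign-in risk needs Entra ID P2)
}

// Policy is one if-then rule: Applies is the signal (IF), Block/Require the decision (THEN).
type Policy struct {
	Name    string
	Applies func(SignIn) bool
	Block   bool
	Require []string // grant controls that must ALL be met, e.g. "mfa", "compliantDevice"
}

// Outcome is the combined result over every matching policy.
type Outcome struct {
	Matched  []string
	Blocked  bool
	Required []string // union of required controls, sorted
	Granted  bool     // true only if not blocked and every required control is met
}

func controlMet(control string, s SignIn) bool {
	switch control {
	case "mfa":
		return s.MFACompleted
	case "compliantDevice":
		return s.CompliantDevice
	}
	return false // unknown control: fail closed
}

func Evaluate(policies []Policy, s SignIn) Outcome {
	var o Outcome
	seen := map[string]bool{}
	for _, p := range policies {
		if !p.Applies(s) {
			continue
		}
		o.Matched = append(o.Matched, p.Name)
		o.Blocked = o.Blocked || p.Block
		for _, c := range p.Require {
			if !seen[c] {
				seen[c] = true
				o.Required = append(o.Required, c)
			}
		}
	}
	sort.Strings(o.Required)
	if o.Blocked {
		return o // block always wins, even if every control was satisfied
	}
	o.Granted = true
	for _, c := range o.Required {
		if !controlMet(c, s) {
			o.Granted = false
		}
	}
	return o
}

// HarbourHealthPolicies encodes the three policies from the table above.
func HarbourHealthPolicies() []Policy {
	return []Policy{
		{Name: "Policy 1: doctors, patient records, off-site",
			Applies: func(s SignIn) bool {
				return s.Group == "Doctors" && s.App == "Patient records" && !s.TrustedLocation
			},
			Require: []string{"mfa", "compliantDevice"}},
		{Name: "Policy 2: high-risk sign-in",
			Applies: func(s SignIn) bool { return s.RiskLevel == "high" },
			Block:   true},
		{Name: "Policy 3: IT admins, Azure portal",
			Applies: func(s SignIn) bool { return s.Group == "IT admins" && s.App == "Azure portal" },
			Require: []string{"mfa"}},
	}
}

func main() {
	// Constructed sign-ins, not real sign-in log data.
	cases := []SignIn{
		{User: "dr.lee", Group: "Doctors", App: "Patient records", CompliantDevice: true, MFACompleted: true},
		{User: "dr.lee", Group: "Doctors", App: "Patient records", MFACompleted: true}, // personal device
		{User: "dr.lee", Group: "Doctors", App: "Patient records", TrustedLocation: true},
		{User: "admin1", Group: "IT admins", App: "Azure portal", TrustedLocation: true},
		{User: "dr.lee", Group: "Doctors", App: "Patient records", CompliantDevice: true, MFACompleted: true, RiskLevel: "high"},
	}
	for _, c := range cases {
		o := Evaluate(HarbourHealthPolicies(), c)
		fmt.Printf("%-7s %-15s blocked=%-5v required=%v granted=%v\n", c.User, c.App, o.Blocked, o.Required, o.Granted)
	}
}
```

Two behaviours in the output are worth noticing. The on-site doctor matches no policy at all and is granted: Conditional Access is allow-by-default, so anything you do not write a policy for is not controlled. And the high-risk sign-in is blocked even though MFA and a compliant device were present, because Block takes precedence over any grant control. In a real tenant, create new policies in report-only mode first and exclude an emergency-access (break-glass) account so a mistaken policy cannot lock everyone out.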
Exam tip: Conditional Access requires Entra ID P1
Conditional Access is a premium feature: it requires Microsoft Entra ID P1 or P2 licensing, and policies that use the sign-in risk or user risk signal additionally need P2 (Identity Protection). The free tier of Entra ID includes basic authentication, per-user MFA and security defaults (which can require MFA for everyone) but NOT Conditional Access policies.
If an exam question asks how to enforce location-based or device-based access rules, the answer is Conditional Access (not just MFA alone).
🎬 Video walkthrough
🎬 Video coming soon
Knowledge Check
Harbour Health wants to ensure that doctors accessing patient records from personal devices must complete MFA AND use a compliant device. Which Entra ID feature should they configure?
Peak Roasters wants external contractors to access their SharePoint site using the contractors' own email credentials. Which Entra ID feature enables this?
Next up: Azure Security — RBAC, Zero Trust, defence-in-depth, and Microsoft Defender for Cloud.