Guided by A Guide to Cloud
SC-900 Study Guide

Domain 1: Security, Compliance & Identity Concepts

  • Security Foundations: Shared Responsibility & Defence-in-Depth Free
  • Zero Trust: Never Trust, Always Verify Free
  • Encryption, Hashing & GRC Free
  • Identity: The New Security Perimeter Free

Domain 2: Microsoft Entra Capabilities

  • Microsoft Entra ID: Your Identity Hub Free
  • Hybrid & External Identities
  • Authentication: Passwords, MFA & Passwordless
  • Password Protection & Self-Service Reset
  • Conditional Access: Smart Access Decisions
  • Entra Roles and RBAC
  • Identity Governance: Entitlements and Access Reviews
  • PIM and Identity Protection

Domain 3: Microsoft Security Solutions

  • Azure Network Defence: DDoS, Firewall & WAF
  • Azure Infrastructure Security: VNets, NSGs, Bastion & Key Vault
  • Microsoft Defender for Cloud
  • Microsoft Sentinel: SIEM Meets SOAR
  • Defender XDR: The Unified Threat Platform
  • Microsoft Defender for Office 365
  • Microsoft Defender for Endpoint
  • Defender for Cloud Apps & Defender for Identity
  • Vulnerability Management & Threat Intelligence

Domain 4: Microsoft Compliance Solutions

  • Service Trust Portal, Privacy Principles & Microsoft Priva
  • The Purview Portal & Compliance Manager
  • Data Classification & Sensitivity Labels
  • Data Loss Prevention (DLP)
  • Records Management & Retention
  • Insider Risk Management
  • eDiscovery & Audit

Domain 1: Security, Compliance & Identity Concepts Free ⏱ ~12 min read

Identity: The New Security Perimeter

Firewalls used to be the front door. Now identity is. Authentication, authorisation, identity providers, directory services, and federation — the foundation of modern security.

Why is identity the new perimeter?

☕ Simple explanation

The office wall used to be the security boundary. Now your login is.

In the old days, your company network was like a walled garden. The firewall was the gate. If you were physically in the office and connected to the network, you were “inside” and trusted.

But now people work from home, from coffee shops, from airports. Data lives in the cloud, not on a server in the basement. There’s no “inside” anymore.

So the new security boundary is identity — who you are, how you prove it, and what you’re allowed to do. Your login credentials are now the front door.

With the shift to cloud computing and remote work, the traditional network perimeter (firewalls, VPNs, physical boundaries) is no longer sufficient as the primary security boundary. Users access resources from anywhere, on any device, connecting to services hosted across multiple cloud providers.

Identity has become the primary security perimeter because it is the common factor across all access scenarios. Every access request — regardless of location, device, or network — starts with identity verification. This is why Zero Trust puts identity at the centre of all access decisions.

Authentication vs authorisation

These two concepts appear on almost every SC-900 exam:

Authentication proves your identity; authorisation defines your permissions

| Feature | Authentication (AuthN) | Authorisation (AuthZ) |
|---|---|---|
| Question it answers | Who are you? | What are you allowed to do? |
| When it happens | First — before access is granted | Second — after identity is confirmed |
| What it checks | Credentials (password, MFA, biometrics) | Permissions (roles, group memberships, policies) |
| Analogy | Showing your ID at the hotel front desk | Your room key only opens YOUR room, not every room |
| Example | Signing in with password + Authenticator app | Having 'read-only' access to the finance folder |

Key exam concept: Authentication always comes before authorisation. You must prove who you are before the system decides what you can access.

💡 Scenario: Raj explains it to new intern Mia

Mia just joined Lakewood University’s IT helpdesk. Raj explains how the login process works:

  1. Authentication: Mia enters her username and password, then approves the MFA prompt on her phone. The system now knows she is Mia — not someone pretending to be her.
  2. Authorisation: The system checks Mia’s group memberships and role. As a helpdesk intern, she can reset passwords and view basic user info — but she cannot delete user accounts or access financial data.

“Think of it this way,” Raj says. “Authentication is the bouncer checking your ID. Authorisation is the VIP list deciding which areas you can enter.”

Identity providers (IdPs)

An identity provider is a service that creates, stores, and manages digital identities. It handles the authentication process so that applications don’t have to.

| Concept | What It Means |
|---|---|
| Identity provider (IdP) | The trusted service that verifies identities (e.g., Microsoft Entra ID, Google Identity) |
| Service provider (SP) | The application or resource the user wants to access (e.g., SharePoint, Salesforce) |
| Token | A digital ticket issued by the IdP after successful authentication — the SP trusts this token |
| Single sign-on (SSO) | Sign in once with the IdP, access many SPs without re-entering credentials |

How it works:

  1. User tries to access an app (service provider)
  2. App redirects user to the identity provider
  3. IdP authenticates the user (password + MFA)
  4. IdP issues a token confirming identity
  5. User presents the token to the app
  6. App grants access based on the token

Key exam concept: Microsoft Entra ID is Microsoft’s cloud-based identity provider. It issues tokens that applications trust. This is the foundation of SSO in Microsoft 365.

Directory services and Active Directory

A directory service is a database that stores information about users, groups, devices, and other objects in a network. Think of it as a phone book for your organisation.

On-premises AD vs cloud-based Entra ID

| Feature | Active Directory Domain Services (AD DS) | Microsoft Entra ID (Cloud) |
|---|---|---|
| Where it runs | On-premises servers | Microsoft's cloud |
| What it manages | Users, computers, group policies on local network | Users, groups, apps, devices across cloud and on-prem |
| Authentication | Kerberos, NTLM | OAuth 2.0, SAML, OpenID Connect |
| Device management | Group Policy (GPO) | Intune, Conditional Access |
| Access scope | Corporate network | Anywhere with internet |
| Multi-factor auth | Requires additional infrastructure | Built-in, cloud-native |

💡 Why both exist

Many organisations started with on-premises Active Directory years ago. They can’t just switch it off — thousands of apps and services depend on it.

Microsoft Entra ID was built for the cloud era. It handles modern authentication protocols and works from anywhere.

Hybrid identity (which you’ll learn about in the Entra domain) connects both — letting organisations use their existing AD investments while extending to the cloud.

Federation

Federation is a trust relationship between two separate identity providers that allows users from one organisation to access resources in another — without creating a separate account.

Simple analogy: Your EU driving licence lets you drive in New Zealand. The NZ authorities don’t issue you a new licence — they trust the EU authority that issued yours. That’s federation.

How federation works

  1. Organisation A trusts Organisation B’s identity provider
  2. A user from Organisation B tries to access a resource in Organisation A
  3. Organisation A redirects the user to Organisation B’s IdP for authentication
  4. Organisation B’s IdP verifies the user and issues a token
  5. Organisation A accepts the token and grants access

Key exam concept: Federation is about trust between organisations. The user authenticates with THEIR OWN identity provider — not the resource’s provider. This enables cross-organisation collaboration without duplicate accounts.

💡 Scenario: Lakewood University uses federation

Lakewood University wants to share a research portal with partner universities.

  • Without federation: Every researcher from every partner university needs a new Lakewood account. That’s thousands of accounts to create, manage, and eventually delete.
  • With federation: Lakewood trusts each partner university’s identity provider. Researchers sign in with their own university credentials. Lakewood never sees their passwords.

Raj sets up the federation trust once per partner. From then on, researchers can access the portal using their existing credentials.
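
The identity provider "How it works" steps and the federation steps above, sketched as an added example (not code from this guide or from Microsoft): the app keeps a list of trusted IdPs, verifies a token before it looks at permissions, and rejects tokens from issuers it has no trust with. The issuer names, keys, user names and permissions are constructed, and HMAC with a per-issuer key stands in for the asymmetric signatures real IdPs use.

```python
import base64, hashlib, hmac, json, time

# Constructed trust store held by the app (service provider): one entry per
# IdP it trusts. HMAC keys stand in for the public keys real IdPs publish.
TRUSTED_IDPS = {
    "idp.lakewood.example": {"key": b"lakewood-demo-key", "perms": set()},
    "idp.partner.example": {"key": b"partner-demo-key", "perms": {"read_portal"}},
}
# Authorisation data lives with the resource owner, keyed by (issuer, user).
USER_PERMS = {("idp.lakewood.example", "mia"): {"reset_password", "view_user"}}

def b64(data):
    return base64.urlsafe_b64encode(data).decode()

def sign(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).digest()

def issue_token(issuer, key, subject, ttl=300, now=None):
    """IdP side: called only after the user passed password + MFA."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "exp": now + ttl}
    body = b64(json.dumps(claims).encode())
    return body + "." + b64(sign(key, body))

def authenticate(token, now=None):
    """App side: return the claims only if a trusted IdP signed them."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(body))
        key = TRUSTED_IDPS[claims["iss"]]["key"]   # KeyError: no trust set up
        if not hmac.compare_digest(sign(key, body), base64.urlsafe_b64decode(sig)):
            return None                            # forged or altered token
        return claims if claims["exp"] > now else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def authorise(token, action, now=None):
    """AuthN first; permissions are looked up only for a verified identity."""
    claims = authenticate(token, now)
    if claims is None:
        return "401 unauthenticated"
    who = (claims["iss"], claims.get("sub"))
    allowed = USER_PERMS.get(who, TRUSTED_IDPS[claims["iss"]]["perms"])
    return "200 ok" if action in allowed else "403 forbidden"
```

The app never handles a password: it sees only the signed token, which is why Lakewood can admit partner researchers without holding their credentials.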

Flashcards

Question: Why is identity called the 'new security perimeter'?
Answer: Because with cloud computing and remote work, there's no longer a fixed network boundary to protect. Every access request starts with identity — making it the common security checkpoint regardless of location, device, or network.

Question: What is the difference between authentication and authorisation?
Answer: Authentication (AuthN) = 'Who are you?' — verifying identity with credentials. Authorisation (AuthZ) = 'What can you do?' — determining permissions based on roles and policies. Authentication always happens first.

Question: What is an identity provider (IdP)?
Answer: A trusted service that creates, stores, and manages digital identities. It authenticates users and issues tokens that applications trust. Example: Microsoft Entra ID. SSO works because the IdP handles authentication for multiple applications.

Question: What is federation?
Answer: A trust relationship between two identity providers that lets users from one organisation access resources in another — without creating duplicate accounts. Users authenticate with their OWN IdP. Like a driving licence accepted in another country.

Question: What is the difference between Active Directory Domain Services and Microsoft Entra ID?
Answer: AD DS: on-premises, uses Kerberos/NTLM, manages local network. Entra ID: cloud-based, uses OAuth/SAML/OIDC, works from anywhere. Many orgs use both (hybrid identity).

Knowledge Check

  1. Raj needs to verify whether a user trying to access the university portal is actually who they claim to be. Which process should Raj rely on?
  2. Lakewood University sets up a trust relationship with a partner university so their researchers can access Lakewood's portal using their own credentials. What is this called?
  3. Which statement correctly describes the relationship between authentication and authorisation?

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.