Category: SC-300 IAM

1.1 – Explain the identity landscape 🌍

Before diving into Microsoft Entra ID features, it’s important to understand how Microsoft views identity in modern security.

The Identity Lifecycle Model

Identity in Microsoft is built around five pillars:

1️⃣ Zero Trust – Verify Explicitly | Use Least Privilege | Assume Breach
2️⃣ Identity Sources – B2B, B2C, Verifiable Credentials
3️⃣ Actions – Authenticate (AuthN), Authorize (AuthZ), Administer, Audit
4️⃣ Usage – Access apps & data, security, licensing
5️⃣ Maintain – Protect → Detect → Respond

👉 The key message:

Never grant access just because it was granted yesterday – always confirm again.

Classic Identity vs Zero Trust 🆚

Classic Model ❌ | Zero Trust Model ✅
Everything inside network is trusted | Nothing is trusted by default
One password = full access | Continuous verification
Firewall focused | Identity & policy focused

In today’s world a single stolen credential can compromise an entire environment. Zero Trust protects assets wherever they live by enforcing one central policy.


1.2 – Explore Zero Trust with identity 🛡️

Organizations now work in hybrid and multicloud environments. Users connect from home, mobile, and unmanaged devices. Zero Trust assumes:

“Never trust, always verify.”

Three Core Principles

  • ✅ Verify Explicitly – identity, device, location, risk
  • 🔒 Use Least Privilege – JIT & JEA access
  • 💥 Assume Breach – limit blast radius

Six Pillars of Zero Trust

🧑 Identity • 📱 Endpoints • 📂 Data • 🧩 Apps • 🗝️ Infrastructure • 🌐 Network

Identity is the control plane that decides access to all others.

Modern Architecture

  • Policy engine makes dynamic decisions
  • Signals like device health & sign-in risk
  • SIEM + XDR for detection and response
  • End-to-end protection

🎯 Goal: Only the right people get the right access at the right time.


1.3 – Discuss identity as a control plane 🎛️

A control plane decides how access flows, just like a traffic controller.

In modern IT:

👤 Identity is the common denominator.

Every user, device, app, and service has an identity.
If we don’t know who the user is → no other security matters.

Once verified, access can be enforced across:

  • On-prem systems
  • Cloud apps
  • SaaS like Microsoft 365

1.4 – Explore why we have identity 🤔

Identity enables four major capabilities:

  • 🔐 Authentication – prove who you are
  • 🚦 Authorization – what you can do
  • 📋 Auditing – track activity
  • ⚙️ Administration – manage lifecycle

What is an Identity Provider (IdP)?

An IdP is a trusted system that:

  • Stores user identities
  • Performs authentication
  • Protects against attacks
  • Enables Single Sign-On (SSO)

👉 Example: Microsoft Entra ID

Common Protocols

  • OpenID Connect (OIDC)
  • SAML
  • OAuth 2.0

1.5 – Define identity administration 🛠️

Identity administration manages accounts from birth to retirement.

Real-World Risk Story 🚨

Juan leaves the company → account not removed →
password reused → phishing → breach using a “valid” account!

Core Administration Tasks

  • Provision / Deprovision
  • Synchronization
  • Password management
  • Group management
  • Entitlements
  • Change control

Automation Options 🤖

  • Azure CLI
  • PowerShell
  • Microsoft Graph API

👉 Microsoft Graph = single endpoint to manage identities programmatically.


1.6 – Contrast decentralized identity with central identity systems 🔄

Centralized Identity 🏢

  • One authority manages identities
  • Credentials stored centrally
  • Example: Microsoft Entra ID

Benefits:

  • Adaptive access
  • Unified management
  • Governance & visibility

Decentralized Identity 🆔

  • User owns identity
  • Based on DIDs & blockchain
  • Data stored “off-chain” encrypted
  • Greater privacy & control

1.7 – Discuss identity management solutions 🧩

IAM controls:

  • Who can sign in
  • What they can access
  • Lifecycle & governance

Key Microsoft Entra Terms

  • Identity – object that authenticates
  • User – personal identity
  • Group – container for permissions
  • Tenant – dedicated Entra instance
  • Administrative Unit – scoping boundary for delegated administration

1.8 – Explain Microsoft Entra Business to Business 🤝

Microsoft Entra External Identities

Allows collaboration with partners using their own accounts.

B2B Collaboration

  • Guests appear in your directory
  • Use their own credentials

B2B Direct Connect

  • Teams shared channels
  • No guest object required

Microsoft Entra B2C 👥

  • For customer-facing apps
  • Social & local accounts
  • CIAM platform at massive scale

1.9 – Compare Microsoft identity providers 🆚

Service | Purpose
Microsoft Entra ID | Cloud identity for SaaS
AD DS | On-prem directory
Entra Domain Services | Managed AD in Azure

👉 Entra ID can sync with AD DS for hybrid identity.


1.10 – Define identity licensing 💳

Important licenses:

  • Entra ID P1/P2 – advanced security
  • P2 required for PIM
  • Microsoft 365 licenses
  • MAU billing for external users

Subscription vs License

  • Subscription = agreement
  • License = per-user right to use

1.11 – Explore authentication 🔑

Authentication validates identity with:

  • Standards compliance
  • Multiple sources
  • Strong assurance

Federation

Use on-prem AD as trusted source.

Protocols

  • SAML
  • WS-Fed
  • OIDC

Tokens 🎟️

  • Access Token
  • Refresh Token
  • ID Token (JWT)

Claims = key/value info about user.
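Added example (not from these notes): what the claims in an ID token look like and which of them an app must check before trusting the user they describe. The tenant id, client id and HMAC secret are constructed so the token can be built and verified offline; Entra ID tokens are RS256-signed and checked against the tenant's published keys instead.

```python
import base64
import hashlib
import hmac
import json

# Constructed values: a tenant id, the app's client id (the expected "aud") and an
# HMAC secret so the token can be built and checked offline. Real Entra ID tokens
# are RS256-signed and verified against the tenant's published keys instead.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
SECRET = b"constructed-demo-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a constructed HS256 JWT: header.payload.signature, each base64url-encoded."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(token: str, now: int, secret: bytes = SECRET,
                      issuer: str = ISSUER, audience: str = CLIENT_ID) -> dict:
    """Check the signature, then the claims an app must verify before trusting who
    the token says the user is: issuer (which tenant), audience (which app), lifetime."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:
        raise ValueError("token issued for a different app")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token expired or not yet valid")
    return claims  # e.g. claims["oid"] is the user's stable object id, claims["tid"] the tenant


SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "tid": TENANT_ID, "oid": "user-object-id",
                 "preferred_username": "alice@contoso.example", "nbf": 1_700_000_000,
                 "exp": 1_700_003_600}
```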


1.12 – Discuss authorization 🚦

Authorization = what you can do.

Models

  • ACL
  • RBAC
  • ABAC
  • PBAC

New Feature

Authentication Context – require stronger controls for sensitive data.


1.13 – Explain auditing in identity 📊

Auditing helps:

  • Detect attacks
  • Compliance
  • Troubleshooting

Logs

  • Sign-in logs
  • Audit logs
  • Provisioning logs

Governance is Critical 🧠

Check:

  • HR vs directory
  • Last login
  • Excess privileges
  • MFA usage

Lifecycle: Join → Move → Leave ♻️

  • Create identity
  • Modify access
  • Remove when gone
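Added example (not from these notes): the four governance checks above, plus the leaver case from the story in 1.5, run over a constructed directory snapshot. Field names follow the Microsoft Graph user object (accountEnabled, signInActivity.lastSignInDateTime); the HR roster format, the "mfaRegistered" field and the 90-day threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: HR's roster of current employees and a directory export.
# "mfaRegistered" is an assumed field (Graph reports it separately, not on the user object).
HR_ACTIVE = {"alice@contoso.example", "bob@contoso.example"}
DIRECTORY = [
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-05-01T08:00:00Z"},
     "mfaRegistered": True, "roles": ["User"]},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-01-10T09:00:00Z"},
     "mfaRegistered": False, "roles": ["User"]},
    # The leaver from the story: gone from HR, but the account was never removed.
    {"userPrincipalName": "juan@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2023-11-20T17:30:00Z"},
     "mfaRegistered": False, "roles": ["User", "Global Administrator"]},
]
NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def parse_iso(ts: str) -> datetime:
    # Graph timestamps end in "Z"; fromisoformat() needs an explicit offset on older Pythons.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def governance_findings(directory, hr_active, now=NOW, stale_days=90):
    """Run the four review checks (HR vs directory, last login, excess privileges,
    MFA usage) and return {upn: [finding, ...]} for every account with an issue."""
    findings = {}
    for user in directory:
        upn = user["userPrincipalName"]
        issues = []
        if user["accountEnabled"] and upn not in hr_active:
            issues.append("leaver-still-enabled")  # HR says gone, directory says active
        last = user.get("signInActivity", {}).get("lastSignInDateTime")
        if last is None or now - parse_iso(last) > timedelta(days=stale_days):
            issues.append("stale-account")  # no sign-in within the review window
        if "Global Administrator" in user["roles"]:
            issues.append("privileged-role")  # candidate for PIM / just-in-time access
        if not user["mfaRegistered"]:
            issues.append("mfa-not-registered")
        if issues:
            findings[upn] = issues
    return findings


if __name__ == "__main__":
    for upn, issues in governance_findings(DIRECTORY, HR_ACTIVE).items():
        print(f"{upn}: {', '.join(issues)}")
```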

Monitoring Tools

  • Azure Monitor
  • Sentinel
  • Resource Health
  • Policy