
AZ-900 Exam Cram: Azure Identity, Access, and Security

Describe Azure identity, access, and security

This cram sheet focuses on Unit 2.4 of the AZ-900 Microsoft Azure Fundamentals curriculum. It covers how Azure manages who can log in (Identity), what they can do (Access), and how the overall environment is protected (Security).


Topic Weighting

| Domain Section                                | Exam Weighting |
|-----------------------------------------------|----------------|
| Describe Azure identity, access, and security | 20–25%         |

Important: This section is high-yield. Expect a mix of conceptual questions (Zero Trust) and specific tool questions (Microsoft Entra ID vs. RBAC).


Key Concepts Summary

1. Microsoft Entra ID (formerly Azure Active Directory)

  • Cloud-based Identity Provider (IdP): Manages users, groups, and application access.
  • Authentication (AuthN): The process of proving you are who you say you are (e.g., providing a password).
  • Authorization (AuthZ): Determining what permissions an authenticated person has.

2. Authentication Methods

  • SSO (Single Sign-On): One set of credentials to access multiple applications.
  • MFA (Multifactor Authentication): Requires 2+ elements (Something you know, something you have, something you are).
  • Passwordless: Uses Windows Hello, Microsoft Authenticator app, or FIDO2 security keys.

3. Conditional Access

  • The "If-Then" engine of Azure security.
  • Example: IF a user is logging in from an unknown IP, THEN require MFA.

4. Zero Trust Model

  • Guiding Principle: Never trust, always verify.
  • Three Pillars: Verify explicitly, Use least privileged access, Assume breach.

Formula / Concept Box: RBAC Roles

Azure Role-Based Access Control (RBAC) is applied to Scopes (Management Group > Subscription > Resource Group > Resource).

| Role                      | Permissions                                                                                   |
|---------------------------|-----------------------------------------------------------------------------------------------|
| Owner                     | Full access to all resources + ability to delegate access to others.                          |
| Contributor               | Can create and manage all types of Azure resources but cannot grant access to others.         |
| Reader                    | Can view existing Azure resources but cannot make changes.                                    |
| User Access Admin         | Can manage user access to Azure resources (AuthZ) but cannot manage the resources themselves. |
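The scope hierarchy above is what makes an RBAC question tricky: an assignment at a higher scope is inherited by everything beneath it, and a role's Actions are narrowed by its NotActions (which is exactly why Contributor can create resources but not role assignments). The following Python model is an added example, not Microsoft code. The scope tree, the principals and the simplified Actions/NotActions sets are all constructed for illustration; the real built-in role definitions are much richer, and deny assignments are not modelled.

```python
"""Toy model of Azure RBAC scope inheritance (added example, not Microsoft code)."""
import fnmatch

# Constructed scope tree: child scope -> parent scope.
# Management Group > Subscription > Resource Group > Resource.
SCOPE_PARENT = {
    "/subscriptions/sub-1": "/providers/Microsoft.Management/managementGroups/mg-root",
    "/subscriptions/sub-1/resourceGroups/rg-app": "/subscriptions/sub-1",
    "/subscriptions/sub-1/resourceGroups/rg-data": "/subscriptions/sub-1",
    "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-1":
        "/subscriptions/sub-1/resourceGroups/rg-app",
}
VM_SCOPE = "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-1"

# Simplified (Actions, NotActions) per built-in role; constructed for this example.
# The real definitions carry more entries, but the shape is the same:
# Contributor gets "*" minus the Microsoft.Authorization write/delete actions.
ROLES = {
    "Owner": ({"*"}, set()),
    "Contributor": ({"*"}, {"Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"}),
    "Reader": ({"*/read"}, set()),
    "User Access Administrator": ({"*/read", "Microsoft.Authorization/*"}, set()),
}

# Constructed role assignments: (principal, role, scope).
ASSIGNMENTS = [
    ("alice", "Contributor", "/subscriptions/sub-1"),
    ("bob", "Reader", "/subscriptions/sub-1/resourceGroups/rg-app"),
    ("carol", "User Access Administrator", "/subscriptions/sub-1"),
]


def scope_chain(scope):
    """Return the scope and every ancestor, nearest first."""
    chain = [scope]
    while scope in SCOPE_PARENT:
        scope = SCOPE_PARENT[scope]
        chain.append(scope)
    return chain


def action_matches(pattern, action):
    """Azure action strings are case-insensitive; '*' spans '/' segments."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(assignments, principal, action, scope):
    """True if some assignment at this scope or an ancestor grants the action
    (Actions minus NotActions). Deny assignments are not modelled."""
    ancestors = scope_chain(scope)
    for who, role, assigned_scope in assignments:
        if who != principal or assigned_scope not in ancestors:
            continue
        actions, not_actions = ROLES[role]
        granted = any(action_matches(p, action) for p in actions)
        excluded = any(action_matches(p, action) for p in not_actions)
        if granted and not excluded:
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/write", VM_SCOPE),
        ("alice", "Microsoft.Authorization/roleAssignments/write", VM_SCOPE),
        ("bob", "Microsoft.Compute/virtualMachines/read", VM_SCOPE),
        ("bob", "Microsoft.Storage/storageAccounts/read", "/subscriptions/sub-1/resourceGroups/rg-data"),
        ("carol", "Microsoft.Authorization/roleAssignments/write", VM_SCOPE),
        ("carol", "Microsoft.Compute/virtualMachines/write", VM_SCOPE),
    ]
    for who, action, scope in checks:
        print(f"{who:6} {action:48} -> {is_allowed(ASSIGNMENTS, who, action, scope)}")
```

Running it shows the exam's two key behaviours: alice's Contributor assignment on the subscription reaches vm-1 through inheritance yet cannot write a role assignment, while carol (User Access Administrator) can grant access but cannot touch the VM itself; bob's Reader assignment on rg-app gives him nothing in rg-data because that group is not below his assignment scope.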

Common Pitfalls

  • RBAC vs. Azure Policy: RBAC manages Who (identity). Azure Policy manages Properties (e.g., "No VMs in East US").
  • Microsoft Entra ID vs. Entra Domain Services: Entra ID is a cloud identity service (REST API). Entra Domain Services provides traditional domain join, group policy, and LDAP/Kerberos.
  • Defense in Depth is not a single tool: It is a strategy using multiple layers (Physical, Network, Compute, etc.).
  • Encryption at Rest vs. In Transit: At rest = data on disk (AES-256). In transit = data moving over the network (HTTPS/TLS).

Mnemonics / Memory Triggers

  • CIA Triad (the foundation of security): Confidentiality, Integrity, Availability.
  • The Zero Trust Mantra: "Never Trust, Always Verify."
  • MFA Elements:
    1. Something you know (Password/PIN)
    2. Something you have (Phone/Token)
    3. Something you are (Biometrics/Fingerprint)

Visual Anchor: Defense in Depth

The Defense in Depth model aims to protect information and prevent it from being stolen by those who aren't authorized to access it.

\begin{tikzpicture}
  % Outermost ring is the first layer an attacker meets; DATA sits at the centre.
  \draw[thick, fill=blue!10] (0,0) circle (3.5cm); \node at (0,3.2) {Physical Security};
  \draw[thick, fill=blue!20] (0,0) circle (3.0cm); \node at (0,2.7) {Identity \& Access};
  \draw[thick, fill=blue!30] (0,0) circle (2.5cm); \node at (0,2.2) {Perimeter};
  \draw[thick, fill=blue!40] (0,0) circle (2.0cm); \node at (0,1.7) {Network};
  \draw[thick, fill=blue!50] (0,0) circle (1.5cm); \node at (0,1.2) {Compute};
  \draw[thick, fill=blue!60] (0,0) circle (1.0cm); \node at (0,0.7) {Application};
  \draw[thick, fill=red!40]  (0,0) circle (0.5cm); \node at (0,0)   {\textbf{DATA}};
\end{tikzpicture}


Practice Set

1. Which service is used to manage identities and provide authentication for cloud apps?

  • Answer: Microsoft Entra ID.

2. A user needs to be able to create Virtual Machines but must not be allowed to grant permissions to other users. Which RBAC role should be assigned?

  • Answer: Contributor.

3. True or False: Conditional Access is a feature of Microsoft Entra ID used to enforce MFA based on signals like location or device state.

  • Answer: True.

4. Which security model assumes that every request is a potential breach and must be verified?

  • Answer: Zero Trust.

5. What is the primary purpose of Microsoft Defender for Cloud?

  • Answer: To provide security posture management and threat protection across hybrid cloud workloads.
