Understand authentication methods (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Understand the Microsoft 365 security principles
      --> Understand authentication methods


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Authentication is one of the foundational security concepts in Microsoft 365. Before users can access email, files, Teams conversations, or Microsoft 365 Copilot experiences, the system must first verify their identity.

Authentication answers the question:

“Who are you?”

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, it is important to understand the various authentication methods available in Microsoft 365 and how they help secure organizational resources.


What Is Authentication?

Authentication is the process of verifying a user’s identity before granting access to Microsoft 365 resources.

When users sign in, Microsoft Entra ID (formerly Azure Active Directory) validates their credentials and determines whether they are who they claim to be.

Authentication occurs before authorization.

Example

  1. User enters credentials.
  2. Microsoft verifies identity.
  3. Authorization determines what resources the user can access.

Authentication vs. Authorization

Although closely related, these are different concepts.

Authentication                          | Authorization
----------------------------------------|-------------------------------
Verifies identity                       | Determines access rights
Answers “Who are you?”                  | Answers “What can you do?”
Occurs first                            | Occurs second
Uses credentials and identity factors   | Uses permissions and policies

Why Authentication Is Important

Authentication helps organizations:

  • Prevent unauthorized access.
  • Protect sensitive data.
  • Reduce credential theft risks.
  • Support Zero Trust security.
  • Enable secure remote work.

Without authentication, Microsoft 365 resources would be exposed to anyone.


Authentication Factors

Authentication methods are based on one or more factors.

Something You Know

Examples:

  • Passwords
  • PINs
  • Security questions

Something You Have

Examples:

  • Smartphone
  • Hardware token
  • Security key

Something You Are

Examples:

  • Fingerprint
  • Facial recognition
  • Other biometrics

Using multiple factors increases security.


Single-Factor Authentication (SFA)

Single-factor authentication requires only one credential.

Typically:

Username + Password

Advantages:

  • Simple
  • Familiar

Disadvantages:

  • Vulnerable to phishing attacks.
  • Password theft can lead to account compromise.

Because passwords alone are risky, organizations increasingly use stronger authentication methods.


Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) requires two or more authentication factors.

Example:

  1. User enters a password.
  2. User approves a request in Microsoft Authenticator.

Benefits include:

  • Stronger protection against compromised passwords.
  • Reduced account takeover risk.
  • Improved compliance.

Microsoft strongly recommends MFA for all users.
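The factor categories above and the MFA definition in this section are easy to get wrong on the exam: two credentials from the same category (password plus security question) are still single-factor. The following added example, which is not Microsoft code and not part of the original post, uses an illustrative method-to-category table to classify sign-in combinations and flag the properties this page cares about (MFA, passwordless, phishing resistance, telephony as the second factor).

```python
"""Classify sign-in methods by authentication factor and decide whether a
combination is genuinely multi-factor. Added example for this page, not
Microsoft code; the method names and category table are illustrative."""

# Method -> factor category from the page: know / have / are.
# FIDO2 keys and Windows Hello are device-bound ("have"); the local PIN or
# biometric gesture that unlocks them is listed as its own method.
FACTOR_OF = {
    "password": "know",
    "pin": "know",
    "security_question": "know",
    "authenticator_push": "have",  # Microsoft Authenticator approval
    "sms_code": "have",            # one-time code sent to the phone
    "voice_call": "have",
    "fido2_key": "have",
    "windows_hello": "have",
    "certificate": "have",         # smart card / client certificate
    "fingerprint": "are",
    "face": "are",
}

# Methods the page describes as phishing-resistant.
PHISHING_RESISTANT = {"fido2_key", "windows_hello", "certificate"}
TELEPHONY = {"sms_code", "voice_call"}  # weaker channels per the page


def distinct_factors(methods):
    """Return the set of factor categories covered by the methods."""
    unknown = sorted(set(methods) - set(FACTOR_OF))
    if unknown:
        raise ValueError(f"unknown method(s): {unknown}")
    return {FACTOR_OF[m] for m in methods}


def is_mfa(methods):
    """True only when two or more *different* categories are present.
    Password + security question is two credentials but one factor."""
    return len(distinct_factors(methods)) >= 2


def assess(methods):
    """Summarise a sign-in combination the way a reviewing admin would."""
    factors = distinct_factors(methods)
    return {
        "factors": sorted(factors),
        "mfa": len(factors) >= 2,
        "passwordless": "password" not in methods,
        "phishing_resistant": bool(PHISHING_RESISTANT & set(methods)),
        "telephony_second_factor": bool(TELEPHONY & set(methods)),
    }
```

`assess(["fido2_key", "pin"])` reports MFA, passwordless and phishing-resistant, while `assess(["password", "security_question"])` reports a single factor despite two credentials.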


Common MFA Methods in Microsoft 365

Microsoft 365 supports several MFA options.


Microsoft Authenticator App

Users receive:

  • Push notifications
  • Number matching prompts
  • Verification approvals

Advantages:

  • Secure
  • Convenient
  • Widely recommended by Microsoft

Text Message (SMS)

Users receive a verification code by text.

Advantages:

  • Easy to use.

Limitations:

  • Less secure than app-based authentication.
  • Vulnerable to SIM-swapping attacks.

Voice Calls

Users receive an automated phone call with verification instructions.

This method is supported but is generally less secure than app-based options.


Hardware Security Keys

Physical devices such as FIDO2 security keys provide strong authentication.

Benefits:

  • Resistant to phishing attacks.
  • Passwordless capability.
  • Strong protection for privileged accounts.

Passwordless Authentication

Passwordless authentication eliminates traditional passwords.

Instead, users authenticate through:

  • Microsoft Authenticator
  • FIDO2 security keys
  • Windows Hello for Business

Benefits include:

  • Reduced phishing risk.
  • Improved user experience.
  • Fewer password-related support requests.

Passwordless authentication is a key part of Microsoft’s security strategy.


Windows Hello for Business

Windows Hello for Business uses:

  • Facial recognition
  • Fingerprint recognition
  • PINs

Because biometric information remains on the device, this method provides strong security and convenience.


FIDO2 Security Keys

FIDO2 keys are physical authentication devices.

Examples include:

  • USB keys
  • NFC keys

Benefits:

  • Passwordless sign-in.
  • Protection against phishing.
  • Strong authentication for administrators.

Certificate-Based Authentication

Certificate-based authentication uses digital certificates to verify identity.

Organizations commonly use this method for:

  • Highly secure environments
  • Smart cards
  • Specialized devices

Legacy Authentication

Legacy authentication uses older protocols that often rely only on usernames and passwords.

Examples include:

  • POP3
  • IMAP
  • SMTP AUTH (certain scenarios)

These methods do not support modern security controls like MFA.

Because of their security risks, organizations are encouraged to disable legacy authentication whenever possible.
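Before legacy authentication is disabled, an administrator needs to know which accounts still use it. The added example below (not a Microsoft tool, and not part of the original post) summarises sign-in records by legacy protocol; the records are constructed, shaped like Microsoft Graph signIn resources, and the field names used (userPrincipalName, clientAppUsed, status.errorCode) are fields that resource exposes.

```python
"""Triage Entra ID sign-in records for legacy-authentication use before it
is blocked. Added example for this page, not a Microsoft tool. The records
are constructed in the shape of Microsoft Graph signIn resources; the field
names used (userPrincipalName, clientAppUsed, status.errorCode) are fields
that resource exposes."""
import json
from collections import defaultdict

# Protocols the page names as legacy (they cannot carry an MFA challenge).
# Values match the clientAppUsed strings Entra reports; the list is partial.
LEGACY_CLIENT_APPS = {"POP3", "IMAP4", "Authenticated SMTP",
                      "Exchange ActiveSync", "Other clients"}

# Constructed sample export (not real tenant data).
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@contoso.example",
     "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "POP3",
     "status": {"errorCode": 50126}},  # AADSTS50126: bad username/password
])


def legacy_auth_report(signins_json):
    """Return, per user who touched a legacy protocol, the protocols used and
    how many attempts succeeded or failed. Successes show who still depends
    on legacy auth; failures on these protocols bypass MFA, so review them."""
    report = defaultdict(lambda: {"apps": set(), "successes": 0, "failures": 0})
    for rec in json.loads(signins_json):
        app = rec.get("clientAppUsed", "")
        if app not in LEGACY_CLIENT_APPS:
            continue  # modern clients (Browser, desktop apps) can do MFA
        entry = report[rec["userPrincipalName"]]
        entry["apps"].add(app)
        if rec.get("status", {}).get("errorCode", 0) == 0:
            entry["successes"] += 1
        else:
            entry["failures"] += 1
    return {u: {**e, "apps": sorted(e["apps"])} for u, e in report.items()}
```

`legacy_auth_report(SAMPLE_SIGNINS)` lists bob (IMAP4 and POP3, one success and one failure) and the scanner account (Authenticated SMTP) but not alice, whose browser sign-in can carry MFA.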


Adaptive Authentication and Conditional Access

Microsoft Entra Conditional Access can require additional authentication based on risk factors.

Examples:

  • Require MFA outside the corporate network.
  • Block risky sign-ins.
  • Require compliant devices.

This supports the Zero Trust principle of Verify Explicitly.


Password Policies

Strong passwords remain important.

Best practices include:

  • Long passwords or passphrases.
  • Avoiding reused passwords.
  • Avoiding predictable information.
  • Enabling MFA.

Microsoft recommends focusing on password quality rather than forcing frequent password changes.


Authentication in Zero Trust

Authentication supports Zero Trust by:

Verifying Identity Continuously

Access requests are evaluated using multiple signals.

Reducing Credential Risks

MFA strengthens security.

Supporting Least Privilege

Only verified users receive access.


Authentication and Microsoft 365 Copilot

Microsoft 365 Copilot relies on existing Microsoft 365 identities.

Users must authenticate before accessing:

  • Outlook
  • Teams
  • SharePoint
  • Word
  • Copilot experiences

Copilot itself does not bypass authentication requirements.


Best Practices

Enable Multi-Factor Authentication

MFA is one of the most effective security controls.

Adopt Passwordless Authentication

Reduce reliance on passwords.

Use Microsoft Authenticator

Prefer app-based verification over SMS.

Disable Legacy Authentication

Reduce exposure to credential attacks.

Protect Administrator Accounts

Use stronger authentication methods for privileged users.


Exam Tips

Remember these key AB-900 concepts:

  • Authentication verifies identity.
  • Authentication occurs before authorization.
  • Single-factor authentication usually relies on passwords.
  • MFA uses multiple authentication factors.
  • Microsoft Authenticator is a recommended MFA method.
  • Passwordless authentication improves security.
  • Windows Hello for Business supports biometric authentication.
  • FIDO2 security keys provide phishing-resistant authentication.
  • Legacy authentication is less secure because it often does not support MFA.
  • Conditional Access can require additional authentication based on risk.

Practice Exam Questions

Question 1

What question does authentication answer?

A. Who is the user?
B. How much storage is available?
C. What resources can the user access?
D. Which files should be encrypted?

Correct Answer: A

Explanation: Authentication verifies identity and determines whether the user is who they claim to be.


Question 2

Which process occurs before authorization?

A. Authentication
B. Auditing
C. Encryption
D. Data classification

Correct Answer: A

Explanation: Users must first prove their identity before permissions are evaluated.


Question 3

Which example represents multi-factor authentication?

A. Username only
B. Password only
C. PIN only
D. Password and Microsoft Authenticator approval

Correct Answer: D

Explanation: MFA requires multiple authentication factors rather than relying on a single credential.


Question 4

Which authentication factor category includes a fingerprint?

A. Something you know
B. Something you have
C. Something you own
D. Something you are

Correct Answer: D

Explanation: Biometrics are considered “something you are.”


Question 5

Which Microsoft solution provides app-based MFA approvals?

A. Microsoft Authenticator
B. Exchange Online
C. SharePoint Online
D. Microsoft Purview

Correct Answer: A

Explanation: Microsoft Authenticator supports push notifications and secure MFA verification.


Question 6

What is a major advantage of passwordless authentication?

A. Increased mailbox size
B. Reduced phishing risks
C. Automatic role assignments
D. Elimination of permissions

Correct Answer: B

Explanation: Removing passwords helps reduce common attack methods such as phishing.


Question 7

Which authentication method uses facial recognition or fingerprints?

A. FIDO2
B. SMS verification
C. Voice call authentication
D. Windows Hello for Business

Correct Answer: D

Explanation: Windows Hello for Business supports biometric authentication and PIN-based sign-in.


Question 8

Why are legacy authentication protocols considered less secure?

A. They consume more storage.
B. They disable file sharing.
C. They often do not support modern protections such as MFA.
D. They prevent Teams meetings.

Correct Answer: C

Explanation: Legacy authentication protocols typically rely only on usernames and passwords.


Question 9

Which technology can require additional authentication based on risk conditions?

A. Conditional Access
B. Distribution groups
C. Shared mailboxes
D. Version history

Correct Answer: A

Explanation: Conditional Access evaluates signals and can require MFA or block access.


Question 10

Which authentication method provides phishing-resistant, passwordless sign-in through a physical device?

A. SMS codes
B. Security questions
C. Voice calls
D. FIDO2 security keys

Correct Answer: D

Explanation: FIDO2 keys provide strong passwordless authentication and resist phishing attacks.

