This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
--> Identify the core security features of Microsoft 365 services
--> Understand features and capabilities of Microsoft Entra
Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.
Introduction
Identity is the foundation of security in Microsoft 365. Before users can access email, Teams, SharePoint, Microsoft 365 Copilot, or other services, their identities must be verified and managed securely.
Microsoft Entra is Microsoft’s family of identity and access solutions that helps organizations secure users, applications, devices, and external identities. Microsoft Entra provides authentication, authorization, identity governance, and access management capabilities that support modern security strategies such as Zero Trust.
For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, understanding the major capabilities of Microsoft Entra is essential.
What Is Microsoft Entra?
Microsoft Entra is Microsoft’s identity and access product family.
It helps organizations:
- Manage identities.
- Authenticate users.
- Control access to resources.
- Protect against identity-based attacks.
- Support Zero Trust security.
Microsoft Entra enables secure access to:
- Microsoft 365
- Microsoft Teams
- SharePoint Online
- Exchange Online
- Third-party applications
- Custom applications
Microsoft Entra ID
The core component of Microsoft Entra is Microsoft Entra ID (formerly Azure Active Directory).
Microsoft Entra ID is a cloud-based identity and access management service that provides:
- User accounts
- Group management
- Authentication services
- Authorization capabilities
- Single Sign-On (SSO)
- Multi-Factor Authentication (MFA)
Microsoft 365 relies on Microsoft Entra ID to manage identities.
Identity and Access Management (IAM)
Identity and Access Management (IAM) ensures that:
- The correct users are identified.
- Appropriate access is granted.
- Access can be controlled and monitored.
IAM helps organizations maintain security while enabling productivity.
Authentication
Authentication verifies identity.
It answers:
Who are you?
Microsoft Entra supports multiple authentication methods, including:
- Passwords
- Microsoft Authenticator
- SMS verification
- Voice calls
- FIDO2 security keys
- Windows Hello for Business
Authentication occurs before authorization.
Authorization
Authorization determines what authenticated users are allowed to access.
It answers:
What are you allowed to do?
Examples include:
- Accessing SharePoint sites.
- Reading Exchange mailboxes.
- Managing Teams settings.
Authorization is commonly controlled through:
- Roles
- Permissions
- Policies
Single Sign-On (SSO)
Single Sign-On allows users to sign in once and access multiple applications without re-entering credentials.
Benefits include:
- Improved user experience.
- Reduced password fatigue.
- Fewer password reset requests.
- Increased productivity.
Users can access Microsoft 365 applications with one identity.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication requires more than one authentication factor.
Examples:
- Password
- Microsoft Authenticator approval
Benefits include:
- Stronger security.
- Reduced credential theft risk.
- Better protection against phishing attacks.
MFA is one of Microsoft’s most important security recommendations.
Conditional Access
Conditional Access uses signals to determine whether access should be allowed.
Signals may include:
- User identity
- Device status
- Location
- Application being accessed
- Risk level
Examples:
- Require MFA outside the corporate network.
- Block high-risk sign-ins.
- Require compliant devices.
Conditional Access supports the Zero Trust principle of Verify Explicitly.
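The three example policies above, written as an added example with the Microsoft Graph PowerShell SDK (this is not code from the original post). The policy names, the New-ReportOnlyCaPolicy helper and the emergency-access account placeholder are assumptions; every policy is created in report-only state so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell module is installed and
# the admin can consent to the scopes below.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Placeholder: object ID of an emergency-access account kept out of every policy
# so a misconfigured rule cannot lock all administrators out.
$breakGlassId = '<emergency-access-account-object-id>'

# Hypothetical helper: builds one report-only policy from a shared baseline scope.
function New-ReportOnlyCaPolicy {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $Controls,
        [hashtable] $ExtraConditions = @{}
    )
    # Baseline scope: all users (minus emergency access), all cloud apps, all clients.
    $conditions = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    } + $ExtraConditions

    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        # Report-only: the result is logged for each sign-in but not enforced.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $conditions
        grantControls = @{ operator = 'OR'; builtInControls = $Controls }
    }
}

# 1. Require MFA outside the corporate network (named locations marked trusted).
New-ReportOnlyCaPolicy -Name 'Require MFA outside trusted locations' -Controls 'mfa' `
    -ExtraConditions @{ locations = @{ includeLocations = @('All')
                                       excludeLocations = @('AllTrusted') } }

# 2. Block high-risk sign-ins (the Risk level signal).
New-ReportOnlyCaPolicy -Name 'Block high-risk sign-ins' -Controls 'block' `
    -ExtraConditions @{ signInRiskLevels = @('high') }

# 3. Require a device that is marked compliant (the Device status signal).
New-ReportOnlyCaPolicy -Name 'Require compliant device' -Controls 'compliantDevice'
```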
Role-Based Access Control (RBAC)
Microsoft Entra uses Role-Based Access Control to assign administrative privileges.
Examples of built-in roles include:
- Global Administrator
- User Administrator
- Security Administrator
- Exchange Administrator
RBAC follows the principle of least privilege by granting only the permissions required.
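To check least privilege in practice, the following added example (not part of the original post) uses the Microsoft Graph PowerShell SDK to list who currently holds each of the built-in roles named above. The scopes and the report layout are assumptions.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell module and read-only scopes.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

# Built-in roles named in this section.
$rolesToReview = 'Global Administrator', 'User Administrator',
                 'Security Administrator', 'Exchange Administrator'

# Get-MgDirectoryRole returns only roles that have been activated in the tenant.
$roles = Get-MgDirectoryRole -All | Where-Object DisplayName -in $rolesToReview

$report = foreach ($role in $roles) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [pscustomobject]@{
            Role       = $role.DisplayName
            # Empty for members that are not users (groups, service principals).
            Member     = $member.AdditionalProperties['userPrincipalName']
            ObjectType = $member.AdditionalProperties['@odata.type']
            ObjectId   = $member.Id
        }
    }
}

# Roles with the most holders first, then the full membership list.
$report | Group-Object Role | Sort-Object Count -Descending | Select-Object Name, Count
$report | Sort-Object Role, Member | Format-Table -AutoSize
```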
Groups
Groups simplify administration by allowing permissions and licenses to be assigned to multiple users simultaneously.
Types of groups include:
Security Groups
Used to assign permissions and policies.
Microsoft 365 Groups
Provide collaboration resources such as:
- Outlook mailbox
- Teams workspace
- SharePoint site
Groups help reduce administrative effort.
Self-Service Capabilities
Microsoft Entra supports self-service features such as:
Self-Service Password Reset (SSPR)
Users can reset forgotten passwords without administrator assistance.
Benefits:
- Reduced help desk workload.
- Faster account recovery.
Self-Service Group Management
Users can manage group membership when permitted.
Device Identity and Management Integration
Microsoft Entra can recognize devices and work with Microsoft Intune.
This allows organizations to:
- Register devices.
- Evaluate compliance.
- Control access based on device health.
Examples:
- Require managed devices.
- Block noncompliant devices.
External Identities
Organizations often collaborate with external users.
Microsoft Entra supports:
- Guest users
- Business partners
- Contractors
External identities allow secure collaboration while maintaining administrative control.
Identity Protection
Microsoft Entra helps detect identity-related threats such as:
- Credential theft
- Suspicious sign-ins
- Impossible travel scenarios
- Password spray attacks
Identity protection helps organizations respond to risks quickly.
Identity Governance
Identity governance helps organizations manage:
- Access reviews
- Lifecycle management
- Least privilege practices
Governance helps ensure users retain only the access they need.
Passwordless Authentication
Microsoft Entra supports passwordless sign-in methods including:
- Microsoft Authenticator
- Windows Hello for Business
- FIDO2 security keys
Benefits include:
- Improved user experience.
- Reduced phishing risks.
- Stronger security.
Microsoft Entra and Zero Trust
Microsoft Entra supports all three Zero Trust principles.
Verify Explicitly
Evaluate identity and access conditions.
Use Least Privileged Access
Grant only necessary permissions.
Assume Breach
Continuously monitor identity risks.
Microsoft Entra and Microsoft 365 Copilot
Microsoft 365 Copilot relies on Microsoft Entra identities.
Entra controls:
- User authentication.
- Authorization.
- Access policies.
- Group memberships.
- Security controls.
Copilot inherits existing permissions and does not grant access to content users are not already authorized to view.
Benefits of Microsoft Entra
Organizations benefit from:
Centralized Identity Management
Manage users from a single platform.
Improved Security
Protect against identity attacks.
Better User Experience
Single Sign-On reduces friction.
Reduced Administrative Effort
Groups and self-service capabilities simplify management.
Support for Zero Trust
Access decisions are based on multiple signals.
Best Practices
Enable Multi-Factor Authentication
Protect identities against compromise.
Use Least Privilege
Assign only required permissions.
Implement Conditional Access
Strengthen access decisions.
Use Self-Service Password Reset
Reduce support costs.
Review Administrative Roles Regularly
Limit excessive privileges.
Exam Tips
Remember these key AB-900 concepts:
- Microsoft Entra is Microsoft’s identity and access family.
- Microsoft Entra ID was formerly Azure Active Directory.
- Authentication verifies identity.
- Authorization determines access.
- Single Sign-On provides one login for multiple applications.
- Multi-Factor Authentication improves security.
- Conditional Access evaluates multiple signals.
- RBAC controls administrative privileges.
- Self-Service Password Reset reduces help desk workload.
- Microsoft 365 Copilot relies on Microsoft Entra identities and permissions.
Practice Exam Questions
Question 1
What is the primary purpose of Microsoft Entra?
A. Replace Microsoft Teams meetings
B. Manage identity and access to resources
C. Increase SharePoint storage capacity
D. Provide email hosting
Correct Answer: B
Explanation: Microsoft Entra provides identity and access management capabilities for users, applications, and devices.
Question 2
What was Microsoft Entra ID previously called?
A. Microsoft Intune
B. Azure Active Directory
C. Exchange Online
D. Microsoft Purview
Correct Answer: B
Explanation: Microsoft Entra ID is the new name for Azure Active Directory.
Question 3
Which capability allows users to sign in once and access multiple applications?
A. Multi-Factor Authentication
B. Conditional Access
C. Single Sign-On
D. Identity Governance
Correct Answer: C
Explanation: Single Sign-On improves user experience by reducing repeated sign-ins.
Question 4
Which Microsoft Entra feature allows users to reset forgotten passwords without administrator assistance?
A. Self-Service Password Reset
B. Privileged Identity Management
C. Role-Based Access Control
D. Conditional Access
Correct Answer: A
Explanation: Self-Service Password Reset reduces support requests and speeds account recovery.
Question 5
Which capability uses factors such as location and device compliance when making access decisions?
A. Dynamic Distribution Groups
B. Microsoft Lists
C. Conditional Access
D. Shared Mailboxes
Correct Answer: C
Explanation: Conditional Access evaluates various signals before granting access.
Question 6
What does authentication determine?
A. What permissions users have
B. Who the user is
C. Which Teams channel is created
D. Which files are deleted
Correct Answer: B
Explanation: Authentication verifies a user’s identity.
Question 7
Which principle is supported by Role-Based Access Control (RBAC)?
A. Maximum privilege
B. Open access
C. Unlimited permissions
D. Least privilege
Correct Answer: D
Explanation: RBAC grants only the permissions necessary to perform assigned tasks.
Question 8
Which authentication method strengthens security by requiring multiple verification factors?
A. Single Sign-On
B. Multi-Factor Authentication
C. Shared mailbox access
D. Version history
Correct Answer: B
Explanation: MFA provides stronger identity protection than passwords alone.
Question 9
What type of group provides collaboration resources such as Teams, Outlook mailboxes, and SharePoint sites?
A. Security group
B. Distribution list
C. Microsoft 365 group
D. Mail contact
Correct Answer: C
Explanation: Microsoft 365 groups provide shared collaboration resources.
Question 10
How does Microsoft 365 Copilot use Microsoft Entra?
A. It bypasses user permissions.
B. It replaces authentication requirements.
C. It creates anonymous access.
D. It relies on Entra identities and existing permissions.
Correct Answer: D
Explanation: Copilot respects existing identities, permissions, and security controls managed by Microsoft Entra.
