11. Identity and Security: Entra ID, RBAC, and Defender for Cloud
Identity is the new security perimeter. The AZ-900 exam tests Microsoft Entra ID, Azure RBAC, Conditional Access, MFA, Zero Trust, and Defender for Cloud basics.
Microsoft Entra ID
Microsoft Entra ID (formerly Azure Active Directory) is Azure's cloud-based identity and access management service. It provides authentication and authorization for Azure resources, Microsoft 365, and third-party SaaS applications. Key Entra ID features tested on AZ-900:
- Single Sign-On (SSO): one set of credentials to access multiple applications
- Multi-Factor Authentication (MFA): requires a second form of verification beyond password
- Conditional Access: grant or block access based on conditions (user location, device compliance, risk level)
- B2B: invite external users (guests) to your tenant
- B2C: customer identity for consumer-facing applications
Azure RBAC (Role-Based Access Control)
Azure RBAC controls who can do what with Azure resources. You assign roles to identities (users, groups, service principals) at a specific scope. Key roles:
- Owner: full access including ability to delegate access
- Contributor: create and manage resources but cannot grant access to others
- Reader: view resources only; cannot make changes
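As an added illustration (not part of the original lesson and not Microsoft code), the following Python models how Azure RBAC decides an allow: a principal may perform an action on a resource if some assignment whose scope contains that resource grants a role whose Actions match the action and whose NotActions do not. The role definitions are simplified from the built-ins, the principal names and subscription id are constructed placeholders, and deny assignments are not modelled.

```python
import fnmatch

# Simplified built-in role definitions (Actions / NotActions), modelled on the
# Azure built-ins; Contributor's NotActions list is trimmed to the entries that
# explain why it cannot delegate access while Owner can.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

def _matches(pattern, action):
    # Action strings are compared case-insensitively; '*' matches any run of characters.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _in_scope(assignment_scope, resource_scope):
    # A role assigned at a scope applies to that scope and every child scope beneath it.
    a = assignment_scope.rstrip("/").lower()
    r = resource_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def is_allowed(assignments, principal, resource_scope, action):
    """True if any assignment (principal, role, scope) covering resource_scope
    grants the action: matched by Actions and not excluded by NotActions."""
    for who, role_name, scope in assignments:
        if who != principal or not _in_scope(scope, resource_scope):
            continue
        role = ROLES[role_name]
        granted = any(_matches(p, action) for p in role["actions"])
        excluded = any(_matches(p, action) for p in role["not_actions"])
        if granted and not excluded:
            return True
    return False

# Constructed sample tenant: the subscription id and names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
ASSIGNMENTS = [
    ("alice", "Owner", SUB),      # cascades to every resource group and resource below
    ("bob", "Contributor", RG),   # applies only inside rg-app
    ("carol", "Reader", SUB),
]
```

Running the checks shows the exam points directly: bob can write the VM but not a role assignment, alice can do both, and carol can only read.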
Microsoft Defender for Cloud
Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) service. Two main functions:
- Secure Score: a numeric measure of your security posture; higher is better; provides prioritized recommendations
- Defender plans: paid workload protection for VMs, databases, containers, etc.
Zero Trust Security Model
Zero Trust assumes no implicit trust: "never trust, always verify." Key principles:
- Verify explicitly: authenticate and authorize based on all available data
- Use least privilege access: limit access with just-in-time and just-enough-access
- Assume breach: minimize blast radius, segment access, encrypt data
Key Takeaways
- ✓ Entra ID provides authentication and SSO for Azure, Microsoft 365, and third-party SaaS applications
- ✓ MFA requires a second verification factor beyond a password; reduces account compromise risk significantly
- ✓ Azure RBAC assigns roles at scope: Owner > Contributor > Reader; roles cascade from higher to lower scopes
- ✓ Defender for Cloud provides Secure Score and prioritized security recommendations for Azure resources
- ✓ Zero Trust: verify explicitly, use least privilege, assume breach
Practice Questions
1. A developer needs to deploy resources to Azure but must not be able to grant permissions to other users. Which Azure RBAC role is most appropriate?
2. Which Microsoft security feature provides a numeric measurement of an organization's current security posture with prioritized recommendations?