Identity & Governance -- Master Notes

Exam Weight: 20-25%

Unified reference merging Scott Duffy (Udemy) and John Savill (YouTube Masterclass) with official Microsoft Learn documentation. Organized by the AZ-104 skills measured.


1. Microsoft Entra ID -- The Foundation

What Is Entra ID?

Microsoft Entra ID (formerly Azure Active Directory) is a cloud-native identity provider. It is the single source of truth for authentication across Azure Portal, Microsoft 365, and thousands of SaaS apps. The goal: one login to rule them all (Single Sign-On).

Exam Trap

Entra ID and on-premises Active Directory Domain Services (AD DS) are completely different systems that happen to share a name.

| Feature | AD DS (On-Prem) | Entra ID (Cloud) |
|---|---|---|
| Purpose | Closed network identity | Cloud / SaaS identity |
| Protocols | Kerberos, NTLM, LDAP | OAuth 2.0, OIDC, SAML |
| Ports | Wide range | HTTPS only (443) |
| Structure | Organizational Units (OU tree) | Flat (no hierarchy) |
| Management | Group Policy | Conditional Access, Intune |
| Query language | LDAP | Microsoft Graph API |

Most real-world companies run a hybrid setup -- AD DS handles local resources while Entra ID handles cloud. They sync via Entra Connect or Cloud Sync.

Account vs Tenant vs Subscription

These are three separate concepts:

| Concept | What It Is | Analogy |
|---|---|---|
| Account | Your identity (email + password, or managed identity) | Employee badge |
| Tenant | Your organization's Entra ID directory | The company itself |
| Subscription | Billing arrangement attached to a tenant | Company credit card |

  • One tenant can have many subscriptions.
  • One subscription belongs to exactly one tenant (but can be moved).
  • One custom domain can belong to only one tenant.

Licensing Tiers

Pricing is per-user per-month. Different users can have different tiers within the same tenant.

| Feature | Free | P1 (~$6/user) | P2 (~$9/user) |
|---|---|---|---|
| Basic user & group mgmt | Yes | Yes | Yes |
| SLA (money-back guarantee) | No | Yes | Yes |
| Conditional Access | No | Yes | Yes |
| Dynamic Groups | No | Yes | Yes |
| SSPR (full + writeback) | No | Yes | Yes |
| Identity Protection (risk) | No | No | Yes |
| Access Reviews | No | No | Yes |
| PIM (just-in-time admin) | No | No | Yes |

Cost Strategy

P2 for admins and security-sensitive roles, P1 for power users needing Conditional Access, Free for basic users. You do not need to license everyone at the same tier.

Tenant Types

| Type | Purpose | Auth Methods | Pricing |
|---|---|---|---|
| Workforce (default) | Employees, B2B guests, hybrid | Entra, federated, B2B | Per-user license |
| External (CIAM) | Customer-facing apps | Social logins, email OTP, enterprise IDP | MAU (monthly active users) |

2. Manage Microsoft Entra Users and Groups

Creating Users

Three methods:

Portal:

```text
Entra ID > Users > + New user > Create user
Required fields: Username + Display Name only
Azure auto-generates a temporary password
```

PowerShell (Microsoft Graph SDK):

```powershell
New-MgUser -DisplayName "Walter White" `
  -UserPrincipalName "walter@contoso.com" `
  -PasswordProfile @{ Password = "TempP@ss123!"; ForceChangePasswordNextSignIn = $true } `
  -AccountEnabled $true `
  -MailNickname "wwhite"
```

Azure CLI:

```bash
az ad user create \
  --display-name "Walter White" \
  --user-principal-name "walter@contoso.com" \
  --password "TempP@ss123!" \
  --force-change-password-next-sign-in true
```

Key Facts

  • A brand new user has zero permissions. They can log in but see nothing until assigned roles or group memberships.
  • Free tier supports up to 500,000 directory objects (users + groups + contacts).
  • Usage Location must be set on a user before you can assign a license.

Member vs Guest Users

| Aspect | Member | Guest |
|---|---|---|
| Identity source | Your domain | External email (Gmail, corporate, etc.) |
| Created by | Admin creates | Admin invites (must accept) |
| Default directory access | Full read | Limited visibility |
| Governed by | Same Conditional Access / MFA / RBAC | Same rules apply |
| UPN format | user@contoso.com | user_fabrikam.com#EXT#@contoso.onmicrosoft.com |

Groups

Two group types:

  • Security Group -- for RBAC, resource access, Conditional Access targeting.
  • Microsoft 365 Group -- for collaboration (Teams, SharePoint, shared mailbox).

Three membership types:

  • Assigned -- manual add/remove. Works on Free tier.
  • Dynamic User -- attribute-based rules. Requires P1.
  • Dynamic Device -- device attribute rules. Requires P1.

Dynamic Group Rule Examples

```text
# All users in the Quantum department
user.department -eq "Quantum"

# All users hired in the last year
user.employeeHireDate -ge now().addDays(-365)

# All users with Hero job titles
user.jobTitle -startsWith "Hero"
```

Dynamic groups are rule-based, not event-based: Azure periodically re-evaluates membership (not instant). You cannot assign Entra ID roles to dynamic groups.

Managing Licenses

  • Licenses are purchased at the tenant level, then assigned to individual users.
  • Usage Location gotcha: Must be set before license assignment (some services are restricted by country).
  • Assign via: Portal (user properties), Groups (group-based licensing), PowerShell, Graph API.

External (Guest) Users -- B2B Collaboration

Invite path: Entra ID > Users > + New user > Invite external user.

Guests follow the same security rules as members: Conditional Access applies, MFA can be enforced, permissions must be explicitly granted, access reviews can include guests.

Cross-Tenant Access Settings provide fine-grained control:

  • Inbound: Which external users can access your tenant, which apps, trust their MFA?
  • Outbound: Which of your users can access other tenants, which apps?
  • Trust settings: Trust partner MFA (eliminates double-MFA), trust compliant devices, trust Hybrid Join.

Self-Service Password Reset (SSPR)

Lets users reset their own passwords without an IT ticket. Available at https://aka.ms/sspr.

| Setting | Options |
|---|---|
| Enabled for | None / Selected groups / All |
| Methods required | 1 or 2 |
| Available methods | Authenticator, Phone, Email, Security Questions |
| Registration | Can force on next sign-in |

Important

  • Admins always have SSPR enabled with mandatory 2-factor. Not configurable.
  • SSPR for regular users requires P1/P2.
  • Email verification is useless if the user's Azure email IS their primary email (circular). Use Authenticator app.

3. Authentication & MFA

Authentication Proof Types

| Category | Examples |
|---|---|
| Something you know | Password, PIN |
| Something you have | Phone, FIDO2 key, smart card |
| Something you are | Fingerprint, face, retina |

MFA = two or more factors from different categories. MFA blocks 99.2% of attacks.

Authentication Strength Spectrum

From weakest to strongest:

| Level | Method | Phishing Resistant? |
|---|---|---|
| 1. Worst | Password only | No |
| 2. Better | Password + SMS/Phone | No (SIM swap vulnerable) |
| 3. Good | Password + Authenticator app | No (MFA fatigue attacks) |
| 4. Great | Passwordless -- Hello, Authenticator, FIDO2 | Depends on method |
| 5. Best | Phishing-resistant -- Hello, FIDO2, Certificate | Yes |

Entra Built-in Authentication Strengths

| Strength | Included Methods |
|---|---|
| MFA | All MFA methods |
| Passwordless MFA | Hello, Passkeys, Certificate, Authenticator |
| Phishing-resistant MFA | Hello, Passkeys, Certificate (NOT Authenticator) |

Custom authentication strengths can be created and used in Conditional Access Grant controls.

Hybrid Authentication Options

For organizations syncing from on-prem AD:

| Feature | Password Hash Sync (PHS) | Pass-Through Auth (PTA) | Federation (ADFS) |
|---|---|---|---|
| Auth happens at | Entra (cloud) | On-prem DC | External IDP |
| On-prem dependency | None | Yes (agents) | Yes (ADFS servers) |
| Complexity | Low | Medium | High |
| Leaked credential detection | Yes | No | No |
| Recommendation | Best choice | Good | Avoid if possible |

TIP

Always enable PHS even if using PTA or Federation -- it serves as a fallback for disaster recovery and enables leaked credential detection.

Temporary Access Pass (TAP)

Solves the "chicken-and-egg" problem of MFA registration. Time-limited, optionally one-time-use code.

Workflow: Admin creates TAP -> share securely -> user authenticates -> user sets up passwordless -> TAP expires.

Enables fully passwordless onboarding where the user never knows a password.


4. Conditional Access -- The Zero Trust Engine

Requires Entra ID P1

Every access request is evaluated based on: who, what app, where from, which device, what risk level.

Policy Structure

Assignments (IF):

  • Users / Groups (include and exclude)
  • Cloud Apps or Actions (all apps, selected apps, or user actions like "Register security info")
  • Conditions: Locations (IP/country/GPS), Device platforms, Sign-in risk, User risk, Client apps

Access Controls (THEN):

  • Grant: Block, or Grant with requirements (MFA, compliant device, Hybrid Join, approved app, authentication strength)
  • Session: Sign-in frequency, persistent browser, app-enforced restrictions, Defender for Cloud Apps proxy

Common Scenarios

| Scenario | Target | Condition | Control |
|---|---|---|---|
| MFA for all admins | Admin roles | Any | Require MFA (exclude break-glass) |
| Block legacy auth | All users | Client apps = "Other clients" | Block |
| Compliant device for sensitive apps | All users | Selected apps | Require device compliance |
| Location-based | All users | Outside named locations | Require MFA or Block |

Named Locations

Defined by: IP ranges (CIDR blocks), Countries, or GPS coordinates (from Authenticator app).

Risk-Based Policies (Requires P2)

| Risk Type | Detects | Response |
|---|---|---|
| Sign-in risk | Anonymous IP, atypical travel, password spray, malicious IP | Low=allow, Med=MFA, High=block |
| User risk | Leaked credentials (dark web), anomalous behavior | Low=allow, Med=password change, High=block |

Continuous Access Evaluation (CAE)

Traditional tokens are valid for ~1 hour regardless of account state changes. CAE enables near-real-time revocation on critical events: user disabled, password change, MFA change, location policy violation. Reduces token theft window from ~1 hour to minutes.

Policy Evaluation Rules

  • All matching policies are evaluated and combined.
  • If any policy blocks, access is blocked (block wins).
  • All grant requirements from all matching policies must be satisfied.
  • Exclusions override includes.
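The four evaluation rules above, written out as a small policy-combination evaluator. This is an added illustration, not code from any of the sources; the four policies mirror the Common Scenarios table, and every user, group, app, location and control name is constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sign-in context: all names, groups and locations are made up.
@dataclass
class SignIn:
    user: str
    groups: Set[str]
    roles: Set[str]
    app: str
    client_app: str        # "browser", "modern" or "other" (legacy clients)
    location: str          # a named location, or "unknown"
    satisfied: Set[str]    # grant controls already met in this session, e.g. {"mfa"}

@dataclass
class Policy:
    name: str
    include: Set[str]                                # users, groups, roles, or "All"
    exclude: Set[str] = field(default_factory=set)
    apps: Set[str] = field(default_factory=lambda: {"All"})
    client_apps: Optional[Set[str]] = None           # None = any client app
    trusted_locations: Optional[Set[str]] = None     # policy applies only OUTSIDE these
    grant: Set[str] = field(default_factory=set)     # {"block"} or required controls

def applies(p: Policy, s: SignIn) -> bool:
    """Does the policy's IF part (assignments + conditions) match this sign-in?"""
    identities = {s.user, "All"} | s.groups | s.roles
    if identities & p.exclude:                       # exclusions override includes
        return False
    if not identities & p.include:
        return False
    if "All" not in p.apps and s.app not in p.apps:
        return False
    if p.client_apps is not None and s.client_app not in p.client_apps:
        return False
    if p.trusted_locations is not None and s.location in p.trusted_locations:
        return False
    return True

def evaluate(policies, s: SignIn):
    """Combine every matching policy: any block wins; otherwise every grant control must be met."""
    matched = [p for p in policies if applies(p, s)]
    required = set().union(*(p.grant for p in matched)) if matched else set()
    if "block" in required:
        return "BLOCKED", sorted(p.name for p in matched if "block" in p.grant)
    missing = required - s.satisfied
    return ("GRANTED" if not missing else "CHALLENGE"), sorted(missing)

BREAK_GLASS = {"breakglass@contoso.com"}   # constructed emergency account, excluded from every policy

POLICIES = [
    Policy("MFA for all admins", include={"Global Administrator"}, exclude=BREAK_GLASS, grant={"mfa"}),
    Policy("Block legacy auth", include={"All"}, exclude=BREAK_GLASS,
           client_apps={"other"}, grant={"block"}),
    Policy("Compliant device for sensitive apps", include={"All"}, exclude=BREAK_GLASS,
           apps={"Azure Portal"}, grant={"compliantDevice"}),
    Policy("MFA outside HQ", include={"All"}, exclude=BREAK_GLASS,
           trusted_locations={"HQ"}, grant={"mfa"}),
]

if __name__ == "__main__":
    admin = SignIn("alice@contoso.com", set(), {"Global Administrator"},
                   "Azure Portal", "browser", "HQ", set())
    print(evaluate(POLICIES, admin))   # ('CHALLENGE', ['compliantDevice', 'mfa'])
```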

Security Defaults vs Conditional Access

| Feature | Security Defaults | Conditional Access |
|---|---|---|
| License | Free | P1 required |
| Granularity | All-or-nothing | Fine-grained |
| What it does | MFA for all, block legacy auth | Custom policies |
| When to use | No P1 license available | Always prefer if you have P1 |

5. Manage Access to Azure Resources -- RBAC

The RBAC Formula

WHO (Security Principal) + WHAT (Role Definition) + WHERE (Scope) = Role Assignment

Security Principals: User, Group, Service Principal, Managed Identity. Best practice: Assign roles to Groups, not individual users.

The Three Core Roles

| Role | Can Do | Use Case |
|---|---|---|
| Reader | View only | Auditors, reporting |
| Contributor | Read + Write + Delete | Developers, operators |
| Owner | Everything + assign roles to others | Admins |

Plus User Access Administrator -- can manage access only (no resource operations).

Exam Trap: Two Separate Role Systems

| Entra ID Roles | Azure RBAC Roles |
|---|---|
| Manage the directory (users, groups, licenses) | Manage Azure resources (VMs, Storage, Networks) |
| ~90 built-in roles | Hundreds of built-in roles |
| Found at: Entra ID > Roles and administrators | Found at: Resource > Access Control (IAM) |

Global Administrator does NOT automatically have Azure resource access. These are separate systems. A Global Admin must explicitly elevate via "Access management for Azure resources" in Entra ID Properties to get User Access Administrator at Root MG.

Scope and Inheritance

Permissions cascade downward, never upward:

```text
Management Group
  └── Subscription
       └── Resource Group
            └── Resource
```

  • Owner at subscription = Owner of everything below.
  • Inherited permissions cannot be blocked or removed at a lower scope.
  • Multiple roles are additive (union of all permissions). You cannot subtract permissions.
  • RBAC has no deny capability (Azure Policy does).
  • Limit: 4,000 role assignments per subscription.

Control Plane vs Data Plane

Exam Trap

Resource permissions are NOT data permissions.

| Type | Example Role | What It Does |
|---|---|---|
| Control plane | Storage Account Contributor | Create/delete/configure the storage account |
| Data plane | Storage Blob Data Contributor | Read/write/delete blobs inside the account |

Being Owner of a storage account does not let you read blobs. You need a separate data role. Data plane roles typically have "Data" in the name.

Custom Roles

Structure: Actions, NotActions, DataActions, NotDataActions, AssignableScopes.

WARNING

NotActions is NOT a deny -- it simply excludes from a wildcard. If another role grants the permission, the user still has it.

  • Limit: 5,000 custom roles per tenant.
  • Custom Entra ID roles require P1/P2. Custom Azure RBAC roles work on any tier.
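The scope-inheritance, additive-permission, control-vs-data-plane and NotActions rules from the three sections above, as one small RBAC evaluator. This is an added example, not code from the sources or from Azure; the role definitions are a constructed subset (the custom "Storage Operator" role, the principals and the subscription id are made up), and `*` wildcard matching is done with Python's fnmatch rather than Azure's own matcher.

```python
from fnmatch import fnmatchcase

# Constructed role definitions: a trimmed-down sketch of Owner/Reader/a data role plus a
# custom role, not Azure's real JSON.  NotActions carves out of this role's wildcard only.
ROLES = {
    "Owner":  {"Actions": ["*"],      "NotActions": [], "DataActions": [], "NotDataActions": []},
    "Reader": {"Actions": ["*/read"], "NotActions": [], "DataActions": [], "NotDataActions": []},
    "Storage Blob Data Contributor": {
        "Actions": [], "NotActions": [],
        "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
        "NotDataActions": [],
    },
    "Storage Operator (custom)": {          # hypothetical custom role
        "Actions": ["Microsoft.Storage/*"],
        "NotActions": ["Microsoft.Storage/storageAccounts/delete"],
        "DataActions": [], "NotDataActions": [],
    },
}

def scope_applies(assignment_scope: str, target_scope: str) -> bool:
    """Permissions cascade downward only: an assignment covers its scope and all children."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def role_grants(role: dict, operation: str, data_plane: bool) -> bool:
    """Control-plane ops are checked against Actions only, data-plane ops against DataActions only."""
    allow_key, not_key = ("DataActions", "NotDataActions") if data_plane else ("Actions", "NotActions")
    allowed = any(fnmatchcase(operation, p) for p in role[allow_key])
    excluded = any(fnmatchcase(operation, p) for p in role[not_key])   # exclusion, not a deny
    return allowed and not excluded

def is_permitted(assignments, principal, operation, scope, data_plane=False) -> bool:
    """Union over every assignment that reaches the scope: additive, never subtractive."""
    return any(
        role_grants(ROLES[a["role"]], operation, data_plane)
        for a in assignments
        if a["principal"] == principal and scope_applies(a["scope"], scope)
    )

# Constructed hierarchy and assignments.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-prod"
SA = RG + "/providers/Microsoft.Storage/storageAccounts/stprod"
ASSIGNMENTS = [
    {"principal": "alice", "role": "Owner", "scope": SUB},
    {"principal": "bob",   "role": "Storage Operator (custom)", "scope": RG},
    {"principal": "bob",   "role": "Reader", "scope": SUB},
    {"principal": "carol", "role": "Storage Blob Data Contributor", "scope": SA},
]
DELETE_SA = "Microsoft.Storage/storageAccounts/delete"
READ_BLOB = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"

if __name__ == "__main__":
    # Owner inherited from the subscription can delete the account but cannot read blob data.
    print(is_permitted(ASSIGNMENTS, "alice", DELETE_SA, SA))                    # True
    print(is_permitted(ASSIGNMENTS, "alice", READ_BLOB, SA, data_plane=True))   # False
```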

ABAC (Attribute-Based Access Control)

Adds conditions to role assignments for fine-grained data access. Uses attributes on both the user (custom security attributes in Entra ID) and the resource (e.g., blob index tags).

Example: User with PrimaryProject=Alpha can only access blobs tagged Project=Alpha.

Current limitations: only works with blob and queue data roles on Storage Accounts; must use Entra auth (not access keys).


6. Authorization -- PIM & Access Reviews

Privileged Identity Management (PIM)

Requires Entra ID P2

Just-in-time privileged access with auditing and approval workflows.

| Term | Meaning |
|---|---|
| Eligible | User CAN activate the role (but doesn't have it yet) |
| Active | User HAS the role right now |
| Activate | Transition from eligible to active |

Settings per role:

  • Activation duration: 30 min - 24 hours
  • Require justification
  • Require approval (with approver list)
  • Require MFA or Conditional Access
  • Email notifications on activation

Best practices: Make most assignments eligible (not permanent), set short activation windows, require justification, enable notifications. PIM works for both Entra ID roles and Azure RBAC roles.

Emergency Access (Break-Glass Accounts)

  • Cloud-only accounts excluded from all Conditional Access.
  • MFA via hardware FIDO2 key stored in a safe.
  • Very long password stored securely.
  • Alert on any use. Never used for daily work. Tested quarterly.

Access Reviews

Automated review of group membership, app assignments, Entra roles, Azure roles.

  • Reviewer types: Manager, Self, Specific users, Group owners.
  • Auto-actions: Remove access if reviewer doesn't respond, apply results automatically.
  • Recurrence: one-time, weekly, monthly, quarterly.

7. Manage Azure Subscriptions & Governance

The Azure Hierarchy

```text
Entra ID Tenant
  └── Root Management Group (one per tenant, cannot be deleted)
       └── Management Groups (up to 6 levels deep, 10,000 per tenant)
            └── Subscriptions
                 └── Resource Groups (up to 980 per subscription)
                      └── Resources
```

Governance Inheritance Rules

| Governance Type | Flows Direction | Applied At |
|---|---|---|
| RBAC | Down | MG, Sub, RG, Resource |
| Policy | Down | MG, Sub, RG |
| Locks | Down | Sub, RG, Resource |
| Budgets | Aggregate Up | MG, Sub, RG |
| Tags | Do NOT inherit | Sub, RG, Resource |

Management Groups

  • Root MG: one per tenant, cannot be deleted or moved, display name CAN be changed.
  • Max depth: 6 levels below root.
  • Limit: 10,000 management groups per tenant.
  • Use cases: apply policies across multiple subscriptions, organize by department/environment/geography.

Subscriptions

| Fact | Detail |
|---|---|
| Trust | Exactly ONE Entra tenant |
| Moving to another tenant | Possible but loses all RBAC and managed identities |
| RG limit | 980 per subscription |
| Role assignment limit | 4,000 per subscription |
| Types | Free Trial, Pay-as-you-go, Enterprise Agreement, Dev/Test, Sponsorship |

Resource Groups

| Fact | Detail |
|---|---|
| Nesting | Not allowed -- flat within a subscription |
| Location | Has a region (metadata only); resources inside can be in any region |
| Lifecycle | Group things that get created/deleted together |
| Renaming | Cannot rename -- create new RG and move resources |
| Cross-RG communication | Resources CAN communicate across RGs (not a network boundary) |

8. Azure Policy

Policy vs RBAC

| Aspect | RBAC | Policy |
|---|---|---|
| Controls | WHO can do actions | HOW resources must be configured |
| Default stance | Deny all (must grant) | Allow all (must restrict) |
| Can deny? | No | Yes |
| Applied to | Users / apps | Resources |

Policy Effects

Evaluation order: Disabled -> Append -> Modify -> Deny -> Audit -> DINE/AINE.

| Effect | Behavior |
|---|---|
| Deny | Block non-compliant creation/update |
| Audit | Allow but flag as non-compliant |
| Modify | Change properties during create/update |
| DeployIfNotExists (DINE) | Auto-deploy missing related resource |
| AuditIfNotExists (AINE) | Audit if related resource is missing |
| Append | Add properties (deprecated -- use Modify) |
| Disabled | Policy exists but does not run |

Common Built-in Policies

  • Allowed locations (restrict regions)
  • Allowed VM SKUs (restrict sizes)
  • Require tags on resources
  • Inherit tags from resource group
  • Require HTTPS on storage accounts

Initiatives (Policy Sets)

Bundle multiple policies together. Built-in examples: Azure Security Benchmark, CIS Benchmark, ISO 27001, NIST SP 800-53.

Policy Evaluation Timing

  • Immediate on resource create/update.
  • Within 30 minutes on new policy assignment.
  • Full cycle every 24 hours.
  • Manual on-demand trigger available.

Remediation Tasks

For Modify and DINE policies, existing non-compliant resources need a remediation task. These policies require a managed identity with appropriate permissions.

Policy Exemptions

Two types:

  • Waiver -- permanent exception.
  • Mitigated -- compliance achieved through another mechanism.

Both can have expiry dates.


9. Resource Locks

Prevent accidental deletion or modification.

| Lock Type | Can Modify? | Can Delete? |
|---|---|---|
| ReadOnly | No | No |
| CanNotDelete | Yes | No |

Critical Distinction

Locks are control plane only. They do NOT stop data plane operations. A locked storage account still allows blob uploads/deletions inside it.

  • Locks can be applied at subscription, resource group, or resource level.
  • Locks inherit downward and are cumulative.
  • Only Owner at the scope can remove a lock.
  • Some services auto-create locks (Azure Backup, Site Recovery).

10. Resource Tags

Key-value pairs for metadata, filtering, billing, and automation.

| Fact | Detail |
|---|---|
| Max tags per resource | 50 (some resources: 15) |
| Tag name max length | 512 characters |
| Tag value max length | 256 characters |
| Inheritance | None by default -- use Policy to enforce |
| Applied to | Subscriptions, Resource Groups, Resources (NOT Management Groups) |

Recommended minimum tags: Environment, Owner, CostCenter, Application, BusinessUnit, Criticality.

Tags + Cost Management: Filter cost reports by tag (e.g., show only production costs).

Tags + Policy: Enforce with built-in policies:

  • "Require a tag on resources" (Deny effect)
  • "Inherit a tag from resource group" (Modify effect)
  • "Add or replace tag on resources" (Modify effect)

11. Cost Management

Cost Analysis

Views: accumulated costs, daily costs, cost by resource/service/tag. Group by: resource group, resource type, location, tag, subscription.

Exam Tip

Different Azure regions have different prices. Japan and Brazil typically cost more than US East.

Budgets

WARNING

Budgets are alerts, not hard limits. They do NOT stop spending.

Two alert types:

  • Actual -- triggers when you have spent X% of the budget.
  • Forecasted -- triggers when you are projected to exceed the budget.

Alerts can trigger Action Groups: email, SMS, webhook, Azure Function, Logic App.

Azure Advisor -- Cost Recommendations

Free built-in recommendations across five pillars: Reliability, Security, Performance, Cost, Operational Excellence.

Cost suggestions: right-size VMs, shutdown idle resources, use reservations, delete unused resources.

Cost Savings Options

| Option | Savings | Flexibility | Best For |
|---|---|---|---|
| Reservations | 30-72% | Locked to SKU + region | Predictable steady-state |
| Savings Plan | 15-65% | Any compute, any region | Variable compute usage |
| Hybrid Benefit | Up to 40-55% | Existing licenses | Organizations with SA |
| Spot VMs | Up to 90% | Can be evicted anytime | Batch / fault-tolerant |

12. Identity Objects & Synchronization

Service Principals vs Managed Identities

| Feature | Service Principal | Managed Identity |
|---|---|---|
| Use case | External apps, CI/CD pipelines | Azure-to-Azure resource access |
| Credentials | Secret, Certificate, or Federated | None (Azure manages tokens) |
| Rotation | You manage | Automatic |
| Security ranking | Good | Best |

Managed Identity types:

  • System-Assigned: tied to one resource, deleted when resource is deleted.
  • User-Assigned: independent lifecycle, can be shared across multiple resources.

Federated Credentials (Workload Identity Federation): Exchange tokens from a trusted external IDP (e.g., GitHub Actions OIDC) for an Entra access token. No secrets stored externally.

Synchronization from AD

| Feature | Entra Connect Sync | Cloud Sync |
|---|---|---|
| Architecture | Windows server required | Lightweight agent |
| Multi-forest (disconnected) | No | Yes |
| Pass-through Auth | Yes | No |
| Writeback | Full | Limited |
| Recommendation | Legacy | Use for new deployments |

Topology rules:

  • One tenant to one sync engine.
  • One AD forest can sync to multiple tenants (via multiple sync instances).
  • Multiple forests can sync to one tenant.

Devices

| State | Sign-in Account | Management | Best For |
|---|---|---|---|
| Registered | Personal (MSA) | MDM optional | BYOD |
| Joined | Entra account | Full MDM | Corporate owned |
| Hybrid Joined | AD + Entra | GPO + MDM | Existing AD environment |

13. Exam Quick Reference

Key Limits to Memorize

| Limit | Value |
|---|---|
| Management Groups per tenant | 10,000 |
| MG hierarchy depth | 6 levels below root |
| Resource Groups per subscription | 980 |
| Role assignments per subscription | 4,000 |
| Custom roles per tenant | 5,000 |
| Tags per resource | 50 (some: 15) |
| Tag name max length | 512 chars |
| Tag value max length | 256 chars |
| Directory objects (Free tier) | 500,000 |

Exam Gotchas -- Quick Fire

  1. Contributor cannot assign roles -- only Owner can.
  2. Resource Owner =/= Data Owner -- separate data plane roles needed.
  3. Permissions are additive -- you can only add, never subtract via RBAC.
  4. Tags do NOT inherit -- you need Azure Policy.
  5. Locks are control plane only -- data operations still work.
  6. Subscription move to new tenant loses all RBAC and managed identities.
  7. Dynamic groups cannot have Entra roles assigned to them.
  8. SSPR for admins is always on with 2-factor. Not configurable.
  9. One custom domain = one tenant. Cannot share across tenants.
  10. Budget alerts do NOT stop spending -- they are notifications only.
  11. Policy Deny beats RBAC permissions -- even an Owner can be blocked by Policy.
  12. Global Admin has no Azure resource access by default -- must explicitly elevate.
  13. Security Defaults and Conditional Access are mutually exclusive -- disable defaults to use CA.
  14. NotActions is not a deny -- it just excludes from a wildcard match.
  15. CAE reduces token theft window from ~1 hour to minutes.

Sources: Scott Duffy (Udemy AZ-104), John Savill (AZ-104 Masterclass), Microsoft Learn AZ-104 Study Guide

Released under the MIT License.