Microsoft Entra: Your Identity Hub

What is Microsoft Entra?

Conditional Access — smart security gates

Conditional Access (CA) policies are if/then rules that control access based on conditions:

IF (conditions) THEN (controls)

Condition (IF)	What It Checks
User or group	Who is signing in
Cloud app	What they’re trying to access
Location	Where they’re signing in from
Device platform	Windows, iOS, Android, Mac
Device compliance	Is the device Intune-managed and healthy?
Sign-in risk	Is this sign-in behaviour unusual?
User risk	Has this user been flagged for compromise?

Control (THEN)	What Happens
Allow	Let them in
Block	Deny access
Require MFA	Allow after MFA verification
Require compliant device	Allow only from managed devices
Require app protection	Allow only in protected apps

💡 Scenario: Clearfield Council's CA policies

Director Chen creates three conditional access policies:

1. “Require MFA for all users” — IF: any user → THEN: require MFA
2. “Block access from untrusted countries” — IF: sign-in from outside NZ/AU → THEN: block
3. “Require compliant device for sensitive apps” — IF: accessing SharePoint or Exchange → AND device is not Intune-compliant → THEN: block

These policies layer on top of each other. A councillor signing in from New Zealand on a managed device with MFA → all three policies pass → access granted.

Same councillor on a personal phone from overseas → blocked by policy 2 AND policy 3.

Single Sign-On (SSO)

SSO = one sign-in, access to many apps. Users sign in once to Entra ID, then access M365, Salesforce, ServiceNow, and thousands of other apps without re-entering credentials.

Benefits the exam tests:

• 🔒 More secure — fewer passwords to manage, less password fatigue
• ⚡ Better UX — users don’t get frustrated re-authenticating
• 🔑 Centralised control — disable one account, access to ALL apps is revoked
• 📊 Audit trail — all app access flows through Entra, creating a single log

App registrations vs Enterprise apps

Concept	What It Is	Who Creates It
App registration	An identity record for an application in your tenant	Developers (when building custom apps)
Enterprise app	A service principal — the app’s presence in YOUR tenant	Created when you consent to a third-party app or register your own

ℹ️ App registrations — why admins care

When a developer builds a custom app that connects to M365 (e.g., a dashboard that reads SharePoint data), they create an app registration in Entra ID. This registration defines:

• What the app is called
• What permissions it needs (read email, access files, etc.)
• What authentication method it uses

As an admin, you review these registrations because they determine what data apps can access. An app with “read all users’ email” permission is a significant security concern.

Exam tip: Know that app registrations control what third-party and custom apps can do in your tenant. Admins should review permissions and require admin consent for sensitive permissions.

Troubleshooting sign-in issues

The exam tests common troubleshooting scenarios:

Issue	Where to Check	Common Fix
MFA not working	Entra → Users → Authentication methods	Re-register MFA method, check Authenticator setup
Conditional access blocking	Entra → Sign-in logs → CA tab	Use “What If” tool to simulate the policy evaluation
Risky sign-in flagged	Entra → Identity Protection → Risky sign-ins	Review and confirm/dismiss the risk
App consent issues	Entra → Enterprise apps → Permissions	Review and grant admin consent if appropriate

Key tool: The “What If” tool in Entra lets you simulate a sign-in and see which CA policies would apply. This is the #1 troubleshooting tool for access issues — the exam tests it.

🎬 Video walkthrough

Flashcards

Question

What is a Conditional Access policy?

Click or press Enter to reveal answer

Answer

An if/then rule: IF certain conditions are met (user, location, device, risk level) → THEN apply specific controls (allow, block, require MFA, require compliant device). Managed in the Microsoft Entra admin center.

Click to flip back

Question

What is Single Sign-On (SSO) and why is it important?

Click or press Enter to reveal answer

Answer

SSO lets users sign in once (to Entra ID) and access many apps without re-authenticating. Benefits: more secure (fewer passwords), better UX, centralised access control, single audit trail.

Click to flip back

Question

What's the 'What If' tool in Entra used for?

Click or press Enter to reveal answer

Answer

It simulates a sign-in to show which Conditional Access policies would apply. Used for troubleshooting access issues — 'Why can't this user sign in?' → What If shows exactly which policy is blocking them.

Click to flip back

Knowledge Check

Knowledge Check

A Northwave employee reports they can't access Outlook from their personal phone, but it works fine from their work laptop. Maya suspects a Conditional Access policy is the cause. What should she use to confirm?

ACheck the employee's license assignment in the M365 admin centerBReview the sign-in logs and use the 'What If' tool in the Microsoft Entra admin centerCReset the employee's password — it might be expiredDCheck Exchange admin center for mailbox access restrictions

Check Answer

Knowledge Check

Brew & Byte wants all employees to sign in once and automatically access M365, Salesforce, and their project management tool without re-entering credentials. What should Kai set up?

ACreate separate accounts for each applicationBConfigure Single Sign-On (SSO) through Microsoft Entra IDCUse a shared password across all applicationsDSet up a VPN that auto-authenticates to each service

Check Answer

---

Next up: PIM, Audit Logs & Identity Governance — privileged access management, tracking who did what, and maintaining your Identity Secure Score.