1.1.2. Identity as the New Security Perimeter
First Principle: In cloud environments, identity replaces the network as the security perimeter. A user's ability to access M365 resources is determined by who they are (verified identity) and what they're allowed to do (authorization), not where they're connecting from.
In the old model, your firewall defined the boundary: inside the network = trusted, outside = untrusted. That model breaks the moment users work from home, use personal devices, or access cloud services from anywhere. Microsoft 365 doesn't live "inside" your network; it lives in Microsoft's cloud. So the question shifts from "is this person on our network?" to "is this person who they say they are, and do they have permission?"
This is the conceptual foundation of Microsoft Entra ID (formerly Azure Active Directory), the identity and access management system that every M365 service uses to answer those two questions. Every sign-in, every access attempt, every policy evaluation starts here.
Key Point: When you hear "Zero Trust" later in this guide, remember this section. Zero Trust is not a product; it's the logical conclusion of "identity is the perimeter."
Exam Trap: Candidates sometimes confuse Microsoft Entra ID with on-premises Active Directory. They are related but different. Entra ID is a cloud identity service; on-premises AD is a directory service designed for local networks. Organizations often sync the two, but they are not the same thing and have different capabilities.
Reflection Question: If a company moves all its servers to Azure and keeps its on-premises Active Directory, has it completed its identity modernization? Why or why not?