Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.3. Core Security Features and Identity

💡 First Principle: Microsoft Entra ID is the identity backbone of Microsoft 365: every user, every app, every policy evaluation starts with Entra. The security features built on top of it (Conditional Access, SSO, PIM) are tools for answering one question precisely: should this person, on this device, from this context, be allowed to access this resource right now?

Getting identity security right is the highest-leverage thing an M365 admin can do.

Think of Entra ID as the security checkpoint for every M365 resource. Every request ("open this email," "access this SharePoint site," "launch this app") flows through Entra's evaluation: Who are you? What device are you on? What Conditional Access policies apply? What is your sign-in risk and user risk level? The answer determines whether the token is issued, and with which controls.

| Entra ID Capability | What It Solves | When It Matters |
|---|---|---|
| Conditional Access | Context-aware access decisions | Block unmanaged devices, require MFA in risky contexts |
| PIM | Just-in-time privileged access | Reduce standing admin exposure |
| SSO | One login for all connected apps | User convenience + centralized session control |
| Identity Protection | Risk-based sign-in evaluation | Detect leaked credentials, atypical (impossible) travel |

āš ļø Exam Trap: Conditional Access policies evaluate at sign-in time — they don't continuously monitor sessions. A session that passes the CA check at login won't be re-evaluated mid-session unless token lifetime policies are configured. One misconfigured Conditional Access policy can lock out your entire organization. One over-permissioned app registration can expose sensitive data. This section covers the tools and the mental models needed to configure them correctly.

The exam tests this domain heavily. Expect questions about what Conditional Access can evaluate (user, group, application, device state, location, client app, sign-in risk), what PIM does, and the difference between app registrations and enterprise apps. That last one trips people up: an app registration is the application object, the definition of the app in the tenant that owns it; an enterprise app is the service principal, the instance of that app inside a tenant, and it is the object that actually holds granted permissions, sign-in settings, and user assignments. The two share one appId but are separate objects with separate object IDs.
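The following is an added example written for this section, not code from the original page or from Microsoft. It uses the Microsoft Graph PowerShell module to show that an app registration and its enterprise app are two objects sharing one appId, and then lists the permissions the service principal actually holds, which is the check for "over-permissioned" apps. The app display name and the Graph scopes used to connect are assumptions; substitute an app that exists in your tenant.

```powershell
# Added example (not from the original page): app registration vs enterprise app,
# plus a permission audit of the service principal.
# Requires the Microsoft.Graph module and consent to Application.Read.All (assumption).
Connect-MgGraph -Scopes "Application.Read.All"

$appName = "Contoso HR Sync"   # placeholder name (assumption): replace with a real app

# App registration = application object: the definition, owned by this tenant.
$app = Get-MgApplication -Filter "displayName eq '$appName'" | Select-Object -First 1
if (-not $app) { throw "No app registration named '$appName' found" }

# Enterprise app = service principal: the tenant-local instance that holds
# permissions, sign-in settings and user assignments. Same appId, different object.
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"

"Shared appId              : $($app.AppId)"
"App registration object id: $($app.Id)"
"Service principal object id: $($sp.Id)"

# Application permissions (app roles) granted to the service principal.
# These work without any signed-in user, so they are the ones to scrutinise first.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id | ForEach-Object {
    $assignment = $_
    # The resource (for example Microsoft Graph) defines the role; resolve its name.
    $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    $role     = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
    [pscustomobject]@{
        Resource   = $resource.DisplayName   # e.g. Microsoft Graph
        Permission = $role.Value             # e.g. Mail.Read
        Type       = "Application"
    }
} | Format-Table -AutoSize

# Delegated permissions consented for the service principal. ConsentType
# "AllPrincipals" means an admin consented tenant-wide; "Principal" is per user.
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
    Select-Object ConsentType, PrincipalId, Scope |
    Format-Table -AutoSize
```

Run the audit against the service principal, not the registration: permissions granted through admin consent live on the service principal, and a multi-tenant app's registration may not even be in your tenant while its enterprise app is.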

āš ļø Common Misconception: Conditional Access is a lockout tool — it only blocks access. In reality, Conditional Access is a policy engine that can grant access, grant with conditions (require MFA, require compliant device), or block. It enables access as much as it restricts it.

Written by Alvin Varughese, Founder, 15 professional certifications