| Implement and manage user identities | Tenant configuration, built-in and custom Entra roles, administrative units, users, groups, custom security attributes, licensing, and device join. Then external identities: B2B invitations, cross-tenant access and synchronization, SAML and WS-Fed identity providers. Then hybrid: Entra Connect Sync, Cloud Sync, password hash sync, pass-through authentication, seamless SSO and migrating off AD FS. | 20 to 25% |
| Implement authentication and access management | The biggest domain. Authentication methods including certificate-based auth, Temporary Access Pass, Microsoft Authenticator and passkeys (FIDO2), tenant-wide MFA, SSPR, Windows Hello for Business and Entra password protection. Then Conditional Access end to end: assignments, controls, session management, continuous access evaluation, authentication context and protected actions. Then Entra ID Protection for user, sign-in and workload identity risk, and Global Secure Access with Private Access and Internet Access. | 25 to 30% |
| Plan and implement workload identities | Managed identities versus service principals versus service accounts, and assigning them to Azure resources. Enterprise application integration: settings, roles, consent, Application Proxy for on-premises apps and SaaS integration. App registrations: authentication, API permissions and app roles. Closes with Defender for Cloud Apps: cloud discovery, connected apps, app control policies and OAuth app policies. | 20 to 25% |
| Plan and automate identity governance | Entitlement management with catalogs, access packages and connected organizations. Access reviews from planning to remediation. Privileged access: PIM for Entra roles, Azure resources and groups, the approval process, audit history and break-glass accounts. Ends with monitoring: sign-in, audit and provisioning logs, Log Analytics with KQL, workbooks and Identity Secure Score. | 20 to 25% |