Domain 2 of 4

Authentication and Access

Domain · 25–30% of the SC-300 exam

Every sign-in is a fresh access decision, and Conditional Access is the gate that makes it

Zero Trust says verify explicitly: trust nothing because of where a request comes from, and re-decide access on every sign-in using whatever signals are available at that moment. In Microsoft Entra ID that decision is a single if-then gate called Conditional Access, and this whole domain is the machinery feeding it. A policy reads "if these signals match (who, what resource, where, what risk), then enforce these controls (block, or grant only with multifactor authentication, MFA, or a compliant device)." The classic trap is treating the older per-user MFA toggle or Security Defaults as the way you require strong authentication today; both predate this gate and are being retired in its favor. Plan from the gate: decide what each sign-in must prove, then arrange the other three subtopics to supply the credentials, the risk signal, and the network reach that gate needs.

The domain unfolds in four steps: credentials, the gate, the risk signal, then the network

Read the four subtopics as one pipeline into that gate. First, Authentication Methods is where you enable and scope the strong credentials a population can register, ranked by phishing resistance (passkeys and Windows Hello for Business at the top, SMS and voice at the bottom), so there is something solid for the gate to demand. Second, Conditional Access is the gate itself: it ANDs its assignments, ANDs the grant controls you select, and lets a Block in any matching policy override every grant. Third, ID Protection adds a sharper input by scoring user risk and sign-in risk, which you consume as a risk condition in a Conditional Access policy rather than through the standalone legacy risk policies (retiring October 1, 2026). Fourth, Global Secure Access extends the same identity-aware gate beyond app sign-in to network traffic itself, tunneling internet, Microsoft 365, and private-app traffic so Conditional Access can apply to it. Each step exists to make the gate's decision stronger or wider.

When two answers both work, choose the more phishing-resistant, signal-aware option

The exam consistently rewards the stronger end of the Zero Trust spectrum. Between two methods that both satisfy MFA, prefer the phishing-resistant one (passkey, Windows Hello for Business, certificate-based authentication) over a phishable one (Authenticator push, SMS). Between enforcing a control statically and enforcing it on a signal, prefer the signal: require MFA on elevated sign-in risk rather than on everyone all the time. And between blocking traffic at the edge generically and routing it through the identity-aware gate, prefer the gate. Two guardrails ride along with this instinct: test a new Conditional Access policy in report-only mode before turning it On, and exclude emergency-access (break-glass) accounts from every policy so one misconfiguration cannot lock out all administrators.

How each subtopic feeds the one access-decision gate

StepRole at the gateSignature controlDrill into
Register the credentialSupplies the strong factors the gate can demandAuthentication methods policy, phishing-resistant tier, Temporary Access PassAuthentication Methods
Make the decisionThe if-then gate that grants, blocks, or adds requirements per sign-inAssignments AND grant controls; Block overrides; report-onlyConditional Access
Sharpen the signalScores user risk and sign-in risk for the gate to act onRisk-based Conditional Access; MFA-registration prerequisiteID Protection
Widen the reachExtends the identity-aware gate to network traffic, not just app sign-inTraffic forwarding profiles; Internet Access and Private AccessGlobal Secure Access

Subtopics in this domain