This study guide should help you understand what to expect on the exam and includes a summary of the topics the exam might cover and links to additional resources. The information and materials in this document should help you focus your studies as you prepare for the exam.
As a Microsoft identity and access administrator, you design, implement, and operate an organization’s identity and access management by using Microsoft Entra. You configure and manage identities throughout their lifecycles for users, devices, Microsoft Azure resources, and applications. You are responsible for ensuring the application of Zero Trust principles for identity and access solutions.
As an identity and access administrator, you provide seamless experiences and self-service management capabilities for users. You plan and implement identity, authentication, and authorization to enable access across applications and resources. You’re also responsible for troubleshooting, monitoring, and reporting on identity and access.
You collaborate with many other roles in the organization to drive strategic identity projects, modernize identity solutions, implement hybrid identity solutions, and implement identity governance.
You should be familiar with Azure, Microsoft 365 services and workloads, and Active Directory Domain Services (AD DS). You should also be familiar with PowerShell and Kusto Query Language (KQL).
- Implement and manage user identities (20–25%)
- Implement authentication and access management (25–30%)
- Plan and implement workload identities (20–25%)
- Plan and automate identity governance (20–25%)
- Configure and manage built-in and custom Microsoft Entra roles
- Recommend when to use administrative units
- Configure and manage administrative units
- Evaluate effective permissions for Microsoft Entra roles
- Configure and manage domains in Microsoft Entra ID and Microsoft 365
- Configure Company branding settings
- Configure tenant properties, user settings, group settings, and device settings
- Create, configure, and manage users
- Create, configure, and manage groups
- Manage custom security attributes
- Automate bulk operations by using the Microsoft Entra admin center and PowerShell
- Manage device join and device registration in Microsoft Entra ID
- Assign, modify, and report on licenses
- Manage External collaboration settings in Microsoft Entra ID
- Invite external users, individually or in bulk
- Manage external user accounts in Microsoft Entra ID
- Implement Cross-tenant access settings
- Implement and manage cross-tenant synchronization
- Configure external identity providers, including protocols such as SAML and WS-Fed
- Implement and manage Microsoft Entra Connect Sync
- Implement and manage Microsoft Entra Cloud Sync
- Implement and manage password hash synchronization
- Implement and manage pass-through authentication
- Implement and manage seamless single sign-on (SSO)
- Migrate from AD FS to other authentication and authorization mechanisms
- Implement and manage Microsoft Entra Connect Health
- Plan for authentication
- Implement and manage authentication methods, including certificate-based, temporary access pass, OAUTH tokens, Microsoft Authenticator, and passkey (FIDO2)
- Implement and manage tenant-wide multifactor authentication (MFA) settings
- Configure and deploy self-service password reset (SSPR)
- Implement and manage Windows Hello for Business
- Disable accounts and revoke user sessions
- Implement and manage Microsoft Entra password protection
- Enable Microsoft Entra Kerberos authentication for hybrid identities
- Plan Conditional Access policies
- Implement Conditional Access policy assignments
- Implement Conditional Access policy controls
- Test and troubleshoot Conditional Access policies
- Implement session management
- Implement device-enforced restrictions
- Implement continuous access evaluation
- Configure authentication context
- Implement protected actions
- Create a Conditional Access policy from a template
- Implement and manage user risk by using Identity Protection or Conditional Access policies
- Implement and manage sign-in risk by using Identity Protection or Conditional Access policies
- Implement and manage Multifactor authentication registration policy
- Monitor, investigate and remediate risky users and risky sign-ins
- Monitor, investigate, and remediate risky workload identities
- Deploy Global Secure Access clients
- Deploy and manage Private Access
- Deploy and manage Internet Access
- Deploy and manage Internet Access for Microsoft 365
- Select appropriate identities for applications and Azure workloads, including managed identities, service principals, user accounts, and managed service accounts
- Create managed identities
- Assign a managed identity to an Azure resource
- Use a managed identity assigned to an Azure resource to access other Azure resources
- Plan and implement settings for enterprise applications, including application-level and tenant-level settings
- Assign appropriate Microsoft Entra roles to users to manage enterprise applications
- Design and implement integration for on-premises apps by using Microsoft Entra Application Proxy
- Design and implement integration for software as a service (SaaS) apps
- Assign, classify, and manage users, groups, and app roles for enterprise applications
- Configure and manage user and admin consent
- Create and manage application collections
- Plan for app registrations
- Create app registrations
- Configure app authentication
- Configure API permissions
- Create app roles
- Configure and analyze cloud discovery results by using Defender for Cloud Apps
- Configure connected apps
- Implement application-enforced restrictions
- Configure Conditional Access app control
- Create access and session policies in Defender for Cloud Apps
- Implement and manage policies for OAuth apps
- Manage the Cloud app catalog
- Plan entitlements
- Create and configure catalogs
- Create and configure access packages
- Manage access requests
- Implement and manage terms of use (ToU)
- Manage the lifecycle of external users
- Configure and manage connected organizations
- Plan for access reviews
- Create and configure access reviews
- Monitor access review activity
- Manually respond to access review activity
- Plan and manage Microsoft Entra roles in Microsoft Entra Privileged Identity Management (PIM), including settings and assignments
- Plan and manage Azure resources in PIM, including settings and assignments
- Plan and configure groups managed by PIM
- Manage the PIM request and approval process
- Analyze PIM audit history and reports
- Create and manage break-glass accounts
- Review and analyze sign-in, audit, and provisioning logs by using the Microsoft Entra admin center
- Configure diagnostic settings, including configuring destinations such as Log Analytics workspaces, storage accounts, and event hubs
- Monitor Microsoft Entra ID by using KQL queries in Log Analytics
- Analyze Microsoft Entra ID by using workbooks and reporting
- Monitor and improve the security posture by using Identity Secure Score