What Entra ID concepts overlap between AZ-104 and AZ-500?
Both AZ-104 and AZ-500 test Entra ID identity fundamentals, conditional access, RBAC, and Privileged Identity Management, but they test them at different depths. AZ-104 expects candidates to configure named locations, basic conditional access policies, MFA registration, and built-in role assignments. AZ-500 expects threat modeling, sign-in risk policies, identity protection, Conditional Access deployment patterns at scale, custom RBAC roles, and PIM workflows including approval chains. Roughly forty percent of AZ-500 identity content is shared with AZ-104; the remaining sixty percent is security-deep.
Microsoft renamed Azure Active Directory to Microsoft Entra ID in 2023, but the protocols, the licensing tiers, and the underlying directory remain the same. Both exams use the new name and reference the legacy "Azure AD" name in older question banks. Candidates who treat Entra ID as a simple cloud directory miss the layered identity architecture that runs underneath every Microsoft cloud service, including Microsoft 365, Dynamics 365, and Azure itself.
This guide separates what AZ-104 expects from what AZ-500 expects, and identifies the concepts that appear on both.
Entra ID Editions and What Each Tests
Entra ID ships in four editions. The exam tests which features belong to which edition because licensing decisions are part of architecture decisions.
| Edition | Key Features | Tested On |
|---|---|---|
| Free | Cloud authentication, basic SSO, self-service password change | AZ-900 baseline only |
| Microsoft 365 Apps | Self-service password reset for cloud users, MFA via Conditional Access for M365 | AZ-104 |
| P1 | Group-based access management, hybrid identity (writeback), Conditional Access, dynamic groups | AZ-104 and AZ-500 |
| P2 | Identity Protection, Privileged Identity Management, access reviews, entitlement management | AZ-500 primarily |
A frequent exam pattern: a scenario describes a feature requirement -- for example, "users must be auto-removed from a security group when their job title changes" -- and asks for the minimum required edition. Dynamic groups need P1; sign-in risk policies need P2. Candidates who always guess P2 over-license in real life and lose exam points.
Tenants, Subscriptions, and the Trust Boundary
Entra ID tenant -- a dedicated, isolated instance of Microsoft Entra ID for an organization. Every Microsoft 365 organization, every Azure subscription, and every Dynamics 365 customer lives inside exactly one tenant.
Subscription -- a billing and isolation boundary inside Azure. A subscription trusts exactly one Entra ID tenant for authentication, but a tenant can authenticate users for many subscriptions.
This relationship is the source of half of the troubleshooting questions on AZ-104. A user cannot see a subscription -- why? Most often because the user is in tenant A but the subscription trusts tenant B. The fix is either to invite the user to tenant B as a guest (B2B collaboration) or to move the subscription to tenant A. AZ-500 deepens this scenario with cross-tenant access policies and external identity governance.
"The tenant is the security boundary that most teams underestimate. Subscriptions, resource groups, and management groups are management constructs. The tenant is where identity actually lives." -- Alex Simons, Corporate VP of Identity Program Management at Microsoft
Identities Entra ID Manages
Entra ID issues tokens for several identity types, and the exam tests when each applies.
Cloud-only user -- created directly in Entra ID, lives only in the cloud. Easiest to manage; appropriate for greenfield deployments.
Synchronized user -- originates in on-premises Active Directory, replicated into Entra ID by Microsoft Entra Connect Sync (formerly Azure AD Connect). The on-premises copy remains authoritative for most attributes.
Guest user -- a user from another tenant or an external email-based identity invited via B2B collaboration. Has restricted default permissions.
Service principal -- a security principal for an application. Maps to an app registration in the tenant.
Managed identity -- a service principal automatically managed by Azure for a resource (virtual machine, function app, App Service). System-assigned managed identities live and die with the resource; user-assigned managed identities are independent.
AZ-104 tests configuration and assignment of these identities. AZ-500 tests their security implications -- how to audit service principal credentials, how to scope managed identity permissions, and how to detect compromised guest accounts. Microsoft's Identity Threat Detection and Response documentation is the canonical reference.
Hybrid Identity Authentication Methods
Hybrid identity decisions are heavily tested on both exams. Three options exist.
Password hash synchronization (PHS): a hash of the on-premises password hash replicates to Entra ID every two minutes. Users authenticate against Entra ID directly. Simplest, most resilient.
Pass-through authentication (PTA): Entra ID forwards the password to an on-premises agent that validates it against the local domain controller. No passwords or hashes leave the on-premises environment. Requires the agent to be reachable.
Federation: Entra ID redirects authentication to an on-premises identity provider, typically Active Directory Federation Services. Most complex, most flexible, often deprecated in favor of PHS.
Microsoft and Alex Weinert, the VP of Identity Security, have publicly recommended PHS for the vast majority of organizations. The exam reflects this preference -- PHS is the right answer unless the scenario explicitly mandates that passwords cannot leave the corporate network.
Conditional Access: The Heart of Both Exams
Conditional Access -- the policy engine that decides whether a sign-in attempt should succeed, fail, or require additional verification, based on signals at the moment of the request.
A Conditional Access policy has three parts.
Assignments: who, what, when -- users and groups, cloud apps, sign-in risk, device platform, location, client app
Access controls: what to require -- block, MFA, compliant device, hybrid joined device, app protection policy, terms of use
Session controls: what to constrain post-grant -- sign-in frequency, persistent browser session, app-enforced restrictions, Conditional Access app control
AZ-104 expects candidates to build basic policies: require MFA for all admins, block sign-ins from outside named locations, require compliant devices for SharePoint. AZ-500 expects the security-grade scenarios: deploy Conditional Access in report-only mode, use the What If tool to test policy impact before enforcement, layer policies for a graduated risk response, and combine sign-in risk with user risk for adaptive authentication.
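The policy model described above, worked as an added example (not Microsoft's code or any real tool): a toy evaluator for the assignments and access-control parts of a policy, showing how layered policies combine and how a report-only policy is recorded but never enforced. The policy set, named locations, user names and IP prefixes are all constructed.

```python
from dataclasses import dataclass, field
# Constructed named locations (IPv4 prefixes); "HQ" is the one the policies trust.
NAMED_LOCATIONS = {"HQ": "203.0.113.", "TorExit": "198.51.100."}

@dataclass
class Policy:                  # one Conditional Access policy, reduced to the essentials
    name: str
    state: str                 # "enabled" | "reportOnly"
    grant: str                 # "block" | "mfa" | "compliantDevice"
    include_roles: set = field(default_factory=set)      # empty = all users
    include_apps: set = field(default_factory=set)       # empty = all cloud apps
    exclude_users: set = field(default_factory=set)      # e.g. break-glass accounts
    exclude_locations: set = field(default_factory=set)  # named locations
    sign_in_risk: set = field(default_factory=set)       # empty = any risk level

def location_of(ip):
    return next((n for n, p in NAMED_LOCATIONS.items() if ip.startswith(p)), None)

def applies(p, s):
    """Assignments: every configured condition must match; exclusions always win."""
    if s["user"] in p.exclude_users or location_of(s["ip"]) in p.exclude_locations:
        return False
    if p.include_roles and not (s["roles"] & p.include_roles):
        return False
    if p.include_apps and s["app"] not in p.include_apps:
        return False
    return not p.sign_in_risk or s["risk"] in p.sign_in_risk

def evaluate(policies, s):
    """Access controls, layered: an enforced block wins; enforced grants are ANDed; report-only is only recorded."""
    out = {"decision": "grant", "controls": set(), "report_only": []}
    for p in policies:
        if not applies(p, s):
            continue
        if p.state == "reportOnly":
            out["report_only"].append(p.name)
        elif p.grant == "block":
            out["decision"] = "block"
        else:
            out["controls"].add(p.grant)
    if out["decision"] == "block":
        out["controls"] = set()    # nothing left to satisfy once blocked
    return out
# Constructed policy set: the three AZ-104 examples above plus one risk-based policy.
POLICIES = [
    Policy("Admins-MFA", "enabled", "mfa", include_roles={"Global Administrator"}, exclude_users={"breakglass@example.test"}),
    Policy("Block-outside-HQ", "enabled", "block", exclude_locations={"HQ"}),
    Policy("SharePoint-compliant-device", "reportOnly", "compliantDevice", include_apps={"SharePoint"}),
    Policy("Risky-sign-in-MFA", "enabled", "mfa", sign_in_risk={"medium", "high"}),
]
```

Feed `evaluate(POLICIES, sign_in)` a dict with `user`, `roles` (a set), `app`, `ip` and `risk`; the `report_only` list is what the sign-in log would show for a policy still in report-only mode.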
Named Locations Versus Trusted Locations
The exam distinguishes the two. A named location is an IP range or country that a policy can reference. A trusted named location additionally feeds Identity Protection: sign-ins from a trusted location are weighted as lower risk, so they do not raise user risk the way sign-ins from unknown networks do. AZ-500 tests this nuance directly.
Privileged Identity Management
PIM is a P2-only feature that converts permanent role assignments into eligible assignments that users activate when needed. AZ-500 dedicates significant coverage to PIM; AZ-104 tests it lightly.
PIM workflow:
1. A user is assigned an eligible role rather than an active one.
2. When the user needs the role, they activate it through the PIM portal.
3. Activation may require justification, MFA, a ticket reference, and approval.
4. The active duration is time-bound (default eight hours, configurable).
5. Activations and approvals are logged in the audit log.
Common AZ-500 scenario: an organization has twenty Global Administrators with permanent assignments. A new policy requires zero standing privilege. The candidate must select PIM with eligible assignments and approval workflows as the answer.
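An added example (not Microsoft's PIM implementation) that models the five-step workflow and the zero-standing-privilege scenario: eligible assignments only, activation gated on MFA, a justification and a separate approver, an active window capped at the role's maximum, and an audit trail of every step. Role settings, user and approver names are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed role settings: what an eligible user must supply to activate, and
# the longest active window the role allows (the text's default is eight hours).
ROLE_SETTINGS = {
    "Global Administrator": {"max_hours": 8, "require_mfa": True,
                             "require_justification": True, "require_approval": True},
    "User Administrator": {"max_hours": 8, "require_mfa": True,
                           "require_justification": True, "require_approval": False},
}
# Eligible (not active) assignments: nobody holds a role permanently.
ELIGIBLE = {"alice@example.test": {"Global Administrator"},
            "bob@example.test": {"User Administrator"}}
AUDIT_LOG = []   # every request, approval and activation lands here

def request_activation(user, role, hours, justification="", mfa_done=False,
                       approved_by=None, now=None):
    """Return the active assignment, or raise with the reason the request was refused."""
    now = now or datetime.now(timezone.utc)
    AUDIT_LOG.append({"at": now, "user": user, "role": role, "event": "requested"})
    if role not in ELIGIBLE.get(user, set()):
        raise PermissionError(f"{user} is not eligible for {role}")
    s = ROLE_SETTINGS[role]
    if s["require_mfa"] and not mfa_done:
        raise PermissionError("MFA required before activation")
    if s["require_justification"] and not justification.strip():
        raise PermissionError("justification required")
    if s["require_approval"]:
        if approved_by in (None, user):   # no self-approval
            raise PermissionError("approval by a different approver required")
        AUDIT_LOG.append({"at": now, "user": approved_by, "role": role, "event": "approved"})
    end = now + timedelta(hours=min(hours, s["max_hours"]))   # time-bound, capped
    AUDIT_LOG.append({"at": now, "user": user, "role": role, "event": "activated", "expires": end})
    return {"user": user, "role": role, "active_from": now, "active_until": end}

def is_active(assignment, at):
    """Zero standing privilege: the role exists only inside the activation window."""
    return assignment["active_from"] <= at < assignment["active_until"]
```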
The Heineken security team's publicly described Entra ID hardening project moved over three hundred privileged users into eligible-only assignments in 2022, with average activation time under three minutes. AZ-500 scenarios mirror this exact migration pattern.
RBAC Versus Entra Roles -- A Critical Distinction
Two role systems coexist in Microsoft Cloud, and the exam tests the boundary between them.
Entra ID roles govern Entra ID itself -- creating users, managing groups, assigning licenses, configuring Conditional Access. Examples: Global Administrator, User Administrator, Authentication Administrator.
Azure RBAC roles govern Azure resources -- virtual machines, storage accounts, networks. Examples: Owner, Contributor, Reader, Virtual Machine Contributor.
A user who is Global Administrator in Entra ID has no Azure RBAC permissions by default. A user who is Owner on an Azure subscription has no Entra ID admin permissions by default. This boundary is the most-missed concept in the content shared between AZ-104 and AZ-500.
The "Access management for Azure resources" toggle on a Global Administrator's profile is the bridge -- enabling it grants the User Access Administrator RBAC role at the root scope, allowing the Global Admin to manage Azure RBAC. The exam tests when to use this toggle (rare, break-glass scenarios) and when not to (routine operations).
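An added example (not Microsoft's code) of the custom Azure RBAC role that the hands-on sequence later asks for, limited to two actions, together with a reviewer check for root-scope and wildcard over-reach and a matcher that applies the Actions/NotActions semantics. The role name and subscription id are constructed placeholders; the operation strings are real Azure operation names.

```python
import fnmatch
import json

# Constructed custom role in the JSON shape `az role definition create` accepts:
# exactly two actions, assignable at one subscription (placeholder id).
CUSTOM_ROLE_JSON = """{
  "Name": "VM Power Operator (constructed)",
  "IsCustom": true,
  "Description": "Start and deallocate virtual machines, nothing else.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/deallocate/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}"""

def load_role(text):
    return json.loads(text)

def review_role(role):
    """Findings a reviewer raises before the role is assigned to anyone."""
    findings = []
    if not role.get("IsCustom"):
        findings.append("IsCustom must be true for a custom role")
    for a in role.get("Actions", []):
        if a == "*" or a.endswith("/*"):
            findings.append(f"wildcard action {a!r} is broader than the stated purpose")
    if "/" in role.get("AssignableScopes", []):
        findings.append("root scope '/' lets this role be assigned tenant-wide")
    if role.get("DataActions"):
        findings.append("DataActions grant data-plane access; confirm that is intended")
    return findings

def permits(role, operation):
    """Azure RBAC semantics: allowed when an Actions pattern matches and no NotActions
    pattern does. NotActions subtracts from Actions; it is not a deny assignment."""
    def match(patterns):   # Azure '*' spans segments and comparison is case-insensitive
        return any(fnmatch.fnmatchcase(operation.lower(), p.lower()) for p in patterns)
    return match(role.get("Actions", [])) and not match(role.get("NotActions", []))
```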
Real-World Patterns the Exam Borrows From
The ASOS retail pattern: ASOS, the UK fashion retailer, runs identity for its e-commerce workforce via Entra ID with hybrid identity through Entra Connect Sync. Their Conditional Access deployment uses persona-based policies -- separate policies for store associates, corporate staff, contractors, and developers, each with different MFA, device, and location requirements. AZ-500 scenarios mirror this persona-based approach.
The Microsoft 365 enterprise pattern: most Fortune 500 organizations now follow a published Microsoft "Zero Trust" baseline that combines Conditional Access, device compliance via Intune, and Identity Protection risk policies. Both AZ-104 and AZ-500 borrow from this baseline directly.
What Each Exam Asks Differently
| Topic | AZ-104 Depth | AZ-500 Depth |
|---|---|---|
| Entra ID editions | Identify minimum edition for a feature | Same plus license cost optimization |
| Conditional Access | Build basic policies | Design layered policies, report-only rollout, What If testing |
| MFA | Configure registration and enforcement | Threat-aware MFA, FIDO2, passwordless deployment |
| Hybrid identity | Choose method (PHS/PTA/Federation) | Same plus fallback design and Identity Protection integration |
| RBAC | Assign built-in roles | Same plus custom roles, root scope, ABAC conditions |
| PIM | Recognize eligible vs active | Design approval workflows, access reviews, just-in-time access |
| Identity Protection | Out of scope | Sign-in risk, user risk, automated remediation |
A candidate who has passed AZ-104 needs roughly forty percent additional study for the AZ-500 identity domain -- not a full restart.
Practice and Hands-On
The single best practice tool is the Entra ID free trial combined with Microsoft Learn sandboxes. The following hands-on sequence aligns with both exams.
1. Create a tenant and add cloud users.
2. Configure security defaults, observe what they enforce, and disable them.
3. Build a Conditional Access policy in report-only mode, sign in from a different network, and inspect the sign-in log.
4. Use the What If tool to evaluate policy impact for a specific user, app, and location.
5. Assign an eligible PIM role, activate it, and review the audit entry.
6. Create a custom RBAC role with a JSON definition limited to two actions, and assign it to a test user.
Microsoft Learn's "Implement and manage identity and access" learning path covers each step with free sandbox labs.
Identity Protection: AZ-500 Deep Territory
Identity Protection is the P2-only feature that detects compromised accounts and at-risk sign-ins. AZ-500 dedicates roughly fifteen percent of identity questions to this feature; AZ-104 mostly skips it.
Identity Protection produces three signals.
Sign-in risk -- the probability that a specific authentication request was not made by the legitimate user. Inputs include atypical travel, anonymous IP, malware-linked IP, unfamiliar sign-in properties, password spray patterns, and leaked credentials.
User risk -- the probability that a user identity has been compromised, accumulated over time. A user with leaked credentials in a public breach combined with several risky sign-ins from foreign IPs reaches high user risk.
Risk detections -- individual events surfaced for investigation. Each detection has a type, a level (low/medium/high), and an associated user.
The exam scenario typically describes an organization that wants to require additional verification for risky sign-ins and a password reset for compromised accounts. The correct answer combines two policies: a sign-in risk policy that requires MFA at medium-and-above risk, and a user risk policy that requires a secure password change at high risk. AZ-500 candidates who select a single policy lose points.
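The two-policy answer above as an added example (not Microsoft's Identity Protection code): a simplified model that derives sign-in risk from the detections on one request and user risk from all of a user's still-open detections, then applies both policies. The detection records and the user are constructed; the detection type names follow the ones Microsoft documents, but the scoring is a simplification.

```python
# Constructed risk detections for one user; each carries the fields the text names
# (type, level, user) plus the sign-in it belongs to, or None for account-level events.
LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}
DETECTIONS = [
    {"user": "dana@example.test", "type": "leakedCredentials", "level": "high", "signin": None},
    {"user": "dana@example.test", "type": "anonymizedIPAddress", "level": "medium", "signin": "s1"},
    {"user": "dana@example.test", "type": "unfamiliarFeatures", "level": "low", "signin": "s2"},
]

def sign_in_risk(detections, signin_id):
    """Sign-in risk: the highest level among detections tied to that single request."""
    levels = [d["level"] for d in detections if d["signin"] == signin_id]
    return max(levels, key=LEVELS.get, default="none")

def user_risk(detections, user, remediated=()):
    """User risk: highest level across the user's detections that are still open.
    Remediation (secure password change, admin dismissal) is modelled by type here."""
    levels = [d["level"] for d in detections
              if d["user"] == user and d["type"] not in remediated]
    return max(levels, key=LEVELS.get, default="none")

def required_controls(sir, ur, sign_in_min="medium", user_min="high"):
    """The two-policy answer: MFA at medium-and-above sign-in risk, secure password
    change at high user risk. Both policies can fire on the same request."""
    controls = set()
    if LEVELS[sir] >= LEVELS[sign_in_min]:
        controls.add("mfa")
    if LEVELS[ur] >= LEVELS[user_min]:
        controls.add("securePasswordChange")
    return controls

def decide(detections, user, signin_id, remediated=()):
    """Evaluate one sign-in for one user under both policies."""
    return required_controls(sign_in_risk(detections, signin_id),
                             user_risk(detections, user, remediated))
```

Sign-in `s2` is the case a single sign-in-risk policy misses: the request itself is low risk, yet the leaked-credential detection already makes the account high risk.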
The Microsoft Defender for Identity team and security researcher John Lambert have published detection patterns that align directly with these signals. For AZ-500 candidates, reading the published patterns before sitting the exam is high-leverage preparation.
Access Reviews and Entitlement Management
P2 also unlocks two governance features tested heavily on AZ-500.
Access reviews schedule recurring approval cycles for group memberships, role assignments, and application access. A reviewer (the user themselves, their manager, or a designated approver) decides whether each assignment should continue. Stale assignments are automatically removed.
Entitlement management packages access requests into catalogs. A user requests access to a catalog containing a group, an application, and a role; an approval workflow grants or denies; the assignment is time-limited and audited. This feature is the AZ-500 answer to scenarios involving partner access, contractor onboarding, and project-based access.
A typical AZ-500 question describes a thousand-user organization with high contractor turnover. The candidate must select access reviews for ongoing membership audits and entitlement management for the request workflow. Candidates who select only PIM miss the point -- PIM governs role activation, not group membership lifecycle.
Common Misconceptions That Cost Points
Several recurring misunderstandings trip up otherwise prepared candidates.
MFA is not Conditional Access: classic per-user MFA exists outside Conditional Access and is being deprecated. The exam expects Conditional Access as the modern enforcement mechanism, with classic MFA shown only as a legacy option to migrate away from.
Security defaults disable Conditional Access: a tenant cannot have both security defaults enabled and Conditional Access policies enabled. The exam tests scenarios where enabling Conditional Access requires first disabling security defaults.
Guest user permissions are restricted by default: a fresh guest user can read directory data only for users they collaborate with, not the full directory. Restricting further requires the External Identities settings, not RBAC.
Hybrid identity does not require federation: PHS and PTA both support hybrid sign-in without federation. Many candidates assume hybrid means federation -- the exam corrects this directly.
The Microsoft Press AZ-500 Exam Ref by Yuri Diogenes and Orin Thomas covers each of these misconceptions explicitly. Both authors are senior PMs on the Microsoft security and identity teams.
See also: /certifications/azure/az-500-azure-security-engineer-hardest-azure-cert-explained, /certifications/azure/az-104-azure-administrator-domains-with-highest-question-density, /certifications/cybersecurity/zero-trust-architecture-fundamentals.
References
- Microsoft Learn. "What is Microsoft Entra ID?" Microsoft Corporation, 2025.
- Microsoft Docs. "Conditional Access policies overview." Microsoft Corporation, 2025.
- Microsoft Docs. "Privileged Identity Management documentation." Microsoft Corporation, 2025.
- Weinert, Alex. "Your Pa$$word doesn't matter." Microsoft Identity Blog, 2019.
- Microsoft Press. Microsoft Certified: Azure Security Engineer Associate Study Guide -- AZ-500 Exam Ref. 2024.
- Simons, Alex. "Microsoft Entra: securing access for a connected world." Microsoft Identity Blog, 2023.
- Microsoft Docs. "Choose the right authentication method for your Microsoft Entra hybrid identity solution." Microsoft Corporation, 2025.
