- Domain 1 is worth 15-20% of the AZ-500 exam, the smallest of four domains but still foundational.
- Focus areas: Microsoft Entra ID, Privileged Identity Management, Conditional Access, and hybrid identity with Entra Connect.
- The exam mixes multiple-choice, case studies, and interactive labs within a 100-minute session.
- Passing requires 700/1000 across all four domains, so weak identity knowledge can sink an otherwise strong score.
Domain 1 Overview: What "Secure Identity and Access" Actually Covers
Domain 1 of the AZ-500 exam, Secure identity and access, accounts for 15-20% of your total score based on the current skills outline dated January 22, 2026. It's the smallest of the four domains - compare it to the 30-35% weight given to Domain 4: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel - but identity is the backbone that the other three domains lean on. You can't secure networking, compute, or monitoring pipelines without first understanding who has access to what, and how that access is granted, reviewed, and revoked.
In practice, this domain tests your hands-on familiarity with Microsoft Entra ID (formerly Azure AD), privileged access controls, authentication mechanisms, and the identity layer that connects on-premises Active Directory to Azure. If you've spent real time administering an Azure tenant - creating users, assigning roles, configuring Conditional Access policies - this domain will feel like an extension of your daily work rather than abstract theory.
Microsoft Entra ID Fundamentals You Must Know Cold
Every Domain 1 study plan should start with Microsoft Entra ID because nearly every other topic in this section builds on it. You need working knowledge of:
- User and group lifecycle management, including dynamic groups and administrative units
- Built-in Entra ID roles versus custom roles, and when each is appropriate
- External identities - B2B collaboration and guest user access governance
- Self-service password reset (SSPR) configuration and password protection policies
- Identity Protection risk policies for sign-in risk and user risk
These aren't checkbox topics - the exam expects you to reason about scenarios. For example, you might be shown a case study describing a company with contractors who need temporary access to specific resource groups, and asked to identify the correct combination of administrative units, custom roles, and access reviews to satisfy least-privilege requirements.
Entra ID Roles vs. Azure RBAC
Candidates frequently confuse Entra ID directory roles (which govern the identity platform itself - users, groups, licensing) with Azure RBAC roles (which govern access to Azure resources like VMs, storage accounts, and key vaults). The exam tests this distinction directly.
- Entra ID roles: Global Administrator, User Administrator, Security Administrator
- Azure RBAC roles: Owner, Contributor, Reader, and resource-specific roles like Storage Blob Data Contributor
- Know that Azure RBAC assignments happen at management group, subscription, resource group, or resource scope, and that an assignment is inherited by every child scope beneath it
- Know the one bridge between the two planes: a Global Administrator can elevate access to User Access Administrator at the root scope (/), which grants the right to manage role assignments in every subscription of the tenant; treat that elevation as a break-glass action and make sure it is audited
Privileged Identity Management, RBAC, and Access Reviews
Privileged Identity Management (PIM) is one of the highest-yield topics in Domain 1. Expect scenario questions that require you to configure just-in-time (JIT) role activation, set approval workflows, and define maximum activation duration for eligible role assignments. You should understand:
- The difference between eligible and active role assignments in PIM
- How to require multi-factor authentication or justification before role activation
- Configuring PIM for both Entra ID roles and Azure resource roles
- Setting up recurring access reviews for privileged roles and guest accounts
- Alert configuration for suspicious PIM activity
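The activation rules above are easier to reason about when you can see them run. The following is an added example, not code from the page, from Microsoft, or from any PIM API: a small state machine that reproduces only the gates the list names (eligibility, MFA, justification, approval, maximum activation duration) and answers the one question that matters, "does this principal hold this role right now?". The users, role names and timestamps are constructed.

```python
"""Eligible versus active PIM assignments, modelled as a small state machine.

Added example, not code from the page, Microsoft, or any PIM API: it only
reproduces the activation rules the section names (JIT activation, MFA and
justification gates, approval, maximum duration) so you can see how an
eligible assignment turns into time-bound access. Users and roles are
constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class RoleSettings:
    """Per-role PIM activation settings (what the 'Role settings' blade holds)."""
    max_activation: timedelta = timedelta(hours=8)
    require_mfa: bool = True
    require_justification: bool = True
    require_approval: bool = False


@dataclass
class Activation:
    user: str
    role: str
    start: datetime
    end: datetime
    approved: bool


class Pim:
    def __init__(self):
        self.settings = {}        # role -> RoleSettings
        self.eligible = set()     # (user, role): may be activated, grants nothing by itself
        self.permanent = set()    # (user, role): standing access, what PIM is meant to replace
        self.activations = []

    def activate(self, user, role, now, duration, mfa_done, justification=""):
        """Request JIT activation; every gate is checked before any access exists."""
        if (user, role) not in self.eligible:
            raise PermissionError(f"{user} is not eligible for {role}")
        s = self.settings[role]
        if s.require_mfa and not mfa_done:
            raise PermissionError("MFA required before activation")
        if s.require_justification and not justification.strip():
            raise PermissionError("justification required")
        if duration > s.max_activation:
            raise ValueError(f"duration exceeds the maximum of {s.max_activation}")
        act = Activation(user, role, now, now + duration, approved=not s.require_approval)
        self.activations.append(act)
        return act

    def approve(self, activation):
        activation.approved = True

    def has_role(self, user, role, now):
        """Effective access at `now`: a standing assignment, or an approved
        activation whose window contains `now`."""
        if (user, role) in self.permanent:
            return True
        return any(a.user == user and a.role == role and a.approved
                   and a.start <= now < a.end for a in self.activations)


def demo():
    """Walk one activation through its lifecycle and return the observed states."""
    pim = Pim()
    pim.settings["Global Administrator"] = RoleSettings(require_approval=True)
    pim.eligible.add(("alice", "Global Administrator"))
    pim.permanent.add(("legacy-svc", "Global Administrator"))  # standing admin, constructed
    t0 = datetime(2026, 1, 22, 9, 0, tzinfo=timezone.utc)

    act = pim.activate("alice", "Global Administrator", t0, timedelta(hours=2),
                       mfa_done=True, justification="INC-1234 tenant lockout")
    states = {"before_approval": pim.has_role("alice", "Global Administrator", t0)}
    pim.approve(act)
    states["after_approval"] = pim.has_role("alice", "Global Administrator", t0 + timedelta(minutes=5))
    states["after_expiry"] = pim.has_role("alice", "Global Administrator", t0 + timedelta(hours=2))
    states["standing"] = pim.has_role("legacy-svc", "Global Administrator", t0 + timedelta(days=30))
    return states


if __name__ == "__main__":
    print(demo())
```

The `legacy-svc` entry is there to make the contrast explicit: a permanent assignment answers `True` at any time, which is exactly the standing privilege that a PIM-based design is supposed to remove.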
Layered on top of PIM is standard Azure RBAC design: assigning the least-privileged built-in role, writing custom role definitions with precise Actions, NotActions, DataActions and NotDataActions, and understanding how role assignments are inherited down the resource hierarchy. Two details matter here: NotActions only carve exceptions out of the same role definition's Actions and never deny an operation that a different assignment grants (only a deny assignment does that), and a role assigned at subscription scope reaches every resource group and resource beneath it. Expect at least one question that asks you to troubleshoot why a user has more (or less) access than intended by tracing inherited assignments and group memberships across scopes.
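The trace that troubleshooting question asks for can be written down as a few functions. What follows is an added example, not code from the page or from Azure: a simplified resolver that walks a scope up to its management group, expands nested group membership, and applies Actions/NotActions the way a single role definition does. It ignores DataActions and deny assignments, and every scope, GUID, group and the custom role are constructed; the Contributor NotActions list is abridged to the Microsoft.Authorization entries.

```python
"""Trace effective Azure RBAC permissions down the scope hierarchy.

Added example, not code from the page or from Azure: a simplified model of
how role assignments at management group / subscription / resource group /
resource scope are inherited, how nested group membership pulls assignments
in, and how Actions and NotActions in one role definition combine. It
ignores DataActions and deny assignments. All scopes, GUIDs, groups and the
custom role are constructed."""
from fnmatch import fnmatchcase

# Constructed scopes (not a real tenant).
MG = "/providers/Microsoft.Management/managementGroups/mg-corp"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web"

# A subscription's scope string does not name its management group, so the
# link is modelled explicitly.
SUBSCRIPTION_PARENT = {SUB: MG}

ROLE_DEFINITIONS = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {  # NotActions abridged: Contributor can do anything except manage access
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "VM Operator (custom)": {  # constructed custom role: run VMs, never create or delete them
        "actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/restart/action",
        ],
        "notActions": [],
    },
}

GROUP_MEMBERS = {
    "grp-ops": {"alice"},
    "grp-engineering": {"grp-ops", "carol"},   # nested: alice is a transitive member
}

ASSIGNMENTS = [  # (principal, role, scope)
    ("grp-ops", "VM Operator (custom)", RG),
    ("grp-engineering", "Reader", SUB),
    ("bob", "Contributor", MG),
]


def principals_for(user):
    """Expand a user into itself plus every group that transitively contains it."""
    found = {user}
    changed = True
    while changed:
        changed = False
        for group, members in GROUP_MEMBERS.items():
            if group not in found and members & found:
                found.add(group)
                changed = True
    return found


def ancestors(scope):
    """The scope itself, then each parent up to the management group."""
    chain = [scope]
    if "/providers/" in scope and not scope.startswith("/providers/Microsoft.Management/"):
        chain.append(scope.split("/providers/", 1)[0])          # resource -> resource group
    if "/resourceGroups/" in chain[-1]:
        chain.append(chain[-1].split("/resourceGroups/", 1)[0])  # resource group -> subscription
    if chain[-1] in SUBSCRIPTION_PARENT:
        chain.append(SUBSCRIPTION_PARENT[chain[-1]])             # subscription -> management group
    return chain


def _matches(pattern, operation):
    # Azure operation matching is case-insensitive and '*' spans '/' segments.
    return fnmatchcase(operation.lower(), pattern.lower())


def role_permits(role_name, operation):
    """One role grants an operation if it matches Actions and no NotActions.
    NotActions subtract inside this role only; they never deny an operation
    that another assignment grants (that is what deny assignments are for)."""
    role = ROLE_DEFINITIONS[role_name]
    return (any(_matches(p, operation) for p in role["actions"])
            and not any(_matches(p, operation) for p in role["notActions"]))


def applicable_assignments(user, scope):
    """Assignments whose principal includes the user and whose scope is at or above `scope`."""
    ids, chain = principals_for(user), ancestors(scope)
    return [(p, r, s) for (p, r, s) in ASSIGNMENTS if p in ids and s in chain]


def explain(user, operation, scope):
    """The assignments that grant `operation` at `scope`: the trace you want
    when someone has more, or less, access than intended."""
    return [a for a in applicable_assignments(user, scope) if role_permits(a[1], operation)]


def is_allowed(user, operation, scope):
    return bool(explain(user, operation, scope))


if __name__ == "__main__":
    for user, op, scope in [("alice", "Microsoft.Compute/virtualMachines/start/action", VM),
                            ("bob", "Microsoft.Authorization/roleAssignments/write", RG)]:
        print(user, op, "->", explain(user, op, scope) or "DENIED")
```

Run it and the two outcomes that catch people show up directly: alice can start `vm-web` only because of a nested group assignment two scopes up, and bob, despite Contributor at the management group, gets nothing for `roleAssignments/write` because that operation is carved out by the role's own NotActions.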
Key Takeaway
Build a test tenant and actually configure PIM end-to-end - eligible assignments, activation settings, approval chains - rather than just reading about it. This is a heavily scenario-tested feature.
Conditional Access and Authentication Methods
Conditional Access policies are the enforcement layer of Entra ID security, and this exam will test your ability to design policies that balance security with usability. Core skills include:
- Building Conditional Access policies based on user, location, device state, and application
- Requiring compliant or hybrid-joined devices as access conditions
- Configuring session controls, including sign-in frequency and persistent browser sessions
- Deploying and enforcing multi-factor authentication (MFA) through Conditional Access rather than legacy per-user MFA
- Understanding authentication methods policy, including passwordless options like FIDO2 security keys and Microsoft Authenticator
- Blocking legacy authentication protocols (Basic-auth clients such as IMAP, POP3 and SMTP AUTH), which cannot complete MFA and therefore sidestep the grant controls your other policies rely on; the fix is a policy that targets those client app types with a Block grant rather than a Require MFA grant
A common exam pattern presents a partially built policy - perhaps missing a grant control or targeting the wrong assignment - and asks what change achieves a stated security outcome. Read these carefully; the difference between "require MFA" and "require MFA and compliant device" changes the correct answer.
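To make that "require MFA" versus "require MFA and compliant device" difference concrete, here is an added example, not code from the page or from Microsoft: a deliberately simplified evaluator covering only the conditions the list above names (user include/exclude, client app type, trusted locations, device state) and the grant-control combination rules (AND versus OR within a policy, every applicable policy must be satisfied, a Block anywhere wins). The policy names, accounts, group and IP ranges are constructed, and the real engine evaluates far more conditions than this.

```python
"""Simplified Conditional Access evaluation.

Added example, not code from the page or from Microsoft: it models the pieces
the section names (user include/exclude, client app type, trusted locations,
device state, and grant controls combined with AND/OR) and the rule that every
applicable policy must be satisfied while a Block anywhere wins. Policy names,
accounts and IP ranges are constructed; real CA evaluates many more conditions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed named location marked as trusted.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]
BREAK_GLASS = "breakglass@contoso.example"   # constructed emergency-access account

POLICIES = [
    {   # Legacy (Basic-auth) clients cannot do MFA, so they are blocked outright.
        "name": "CA001 Block legacy authentication",
        "users": {"include": ["All"], "exclude": [BREAK_GLASS]},
        "client_app_types": ["exchangeActiveSync", "other"],
        "exclude_trusted_locations": False,
        "grant": {"controls": ["block"], "operator": "OR"},
    },
    {
        "name": "CA002 Require MFA for all users",
        "users": {"include": ["All"], "exclude": [BREAK_GLASS]},
        "client_app_types": ["browser", "mobileAppsAndDesktopClients"],
        "exclude_trusted_locations": False,
        "grant": {"controls": ["mfa"], "operator": "OR"},
    },
    {   # Admins off the corporate network need MFA *and* a compliant device.
        "name": "CA003 Admins: MFA and compliant device outside trusted locations",
        "users": {"include": ["grp-admins"], "exclude": [BREAK_GLASS]},
        "client_app_types": ["browser", "mobileAppsAndDesktopClients"],
        "exclude_trusted_locations": True,
        "grant": {"controls": ["mfa", "compliantDevice"], "operator": "AND"},
    },
]


@dataclass
class SignIn:
    user: str
    client_app_type: str   # browser | mobileAppsAndDesktopClients | exchangeActiveSync | other
    ip: str
    groups: set = field(default_factory=set)
    mfa_satisfied: bool = False
    device_compliant: bool = False
    device_hybrid_joined: bool = False


def from_trusted_location(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def _targets(entry, s):
    return entry == "All" or entry == s.user or entry in s.groups


def policy_applies(policy, s):
    """Assignments and conditions: does this policy cover the sign-in at all?"""
    users = policy["users"]
    if not any(_targets(e, s) for e in users["include"]):
        return False
    if any(_targets(e, s) for e in users["exclude"]):   # exclusions always win
        return False
    if s.client_app_type not in policy["client_app_types"]:
        return False
    if policy["exclude_trusted_locations"] and from_trusted_location(s.ip):
        return False
    return True


def control_satisfied(control, s):
    return {"mfa": s.mfa_satisfied,
            "compliantDevice": s.device_compliant,
            "hybridJoinedDevice": s.device_hybrid_joined}[control]


def evaluate(s, policies=POLICIES):
    """Combine every applicable policy: Block wins; otherwise each policy's
    grant controls must be met (all of them for AND, one of them for OR)."""
    applied, unmet, blocked = [], [], False
    for p in policies:
        if not policy_applies(p, s):
            continue
        applied.append(p["name"])
        grant = p["grant"]
        if "block" in grant["controls"]:
            blocked = True
            continue
        results = [control_satisfied(c, s) for c in grant["controls"]]
        ok = all(results) if grant["operator"] == "AND" else any(results)
        if not ok:
            unmet.extend(c for c, r in zip(grant["controls"], results) if not r)
    if blocked:
        decision = "blocked"
    elif unmet:
        decision = "controls_required"   # the user is prompted for, or fails, these
    else:
        decision = "granted"
    return {"decision": decision, "applied": applied, "unmet": sorted(set(unmet))}


if __name__ == "__main__":
    admin_home = SignIn("alice@contoso.example", "browser", "198.51.100.7",
                        groups={"grp-admins"}, mfa_satisfied=True)
    print(evaluate(admin_home))   # MFA done, but CA003's AND still wants a compliant device
```

Flip CA003's operator to `OR` and the same sign-in is granted on MFA alone, which is the whole difference the exam is probing. Note also that the break-glass account is excluded from every policy on purpose; that is standard practice, and it is why such accounts need their own alerting.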
App Registrations, Managed Identities, and Service Principals
This subtopic trips up candidates who have strong infrastructure experience but limited application identity exposure. You need to distinguish between:
- App registrations and the resulting service principal objects used for delegated or application permissions
- System-assigned managed identities, tied to the lifecycle of a single resource
- User-assigned managed identities, which can be shared across multiple resources
- Granting API permissions and understanding admin consent versus user consent workflows
- Securing app secrets and certificates, and why managed identities are preferred over stored credentials
Expect scenarios where an application needs to access a key vault or storage account without embedding credentials in code - the correct answer is almost always a managed identity paired with an appropriately scoped RBAC role, not a client secret.
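What "without embedding credentials" actually looks like on the wire is worth seeing once. The block below is an added example, not code from the page and not the Azure SDK (whose DefaultAzureCredential and ManagedIdentityCredential wrap the same call): it builds the request a VM sends to the Instance Metadata Service for a managed identity token, shows the single difference between a system-assigned and a user-assigned identity (the client_id parameter), and parses a constructed token response offline so the audience binding is visible. The client ID, tenant ID, object ID, vault name and token bytes are fabricated placeholders.

```python
"""How a managed identity obtains a token with no stored credential.

Added example, not code from the page or from the Azure SDK (which wraps the
same call in DefaultAzureCredential / ManagedIdentityCredential). It builds the
Instance Metadata Service (IMDS) request a VM makes for a token, shows the one
difference between system-assigned and user-assigned identities (client_id),
and parses a CONSTRUCTED token response offline. The client ID, tenant, object
ID and token bytes are fabricated placeholders."""
import base64
import json
import urllib.parse
import urllib.request

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"


def build_token_request(resource, client_id=None):
    """Return (url, headers) for the IMDS token call.

    The request carries no secret: the platform already knows which identity
    is bound to the VM. A user-assigned identity must be named with client_id
    because a VM can have several; a system-assigned identity has exactly one,
    so the parameter is omitted."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params)
    # "Metadata: true" is mandatory; it is what stops a plain SSRF or proxy
    # redirect from fetching a token on the application's behalf.
    return url, {"Metadata": "true"}


def fetch_token(resource, client_id=None, timeout=5):
    """Live call; only works on an Azure host where 169.254.169.254 answers."""
    url, headers = build_token_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read())


def parse_token_response(raw):
    body = json.loads(raw)
    return {
        "access_token": body["access_token"],
        "resource": body["resource"],
        "expires_on": int(body["expires_on"]),
        "client_id": body.get("client_id"),
    }


def jwt_claims(token):
    """Decode the payload WITHOUT verifying the signature; the target service
    (Key Vault here) is the party that must verify it. Use this only to
    inspect aud/oid when debugging a 401/403."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def key_vault_secret_request(vault_name, secret_name, token):
    """Data-plane call authorised by the bearer token. The identity also needs
    a Key Vault RBAC role on the vault (for example Key Vault Secrets User)."""
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version=7.4"
    return url, {"Authorization": f"Bearer {token}"}


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed IMDS response: real shape, fabricated values, unsigned token.
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": ".".join([
        _b64url({"alg": "RS256", "typ": "JWT", "kid": "constructed"}),
        _b64url({"aud": KEY_VAULT_RESOURCE,
                 "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
                 "oid": "22222222-2222-2222-2222-222222222222",
                 "exp": 1769072400}),
        "signature-placeholder",
    ]),
    "expires_on": "1769072400",
    "resource": KEY_VAULT_RESOURCE,
    "token_type": "Bearer",
    "client_id": "33333333-3333-3333-3333-333333333333",
})


if __name__ == "__main__":
    url, headers = build_token_request(KEY_VAULT_RESOURCE)
    print(url, headers)
    tok = parse_token_response(SAMPLE_IMDS_RESPONSE)
    print(jwt_claims(tok["access_token"])["aud"])   # bound to Key Vault, useless against Storage
```

Two things the paragraph cannot show but the code does: the token is audience-bound to the resource you asked for (a Key Vault token will not open a storage account, you request a second one with the storage resource URI), and possession of the token is still not enough, the identity also needs an RBAC role assignment on the vault. That pairing of identity plus scoped role is the answer pattern the exam is looking for.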
Hybrid Identity: Connect, Sync, and Federation
Many organizations running the AZ-500 curriculum still operate hybrid environments, and Microsoft continues to test this reality. You should be comfortable with:
- Microsoft Entra Connect Sync configuration, including filtering and attribute mapping
- Password hash synchronization versus pass-through authentication versus federation
- Seamless single sign-on (SSO) configuration for hybrid users, which pairs with password hash sync or pass-through authentication on domain-joined devices (federated tenants get SSO from the federation server instead)
- Entra Connect Health monitoring and troubleshooting sync errors
- Password writeback and self-service password reset in a hybrid context
Hybrid identity questions tend to be scenario-driven: a company has an on-premises AD forest, wants a minimal infrastructure footprint, and needs SSO. The expected recommendation is password hash synchronization with seamless SSO rather than a federation server, and you should be able to state the trade-off behind the answer choice: federation keeps authentication on-premises, which only a few requirements (such as on-premises smart card or third-party MFA integration) genuinely demand, at the cost of extra servers and an outage dependency, while password hash sync keeps cloud sign-in working even when the on-premises environment is down and is also what enables leaked-credential detection in Identity Protection.
| Domain 1 Topic Area | What to Prioritize |
|---|---|
| Entra ID Fundamentals | Roles, external identities, Identity Protection risk policies |
| PIM & RBAC | JIT activation, approval workflows, custom role definitions, access reviews |
| Conditional Access | Policy design, session controls, MFA enforcement, legacy auth blocking |
| App Identity | Managed identities vs. service principals, consent models |
| Hybrid Identity | Entra Connect sync methods, SSO, password writeback |
How Domain 1 Questions Are Actually Asked
Understanding format matters as much as content. The AZ-500 exam does not publish a fixed scored/unscored split, but candidates should expect somewhere between 40 and 60 total items delivered in 100 minutes, whether taken online proctored or at a Pearson VUE test center. Domain 1 questions typically show up in three formats:
- Standalone multiple-choice - direct questions about a single Entra ID feature or PIM setting
- Case studies - a multi-paragraph scenario describing an organization's identity requirements, followed by several questions that reference the same background information
- Interactive/lab-style tasks - simulated configuration screens where you select settings in something resembling the actual Azure portal
One detail that surprises first-time candidates: the exam interface gives you split-pane access to Microsoft Learn documentation during the test. This won't save you if you don't already understand the concepts - there isn't time to research from scratch under a 100-minute clock - but it's useful for confirming a specific PIM setting name or Conditional Access condition you're second-guessing. If you're unsure how difficult this exam experience feels overall, the complete difficulty guide breaks down what to expect beyond just the domain content.
Scheduling Domain 1 Inside Your Broader Study Plan
Because Domain 1 underpins concepts tested elsewhere, most successful candidates study it early rather than saving it for last. A practical sequencing approach:
Entra ID Core + RBAC
- Set up a free tenant and create users, groups, administrative units
- Practice assigning built-in and custom RBAC roles at different scopes
PIM and Conditional Access
- Configure eligible role assignments and activation approval workflows
- Build layered Conditional Access policies with session controls
App Identity and Hybrid Identity
- Register an app, assign a managed identity, test key vault access
- Review Entra Connect sync options and SSO configuration on paper if no on-prem lab is available
This sequencing matters because Domain 1 concepts reappear when you move into Domain 2: Secure networking (private endpoints and RBAC on network resources) and Domain 3: Secure compute, storage, and databases (managed identities accessing storage and databases). Getting identity solid first makes the later domains click faster instead of forcing you to relearn RBAC scoping mid-way through networking material. For a broader week-by-week framework covering all four domains together, see the full AZ-500 Study Guide 2026.
Once you've worked through the material, run timed practice questions specifically tagged to identity topics on our AZ-500 practice test platform before moving on - isolating Domain 1 in practice mode helps surface gaps that generic full-length exams can blur together.
Frequently Asked Questions
How much of the AZ-500 exam does Domain 1 cover?
Domain 1, Secure identity and access, makes up 15-20% of the exam according to the current skills outline. It's the smallest of the four domains, but its concepts - RBAC, managed identities, Conditional Access - resurface throughout the networking, compute, and monitoring domains.
Do I need hands-on experience to pass Domain 1?
Microsoft recommends practical Azure and hybrid administration experience along with strong familiarity with Microsoft Entra ID as a prerequisite, and the exam's interactive lab-style items reflect that expectation. Reading alone rarely prepares candidates for the scenario and simulation questions in this domain.
What is the difference between Azure RBAC and Privileged Identity Management?
Standard RBAC grants persistent access at a defined scope, while PIM adds time-bound, just-in-time activation with optional approval workflows for both Entra ID roles and Azure resource roles. Expect the exam to test scenarios where PIM is the correct answer specifically because standing privileged access is the security risk being addressed.
Is Domain 1 knowledge relevant to cloud security jobs?
Yes - identity and access management is core to most cloud security roles that hire for this certification. If you're curious what kinds of roles value this skill set, see the AZ-500 Jobs overview and the AZ-500 Salary Guide 2026.
Should I study Domain 1 before the other domains?
Most candidates benefit from studying Domain 1 early since its concepts - RBAC scoping, managed identities, Conditional Access - appear again inside networking, compute, and monitoring scenarios. Studying identity first tends to make the remaining material easier to absorb.