SC-300: Azure Active Directory & Identity Management
A learning roadmap created for the STYAVA.dev community. At STYAVA.dev, we build learning experiences that are simple, direct, and beginner-friendly. This guide brings together everything covered across all 4 days of the SC-300 training, explained in plain language, with links to explore more. Each day focuses on one core area of Microsoft Entra ID (Azure AD). Every point below includes a short explanation so learners understand why it matters.
Identity: What It Actually Means
Identity is the digital name tag for users, apps, and devices. Without identity, nothing can log in or access resources.
Authentication: Proving Who You Are
This is the login step: username, password, OTP, biometrics. The system checks whether you are genuine.
Authorization: What You Can Do After Login
Example: you may be allowed to view files but not edit them.
Azure AD = Cloud Identity
Azure AD (now called Microsoft Entra ID) doesn't use:
* Domain controllers
* Group policies
* OUs
* FSMO roles
It is built for cloud apps, SaaS usage, and identity for modern environments.
On-Prem AD DS = Traditional Identity
Uses SYSVOL, NTDS database, LDAP, and domain controllers.
Very different from Azure AD.
Understanding SC-300 Exam Structure
The trainer covered retake rules, question types, and how Microsoft structures its identity certifications.
Setting Up On-Prem AD DS & Understanding Azure AD Tenant
Setting Up a Domain Controller
The trainer created a Windows Server VM, installed AD DS, and promoted it to a DC (apple.com).
Purpose: show what "traditional identity" looks like.
Creating Users (Example: "Eric")
This showed how accounts are stored in the NTDS database with attributes like SID, UPN, etc.
Hierarchy in On-Prem AD
On-prem uses:
* Forests
* Domains
* OUs
* Group Policies
Designed for large, structured networks.
Azure AD Tenant = Auto-Created
When you create an Azure account, your Azure AD tenant appears automatically. You don't install anything or manage domain controllers.
Azure AD Doesn't Support On-Prem Features
No GPO, no OUs, no FSMO roles, because it's built for cloud-first identity.
Role-Based Access Control (RBAC) & Permissions
Azure AD Editions
Free, Microsoft 365, P1, and P2: each adds more capabilities (especially security features in P1/P2).
Two Admin Portals
portal.azure.com: full Azure management
aad.portal.azure.com: identity-focused (Microsoft Entra Admin Center)
What RBAC Does
RBAC controls who can manage which Azure resources.
You give users the right level of access instead of full admin rights.
RBAC Scope Levels
Roles flow downward from the level at which you assign them:
* Management Group
* Subscription
* Resource Group
* Resource
The higher the level, the more access the assignment grants.
Real Demo
Trainer created users (Arjun, Messi) and resource groups (HR, Market, Sales) to show how access inheritance works.
Key Lesson
Assigning access at subscription level impacts everything below it.
This is why STYAVA-style guidance always stresses Least Privilege Access.
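The scope inheritance described above, as an added example (not STYAVA.dev's or Microsoft's code): a small Python model that resolves a user's effective roles by walking up the scope tree and flags assignments made above resource-group level. The scope IDs, the subscription GUID and the assignments are constructed for illustration.

```python
"""Azure RBAC scope inheritance modelled in plain Python (added example).

A role assignment applies at its own scope and at every scope nested below it,
which is why a subscription-level assignment reaches every resource group.
Scope strings follow the Azure resource-ID layout; all IDs are constructed.
"""
from dataclasses import dataclass

# Constructed scope IDs (the subscription GUID is a placeholder).
MG = "/providers/Microsoft.Management/managementGroups/demo-mg"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_HR = f"{SUB}/resourceGroups/HR"
RG_MARKET = f"{SUB}/resourceGroups/Market"
RG_SALES = f"{SUB}/resourceGroups/Sales"
VM_HR = f"{RG_HR}/providers/Microsoft.Compute/virtualMachines/hr-vm01"
# Parent of each scope; assignments are inherited along these links.
PARENT = {SUB: MG, RG_HR: SUB, RG_MARKET: SUB, RG_SALES: SUB, VM_HR: RG_HR}

@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str

def effective_roles(assignments, principal, scope):
    """Roles `principal` holds at `scope`, collected while walking up the tree."""
    roles, current = set(), scope
    while current is not None:
        roles |= {a.role for a in assignments
                  if a.principal == principal and a.scope == current}
        current = PARENT.get(current)  # None once we pass the management group
    return roles

def above_resource_group(assignments):
    """Least-privilege check: assignments scoped above any resource group."""
    return [a for a in assignments if "/resourceGroups/" not in a.scope]

# The trainer's demo users and resource groups, with constructed assignments.
ASSIGNMENTS = [
    Assignment("Arjun", "Reader", SUB),         # inherited by HR, Market, Sales
    Assignment("Messi", "Contributor", RG_HR),  # confined to HR and its resources
]

if __name__ == "__main__":
    for user, scope in [("Arjun", RG_SALES), ("Messi", RG_SALES), ("Messi", VM_HR)]:
        print(user, scope.rsplit("/", 1)[-1], effective_roles(ASSIGNMENTS, user, scope))
    print("Broad:", [(a.principal, a.role) for a in above_resource_group(ASSIGNMENTS)])
```

Run it and note that Arjun's subscription-level Reader role shows up on every resource group and VM, while Messi's Contributor role never leaves HR.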
Hybrid Identity, Azure AD Connect, DNS, MFA & Conditional Access
You Can't Just "Recreate" On-Prem Users in Azure
Because their SID won't match.
A new identity = broken permissions.
Azure AD Connect is the Official Sync Tool
Connects on-prem AD DS with Azure AD.
It syncs:
* Users
* Passwords
* Attributes
* Groups
It does not replicate the full AD DS database.
Supported Auth Methods
Password Hash Sync (PHS): simple + secure
Pass-Through Authentication (PTA): on-prem validation
Federation (AD FS): full control, complex setup
DNS Is Critical for Identity
Clients rely on DNS to locate domain controllers, and authentication flows depend on it.
Azure DNS doesn't act as AD-integrated DNS; it's for cloud resources.
MFA + Conditional Access = Core Cloud Security
Together they protect user accounts from risky logins, unfamiliar locations, compromised devices, and more.