Lesson 33 of 60 intermediate

Identity Security: MFA, SSO, IAM

Why identity is the new perimeter

Open interactive version (quiz + challenge)

Real-world analogy

Identity is your passport. MFA is the fingerprint check at the border. SSO is showing the passport once to enter a whole country (not one per city). IAM is the visa policy deciding what you can do where.

What is it?

Identity security is the modern ‘perimeter’ of enterprise IT. Most breaches now begin with a stolen or weak credential, not with firewall penetration. Mastering this lesson is mandatory for every IT role — not just security.

Real-world relevance

An executive clicks a phishing link, enters credentials on a fake page. Password is stolen. Because their account has FIDO2-based MFA plus Conditional Access, the attacker can’t log in — sign-in logs show blocked attempts from abroad. SOC resets credentials, investigates, moves on. No breach.

Key points

Authentication factors — something you know/have/are — Passwords (know), tokens/phones (have), biometrics (are). MFA = two or more categories. SMS-based MFA is weaker than authenticator-app or hardware token (FIDO2).
SSO in plain English — Single sign-on lets one authentication unlock many apps. Behind the scenes: SAML, OIDC, OAuth. Users love it because fewer passwords; admins love it because revoking one account revokes all access.
IAM — not just users — Identity and Access Management covers users, groups, roles, service principals, and permissions across systems. Cloud IAM (AWS/Azure/GCP) is policy-based and hugely powerful — and dangerous when misconfigured.
RBAC and least privilege — Role-Based Access Control groups permissions into roles (HelpDesk, ReadOnly, FinanceUser) and assigns roles to groups/users. Far easier to review than user-by-user permissions.
Conditional Access — Modern identity (Entra ID) can require MFA based on conditions: new device, unusual location, risky sign-in, sensitive app. The right policy blocks most credential-theft attacks without punishing normal users.
Service accounts and managed identities — Apps need identity too. Use managed identities (cloud) or dedicated service accounts, never shared with humans. Rotate secrets. Store in a vault, never in code.
Password hygiene — what still matters — Long passphrases beat short complex ones. Password managers let every site have a unique password. Never reuse. Check haveibeenpwned.com — if your email is there, change anywhere it’s reused.
Phishing-resistant MFA — FIDO2/WebAuthn (hardware keys, passkeys) resists phishing because the browser itself checks the origin. Push/SMS/TOTP can still be phished or prompt-bombed. Aim for FIDO2 on privileged accounts.

Code example

// Entra Conditional Access pattern (high level)

Policy: "Require MFA for All Users"
  Target:  All users (exclude break-glass accounts)
  Apps:    All cloud apps
  Conditions: any sign-in
  Control: Require MFA

Policy: "Block legacy authentication"
  Target:  All users
  Apps:    All
  Conditions: client apps = legacy auth
  Control: Block

Policy: "Require compliant device for email"
  Target:  All users
  Apps:    Office 365 Exchange Online
  Conditions: platforms = iOS, Android, Windows, macOS
  Control: Require device compliance

Policy: "High-risk sign-in -> block or force password change"
  Target:  All users
  Conditions: sign-in risk = High
  Control: Block access + require password change

Break-glass accounts: 2 accounts, strong unique passwords,
hardware MFA, EXCLUDED from all CA policies, stored offline.

Line-by-line walkthrough

1. Conditional Access example block
2. Policy 1 — require MFA all users
3. Target scope
4. Apps scope
5. Conditions
6. Control
7. Blank separator
8. Policy 2 — block legacy auth
9. Target
10. Apps
11. Conditions
12. Control
13. Blank separator
14. Policy 3 — require compliant device for email
15. Scope and platforms
16. Control
17. Blank separator
18. Policy 4 — block high-risk sign-ins
19. Conditions
20. Control
21. Blank separator
22. Break-glass account note

Spot the bug

Company rolls out Conditional Access requiring MFA for ALL accounts, including admins. No break-glass exceptions configured.

Need a hint?

Why is this dangerous?

Show answer

If MFA infrastructure fails (identity provider outage, MFA app offline), nobody can log in — including admins — so recovery is impossible. Always maintain 2 break-glass accounts with strong unique passwords, hardware MFA stored offline, excluded from standard CA policies, tightly monitored for usage.

Explain like I'm 5

Passwords alone are like a lock with a paper key. MFA adds a fingerprint. SSO means one real ID card unlocks every door you’re allowed. IAM decides which doors that is.

Fun fact

Microsoft has reported that enabling MFA blocks over 99% of automated account-compromise attempts. One checkbox, massively disproportionate impact — which is why ‘turn on MFA’ is the single most common senior recommendation to any organization.

Hands-on challenge

Audit your personal accounts: is MFA on every critical one (email, bank, password manager, cloud)? Prefer authenticator app or hardware key over SMS. Note which accounts you upgraded.

More resources

Conditional Access overview (Entra) (Microsoft Learn)
FIDO2 / WebAuthn (FIDO Alliance)
haveibeenpwned (HIBP)

Open interactive version (quiz + challenge) ← Back to course: IT Jobs Bootcamp