
Commit c018a14

Merge pull request #54056 from ceperezb/CEPEREZB-sc900-describe-identity-concepts
module update
2 parents d706429 + 477145e commit c018a14

16 files changed

Lines changed: 299 additions & 97 deletions

learn-pr/wwl-sci/describe-identity-principles-concepts/1-introduction.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,10 +4,10 @@ title: Introduction
44
metadata:
55
title: Introduction
66
description: "Introduction"
7-
ms.date: 09/23/2024
7+
ms.date: 03/31/2026
88
author: wwlpublish
99
ms.author: ceperezb
1010
ms.topic: unit
11-
durationInMinutes: 1
11+
durationInMinutes: 2
1212
content: |
1313
[!include[](includes/1-introduction.md)]

learn-pr/wwl-sci/describe-identity-principles-concepts/2-define-authentication-authorization.yml

Lines changed: 2 additions & 2 deletions
@@ -4,10 +4,10 @@ title: Define authentication and authorization
44
metadata:
55
title: Define authentication and authorization
66
description: "Define authentication and authorization"
7-
ms.date: 09/23/2024
7+
ms.date: 03/31/2026
88
author: wwlpublish
99
ms.author: ceperezb
1010
ms.topic: unit
11-
durationInMinutes: 2
11+
durationInMinutes: 7
1212
content: |
1313
[!include[](includes/2-define-authentication-authorization.md)]

learn-pr/wwl-sci/describe-identity-principles-concepts/3-define-identity-primary-security-perimeter.yml

Lines changed: 2 additions & 2 deletions
@@ -4,10 +4,10 @@ title: Define identity as the primary security perimeter
44
metadata:
55
title: Define identity as the primary security perimeter
66
description: "Define identity as the primary security perimeter"
7-
ms.date: 09/23/2024
7+
ms.date: 03/31/2026
88
author: wwlpublish
99
ms.author: ceperezb
1010
ms.topic: unit
11-
durationInMinutes: 3
11+
durationInMinutes: 6
1212
content: |
1313
[!include[](includes/3-define-identity-primary-security-perimeter.md)]

learn-pr/wwl-sci/describe-identity-principles-concepts/4-describe-role-identity-provider.yml

Lines changed: 2 additions & 2 deletions
@@ -4,10 +4,10 @@ title: Describe the role of the identity provider
44
metadata:
55
title: Describe the role of the identity provider
66
description: "Describe the role of the identity provider"
7-
ms.date: 09/23/2024
7+
ms.date: 03/31/2026
88
author: wwlpublish
99
ms.author: ceperezb
1010
ms.topic: unit
11-
durationInMinutes: 7
11+
durationInMinutes: 6
1212
content: |
1313
[!include[](includes/4-describe-role-identity-provider.md)]
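Review bot: durationInMinutes for this unit drops from 7 to 6 while every other unit in this PR goes up (1→2, 2→7, 3→6, 2→6, 2→6, 2→3, 1→3); with the commit message only saying "module update", please confirm the decrease for 4-describe-role-identity-provider is intentional and not a value copied from another unit's metadata.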

learn-pr/wwl-sci/describe-identity-principles-concepts/5-describe-concept-of-directory-services-active-directory.yml

Lines changed: 2 additions & 2 deletions
@@ -4,10 +4,10 @@ title: Describe the concept of directory services and Active Directory
44
metadata:
55
title: Describe the concept of directory services and Active Directory
66
description: "Describe the concept of directory services and Active Directory"
7-
ms.date: 09/23/2024
7+
ms.date: 03/31/2026
88
author: wwlpublish
99
ms.author: ceperezb
1010
ms.topic: unit
11-
durationInMinutes: 2
11+
durationInMinutes: 6
1212
content: |
1313
[!include[](includes/5-describe-concept-of-directory-services-active-directory.md)]

learn-pr/wwl-sci/describe-identity-principles-concepts/6-describe-concept-federation.yml

Lines changed: 2 additions & 2 deletions
@@ -4,10 +4,10 @@ title: Describe the concept of federation
44
metadata:
55
title: Describe the concept of federation
66
description: "Describe the concept of federation"
7-
ms.date: 09/23/2024
7+
ms.date: 03/31/2026
88
author: wwlpublish
99
ms.author: ceperezb
1010
ms.topic: unit
11-
durationInMinutes: 2
11+
durationInMinutes: 6
1212
content: |
1313
[!include[](includes/6-describe-concept-federation.md)]

learn-pr/wwl-sci/describe-identity-principles-concepts/7-knowledge-check.yml

Lines changed: 25 additions & 3 deletions
@@ -4,12 +4,12 @@ title: Module assessment
44
metadata:
55
title: Module assessment
66
description: "Knowledge check"
7-
ms.date: 09/23/2024
7+
ms.date: 03/31/2026
88
author: wwlpublish
99
ms.author: ceperezb
1010
ms.topic: unit
1111
module_assessment: true
12-
durationInMinutes: 2
12+
durationInMinutes: 3
1313
content: |
1414
[!include[](includes/7-knowledge-check.md)]
1515
quiz:
@@ -47,4 +47,26 @@ quiz:
4747
explanation: "Incorrect. The process of tracking who does what, where, when, and how is auditing, not authentication."
4848
- content: "Enabling federated services."
4949
isCorrect: false
50-
explanation: "Incorrect. Authentication doesn't enable federated services."
50+
explanation: "Incorrect. Authentication doesn't enable federated services."
51+
- content: "Why is identity described as the new security perimeter?"
52+
choices:
53+
- content: "Because users can only access resources from within the corporate network."
54+
isCorrect: false
55+
explanation: "Incorrect. Users now access resources from many locations outside the corporate network, which is why the network perimeter alone is no longer sufficient."
56+
- content: "Because verifying who or what is requesting access—regardless of network location—has become the primary way organizations control access to resources."
57+
isCorrect: true
58+
explanation: "Correct. As work happens from anywhere on any device, identity verification has replaced the network perimeter as the central security boundary."
59+
- content: "Because firewalls and VPNs have been replaced entirely by biometric authentication."
60+
isCorrect: false
61+
explanation: "Incorrect. While strong authentication is important, the concept of identity as the security perimeter reflects a broader shift in how access decisions are made—not the replacement of all network controls."
62+
- content: "An organization needs to manage identities for employees who use both on-premises applications and cloud-based SaaS services. Which solution is designed to support both scenarios?"
63+
choices:
64+
- content: "Active Directory Domain Services (AD DS)"
65+
isCorrect: false
66+
explanation: "Incorrect. AD DS was designed for on-premises networks and doesn't natively support cloud-based SaaS applications or modern authentication protocols."
67+
- content: "A domain controller (DC)"
68+
isCorrect: false
69+
explanation: "Incorrect. A domain controller is a server that runs AD DS. It doesn't natively support cloud-based SaaS services or modern authentication."
70+
- content: "Microsoft Entra ID"
71+
isCorrect: true
72+
explanation: "Correct. Microsoft Entra ID is a cloud-based identity and access management service that supports both cloud and on-premises scenarios, including hybrid identity configurations where identities are synchronized between AD DS and the cloud."
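Review bot: in the new on-premises/SaaS question the distractor "A domain controller (DC)" is only a restatement of "Active Directory Domain Services (AD DS)" (its own explanation says a DC is the server that runs AD DS), so the learner is effectively choosing between two options rather than three; consider a genuinely different third choice so the item tests the cloud-versus-on-premises distinction the module teaches. Separately, line 50 shows `explanation: "Incorrect. Authentication doesn't enable federated services."` removed and re-added with no visible text change, which looks like a whitespace or line-ending edit; worth confirming it is intended.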

learn-pr/wwl-sci/describe-identity-principles-concepts/8-summary-resources.yml

Lines changed: 2 additions & 2 deletions
@@ -4,10 +4,10 @@ title: Summary and resources
44
metadata:
55
title: Summary and resources
66
description: "Summary and resources"
7-
ms.date: 09/23/2024
7+
ms.date: 03/31/2026
88
author: wwlpublish
99
ms.author: ceperezb
1010
ms.topic: unit
11-
durationInMinutes: 1
11+
durationInMinutes: 3
1212
content: |
1313
[!include[](includes/8-summary-resources.md)]
Lines changed: 7 additions & 5 deletions
@@ -1,10 +1,12 @@
11

2-
Everyone, and every device, has an identity that can be used to access resources. Identity is the way in which people and things are identified on your corporate network, and in the cloud. Being certain about who or what is accessing your organization’s data and other resources is a fundamental part of securing your environment.
2+
Identity is how people, devices, and applications prove who or what they are when accessing digital resources. In a world where work happens from anywhere and data spans cloud and on-premises systems, identity has become the central security control organizations rely on.
33

4-
In this module, you'll learn about the key concepts of authentication and authorization and why identity is important in securing corporate resources. You'll also learn about some identity related services.
4+
This module introduces the foundational identity concepts that underpin the Microsoft security, compliance, and identity portfolio. It starts with authentication and authorization—the processes of proving identity and determining access. From there, it explores why identity has replaced the network perimeter as the primary security boundary, and why this matters for every organization. It covers how identity providers enable modern, centralized authentication and single sign-on, then looks at how directory services—from traditional Active Directory to cloud-based Microsoft Entra ID—store and manage identity information at scale. Finally, it covers how federation extends trust across organizational boundaries so users can access resources in different domains without separate accounts.
55

66
After completing this module, you'll be able to:
77

8-
- Understand the difference between authentication and authorization.
9-
- Describe the concept of identity as a security perimeter.
10-
- Describe identity-related services.
8+
- Define authentication and authorization and explain how they work together to control access.
9+
- Describe identity as the primary security perimeter and explain the four pillars of an identity infrastructure.
10+
- Describe the role of an identity provider and how modern authentication uses tokens and single sign-on.
11+
- Describe directory services, Active Directory Domain Services, and Microsoft Entra ID as its cloud evolution.
12+
- Describe the concept of federation and how trust relationships enable cross-organizational access.
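Review bot: the new objective "explain the four pillars of an identity infrastructure" promises a term that none of the files visible in this diff define; please confirm the unit 3 include (3-define-identity-primary-security-perimeter.md) names and explains the four pillars explicitly, otherwise the introduction sets an expectation the module does not deliver.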

learn-pr/wwl-sci/describe-identity-principles-concepts/includes/2-define-authentication-authorization.md

Lines changed: 73 additions & 14 deletions
@@ -1,23 +1,82 @@
11

2-
### Authentication
3-
Authentication is the process of proving that a person is who they say they are. When someone purchases an item with a credit card, they might be required to show another form of identification. This proves that they are the person whose name appears on the card. In this example, the user might show a driver’s license that serves as a form of authentication and proves their ID.
2+
<!-- markdownlint-disable MD041 -->
3+
Authentication and authorization are two fundamental concepts in identity and access management. Together, they ensure that only the right people—and only what they need—can access organizational resources.
44

5-
When you want to access a computer or device, you encounter a similar type of authentication. You might get asked to enter a username and password. The username states who you are, but by itself isn't enough to grant you access. When combined with the password, which only that user should know, it allows access to your systems. The username and password, together, are a form of authentication. Authentication is sometimes shortened to AuthN.
5+
## Authentication
66

7-
### Authorization
8-
Once you authenticate a user, you need to decide where they can go, and what they're allowed to see and touch. This process is called authorization.
7+
Authentication is the process of proving that you are who you say you are. Every time you sign in to an application, unlock your phone, or access a company system, authentication is happening. The system challenges you to provide proof of your identity, and then verifies that proof before deciding whether to allow access.
98

10-
Suppose you want to spend the night in a hotel. The first thing you do is go to reception to start the "authentication process." After the receptionist has verified who you are, you're given a keycard and can go to your room. Think of the keycard as the authorization process. The keycard lets you open only the doors and elevators you're permitted to access, such as for your hotel room.
9+
Authentication is sometimes shortened to *AuthN*. The goal of authentication is to answer the question: *Who are you?*
1110

12-
In cybersecurity terms, authorization determines the level of access or the permissions an authenticated person has to your data and resources. Authorization is sometimes shortened to AuthZ.
11+
### How authentication works
1312

14-
### Multifactor authentication (MFA) and passwordless
15-
Using a username and password is a common way to authenticate, but passwords are a frequent target for attackers.
13+
Authentication requires *credentials*—evidence that verifies your identity. Common types of credentials include:
1614

17-
**Multifactor authentication (MFA)** strengthens authentication by requiring more than one proof, such as:
15+
- A username and password
16+
- A fingerprint or facial scan (biometrics)
17+
- A one-time code sent to your phone
18+
- A hardware security key
19+
20+
A username alone doesn't prove identity—it can be known or guessed by others. Adding a password (something only the legitimate user should know) gives a system confidence that the right person is signing in. Adding a biometric or physical device raises that confidence further.
21+
22+
Modern authentication systems also evaluate *contextual signals*: where the sign-in request originates, what device is being used, the time of day, and whether behavior matches typical patterns. These signals help systems detect suspicious sign-in attempts even when the correct credentials are presented.
23+
24+
### Passwordless authentication
25+
26+
*Passwordless* authentication removes the reliance on passwords by using stronger alternatives—such as biometrics, hardware security keys, or device-based credentials—to verify identity. Because there's no password to steal, reuse, or guess, passwordless methods reduce many of the risks associated with traditional password-based sign-in.
27+
28+
### Multifactor authentication
29+
30+
A username and password alone are often insufficient protection. Passwords are frequently stolen through phishing attacks, data breaches, and credential-stuffing attacks. *Multifactor authentication (MFA)* strengthens authentication by requiring more than one type of proof, drawn from different categories:
31+
32+
- **Something you know**—a password or PIN
33+
- **Something you have**—a phone, a hardware security key, or a smart card
34+
- **Something you are**—a biometric, such as a fingerprint or facial scan
35+
36+
When MFA is enabled, stealing a password alone isn't enough to compromise an account. An attacker would also need to physically possess the user's device or replicate their biometrics. This extra layer of verification dramatically reduces the risk of account takeover.
37+
38+
## Authorization
39+
40+
Once your identity is confirmed through authentication, the next question is: *What are you allowed to do?*
41+
42+
Authorization is the process of determining what an authenticated user has permission to access and what actions they can perform. Knowing who you are isn't enough—the system also needs to determine what you're entitled to.
43+
44+
Authorization is sometimes shortened to *AuthZ*.
45+
46+
### The hotel analogy
47+
48+
A useful way to think about authentication and authorization is to imagine checking into a hotel.
49+
50+
When you arrive, you go to the reception desk and present your passport or driver's license. The receptionist checks your identification against your reservation to confirm who you are. That's *authentication*.
51+
52+
Once verified, you're given a keycard programmed to open specific doors: your assigned room, the fitness center, or the pool—but not other guests' rooms, the staff areas, or the kitchen. When you use the keycard, the door sensor checks your permissions and grants or denies access accordingly. That's *authorization*.
53+
54+
In digital systems:
55+
- The credentials you provide (username, password, biometrics) are like your passport—they prove who you are.
56+
- The permissions assigned to your account—which applications, files, and actions you can access—are like the keycard.
57+
58+
### How authorization is managed
59+
60+
Authorization is typically managed through *roles* and *permissions*. Rather than assigning access rights individually to every user, systems group permissions into named roles, and then assign users to those roles.
61+
62+
For example:
63+
- A *help desk technician* role might allow viewing user account status but not resetting passwords.
64+
- A *security administrator* role might allow resetting passwords and reviewing sign-in logs.
65+
- A *global administrator* role might have full control over all settings and users.
66+
67+
This model is called *role-based access control (RBAC)*. When the permissions of a role change, every user assigned to that role is automatically affected. RBAC makes managing access across large organizations scalable and consistent.
68+
69+
Authorization decisions can also be dynamic. A user might be authorized to access a sensitive application under normal circumstances—but if they sign in from an unexpected location or an unrecognized device, a risk-based policy might step up the authentication requirement or restrict access until the risk is resolved.
70+
71+
## Authentication and authorization work together
72+
73+
Authentication and authorization are distinct processes, but they work together to protect resources. They always occur in a specific order:
74+
75+
1. **Authentication**—the system verifies who you are.
76+
2. **Authorization**—the system determines what you're allowed to do.
77+
78+
Authorization can only happen after successful authentication. You can't determine what someone is permitted to do without first confirming their identity. And confirming identity alone—without checking permissions—leaves resources exposed.
79+
80+
Together, authentication and authorization form the foundation of access management across all Microsoft security, compliance, and identity solutions.
1881

19-
- Something you know (password or PIN)
20-
- Something you have (phone, security key)
21-
- Something you are (biometrics)
2282

23-
**Passwordless** authentication reduces reliance on passwords by using stronger alternatives (for example, passkeys or Windows Hello for Business). Many passwordless methods are **phishing-resistant**, meaning they help protect users even if they're tricked into visiting a fake sign-in page.
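Review bot: the rewrite drops the property the removed text called out, namely that many passwordless methods (passkeys, Windows Hello for Business) are phishing-resistant and protect users even when they are lured to a fake sign-in page. The new "Passwordless authentication" paragraph only says there is no password to steal, and the MFA paragraph leans the other way, claiming an attacker "would also need to physically possess the user's device or replicate their biometrics"; that holds for phishing-resistant factors but not for "A one-time code sent to your phone", which the same section lists as a credential and which the removed text implicitly treated as not phishing-resistant. Suggest restoring the phishing-resistance sentence with its examples and softening the MFA claim to something like: "With MFA, a stolen password alone isn't enough to sign in. Phishing-resistant methods, such as passkeys and hardware security keys, go further: they can't be captured by a fake sign-in page." That keeps the defensive message accurate without lengthening the unit much.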
