authorization
In the context of Microsoft identity and access management, when users attempt to access an application or a service, authorization is what controls their level of access. This concept is clearly defined in Microsoft’s Security, Compliance, and Identity (SCI) learning paths, particularly in the SC-900 and SC-300 certifications.
From Microsoft SCI training materials:
“Authentication is the process of verifying the identity of a user, while authorization is the process of determining what resources a user can access and what actions they are permitted to perform.”
In more detail:
Authentication confirms who you are (e.g., verifying credentials through Azure AD, MFA).
Authorization decides what you can do (e.g., access to files, roles, permissions in an app or service).
SCI documentation explains:
“Once authentication is successful, authorization policies are applied to determine whether the authenticated user is allowed to access the requested resource and at what level.”
This principle is implemented using role-based access control (RBAC) in Microsoft Azure and Microsoft 365 environments. For example, even if a user successfully logs into the Microsoft 365 portal (authentication), their ability to manage Exchange Online settings or view compliance data depends on their assigned roles (authorization).
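The two steps described above, as a simplified model added here for illustration (not Microsoft's code and not part of the original explanation). The users, tokens, role definitions and assignments are constructed and the function names are hypothetical; the evaluation follows the shape of Azure RBAC, where a role definition lists Actions and NotActions and an assignment at a scope also applies to its child scopes.

```python
import hmac
from fnmatch import fnmatchcase

# Constructed role definitions, shaped like Azure RBAC (Actions / NotActions).
ROLES = {
    "reader": {"actions": ["*/read"], "not_actions": []},
    "contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/write",
                                    "Microsoft.Authorization/*/delete"]},
}
RG = "/subscriptions/sub-1/resourceGroups/rg-app"  # constructed scope
# Constructed role assignments: (principal, role, scope).
ASSIGNMENTS = [("alice@contoso.example", "contributor", RG),
               ("bob@contoso.example", "reader", "/subscriptions/sub-1")]
# Constructed credential store; stands in for the identity provider.
CREDENTIALS = {"alice@contoso.example": "token-a",
               "bob@contoso.example": "token-b",
               "carol@contoso.example": "token-c"}

def authenticate(user, token):
    """Authentication: is the caller who they claim to be?"""
    return hmac.compare_digest(CREDENTIALS.get(user, ""), token)

def scope_covers(assigned, resource):
    """An assignment applies at its own scope and at every child scope."""
    a, r = assigned.rstrip("/").lower(), resource.rstrip("/").lower()
    return r == a or r.startswith(a + "/")  # "/" stops rg-app matching rg-app2

def matches(patterns, action):
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def authorize(user, action, resource):
    """Authorization: may this authenticated principal do this, here?"""
    for principal, role, scope in ASSIGNMENTS:
        if principal != user or not scope_covers(scope, resource):
            continue
        role_def = ROLES[role]
        if (matches(role_def["actions"], action)
                and not matches(role_def["not_actions"], action)):
            return True
    return False  # default deny: no assignment grants the action

def access(user, token, action, resource):
    if not authenticate(user, token):
        return "401 unauthenticated"
    if not authorize(user, action, resource):
        return "403 forbidden"  # signed in, but no role allows it
    return "200 allowed"
```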