
AZ-140 Domain 2: Plan and implement identity and security (15-20%) - Complete Study Guide 2026

TL;DR
  • Domain 2 accounts for 15-20% of the AZ-140 exam and centers on identity, access, and session host security.
  • You must know both Entra ID-only (cloud-native) and hybrid identity models, plus the share-level and NTFS permissions FSLogix profile containers depend on.
  • RBAC scoping, Conditional Access policies, and MFA enforcement are recurring scenario-based question themes.
  • The exam is 100 minutes, delivered via Pearson VUE, with a passing score of 700 or greater.

Domain 2 Overview: Why Identity and Security Matters

Domain 2, "Plan and implement identity and security," makes up 15-20% of the AZ-140 exam - Configuring and Operating Microsoft Azure Virtual Desktop. By weight it sits third of the four domains, behind Domain 1's infrastructure planning (40-45%) and Domain 3's user environments and apps (20-25%), yet it's arguably the domain where candidates lose the most points simply because they underestimate it. Identity in Azure Virtual Desktop (AVD) is not a single topic; it spans Microsoft Entra ID (formerly Azure AD), Active Directory Domain Services, Azure AD Domain Services (now Microsoft Entra Domain Services), hybrid join configurations, FSLogix profile permissions, role-based access control, and Conditional Access enforcement.

If you've read the broader AZ-140 exam domains guide, you already know how the four domains fit together. Domain 2 is where Microsoft tests whether you can secure the environment you built in Domain 1 and prepare it for the user experience configured in Domain 3. It's a connective-tissue domain, and questions frequently blend identity concepts with host pool or session host details from other domains.

Scope Reality Check: Domain 2 isn't just "know what MFA is." Microsoft expects you to configure identity providers for AVD, assign the correct RBAC roles at the correct scope, and troubleshoot authentication failures tied to hybrid identity misconfigurations.

Identity Scenarios You Must Master

AVD supports several identity architectures, and Domain 2 questions expect you to know which scenario applies to which deployment model. You need working familiarity with:

  • Microsoft Entra ID-joined session hosts - the cloud-native model where session hosts join Entra ID directly without an on-premises AD dependency.
  • Hybrid Azure AD-joined session hosts - hosts joined to on-premises AD DS and synchronized to Entra ID via Azure AD Connect or Entra Connect.
  • Azure AD Domain Services (Azure AD DS, now Microsoft Entra Domain Services) - a managed domain service used when you need domain-join capability without deploying and patching your own domain controllers.
  • Traditional AD DS with Entra ID sync - the classic hybrid pattern many enterprise customers still run.

Each model has implications for FSLogix profile storage, single sign-on behavior, and which user identities can sign in: session hosts joined to AD DS (including hybrid-joined hosts) require users with hybrid identities synchronized to Entra ID, while Entra ID-joined hosts also accept cloud-only users. Expect scenario questions that describe a company's existing identity setup and ask which session host join type is compatible, or what prerequisite is missing before user sign-in will succeed.

Identity Architecture Decisions

Candidates must understand how the chosen identity model constrains storage options, sign-in experience, and management tooling.

  • Entra ID-joined hosts typically pair with Azure Files using Microsoft Entra Kerberos authentication for FSLogix; check the current Azure Files identity requirements, because Entra Kerberos has historically required hybrid user identities even when the session hosts themselves are cloud-only
  • Hybrid-joined hosts require line-of-sight to domain controllers for authentication and Group Policy
  • Azure AD DS removes the need for self-managed domain controllers but has feature limitations compared to full AD DS
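The first thing a practitioner checks when sign-in fails against one of the models above is what the session host actually is, not what the design document says it is. The following PowerShell is an added example (not code from the study guide): it parses the output of dsregcmd /status, the built-in Windows tool that reports device registration state, and classifies the host as Entra ID joined, hybrid joined, domain joined only, or not joined. The sample output at the bottom is constructed for an offline run; the field names (AzureAdJoined, DomainJoined, AzureAdPrt) are the ones dsregcmd prints.

```powershell
# Added example: classify a session host's join type from `dsregcmd /status`.
# Run on the session host itself, or pass captured output for offline analysis.
function Get-AvdJoinType {
    param(
        # Raw lines of `dsregcmd /status`; defaults to running the tool locally.
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )

    # dsregcmd prints "Key : VALUE" lines; keep only the fields that matter here.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|AzureAdPrt)\s*:\s*(\S+)') {
            $fields[$Matches[1]] = $Matches[2].ToUpper()
        }
    }

    $entra  = $fields['AzureAdJoined'] -eq 'YES'
    $domain = $fields['DomainJoined']  -eq 'YES'

    $joinType = if ($entra -and $domain) { 'Hybrid Entra ID joined (AD DS + Entra ID)' }
                elseif ($entra)          { 'Entra ID joined (cloud-native model)' }
                elseif ($domain)         { 'Domain joined only (AD DS or Entra Domain Services, not registered in Entra ID)' }
                else                     { 'Not joined' }

    [pscustomobject]@{
        JoinType      = $joinType
        AzureAdJoined = $fields['AzureAdJoined']
        DomainJoined  = $fields['DomainJoined']
        # A hybrid-joined host with no Primary Refresh Token has usually not
        # completed Entra registration or cannot reach Entra ID; SSO will fail.
        HasEntraPrt   = ($fields['AzureAdPrt'] -eq 'YES')
    }
}

# Constructed sample output (layout follows dsregcmd) so the function can be
# exercised without a session host: a hybrid-joined device that has no PRT yet.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split "`r?`n"

Get-AvdJoinType -StatusText $sample
```

A host that reports DomainJoined : YES and AzureAdJoined : NO is the classic symptom behind "we expected hybrid join but Entra Connect device writeback or the SCP is missing"; a hybrid-joined host without a PRT explains single sign-on prompts that the design said should not appear.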

FSLogix, Conditional Access, and Session Host Security

FSLogix profile containers show up constantly in Domain 2 material because profile access is fundamentally a permissions problem. Candidates need to know how to configure NTFS and share-level permissions on the storage location hosting FSLogix containers, how to assign the correct security groups, and how profile container attach fails when permissions are misaligned with the identity model in use: the user typically signs in successfully but lands in a temporary local profile, and the actual cause is only visible in the FSLogix logs under %ProgramData%\FSLogix\Logs.
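The three permission layers that must line up for a profile container on Azure Files to attach, worked through in PowerShell as an added example (not the study guide's own code, and also covering the Week 2 "Permissions and Storage" lab below): share-level Azure RBAC on the file share, NTFS permissions inside the share, and the FSLogix registry settings on the session host. The subscription, resource group, storage account, share and group names are hypothetical placeholders; the role names, icacls flags and registry values are the documented FSLogix ones. It assumes Connect-AzAccount has already been run and that the admin host is domain joined and can mount the share.

```powershell
# Added example: configure the permission chain for FSLogix profile containers
# on an Azure Files share. All resource and group names are placeholders.
$subscriptionId   = '00000000-0000-0000-0000-000000000000'
$resourceGroup    = 'rg-avd-storage'
$storageAccount   = 'stavdprofiles'
$shareName        = 'profiles'
$avdUsersGroupId  = '<object id of the AVD users security group>'
$avdAdminsGroupId = '<object id of the AVD admins security group>'

$shareScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$storageAccount" +
              "/fileServices/default/fileshares/$shareName"

# 1. Share-level permissions. Users get SMB Share Contributor; admins get the
#    Elevated Contributor role, which is required to change NTFS ACLs. Scope the
#    assignment to the share rather than the whole storage account.
New-AzRoleAssignment -ObjectId $avdUsersGroupId  -RoleDefinitionName 'Storage File Data SMB Share Contributor'          -Scope $shareScope
New-AzRoleAssignment -ObjectId $avdAdminsGroupId -RoleDefinitionName 'Storage File Data SMB Share Elevated Contributor' -Scope $shareScope

# 2. NTFS permissions on the share root. Users get Modify on "this folder only"
#    (no inheritance flags) so each user can create their own profile folder but
#    cannot open a peer's; CREATOR OWNER then grants Modify inside those folders.
$sharePath = "\\$storageAccount.file.core.windows.net\$shareName"
icacls $sharePath /inheritance:r
icacls $sharePath /grant 'CREATOR OWNER:(OI)(CI)(IO)(M)'
icacls $sharePath /grant 'CORP\AVD-Users:(M)'            # hypothetical group name
icacls $sharePath /grant 'CORP\AVD-Admins:(OI)(CI)(F)'   # hypothetical group name
icacls $sharePath /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)(F)'

# 3. FSLogix settings on the session host (HKLM\SOFTWARE\FSLogix\Profiles).
$fsl = 'HKLM:\SOFTWARE\FSLogix\Profiles'
New-Item -Path $fsl -Force | Out-Null
Set-ItemProperty -Path $fsl -Name 'Enabled'                              -Value 1 -Type DWord
Set-ItemProperty -Path $fsl -Name 'VHDLocations'                         -Value @($sharePath) -Type MultiString
Set-ItemProperty -Path $fsl -Name 'DeleteLocalProfileWhenVHDShouldApply' -Value 1 -Type DWord
Set-ItemProperty -Path $fsl -Name 'FlipFlopProfileDirectoryName'         -Value 1 -Type DWord

# Check: when a user signs in and lands in a temporary profile, read the most
# recent FSLogix profile log before touching anything at the application layer.
Get-ChildItem 'C:\ProgramData\FSLogix\Logs\Profile' -Filter '*.log' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Get-Content | Select-String -Pattern 'ERROR', 'Access is denied', 'VHDLocations'
```

The point of the final check is the one the Key Takeaway below makes: an "Access is denied" line in the FSLogix log means the share-level role or the NTFS ACL does not match the identity the user signed in with (for example, a cloud-only user against a share that only authenticates hybrid identities), not a broken application.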

Beyond FSLogix, session host security touches:

  • Network security group (NSG) rules that restrict management traffic to session hosts
  • Azure Bastion or just-in-time (JIT) VM access for administrative connections instead of exposing RDP publicly
  • Disk encryption options for session host OS and data disks
  • Restricting local administrator rights on session hosts while still allowing FSLogix and app installs to function
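An audit that puts the NSG and Bastion/JIT bullets above into practice, written as an added example (not the guide's own code): it walks every network security group in the current Azure context and reports inbound allow rules that expose RDP (TCP 3389) to the internet, the pattern Bastion or just-in-time access is supposed to replace. It assumes Connect-AzAccount has been run and that the Az.Network module is installed; the port list is a parameter so the same check can cover other management ports.

```powershell
# Added example: find NSG rules that allow RDP from the internet.
# Any row returned is a finding; session hosts should be reached via Bastion or JIT.

# Port ranges in NSG rules are strings: "3389", "*", or "3000-4000".
function Test-PortInRange {
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ([int]$Range -eq $Port)
}

function Find-PublicRdpRules {
    param([int[]]$Ports = @(3389))

    foreach ($nsg in Get-AzNetworkSecurityGroup) {
        foreach ($rule in $nsg.SecurityRules) {
            if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }

            # Source prefixes that mean "anyone on the internet".
            $openSource = $rule.SourceAddressPrefix |
                Where-Object { $_ -in '*', 'Internet', '0.0.0.0/0' }
            if (-not $openSource) { continue }

            $exposedPorts = foreach ($p in $Ports) {
                if ($rule.DestinationPortRange | Where-Object { Test-PortInRange -Range $_ -Port $p }) { $p }
            }
            if (-not $exposedPorts) { continue }

            [pscustomobject]@{
                ResourceGroup = $nsg.ResourceGroupName
                Nsg           = $nsg.Name
                Rule          = $rule.Name
                Priority      = $rule.Priority
                Source        = ($rule.SourceAddressPrefix -join ',')
                ExposedPorts  = ($exposedPorts -join ',')
            }
        }
    }
}

# Default: RDP only. Add 5985,5986 to catch WinRM opened for "temporary" management.
Find-PublicRdpRules | Format-Table -AutoSize
```

Only custom rules (SecurityRules) are inspected; the platform default rules never allow inbound RDP from the internet, so a clean result means no one has added a permissive rule on top of them.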

Key Takeaway

When you see an exam question about a user who can log in but has no profile data, think permissions on the FSLogix storage location first, not application configuration.

RBAC and Permission Boundaries in AVD

Role-based access control is a heavily tested subtopic inside Domain 2. AVD introduces built-in roles beyond the generic Azure roles you may already know, and the exam wants you to match the correct role to the correct administrative task at the correct scope (subscription, resource group, host pool, or application group).

Key roles to know cold include Desktop Virtualization Contributor, Desktop Virtualization User, Desktop Virtualization Session Host Operator, and the standard Azure Virtual Machine Contributor and Reader roles as they apply to session host management. Questions often present a help-desk scenario - someone needs to restart session hosts but shouldn't be able to delete a host pool - and ask which built-in role satisfies that requirement with least privilege.

Role                                         | Typical Use Case                                          | Scope Level
Desktop Virtualization Contributor           | Full management of host pools, app groups, workspaces     | Resource group or subscription
Desktop Virtualization User                  | End-user access to assigned resources                     | Application group
Desktop Virtualization Session Host Operator | Manage session host status without full host pool control | Host pool
Virtual Machine Administrator Login          | Local admin sign-in to session hosts via Entra ID auth    | Virtual machine or resource group

Least-Privilege Mindset: Almost every RBAC question on AZ-140 is really a least-privilege question in disguise. If two roles both technically "work," the correct answer is the one with the narrower scope and fewer permissions.
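The help-desk scenario from the text, implemented at least privilege as an added example (not the study guide's code): the help-desk group gets Desktop Virtualization Session Host Operator on one host pool, end users get Desktop Virtualization User on the application group, and the script first verifies that the operator role really lacks the action that would delete the host pool. Subscription, resource group, host pool, application group and group object IDs are hypothetical placeholders; the role names and action strings are Azure's own. It assumes Connect-AzAccount has been run with rights to create role assignments.

```powershell
# Added example: least-privilege RBAC for an AVD help desk. Identifiers are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$rg             = 'rg-avd-prod'
$hostPool       = 'hp-finance'
$appGroup       = 'hp-finance-DAG'
$helpDeskGroup  = '<object id of the help-desk security group>'
$financeUsers   = '<object id of the Finance AVD users group>'

$hostPoolScope = "/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.DesktopVirtualization/hostPools/$hostPool"
$appGroupScope = "/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.DesktopVirtualization/applicationGroups/$appGroup"

# Check before assigning: the Session Host Operator role must not carry the
# host pool delete action (nor a wildcard that would imply it).
$role = Get-AzRoleDefinition -Name 'Desktop Virtualization Session Host Operator'
$role.Actions
$canDeletePool = ($role.Actions -contains 'Microsoft.DesktopVirtualization/hostpools/delete') -or
                 ($role.Actions -contains 'Microsoft.DesktopVirtualization/*') -or
                 ($role.Actions -contains '*')
"Role can delete host pool: $canDeletePool"

if (-not $canDeletePool) {
    # Narrowest scope that satisfies the requirement: the single host pool.
    New-AzRoleAssignment -ObjectId $helpDeskGroup -RoleDefinitionName 'Desktop Virtualization Session Host Operator' -Scope $hostPoolScope
}

# End-user access is granted on the application group, never the resource group.
New-AzRoleAssignment -ObjectId $financeUsers -RoleDefinitionName 'Desktop Virtualization User' -Scope $appGroupScope

# Restarting the underlying VM is a Microsoft.Compute action, so if the help desk
# must also reboot session hosts, add Virtual Machine Contributor scoped to those
# VMs (or their resource group), not Contributor on the whole resource group.

# Audit: who holds anything on the host pool, including inherited assignments.
Get-AzRoleAssignment -Scope $hostPoolScope |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Sort-Object RoleDefinitionName
```

The audit output is what you reconcile against the scenario: an inherited Contributor at subscription scope "works" for the help desk but is the wrong exam answer, and in production it is the assignment that eventually deletes a host pool.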

MFA, Conditional Access, and Multi-Session Considerations

Multi-factor authentication and Conditional Access policies are core Domain 2 content because AVD sessions represent a distinct sign-in surface that security teams want to control separately from other app access. You should understand how to scope a Conditional Access policy specifically to the AVD client apps rather than to all cloud apps, how sign-in frequency (forcing re-authentication per session) differs from trusting a compliant or hybrid-joined device, and how Conditional Access interacts with RemoteApp versus full desktop sessions.

For multi-session host pools specifically, expect questions about how identity and security controls behave differently when multiple users share a single Windows 10 or Windows 11 Enterprise multi-session VM - including how Conditional Access sign-in frequency settings affect a shared-host experience compared to personal desktops.

Conditional Access Scenarios to Rehearse

Practice mapping business requirements to Conditional Access configuration choices.

  • Requiring MFA only when connecting from outside a trusted network location
  • Blocking legacy authentication protocols for AVD client connections
  • Enforcing device compliance before allowing session host access
  • Applying different sign-in frequency rules to multi-session vs. personal host pools
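The first scenario in the list, plus a sign-in frequency control, built with the Microsoft Graph PowerShell SDK as an added example (not the study guide's code; it also covers the Week 3 "Conditional Access and MFA" lab below). The policy targets only the AVD-related first-party applications, requires MFA except from trusted named locations, excludes a break-glass group, and is created in report-only mode so it can be evaluated in the sign-in logs before enforcement. Group object IDs are placeholders. The app identities are resolved by service principal display name rather than hard-coded; Microsoft's AVD MFA documentation lists the fixed app IDs if you prefer to pin them, and older tenants may still show the AVD app under its former "Windows Virtual Desktop" name.

```powershell
# Added example: Conditional Access scoped to the AVD sign-in surface.
# Requires the Microsoft.Graph PowerShell SDK; group IDs are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$avdUsersGroupId = '<object id of the AVD users group>'
$breakGlassGroup = '<object id of the emergency-access accounts group>'

# Resolve the AVD apps present in this tenant. 'Windows Cloud Login' is used
# with single sign-on on Entra-joined hosts and may be absent; skip what is missing.
$appIds = foreach ($name in 'Azure Virtual Desktop', 'Microsoft Remote Desktop', 'Windows Cloud Login') {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'" -Property AppId
    if ($sp) { $sp.AppId } else { Write-Warning "Service principal '$name' not found in tenant" }
}
if (-not $appIds) { throw 'No AVD service principals resolved; refusing to create an unscoped policy.' }

$policy = @{
    displayName = 'AVD - MFA outside trusted locations, 1h sign-in frequency'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing sign-in logs
    conditions  = @{
        users = @{
            includeGroups = @($avdUsersGroupId)
            excludeGroups = @($breakGlassGroup)        # never lock out break-glass accounts
        }
        applications   = @{ includeApplications = @($appIds) }   # AVD apps only, not 'All'
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')          # trusted named locations skip MFA
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled         = $true
            type              = 'hours'
            value             = 1
            frequencyInterval = 'timeBased'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Check: the policy must list the AVD app IDs, not the 'All' cloud apps sentinel.
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id).Conditions.Applications.IncludeApplications
```

For the multi-session versus personal comparison in the last bullet, clone the policy with a different sign-in frequency and target each variant at the user group assigned to the corresponding host pool's application group; the behaviour you observe on a shared multi-session host is what the exam asks you to reason about.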

How Domain 2 Questions Are Actually Written

Unlike straightforward recall questions, Domain 2 items on AZ-140 tend to be scenario-driven. A typical stem describes an organization's current identity setup (say, hybrid AD with Azure AD Connect) and a business constraint (contractors need access without domain accounts), then asks you to pick the configuration change that satisfies the requirement. The exam may include interactive components as part of the 100-minute proctored session, so you should be comfortable with drag-and-drop role-to-scenario matching and multi-step case study formats, not just single-answer multiple choice.

If you haven't yet reviewed how difficult candidates generally find this material, the AZ-140 difficulty guide breaks down where most people struggle, and Domain 2's blend of identity architecture and security policy is consistently cited as a pressure point - largely because it requires cross-referencing knowledge from Domain 1's networking and infrastructure decisions.

Scenario Practice Tip: When practicing, don't just memorize what each RBAC role or Conditional Access setting does in isolation - practice reading a two-paragraph scenario and identifying the single constraint that eliminates three of four answer choices.

A Focused Study Plan for Domain 2

Given that Domain 2 sits in the middle of exam weight (15-20%), it deserves a dedicated study block but shouldn't consume the majority of your prep time - that belongs to Domain 1. A reasonable approach is to study Domain 2 material after you've built a mental model of host pools and session hosts from Domain 1, since identity concepts make more sense once you understand what they're protecting.

Week 1

Identity Foundations

  • Review Entra ID-joined vs. hybrid-joined vs. Azure AD DS session host models
  • Build a lab host pool using each join type if possible

Week 2

Permissions and Storage

  • Configure FSLogix profile containers with correct NTFS/share permissions
  • Practice assigning built-in AVD RBAC roles at different scopes

Week 3

Conditional Access and MFA

  • Create Conditional Access policies scoped to AVD client apps
  • Test sign-in frequency behavior on a multi-session host pool

Week 4

Scenario Drills

  • Work through mixed scenario questions combining identity, RBAC, and network security
  • Cross-reference with Domain 1 and Domain 3 topics to reinforce connections

This four-week block fits naturally within a broader prep schedule. If you want the full multi-domain timeline, the AZ-140 study guide for passing on your first attempt lays out how to sequence all four domains together rather than studying them in isolation.

Domain 2 Compared to the Other AZ-140 Domains

It helps to see Domain 2 in context against the exam's full weighting so you can allocate study hours proportionally rather than treating every domain equally.

Domain                                                  | Weight | Core Focus
Domain 1: Plan and implement an AVD infrastructure      | 40-45% | Host pools, session hosts, storage, networking
Domain 2: Plan and implement identity and security      | 15-20% | Identity models, RBAC, FSLogix permissions, Conditional Access
Domain 3: Plan and implement user environments and apps | 20-25% | App delivery, profile management, user settings
Domain 4: Monitor and maintain an AVD infrastructure    | 10-15% | Monitoring, alerting, autoscale, updates

Notice how Domain 2's content overlaps with both Domain 1's infrastructure planning and Domain 3's user environment configuration. Security decisions rarely exist in a vacuum on this exam - a question framed around identity often requires you to also recall a storage or networking detail from another domain, which is why studying domains in isolation can leave gaps.

Registration and Exam-Day Mechanics That Affect Domain 2 Prep

AZ-140 has no formal prerequisite listed by Microsoft, though the exam targets server or desktop administrators who already have practical experience with Azure compute, networking, identity, storage, and resiliency. That matters for Domain 2 specifically: if your background is light on identity administration (for example, you've never configured Conditional Access or managed Entra ID roles), plan extra hands-on lab time rather than assuming exam-cram reading will be enough.

The exam is delivered through Pearson VUE with both online proctored and test-center options, runs 100 minutes, and may include interactive components - which is directly relevant to Domain 2 since role-assignment and Conditional Access scenarios lend themselves to drag-and-drop or ordered-list question formats. A passing score of 700 or greater is required, and once earned, the certification renews every 12 months through a free online Microsoft Learn renewal assessment - so the identity and security knowledge you build now will need periodic refreshing rather than being a one-time effort.

If you're still weighing logistics like fees and testing options before you schedule, the AZ-140 certification cost breakdown covers the full pricing picture, and the AZ-140 pass rate data article gives useful context on what the numbers actually show without relying on guesswork.

Key Takeaway

Because Domain 2 blends conceptual identity knowledge with hands-on RBAC and Conditional Access configuration, build a small lab environment rather than relying solely on reading - the exam's scenario format rewards people who've actually clicked through the settings.

Beyond exam mechanics, it's worth understanding why employers value this credential in the first place. Organizations running hybrid or fully cloud-based virtual desktop environments need administrators who can secure identity boundaries correctly - misconfigured RBAC or missing Conditional Access policies are common real-world incident causes. If you're curious how this translates into job opportunities, the AZ-140 jobs overview and AZ-140 salary guide outline the roles that typically list this certification as a requirement or preference.

For hands-on practice that mirrors the scenario-based question style described above, working through timed practice questions on our AZ-140 practice test platform is one of the most efficient ways to confirm you've actually internalized Domain 2 concepts rather than just recognized them. Repeated exposure to realistic identity and security scenarios on the practice test site also helps you get comfortable with the pacing needed for a 100-minute proctored session.

Frequently Asked Questions

How much of the AZ-140 exam is Domain 2?

Domain 2, "Plan and implement identity and security," makes up 15-20% of the AZ-140 exam according to Microsoft's official skills outline. That places it third of the four domains by weight, behind Domain 1 (infrastructure, 40-45%) and Domain 3 (user environments and apps, 20-25%).

Do I need Active Directory experience before studying Domain 2?

There's no formal prerequisite for AZ-140, but Microsoft's target audience has experience with Azure identity concepts. If you haven't worked with AD DS, Entra ID, or hybrid identity before, plan extra hands-on time for this domain specifically.

What's the most commonly tested subtopic within Domain 2?

RBAC role assignment at the correct scope and FSLogix profile permission configuration are frequently cited as high-frequency scenario topics, along with Conditional Access policies scoped to AVD client applications.

How does Domain 2 relate to Domain 1 and Domain 3?

Identity decisions from Domain 2 directly affect host pool design covered in Domain 1 and the user profile experience covered in Domain 3. Many exam scenarios blend concepts across these domains rather than testing them in isolation.

Is the AZ-140 certification worth pursuing if I already know Azure identity basics?

If you already have solid Entra ID and RBAC experience, Domain 2 will likely feel more familiar, but you'll still need AVD-specific knowledge like Desktop Virtualization roles and FSLogix permissions. See the full ROI analysis for a broader view of the certification's value.

Ready to pass your AZ-140 exam?

Put this into practice with free AZ-140 questions across every exam domain.