In Microsoft cloud identity, access to Azure resources follows the classical order of authenticate, then authorize. Microsoft Learn defines the two steps clearly: “Authentication is the process of establishing the identity of a person or service,” while “Authorization is the process of determining what a person or service can do.”

In an Azure sign-in, Microsoft Entra ID (formerly Azure AD) first validates the user’s credentials (password, MFA, Conditional Access, device compliance, risk evaluation). Upon success, a security token is issued that proves the user’s identity. Only after this identity is established does Azure proceed to authorization, where Azure Resource Manager evaluates role-based access control (RBAC) assignments to decide what actions are allowed. SCI guidance emphasizes this sequence for Zero Trust: “Verify explicitly” (authenticate with strong signals) and then “use least privilege access” (authorize by RBAC or Privileged Identity Management).

Therefore, when users sign in to the Azure portal, the first step is authentication: verifying who they are. The subsequent step is authorization, which determines what resources and operations they can access based on roles, scope, and policy. This ordering underpins secure identity and access management across Microsoft 365 and Azure.
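An added example, not from the original page or from Microsoft: a simplified Python model of the sequence described above, in which a request is refused as unauthenticated before any RBAC lookup, and authorization then matches role actions against scope-inherited assignments. The principal, issuer, scopes and trimmed-down role definitions are constructed for illustration, and token signature validation is omitted.

```python
from fnmatch import fnmatchcase

# All values below are constructed for illustration; signature checks are omitted.
TRUSTED_ISSUER = "https://issuer.example/tenant-placeholder"
ROLES = {  # trimmed-down stand-ins for built-in role definitions
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/write",
                                    "Microsoft.Authorization/*/delete"]},
}
ASSIGNMENTS = [  # (principal, role, scope)
    ("alice", "Reader", "/subscriptions/sub-1"),
    ("alice", "Contributor", "/subscriptions/sub-1/resourceGroups/rg-app"),
]

def authenticate(token, now):
    """Step 1: establish identity. Returns the principal id, or None."""
    if not token or token.get("iss") != TRUSTED_ISSUER or token.get("exp", 0) <= now:
        return None
    return token.get("oid")

def in_scope(assigned, target):
    """An assignment applies at its own scope and at every child scope."""
    a, t = assigned.lower().rstrip("/"), target.lower()
    return t == a or t.startswith(a + "/")

def matches(patterns, action):
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def authorize(principal, action, scope):
    """Step 2: decide what the identity may do. Role assignments are additive."""
    for who, role, assigned in ASSIGNMENTS:
        if who == principal and in_scope(assigned, scope):
            role_def = ROLES[role]
            # not_actions subtracts from this role only; it is not a deny rule.
            if matches(role_def["actions"], action) and not matches(role_def["not_actions"], action):
                return True
    return False

def handle_request(token, action, scope, now):
    principal = authenticate(token, now)
    if principal is None:
        return "401 unauthenticated"   # RBAC is never consulted
    if not authorize(principal, action, scope):
        return "403 forbidden"
    return "200 allowed"
```

The Reader assignment at subscription scope carries down to every resource group beneath it, while the Contributor assignment only widens access inside `rg-app`.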