Understanding Azure Active Directory Concepts
Welcome to the core concepts section for Azure Active Directory (Azure AD). This guide will walk you through the fundamental building blocks and principles that govern identity and access management within the Azure ecosystem.
Introduction to Azure AD
Azure Active Directory is a cloud-based identity and access management service. It enables users to sign in to applications and resources located on-premises and in the cloud. It provides a robust set of features for managing users, groups, and devices, as well as securing access to applications and data.
Azure AD Tenants
A tenant is a dedicated and trusted instance of Azure AD that an organization receives through a Microsoft cloud service, such as Azure, Microsoft 365, or Dynamics 365. Each Azure AD tenant is distinct and separate from any other Azure AD tenant. It contains all the organization's user accounts, application registrations, and other identity-related objects.
- Global Uniqueness: Tenant names are globally unique.
- Multi-tenancy: Azure AD supports multi-tenancy, allowing multiple organizations to use the service simultaneously without interfering with each other.
Users
Users are the individuals who access your organization's resources. In Azure AD, users can be:
- Members: Users who belong to your organization.
- Guests: Users from other organizations who are invited to collaborate (external users, added through Azure AD B2B).
Each user is represented by a unique object in Azure AD, which includes attributes like name, email, and organizational role.
Groups
Groups are collections of users, devices, or other groups that can be used to simplify management. Assigning access to a group is more efficient than assigning it to individual users.
Types of groups include:
- Security Groups: Used to grant access to Azure resources.
- Microsoft 365 Groups: Provide a platform for collaboration, including shared mailboxes, calendars, and SharePoint sites.
Applications
In Azure AD, an application is a software program that uses Azure AD to sign in users and securely call Microsoft Graph or other APIs. Applications can be:
- SaaS Applications: Cloud-based applications like Salesforce, Workday, or Office 365.
- Web Applications: Applications hosted within your organization or custom-developed.
- Mobile Applications: Applications running on mobile devices.
- Desktop Applications: Applications installed on user workstations.
Registering an application in Azure AD enables single sign-on (SSO) and provides a centralized way to manage access.
Service Principals
A service principal is an identity that an application, hosted service, or automated tool uses to access Azure resources. It is a specific type of security principal that represents an application's identity within a tenant.
When you register an application in Azure AD, a service principal object is automatically created in the tenant where the application is registered. If the application is deployed to other tenants, a service principal object must be created in each of those tenants as well.
Roles
Azure AD defines roles that grant specific permissions to perform administrative tasks. These roles are crucial for enforcing the principle of least privilege.
Examples include:
- Global Administrator: Can manage all aspects of Azure AD and related services.
- User Administrator: Can manage users and groups.
- Application Administrator: Can manage application registrations and enterprise applications.
Permissions
Permissions define what actions a user or application can perform on Azure AD resources. These are often granted through role assignments.
Azure AD uses a role-based access control (RBAC) model, where permissions are bundled into roles, and roles are assigned to security principals (users, groups, or service principals).
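The sections on service principals, roles and permissions above describe the model; a practitioner usually wants to see how least privilege is checked against it. The following is an added example, not code from the original guide and not Microsoft tooling: it reviews a constructed list of directory role assignments (shaped loosely after what a Microsoft Graph role-member listing returns) and flags the patterns that most often violate least privilege: too many Global Administrators, a workload identity (service principal) holding Global Administrator, a guest holding an administrative role, and a role assigned to a group whose membership needs a separate review. The role names are real built-in Azure AD roles; the principal names, the set of roles treated as privileged and the cap of two Global Administrators are assumptions.

```python
"""Least-privilege review of Azure AD directory role assignments.

Added example: not part of the original guide and not Microsoft code.
Runs offline on a constructed assignment list; names, ids and thresholds
are assumptions.
"""
from collections import defaultdict

# Built-in Azure AD role names treated as highly privileged here; the
# grouping itself is this example's own choice.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
    "User Administrator",
}

# Constructed sample: one entry per (principal, role) assignment.
SAMPLE_ASSIGNMENTS = [
    {"principal": "alice@contoso.example", "type": "user", "userType": "Member", "role": "Global Administrator"},
    {"principal": "bob@contoso.example", "type": "user", "userType": "Member", "role": "Global Administrator"},
    {"principal": "carol@contoso.example", "type": "user", "userType": "Member", "role": "Global Administrator"},
    {"principal": "ops-automation", "type": "servicePrincipal", "userType": None, "role": "Global Administrator"},
    {"principal": "dave_fabrikam.example#EXT#@contoso.example", "type": "user", "userType": "Guest", "role": "User Administrator"},
    {"principal": "helpdesk-group", "type": "group", "userType": None, "role": "Application Administrator"},
    {"principal": "erin@contoso.example", "type": "user", "userType": "Member", "role": "Directory Readers"},
]

MAX_GLOBAL_ADMINS = 2  # assumed organisational cap


def review_assignments(assignments, max_global_admins=MAX_GLOBAL_ADMINS):
    """Return a list of (severity, finding) tuples for least-privilege violations."""
    findings = []
    by_role = defaultdict(list)
    for a in assignments:
        by_role[a["role"]].append(a)

    # 1. Global Administrator membership above the agreed cap.
    global_admins = by_role.get("Global Administrator", [])
    if len(global_admins) > max_global_admins:
        findings.append(("high", f"{len(global_admins)} Global Administrators exceed the cap of {max_global_admins}"))

    for a in assignments:
        if a["role"] not in PRIVILEGED_ROLES:
            continue
        # 2. A workload identity should hold a scoped role or application
        #    permissions, never Global Administrator.
        if a["type"] == "servicePrincipal" and a["role"] == "Global Administrator":
            findings.append(("high", f"service principal '{a['principal']}' holds Global Administrator"))
        # 3. Guests from other tenants should not administer this directory.
        if a["type"] == "user" and a["userType"] == "Guest":
            findings.append(("high", f"guest '{a['principal']}' holds {a['role']}"))
        # 4. Group-based assignment hides the real member list; review the group.
        if a["type"] == "group":
            findings.append(("medium", f"group '{a['principal']}' holds {a['role']}; review its membership"))
    return findings


if __name__ == "__main__":
    for severity, text in review_assignments(SAMPLE_ASSIGNMENTS):
        print(f"[{severity}] {text}")
```

On the sample data the review returns four findings: three rated high (the Global Administrator count, the service principal and the guest) and one medium (the group assignment). In a real tenant the same checks would be run over the output of a Graph role-member query rather than the embedded list.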
Conditional Access
Conditional Access is an Azure AD feature that acts as a gatekeeper, enforcing organizational policies to govern access to cloud apps and resources. It allows administrators to define rules based on user, location, device, application, and real-time risk detection.
Key components:
- Assignments: Who is affected (users, groups).
- Cloud Apps or Actions: What resources are protected.
- Conditions: Context of the access request (e.g., device platform, location, client application).
- Access Controls: What is enforced (e.g., require multi-factor authentication, block access, limit session).
Identity Protection
Azure AD Identity Protection uses machine learning and artificial intelligence to detect and respond to identity-based risks. It helps organizations protect against credential theft and account compromise.
Key features:
- Risk Detections: Identifies suspicious sign-in activities.
- Risk Policies: Automates remediation actions for risky users and sign-ins.
- Vulnerability Assessments: Provides recommendations to improve security posture.
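The Conditional Access components listed above (assignments, cloud apps, conditions, access controls) and the sign-in risk signal from Identity Protection come together when a sign-in is evaluated. The following is an added example, not code from the original guide and not Microsoft's policy engine: a small evaluator that takes policies written with the field names of the Microsoft Graph `conditionalAccessPolicy` resource (so the shape is recognisable) and decides whether a constructed sign-in context is allowed, blocked, or must first satisfy a control such as MFA. It also shows that a policy in report-only state is not enforced. The evaluation order, the sign-in context fields, the group and application names and all sample values are assumptions of this example.

```python
"""Toy Conditional Access evaluator over Graph-shaped policies.

Added example: not part of the original guide and not Microsoft's engine.
Policy field names follow the Graph conditionalAccessPolicy resource; the
evaluation logic and all sample values are this example's assumptions.
"""

POLICIES = [
    {
        "displayName": "Require MFA outside trusted locations",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": ["break-glass-admins"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block high sign-in risk",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": ["high"],  # Identity Protection risk feeds this condition
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Compliant device for Exchange (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["exchange-online"]},  # assumed app identifier
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
]


def make_ctx(user, app, location, trusted_location, sign_in_risk="none", groups=(), satisfied_controls=()):
    """Build a constructed sign-in context (field names are this example's own)."""
    return {"user": user, "app": app, "location": location, "trusted_location": trusted_location,
            "sign_in_risk": sign_in_risk, "groups": set(groups), "satisfied_controls": set(satisfied_controls)}


def _users_in_scope(cond, ctx):
    users = cond.get("users", {})
    included = ("All" in users.get("includeUsers", []) or ctx["user"] in users.get("includeUsers", [])
                or bool(ctx["groups"] & set(users.get("includeGroups", []))))
    excluded = (ctx["user"] in users.get("excludeUsers", [])
                or bool(ctx["groups"] & set(users.get("excludeGroups", []))))
    return included and not excluded


def _apps_in_scope(cond, ctx):
    apps = cond.get("applications", {})
    inc = apps.get("includeApplications", [])
    return ("All" in inc or ctx["app"] in inc) and ctx["app"] not in apps.get("excludeApplications", [])


def _locations_in_scope(cond, ctx):
    loc = cond.get("locations")
    if loc is None:  # no location condition: every location matches
        return True
    inc, exc = loc.get("includeLocations", []), loc.get("excludeLocations", [])
    included = "All" in inc or ctx["location"] in inc
    excluded = ctx["location"] in exc or ("AllTrusted" in exc and ctx["trusted_location"])
    return included and not excluded


def _risk_in_scope(cond, ctx):
    levels = cond.get("signInRiskLevels", [])
    return not levels or ctx["sign_in_risk"] in levels


def evaluate(ctx, policies=POLICIES):
    """Return ("block", [policy]) | ("allow", []) | ("require", [unmet controls])."""
    unmet = []
    for p in policies:
        if p["state"] != "enabled":  # report-only and disabled policies never enforce
            continue
        c = p["conditions"]
        if not (_users_in_scope(c, ctx) and _apps_in_scope(c, ctx)
                and _locations_in_scope(c, ctx) and _risk_in_scope(c, ctx)):
            continue
        gc = p["grantControls"]
        controls = gc["builtInControls"]
        if "block" in controls:  # block always wins over grant controls
            return ("block", [p["displayName"]])
        satisfied = [x for x in controls if x in ctx["satisfied_controls"]]
        ok = bool(satisfied) if gc["operator"] == "OR" else len(satisfied) == len(controls)
        if not ok:
            unmet.extend(x for x in controls if x not in ctx["satisfied_controls"])
    return ("require", sorted(set(unmet))) if unmet else ("allow", [])


if __name__ == "__main__":
    print(evaluate(make_ctx("alice", "sharepoint", "Home ISP", trusted_location=False)))
    print(evaluate(make_ctx("alice", "sharepoint", "HQ", trusted_location=True, sign_in_risk="high")))
```

The evaluator returns `("require", ["mfa"])` for a member signing in from an untrusted location without MFA, `("allow", [])` once MFA is satisfied or the location is trusted, and `("block", ["Block high sign-in risk"])` when Identity Protection has rated the sign-in high risk, regardless of location. A member of the excluded break-glass group is not subject to the MFA policy, which illustrates why exclusions deserve their own review.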
Azure AD B2B Collaboration
B2B collaboration enables you to securely invite external users (partners, vendors, clients) to your Azure AD tenant. These external users access your applications and resources using their own identity credentials.
Benefits:
- Simplified guest access management.
- Reduced overhead for managing separate accounts.
- Enhanced security through familiar authentication methods.
Azure AD B2C Identity
Azure AD B2C (Business-to-Consumer) is a cloud identity service for customer-facing web and mobile applications. It allows consumers to sign up for applications using existing social accounts (like Google or Facebook) or by creating new credentials.
Key characteristics:
- Scalable to millions of users.
- Customizable user journeys and branding.
- Supports OpenID Connect and OAuth 2.0 protocols.