Understanding Azure AD Identity
Azure Active Directory (Azure AD) is a cloud-based identity and access management service. It helps your employees sign in to and access resources, such as:
- Applications hosted in Azure, such as Azure Portal.
- Thousands of other Software as a Service (SaaS) applications, like Salesforce, Workday, and Microsoft 365.
- On-premises applications that you publish through Azure AD Application Proxy.
- Any other web application that you can publish using protocols like OAuth 2.0 or SAML.
Azure AD also helps your IT administrators manage their cloud and on-premises resources and provides features like single sign-on (SSO), multi-factor authentication (MFA), and access control.
Key Concepts in Azure AD Identity
The Azure AD identity model revolves around several core components:
1. Identities
An identity represents a user, service principal, or managed identity that can authenticate to Azure AD and request access to resources.
- Users: Represent people, such as employees, partners, or customers. Users can be managed in Azure AD or synchronized from an on-premises Active Directory.
- Service Principals: Represent an application or service that needs to access Azure resources. They are the identities used by applications when they need to authenticate to Azure AD.
- Managed Identities: A special type of identity in Azure AD that is automatically managed by Azure. They allow Azure resources to authenticate to any service that supports Azure AD authentication without needing credentials in your code.
2. Authentication
Authentication is the process of verifying who a user or service principal is. Azure AD supports various authentication methods, including:
- Password-based authentication
- Multi-Factor Authentication (MFA)
- Passwordless authentication (e.g., FIDO2 security keys, Microsoft Authenticator app)
- Federated authentication with trusted identity providers
For more details on authentication flows and protocols, visit the Authentication section.
3. Authorization
Authorization is the process of determining what an authenticated user or service principal is allowed to do. Azure AD uses role-based access control (RBAC) to manage permissions.
- Roles: Define a set of permissions that can be granted to users, groups, or service principals.
- Role Assignments: Link a role to a security principal (user, group, or service principal) for a specific scope (e.g., a subscription, resource group, or resource).
Learn more about authorization in the Authorization section.
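The interaction between roles, role assignments and scopes is easier to see in code than in prose. The following is an added example, not code from this page or from Microsoft: a simplified model of Azure RBAC evaluation in which roles are sets of permitted actions (with wildcards and NotActions, mirroring the shape of built-in role definitions), assignments bind a role to a principal at a scope, and an assignment at a subscription or resource group is inherited by every resource beneath it. Deny assignments and data actions are left out, and every identifier (sub1, rg-app, alice, sp-deploy, g-ops) is a constructed sample value.

```python
"""Simplified model of Azure RBAC role assignments and scope inheritance.

Added example, not Microsoft or Azure SDK code. Roles grant actions (wildcards
span path segments, so '*/read' covers any read action) and NotActions carve
exclusions out of that grant. An assignment applies at its own scope and at
every child scope. Deny assignments and data actions are omitted.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: Tuple[str, ...]
    not_actions: Tuple[str, ...] = ()

    def permits(self, action: str) -> bool:
        # Azure action names are case-insensitive; NotActions never grant anything.
        act = action.lower()
        granted = any(fnmatchcase(act, p.lower()) for p in self.actions)
        excluded = any(fnmatchcase(act, p.lower()) for p in self.not_actions)
        return granted and not excluded


@dataclass(frozen=True)
class RoleAssignment:
    principal: str   # user, group or service principal
    role: str        # RoleDefinition.name
    scope: str       # subscription, resource group or single resource


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """True at the assignment's own scope and every scope beneath it.
    The trailing '/' keeps '.../rg-app' from also covering '.../rg-app2'."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


# Constructed roles. Contributor's NotActions withhold the actions that would
# let a holder rewrite role assignments and so grant itself more access.
ROLES: Dict[str, RoleDefinition] = {
    "Reader": RoleDefinition("Reader", actions=("*/read",)),
    "Contributor": RoleDefinition(
        "Contributor", actions=("*",),
        not_actions=("Microsoft.Authorization/*/Write",
                     "Microsoft.Authorization/*/Delete",
                     "Microsoft.Authorization/elevateAccess/Action")),
}

# Constructed scopes: one subscription, two resource groups, one storage account in each.
SUB = "/subscriptions/sub1"
RG_APP = SUB + "/resourceGroups/rg-app"
RG_DATA = SUB + "/resourceGroups/rg-data"
SA1 = RG_APP + "/providers/Microsoft.Storage/storageAccounts/sa1"
SA2 = RG_DATA + "/providers/Microsoft.Storage/storageAccounts/sa2"

# Constructed assignments: broad read at the subscription, write confined to one
# resource group, and a deployment service principal limited to a single resource.
ASSIGNMENTS = (
    RoleAssignment("alice", "Reader", SUB),
    RoleAssignment("alice", "Contributor", RG_APP),
    RoleAssignment("g-ops", "Reader", SUB),
    RoleAssignment("sp-deploy", "Contributor", SA1),
)
GROUP_MEMBERS = {"g-ops": {"bob"}}  # constructed group membership


def principals_for(principal: str) -> set:
    """A principal acts with its own assignments plus those of its groups."""
    return {principal} | {g for g, members in GROUP_MEMBERS.items() if principal in members}


def is_authorized(principal: str, action: str, scope: str,
                  roles: Dict[str, RoleDefinition] = ROLES,
                  assignments: Iterable[RoleAssignment] = ASSIGNMENTS) -> bool:
    """Allow if any inherited assignment's role permits the action."""
    acting_as = principals_for(principal)
    return any(ra.principal in acting_as
               and scope_covers(ra.scope, scope)
               and roles[ra.role].permits(action)
               for ra in assignments)


if __name__ == "__main__":
    for who, action, scope in (
        ("alice", "Microsoft.Storage/storageAccounts/write", SA1),             # inherited from rg-app
        ("alice", "Microsoft.Storage/storageAccounts/write", SA2),             # outside rg-app
        ("alice", "Microsoft.Authorization/roleAssignments/write", RG_APP),    # NotActions
        ("bob", "Microsoft.Storage/storageAccounts/read", SA1),                # via group
        ("sp-deploy", "Microsoft.Storage/storageAccounts/write", SA2),         # wrong resource
    ):
        print(f"{who:10} {action:48} {'allow' if is_authorized(who, action, scope) else 'deny'}")
```

Two things to note when reviewing real assignments: the scope check is a path-prefix test, so an assignment at a resource group reaches every resource created under it later, and a Contributor can still do almost everything except touch role assignments, which is exactly why NotActions exist on that role.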
4. Access Management
Azure AD provides comprehensive tools for managing access to your resources:
- Conditional Access Policies: Enforce organizational policies for access to cloud apps and resources based on conditions like user location, device, application, and risk.
- Privileged Identity Management (PIM): Manage, control, and monitor access to important resources by providing just-in-time (JIT) privileged access to Azure AD and Azure resources.
- Access Reviews: Enable organizations to manage group memberships, access to enterprise applications, and role assignments for users.
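Conditional Access policies do not act in isolation: at sign-in, every enabled policy whose conditions match contributes its grant controls, all of those controls must be satisfied, and a matching block policy overrides the rest. The following is an added example, not code from this page or from Microsoft, and its field names are not the Graph API policy schema; it models that combination over a constructed policy set, with trusted named locations as CIDR ranges, exclusions for a break-glass account, sign-in risk as an attribute of the sign-in event, and a report-only policy that is matched but not enforced. Users, apps, addresses and policy names are constructed values.

```python
"""Simplified model of Conditional Access policy evaluation.

Added example, not Microsoft code. Conditions: users (with exclusions), cloud
apps, untrusted-location-only, sign-in risk. Grant controls: block, require
MFA, require compliant device. All controls from every enforced matching
policy must be met; any matching block wins; report-only policies are only
recorded. Field names are assumptions, not the Graph API schema.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence

# Constructed trusted named locations (documentation address ranges).
TRUSTED_LOCATIONS = {
    "corp-hq": ipaddress.ip_network("203.0.113.0/24"),
    "branch": ipaddress.ip_network("198.51.100.0/25"),
}
ALL = frozenset({"All"})


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    ip: str
    device_compliant: bool = False
    mfa_done: bool = False
    risk: str = "none"          # none | low | medium | high


@dataclass(frozen=True)
class Policy:
    name: str
    users: FrozenSet[str] = ALL
    exclude_users: FrozenSet[str] = frozenset()
    apps: FrozenSet[str] = ALL
    untrusted_locations_only: bool = False
    risk_levels: FrozenSet[str] = frozenset()   # empty: applies at any risk level
    block: bool = False
    require_mfa: bool = False
    require_compliant_device: bool = False
    state: str = "enabled"      # enabled | reportOnly | disabled


def in_trusted_location(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_LOCATIONS.values())


def applies(p: Policy, s: SignIn) -> bool:
    """Every condition must hold; an exclusion (e.g. break-glass account) wins."""
    if p.state == "disabled" or s.user in p.exclude_users:
        return False
    if "All" not in p.users and s.user not in p.users:
        return False
    if "All" not in p.apps and s.app not in p.apps:
        return False
    if p.untrusted_locations_only and in_trusted_location(s.ip):
        return False
    if p.risk_levels and s.risk not in p.risk_levels:
        return False
    return True


@dataclass
class Decision:
    outcome: str            # block | grant | prompt (required controls not yet satisfied)
    required: List[str]     # union of grant controls from enforced matching policies
    enforced: List[str]     # enforced policies that applied
    report_only: List[str]  # report-only policies that would have applied


def evaluate(policies: Sequence[Policy], s: SignIn) -> Decision:
    required, enforced, report_only, blocked = set(), [], [], False
    for p in policies:
        if not applies(p, s):
            continue
        if p.state == "reportOnly":
            report_only.append(p.name)
            continue
        enforced.append(p.name)
        blocked = blocked or p.block
        if p.require_mfa:
            required.add("mfa")
        if p.require_compliant_device:
            required.add("compliantDevice")
    if blocked:
        return Decision("block", sorted(required), enforced, report_only)
    satisfied = ("mfa" not in required or s.mfa_done) and \
                ("compliantDevice" not in required or s.device_compliant)
    return Decision("grant" if satisfied else "prompt", sorted(required), enforced, report_only)


# Constructed policy set.
POLICIES = (
    Policy("Require MFA for all users", require_mfa=True,
           exclude_users=frozenset({"breakglass@contoso.example"})),
    Policy("Block high-risk sign-ins", risk_levels=frozenset({"high"}), block=True),
    Policy("Salesforce off-network needs compliant device", apps=frozenset({"Salesforce"}),
           untrusted_locations_only=True, require_compliant_device=True),
    Policy("Report-only: MFA for admins", users=frozenset({"admin@contoso.example"}),
           require_mfa=True, state="reportOnly"),
)

if __name__ == "__main__":
    for s in (SignIn("alice@contoso.example", "Salesforce", "203.0.113.10", mfa_done=True),
              SignIn("alice@contoso.example", "Salesforce", "192.0.2.5", mfa_done=True),
              SignIn("bob@contoso.example", "Microsoft 365", "203.0.113.7", True, True, risk="high")):
        print(s.user, s.app, s.ip, evaluate(POLICIES, s))
```

The report-only state is the practical way to check a new policy's blast radius before enforcing it: the decision records which report-only policies would have applied without changing the outcome, which is the same signal the sign-in logs give you when piloting a policy.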
Note: Azure AD is a fundamental service for securing cloud applications and resources. Understanding its identity model is crucial for effective identity and access management.
Getting Started with Azure AD
To begin managing identities and access in Azure AD, consider the following steps:
- Create an Azure AD tenant if you don't have one.
- Add users and groups to your tenant.
- Configure authentication methods, including MFA.
- Register your applications and configure their access.
- Implement Conditional Access policies to enforce security.
Explore the sub-sections for detailed information on specific Azure AD identity components.