Introduction to Azure AD Identity
Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management service that helps your employees sign in to and access resources such as Microsoft 365, thousands of other SaaS applications, and even custom line-of-business applications.
It provides a robust set of features for managing user identities, ensuring secure access, and enabling seamless collaboration across your organization. This documentation will guide you through the essential aspects of Azure AD.
Core Concepts
- Tenants: Your dedicated instance of Microsoft Entra ID.
- Objects: Users, groups, applications, service principals, and devices.
- Authentication: The process of verifying who a user or service is.
- Authorization: The process of granting permissions to access resources.
- Conditional Access: Policies that enforce access controls based on conditions.
Getting Started
To begin using Azure AD, you typically need an Azure subscription or a Microsoft 365 subscription. You can then:
- Create a Tenant: If you don't have one already.
- Add Users: Invite users to your tenant.
- Configure Applications: Register and configure applications for single sign-on (SSO).
- Set Up Policies: Implement security and access policies.
Authentication Flows
Azure AD supports various authentication protocols and flows to accommodate different application types and scenarios. Key protocols include:
- OAuth 2.0: An authorization framework that enables applications to obtain limited access to user accounts in an HTTP service.
- OpenID Connect (OIDC): An identity layer built on top of the OAuth 2.0 protocol, enabling clients to verify the identity of the end-user based on the authentication performed by an authorization server.
- SAML 2.0: Security Assertion Markup Language, an XML-based standard for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider.
Common authentication flows include:
- Authorization Code Flow
- Implicit Flow (deprecated for new applications)
- Client Credentials Flow
- On-Behalf-Of Flow
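The Authorization Code Flow is the one most web and native applications use against Azure AD, and the parts an application must get right are the client-side checks: a PKCE code verifier/challenge pair, a state value that binds the callback to the session, a nonce that binds the ID token to the request, and claim validation on the returned ID token. The following is an added example written for this page, not code from Microsoft or from this documentation. It uses only the Python standard library, and the tenant id, client id, redirect URI and token contents are constructed placeholders; it builds the messages of the flow and performs the checks, while the HTTP calls and the RS256 signature check against the tenant's JWKS are deliberately left to the reader's HTTP/JWT library.

```python
import base64
import hashlib
import json
import secrets
import time
import urllib.parse

# Constructed placeholder tenant; a real app uses its own tenant id (or "common"/"organizations").
TENANT_ID = "00000000-0000-0000-0000-000000000000"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
AUTHORIZE_ENDPOINT = f"{AUTHORITY}/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = f"{AUTHORITY}/oauth2/v2.0/token"
JWKS_ENDPOINT = f"{AUTHORITY}/discovery/v2.0/keys"   # signing keys for verifying the RS256 signature
EXPECTED_ISSUER = f"{AUTHORITY}/v2.0"                 # 'iss' of v2.0 ID tokens for this tenant


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by PKCE and by JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pkce_pair() -> tuple:
    """code_verifier stays with the client; code_challenge goes in the authorize request (RFC 7636 S256)."""
    verifier = b64url(secrets.token_bytes(32))        # 43 characters, inside the allowed 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_matches(verifier: str, challenge: str) -> bool:
    """What the token endpoint does: recompute S256(verifier) and compare with the stored challenge."""
    recomputed = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, challenge)


def build_authorization_url(client_id, redirect_uri, scopes, state, nonce, code_challenge) -> str:
    """Step 1: redirect the browser here. state binds the callback to this session; nonce binds the ID token."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: read the code from the redirect. A state mismatch means this session did not start the flow."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if not secrets.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def token_request_body(client_id, redirect_uri, code, code_verifier) -> dict:
    """Step 3: form body POSTed to TOKEN_ENDPOINT; the verifier proves the same client started the flow."""
    return {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


def jwt_payload(id_token: str) -> dict:
    """Decode the middle segment of a compact JWT. Verify the signature (keys at JWKS_ENDPOINT) before trusting it."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def validate_id_token_claims(claims: dict, client_id: str, expected_nonce: str, now=None) -> dict:
    """Step 4: claim checks an app must still do after the signature verifies."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token was issued to a different client")
    if claims.get("tid") != TENANT_ID:
        raise ValueError("token from another tenant")
    if not secrets.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch: replayed or cross-session ID token")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims
```

The `state` and `nonce` values should be fresh random strings (for example `secrets.token_urlsafe(16)`) stored in the user's session before the redirect; the `tid` check matters for multi-tenant registrations, where a token from any tenant otherwise verifies cleanly.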
Authorization and Access Control
Once a user or service is authenticated, Azure AD determines what resources they can access and what operations they can perform. This is managed through:
- Roles: Built-in and custom roles that grant specific permissions.
- Groups: Assigning permissions to groups rather than individual users.
- Application Assignments: Granting users access to specific registered applications.
Managing Users and Groups
Effective identity management starts with well-organized users and groups.
User Management:
- Creating Users: Manually, via CSV import, or through directory synchronization.
- User Properties: Managing attributes like name, email, job title, etc.
- Licensing: Assigning licenses for access to services.
Group Management:
- Types of Groups: Security groups, Microsoft 365 groups.
- Group Scopes: Global, Universal, Domain Local.
- Dynamic Membership: Rules-based group membership.
Managing Applications
Azure AD acts as an identity provider for your applications, enabling single sign-on (SSO) and secure API access.
- App Registrations: Registering your applications to work with Azure AD.
- Enterprise Applications: Pre-integrated applications from the Azure AD gallery.
- API Permissions: Granting applications access to Microsoft Graph API and other resources.
Key Security Features
Azure AD offers advanced security features to protect your organization's identities and resources.
- Multi-Factor Authentication (MFA): Requiring multiple verification methods for sign-in.
- Conditional Access Policies: Granular control over access based on user, device, location, and application.
- Identity Protection: Detecting and responding to identity-based risks.
- Privileged Identity Management (PIM): Just-in-time (JIT) access and approval workflows for privileged roles.
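Conditional Access decisions are easier to reason about with a model of how several policies combine: every enabled policy whose conditions match the sign-in is evaluated, a block from any of them wins, and otherwise the grant controls of all matching policies must be satisfied, while report-only policies are recorded but not enforced. The block below is an added example written for this page, not Microsoft's engine or code from this documentation. The policy fields (users, applications, client app types, locations, grant controls, state) follow the vocabulary of the Conditional Access policy model, but the evaluation is a simplified model of it, and the policies, user names and sign-ins are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SignIn:
    """One sign-in attempt as the policy engine sees it (constructed inputs for the demo)."""
    user: str
    groups: set
    app: str
    client_app_type: str      # "browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"
    location: str             # a named location, or "unknown"
    device_compliant: bool
    mfa_done: bool


@dataclass
class Policy:
    name: str
    state: str = "enabled"    # "enabled", "disabled", "enabledForReportingButNotEnforced"
    include_users: set = field(default_factory=lambda: {"All"})   # user or group names, or "All"
    exclude_users: set = field(default_factory=set)
    include_apps: set = field(default_factory=lambda: {"All"})
    client_app_types: set = field(default_factory=lambda: {"all"})
    include_locations: set = field(default_factory=lambda: {"All"})
    exclude_locations: set = field(default_factory=set)
    action: str = "grant"     # "grant" (with controls) or "block"
    controls: set = field(default_factory=set)                     # e.g. {"mfa", "compliantDevice"}
    operator: str = "AND"     # "AND": all controls required; "OR": any one control suffices


# Simplified model of how a grant control is satisfied by the sign-in context.
CONTROL_CHECKS = {
    "mfa": lambda s: s.mfa_done,
    "compliantDevice": lambda s: s.device_compliant,
}


def _selected(include: set, exclude: set, candidates: set) -> bool:
    """Shared include/exclude test: excluded always wins, then 'All' or an explicit match."""
    if candidates & exclude:
        return False
    return "All" in include or bool(candidates & include)


def applies(p: Policy, s: SignIn) -> bool:
    """Do all of the policy's conditions match this sign-in?"""
    if not _selected(p.include_users, p.exclude_users, {s.user} | s.groups):
        return False
    if not _selected(p.include_apps, set(), {s.app}):
        return False
    if "all" not in p.client_app_types and s.client_app_type not in p.client_app_types:
        return False
    return _selected(p.include_locations, p.exclude_locations, {s.location})


def controls_satisfied(p: Policy, s: SignIn) -> bool:
    results = [CONTROL_CHECKS[c](s) for c in p.controls]
    return all(results) if p.operator == "AND" else any(results)


def evaluate(policies, s: SignIn) -> dict:
    """Combine all matching policies: block beats everything; otherwise every grant policy must be met."""
    outcome = {"decision": "grant", "missing": [], "matched": [], "report_only": []}
    for p in policies:
        if p.state == "disabled" or not applies(p, s):
            continue
        if p.state == "enabledForReportingButNotEnforced":
            outcome["report_only"].append(p.name)       # logged, never enforced
            continue
        outcome["matched"].append(p.name)
        if p.action == "block":
            outcome["decision"] = "block"
        elif outcome["decision"] != "block" and not controls_satisfied(p, s):
            outcome["decision"] = "challenge"           # user must satisfy the listed controls
            outcome["missing"].extend(sorted(c for c in p.controls if not CONTROL_CHECKS[c](s)))
    return outcome


def sample_policies():
    """Three constructed policies modelled on common baselines."""
    return [
        Policy(name="Require MFA for all users",
               exclude_users={"breakglass@contoso.example"},       # emergency access account
               controls={"mfa"}),
        Policy(name="Block legacy authentication",
               client_app_types={"exchangeActiveSync", "other"},   # clients that cannot do MFA
               action="block"),
        Policy(name="Require compliant device for Exchange (report-only)",
               state="enabledForReportingButNotEnforced",
               include_apps={"Office 365 Exchange Online"},
               controls={"compliantDevice"}),
    ]


if __name__ == "__main__":
    s = SignIn("alice@contoso.example", set(), "Office 365 Exchange Online", "browser", "unknown", False, False)
    print(evaluate(sample_policies(), s))
```

Running the demo shows a browser sign-in without MFA ending in a challenge with `mfa` missing and the report-only policy recorded but not enforced; changing `client_app_type` to `"other"` turns the same sign-in into a block even though the MFA policy also matched, which is the precedence rule worth remembering when reviewing overlapping policies.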
Getting Started Tutorials
Explore these quick start tutorials to get hands-on experience: