Identity Mechanism | Description |
---|---|
Azure Active Directory (Azure AD) | Microsoft's cloud-based identity and access management service. Provides authentication and authorization for Azure resources, Office 365, and other cloud applications. Supports SSO, MFA, RBAC, etc. |
Azure AD B2C | A separate service within Azure AD for customer-facing applications. Supports identity management and authentication for customers using social identity providers or local accounts. Allows customization of the user interface and user journeys. |
Azure AD Domain Services | Provides managed domain services like domain join, LDAP, Kerberos, and NTLM authentication in Azure. Allows Azure VMs to be joined to a domain without the need for domain controllers. |
Azure AD Managed Identities | Simplifies management of credentials used by Azure resources. Automatically handles rotation and renewal of credentials without requiring explicit management. |
Azure AD Application Proxy | Allows secure access to on-premises web applications from the cloud without requiring VPNs. Integrates with Azure AD for authentication and provides additional security features like pre-authentication and conditional access. |
Service Principal Authentication | Enables non-interactive access to Azure resources by applications and services. Typically used for automation tasks, background processes, or service-to-service communication. |
Role-Based Access Control (RBAC) | Built into Azure Resource Manager to control access to Azure resources. Enables administrators to grant specific permissions to users, groups, or applications at a specific scope. |
Azure Key Vault | Provides a secure store for keys, secrets, and certificates. Supports authentication using Azure AD, service principals, or managed identities for Azure resources. |
Managed Service Identity (MSI) | The original name for what is now called Managed Identities (the row above); the same feature. Automatically creates an identity for an Azure service instance and removes the need to store credentials for VMs, Azure Functions, and App Service instances. Two flavours: system-assigned (tied to the lifetime of one resource) and user-assigned (a standalone identity that can be attached to several resources). |
RBAC for Azure Kubernetes Service (AKS) | Controls access to resources within an AKS cluster. Allows fine-grained access control for managing Kubernetes resources like pods, services, and deployments. |
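The difference between the Managed Identity and Service Principal rows above is easiest to see in code. The following PowerShell is an added example and not part of the original page. It assumes the Az PowerShell module is installed, that it runs on an Azure VM with a system-assigned managed identity holding the "Key Vault Secrets User" role on the vault, and that the vault name, secret name, tenant ID and application ID are placeholders.

```powershell
# Added example (not from the original page). Vault, secret, tenant and app IDs are placeholders.
$vaultName  = "kv-prod-app01"          # placeholder
$secretName = "DbConnectionString"     # placeholder

# --- Option A: managed identity ------------------------------------------------
# No credential lives in the script. The token is issued by the Instance Metadata
# Service (IMDS), which is only reachable from inside the VM. Caveat: IMDS does not
# authenticate the caller, so any process on the VM that can reach 169.254.169.254
# can obtain this token; treat local code execution on the VM as identity compromise.
$imds  = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net'
$token = (Invoke-RestMethod -Uri $imds -Headers @{ Metadata = 'true' } -Method GET).access_token

# Call the Key Vault REST API directly with the bearer token.
$secretUri = "https://$vaultName.vault.azure.net/secrets/$secretName?api-version=7.4"
$secret    = Invoke-RestMethod -Uri $secretUri -Headers @{ Authorization = "Bearer $token" }
$secret.value

# Same thing through the Az module, which performs the IMDS call for you.
Connect-AzAccount -Identity | Out-Null
Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText

# --- Option B: service principal with a client secret --------------------------
# The older automation pattern. The client secret must be stored, distributed and
# rotated by you, and it works from anywhere on the internet until it is revoked.
# Prefer Option A whenever the workload runs inside Azure.
$tenantId = "00000000-0000-0000-0000-000000000000"   # placeholder
$appId    = "11111111-1111-1111-1111-111111111111"   # placeholder (application/client ID)
$clientSecret = Read-Host -AsSecureString -Prompt 'Client secret'   # never hard-code it
$cred = New-Object System.Management.Automation.PSCredential($appId, $clientSecret)
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenantId | Out-Null
Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText
```

Whichever option is used, the identity still needs an explicit Key Vault permission (an RBAC role such as "Key Vault Secrets User", or an access policy); authentication alone grants nothing.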
##############################################
# Azure Active Directory (Azure AD) Overview #
##############################################
1. What is Azure Active Directory?
- Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service.
- It provides centralized authentication and authorization for applications and services, both on-premises and in the cloud.
2. Key Features:
- Single Sign-On (SSO): Users can sign in once with their Azure AD credentials and access various applications without needing to re-enter their credentials.
- Multi-Factor Authentication (MFA): Adds an extra layer of security by requiring users to verify their identity using a second form of authentication.
- Application Management: Allows administrators to manage access to thousands of cloud-based and on-premises applications from a centralized location.
- Identity Protection: Helps detect and respond to potential identity-related risks and threats.
- Conditional Access: Enables policies that dynamically control access to applications and resources based on specific conditions like user location, device compliance, or risk level.
- Role-Based Access Control (RBAC): Allows administrators to assign specific roles to users or groups based on their responsibilities. Note that Azure AD roles (for example Global Administrator, User Administrator) govern the directory itself and are distinct from Azure RBAC, which governs Azure resources; a Global Administrator can, however, elevate to User Access Administrator over all subscriptions, so that role must be treated as owning both planes.
- Identity Governance: Provides capabilities for lifecycle management, access reviews, and privileged identity management to ensure secure and compliant access to resources.
3. Azure AD Editions:
- Azure AD Free: Provides basic identity and access management capabilities, including user and group management, self-service password reset for cloud-only users, security defaults (baseline MFA), and single sign-on to cloud applications.
- Azure AD Premium P1: Adds self-service group management, Conditional Access, full MFA controls, Application Proxy, and hybrid identity features such as password writeback.
- Azure AD Premium P2: Builds on P1 with Identity Protection (risk-based Conditional Access), Privileged Identity Management (PIM), and Identity Governance features such as access reviews and entitlement management.
4. Integration with Other Microsoft Services:
- Office 365: Azure AD serves as the identity provider for Office 365, enabling seamless access to services like Exchange Online, SharePoint Online, and Teams.
- Azure: Provides authentication and authorization for Azure resources, allowing users to sign in to Azure Portal and access resources like virtual machines, databases, and storage accounts.
- Microsoft 365: Integrates with Microsoft 365 services, enabling unified identity and access management across Office 365, Windows 10, and Enterprise Mobility + Security (EMS) components.
5. Integration with Non-Microsoft Services:
- Azure AD supports standards-based authentication protocols like OAuth 2.0, OpenID Connect, and SAML, allowing integration with thousands of SaaS applications, including Salesforce, Dropbox, and ServiceNow.
- Provides APIs and SDKs for custom application development, enabling developers to build applications that leverage Azure AD for authentication and authorization.
6. Identity Federation:
- Azure AD supports federation with other identity providers, allowing users to sign in using their existing corporate credentials.
- Supports federation standards like SAML 2.0 and WS-Federation, enabling seamless integration with on-premises identity systems and third-party identity providers.
Category | Subcategory | Description |
---|---|---|
Default Directory | Overview | General overview of the default directory |
Default Directory | Preview features | Features available in preview |
Default Directory | Diagnose and solve problems | Tools for diagnosing and solving issues |
Manage | Users | Management of user accounts |
Manage | Groups | Management of groups |
Manage | External Identities | Management of external (B2B guest) user identities |
Manage | Roles and administrators | Management of directory roles and their assignments |
Manage | Administrative units | Management of administrative units (scoping role assignments to a subset of users, groups or devices) |
Manage | Delegated admin partners | Management of delegated admin partners |
Manage | Enterprise applications | Management of enterprise applications (service principals in this tenant) |
Manage | Devices | Management of devices |
Manage | App registrations | Management of application registrations |
Manage | Identity Governance | Management of identity governance features |
Manage | Application proxy | Management of application proxy settings |
Manage | Custom security attributes | Management of custom security attributes |
Manage | Licenses | Management of licenses |
Manage | Cross-tenant synchronization | Management of synchronization across tenants |
Manage | Microsoft Entra Connect (formerly Azure AD Connect) | Management of hybrid synchronization from on-premises Active Directory |
Manage | Custom domain names | Management of custom domain names |
Manage | Mobility (MDM and WIP) | Management of mobile device management and Windows Information Protection settings |
Manage | Password reset | Management of password reset settings |
Manage | User settings | Management of user settings |
Manage | Properties | Management of directory properties |
Manage | Security | Security settings: Conditional Access, Identity Protection, authentication methods, named locations |
Monitoring | Sign-in logs | Interactive and non-interactive sign-in activity |
Monitoring | Audit logs | Directory change activity (who changed what) |
Monitoring | Provisioning logs | Activity of user provisioning to applications |
Monitoring | Health (Preview) | Monitoring of directory health (preview) |
Monitoring | Log Analytics | Analysis of directory logs |
Monitoring | Diagnostic settings | Configuration of log export (to Log Analytics, a storage account, or Event Hubs) |
Monitoring | Workbooks | Management of log analysis workbooks |
Monitoring | Usage & insights | Insights into directory usage |
Monitoring | Bulk operation results (Preview) | Management of bulk operation results (preview) |
Troubleshooting + Support | New support request | Creation of a new support request |
Azure AD Connect:
Azure AD Connect synchronizes users, groups and (optionally) password hashes from on-premises Active Directory to Azure AD.
In simple words: to synchronize the on-prem environment to the cloud, use Azure AD Connect.
Setup steps (wizard on a domain-joined server):
1. Next --> Next; confirm that Active Directory Domain Services is reachable from the server.
2. Click Install, then choose the sign-in method (for example Password Hash Synchronization; tick "Enable single sign-on" if Seamless SSO is wanted).
3. Connect to Azure AD now.
Note: the Azure AD account used here must hold the Global Administrator role (the Hybrid Identity Administrator role is also sufficient and is the least-privileged choice).
4. Click Connect / Next and make sure the connection succeeds before continuing.
5. Click Add Directory to connect the on-prem forest.
6. Choose an existing account; the username is entered as DOMAIN\username (this on-prem account needs permissions for the features selected, for example Enterprise Admin for express settings).
7. Ensure the UPN suffix is verified as a custom domain in Azure AD; otherwise users are synced with an onmicrosoft.com UPN.
8. Domain and OU filtering: sync all domains and OUs, or only selected OUs (recommended: only the OUs that contain accounts that need cloud access).
9. Click Next --> Next.
10. To enable Seamless SSO, the wizard asks for on-prem Domain Administrator credentials (not Azure AD credentials); it uses them to create the AZUREADSSOACC computer account in the forest.
11. After syncing, the on-prem users appear in Azure AD. Select a synced user and grant the access needed to perform activity in the cloud (Azure AD roles or Azure RBAC on subscriptions and resources).
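Once the wizard has finished, the sync can be checked from both sides. The following PowerShell is an added example and not part of the original notes. It assumes it runs on the Azure AD Connect server (the ADSync module ships with the connector), that the Microsoft Graph PowerShell SDK is installed for the cloud-side check, and that the UPN shown is a placeholder.

```powershell
# Added example (not from the original notes). Run on the Azure AD Connect server.
Import-Module ADSync

# 1. Scheduler state: is the sync cycle enabled, how often does it run (default 30 min),
#    and is the server in staging mode (staging exports nothing to Azure AD)?
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval,
                  NextSyncCycleStartTimeInUTC, StagingModeEnabled, SyncCycleInProgress

# 2. Force a delta sync now, but never start one while a cycle is already running.
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Warning "A sync cycle is already in progress; not starting another."
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 3. Cloud side: confirm the user arrived and is flagged as synced from on-prem.
#    OnPremisesImmutableId is the base64 objectGUID that anchors the cloud object
#    to the on-prem account; a cloud-only user has it empty.
Connect-MgGraph -Scopes "User.Read.All" | Out-Null
Get-MgUser -UserId "jdoe@contoso.com" `
    -Property "UserPrincipalName,OnPremisesSyncEnabled,OnPremisesLastSyncDateTime,OnPremisesImmutableId" |
    Select-Object UserPrincipalName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime, OnPremisesImmutableId
```

If OnPremisesSyncEnabled is empty or false for a user you expected, the usual causes are OU filtering (the account's OU was not selected) or the account having an unverified UPN suffix.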
Azure Subscription: how we provide users with access in an Azure subscription.
Access is assigned at a scope, and an assignment is inherited by everything below it:
- Management group level (groups subscriptions; roughly the cloud analogue of an OU, but it contains subscriptions, not users)
- Subscription level
- Resource group level
- Resource level
Built-in roles: Owner, Contributor, Reader (plus User Access Administrator, which manages assignments only)
Service-specific roles: Virtual Machine Contributor, Backup Operator
Custom RBAC: a custom role definition listing Actions, NotActions and AssignableScopes, for when no built-in role is narrow enough. Assign at the narrowest scope that works; Owner or Contributor at subscription scope should be the exception.
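The custom-role and scope points above, shown end to end. The following PowerShell is an added example and not part of the original notes. It assumes the Az PowerShell module, that Connect-AzAccount has already been run as a user holding Owner or User Access Administrator on the target resource group, and that the subscription ID, resource group name and group object ID are placeholders.

```powershell
# Added example (not from the original notes). IDs and names below are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-prod-web"                             # placeholder
$operatorsGroup = "11111111-1111-1111-1111-111111111111"   # placeholder: Azure AD group object ID

# Least-privilege custom role: read, start, stop and restart VMs, nothing else.
# Virtual Machine Contributor would also allow create/delete and disk/NIC changes,
# which an on-call operator does not need.
$roleJson = @"
{
  "Name": "VM Operator (custom)",
  "IsCustom": true,
  "Description": "Read, start, restart and deallocate virtual machines. No create or delete.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
  ]
}
"@
$roleFile = Join-Path $env:TEMP "vm-operator-role.json"
Set-Content -Path $roleFile -Value $roleJson -Encoding UTF8

# Create the role definition (AssignableScopes limits where it can ever be assigned).
New-AzRoleDefinition -InputFile $roleFile

# Assign it to a group, not to individual users, at resource group scope.
New-AzRoleAssignment -ObjectId $operatorsGroup `
                     -RoleDefinitionName "VM Operator (custom)" `
                     -ResourceGroupName $resourceGroup

# Check: who holds Owner or Contributor directly at subscription scope?
# Inherited assignments from a management group also show up, so filter on Scope.
Get-AzRoleAssignment -Scope "/subscriptions/$subscriptionId" |
    Where-Object { $_.RoleDefinitionName -in @("Owner", "Contributor") -and
                   $_.Scope -eq "/subscriptions/$subscriptionId" } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

Re-run the last query periodically; a growing list of Owners at subscription scope is the most common way least privilege erodes in Azure.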