April 17, 2024

Azure Identity and Access Management

RBAC (role-based access control) – Offers fine grained access management of your Azure resources. It is an authorization system build on Azure Resource Manager. E.g. you can assign a group of users to only manage a Virtual Machine (VM) resource and you can assign a single user to only manage the SQL database resource. Authorization an also be applied at the Resource Group level.

Azure Active Directory – Is Microsoft’s cloud-based identity and access management service. Users can be allowed to sign-in and access resources. You can use this to control internal and external resources e.g. Microsoft Office 365.

IT Admins will typically use Azure AD to control access to applications and to application resources. They may also enforce Multi-factor Authentication (MFA) and automate user provisioning.

Application developers will often use Azure AD to add single sign-on to their apps, allowing them to log-on using their Google credentials for example.

Subscribers to services like Microsoft 365, Office 365, and Azure are automatically Azure AD tenants.

Azure Active Directory B2B (Business-to-Business) – Allows organizations to securely share their apps and services with guest users from other external organizations, while allowing the, to retain control over their data. It provides a invitation and redemption process that allows external users to user their own credentials to access partner resources.

Azure Active Directory B2C (Business-to-Customer) – Provides business-to-customer identity as a service. Users can access the organization’s applications via single sign-on using their existing credentials from trusted providers. Azure AD B2C supports standard authentication protocols such as OAuth2, Open ID Connect, and SAML.

Azure Active Directory Domain Services (AADDS) – Is a cloud offering that provides managed domain services to organizations who use it. It offers features such as domain join, LDAP, Kerberos and NTLM authentication that’s compatible with traditional on-premise Active Directory. It also provides group policy support. Using this cloud offering means you can get the benefits of Active Directory without having to deploy, manage, or patch domain controllers. Azure ADDS can also integrate with your existing AD tenant to allow your existing users to sign-in with their existing credentials. Access to resources can be controlled through existing groups and user accounts as well. AADDS can synchronize and replicate with existing on-premise AD. Synchronization is achieved using a tool called Azure AD Connect. This helps you achieve a hybrid environment with your on-premise AD and Azure AD Domain Services.

Azure Multi-Factor Authentication (MFA) – allows organizations to enforce two-step verification (or multi-step verification). So rather than just using a traditional username/password, MFA requires user to provide two or more authentication methods such as something the user knows (e.g. username/password), something they possess (e.g. a mobile phone, something they are (e.g. biometrics).

The level of features you get for Azure Multi-Factor-Authentication depends on your subscription: