Introduction to Azure Identity
Identity is a critical component of cloud security and access management. In Azure, identity serves as the new security perimeter, allowing you to assign permissions to various resources without relying solely on network-based security. This module will cover the fundamentals of identity in Azure, including:
- Azure Active Directory (now called Microsoft Entra ID)
- How Entra ID relates to Azure subscriptions
- Conditional access
- Just-in-time permissions through Privileged Identity Management
Why We Need Identities
Identities are necessary to provide different levels of access to services and resources. The goal is to give each identity the minimum set of permissions required to perform its function, following the principle of least privilege. This approach helps reduce risk by limiting the potential impact of accidental or malicious actions.
Permissions are grouped into role definitions (for example Reader, Contributor, Owner), which are then assigned to security principals (users, groups, service principals, managed identities) at a particular scope: management group, subscription, resource group, or individual resource. An assignment is inherited by every scope beneath it, so a role granted at the subscription applies to every resource group and resource in that subscription; assign at the narrowest scope that does the job.
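To make the role, principal and scope model concrete, here is an added example (not Microsoft's code) that evaluates an authorization request the way Azure RBAC does: a role definition lists Actions and subtracts NotActions, an assignment binds a principal or group to a role at a scope, and the assignment is inherited down the scope tree. The role definitions are abridged from the built-in roles; the subscription ID, resource group names, principals, group membership and assignments are constructed for the illustration.

```python
from fnmatch import fnmatchcase

# Added example, not Microsoft code: a small model of Azure RBAC evaluation.
# Role definitions are abridged from the built-in roles; everything else
# (subscription ID, principals, groups, assignments) is constructed.

ROLE_DEFINITIONS = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [  # Contributor may change resources but not who has access
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "not_actions": [],
    },
    "Virtual Machine Contributor": {  # abridged
        "actions": ["Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "not_actions": [],
    },
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
PROD_RG = SUB + "/resourceGroups/prod-rg"
DEV_RG = SUB + "/resourceGroups/dev-rg"
PROD_VM = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/web01"
DEV_VM = DEV_RG + "/providers/Microsoft.Compute/virtualMachines/web02"

# Constructed group memberships: an assignment to a group applies to its members.
GROUP_MEMBERS = {"vm-operators": {"bob"}}

# Constructed role assignments: (principal or group, role, scope).
ROLE_ASSIGNMENTS = [
    ("alice", "Reader", SUB),
    ("vm-operators", "Virtual Machine Contributor", PROD_RG),
    ("carol", "Contributor", SUB),
    ("dave", "Contributor", SUB),
    ("dave", "User Access Administrator", SUB),
]


def scope_contains(assignment_scope: str, target_scope: str) -> bool:
    """An assignment at a scope applies to that scope and every scope beneath it."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def _matches(patterns, action: str) -> bool:
    # Azure action strings are case-insensitive and '*' matches any characters.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def principals_for(principal: str):
    """The principal itself plus every group it is a member of."""
    return {principal} | {g for g, members in GROUP_MEMBERS.items() if principal in members}


def is_allowed(principal: str, action: str, target_scope: str) -> bool:
    """True if any in-scope role assignment grants the action.

    NotActions only subtract from the role that lists them; they are not a deny,
    so a second role on the same principal can still grant the action.
    (Azure deny assignments are a separate mechanism and are not modelled here.)
    """
    identities = principals_for(principal)
    for who, role, scope in ROLE_ASSIGNMENTS:
        if who not in identities or not scope_contains(scope, target_scope):
            continue
        definition = ROLE_DEFINITIONS[role]
        if _matches(definition["actions"], action) and not _matches(definition["not_actions"], action):
            return True
    return False


if __name__ == "__main__":
    print(is_allowed("alice", "Microsoft.Compute/virtualMachines/read", PROD_VM))        # True
    print(is_allowed("bob", "Microsoft.Compute/virtualMachines/start/action", DEV_VM))   # False: wrong scope
    print(is_allowed("carol", "Microsoft.Authorization/roleAssignments/write", SUB))     # False: NotActions
    print(is_allowed("dave", "Microsoft.Authorization/roleAssignments/write", SUB))      # True: second role
```

The last two calls show the point practitioners most often get wrong: Contributor's NotActions stop Contributor itself from handing out access, but they are not a deny, so Contributor plus User Access Administrator (which is effectively what Owner is) can write role assignments. Scope inheritance is the other thing to check: bob's group assignment at prod-rg grants nothing in dev-rg.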
Types of Identities
There are several types of identities in Azure:
- Human users
- Applications
- Automation/scripts
- Devices
Each type of identity should have its own account rather than borrowing a human user's credentials: a dedicated identity per application or automation job keeps audit logs attributable to one actor and lets its permissions be scoped and revoked independently.
Identity Providers
An identity provider (IdP) is the central store of identities: it holds the security principals (users, groups, service principals), authenticates them, and issues tokens that applications trust. Microsoft Entra ID serves as the enterprise identity provider for Azure and other Microsoft cloud services.
Decentralized Identity
While not the primary focus for most Azure scenarios, it's worth being aware of decentralized identity concepts:
- Users own and control their identity information
- Verifiable credentials issued by trusted entities
- Users choose what information to share with verifiers
- Based on open standards and decentralized systems
Microsoft offers Entra Verified ID as a solution in this space, but it's not required for most Azure implementations.
Microsoft Entra ID (formerly Azure AD)
Microsoft Entra ID is the cloud-based identity and access management service for Azure and other Microsoft cloud platforms. Key points include:
- Required for all Microsoft cloud services (Azure, Microsoft 365, Dynamics 365)
- Each organization has its own Entra tenant
- Provides single sign-on to thousands of pre-integrated SaaS applications through the application gallery, as well as to custom applications
- Uses web protocols: OpenID Connect and OAuth 2.0 for modern apps, SAML and WS-Federation for older ones
- Offers different licensing tiers (Free, P1, P2, Entra Suite)
Entra ID vs. Active Directory Domain Services
Entra ID is not simply Active Directory running in the cloud. Key differences include:
- Entra ID speaks web protocols over HTTPS (OpenID Connect, OAuth 2.0, SAML) and is managed through the Microsoft Graph REST API; AD uses Kerberos, NTLM and LDAP, which assume network reachability of a domain controller
- Entra ID has a flat structure (administrative units can delegate scope, but there are no OUs); AD is hierarchical with OUs
- Entra ID focuses on authenticating users and apps to cloud services; AD also manages devices on the on-premises network through Group Policy, a job Entra ID leaves to MDM tools such as Intune
Getting Entra ID
Most organizations already have an Entra tenant if they use any Microsoft cloud services. You can add custom domain names to your tenant so users sign in with their own domain (user@yourdomain.com) instead of the default yourtenant.onmicrosoft.com name.
Entra ID Objects
Users
Users represent individual human identities and should not be used for applications or automation. Key points:
- Can be cloud-only or synchronized from on-premises AD
- Have attributes like display name, user principal name, and department
- Can be assigned directly to roles (though group assignment is preferred)
Groups
Groups help manage collections of users for easier permission management. Types include:
- Security groups: Used for assigning permissions
- Microsoft 365 groups: Used for collaboration in M365 apps
Dynamic groups can automatically add/remove members based on user attributes.
Service Principals
Service principals represent identities for applications, automation, or services. They can be:
- Application registrations: for custom-developed apps. Registering creates an application object and a service principal (the enterprise application) in your tenant; the app authenticates with a client secret or, preferably, a certificate, which you must store, protect and rotate
- Managed identities: identities that Azure creates and maintains for resources such as VMs, Functions and App Service. The platform owns the credential and its rotation, so nothing is stored in code or configuration; use them whenever the workload runs in Azure
Devices
Devices can have different states in Entra ID:
- Registered: typically a personal (BYOD) device; the user signs in to the device with a local or personal account and registers it with a work account so Entra ID knows about it
- Joined: an organization-owned device joined directly to Entra ID; users sign in to the device with their Entra ID account
- Hybrid joined: joined to on-premises AD and also registered with Entra ID, so it can satisfy device-based Conditional Access
Synchronization with On-Premises AD
Many organizations synchronize their on-premises Active Directory with Entra ID:
- AD remains the source of truth for synchronized objects; attribute changes must be made on-premises, because edits to synced attributes in Entra ID are blocked or overwritten on the next sync cycle
- Entra Connect (server-based) or Entra Connect cloud sync (lightweight agents) handle synchronization
- Sync rules map on-premises attributes to Entra ID attributes and decide which objects are in scope
Authentication Options
Entra ID supports multiple authentication methods:
- Cloud authentication: for cloud-only accounts, the password is stored and verified in Entra ID
- Password hash synchronization (PHS): Entra Connect takes the on-premises NT hash, salts it per user and re-hashes it (PBKDF2-HMAC-SHA256), then syncs the result; the cleartext password never leaves the network, and sign-in keeps working even if on-premises AD is unreachable
- Pass-through authentication (PTA): lightweight agents on-premises validate the password against a domain controller, so no password material is stored in the cloud, but sign-in depends on those agents being up
- Federation: authentication is delegated to a separate identity system (e.g., AD FS); this is the most infrastructure to run and the broadest attack surface, since whoever controls the federation signing key can mint tokens for any user
Password hash sync is generally recommended for most scenarios. Even when you use PTA or federation, enabling PHS alongside gives a fallback if the on-premises path fails and enables leaked-credential detection in Entra ID Protection.
Multifactor Authentication (MFA) and Strong Authentication
MFA significantly improves security by requiring multiple forms of verification:
- Something you know (password)
- Something you have (phone, token)
- Something you are (biometric)
Strong authentication methods like Windows Hello for Business and FIDO2 security keys provide phishing-resistant options.
Conditional Access
Conditional Access is a powerful feature that allows you to enforce specific requirements when accessing resources. Policies can be based on:
- User or group membership
- Network location (named locations defined as IP ranges or countries, optionally marked as trusted)
- Device
- Application
- Real-time risk detection
Controls can include requiring MFA, requiring a compliant or hybrid-joined device, limiting access to specific client apps, or blocking access entirely. All enabled policies that match a sign-in are enforced together: a block in any of them wins, otherwise the user must satisfy every control the matching policies require. Exclude at least one emergency-access (break-glass) account from every policy, and use report-only mode to see a policy's impact before enforcing it.
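The following added example (not Microsoft's code) models how Conditional Access combines policies for a single sign-in: each policy's assignments (users and groups with exclusions, apps, named locations, sign-in risk) decide whether it applies, and then every applicable enabled policy is enforced together, with block taking precedence over grant controls and report-only policies recorded but not enforced. The policies, users, group names, the "MicrosoftAdminPortals" app label and the IP ranges (RFC 5737 documentation addresses) are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not Microsoft code: a model of Conditional Access evaluation.
# Policies, users, groups, app names and IP ranges are constructed.

RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Named locations are IP ranges; "corp-hq" stands in for an office egress range.
NAMED_LOCATIONS = {"corp-hq": [ipaddress.ip_network("203.0.113.0/24")]}


@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    ip: str
    device_compliant: bool
    sign_in_risk: str = "none"                    # "none" | "low" | "medium" | "high"
    satisfied: set = field(default_factory=set)   # controls already met, e.g. {"mfa"}


@dataclass
class Policy:
    name: str
    grant: set                                    # required controls, or {"block"}
    state: str = "enabled"                        # "enabled" | "reportOnly" | "disabled"
    include_users: set = field(default_factory=lambda: {"All"})
    exclude_users: set = field(default_factory=set)
    include_groups: set = field(default_factory=set)
    include_apps: set = field(default_factory=lambda: {"All"})
    exclude_locations: set = field(default_factory=set)
    min_risk: str = "none"                        # applies when sign-in risk >= this level


def in_location(ip: str, name: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in NAMED_LOCATIONS[name])


def applies(p: Policy, s: SignIn) -> bool:
    """Assignment conditions: user/group, app, location and risk. Exclusions win."""
    if p.state == "disabled" or s.user in p.exclude_users:
        return False
    if not ("All" in p.include_users or s.user in p.include_users or s.groups & p.include_groups):
        return False
    if "All" not in p.include_apps and s.app not in p.include_apps:
        return False
    if any(in_location(s.ip, loc) for loc in p.exclude_locations):
        return False
    return RISK_LEVELS[s.sign_in_risk] >= RISK_LEVELS[p.min_risk]


def evaluate(policies, s: SignIn):
    """Return (decision, unmet_controls, report_only_hits).

    Every enabled policy that applies is enforced together: a block in any of
    them wins; otherwise the sign-in must satisfy the union of the grant
    controls. Report-only policies are recorded but never enforced.
    """
    required, report_only, blocked = set(), [], False
    for p in policies:
        if not applies(p, s):
            continue
        if p.state == "reportOnly":
            report_only.append(p.name)
        elif "block" in p.grant:
            blocked = True
        else:
            required |= p.grant
    if blocked:
        return "block", set(), report_only
    satisfied = s.satisfied | ({"compliantDevice"} if s.device_compliant else set())
    unmet = required - satisfied
    return ("grant" if not unmet else "challenge"), unmet, report_only


POLICIES = [
    # The emergency-access account is excluded so a policy mistake cannot lock everyone out.
    Policy("Require MFA for all users", grant={"mfa"}, exclude_users={"breakglass@contoso.example"}),
    Policy("Block admin portals outside corp-hq", grant={"block"}, include_users=set(),
           include_groups={"privileged-admins"}, include_apps={"MicrosoftAdminPortals"},
           exclude_locations={"corp-hq"}),
    Policy("Require compliant device for admin portals", grant={"compliantDevice"}, include_users=set(),
           include_groups={"privileged-admins"}, include_apps={"MicrosoftAdminPortals"}),
    Policy("Block high-risk sign-ins", grant={"block"}, min_risk="high"),
    Policy("Require phishing-resistant MFA for admins", grant={"phishingResistantMfa"},
           state="reportOnly", include_users=set(), include_groups={"privileged-admins"}),
]

if __name__ == "__main__":
    admin = SignIn("bob@contoso.example", {"privileged-admins"}, "MicrosoftAdminPortals",
                   "203.0.113.10", device_compliant=True, satisfied={"mfa"})
    print(evaluate(POLICIES, admin))   # ('grant', set(), ['Require phishing-resistant MFA for admins'])
```

Two things the model makes visible that are easy to miss when reading policies one at a time: the admin from the corporate range is granted only because both the MFA policy and the compliant-device policy are satisfied at once, and the same admin from any other address is blocked outright regardless of MFA. Real Conditional Access also evaluates client app type, device platform, and session controls, which are left out here.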
Privileged Identity Management (PIM)
PIM enables just-in-time privileged access to Entra and Azure resources:
- Roles are assigned as eligible rather than permanently active; users request temporary elevation when they need it
- Activation can require MFA, a justification, a ticket number, and approval by someone other than the requester
- Time limits on privileged access; the activation expires automatically
- Audit history of role activations, plus alerts for roles assigned outside PIM or left permanently active
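To show what just-in-time elevation actually enforces, here is an added example (not Microsoft's code) that models PIM's eligible-versus-active distinction: an eligible assignment grants nothing until it is activated, activation is checked against the role's settings (maximum duration, MFA, justification, approval by a different person), the active assignment expires on its own, and every activation and expiry lands in an audit trail. The principals, role names, settings and the injectable clock are constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Added example, not Microsoft code: a model of PIM just-in-time elevation.
# Principals, roles, settings and the clock are constructed for the walkthrough.


class ActivationError(Exception):
    """Raised when an activation request violates the role's settings."""


class Pim:
    def __init__(self, clock):
        self._clock = clock      # zero-arg callable returning an aware datetime
        self.eligible = {}       # (principal, role) -> activation settings (standing state)
        self.active = {}         # (principal, role) -> expiry time (always time-bound)
        self.audit = []          # append-only history of activations and expiries

    def make_eligible(self, principal, role, max_hours=8, require_mfa=True, require_approval=False):
        self.eligible[(principal, role)] = {
            "max_hours": max_hours, "require_mfa": require_mfa, "require_approval": require_approval}

    def activate(self, principal, role, hours, justification, mfa_verified, approver=None):
        settings = self.eligible.get((principal, role))
        if settings is None:
            raise ActivationError(f"{principal} is not eligible for {role}")
        if not justification.strip():
            raise ActivationError("justification is required")
        if not 0 < hours <= settings["max_hours"]:
            raise ActivationError(f"duration must be between 1 and {settings['max_hours']} hours")
        if settings["require_mfa"] and not mfa_verified:
            raise ActivationError("MFA is required to activate")
        if settings["require_approval"] and (approver is None or approver == principal):
            raise ActivationError("approval by a different approver is required")
        expires = self._clock() + timedelta(hours=hours)
        self.active[(principal, role)] = expires
        self.audit.append({"event": "activated", "principal": principal, "role": role,
                           "justification": justification, "approver": approver,
                           "expires": expires.isoformat()})
        return expires

    def has_role(self, principal, role):
        """Active only until expiry; the expiry is recorded when first observed."""
        expires = self.active.get((principal, role))
        if expires is None:
            return False
        if self._clock() >= expires:
            del self.active[(principal, role)]
            self.audit.append({"event": "expired", "principal": principal, "role": role})
            return False
        return True


class FakeClock:
    """Controllable time source so the walkthrough can advance time deterministically."""
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, **delta):
        self.now += timedelta(**delta)


def activation_error(pim, *args, **kwargs):
    """Return the rejection message for an activation attempt, or None if it succeeded."""
    try:
        pim.activate(*args, **kwargs)
    except ActivationError as exc:
        return str(exc)
    return None


def walkthrough():
    clock = FakeClock(datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc))
    pim = Pim(clock)
    pim.make_eligible("alice", "Owner", max_hours=4, require_mfa=True, require_approval=True)
    r = {"before": pim.has_role("alice", "Owner")}                     # False: eligible is not active
    r["no_mfa"] = activation_error(pim, "alice", "Owner", 2, "INC-1234", False, approver="bob")
    r["self_approval"] = activation_error(pim, "alice", "Owner", 2, "INC-1234", True, approver="alice")
    r["too_long"] = activation_error(pim, "alice", "Owner", 8, "INC-1234", True, approver="bob")
    r["activated"] = activation_error(pim, "alice", "Owner", 2, "INC-1234 restore prod DB", True, approver="bob")
    r["during"] = pim.has_role("alice", "Owner")                       # True for the next two hours
    clock.advance(hours=3)
    r["after"] = pim.has_role("alice", "Owner")                        # False: expired, logged
    r["events"] = [e["event"] for e in pim.audit]
    return r


if __name__ == "__main__":
    print(walkthrough())
```

The walkthrough rejects three requests before accepting one: no MFA, self-approval, and a duration over the role's maximum. Those are the settings to review on real PIM roles, together with alerts on assignments made outside PIM, since a permanent active assignment silently bypasses everything modelled here.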
Administrative Units
Administrative units allow you to delegate permissions over a subset of resources:
- Restrict administrative scope for certain roles
- Useful for regional or departmental administration
- Requires Entra ID P1 licensing
External Identities (B2B)
External identities enable collaboration with partners and vendors:
- Invite external users to your Entra tenant
- External users authenticate with their own credentials
- Your organization retains control over what the external user can access
Customer Identity Access Management (CIAM)
For customer-facing applications, Entra External ID (Microsoft's successor to Azure AD B2C for customer identity) provides:
- Support for social identity providers (Microsoft, Google, Facebook, etc.)
- Custom branding and sign-up/sign-in flows
- Integration with custom identity providers
Entitlement Management
Entitlement management allows you to create access packages that bundle resources (groups, apps, SharePoint sites) for easier governance:
- Define policies for who can request access
- Implement approval workflows
- Set up automatic expiration and reviews
Conclusion
Azure identity and access management through Microsoft Entra ID provides a comprehensive set of tools for securing your cloud resources. By understanding and properly implementing these features, you can create a robust and flexible identity foundation for your Azure environment.
Article created from: https://www.youtube.com/watch?v=megA6BPpYqo