S11 Slides


Azure AD

Memi Lavi
www.memilavi.com
Azure AD

• Short for Azure Active Directory

• Central identity and access management cloud service

• Used to manage access to thousands of apps

• Among them – the Azure Portal

• Secure, robust, intelligent


Azure AD

• Advanced features:
• MFA
• Conditional Access
• Device management
• Hybrid identity
• Identity protection
• Monitoring and reports
• And lots more…
Azure AD

• We’re interested mainly in:

• Control access to Azure resources

• By setting up users, groups, roles

• Not entirely architecture- and dev-related, but still important

• Use Azure AD to add authentication to our apps

• Can be done also via Azure AD B2C


Azure AD Figures

• Integrates with more than 2,800 apps

• Manages more than 1.2 billion identities

• Processes over 8 billion authentications every day

• Secured by 3,500 security experts at Microsoft

• …which invests more than $1bn annually in cybersecurity

• The largest identity and access management service in the world


Tenant

• A specific instance of Azure AD containing accounts and groups

• Also called a Directory

• Is NOT part of the subscription hierarchy

• Exists beside the subscription

• For new subscriptions, a new tenant is created automatically

• A tenant can be assigned to multiple subscriptions


Tenant

[Diagram: the Azure AD Tenant sits beside the Subscription; the Subscription contains the Resource Groups]


Users and Groups

• Two of the main three objects managed by Azure AD

• The 3rd one is Roles (later…)

• Manages and stores the users that are part of the tenant

• Organizes the users into Groups

• Examples: IT Admins, Developers, etc.

• Allows assigning roles to groups instead of to each user


Azure AD Licenses

• Azure AD Licenses have a great effect on the functionality and price of Azure AD

• Important to understand the differences and recommend the right solution
Azure AD Licenses

Feature                               Free                 Premium 1                    Premium 2

Max Objects                           500,000              Unlimited                    Unlimited
Users & Groups                        X                    X                            X
MFA                                   X (All or nothing)   X (With Conditional Access)  X (With Conditional Access)
Dynamic Groups                                             X                            X
Conditional Access                                         X                            X
Risk Detection                                                                          X
Risk based Conditional Access                                                           X
Privileged Identity Management (PIM)                                                    X
Price                                 Free                 $6 user / month              $9 user / month
Azure AD Security Defaults
• Increases protection of the organization in the Free tier
• Adds preconfigured security settings:
• Requiring all users to use MFA (blocks 99.9% of account compromises)
• Blocks legacy authentication
• And more…
• No additional cost (so…still free ☺)
• For more fine-grained management – use Conditional Access (P1)
RBAC in Azure
• In order to perform any operation, or access any data in Azure, you have to have the appropriate role
• If you want to:
• Create resource groups
• Access data in SQL
• See metrics of App Service
• … then you have to have the right role
• If you don’t – you’ll get an empty portal
RBAC in Azure
• In general, three types of roles:

Owner         Can perform any action on the resource, including assigning roles to it
Contributor   Can perform any action on the resource, but cannot assign roles to it
Reader        Can only view data, but cannot change anything
RBAC in Azure
• Examples:

Virtual Machine Contributor   Can manage virtual machines
Cosmos DB Account Reader      Can read Azure Cosmos DB account data
Service Bus Data Owner        Allows full access to Service Bus resources
RBAC in Azure
[Diagram: users in the Azure AD Tenant (Jane, David, Rachel) are assigned Azure Roles (Owner, Reader), and each Role grants Authorizations in Azure (Change, Assign Roles, View Data)]

RBAC in Azure

• It’s always better to assign roles to groups and not individual users

• Easier maintenance
Managed Identities

• The ability to assign an Azure AD identity to an Azure resource

• The resource can connect to other Azure resources using this identity

• No need to handle credentials (usernames, passwords etc.)


Managed Identities

• Two types of Managed Identities:

• System assigned – Managed by Azure, tied to the resource’s lifecycle (when the resource is deleted – so is the identity)

• User assigned – Managed by the user. Can be assigned to multiple resources, not tied to any lifecycle


Managed Identities

• Resources that can be assigned Managed Identity:

• App Service

• Virtual Machine

• Event Grid

• Function

• And more…
Managed Identities

• Resources that can be authorized using Managed Identity:


• SQL
• Event Hubs
• Service Bus
• Storage
• Key Vault
• And more…
Using Azure AD on Our App

• Azure AD can be used as an authentication engine for other apps

• Not just the Azure Portal

• It can be used on our own app!


Using Azure AD on Our App

• The process:

• Register the app in Azure AD

• Add code to use Azure AD as the authentication engine

• For App Services – can be configured via the Portal


Using Azure AD on Our App

• The authentication:

• Uses OAuth and JWT


Azure AD B2C

• Identity-as-a-service for your application

• A Business-to-Customer (B2C) service

• Enables integrating identity services in your app

• Works with various identity providers

• Provides various user flows

• Enables customization
Azure AD B2C

• Identity services provided by Azure AD B2C:

• Sign Up

• Sign In

• Log Out

• Reset Password

• And more…
Azure AD B2C vs Azure AD

Azure AD:
- Identity Provider (holds users’ details)
- A single tenant can be used for authentication by many apps (Azure Portal, Office 365, Business App)

Azure AD B2C:
- Identity Service (used to perform identity-related actions)
- Works with various identity providers (the identity providers used by Azure AD B2C)
- Used by business apps (e.g. App #3) as the identity component
Authentication Features

• MFA

• Conditional Access

• Audit Log

• Custom policies

• Custom pages

• And more…
Authentication Features

• Quite complex to set up

• A lot of moving parts

• We won’t demonstrate it…


Cloud Architecture

[Diagram: Azure AD Authentication placed in front of the App Gateway of the course's sample architecture, alongside the Service Endpoint, Peering, Event Grid Topic, NSGs, Function App (Order Processing), Storage Account, App Service (Inventory App), AKS (Cart App), VMs (Weather API, Catalog App), Cosmos DB (Cart), ACR (Docker), Redis and Azure SQL]
Syncing Azure AD with On Prem

• Many organizations want to sync their on prem Active Directory with Azure AD

• Useful when the organization has apps on prem and in cloud and wants to have a single user base


AD Connect
Authentication with AD Connect

Password Hash Sync   The passwords are copied to Azure AD, authentication happens in the cloud
Pass-Through         Passwords stay on-prem, Azure AD passes data to on-prem for validation
