You have probably worked on a web, desktop or mobile application that required users to register and log in before using its functionality.
You may have used many different services for sign-in and access management. Some people use Identity Server, others develop their own login and access management service.
The fundamentals of sign-in and access management are the same whether you develop your own service or use an external one. The purpose of the service is simple: grant access only to authenticated users, and only to what they are authorized for.
But if you build this access management service yourself, you also need to know what kinds of security attacks it will face and how you are going to keep your applications safe from them.
So most developers and organizations now understand that, instead of reinventing the wheel, it is better to use an existing login service so that they can focus on the business functionality of the application.
Azure AD is an identity and access management service that you can use in your cloud-based applications.
What is Azure AD?
Azure Active Directory is Microsoft's Azure-based identity and access management service. It enables your employees and customers to sign in and access resources. The resources can be internal, such as your organization's applications on the intranet or internet, or external, for example Office 365 or the Azure Portal.
You can use the various Microsoft Cloud for Enterprise Architects Series posters to better understand the core identity services in Azure, Azure AD, and Office 365.
You can use Azure Active Directory to authenticate and authorize web, desktop and mobile applications.
There are different pricing tiers for Azure AD. Many features are available in Azure AD Free. There are also two premium editions, P1 and P2, and a "Pay as you go" option. For details about pricing and what is included in each tier, refer to the Azure documentation.
How can it be used?
IT administrators can use Azure AD to control (grant or revoke) access to resources.
Application developers can use Azure AD as the login and access management service to add Single Sign-On to their applications, which lets them focus on the application's business functionality. Azure also provides APIs for building a personalized app experience.
As a subscriber, you’re already using Azure AD. Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an Azure AD tenant. You can immediately start to manage access to your integrated cloud apps.
Identity and access management is a very complex topic in itself. We need to understand a few terms before starting work with any identity and access management service. Let's have a look at some of the basic ones.
Identity
Anything that can be authenticated.
It can be a user with a username and password. It may also be an application or server that authenticates with a password or a secret key.
Account
An identity that has some data associated with it. If the identity does not exist, the account does not exist.
Azure AD Account
This is also called a Microsoft Work or School account.
This refers to an identity created using Azure AD or another Microsoft cloud service, e.g. Office 365. All such identities are stored in Azure AD and are accessible to your organization's cloud service subscriptions.
Azure subscription
This is used to pay for Azure cloud services. You may have one or more subscriptions, and each of them is linked to a credit card.
Azure tenant
This refers to a dedicated and trusted instance of Azure AD that is created automatically when you sign up for a Microsoft cloud service subscription (e.g. Azure, Intune or Office 365).
An Azure tenant represents a single organization.
Any Azure tenant that accesses other services in a dedicated environment is considered single-tenant.
Any Azure tenant that accesses other services in a shared environment, across multiple organizations, is considered multi-tenant.
Azure AD Directory
Each Azure tenant has a dedicated and trusted Azure AD directory.
Like on-premises Active Directory, the Azure AD directory includes the tenant's users, groups and apps. This information is used to perform identity and access management functions for the tenant's resources.
Custom domain
If you already own a website, you probably know the concept of domains.
Every Azure AD directory comes with an initial domain name of the form domainname.onmicrosoft.com. In addition to this name, you can add your organization's own domain names, which may include your brand name.
Adding a custom domain helps you create user names that are familiar to your users.
Account Administrator
This is the classic role that is the billing owner of a subscription. It enables you to manage all subscriptions in an account and has access to the Azure Account Center.
For more details, refer to the documentation on Classic subscription administrator roles, Azure role-based access control (RBAC) roles, and Azure AD administrator roles.
Service Administrator
This classic role enables you to manage all Azure resources, including access to those resources. It is equivalent to a user with the Owner role at subscription scope.
For more information, see Classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles.
Owner
This role enables you to manage all Azure resources, including access.
It is built on the newer authorization system, role-based access control (RBAC). For more information, see Classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles.
Azure AD Global administrator
This role is automatically assigned to the person who creates the Azure AD tenant. Global administrators can perform any administrative function in Azure AD and in any service that federates with Azure AD.
This role is called Company Administrator in the Microsoft Graph API and in Azure PowerShell.
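Because the role appears under its legacy name in PowerShell, a periodic review of who holds it has to look for "Company Administrator". The following is an added example (not from the article) using the AzureAD PowerShell module; the warning threshold of five is an assumption, not a value from the page.

```powershell
# Added example: list Global Administrators of the signed-in tenant.
# Assumes the AzureAD module is installed (Install-Module AzureAD) and an
# account with permission to read directory roles.
Connect-AzureAD | Out-Null

# Get-AzureADDirectoryRole exposes the Global Administrator role under its
# legacy display name, which is why the filter matches "Company Administrator".
$role = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -eq 'Company Administrator' }

if (-not $role) {
    throw 'Global Administrator role not found in this tenant.'
}

# Members can be users, groups or service principals; show what kind each is.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
$members | Select-Object DisplayName, UserPrincipalName, ObjectType | Format-Table

# Review check: the set of Global Administrators should be small and known.
# The threshold of 5 is an assumed value for this example, not a Microsoft limit.
$limit = 5
if ($members.Count -gt $limit) {
    Write-Warning ("{0} Global Administrators found (expected at most {1}); " +
                   "review whether each assignment is still required.") -f $members.Count, $limit
}
```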
Microsoft Account (aka MSA)
These are personal accounts that provide access to Microsoft's products and cloud services. Your Microsoft account details are stored in the Microsoft consumer identity account system, which is run by Microsoft.
You may have an @outlook.com or @hotmail.com account. Both are Microsoft accounts, as they enable you to use Microsoft products.
I hope you enjoyed this article. Let me know your thoughts.