Azure Identity Management

The heart of Azure Identity Management is Azure Active Directory (Azure AD). It is used for identity management on all Microsoft cloud business services such as O365 and Dynamics, and to sign in to Azure itself; all these applications trust Azure AD. On-premises Active Directory can also be connected to Azure AD via Azure AD Connect to create a hybrid directory with a single point of administration. User sign-in options include password synchronisation, pass-through authentication and federation with AD FS. Azure AD can be managed from the Portal, PowerShell, the Azure CLI and programmatically using the Graph API.

Role Based Access Control (RBAC)

Azure has three main built-in roles: Owner, Contributor and Reader. More granular, resource-specific roles are also provided, such as ‘Virtual Machine Contributor’ or ‘User Access Contributor’, allowing a user to perform only specific duties. Custom roles can also be created.

Access to resources is granted by assigning a user, group or ‘service principal’ (an identity for a process or application) to a specific role at a specific scope. The scope can be a subscription, a resource group or an individual resource (e.g. a VM).
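
The following is an added example (not part of the original article) that models how a role assignment at a scope is evaluated: permissions flow down from subscription to resource group to resource, and a role grants an action only if it matches the role's Actions and none of its NotActions. The role definitions are a constructed, simplified subset of the built-in roles, and the subscription id and principal names are placeholders.

```python
from fnmatch import fnmatchcase

# Constructed subset of the built-in role definitions (Actions / NotActions).
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*"], "not_actions": []},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id

# Constructed role assignments: a principal is bound to a role at a scope.
ASSIGNMENTS = [
    {"principal": "alice", "role": "Owner", "scope": SUB},
    {"principal": "carol", "role": "Contributor", "scope": SUB},
    {"principal": "bob", "role": "Virtual Machine Contributor",
     "scope": SUB + "/resourceGroups/rg-app"},
]

def in_scope(assignment_scope, resource_scope):
    """An assignment applies at its own scope and at everything beneath it."""
    a, r = assignment_scope.lower().rstrip("/"), resource_scope.lower()
    return r == a or r.startswith(a + "/")

def matches(action, patterns):
    """Action strings are case-insensitive; '*' is a wildcard."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_permits(role, action):
    """A role grants an action if it is in Actions and not in NotActions."""
    d = ROLES[role]
    return matches(action, d["actions"]) and not matches(action, d["not_actions"])

def is_allowed(principal, action, resource_scope, assignments=ASSIGNMENTS):
    """Effective permission: any in-scope assignment that permits the action."""
    return any(in_scope(a["scope"], resource_scope) and role_permits(a["role"], action)
               for a in assignments if a["principal"] == principal)

if __name__ == "__main__":
    vm = SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"
    # VM Contributor scoped to rg-app can act on vm1, but not on another group's VM
    print(is_allowed("bob", "Microsoft.Compute/virtualMachines/start/action", vm))
    print(is_allowed("bob", "Microsoft.Compute/virtualMachines/start/action",
                     vm.replace("rg-app", "rg-other")))
    # Contributor can manage resources but cannot grant access (NotActions)
    print(is_allowed("carol", "Microsoft.Authorization/roleAssignments/write", SUB))
```

Running the script shows why Contributor rather than Owner is the safer default for operators: it can manage resources but cannot hand out new role assignments.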

Azure AD also supports multi-factor authentication via phone call, SMS or the Microsoft Authenticator app. It can be configured to behave differently on the corporate network than from home, and Azure AD can be configured with trusted IPs. You can also set specific access conditions, e.g. users working from home can be required to complete multi-factor authentication. You can also act on a specific sign-in risk level or restrict access to users on managed devices only.

Activity Logging

An activity log enables you to track access activity and changes to access rights.

External Access

External parties can also be given access to Azure AD, which is enabled via Azure B2B. To do this, a role is assigned to the external user and an email address is entered so that they are sent an invitation to join.