Tutorial / Cram Notes
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps organizations manage users and the resources those users can access. Azure AD identities are the core of the service — they represent the user accounts and other identity objects that are created, managed, and used for authentication and authorization to resources in Azure, Microsoft 365, and a wide range of third-party SaaS applications.
Types of Azure AD Identities
User Identities
Work or School Account (Organizational Identity):
This is the identity created by the organization’s administrator. It’s used by employees, students, or members to access resources owned by the organization.
Guest Account (External Identity):
Guest users from outside the organization can be given access to resources using Azure AD B2B (business-to-business). These could be partners, vendors, or customers.
Device Identities
Devices can also be registered with or joined to Azure AD, so that Conditional Access policies can ensure that only trusted devices are able to reach certain resources.
Managed Identities
System-assigned Identity:
This is a type of identity that is automatically created and managed by Azure for a specific Azure resource. It is tied to the lifecycle of this resource.
User-assigned Identity:
This is a type of managed identity that an Azure administrator can create and assign to multiple resources. It has its own lifecycle independent of the resources it’s assigned to.
Service Principals
A service principal is an identity used by applications or services to access specific Azure resources. Think of it as a user identity (username and password or certificate) for an application.
Managed Identities for Azure Resources
Managed identities for Azure resources is a feature of Azure AD that provides Azure services with an automatically managed identity in Azure AD. It authenticates to any service that supports Azure AD authentication without needing credentials in the code.
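The "no credentials in the code" point is easiest to see in the token request itself. The following is an added example, not code from the original notes: it builds the request a workload sends to the Azure Instance Metadata Service (IMDS) for a managed identity token and parses the response; the sample response is constructed, and the resource, token and client id values are placeholders.

```python
# Added example (not from the original notes): how a workload running on an Azure
# resource obtains a token with its managed identity. The request goes to the Azure
# Instance Metadata Service (IMDS) and carries no secret; the platform attests which
# resource is asking. The only difference between the two identity kinds is that a
# user-assigned identity must be selected by its client_id.
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"


def build_token_request(resource, client_id=None):
    """Return (url, headers) for an IMDS token request.

    client_id=None   -> system-assigned identity (the resource's own identity)
    client_id="..."  -> user-assigned identity, chosen by its client id
    """
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # The 'Metadata: true' header is mandatory; IMDS rejects requests without it, so a
    # request relayed through a browser or proxy that cannot set headers is refused.
    return url, {"Metadata": "true"}


def parse_token_response(body):
    """Pull out what a caller needs from the IMDS JSON response."""
    data = json.loads(body)
    return {
        "token_type": data["token_type"],
        "resource": data["resource"],
        "client_id": data.get("client_id"),  # identity that was actually used
        "expires_on": datetime.fromtimestamp(int(data["expires_on"]), tz=timezone.utc),
        "access_token": data["access_token"],
    }


def get_token(resource, client_id=None, timeout=2):
    """Live call: works only from inside an Azure resource that has a managed identity."""
    url, headers = build_token_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode())


# Constructed sample response for offline use; the token and client id are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "<placeholder-jwt>", "expires_in": "3599", "expires_on": "1700003599",
    "resource": "https://management.azure.com/", "token_type": "Bearer",
    "client_id": "<user-assigned-client-id-placeholder>",
})
```

Because the token is issued to the resource rather than to a stored secret, rotating or revoking it is handled by the platform; the workload only ever holds a short-lived bearer token.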
Azure AD Identity Features
Authentication:
Azure AD provides authentication using a variety of methods including password, multi-factor authentication (MFA), Windows Hello for Business, and FIDO2.
Single Sign-On (SSO):
Azure AD enables SSO, allowing users to sign in once with one account and access all the organization’s applications and resources.
Multi-factor Authentication (MFA):
MFA provides additional security by requiring two or more elements for verification, which could include something you know (password), something you are (biometrics), or something you have (a trusted device).
Conditional Access:
Conditional access policies can be set up in Azure AD to automatically enforce access requirements such as MFA, compliant devices, or location constraints.
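To make the "users, applications, locations, device state" scoping concrete, here is an added example (not code from the original notes) that models how the grant controls of every applicable policy are checked against a sign-in. The policies follow the Microsoft Graph conditionalAccessPolicy shape; the two policies, the sign-in records, the HR_APP id and the evaluation logic are constructed for illustration and simplify the real service.

```python
# Added example (not from the original notes): a simplified model of how Conditional
# Access decides whether a sign-in satisfies the grant controls of every policy that
# applies to it. Policies use the Microsoft Graph conditionalAccessPolicy shape; the
# policies, sign-in records and evaluation logic are constructed for illustration.

HR_APP = "hr-app-placeholder-id"  # placeholder application id, not a real one

# Constructed policies: guests need MFA everywhere; anyone opening the HR app from
# outside the trusted network needs a compliant device.
POLICIES = [
    {"displayName": "Guests: require MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["GuestsOrExternalUsers"]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "HR app: compliant device off-network", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": [HR_APP]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]


def _matches(cond, signin):
    """True when the sign-in falls inside the policy's user, app and location scope."""
    inc_users = cond["users"]["includeUsers"]
    user_ok = ("All" in inc_users or signin["user"] in inc_users
               or (signin["is_guest"] and "GuestsOrExternalUsers" in inc_users))
    inc_apps = cond["applications"]["includeApplications"]
    app_ok = "All" in inc_apps or signin["app"] in inc_apps
    loc = cond.get("locations", {})
    in_scope = "All" in loc.get("includeLocations", ["All"])
    # "AllTrusted" in excludeLocations removes sign-ins coming from trusted named locations.
    excluded = signin["trusted_network"] and "AllTrusted" in loc.get("excludeLocations", [])
    return user_ok and app_ok and in_scope and not excluded


def unsatisfied_policies(signin, policies=POLICIES):
    """Names of applicable policies whose grant controls the sign-in has not met.

    An empty list means access is granted. controls_satisfied lists the controls
    the session already presents, e.g. ["mfa"] or ["compliantDevice"].
    """
    have = set(signin["controls_satisfied"])
    blocking = []
    for p in policies:
        if p["state"] != "enabled" or not _matches(p["conditions"], signin):
            continue
        need = set(p["grantControls"]["builtInControls"])
        # "AND" requires every listed control; "OR" requires at least one of them.
        met = need <= have if p["grantControls"]["operator"] == "AND" else bool(need & have)
        if not met:
            blocking.append(p["displayName"])
    return blocking
```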
Role-Based Access Control (RBAC):
Azure AD allows for RBAC wherein users are assigned to roles that have predefined permissions, ensuring they only have access to the information and functions they need.
Identity Protection:
Azure AD Identity Protection uses automated risk detections to help identify identity-based risks (such as suspicious sign-ins or leaked credentials), lets administrators investigate and manage those risks, and can automate the response to them.
Comparison Between Identity Types
| Identity Type | Description | Use Case Scenario |
|---|---|---|
| Work or School Account | Used by internal users (employees/students) | Access Office 365, Azure resources |
| Guest Account | External users accessing the organization’s resources | Collaborating with external partners |
| Device Identity | Represents a device in Azure AD | Device-based Conditional Access policies |
| System-assigned Managed ID | Identity tied to a resource’s lifecycle | Access Azure services without storing credentials in code |
| User-assigned Managed ID | Reusable identity across multiple resources | Multiple Azure resources needing the same identity |
| Service Principal | Application or service identity | Services accessing other Azure services |
Azure AD identities are fundamental for security and governance in cloud environments and are a critical component for any Azure AD deployment. It is essential for users preparing for the SC-900 Microsoft Security, Compliance, and Identity Fundamentals exam to understand the various Azure AD identities and their use cases, as well as the features and capabilities that Azure AD provides for managing and securing these identities.
Practice Test with Explanation
True or False: Azure Active Directory (AD) is a cloud-based identity and access management service that helps employees sign in and access resources.
- True
- False
Answer: True
Explanation: Azure AD is Microsoft’s cloud-based identity and access management service, which helps users sign in and access both external resources such as Microsoft Office 365, and internal resources such as apps on your corporate network and intranet.
Single Select: What is the main purpose of Azure AD B2C?
- To enable single sign-on for internal corporate applications.
- To manage digital identities of consumer users for applications.
- To improve the security of on-premises infrastructure.
- To connect enterprise directories with Azure AD.
Answer: To manage digital identities of consumer users for applications.
Explanation: Azure AD B2C (Business to Consumer) is designed to provide identity and access management solutions for customer-facing applications, allowing businesses to manage consumer identities at scale.
True or False: In Azure AD, a guest user can be added from any organization, even if it doesn’t use Azure AD.
- True
- False
Answer: True
Explanation: Azure AD allows you to add guest users from any organization, and this includes users who do not have Azure AD accounts. This feature is part of Azure AD’s B2B collaboration capabilities.
Multiple Select: Which of the following are types of identities that can be managed by Azure AD? (Select all that apply)
- Device identities
- User identities
- Application identities
- On-premises identities
Answer: Device identities, User identities, Application identities, On-premises identities
Explanation: Azure AD can manage different types of identities, including device identities, user identities, application identities, and it can also integrate with on-premises Active Directory to synchronize identities.
Single Select: What is Azure AD Domain Services primarily used for?
- To provide a Kubernetes identity service for containerized applications.
- To offer a domain join service for servers running on Azure.
- To extend on-premises Active Directory to the cloud for traditional domain-joined services.
- To synchronize Azure Active Directory with other cloud identity providers.
Answer: To extend on-premises Active Directory to the cloud for traditional domain-joined services.
Explanation: Azure AD Domain Services provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory but are hosted in Azure.
True or False: Only global administrators can manage Azure AD roles and role assignments.
- True
- False
Answer: False
Explanation: While global administrators have the highest level of privileges, including managing roles and assignments, other administrative roles in Azure AD also have the permission to manage specific roles and role assignments related to their responsibilities.
Single Select: What feature does Azure AD provide to support single sign-on (SSO)?
- Multi-Factor Authentication (MFA)
- B2B collaboration
- Privileged Identity Management (PIM)
- Seamless SSO
Answer: Seamless SSO
Explanation: Seamless Single Sign-On (Seamless SSO) is a feature of Azure AD that enables users to automatically sign in when they are on their corporate devices, connected to their corporate network.
True or False: Azure AD Connect is used to integrate on-premises directories with Azure Active Directory.
- True
- False
Answer: True
Explanation: Azure AD Connect is a tool that connects on-premises directories like Windows Server Active Directory with Azure Active Directory, enabling you to provide a common identity for users for both cloud and on-premises resources.
Multiple Select: Which of the following are functions of Azure AD Privileged Identity Management (PIM)? (Select all that apply)
- Enforces Multi-Factor Authentication (MFA) for sensitive roles
- Manages the lifecycle of external user identities
- Provides just-in-time privileged access to Azure AD and Azure resources
- Allows discovery of shadow IT by analyzing cloud apps usage
Answer: Enforces Multi-Factor Authentication (MFA) for sensitive roles, Provides just-in-time privileged access to Azure AD and Azure resources
Explanation: Azure AD Privileged Identity Management (PIM) enhances security by providing just-in-time privileged access and requiring Multi-Factor Authentication (MFA) to activate any roles.
True or False: Conditional Access policies in Azure AD cannot apply to specific applications.
- True
- False
Answer: False
Explanation: Conditional Access policies in Azure AD can be very granular, including being able to apply to specific applications, users, locations, and device states.
Single Select: Which Azure AD feature uses machine learning to identify and block potentially compromised identities?
- Azure AD Identity Protection
- Azure AD Connect Health
- Azure AD B2C
- Azure AD Domain Services
Answer: Azure AD Identity Protection
Explanation: Azure AD Identity Protection uses machine learning to detect irregularities in sign-in behavior and can automatically block or take appropriate remedial action on potentially compromised identities.
Interview Questions
What is an Azure AD user?
An Azure AD user is a user account that is used to access Azure services and other Microsoft services like Microsoft 365, Dynamics 365, and Power Platform.
What is an Azure AD group?
An Azure AD group is a collection of user accounts, other groups, and service accounts that are used to assign permissions and access rights to resources in Azure and other Microsoft services.
What are the different types of groups in Azure AD?
There are two types of groups in Azure AD: security groups and Microsoft 365 groups. Security groups are used for assigning access to resources, while Microsoft 365 groups are used for collaboration and sharing in Microsoft 365.
What is an Azure AD service account?
An Azure AD service account is a type of account that is used to run services or applications, rather than for interactive sign-in by a user. These accounts are typically used for automating tasks or integrating with other services.
What is an Azure AD device?
An Azure AD device is a device that is registered with Azure AD, allowing it to be managed and monitored by administrators. Devices can include Windows PCs, servers, mobile devices, and other IoT devices.
What is a device identity in Azure AD?
A device identity is a unique identifier that is assigned to a device when it is registered with Azure AD. This identity is used to authenticate the device and authorize it to access resources.
What is device management in Azure AD?
Device management in Azure AD refers to the tools and features that allow administrators to manage and monitor devices that are registered with Azure AD. This can include features like remote wipe, conditional access, and device compliance policies.
What is Azure AD Connect?
Azure AD Connect is a tool that is used to synchronize on-premises Active Directory with Azure AD, allowing users, groups, and other objects to be managed from a single location.
What is an Azure AD guest user?
An Azure AD guest user is a user account that is created in Azure AD for someone who does not have a primary account in the directory. Guest users can be invited to collaborate on Microsoft 365 content or other Azure AD resources.
What is Azure AD B2B?
Azure AD B2B is a feature that allows organizations to collaborate with users outside of their own organization, by inviting them to access resources in their Azure AD tenant. This can include partners, vendors, or customers.
Azure AD identities are essential for managing access to resources in the Azure ecosystem.
Can anyone explain the difference between Azure AD identities and traditional on-prem AD identities?
What role do service principals play in Azure AD identities?
I appreciate this blog post!
How do managed identities simplify resource management in Azure?
Is it possible to sync on-prem AD identities with Azure AD?
What is the significance of MFA in Azure AD identities?
Thanks for the helpful information!