azure:az-500:alt:identity_and_access_management

azure:az-500:alt:identity_and_access_management [2023/01/24 16:16] – [Azure AD] mmuze
azure:az-500:alt:identity_and_access_management [2023/02/11 21:02] (current) – [Identity and Access Management] mmuze
Line 1: Line 1:
 ====== Identity and Access Management ====== ====== Identity and Access Management ======
 +  * [[https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles]]
   * [[azure:az-500:alt:role_based_access_control|Role Based Access Control/RBAC]]   * [[azure:az-500:alt:role_based_access_control|Role Based Access Control/RBAC]]
   * [[azure:az-500:alt:hybrid_identity|Hybrid Identity]]   * [[azure:az-500:alt:hybrid_identity|Hybrid Identity]]
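Review bot: the link added at the top of this list is a bare URL, while the two items beneath it use labelled DokuWiki links (`[[azure:az-500:alt:role_based_access_control|Role Based Access Control/RBAC]]`); give the new item a label in the same `[[url|label]]` form so the list renders consistently and the reader can tell what the learn.microsoft.com article covers without following it.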
Line 7: Line 8:
   * Because Azure AD is HTTP/HTTPS based, it does not use Kerberos authentication. Instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for authorization).   * Because Azure AD is HTTP/HTTPS based, it does not use Kerberos authentication. Instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for authorization).
   * MFA is supported for free tier AAD by way of //Security Defaults//.   * MFA is supported for free tier AAD by way of //Security Defaults//.
-      * //Security Defaults// is a built-in set of protections against identity based attacks.+      * //Security Defaults// is a built-in set of protections against identity-based attacks. 
 +  * **//[[https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-delegated-administration-primer|delegated administration]]//** is the term for how a //CSP (Cloud Solution Provider)// can be given roles that allow them to administer services on behalf of the customer. 
 + 
 + 
 +==== Security Principle ==== 
 +> Security principal: An Azure security principal is a security identity that user-created apps, services, and automation tools use to access specific Azure resources. Think of it as a "user identity" (username and password or certificate) with a specific role, and tightly controlled permissions. A security principal should only need to do specific things, unlike a general user identity. It improves security if you grant it only the minimum permission level that it needs to perform its management tasks. A security principal used with an application or service is called a service principal. 
  
 ===== Authentication Methods ===== ===== Authentication Methods =====
-===Azure AD Pass-through Authentication===+===Azure AD Pass-through Authentication (PTA)=== 
 +Using PTA AAD passes authentication attempts to an agent running on an on-prem server that passes it to an on-prem Windows Server AD. 
 >Provides a simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. The servers validate the users directly with your on-premises Active Directory, which ensures that the password validation doesn't happen in the cloud. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use this authentication method. >Provides a simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. The servers validate the users directly with your on-premises Active Directory, which ensures that the password validation doesn't happen in the cloud. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use this authentication method.
 +
 +=== Azure AD password hash synchronization ===
 +Password hash sync works by running the **Azure AD Connect** service on a server on-prem that syncs user and password hashes to AAD.
 +
 +>The simplest way to enable authentication for on-premises directory objects in Azure AD. Users can use the same username and password that they use on-premises without having to deploy any additional infrastructure. Some premium features of Azure AD, like Identity Protection and Azure AD Domain Services, require password hash synchronization, no matter which authentication method you choose.
 ====== AAD Roles ====== ====== AAD Roles ======
 +  * AAD Roles are generally assigned to individual users, but some groups are given a special designation that allows roles to be assigned to them.
 +    * These must be cloud groups created directly in AAD, **not** synced security groups from Windows AD.
 +    * The members must be directly assigned to the group—not dynamic groups.
 +  * AAD does not have organizational units (OUs)—it has a flat structure. But it does have **Administrative Units** that certain roles can be assigned to.
  
 > The **Account Administrator** is the user that initially signed up for the Azure subscription, and is responsible as the billing owner of the subscription. > The **Account Administrator** is the user that initially signed up for the Azure subscription, and is responsible as the billing owner of the subscription.
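Review bot: the new heading `==== Security Principle ====` misspells the term; the quoted definition directly beneath it uses "security principal" throughout, so the heading should read `==== Security Principal ====` (and sit at the same heading level as its neighbours, since it is a sub-topic of the identity list above rather than of Authentication Methods). Two smaller points in the same hunk: the added PTA sentence "Using PTA AAD passes authentication attempts to an agent running on an on-prem server that passes it to an on-prem Windows Server AD" needs a comma after "PTA" and "them" instead of "it", and the new AAD Roles bullets use em dashes ("group—not dynamic groups", "(OUs)—it has") where the rest of the page uses plain commas or semicolons.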
Line 52: Line 70:
  
 ==== Types ==== ==== Types ====
-  * **System-assigned.** Some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, an identity is created in Azure AD. The identity is tied to the lifecycle of that service instance. When the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.+  * **System-assigned.** Some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, an identity is created in Azure AD. The identity is tied to the lifecycle of that service instance. When the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD
   * **User-assigned.** You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more instances of an Azure service. For user-assigned managed identities, the identity is managed separately from the resources that use it.   * **User-assigned.** You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more instances of an Azure service. For user-assigned managed identities, the identity is managed separately from the resources that use it.
 +
 +=== Examples of System-assigned ===
 +  * A VM accessing an Azure Key Vault
 +  * A VM accessing Azure Storage
 +  * A //Azure App Service// accessing an Azure Key Vault
  
  
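Review bot: the only change to the **System-assigned** bullet is the loss of the final full stop ("...request tokens from Azure AD" now ends without punctuation), which looks accidental; restore the period so the bullet matches the **User-assigned** one below it. In the new Examples list, "A //Azure App Service//" should read "An //Azure App Service//".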
Line 75: Line 98:
   * Application permissions are used by apps that run without a signed-in user present, for example, apps that run as background services or daemons.   * Application permissions are used by apps that run without a signed-in user present, for example, apps that run as background services or daemons.
  
 +====== Access Reviews ======
 +  * Requires a P2 license
 +
 +====== Microsoft Entra Verified ID ======
 +
 +====== Passwordless authentication ======
 +
 +====== User Management ======
 +  * Deleted users and M365 groups can be restored (undeleted) for up to 30 days.
 +  * Deleted Security Groups cannot be restored.
 +
 +====== Guest Access ======
 +  * The default user/guest collaboration settings allow any user (including B2B guest uers) to invite guest users.
 +  * When inviting guests is limited to certain admin roles those roles include Global Administrator, User Administrator, and Guest Inviter.
 ====== Related ====== ====== Related ======
 +  * [[azure:az-500:alt:hybrid_identity|Hybrid Identity]]
   * [[azure:az-500:alt:azure_storage|Azure Storage]]   * [[azure:az-500:alt:azure_storage|Azure Storage]]
  
  
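Review bot: the two new top-level headings `====== Microsoft Entra Verified ID ======` and `====== Passwordless authentication ======` have no body at all; either add at least a one-line description under each or leave them out until there is content, since empty sections read as finished topics in the page outline. Also in this hunk: "guest uers" should be "guest users"; the second Guest Access bullet needs a comma ("When inviting guests is limited to certain admin roles, those roles include ..."); "Requires a P2 license" under Access Reviews should say which product's P2 tier is meant, as "P2" alone is ambiguous; and the Hybrid Identity link added to the Related list duplicates the same link already present in the list at the top of the page.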
  • azure/az-500/alt/identity_and_access_management.1674576966.txt.gz
  • Last modified: 2023/01/24 16:16
  • by mmuze