Differences

This shows you the differences between two versions of the page.

--- azure:az-500:manage_azure_active_directory_azure_ad_identities [2022/06/23 00:52] – [Managed Identity] mmuze
+++ azure:az-500:manage_azure_active_directory_azure_ad_identities [2022/07/22 13:44] (current) – mmuze
@@ Line 1: / Line 1: @@
 ====== § Manage Azure Active Directory (Azure AD) identities ======
+  * [[azure:az-500:az-500_certification|AZ-500 Certification]]
+  * [[azure:az-500:identity_access_management|Identity & Access Management]]
   * Create and manage a managed identity for Azure resources
   * Manage Azure AD groups
@@ Line 6: / Line 9: @@
   * Manage administrative units
-  * [[azure:az-500:az-500_certification|AZ-500 Certification]]
-  * [[azure:az-500:identity_access_management|Identity & Access Management]]
   * AAD does not use Kerberos or NTLM like traditional on-prem AD, instead it uses protocols like, OAuth, SAML, OpenID and WS-Federation.
   * Best Practice: Limit Global Administrator to 5 or less users in an organization.
@@ Line 17: / Line 17: @@
     * Authentication is handled by the third-party provider and authorization is handled by the AAD that is granting access.
-===== Users & Groups =====
+====== Users & Groups ======
   * There are two group types in AAD
-    * Security groups
+    * **Security groups** - Azure AD Security Groups are analogous to Security Groups in on-prem Windows Active Directory. They are Security Principals, which means they can be used to secure objects in Azure AD.
-    * Microsoft 365 groups
+    * **Microsoft 365 groups** - are a membership object in Microsoft 365 that eases the task of ensuring a group of people have consistent permissions to a group of related resources.
+      * [[https://docs.microsoft.com/en-us/microsoft-365/community/all-about-groups]]
+      * The group's files are in SharePoint, the real time collaboration is in Teams, the email discussions are in Exchange, but they're all secured and managed as a Microsoft 365 Group.
+      * used for collaboration
 ====== Managed Identity ======
   * A **Managed Identity** is a way for a compute resource (e.g. VM, logic app, app service, function, etc) get access to credentials/security principle without dealing with storing them. This eliminates the problem with having credentials stored in a config file somewhere that could be compromised.
+  * [[https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview]]
+  * There are **system assigned** managed identities and **user assigned** managed identities.
+  * With system assigned managed identity there is a one-to-one relationship between a resource that needs a security principle and the security principle.
+  * With a user assigned managed identity multiple resources (e.g. VMs in scale-set) can share a single security principle.
+  * A **Managed Identity** is a way of avoid embedding credentials in application code.
+  * This allows services, like virtual machines and app service web apps to acquire a token that is subsequently used to get a secret from key vault. And in turn access some resource using the secret.
 ====== External Identities ======
   * **External Identities** includes B2B Collaboration, B2B direct connect and Azure AD B2C.
   * [[https://docs.microsoft.com/en-us/azure/active-directory/external-identities/external-identities-overview]]
+===== B2B Collaboration =====
+  * B2B collaboration users are managed in the same directory as employees but are typically annotated as guest users.
 ===== B2B direct connect =====
   * No user object is created in your Azure AD directory.
-===== B2B Collaboration =====
+{{ :azure:az-500:b2b-direct-connect-overview.png?800 |}}
-  * B2B collaboration users are managed in the same directory as employees but are typically annotated as guest users.
+====== B2C ======
+  * [[https://docs.microsoft.com/en-us/azure/active-directory-b2c/overview]]
+> Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs.
+{{ :azure:az-500:b2c.png?800 |}}
 ====== Administrative Unit ======
-  * An [[https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units|Administrative Unit (AU)]] is a mechanism for limiting the permissions of an Azure AD role to apply to a selected set of users and/or groups. It limits the scope of the role. When a group is selected the scope only applies to the group itself, not the users that are a member of the group.
+  * An [[https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units|Administrative Unit (AU)]] is a mechanism for limiting the permissions of an Azure AD role to apply to a selected set of users and/or groups instead of an entire AAD directory. It limits the scope of the role. When a group is selected the scope only applies to the group itself, not the users that are a member of the group.
 >  An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An administrative unit can contain only users, groups, or devices.
@@ Line 42: / Line 61: @@
   * An **administrative unit** is similar in some ways to an **organization unit** in traditional AD.
   * A AAD P1 license or better is required for each AU administrator, but members can be AAD free license or better.
+  * To create an Administrative Unit the user must be a Global Administrator or Privileged Role Administrator.
-  * Azure AD roles are distinct from general Azure roles
 ====== Roles ======
   * [[https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles]]
-===== Hybrid Identity Authentication =====
-  * [[https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn]]
-  * There are three options for hybrid authentication
-      * password hash sync
-      * pass-thru authentication
-      * federated authentication
-  * [[https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn#architecture-diagrams]]
-===== Privileged Identity Management =====
-  * **PIM** (Privilege Identity Management) allows access to be granted in a just-in-time manner. It can apply to AAD roles and general AD roles.
-      * [[https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure#what-does-it-do]]
-      * Requires an AAD P2 license or EMS E5 license
-      * [[https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/subscription-requirements]]
-===== Managed Identities =====
-  * [[https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview]]
-  * A **Managed Identity** is a way of avoid embedding credentials in application code.
-  * This allows services, like virtual machines and app service web apps to acquire a token that is subsequently used to get a secret from key vault. And in turn access some resource using the secret.