azure:az-500:manage_azure_active_directory_azure_ad_identities

Differences

azure:az-500:manage_azure_active_directory_azure_ad_identities [2022/06/23 02:16] – [Hybrid Identity Authentication] mmuze
azure:az-500:manage_azure_active_directory_azure_ad_identities [2022/07/22 13:44] (current) mmuze
Line 19: Line 19:
 ====== Users & Groups ====== ====== Users & Groups ======
   * There are two group types in AAD   * There are two group types in AAD
-    * Security groups +    * **Security groups** - Azure AD Security Groups are analogous to Security Groups in on-prem Windows Active Directory. They are Security Principals, which means they can be used to secure objects in Azure AD. 
-    * Microsoft 365 groups+    * **Microsoft 365 groups** - are a membership object in Microsoft 365 that eases the task of ensuring a group of people have consistent permissions to a group of related resources. 
 +      * [[https://docs.microsoft.com/en-us/microsoft-365/community/all-about-groups]] 
 +      * The group's files are in SharePoint, the real time collaboration is in Teams, the email discussions are in Exchange, but they're all secured and managed as a Microsoft 365 Group. 
 +      * used for collaboration
  
 ====== Managed Identity ====== ====== Managed Identity ======
   * A **Managed Identity** is a way for a compute resource (e.g. VM, logic app, app service, function, etc) get access to credentials/security principle without dealing with storing them. This eliminates the problem with having credentials stored in a config file somewhere that could be compromised.   * A **Managed Identity** is a way for a compute resource (e.g. VM, logic app, app service, function, etc) get access to credentials/security principle without dealing with storing them. This eliminates the problem with having credentials stored in a config file somewhere that could be compromised.
 +  * [[https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview]]
   * There are **system assigned** managed identities and **user assigned** managed identities.   * There are **system assigned** managed identities and **user assigned** managed identities.
   * With system assigned managed identity there is a one-to-one relationship between a resource that needs a security principle and the security principle.   * With system assigned managed identity there is a one-to-one relationship between a resource that needs a security principle and the security principle.
   * With a user assigned managed identity multiple resources (e.g. VMs in scale-set) can share a single security principle.   * With a user assigned managed identity multiple resources (e.g. VMs in scale-set) can share a single security principle.
 +  * A **Managed Identity** is a way of avoid embedding credentials in application code.
 +  * This allows services, like virtual machines and app service web apps to acquire a token that is subsequently used to get a secret from key vault. And in turn access some resource using the secret.
  
 ====== External Identities ====== ====== External Identities ======
   * **External Identities** includes B2B Collaboration, B2B direct connect and Azure AD B2C.   * **External Identities** includes B2B Collaboration, B2B direct connect and Azure AD B2C.
   * [[https://docs.microsoft.com/en-us/azure/active-directory/external-identities/external-identities-overview]]   * [[https://docs.microsoft.com/en-us/azure/active-directory/external-identities/external-identities-overview]]
 +
 +===== B2B Collaboration =====
 +  * B2B collaboration users are managed in the same directory as employees but are typically annotated as guest users.
  
 ===== B2B direct connect ===== ===== B2B direct connect =====
   * No user object is created in your Azure AD directory.   * No user object is created in your Azure AD directory.
  
-===== B2B Collaboration ===== +{{ :azure:az-500:b2b-direct-connect-overview.png?800 |}} 
-  * B2B collaboration users are managed in the same directory as employees but are typically annotated as guest users.+ 
 +====== B2C ====== 
 +  * [[https://docs.microsoft.com/en-us/azure/active-directory-b2c/overview]] 
 + 
 +> Azure Active Directory B2C provides business-to-customer identity as a serviceYour customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs. 
 + 
 +{{ :azure:az-500:b2c.png?800 |}} 
 ====== Administrative Unit ====== ====== Administrative Unit ======
  
-  * An [[https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units|Administrative Unit (AU)]] is a mechanism for limiting the permissions of an Azure AD role to apply to a selected set of users and/or groups. It limits the scope of the role. When a group is selected the scope only applies to the group itself, not the users that are a member of the group.+  * An [[https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units|Administrative Unit (AU)]] is a mechanism for limiting the permissions of an Azure AD role to apply to a selected set of users and/or groups instead of an entire AAD directory. It limits the scope of the role. When a group is selected the scope only applies to the group itself, not the users that are a member of the group.
  
 >  An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An administrative unit can contain only users, groups, or devices. >  An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An administrative unit can contain only users, groups, or devices.
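Review bot: the Managed Identity bullets in this hunk use "security principle" where the Azure AD term is "security principal" (the new "credentials/security principle" phrase and the system-assigned and user-assigned bullets), and the bullet merged in from the old Managed Identities section still reads "a way of avoid embedding credentials", which should be "a way of avoiding embedding credentials"; since the first bullet already states that a managed identity removes the need to keep credentials in a config file, consider folding that merged bullet into it instead of making the point twice. The new B2C blockquote has also lost its sentence break: "identity as a serviceYour customers" should read "identity as a service. Your customers". In the Security groups bullet, "they can be used to secure objects in Azure AD" undersells the group type: security groups are the principal you assign Azure AD roles, Azure RBAC roles and application access to, so "can be assigned roles and permissions" would be the more accurate wording.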
Line 51: Line 67:
   * [[https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles]]   * [[https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles]]
  
- 
-====== Privileged Identity Management ====== 
-  * **PIM** (Privilege Identity Management) allows access to be granted in a just-in-time manner. It can apply to AAD roles and general AD roles. 
-      * [[https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure#what-does-it-do]] 
-      * Requires an AAD P2 license or EMS E5 license 
-      * [[https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/subscription-requirements]] 
- 
-====== Managed Identities ====== 
-  * [[https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview]] 
-  * A **Managed Identity** is a way of avoid embedding credentials in application code. 
-  * This allows services, like virtual machines and app service web apps to acquire a token that is subsequently used to get a secret from key vault. And in turn access some resource using the secret. 
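Review bot: this hunk deletes the entire Privileged Identity Management section and nothing in the visible diff adds it back, so confirm it was moved elsewhere on the page rather than dropped (PIM is an AZ-500 objective and the licensing bullet is worth keeping). If it is restored, correct "Privilege Identity Management" to "Privileged Identity Management" and replace "general AD roles" with "Azure resource roles", since PIM governs Azure AD roles and Azure RBAC roles, not on-premises Active Directory roles. Removing the Managed Identities section is fine, as its link and both bullets were merged into the earlier Managed Identity section in the previous hunk.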
  
  
  
  • azure/az-500/manage_azure_active_directory_azure_ad_identities.1655950607.txt.gz
  • Last modified: 2022/06/23 02:16
  • by mmuze