§ Manage Azure Active Directory (Azure AD) identities

  • Create and manage a managed identity for Azure resources
  • Manage Azure AD groups
  • Manage Azure AD users
  • Manage external identities by using Azure AD
  • Manage administrative units
  • AAD does not use Kerberos or NTLM like traditional on-prem AD; it uses web protocols such as OAuth 2.0, OpenID Connect, SAML 2.0 and WS-Federation.
  • Best practice: assign Global Administrator to fewer than five users in an organization, and protect every one of them with MFA.
  • Unlike traditional AD, Azure AD has a flat structure: there are no OUs (administrative units are the closest equivalent for scoping admin roles).
  • AAD roles can be assigned to users and to role-assignable groups, i.e. groups created with "Azure AD roles can be assigned to the group" (isAssignableToRole) enabled. This setting is fixed at creation and cannot be changed later, and only Privileged Role Administrators and Global Administrators can create such groups or manage their membership, because adding a member is equivalent to granting the role.
  • AAD supports three sign-in methods for hybrid identities: cloud authentication (cloud-only accounts, or synced accounts with password hash synchronization), pass-through authentication and federated authentication.
  • B2B collaboration is a method of granting access to an external user principal who signs in through a third-party identity provider.
    • Authentication is handled by the external provider; authorization is handled by the AAD tenant that is granting access.
  • There are two group types in AAD
    • Security groups
    • Microsoft 365 groups
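The role-assignable group and the Global Administrator limit from the list above, as an added example that is not part of the original notes. It uses the Microsoft Graph PowerShell SDK's Invoke-MgGraphRequest against v1.0 Graph endpoints; the group display name, mailNickname and the chosen role are placeholders, and the GUID is the well-known Global Administrator role template id (for built-in roles the role definition id equals the template id).

```powershell
# Added example (not from the original notes). Requires the Microsoft.Graph
# PowerShell SDK; run as a Privileged Role Administrator or Global Administrator.
Connect-MgGraph -Scopes "Group.ReadWrite.All","RoleManagement.ReadWrite.Directory"

$graph = "https://graph.microsoft.com/v1.0"

# 1. A role-assignable group. isAssignableToRole is fixed at creation time and
#    cannot be toggled afterwards.
$group = Invoke-MgGraphRequest -Method POST -Uri "$graph/groups" -Body @{
    displayName        = "Helpdesk-Operators"    # placeholder
    mailNickname       = "helpdesk-operators"    # placeholder
    mailEnabled        = $false
    securityEnabled    = $true
    isAssignableToRole = $true
}

# 2. Look up the built-in role definition by display name rather than
#    hard-coding its id. 'Helpdesk Administrator' is a placeholder choice.
$roleDef = (Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/roleManagement/directory/roleDefinitions?`$filter=displayName eq 'Helpdesk Administrator'").value[0]

# 3. Assign the role to the group at tenant scope ("/"). Every member of the
#    group inherits the role, so group membership is now a privileged operation.
Invoke-MgGraphRequest -Method POST -Uri "$graph/roleManagement/directory/roleAssignments" -Body @{
    principalId      = $group.id
    roleDefinitionId = $roleDef.id
    directoryScopeId = "/"
} | Out-Null

# 4. Check the "fewer than five Global Administrators" guidance against the
#    active assignments of the built-in role.
$gaRoleId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator template id
$gaAssignments = (Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '$gaRoleId'&`$expand=principal").value

$gaAssignments | ForEach-Object {
    [pscustomobject]@{
        Principal = $_.principal.displayName
        Type      = $_.principal.'@odata.type'   # #microsoft.graph.user, .group or .servicePrincipal
        Scope     = $_.directoryScopeId
    }
} | Format-Table -AutoSize

if ($gaAssignments.Count -ge 5) {
    Write-Warning "Global Administrator has $($gaAssignments.Count) active assignments; Microsoft recommends fewer than five."
}
```

Two caveats on the audit step: a group principal counts as one assignment although every member of it is effectively a Global Administrator, so expand group principals before trusting the number; and this endpoint lists only active assignments, while PIM-eligible ones live under roleEligibilityScheduleInstances and need a separate query.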

External Identities

  • With B2B collaboration a guest user object is created in your directory, while the identity and its credentials stay with the home identity provider. The case where no user object is created in your Azure AD directory is B2B direct connect (used by Teams shared channels), where the external organization is trusted as a whole instead.
  • B2B collaboration users are managed in the same directory as employees but are marked as guests (userType = Guest) and, by default, receive more restricted directory permissions than members.
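The guest-object behaviour described above, as an added example that is not part of the original notes. It sends a B2B invitation through the Graph /invitations endpoint with the Microsoft Graph PowerShell SDK and then reads back the guest user the invitation created; the invited address, redirect URL and message text are placeholders.

```powershell
# Added example (not from the original notes). Requires the Microsoft.Graph
# PowerShell SDK and the Guest Inviter role or higher.
Connect-MgGraph -Scopes "User.Invite.All","User.Read.All"
$graph = "https://graph.microsoft.com/v1.0"

# Invite an external user. The guest's home IdP keeps the credentials; this
# tenant only gets a guest user object that represents the external identity.
$invitation = Invoke-MgGraphRequest -Method POST -Uri "$graph/invitations" -Body @{
    invitedUserEmailAddress = "partner@example.com"           # placeholder address
    inviteRedirectUrl       = "https://myapps.microsoft.com"  # where the guest lands after redemption
    sendInvitationMessage   = $true
    invitedUserMessageInfo  = @{ customizedMessageBody = "Access to the project tenant" }  # placeholder text
}

# The response carries the guest object that B2B collaboration created here.
# Its UPN uses the <mail-with-underscore>#EXT#@<tenant> form, userType is Guest,
# and externalUserState stays PendingAcceptance until the invitation is redeemed.
$guest = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/users/$($invitation.invitedUser.id)?`$select=id,displayName,userPrincipalName,userType,externalUserState,identities"

[pscustomobject]@{
    UPN      = $guest.userPrincipalName
    UserType = $guest.userType
    State    = $guest.externalUserState
    # identities shows which external issuer authenticates this guest
    Issuers  = ($guest.identities | ForEach-Object { "$($_.signInType):$($_.issuer)" }) -join ", "
} | Format-List

# Audit: all guests in the tenant with their redemption state, which is the
# list to review when pruning stale external access.
(Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/users?`$filter=userType eq 'Guest'&`$select=displayName,mail,externalUserState,createdDateTime").value |
    ForEach-Object { [pscustomobject]$_ } |
    Format-Table displayName, mail, externalUserState, createdDateTime -AutoSize
```

The audit query is the practical counterpart of the "managed in the same directory" point: because guests are ordinary user objects with userType = Guest, a single filtered /users query finds every external identity, including invitations that were never redeemed.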

Administrative Unit

  • An Administrative Unit (AU) is a mechanism for limiting the permissions of an Azure AD role to a selected set of users, groups and/or devices; it limits the scope of the role, not the permissions the role carries. When a group is placed in an AU, the scope covers the group object itself, not the users who are members of the group.
  • An administrative unit is an Azure AD resource that acts as a container for other Azure AD resources. An administrative unit can contain only users, groups, or devices.
  • An administrative unit is similar in some ways to an organizational unit in traditional AD, but it is not a hierarchy: AUs cannot be nested, and one object can belong to several AUs.
  • An AAD Premium P1 license or better is required for each AU administrator; members can be on an AAD Free license or better.
  • Azure AD roles (directory roles such as Global Administrator or User Administrator) are distinct from Azure RBAC roles (Owner, Contributor, etc.) on subscriptions and resources. A Global Administrator can, however, elevate access to User Access Administrator at the root management group and from there control every subscription, which is one reason the Global Administrator count matters.
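The AU scoping rules above, as an added example that is not part of the original notes. It builds an AU, adds a user and a group as members, and assigns User Administrator scoped to the AU through the Graph role assignment endpoint, using the Microsoft Graph PowerShell SDK; display names and UPNs are placeholders, and the GUID is the well-known User Administrator role template id.

```powershell
# Added example (not from the original notes). Requires the Microsoft.Graph
# PowerShell SDK and Privileged Role Administrator or Global Administrator.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","RoleManagement.ReadWrite.Directory","User.Read.All","Group.Read.All"
$graph = "https://graph.microsoft.com/v1.0"

# 1. The container. HiddenMembership stops non-members from enumerating it.
$au = Invoke-MgGraphRequest -Method POST -Uri "$graph/directory/administrativeUnits" -Body @{
    displayName = "Berlin Office"                                     # placeholder
    description = "Users and groups managed by the Berlin helpdesk"  # placeholder
    visibility  = "HiddenMembership"
}

# 2. Members are added by directory object reference ($ref). One user, one group.
$user  = (Invoke-MgGraphRequest -Method GET -Uri "$graph/users?`$filter=userPrincipalName eq 'alice@example.com'").value[0]  # placeholder UPN
$group = (Invoke-MgGraphRequest -Method GET -Uri "$graph/groups?`$filter=displayName eq 'Berlin-Staff'").value[0]            # placeholder group

foreach ($obj in @($user, $group)) {
    Invoke-MgGraphRequest -Method POST -Uri "$graph/directory/administrativeUnits/$($au.id)/members/`$ref" -Body @{
        "@odata.id" = "$graph/directoryObjects/$($obj.id)"
    }
}

# 3. The scoped role. Same role definition as a tenant-wide assignment; only
#    directoryScopeId changes from "/" to the AU path.
$helpdeskAdmin = (Invoke-MgGraphRequest -Method GET -Uri "$graph/users?`$filter=userPrincipalName eq 'bob@example.com'").value[0]  # placeholder UPN
Invoke-MgGraphRequest -Method POST -Uri "$graph/roleManagement/directory/roleAssignments" -Body @{
    principalId      = $helpdeskAdmin.id
    roleDefinitionId = "fe930be7-5e62-47db-91af-98c3a49a38b1"   # User Administrator template id
    directoryScopeId = "/administrativeUnits/$($au.id)"
} | Out-Null

# 4. Verify. The group is listed as an AU member, but its own members are not:
#    bob can manage the Berlin-Staff group object, not the users inside it,
#    unless those users are added to the AU individually.
(Invoke-MgGraphRequest -Method GET -Uri "$graph/directory/administrativeUnits/$($au.id)/members").value |
    ForEach-Object { "{0,-35} {1}" -f $_.'@odata.type', $_.displayName }

(Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/roleManagement/directory/roleAssignments?`$filter=principalId eq '$($helpdeskAdmin.id)'").value |
    ForEach-Object { "role $($_.roleDefinitionId) scoped to $($_.directoryScopeId)" }
```

The final query is the one to run when reviewing an admin's reach: a directoryScopeId of "/" means tenant-wide, while "/administrativeUnits/<id>" confirms the assignment really is confined to the AU.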

Roles

  • Last modified: 2022/06/22 18:20
  • by mmuze