§ Manage Azure Active Directory (Azure AD) identities
- Create and manage a managed identity for Azure resources
- Manage Azure AD groups
- Manage Azure AD users
- Manage external identities by using Azure AD
- Manage administrative units
- AAD does not use Kerberos or NTLM like traditional on-prem AD; instead it uses web-based protocols such as OAuth 2.0, OpenID Connect, SAML 2.0 and WS-Federation.
- Best practice: limit the Global Administrator role to fewer than five users in an organization, and require MFA for those accounts.
- Unlike traditional AD, Azure AD has a flat structure. There are no OUs.
- AAD roles can be assigned to users and to role-assignable groups, i.e. groups created with the option to allow Azure AD roles to be assigned to them enabled. That option can only be set when the group is created, and creating such a group itself requires the Global Administrator or Privileged Role Administrator role.
- For hybrid identity, AAD supports three authentication methods: cloud authentication (cloud-only accounts or password hash synchronization from on-prem AD), pass-through authentication (passwords validated against on-prem AD by an agent) and federated authentication (e.g. AD FS).
- B2B is a method of granting access to an external user principal who authenticates through a third-party identity provider (another Azure AD tenant, a social identity, or a SAML/WS-Fed IdP).
- Authentication is handled by the external identity provider; authorization is handled by the AAD tenant that is granting access.
Users & Groups
- There are two group types in AAD
- Security groups
- Microsoft 365 groups
Managed Identity
- A Managed Identity is a way for a compute resource (e.g. VM, logic app, app service, function, etc.) to get a security principal in AAD, and credentials for it, without storing them itself. This eliminates the problem of credentials sitting in a config file somewhere that could be compromised: the platform manages and rotates the underlying credential, and the workload only ever handles short-lived access tokens.
- There are system-assigned managed identities and user-assigned managed identities.
- With a system-assigned managed identity there is a one-to-one relationship between the resource that needs a security principal and that principal; the identity is created with the resource and deleted when the resource is deleted.
- With a user-assigned managed identity multiple resources (e.g. VMs in a scale set) can share a single security principal; the identity is a standalone Azure resource with its own lifecycle and can be created, and granted permissions, before the workloads that use it exist.
External Identities
- External Identities includes B2B Collaboration, B2B direct connect and Azure AD B2C.
B2B direct connect
- No user object is created in your Azure AD directory; the trust is established between the two tenants through cross-tenant access settings, and users are authenticated by their home tenant (used e.g. by Teams shared channels).
B2B Collaboration
- B2B collaboration users are managed in the same directory as employees, as user objects whose userType is Guest by default; they can be granted access to resources like any other user.
Administrative Unit
- An Administrative Unit (AU) is a mechanism for limiting an Azure AD role assignment to a selected set of users, groups and/or devices; it restricts the scope of the role, not its permissions. When a group is added to an AU, the scope covers the group object itself (e.g. its membership and settings), not the users who are members of the group; those users must be added to the AU themselves to fall under the scoped role.
- An administrative unit is an Azure AD resource that acts as a container for other Azure AD resources. It can contain only users, groups, or devices.
- An administrative unit is similar in some ways to an organizational unit in traditional AD, but it is not a hierarchy: AUs cannot be nested, and an object can belong to several AUs at once.
- An Azure AD Premium P1 license or better is required for each administrator assigned a role scoped to an AU; members of the AU can be on the free tier.
- To create an Administrative Unit the user must be a Global Administrator or Privileged Role Administrator.
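The scoping rule above (a group in an AU is in scope, its members are not) is the part that trips people up when auditing role assignments. The following is an added example, not code from the original page or from Microsoft: it encodes that rule over constructed data shaped like the Microsoft Graph objects an audit script would pull, a `unifiedRoleAssignment` (`principalId`, `roleDefinitionId`, `directoryScopeId`, where `/` is the tenant and `/administrativeUnits/<id>` is an AU) and the member list of an `administrativeUnit`. All IDs and the role definition name are made up for illustration.

```python
"""Scope check for Azure AD role assignments restricted to an administrative unit.

Added example, not code from the original page or from Microsoft. It encodes the
documented AU scoping rule over constructed data shaped like Microsoft Graph objects.
All object IDs and the role definition name are invented.
"""

AU_SCOPE_PREFIX = "/administrativeUnits/"

# Constructed: AU "au-sales" holds one user and one group as direct members.
AU_MEMBERS = {
    "au-sales": [
        {"id": "user-alice", "@odata.type": "#microsoft.graph.user"},
        {"id": "group-sales", "@odata.type": "#microsoft.graph.group"},
    ],
}
# Constructed: group membership is a separate relationship; AU scope does not follow it.
GROUP_MEMBERS = {"group-sales": ["user-bob", "user-carol"]}

# Constructed: one tenant-wide and one AU-scoped assignment of the same role.
ROLE_ASSIGNMENTS = [
    {"principalId": "admin-tenant", "roleDefinitionId": "user-administrator",
     "directoryScopeId": "/"},
    {"principalId": "admin-sales", "roleDefinitionId": "user-administrator",
     "directoryScopeId": AU_SCOPE_PREFIX + "au-sales"},
]


def scope_covers(directory_scope_id, target_id, au_members=AU_MEMBERS):
    """True if directoryScopeId puts target_id in scope.

    "/" is the whole tenant. An AU scope covers exactly the objects that are
    direct members of that AU: a group sitting in the AU is itself in scope,
    but its members are not unless they were added to the AU as well.
    Any other scope format (e.g. an app-scoped assignment) is treated as not
    covering directory objects.
    """
    if directory_scope_id == "/":
        return True
    if directory_scope_id.startswith(AU_SCOPE_PREFIX):
        au_id = directory_scope_id[len(AU_SCOPE_PREFIX):]
        return any(m["id"] == target_id for m in au_members.get(au_id, []))
    return False


def has_role_over(principal_id, role_definition_id, target_id,
                  assignments=ROLE_ASSIGNMENTS, au_members=AU_MEMBERS):
    """True if any assignment gives principal_id the role over target_id."""
    return any(
        a["principalId"] == principal_id
        and a["roleDefinitionId"] == role_definition_id
        and scope_covers(a["directoryScopeId"], target_id, au_members)
        for a in assignments
    )


def in_scope_targets(principal_id, role_definition_id, candidates, **kw):
    """Filter candidate object IDs down to those the principal can act on with the role."""
    return [c for c in candidates if has_role_over(principal_id, role_definition_id, c, **kw)]


if __name__ == "__main__":
    everyone = ["user-alice", "group-sales"] + GROUP_MEMBERS["group-sales"]
    for admin in ("admin-tenant", "admin-sales"):
        print(admin, "->", in_scope_targets(admin, "user-administrator", everyone))
    # admin-tenant -> all four objects; admin-sales -> ['user-alice', 'group-sales']
```

Running it shows that the AU-scoped User Administrator can act on user-alice and on the group object, but not on user-bob or user-carol, even though they are members of a group inside the AU. When reviewing real exports, feed the AU member lists and role assignments from Graph into the two parameters instead of the constructed dictionaries.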
Roles
Privileged Identity Management
- PIM (Privileged Identity Management) allows privileged access to be granted just-in-time: eligible users activate a role for a limited time, optionally with MFA, a justification and approval, and every activation is audited. It applies to Azure AD roles and to Azure resource (RBAC) roles, as well as to membership of privileged groups.
- Requires an Azure AD Premium P2 license (included in EMS E5 and Microsoft 365 E5).
Managed Identities
- A Managed Identity is a way to avoid embedding credentials in application code.
- It allows services such as virtual machines and App Service web apps to request an access token from the platform (on a VM, from the Instance Metadata Service endpoint) for a target resource. That token can be used to get a secret from Key Vault and in turn access some resource with the secret, or used directly against any Azure AD-protected resource (Storage, SQL, Microsoft Graph) so that no secret needs to exist at all.
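The token flow described in both Managed Identity sections above, as an added example that is not code from the original page or from Microsoft. The endpoint (`169.254.169.254`), the mandatory `Metadata: true` header, the `api-version`, `resource` and `client_id` parameters are the documented Azure Instance Metadata Service (IMDS) managed identity interface; the vault name, secret name and the sample token response are constructed for illustration so the checks can run offline. It also shows the two checks a consumer should do before using the token: that it has not expired and that its audience is the resource that was requested.

```python
"""Acquire a managed identity token from IMDS and use it against Key Vault.

Added example, not code from the original page or from Microsoft. The IMDS
endpoint, header and parameters are the documented interface; the vault name,
secret name, client ID and the sample token response are constructed.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"
KEY_VAULT_API_VERSION = "7.4"


def imds_token_request(resource=KEY_VAULT_RESOURCE, client_id=None):
    """Build the IMDS request for an access token for `resource`.

    A system-assigned identity needs no identifier. When a VM carries several
    user-assigned identities, client_id selects which one; without it IMDS
    returns an error rather than picking one.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}"
    # The Metadata header is mandatory; it stops requests that cannot set
    # custom headers (browser-driven SSRF, redirects) from reaching IMDS.
    return url, {"Metadata": "true"}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_token_response(body, expected_resource=KEY_VAULT_RESOURCE, now=None):
    """Extract the access token and sanity-check it before use.

    Rejects an expired token and a token whose audience is not the resource we
    asked for. Signature verification is the resource server's job, not ours.
    """
    data = json.loads(body)
    token = data["access_token"]
    now = time.time() if now is None else now
    if int(data["expires_on"]) <= now:          # IMDS returns epoch seconds as a string
        raise ValueError("token already expired")
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    if claims.get("aud") != expected_resource:
        raise ValueError(f"unexpected audience {claims.get('aud')!r}")
    return token, claims


def key_vault_secret_request(vault_name, secret_name, token):
    """Build the Key Vault REST request that reads the latest version of a secret."""
    url = (f"https://{vault_name}.vault.azure.net/secrets/"
           f"{urllib.parse.quote(secret_name)}?api-version={KEY_VAULT_API_VERSION}")
    return url, {"Authorization": f"Bearer {token}"}


def fetch_json(url, headers):
    """Plain HTTP GET; only reachable from inside Azure for IMDS and the vault."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def sample_imds_response(now):
    """Constructed IMDS response carrying an unsigned JWT, for offline demonstration only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = seg({"alg": "none", "typ": "JWT"})
    payload = seg({"aud": KEY_VAULT_RESOURCE, "exp": int(now) + 3600,
                   "oid": "11111111-1111-1111-1111-111111111111"})   # made-up principal id
    return json.dumps({"access_token": f"{header}.{payload}.",
                       "expires_on": str(int(now) + 3600),
                       "resource": KEY_VAULT_RESOURCE, "token_type": "Bearer"})


if __name__ == "__main__":
    # On an Azure VM with a managed identity this talks to IMDS and then to the
    # vault; "contoso-kv" and "db-password" are hypothetical names.
    url, headers = imds_token_request()
    token, claims = parse_token_response(fetch_json(url, headers))
    vault_url, auth = key_vault_secret_request("contoso-kv", "db-password", token)
    print(json.loads(fetch_json(vault_url, auth))["value"])
```

Note that the token never leaves the VM other than as a bearer header to the vault, and nothing on disk holds a long-lived secret; the audience check matters because a token minted for one resource (say Storage) must not be replayed against another.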