Author : MD TAREQ HASSAN | Updated : 2023/01/31
Understanding Azure AD
Azure AD is a multi-tenant, cloud-based directory and identity management service that combines core directory services, application access management, and identity protection. Azure AD can be used as a standalone service or in conjunction with other Azure services to create a complete identity solution.
Microsoft Online business services, such as Microsoft 365 or Microsoft Azure, use Azure AD for sign-in activities. If you or your company are using Azure, Microsoft 365 or Dynamics 365, you are already using Azure AD! (Every Azure, Microsoft 365 and Dynamics 365 tenant is already an Azure AD tenant.)
If you are familiar with Windows Server Active Directory, consider Azure AD as the cloud version of Active Directory with many added capabilities and features. Azure AD can be connected and synced with on-premises Active Directory to integrate existing users, groups and applications.
Depending on the license type (Free, P1, P2, “Pay as you go”), Azure AD will provide some or all of the following features:
- Application management
- Authentication & Authorization
- Azure Active Directory for developers to build apps
- Business-to-Business (B2B)
- Business-to-Customer (B2C)
- Conditional Access
- Device management
- Domain services
- Enterprise users
- Hybrid identity
- Identity governance
- Identity protection
- Managed identities for Azure resources
- Privileged identity management (PIM)
- Reports and monitoring
Identity
- An identity is an object (or entity) that can be authenticated
- A thing that can get authenticated can be considered as an identity
- Examples:
  - A user with a username and password
  - An application or a service with secret keys
  - A server with a certificate
- Azure AD is the underlying product that provides the identity service
Account
- An account is an identity that has data associated with it
- An identity object gets its properties and attributes in a particular context and then becomes an account
- To have an account, we must first have a valid identity (can’t have an account without an identity)
Azure AD Account
- An Azure AD account is an identity that’s created directly in Azure AD or through another cloud service, e.g. Azure, Microsoft 365 etc.
- An Azure AD account is also called a work or school account (xxx@outlook.com, xxx@live.com are called personal accounts)
- Account-related identity information is stored in Azure AD and is accessible to the cloud service subscriptions, e.g. the Azure portal
Tenant
- A tenant is a single dedicated and trusted instance of Azure AD
- A tenant represents a single organization in Azure AD
- When you sign up for a Microsoft cloud service subscription (e.g. Azure), a tenant is automatically created and the subscription is linked to that tenant
- We can create multiple tenants
Types of tenant:
- Single tenant: Azure tenants that access other services in a dedicated environment are considered single tenant
- Multi-tenant: Azure tenants that access other services in a shared environment, across multiple organizations, are considered multi-tenant
Azure AD Directory
- An Azure AD tenant is also called a directory in a Microsoft cloud service, i.e. an Azure AD tenant is shown as “Directory” inside the Azure portal
- Each Azure tenant has a dedicated and trusted Azure AD directory
- The Directory includes the tenant’s users, groups, and apps and is used to perform identity and access management functions for tenant resources
Application Object
- An application registered in Azure AD is defined by its one and only application object
- The application object resides in the Azure AD tenant where the application was registered (known as the application’s “home” tenant)
- An application object is used as a template or blueprint to create one or more service principal objects (similar to a class in object-oriented programming)
- A service principal is created in every tenant where the application is used
Service Principal
- A service principal is the ‘local representation’ (or ‘local instance’) of a ‘global application object’ in a single tenant or directory
- A service principal is a concrete instance created from the application object and inherits certain properties from that application object
- A service principal is created in each tenant where the application is used and references the globally unique app object
- The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access
See: Relationship between application objects and service principals
Managed Identity
- Managed identities are essentially a wrapper around service principals and make their management simpler
- Credential rotation for Managed Identity happens automatically every 46 days according to the Azure Active Directory default (Microsoft manages and maintains the underlying certificates and security measures)
- Managed identities are currently immutable
Custom Domain
- Every new Azure AD directory comes with an initial domain name, i.e. ‘domainname.onmicrosoft.com’
- In addition to that initial name, we can also add our organization’s domain names
- Adding custom domain names helps us to create user names that are familiar to our users, such as ‘xxx@hovermind.com’
Azure Subscription
- Subscription: A business model by which a customer agrees to pay the company for products or services throughout a specified time-period
- Azure subscription:
  - An Azure subscription is a logical container used to provision resources in Azure (a subscription fuels your consumption of Azure services)
  - All resources under a subscription are billed together
  - Every Azure subscription is linked to a single Azure AD tenant
Azure AD Roles
- A role is a set or collection of permissions
- Azure AD roles define which activities or actions an identity can perform within Azure AD
- Roles can be assigned to users, groups, service principals and managed identities
- Azure AD roles are used to manage Azure AD resources in a tenant, such as:
  - create or edit users
  - assign administrative roles to others
  - reset user passwords, manage user licenses
  - application registration
  - manage domains
  - etc.
- Manage access to Azure Active Directory resources
Azure AD Global Administrator
- Global administrators can do all of the administrative functions for Azure AD and any services that federate to Azure AD, such as Exchange Online, SharePoint Online, and Skype for Business Online
- This administrator role is automatically assigned to whoever created the Azure AD tenant
- This administrator role is called Global administrator in the Azure portal, but it’s called Company administrator in the Microsoft Graph API and Azure AD PowerShell
RBAC
- RBAC stands for “Role-based Access Control”
- Use RBAC roles to manage access to Azure resources like virtual machines, SQL databases, or storage
- Example: you could assign an RBAC role to a user to manage and delete SQL databases in a specific resource group or subscription
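To make the role model in the two sections above concrete (a role is a collection of permissions, it is assigned to a user, group, service principal or managed identity at a scope, and the SQL-database example), here is an added Python illustration. It is not Azure's authorization engine or the Azure SDK; it is a toy evaluator that models the Azure RBAC semantics of wildcard `Actions`, `NotActions` carve-outs, transitive group membership and scope inheritance from subscription to resource group to resource. Every subscription id, resource group, principal name and the simplified "SQL DB Contributor" definition is constructed for the example.

```python
"""Toy Azure-RBAC-style evaluator (added illustration, not Azure's own code).

Models: a Role = set of permitted actions (with wildcards) minus NotActions;
an Assignment = (principal, role, scope); a principal inherits assignments
made to any group that transitively contains it; an assignment at a parent
scope (subscription, resource group) covers every child scope.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Role:
    name: str
    actions: tuple[str, ...]            # e.g. "Microsoft.Sql/servers/databases/*"
    not_actions: tuple[str, ...] = ()   # carve-outs removed from 'actions' (not denies)

    def permits(self, action: str) -> bool:
        # NotActions subtract from Actions; they never deny what another role grants.
        if any(fnmatchcase(action, p) for p in self.not_actions):
            return False
        return any(fnmatchcase(action, p) for p in self.actions)


@dataclass(frozen=True)
class Assignment:
    principal: str   # user, group, service principal or managed identity
    role: str
    scope: str       # "/subscriptions/<id>[/resourceGroups/<rg>[/providers/...]]"


def scope_covers(assigned: str, requested: str) -> bool:
    """An assignment scope applies to itself and to every child scope.

    Compared segment by segment (case-insensitively, as Azure does) so that
    '.../resourceGroups/data-rg' does not accidentally cover '.../data-rg10'.
    """
    a = assigned.strip("/").lower().split("/")
    r = requested.strip("/").lower().split("/")
    return r[: len(a)] == a


@dataclass
class Directory:
    roles: dict[str, Role]
    assignments: list[Assignment]
    group_members: dict[str, set[str]] = field(default_factory=dict)

    def principals_for(self, principal: str) -> set[str]:
        """The principal itself plus every group that transitively contains it."""
        seen, frontier = {principal}, [principal]
        while frontier:
            current = frontier.pop()
            for group, members in self.group_members.items():
                if current in members and group not in seen:
                    seen.add(group)
                    frontier.append(group)
        return seen

    def is_allowed(self, principal: str, action: str, scope: str) -> bool:
        """True if any assignment to the principal or one of its groups, at this
        scope or a parent scope, carries a role that permits the action."""
        effective = self.principals_for(principal)
        return any(
            a.principal in effective
            and scope_covers(a.scope, scope)
            and self.roles[a.role].permits(action)
            for a in self.assignments
        )


# --- Constructed sample data (ids, names and role definition are made up) ---
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_DATA = SUB + "/resourceGroups/data-rg"
RG_WEB = SUB + "/resourceGroups/web-rg"
ORDERS_DB = RG_DATA + "/providers/Microsoft.Sql/servers/srv1/databases/orders"

DIRECTORY = Directory(
    roles={
        # Simplified stand-in for the page's "manage and delete SQL databases" role.
        "SQL DB Contributor": Role(
            "SQL DB Contributor",
            actions=("Microsoft.Sql/servers/databases/*",),
            not_actions=("Microsoft.Sql/servers/databases/auditingSettings/*",),
        ),
        "Reader": Role("Reader", actions=("*/read",)),
    },
    assignments=[
        Assignment("grp-dba", "SQL DB Contributor", RG_DATA),   # group, at resource group
        Assignment("sp-reporting", "Reader", SUB),              # service principal, at subscription
        Assignment("mi-webapp", "SQL DB Contributor", RG_WEB),  # managed identity, other RG
    ],
    group_members={"grp-dba": {"alice"}},
)

if __name__ == "__main__":
    for who, action in [("alice", "Microsoft.Sql/servers/databases/delete"),
                        ("sp-reporting", "Microsoft.Sql/servers/databases/delete"),
                        ("mi-webapp", "Microsoft.Sql/servers/databases/read")]:
        print(f"{who:13} {action:45} -> {DIRECTORY.is_allowed(who, action, ORDERS_DB)}")
```

Running the block shows that alice can delete the orders database (the role was granted to her group at the resource group, and the database sits under that group), the reporting service principal can only read it (Reader at subscription scope), and the web app's managed identity has nothing in `data-rg` at all, because its assignment is scoped to a different resource group. The `not_actions` check is what keeps the SQL role from reaching the auditing settings even though the `*` wildcard would otherwise match them.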