Author : HASSAN MD TAREQ | Updated : 2020/11/13
What is Azure AD?
Azure AD is a multi-tenant, cloud-based directory and identity management service that combines core directory services, application access management, and identity protection.
Identity
- An entity that can be authenticated
- An identity can be a user with a username and password
- Identities also include applications or other servers that might require authentication through secret keys or certificates
Tenant
- A tenant represents an organization in Azure Active Directory
- It’s a dedicated Azure AD service instance that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure, Microsoft Intune, or Microsoft 365
- An Azure tenant represents a single organization
- Single tenant: Azure tenants that access other services in a dedicated environment are considered single tenant
- Multi-tenant: Azure tenants that access other services in a shared environment, across multiple organizations, are considered multi-tenant
Azure AD directory
- Each Azure tenant has a dedicated and trusted Azure AD directory
- The Directory includes the tenant’s users, groups, and apps and is used to perform identity and access management functions for tenant resources
Application Object
- An application registered with Azure AD is defined by exactly one application object
- The application object resides in the Azure AD tenant where the application was registered (known as the application’s “home” tenant)
- An application object is used as a template or blueprint to create one or more service principal objects - similar to a class in object-oriented programming
- A service principal is created in every tenant where the application is used
Service Principal
- A service principal is the local representation, or application instance, of a global application object in a single tenant or directory
- A service principal is a concrete instance created from the application object and inherits certain properties from that application object
- A service principal is created in each tenant where the application is used and references the globally unique app object
- The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access
See: Relationship between application objects and service principals
Managed Identity
- Managed identities are essentially a wrapper around service principals and make their management simpler
- Credential rotation for MI happens automatically every 46 days according to Azure Active Directory default
- Managed identities are currently immutable
Custom domain
- Every new Azure AD directory comes with an initial domain name, e.g. domainname.onmicrosoft.com
- In addition to that initial name, you can also add your organization’s domain names
- Adding custom domain names lets you create user names that are familiar to your users, such as hassan@hovermind.com
Azure subscription
- Subscription: A business model by which a customer agrees to pay the company for products or services throughout a specified time-period
- Azure subscription: An Azure subscription is a logical container used to provision resources in Azure
- You can have many subscriptions and they’re linked to a credit card
Account Administrator
- The billing owner of a subscription
- This role has access to the Azure Account Center and enables you to manage all subscriptions in an account
Owner
- This role helps you manage all Azure resources, including access
- This role is built on a newer authorization system called Azure role-based access control (Azure RBAC) that provides fine-grained access management to Azure resources
Azure AD Global administrator
- Global administrators can do all of the administrative functions for Azure AD and any services that federate to Azure AD, such as Exchange Online, SharePoint Online, and Skype for Business Online
- This administrator role is automatically assigned to whoever created the Azure AD tenant
- This administrator role is called Global administrator in the Azure portal, but it’s called Company administrator in the Microsoft Graph API and Azure AD PowerShell
Azure AD roles
Use Azure AD roles to manage Azure AD-related resources like users, groups, billing, licensing, application registration, and more.
Role-based access control
- RBAC => Role-based access control
- Use RBAC roles to manage access to Azure resources like virtual machines, SQL databases, or storage
- Example: you could assign an RBAC role to a user to manage and delete SQL databases in a specific resource group or subscription
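The SQL database scenario above, as an added Az PowerShell example (not part of the original notes): it inspects the built-in role before granting it, assigns it at resource-group scope rather than subscription scope, and then lists what is in effect at that scope. It assumes an existing Connect-AzAccount session; the resource group name is hypothetical and the user is the one from the custom domain section.

```powershell
# Added example, not from the original notes. Assumes an Az PowerShell session that is
# already signed in (Connect-AzAccount) and that the resource group and user exist.
$ResourceGroup = 'rg-sql-prod'            # hypothetical resource group name
$UserUpn       = 'hassan@hovermind.com'   # user principal name used earlier in the notes
$RoleName      = 'SQL DB Contributor'     # built-in Azure RBAC role

# 1. Inspect the built-in role before granting it. Actions is what the assignee will be
#    able to do (including deleting databases); NotActions is what the role withholds.
$role = Get-AzRoleDefinition -Name $RoleName
'Actions:';    $role.Actions
'NotActions:'; $role.NotActions

# 2. Assign the role at resource-group scope only. Scoping to the group (instead of
#    "/subscriptions/<id>") limits the grant to the databases in that group, which is
#    the least-privilege form of the scenario described in the notes.
$scope = (Get-AzResourceGroup -Name $ResourceGroup).ResourceId
New-AzRoleAssignment -SignInName $UserUpn -RoleDefinitionName $RoleName -Scope $scope

# 3. Review what is actually effective at that scope. Assignments inherited from the
#    subscription or management group appear here too, so this is where an over-broad
#    grant (e.g. Owner at subscription level) becomes visible.
Get-AzRoleAssignment -Scope $scope |
    Select-Object DisplayName, SignInName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Step 3 is worth running on its own periodically: the Scope column shows whether a permission came from the resource group itself or was inherited from a wider scope.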