Azure Active Directory Concepts

Identity

An entity that can be authenticated
An identity can be a user with a username and password
Identities also include applications or other servers that might require authentication through secret keys or certificates

A tenant represents an organization in Azure Active Directory
It’s a dedicated Azure AD service instance that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure, Microsoft Intune, or Microsoft 365
An Azure tenant represents a single organization
Single tenant: Azure tenants that access other services in a dedicated environment are considered single tenant
Multi-tenant: Azure tenants that access other services in a shared environment, across multiple organizations, are considered multi-tenant

Each Azure tenant has a dedicated and trusted Azure AD directory
The Directory includes the tenant’s users, groups, and apps and is used to perform identity and access management functions for tenant resources

Application registered to Azure AD is defined by its one and only application object
Application object resides in the Azure AD tenant where the application was registered (known as the application’s “home” tenant)
An application object is used as a template or blueprint to create one or more service principal objects - similar to a class in object-oriented programming
A service principal is created in every tenant where the application is used

A service principal is the local representation, or application instance, of a global application object in a single tenant or directory
A service principal is a concrete instance created from the application object and inherits certain properties from that application object
A service principal is created in each tenant where the application is used and references the globally unique app object
The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access

Managed identities are essentially a wrapper around service principals and make their management simpler
Credential rotation for MI happens automatically every 46 days according to Azure Active Directory default
Managed identities are currently immutable

Every new Azure AD directory comes with an initial domain name i.e. domainname.onmicrosoft.com
In addition to that initial name, you can also add your organization’s domain names
Adding custom domain names helps you to create user names that are familiar to your users such as hassan@hovermind.com

Subscription: A business model by which a customer agrees to pay the company for products or services throughout a specified time-period
Azure subscription: An Azure subscription is a logical container used to provision resources in Azure
You can have many subscriptions and they’re linked to a credit card

The billing owner of a subscription
This role has access to the Azure Account Center and enables you to manage all subscriptions in an account

This role helps you manage all Azure resources, including access
This role is built on a newer authorization system called Azure role-base access control (Azure RBAC) that provides fine-grained access management to Azure resources

Global administrators can do all of the administrative functions for Azure AD and any services that federate to Azure AD, such as Exchange Online, SharePoint Online, and Skype for Business Online
This administrator role is automatically assigned to whomever created the Azure AD tenant
This administrator role is called Global administrator in the Azure portal, but it’s called Company administrator in the Microsoft Graph API and Azure AD PowerShell

Use Azure AD roles to manage Azure AD-related resources like users, groups, billing, licensing, application registration, and more.

RBAC => Role-based access control
Use RBAC roles to manage access to Azure resources like virtual machines, SQL databases, or storage
Example: you could assign an RBAC role to a user to manage and delete SQL databases in a specific resource group or subscription