Author : HASSAN MD TAREQ | Updated : 2020/10/15

Azure AD

  • Azure is protected by Azure Active Directory (authentication and authorization)
  • Azure AD sits in the heart of Microsoft cloud
  • See: Active Directory and Azure AD
  • Azure AD provides:
    • User management
    • Application integration
    • Single sign on
    • Integration with other directory services
  • Azure AD is different than (on-premise) Active Directory Domain Services

Azure AD Overview

  • Azure AD Domain Services
    • a seperate service
    • a PaaS offering from Azure
    • different than Azure AD
  • Azure AD Connect
    • Azure AD Connect is a tool for connecting on premises identity infrastructure to Microsoft Azure AD
    • designed to meet and accomplish your hybrid identity goals
    • used to replicate objects from (on-premise) Active Directory Domain Services to Azure AD
    • See: What is Azure AD Connect?

Role based access control

  • In short RBAC
  • Roles allow you to group together sets of permissions
  • We can make users or groups members of roles
  • Members of roles inherit all the permissions assigned to the role
  • When using roles:
    • Choose or create a role
    • Assign role to members
    • Configure a scope for the role


  • Built-in roles
  • Custom roles

Built-in roles

  • Owner: Lets you manage everything including access to resources
  • Contributor: Lets you manage everything except granting access to resources
  • Reader: Lets you view everything but not make changes

Allowing access to Resource Group

Allowing access to Resource Group

Locking Resource Group

Azure security options

  • Azure firewall
  • Azure DDOS Protection
  • Azure web application firewall
  • Network Security groups
  • Forced tunneling
  • Marketplace devices

Azure information protection

  • AIP is used to classify documents and emails
  • AIP applies labels to documents
  • Labeled documents can be protected
  • AIP labels
    • Can be applied automatically
    • Can be applied manually
    • Can be recommended to users

Two sides to AIP

  • Classification: Metadata is added to documents. Clear text and visual markings like headers, footers and watermarks
  • Protection: Azure rights management encrypts documents using rights management templates

Advanced threat protection

  • Monitor and analyze user activity
  • Identifies suspicious activity and events
  • Works with your on-premises Active Directory forest
  • Identifies
    • Reconnaissance attacks
    • Compromised credentials
    • Lateral movements
    • Domain dominance

Azure Advisor Security Assistance

Azure Security Center