Azure Identity and Access Management (IAM) is a cloud based access management solution helps you or your organization to secure access control to your resources and apps with ease through Azure Active Directory. Azure Active Directory or simply known as Azure AD, it is a multi-tenant cloud based identity and access management service. The primary purpose of Azure Active Directory (Azure AD) is to provide identity and access management for Azure resources and applications. It allows users to securely authenticate and authorize access to resources and applications, both in the cloud and on-premises.
Azure AD also provides features such as multi-factor authentication, self-service password management, and conditional access to help secure access to resources. Additionally, Azure AD enables organizations to manage access for external users and partners through Azure AD B2B and B2C. Azure AD also provides an Identity Provider (IDP) for Single Sign-On (SSO) for applications integrated with Azure AD.
Azure AD Features:
- Enterprise Identity Solution: Create a single identity for users and keep them in sync across the enterprise.
- Single Sign-On (SSO):provides single sign-on access to applications and infrastructure services.
- Multi Factor Authentication: Enhance security with additional factors of authentication Self-Service: Empower customer users to complete password resets themselves, as well as request access to specific apps and services.
Azure Identity and Access Management Services:
Secure access to customer resources with Azure Identity and Access Management Solution. Below are the identity and access management services provided by Azure Active Directory.
For Access and Authentication:
- Multi-factor authentication
- Device Registration
- Role Based Access Control For Management
- Self Service Password Management
- Self Service Group Management
- Privileged Account Management For Monitoring and Auditing
- Application Usage Monitoring
- Rich Auditing
- Security Monitoring and Alerting
For Managing Organization:
- Sign up for Azure AD as an organization
- Sign up for Azure AD Premium
- Add a custom domain name
- Add company branding
- Associate an Azure subscription
- Add customer privacy info
Domain name that is owned and used by Organizations or Individuals. A domain name is an identifier for many directory resources such as:
- username or email address
- address for a group
- app id URI for an application
Azure Active Directory and Azure Active Directory (B2C) enable users to access applications published by and share the same administration experiences.
Azure Administrative and RBAC Roles:
Each role in azure has it's own significant access. Azure roles be assigned according to business need considering all the security checks.
Azure Active Directory (AAD) Roles:
- Global Administrator also known as domain admin or Azure AD Admin. This role has full right to create and manage groups in the AAD.
- Application Administrator also known as App Admin for Azure AD. This role has only rights to create and manage Enterprise Application and App registrations in Azure AD.
- Cloud Application Administrator
- Global Reader
Role-Based Access Control (RBAC) Roles:
Also know as RBAC roles and permissions which are specific to resources.
- Owner
- Contributor
- User Access Administrator
- Reader
What is Administration?
Administration is nothing but managing users, groups and access control to various resources in an organization.
What is Auditing?
Auditing means capturing or recording the data actions of who did what, when and type action made by user or service.
What is Microsoft Entra?
Microsoft Entra is an Azure enterprise Azure Active Directory (Azure AD) identity service to secure your environment with multi cloud identity and access management where you can manage everything, all in one place. This MS Entra service simplifies the managing and securing of your entire identity infrastructure (apps, resources, services, devices) including Azure AD from Microsoft Entra admin centre.
You can access Microsoft Entra from here π Microsoft Entra Portal
Microsoft Entra help to protect your user and date with the following services:
Single sign-on access to enterprise apps or to your own custom developed apps.
Multi Factor authentication with conditional access policies to enable identity protection and to secure data from cybersecurity attacks.
With a single identity control pane allows you to grant full visibility and control of your app, resources, services, users, groups and managed identities. Simply you can have full visibility and control the entire environment.
Governance ensures the right people have access to the right resources, and only when they need it using Privileged Identity Management (PIM)
Learn more about π Microsoft Entra
Cloud Directory and DNS to Manage Azure AD
Azure Active Directory is also called as Azure AD in short.
Use Case: Customer needs a global administrator access to all the users in a <customer specified> group in a <customer specified> organization, <customer specified> subscription, <customer specified> region/location to manage cloud application or resources and also with a self service password management >> password reset, 2 step authentication and notification service.
Solution: Azure Active Directory (Azure AD) allows users/groups to manage access to cloud resources, enterprise apps and on-premises apps.
Resources can be part of the Azure AD organization, such as permissions to manage objects through roles in Azure AD, or external to the organization, such as for Software as a Service (SaaS) apps, Azure services, SharePoint sites, and on-premises.
Create a Azure AD Tenant:
To create a azure AD Tenant and assigning roles we should follow below steps:
All Services >> Azure Active Directory >>
Step 1: Create a Directory
- Organization name a <customer specified organization name>
- Initial Domain Name a < customer specified domain name>.onmicrosoft.com
- Country or Region a <customer specified Country/Region> Create
Step 2: Select Azure Active Directory >>Under Manage Roles and Administrator >> Global Administrator >> + Add members >> Save Changes
Create Users and Groups:
To create user in azure AD follow the below steps:
Creating Users:
Select Azure Active Directory >>
Under Manage
Manage>> Select Users>> Select New User to create a new user
Name Γ <name of the user>
User Name Γ <name of the user> @domainname.onmicrosoft.com>
Profile Γ General Γ First name , Last name Work Info Γ Job Title, Description
Properties Γ default
Groups Γ <<Select group if needed>>
Directory Roles a <Select a role>
Users
Global Administrators
Limited Administrators
Password <a random password will be generated>
#provide this password for assigned user to get access to the resources.
>> Create
Inviting Guest User:
Send Invite to user < Enter User Email and Add Description and provide a password for the user>
Creating Groups in Azure AD:
Create groups in Azure AD >> Select Azure Active Directory >> Under Manage Select Groups>> Click on New Group to create a group
- Group type a Select "Security/Office 365 “
- Group name a <Specify name of group>
- Group Description a <add group description>
- Member Type Γ Select Assigned >> Members >> add member
Adding Role Assignments in Azure
- To add role assignments to the users/groups follow the below steps:
- Subscriptions >> Access Control (IAM)>>Add Role Assignment
- Role a <Select Role from drop down list>
- Assign Access to a <Azure AD, Users , Groups or service principles>
- Select a <Add members or Groups>
- Click on Save to make changes
Configure Self Service Password Reset:
Under Manage >> Password Reset>>
Self Service Password reset
- None
- Selected Γ To select Specific groups
- All
Authentication Methods>> Number of methods required to reset 1 or 2
Methods available to users:
- Mobile App Notification
- Mobile App Code
- Mobile phone
- Office Phone
- Security Question
Notification >> Notify users on password reset? YES/NO
Notify all admins when other admins reset their password? YES/NO
Azure Active Directory Privileged Identity Management (PIM)
with Azure AD PIM, you can manage, control, and monitor access to Azure Resources within your organization at ease.
Microsoft Azure Cloud DNS
- First add a DNS to your virtual network. Access the management portal and go to the section Networks > {Your Network Name} > Configure > DNS servers. Add the name and an IP to it.
- Now, deploy a <customer> VM inside the Virtual Network and configure its IP to the same <customer> IP that has been defined inside the portal.
- Configure DNS server with the details for the VMs and set the forwarders if <customer> wants to be able to resolve names outside the virtual network.
- Reboot your virtual machines to get the new configuration through DHCP.
Solution Implementation:
- Directory Name a <customer specified directory name>
- DNS Domain Name a <customer specified domain name>
- Subscription Γ < customer specified Subscription>
- Resource Group Γ <customer specified Resource Group >
- Location Γ <customer specified Location>
- Click on OK
- Virtual Network a <customer specified Virtual Network >
- Subnet a < customer specified Subnet >
- Click on Ok
- AAD DC Administrator (manage group membership)
- Click on Ok to provision the resource
- Go to AADDS >> Select the Domain Service
- Update DNS Server Settings for your Virtual Networks>>Configure DNS Servers
- DNS Server >> Select Custom >> add DNS Servers and Save
Read more about Azure Identity and Access Management:
π Azure Privileged Identity Management | Azure AD PIM
π Microsoft Entra and Manage Azure Active Directory (Azure Portal)
π Azure Lighthouse: Take Control, Stay Secure and Informed