- Back to the Cloud
- Posts
- ๐ก๏ธ Unlocking Azure Identity: Who Are You and What Can You Do?
๐ก๏ธ Unlocking Azure Identity: Who Are You and What Can You Do?
Sandeep Reddy M
June 11, 2025 โข Estimated Reading Time: 4 minutes
Hey there, identity navigator!
Last week, we explored the core of Azureโs engine โ Compute services. This week on โBack to the cloudโ, we're diving into something just as critical: Identity and Access Management.
๐น 1. Azure Active Directory (Azure AD)
๐ What Is It?
Azure AD is Microsoftโs cloud-based identity and access management (IAM) service. It helps employees sign in and access:
Microsoft 365
Azure portal
Custom apps
Thousands of SaaS apps
Think of it as the cloud version of Active Directory, but not a 1-to-1 replacement of on-prem AD.
๐ Key Features:
Single Sign-On (SSO): One login for all apps and services.
Authentication: Username + password, MFA, biometrics.
Authorization: What users are allowed to do (via RBAC).
Device registration: Manage mobile and PCs.
Conditional Access: Enforce policies based on location, device, etc.
โ Common Azure AD Objects:
Object | Description |
|---|---|
Users | People with login access |
Groups | Collection of users |
Applications | Registered apps (e.g., SaaS or custom) |
Service Principals | Identity for apps/services to access resources |
๐ก Exam Tip:
"Which service handles user authentication in Azure?" โ Answer: Azure Active Directory
๐น 2. Role-Based Access Control (RBAC)
๐ What is RBAC?
Controls what users can do with Azure resources.
Identity = who RBAC = what theyโre allowed to do
๐งฉ RBAC Components:
Component | Description |
|---|---|
Security Principal | User, group, service principal, or managed identity |
Role Definition | Collection of permissions (e.g., Reader, Contributor) |
Scope | Level at which role applies (Management Group โ Subscription โ Resource Group โ Resource) |
Role Assignment | Binds a principal to a role at a scope |
๐ Built-in Roles to Know:
Role | Permissions |
|---|---|
Owner | Full access + manage access |
Contributor | Full access, can't manage access |
Reader | View-only |
User Access Administrator | Manage RBAC permissions |
๐ You can also create custom roles, but that's not on AZ-900.
๐น 3. Multi-Factor Authentication (MFA)
๐ก๏ธ What is MFA?
Requires two or more authentication methods:
Password
OTP (phone/email)
Biometrics (Windows Hello, Authenticator app)
๐ Enabled via Azure AD โ Free tier includes MFA for admins by default.
๐น 4. Conditional Access
๐ฆ What is it?
Azure AD feature to apply rules and policies based on conditions, like:
User/group
Device type
Location (IP)
App being accessed
Example: Require MFA if login is from a new country.
๐ง What is it?
Uses AI and machine learning to detect risky sign-ins and risky users.
Can automatically:
Block sign-ins
Force password resets
Trigger conditional access
๐ Available in Azure AD Premium P2, not on the free tier.
๐น 6. Azure AD Join vs. Hybrid Join
Type | Use Case |
|---|---|
Azure AD Join | Devices joined directly to Azure AD (cloud-only environments) |
Hybrid Join | Devices joined to on-prem AD + Azure AD (for hybrid orgs) |
๐น 7. Managed Identities
Automatically manage identities for Azure resources (like VMs or App Services).
Used to access other Azure services securely (like Azure Key Vault) without storing credentials.
๐ Available in System-assigned (1:1) or User-assigned (reusable across resources).
โ AZ-900 Quick Identity Scenarios
Scenario | Service |
|---|---|
Authenticate users across cloud apps | Azure AD |
Give a developer read-only access to a resource group | RBAC โ Reader role |
Require a second factor to access the Azure Portal | MFA |
Restrict access by location | Conditional Access |
Automatically detect and respond to risky logins | Identity Protection |
Allow a VM to access a Key Vault securely | Managed Identity |
๐ง Final Exam Tips for Azure Identity
Know Azure AD is used for authentication and SSO.
RBAC = Authorization at scope levels (Subscription โ Resource Group โ Resource).
MFA is a common security feature. It protects against stolen credentials.
Conditional Access lets you create smart access policies.
Managed Identity = No secrets or credentials needed for resource-to-resource access.