# Azure Identity & Access Management

*Securing Your Cloud Resources*

## Table of Contents
- Introduction to Identity in Azure
- Microsoft Entra ID (Azure AD)
- Users, Groups, and Administrative Units
- Role-Based Access Control (RBAC)
- Azure AD Authentication Methods
- Conditional Access Policies
- Managed Identities
- Best Practices

## 1. Introduction to Identity in Azure

Identity is the foundation of security in Azure. It answers the question: Who is accessing what?

**Identity vs Access:**

| Identity: "Who are you?" | Access: "What can you do?" |
|---|---|
| User | RBAC |
| Group | Policies |
| Service Principal | Licenses |

An identity (left column) is granted access (right column); the identity answers who is asking, the access layer answers what they may do.

**Why Identity Matters:**

| Concern | Without Identity | With Identity |
|---|---|---|
| Security | Anyone can access | Only authenticated users |
| Audit | No tracking | Full audit trail |
| Compliance | Hard to prove | Evidence available |
| Productivity | Shared accounts | Personalized access |

## 2. Microsoft Entra ID (Azure AD)

Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service.

**What is Microsoft Entra ID?**

- Cloud identity provider
- Single Sign-On (SSO) for cloud apps
- Identity governance
- Application proxy
- B2B and B2C identity

**Azure AD vs On-Premises AD:**

| Feature | On-Prem AD | Microsoft Entra ID |
|---|---|---|
| Authentication | Kerberos, NTLM | OAuth2, SAML, OIDC |
| Protocol | LDAP | REST API |
| Scale | Forest/domain | Tenant-based |
| Cloud integration | Requires sync | Native |
| MFA | Additional setup | Built-in |

**Azure AD Editions:**

| Feature | Free | P1 | P2 |
|---|---|---|---|
| Users | Unlimited | Unlimited | Unlimited |
| SSO | 10 apps | Unlimited | Unlimited |
| MFA | Limited | Full | Full |
| Conditional Access | - | ✓ | ✓ |
| Identity Protection | - | - | ✓ |
| Access Reviews | - | - | ✓ |
| Cost | Free | $6/user/month | $9/user/month |

## 3. Users, Groups, and Administrative Units

**Creating Users:**

```bash
# Create a user (the password is a sample initial value; force a change at first sign-in)
az ad user create \
  --display-name "John Smith" \
  --password "Password123!" \
  --user-principal-name "john@mycompany.onmicrosoft.com" \
  --force-change-password-next-sign-in true

# List users
az ad user list

# Get user details
az ad user show --id john@mycompany.onmicrosoft.com

# Delete user
az ad user delete --id john@mycompany.onmicrosoft.com
```

**User Properties:**

| Property | Description |
|---|---|
| User Principal Name (UPN) | user@domain.onmicrosoft.com |
| Display Name | Human-readable name |
| Mail Nickname | Part of UPN before @ |
| Job Title | User's role |
| Department | Organization unit |
| Usage Location | Country for licensing |

**Groups:**

Group types:

- Security Groups: manage access, assign permissions, assign licenses
- Microsoft 365 Groups: collaboration, email & Teams, SharePoint access

Membership types:

- Assigned: manual member addition
- Dynamic User: rule-based membership
- Dynamic Device: rule-based device membership

**Administrative Units:**

- Create organizational divisions
- Delegate administration
- Apply policies at scope

Administrative units are managed through the Microsoft Graph API, which from the Azure CLI means `az rest`:

```bash
# Create administrative unit
az rest --method POST \
  --url "https://graph.microsoft.com/v1.0/directory/administrativeUnits" \
  --body '{"displayName": "Marketing Department", "description": "Marketing team administrators"}'

# Add user to admin unit
az rest --method POST \
  --url 'https://graph.microsoft.com/v1.0/directory/administrativeUnits/<admin-unit-id>/members/$ref' \
  --body '{"@odata.id": "https://graph.microsoft.com/v1.0/users/<user-id>"}'
```

4. Role-Based Access Control (RBAC)
RBAC Concepts:
┌─────────────────────────────────────────────────────────────────┐
│ RBAC MODEL │
├─────────────────────────────────────────────────────────────────┤
│ │
│ Role Assignment │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Principal ──→ Role ──→ Scope │ │
│ │ (Who?) (What?) (Where?) │ │
│ │ | │
│ │ • User • Owner • Subscription │ │
│ │ • Group • Contributor • Resource Group │ │
│ │ • Service • Reader • Resource │ │
│ │ Principal • Custom Role • Management Group │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
**Built-in Roles:**

| Role | Description | Use Case |
|---|---|---|
| Owner | Full control, can manage access | Team lead |
| Contributor | Manage resources, but cannot grant access | Developer |
| Reader | View resources only | Auditor |
| User Access Administrator | Manage access (role assignments) | Security admin |

**Resource-Specific Roles:**

- Storage Account - Storage Blob Data Owner, Storage Table Data Reader
- Virtual Machine - Virtual Machine Contributor
- Key Vault - Key Vault Contributor, Key Vault Secrets Officer

**Assigning Roles:**

```bash
# Assign role to user at subscription level
az role assignment create \
  --assignee john@mycompany.onmicrosoft.com \
  --role "Contributor" \
  --scope "/subscriptions/<sub-id>"

# Assign role to a group at resource group level
# (groups are addressed by object id; look it up from the display name)
az role assignment create \
  --assignee-object-id "$(az ad group show --group Developers --query id -o tsv)" \
  --assignee-principal-type Group \
  --role "Virtual Machine Contributor" \
  --scope "/subscriptions/<sub-id>/resourceGroups/Dev"

# List assignments
az role assignment list --assignee john@mycompany.onmicrosoft.com

# Remove assignment
az role assignment delete \
  --assignee john@mycompany.onmicrosoft.com \
  --role "Contributor" \
  --scope "/subscriptions/<sub-id>"
```

**Custom Roles:**

```json
{
  "Name": "Storage Blob Reader",
  "IsCustom": true,
  "Description": "Can read blob storage containers and blobs",
  "Actions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
  ],
  "AssignableScopes": [
    "/subscriptions/<sub-id>"
  ]
}
```

## 5. Azure AD Authentication Methods

**Available Methods:**

- Password-based
  - Password (username + password)
  - Authenticator app (TOTP)
- Passwordless (Recommended)
  - Windows Hello for Business
  - FIDO2 Security Keys
  - Microsoft Authenticator app
- Multi-Factor Authentication (MFA)
  - SMS (text message)
  - Phone call
  - Authenticator app

**MFA Setup:**

MFA is not switched on with a single Azure CLI command; it is enforced through Conditional Access (next) or the tenant's security defaults. From the CLI you can look the user up and check which authentication methods they have registered through Microsoft Graph:

```bash
# Look up the user's object id
az ad user show --id john@mycompany.onmicrosoft.com --query id -o tsv

# List the authentication methods the user has registered
# (requires the UserAuthenticationMethod.Read.All permission)
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/users/<user-id>/authentication/methods"
```

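An added example (not from the original page) that classifies the response of the Microsoft Graph call `GET /users/{id}/authentication/methods` by phishing resistance, which is how you tell whether a user's MFA is actually registered and how strong it is; the response body is a constructed sample, while the `@odata.type` names are the real Graph ones.

```python
"""Classify a user's registered authentication methods by phishing resistance.

Added example (not from the original page). Input is the JSON body returned by
GET https://graph.microsoft.com/v1.0/users/{id}/authentication/methods; the
sample below is constructed, not real tenant data.
"""
import json

# Strength class per Graph @odata.type; anything unlisted is reported as "unknown".
STRENGTH = {
    "#microsoft.graph.passwordAuthenticationMethod": "password",
    "#microsoft.graph.phoneAuthenticationMethod": "phishable",          # SMS / voice call
    "#microsoft.graph.emailAuthenticationMethod": "phishable",          # SSPR only
    "#microsoft.graph.softwareOathAuthenticationMethod": "phishable",   # TOTP codes
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod": "phishable",  # push
    "#microsoft.graph.fido2AuthenticationMethod": "phishing_resistant",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod": "phishing_resistant",
}
RANK = ["phishable", "unknown", "phishing_resistant"]  # weakest first

SAMPLE_RESPONSE = json.dumps({  # constructed sample: password + SMS only
    "value": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "method-1"},
        {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "id": "method-2",
         "phoneType": "mobile"},
    ]
})

def assess_methods(response_json):
    """Summarise MFA posture.

    mfa_capable:         at least one method other than the password is registered
    phishing_resistant:  FIDO2 or Windows Hello for Business is registered
    weakest_mfa:         the least resistant second factor, or None if there is none
    """
    methods = json.loads(response_json)["value"]
    classes = [STRENGTH.get(m["@odata.type"], "unknown") for m in methods]
    second_factors = [c for c in classes if c != "password"]
    return {
        "mfa_capable": bool(second_factors),
        "phishing_resistant": "phishing_resistant" in classes,
        "weakest_mfa": min(second_factors, key=RANK.index) if second_factors else None,
    }

if __name__ == "__main__":
    # prints {'mfa_capable': True, 'phishing_resistant': False, 'weakest_mfa': 'phishable'}
    print(assess_methods(SAMPLE_RESPONSE))
```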
**Conditional Access MFA:**

A policy in the Microsoft Graph `conditionalAccessPolicy` shape. The `users` and `applications` assignments are required for a policy to be created, and `platforms` is the Graph name for the device-platform condition:

```json
{
  "displayName": "Require MFA for non-compliant devices",
  "state": "enabled",
  "conditions": {
    "users": { "includeUsers": ["All"] },
    "applications": { "includeApplications": ["All"] },
    "signInRiskLevels": ["medium", "high"],
    "platforms": { "includePlatforms": ["iOS", "android"] }
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["mfa", "compliantDevice"]
  }
}
```

## 6. Conditional Access Policies

**What is Conditional Access?**

Policies that enforce access decisions based on conditions:
- User/Group
- Location (IP, country)
- Device state (compliant, domain-joined)
- Risk level
- Application

**Common Scenarios:**

Scenario 1: Block Access from Risky Locations

In Graph, the portal's "All locations" and "Trusted locations" are the values `All` and `AllTrusted`, and blocking is the `block` built-in control:

```json
{
  "conditions": {
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["block"]
  }
}
```

Scenario 2: Require Compliant Device

```json
{
  "conditions": {
    "deviceStates": {
      "includeStates": ["Compliant"],
      "excludeStates": ["Non-compliant"]
    }
  },
  "grantControls": {
    "builtInControls": ["compliantDevice"]
  }
}
```

The `compliantDevice` grant control is what enforces compliance; the device-state condition only narrows which sign-ins the policy evaluates.
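How policies like the two scenarios combine at sign-in, as an added example (not from the original page): a simplified evaluator over Graph-shaped policy documents. The policies and sign-in contexts are constructed samples, and the `location`, `location_trusted`, `risk`, `platform` and `satisfied` fields of a sign-in are a deliberate simplification of the real sign-in record.

```python
"""Evaluate Conditional Access policies against a sign-in context (added example, not
from the original page). A policy applies when every condition it states matches the
sign-in; "block" wins outright, otherwise its controls are required (all under AND, any
one under OR). Policies and sign-in contexts below are constructed samples."""

POLICIES = [
    {   # Scenario 1: block sign-ins from anywhere except trusted named locations
        "displayName": "Block untrusted locations", "state": "enabled",
        "conditions": {"locations": {"includeLocations": ["All"],
                                     "excludeLocations": ["AllTrusted"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Risky mobile sign-ins need MFA and a compliant device
        "displayName": "Require MFA for risky mobile sign-ins", "state": "enabled",
        "conditions": {"signInRiskLevels": ["medium", "high"],
                       "platforms": {"includePlatforms": ["iOS", "android"]}},
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    },
]

def policy_applies(policy, signin):
    """True when every condition present in the policy matches the sign-in."""
    c = policy["conditions"]
    if "locations" in c:
        loc = c["locations"]
        in_scope = "All" in loc["includeLocations"] or signin["location"] in loc["includeLocations"]
        excluded = ("AllTrusted" in loc["excludeLocations"] and signin["location_trusted"]) \
            or signin["location"] in loc["excludeLocations"]
        if not in_scope or excluded:
            return False
    if "signInRiskLevels" in c and signin["risk"] not in c["signInRiskLevels"]:
        return False
    if "platforms" in c and signin["platform"] not in c["platforms"]["includePlatforms"]:
        return False
    return True

def evaluate(policies, signin):
    """Return "block", "allow", or the sorted built-in controls still unsatisfied."""
    missing = set()
    for p in policies:
        if p["state"] != "enabled" or not policy_applies(p, signin):
            continue
        op, controls = p["grantControls"]["operator"], set(p["grantControls"]["builtInControls"])
        if "block" in controls:
            return "block"                 # any applicable block policy overrides every grant
        satisfied = controls & signin["satisfied"]
        if (op == "AND" and satisfied != controls) or (op == "OR" and not satisfied):
            missing |= controls - satisfied
    return "allow" if not missing else sorted(missing)
```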

**Implementing via Portal:**

- Go to Microsoft Entra ID → Security → Conditional Access
- Click "New policy"
- Configure:
  - Name
  - Assignments (who, what, where)
  - Grant controls (require MFA, compliant device)
- Enable policy
- Create

## 7. Managed Identities

**What Are Managed Identities?**

Managed identities provide Azure services with an identity in Azure AD, eliminating the need to manage credentials.

Managed identity workflow:

- Without a managed identity, the function has to hold its own secrets (for example in Key Vault) and present them to Azure resources itself, so someone must manage and rotate those secrets manually.
- With a managed identity, the function authenticates as an identity in Azure AD and is granted access to Azure resources through that identity; there is no secret to store or rotate.

**System-Assigned vs User-Assigned:**

| Feature | System-Assigned | User-Assigned |
|---|---|---|
| Lifecycle | Tied to resource | Independent |
| Sharing | Cannot share | Can share across resources |
| Use case | Single resource | Multiple resources |
| Creation | Automatic with resource | Manual |

**Using Managed Identity:**

```csharp
using System;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;

// DefaultAzureCredential uses the managed identity when running in Azure
// (and falls back to developer credentials such as the Azure CLI login locally)
var credential = new DefaultAzureCredential();

// Get token using Managed Identity
var token = await credential.GetTokenAsync(
    new TokenRequestContext(new[] { "https://storage.azure.com/.default" }));

// Access blob storage; the client requests tokens through the credential as needed
var blobServiceClient = new BlobServiceClient(
    new Uri("https://mystorage.blob.core.windows.net"),
    credential);
```

**Enable Managed Identity:**

```bash
# Enable system-assigned identity for VM
az vm identity assign \
  --name myVM \
  --resource-group myResourceGroup

# Enable for Function App
az functionapp identity assign \
  --name myFunction \
  --resource-group myResourceGroup
```

## 8. Best Practices

**Security Checklist:**

- Enable MFA for all users
- Use Conditional Access policies
- Implement least privilege with RBAC
- Use Managed Identities (not secrets)
- Enable password protection
- Regular access reviews
- Monitor sign-in logs
- Implement Privileged Identity Management (PIM)

**RBAC Best Practices:**

- **Use Groups** - Assign roles to groups, not users
- **Scope Appropriately** - Use resource group scope for teams
- **Custom Roles** - Create for specific needs
- **Audit Regularly** - Review role assignments
- **Document** - Track who has what access
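Turning the "use groups", "scope appropriately" and "audit regularly" points into a check, as an added example (not from the original page): it reads the `principalName`, `principalType`, `roleDefinitionName` and `scope` fields from `az role assignment list --all` output and flags direct user assignments and privileged roles at broad scope; the assignments below are constructed samples, not real tenant data.

```python
"""Audit Azure role assignments against the RBAC practices above.

Added example (not from the original page). Input is the JSON list produced by
`az role assignment list --all` (only four of its fields are used); the
assignments below are constructed samples, not real tenant data.
"""
import json

PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_SCOPES = {"root", "managementGroup", "subscription"}

def scope_level(scope):
    """Classify a scope string as root, managementGroup, subscription, resourceGroup or resource."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"                                   # "/" is the tenant root scope
    if parts[:3] == ["providers", "Microsoft.Management", "managementGroups"]:
        return "managementGroup"
    if len(parts) == 2:                                 # /subscriptions/<id>
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"

def audit_assignments(assignments_json):
    """Return (principalName, role, scope level, finding) for each violated practice."""
    findings = []
    for a in json.loads(assignments_json):
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        if a["principalType"] == "User":                # "Use Groups": roles belong on groups
            findings.append((a["principalName"], role, level, "direct user assignment; use a group"))
        if role in PRIVILEGED_ROLES and level in BROAD_SCOPES:   # "Scope Appropriately"
            findings.append((a["principalName"], role, level, "privileged role at broad scope"))
    return findings

SAMPLE = json.dumps([  # constructed sample in the shape of `az role assignment list`
    {"principalName": "john@mycompany.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/<sub-id>"},
    {"principalName": "Developers", "principalType": "Group",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": "/subscriptions/<sub-id>/resourceGroups/Dev"},
    {"principalName": "ci-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/corp"},
])

if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE):
        print(" | ".join(finding))
```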

**Identity Protection:**

```bash
# Review risky users (Identity Protection, P2) through Microsoft Graph
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers"

# Review conditional access policies
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
```

**Quick Reference:**

| Task | Command |
|---|---|
| Create user | `az ad user create --display-name <name>` |
| List users | `az ad user list` |
| Create group | `az ad group create --display-name <name>` |
| Assign role | `az role assignment create` |
| List roles | `az role definition list` |
| Enable MI | `az <resource> identity assign` |

**Hands-On Lab:**

Exercise 1: Create Users and Groups

- Create 3 users
- Create a group and add users
- Assign group to resource

Exercise 2: Configure RBAC

- Assign contributor role to a user
- Assign reader role to another user
- Verify permissions

Exercise 3: Enable MFA

- Enable MFA for a user
- Test MFA login

Exercise 4: Create Conditional Access

- Create policy requiring MFA
- Test from different locations

**Next Steps:**

- Explore Identity Protection
- Implement Access Reviews
- Learn about Privileged Identity Management (PIM)

---

*Azure Integration Hub - Learning Roadmap | Level: Beginner | Topic: Azure Identity & Access*