Services and identity types of Azure AD

https://docs.microsoft.com/en-us/learn/modules/explore-basic-services-identity-types/

What is Azure Active Directory

  • Microsoft’s cloud-hosted identity and access management service
  • Can provide single IdP for cloud and on-premises
  • Can synchronize with an on-premises Active Directory
  • Supports MFA
  • Provides identity based tools and services

Azure AD editions

Free
  • Administer users
  • Create groups
  • Sync with on-prem AD
  • Basic reports
  • Self-service password change for cloud users
  • SSO for Azure, M365 and other SaaS apps
Office 365 apps
  • Everything as above…plus
  • Self-service password reset for cloud users, and device write-back so the device object can sync back to the on-prem AD
P1
  • Everything as above…plus
  • Dynamic groups
  • Self-service group management
  • Microsoft Identity Manager
  • Cloud write-back to allow password reset for on-prem users
P2
  • Everything as above…plus
  • Azure Active Directory Identity Protection for risk-based conditional access
  • Privileged Identity Management (PIM) to discover, restrict and monitor administrators and their access rights, providing just-in-time (JIT) access

Azure AD identity types

Azure AD manages different types of identities

User
  • Employees and guests are users
  • Users can be in a group
  • Groups can be assigned permissions instead of individual users
Service principal
  • Security identity used by apps or services
  • App must be registered with Azure AD
  • Registering creates a globally unique app object
  • The service principal is also created and references the app registration
Managed identity
  • Automatically managed in Azure AD
  • Used to manage the credentials for authenticating a cloud app with an Azure service
  • Devs can authenticate to services that support managed ID
  • Any Azure service that supports Azure AD can use managed ID to authenticate another service such as Azure Key Vault
  • Zero cost
Two types of managed ID

System-assigned allows you to enable managed ID directly on the service. The ID is created in Azure AD and exists only for the lifecycle of the service. Only that Azure service can use the ID to request tokens from Azure AD.

User-assigned is created as a standalone resource and can be assigned to one or more Azure services, or to one or more instances of an Azure service. The ID is managed separately from the Azure service lifecycle.
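As an added example (not from the Microsoft Learn module), this is the token request a workload sends to the Azure Instance Metadata Service (IMDS) for each managed identity type, with Key Vault as the target service named above; the endpoint, query parameters and Metadata header are Azure's documented IMDS interface, while the sample response, the fake token value and the client ID are constructed.

```python
"""Request a managed-identity token from the Azure Instance Metadata Service (IMDS).

Added example: IMDS endpoint/parameters are Azure's documented interface; the
token response below is constructed sample data, not a real token."""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"

# Constructed sample response, shaped like a real IMDS reply (token value is fake).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ.fake.token",
    "expires_on": "1700000000",
    "resource": KEY_VAULT_RESOURCE,
    "token_type": "Bearer",
})


def build_token_request(resource, client_id=None):
    """Return (url, headers) for an IMDS token request.

    System-assigned: leave client_id as None; IMDS uses the one identity bound
    to this service instance. User-assigned: pass the identity's client_id so
    IMDS knows which of the attached identities should issue the token.
    """
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return f"{IMDS_TOKEN_URL}?{urlencode(params)}", {"Metadata": "true"}  # header is mandatory


def parse_token_response(body, expected_resource):
    """Validate the JSON body; return the bearer token and its expiry (epoch seconds)."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    if data.get("resource") != expected_resource:  # never reuse a token minted for another API
        raise ValueError("token issued for a different resource")
    return {"access_token": data["access_token"], "expires_on": int(data["expires_on"])}


def get_token(resource, client_id=None, transport=None):
    """Fetch a token; pass transport(url, headers) -> str to run without a live IMDS."""
    url, headers = build_token_request(resource, client_id)
    if transport is None:  # real HTTP call, only reachable from inside an Azure service
        transport = lambda u, h: urlopen(Request(u, headers=h), timeout=5).read().decode()
    return parse_token_response(transport(url, headers), resource)
```

Because the request carries no secret, any process on the host that can reach IMDS can obtain the token, which is why the identity's role assignments should be scoped as narrowly as the workload needs.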

Device
  • Hardware based such as mobile, laptop, server or printer
  • Device ID in Azure AD can describe who owns the device
  • Microsoft Intune can be used to manage registered devices
  • Azure AD enables SSO via these devices

Azure AD registered devices can be Windows 10, iOS, macOS or Android. Typically a registered device is personally owned and signed in with a personal Microsoft account or local account.

Azure AD joined devices exist only in the cloud. Owned by an organization and signed in with an organization account.

Hybrid Azure AD joined devices can be Windows 7, 8.1 or 10 or Windows Server 2008 or newer. Devices are owned by the organization and signed in with an Active Directory account. They exist in the cloud and on-premises.

Types of external identities

  • Enable organizations to let external users access resources by “bringing their own identities”
  • Enabled through Azure AD support for external IdPs such as another Azure AD tenant, Facebook, Google or enterprise IdP services
  • Configure federation with an IdP, allowing external users to sign in with their own enterprise or social accounts

B2B allows you to share your apps and resources with external users

B2C is an IdM solution for customer facing apps

B2B
  • Allows sharing of your own apps and services with guests from other organizations
  • You maintain control over the data
  • Uses invitation and redemption
  • Allows externals to access your resources with their credentials
  • External user accounts are managed in Azure AD
  • External users are marked as guests
  • Guest accounts can be managed exactly the same as normal accounts
B2C
  • Is a ‘Customer Identity Access Management’ (CIAM) solution
  • Allows external users to sign in with their preferred social, enterprise or local account to get SSO access to your apps
  • Azure AD B2C supports millions of users per day
  • It takes care of scaling, security, monitoring and threats such as DoS, password spray or brute force
  • External users are managed in the Azure AD B2C directory which is separate from the organization directory
  • Customizable with app branding
  • Requires an Azure AD P1 or P2 license

Hybrid identities

The hybrid model is where users are created in Active Directory or another IdP and then synchronized to Azure AD using Azure AD Connect.

Cloud only is where users are created and managed solely in Azure AD.

  • Regardless of where the user is created/managed, they can access cloud and on-premises services
  • For hybrid identities, authentication can either be performed by Azure AD itself (known as managed authentication) or Azure AD can redirect the client to another IdP such as Active Directory (known as federated authentication)

Authentication methods

Password hash synchronization enables authentication for on-premises accounts in Azure AD.

Pass-through authentication (PTA) is an alternative to password hash synchronization in which user passwords are only ever stored on-premises in Active Directory. When a user authenticates using Azure AD, it passes the authentication request directly to the on-premises IdP.

With federated authentication, Azure AD does not process any authentication requests and instead hands off the entire process to a federated IdP such as an on-premises Active Directory.

Last modified July 21, 2024: update (e2ae86c)