Now let's see how we can manage users and access in Azure.
Authentication and authorization are the fundamental concepts when discussing identity and access management, so let's take a look at the difference between them.
Authentication is the process of establishing the identity of a person or an application looking to gain access to a resource or data.
In essence, it confirms that they are who they claim to be.
Authentication is not new to the digital world. The use of passports, driving licenses or other identification methods are all examples of authentication in the offline world.
Authentication is the basis for creating a security principal that can be used to access the resource.
Authorization, on the other side, is the process of establishing the level of access the principal has. It determines what data and resources they are allowed to access. For example, an employee can access their own payroll information, while the accountant can access the payroll for the whole company.
Authentication and authorization are often abbreviated as AuthN and AuthZ.
We've already had a brief discussion of Azure Active Directory, but let's look a bit deeper into it.
Azure Active Directory, or Azure AD, is a cloud-based identity service that you can use to synchronize your on-premises identities, or to use with other enterprise services from Microsoft, like Office 365 and Dynamics 365.
This means that you can use the same identities across applications.
Azure AD provides services like authentication, single sign-on, business-to-business and business-to-consumer identity management, and application and device management.
The more identities a user has to manage, the greater the risk of a credential-related security incident.
Different applications have different password policies, and as the complexity grows, remembering those becomes hard.
On the other side, if a user leaves the organization, removing their identities from every application is a tedious task.
With single sign-on, users need to remember only one password, which simplifies the security model.
By using Azure Active Directory for SSO, you also get the ability to create an intelligent security graph that you can use to do threat analysis and offer real-time identity protection for all your users.
Another technology that improves the protection of user identities is multi-factor authentication, or MFA.
MFA is also known as two-factor authentication, or 2FA, because it requires two or more elements for authentication.
Those elements fall into the following categories:
Something you know, like a password or the answer to a security question.
Something you possess, like an authenticator app on your phone or a hardware security token, and something you are, like your fingerprint, iris or face.
MFA increases the security of user accounts because the probability of an attacker acquiring access to multiple of the above factors is lower.
Azure AD has built-in capabilities for multi-factor authentication and can integrate with external MFA providers. The functionality is free of charge for users designated as global administrators in Azure AD, because those are highly sensitive accounts.
Other user accounts can have MFA enabled after purchasing a license.
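To make the three ideas above concrete (authentication as proving who you are, MFA as factors from two or more distinct categories, and authorization as deciding what the resulting principal may do), here is a small worked model. It is an added example written for this page, not code from the video or from Azure AD; the user store, password hashes, TOTP secrets, role names and the payroll resource naming are all constructed for the example, and the TOTP routine follows RFC 6238 with HMAC-SHA1.

```python
"""Added example (not from the original lecture or from Azure AD): a toy
model of authentication, multi-factor checks and authorization.
All user records, secrets, roles and resource names are constructed."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field

# The three factor categories named in the lecture.
KNOW, HAVE, ARE = "know", "have", "are"

# Constructed salt; a real system uses a random per-user salt.
SALT = b"example-salt"


def _hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 hash of a password (knowledge factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed user store: password hash, authenticator-app secret, roles
# and the employee id used to scope payroll access.
USERS = {
    "alice": {"pw": _hash_password("alice-pass"), "totp": b"alice-totp-key",
              "roles": {"employee"}, "employee_id": "E100"},
    "bob": {"pw": _hash_password("bob-pass"), "totp": b"bob-totp-key",
            "roles": {"employee", "accountant"}, "employee_id": "E200"},
}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time (possession factor)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Principal:
    """An authenticated identity together with its claims and roles."""
    name: str
    roles: set
    claims: dict = field(default_factory=dict)


def authenticate(username, password=None, totp_code=None, now=None):
    """Return a Principal if the presented factors span at least two
    distinct categories, otherwise None.  Two factors from the same
    category (e.g. password plus PIN) would not count as MFA here."""
    user = USERS.get(username)
    if user is None:
        return None
    satisfied = set()
    if password is not None and hmac.compare_digest(
            _hash_password(password), user["pw"]):
        satisfied.add(KNOW)
    if totp_code is not None:
        now = int(time.time()) if now is None else now
        # Accept the current and the previous step to tolerate clock drift.
        for t in (now, now - 30):
            if hmac.compare_digest(totp(user["totp"], t), totp_code):
                satisfied.add(HAVE)
                break
    if len(satisfied) < 2:
        return None
    # "amr" records which factor categories were used, as a token claim would.
    return Principal(username, set(user["roles"]),
                     {"employee_id": user["employee_id"],
                      "amr": sorted(satisfied)})


def authorize(principal, action, resource):
    """Authorization: accountants may read all payroll records; employees
    may read only their own (resource is e.g. 'payroll/E100')."""
    if principal is None:
        return False
    kind, _, owner = resource.partition("/")
    if kind != "payroll" or action != "read":
        return False
    if "accountant" in principal.roles:
        return True
    return ("employee" in principal.roles
            and owner == principal.claims["employee_id"])


if __name__ == "__main__":
    t = int(time.time())
    p = authenticate("alice", "alice-pass", totp(USERS["alice"]["totp"], t), now=t)
    print(p, authorize(p, "read", "payroll/E100"), authorize(p, "read", "payroll/E200"))
```

The separation matters: authenticate() never looks at the resource, and authorize() never looks at credentials, so a second factor of the same category cannot be mistaken for MFA, and a role change takes effect without touching the login path.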
Azure Active Directory also allows you to create service identities.
Service identities are kept in Azure and eliminate the need to store credentials in configuration files, thus reducing the exposure of the credentials.
Azure AD has two ways to control service identities.
The first one is the use of a service principal. To understand what a service principal is, let's look at the difference between an identity and a principal.
An identity is a thing that can be authenticated.
This can be a user who has a username and password, but it can also be an application or service that can authenticate with certificates or keys.
A principal is an identity that acts with certain claims and roles assigned to it.
A service principal is then a service identity that can be assigned roles.
The creation of a service principal requires configuration steps that make it a tedious process. You need to create the principal, configure the server or the application to use it, and then you have to maintain the principal throughout the application life cycle.
The use of managed service identities is much easier because all the work of creation, configuration and maintenance is done by Azure.
The infrastructure is responsible for establishing the identity and authenticating with the service. Within your application, you can use this identity as any other Azure AD user identity.
Note that not all services in Azure support managed service identities as of now, but the list is constantly growing.
We've mentioned roles in the previous slide. But what are they really useful for?
Roles are sets of granular permissions to resources and data that can be assigned to users.
Azure AD has built-in roles like Reader, Contributor or Global Administrator, but you can create custom ones if none of the built-in ones satisfies your needs.
Identities are mapped to roles either directly or through a group membership.
Roles can be granted at the individual resource level, but they can also flow down the Azure hierarchy.
A role assigned at a higher level in the hierarchy is also considered in effect at the lower levels.
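The inheritance rule just described (an assignment at a higher scope applies at every scope beneath it, and group membership carries assignments to the user) is easy to get wrong when reviewing who can do what, so here is a small evaluator that walks it through. This is an added example for this page, not Azure's own evaluation logic: the scope strings are a simplified path form, the action sets for Reader and Contributor are constructed simplifications of the real role definitions, and the users, groups and assignments are made up.

```python
"""Added example (not from the lecture or from Azure): a minimal
role-based access evaluator showing scope inheritance and group-carried
assignments.  Scopes, roles, users, groups and assignments are constructed;
the action sets are a simplification of the real built-in roles."""

# Constructed role definitions: role name -> permitted actions.
ROLE_ACTIONS = {
    "Reader": {"read"},
    "Contributor": {"read", "write", "delete"},
}

# Constructed group membership: user -> set of groups.
GROUPS = {
    "carol": {"devops"},
    "dave": set(),
}

# Constructed role assignments: (principal, role, scope).  Scopes use a
# simplified slash path; a child scope starts with its parent's path.
SUB = "/subscriptions/sub-prod"
ASSIGNMENTS = [
    ("carol", "Reader", SUB),                              # whole subscription
    ("devops", "Contributor", SUB + "/resourceGroups/web"),  # one resource group
    ("dave", "Reader", SUB + "/resourceGroups/web/vm1"),     # single resource
]


def scope_covers(assigned_scope: str, scope: str) -> bool:
    """True if `scope` is `assigned_scope` itself or lies beneath it.
    The trailing '/' guard stops '/subscriptions/sub-prod' from matching
    '/subscriptions/sub-production'."""
    assigned = assigned_scope.rstrip("/")
    return scope == assigned or scope.startswith(assigned + "/")


def effective_roles(user: str, scope: str) -> dict:
    """Roles in effect for `user` at `scope`, mapped to the scope at which
    each was assigned (directly or through a group)."""
    principals = {user} | GROUPS.get(user, set())
    roles = {}
    for principal, role, assigned_scope in ASSIGNMENTS:
        if principal in principals and scope_covers(assigned_scope, scope):
            # Keep the first (highest-level) assignment seen for the role.
            roles.setdefault(role, assigned_scope)
    return roles


def is_allowed(user: str, action: str, scope: str) -> bool:
    """Allow if any effective role at the scope permits the action."""
    return any(action in ROLE_ACTIONS.get(role, set())
               for role in effective_roles(user, scope))


if __name__ == "__main__":
    vm = SUB + "/resourceGroups/web/vm1"
    print(effective_roles("carol", vm))
    print(is_allowed("carol", "write", vm), is_allowed("dave", "write", vm))
```

Reading the result for carol at vm1 shows the two directions at once: Reader arrives from the subscription above, Contributor arrives through the devops group at the resource group, while dave's assignment on vm1 gives him nothing at the resource group or subscription, because assignments flow down the hierarchy, never up.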
Azure AD doesn't only give you the tools to manage role-based access for your users, but also to monitor and audit that role membership.
Azure Privileged Identity Management completes the set of tools you need to achieve a high level of regulatory compliance for your workloads on Azure.
Azure Privileged Identity Management is a paid offering available to customers who purchased Azure AD Premium P2, Enterprise Mobility and Security E5, or Microsoft 365 E5.
In our next video, we'll see how you can leverage encryption in Azure to protect your data.