Let's see how we can manage users in Azure.
Authentication and authorization are the fundamental concepts when discussing identity and access management. Let's take a look at the differences between those two.
Authentication is the process of establishing the identity of a person or an application looking to gain access to a resource or data. In essence, it confirms that they are who they claim to be.
Authentication is not new to the digital world, either. The use of passports, driving licenses or other identification methods are all examples of authentication in the offline world. Authentication is the basis for creating a security principal that can be used to access a resource.
Authorization, on the other hand, is the process of establishing the level of access the principal has. It determines what data and resources they are allowed to access. For example, an employee can access their own payroll information, while the accountant can access the payroll for the whole company.
Authentication and authorization are often abbreviated as AuthN and AuthZ.
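The payroll scenario above, worked as code. This is an added example and not from the video: the user table, passwords and role names are constructed for the demo, and the point is that authentication (who is calling?) and authorization (what may this principal do?) are two separate decisions, each with its own failure result.

```python
"""Added example (not from the video): authentication and authorization as two
separate steps, using the payroll scenario from the text.

Assumptions: an in-memory user table with salted PBKDF2 password hashes,
constructed here for the demo; an authenticated principal carries claims
(subject and roles) that the authorization step reads.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str, roles: list) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": roles}


# Constructed sample directory: alice is a plain employee, bob is also an accountant.
USERS = {
    "alice": _make_user("alice-pw-constructed", ["employee"]),
    "bob": _make_user("bob-pw-constructed", ["employee", "accountant"]),
}


@dataclass(frozen=True)
class Principal:
    """An authenticated identity plus the claims attached to it."""
    subject: str
    roles: frozenset


def authenticate(username: str, password: str):
    """AuthN: prove the caller is who they claim to be. Returns a Principal or None."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    return Principal(subject=username, roles=frozenset(record["roles"]))


def can_read_payroll(principal, target_employee: str) -> bool:
    """AuthZ: decide what the already-authenticated principal may access."""
    if principal is None:
        return False
    if "accountant" in principal.roles:
        return True  # accountants see the whole company's payroll
    return "employee" in principal.roles and principal.subject == target_employee


def payroll_request(username: str, password: str, target_employee: str) -> str:
    """Full flow: authenticate first, then authorize the specific access."""
    principal = authenticate(username, password)
    if principal is None:
        return "401 Unauthenticated"
    if not can_read_payroll(principal, target_employee):
        return "403 Forbidden"
    return f"200 payroll of {target_employee}"
```

Note that a failed login and a disallowed access return different status codes: the first says nothing about what the caller would have been allowed to do, the second is only reachable once identity has been established.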
We've already had a brief discussion of Azure Active Directory, but let's take a bit deeper look into it.
Azure Active Directory, or Azure AD, is a cloud-based identity service that you can use to synchronize your on-premises identities or to use with other enterprise services from Microsoft, like Office 365 and Dynamics 365. This means that you can use the same identity across applications.
Azure AD provides services like authentication, single sign-on, business-to-business and business-to-consumer identity management, application management and device management.
The more identities a user has to manage, the greater the risk of credential-related security incidents. Different applications have different password policies, and with the growth of complexity, remembering those becomes hard. On the other hand, if a user leaves an organization, removing their accounts from every application is a tedious task.
With single sign-on, users need to remember only one password, which simplifies the security model. By using Azure Active Directory for SSO, you also have the ability to create an intelligent security graph that you can use to do threat analysis and offer real-time identity protection for all your users.
Another technology that improves the protection of users' identities is multi-factor authentication, or MFA. MFA is also known as two-factor authentication, or 2FA, because it requires two or more elements for full authentication. Those elements fall into the following categories:
something you know, like a password or the answer to a security question;
something you possess, like an authenticator app on your phone or a hardware security token;
and something you are, like your fingerprint, iris or your face.
MFA increases the security of user accounts because the probability that an attacker has access to multiple of these factors is low.
Azure AD has built-in capabilities for multi-factor authentication and can integrate with external MFA providers. The functionality is free of charge for users who are designated global administrators in Azure AD, because those are highly sensitive accounts. Other user accounts can have MFA enabled after purchasing a license.
Azure Active Directory also allows you to create service identities. Service identities are kept in Azure and eliminate the need to store credentials in configuration files, thus reducing the exposure of the credentials.
Azure AD has two ways to handle service identities. The first one is the use of a service principal.
To understand what a service principal is, let's look at the difference between an identity and a principal. An identity is something that can be authenticated. This can be a user who has a username and password, but it can also be an application or service that can authenticate with certificates and keys. A principal is an identity that has certain claims and roles assigned to it. A service principal is a service identity that can be assigned roles.
The creation of a service principal requires configuration steps that make this a tedious process. You need to create the principal and configure the server or the application to use it. Then you have to maintain the principal throughout the application lifecycle.
The use of managed service identities is much easier because all the work of creation, configuration and maintenance is done by Azure. The infrastructure is responsible for establishing the identity and authenticating with the service. Within your application, you can use this identity as any other Azure AD user identity.
Note that not all Azure services support managed service identities as of now, but the list is constantly growing.
We've mentioned roles in the previous slide, but what are they really useful for?
Well, roles are a set of granular permissions to resources and data that can be assigned to users. Azure has built-in roles like Reader, Contributor or Global Administrator, but you can create custom ones if none of the built-in ones satisfies your needs.
Identities are mapped to roles either directly or through a group membership. Roles can be granted at the individual resource level, but they can also flow down the Azure hierarchy. A role assigned at a higher level in the Azure hierarchy is also considered in effect at the lower levels.
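To make the three points above concrete (roles as granular permission sets, assignment directly or through a group, and assignments flowing down the hierarchy), here is an added example that models how effective permissions are evaluated. It is not Azure's own code or the video's: scopes are written as Azure-style resource ID paths, role definitions use Actions/NotActions with `*` wildcards in the same shape as Azure role definitions, and every principal, group, subscription ID and assignment below is constructed sample data. Deny assignments, which Azure also supports, are not modeled.

```python
"""Added example (not from the video, not Azure's own code): a small model of how
Azure RBAC resolves an identity's effective permissions at a scope.

Assumptions: scopes are Azure-style resource ID paths; a role grants what its
Actions patterns match minus what its NotActions patterns match; matching is
case-insensitive; all principals, groups and assignments are constructed.
"""
from fnmatch import fnmatchcase

# Role definitions. Reader/Contributor/Owner follow the shape of the Azure
# built-ins; "Custom VM Operator" stands in for a custom role.
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete"],
    },
    "Owner": {"actions": ["*"], "not_actions": []},
    "Custom VM Operator": {
        "actions": ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/restart/action"],
        "not_actions": [],
    },
}

# Group membership (constructed): group name -> members.
GROUPS = {"ops-team": {"carol", "dave"}}

# Constructed scope hierarchy: subscription -> resource group -> resource.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PROD = SUB + "/resourceGroups/prod"
RG_DEV = SUB + "/resourceGroups/dev"
VM_WEB = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/web01"
VM_DEV = RG_DEV + "/providers/Microsoft.Compute/virtualMachines/dev01"

# Role assignments (constructed): (assignee, role, scope).
ASSIGNMENTS = [
    ("alice", "Reader", SUB),                     # flows down to every RG and resource
    ("bob", "Contributor", RG_PROD),              # prod RG and everything inside it only
    ("ops-team", "Custom VM Operator", VM_WEB),   # via group, on a single resource
]


def scope_contains(assigned_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and at every scope beneath it."""
    return target_scope == assigned_scope or target_scope.startswith(assigned_scope + "/")


def principals_for(identity: str) -> set:
    """The identity itself plus every group it is a member of."""
    return {identity} | {g for g, members in GROUPS.items() if identity in members}


def role_grants(role_name: str, action: str) -> bool:
    """Actions minus NotActions, with Azure-style '*' wildcards, case-insensitive."""
    role = ROLES[role_name]
    act = action.lower()
    allowed = any(fnmatchcase(act, p.lower()) for p in role["actions"])
    denied = any(fnmatchcase(act, p.lower()) for p in role["not_actions"])
    return allowed and not denied


def is_allowed(identity: str, action: str, scope: str) -> bool:
    """True if any assignment at this scope or above, direct or via group, grants the action."""
    subjects = principals_for(identity)
    return any(
        assignee in subjects and scope_contains(s, scope) and role_grants(role, action)
        for assignee, role, s in ASSIGNMENTS
    )


def effective_roles(identity: str, scope: str) -> list:
    """The roles that reach this scope for the identity; useful for an access review."""
    subjects = principals_for(identity)
    return sorted({role for assignee, role, s in ASSIGNMENTS
                   if assignee in subjects and scope_contains(s, scope)})
```

The `effective_roles` helper is the audit-side view of the same data: when reviewing who holds what, it is the inherited assignments from higher scopes (here, alice's Reader at the subscription) that are easiest to overlook, because they never appear on the resource itself.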
Azure doesn't only give you the tools to manage role-based access for your users, but also a tool to monitor and audit the role members. Azure Privileged Identity Management completes the set of tools you need to achieve a high level of regulatory compliance for your workloads in Azure.
Azure Privileged Identity Management is a paid offering to customers who purchase Azure AD Premium P2, Enterprise Mobility and Security E5, or Microsoft 365 M5.
In our next video, we'll see how you can leverage encryption in Azure to protect your data.