
AZ-900 Episode 25 | Azure Identity Services | Authentication, Authorization & Active Directory (AD)

Apr 07, 2024
Hello everyone, welcome back, I'm Adam and in this episode of Azure Fundamentals we're going to cover one of the most important topics when it comes to Azure, which is identity and access management. Pay attention: managing identities is one of the most critical issues when it comes to Azure, so whether you are trying to be a developer, an architect or an administrator, you should at least understand the basics. Today we're going to learn about a couple of terms when it comes to identity, things like what is identity, what is authentication, authorization and multi-factor authentication, and we will also cover the Azure Active Directory service. Without further ado, let's talk about identity first.
Identity generally means being something or someone. For example, our user accounts are considered identities, so when we log in to the Azure portal we use our own identities and typically identify ourselves using usernames and passwords, but identity can also mean an application or server that will identify itself with a secret key or certificate. The process of verifying that identity is called authentication, so if a user connects to your server he will present a username, for example Tom. The authentication server will require Tom to present some type of authentication factor, such as a password, and only then will Tom's session be established and his identity verified. So every time we log in to the Azure portal we need to present our own credentials; this is the authentication process. But once the identity is verified, there is another process called authorization: when Tom tries to access one of our services, it will be necessary to validate his account to know whether the owner of the resource granted him access. In this case the services can do it on their own, or they can communicate with an external authorization server to check if Tom has been granted access to this specific service.

This process of ensuring that only authenticated identities gain access to resources for which the resource owner has granted them access is called authorization. We see that in all aspects of Azure platform management: if we can open a resource group in the Azure portal, that means we already have access to view that resource group, and if we can create or delete a resource group, or any service within that resource group, that means we have been granted access to do so. This verification process is called authorization, and all those things like controlling, verifying, tracking and managing access for authorized users and applications are called access management. And here comes Azure Active Directory: everything we did so far in the Azure portal, when we as users connected to Azure and managed our subscriptions and our resources such as VMs, databases and resource groups, went through Azure AD. So not only does Azure AD store our Azure accounts, it also grants permissions to access Azure resources and governs all the access to those specific resources.

It's also worth noting that Azure AD doesn't just work with the Azure platform. If you're using one of the live.com services like Skype, maybe Outlook or OneDrive, again your user account on live.com is also stored in Azure AD, and Azure AD also governs access to those services. If you are using your organization's resources like OneDrive for Enterprise, SharePoint, Power BI, Teams or any other Office 365 platform product, again you are going through Azure AD; it manages licensing for your users and groups and access to those services. And finally, you can even extend your own applications with Azure Active Directory authentication and authorization features, so Azure AD is a pretty powerful service.
Let me quickly show you how it works. As you've seen in the multiple demos I've done until now, there are many ways to access Azure Active Directory. The one I'll use now is the search bar at the top of the screen, or Azure AD from recent services. In this panel I will be able to manage everything related to Azure Active Directory and my Azure identities. One important thing is that to manage Azure Active Directory you need to have the Global Administrator role; only then can you manage all aspects of it. On the left side you have many panels that allow you to manage the most important things when it comes to identities, for example users and groups. As part of this demo let's create a new user identity: navigate to the Users panel on the left side, select New user to create a new user and start filling out the form. For the identity part, we need to fill in the username, which is our login.
I will create the user Tom Doe on my domain, but if you want you can also use a custom domain here. Then I need to provide a display name, Tom Doe; this is the name that will be displayed everywhere in the Azure portal, especially when we search for the specific user. Then provide the first and last name. If we scroll down, we need to generate the initial password. We can generate it automatically or write it ourselves, and once this is done we can select Create and our new user identity has been created. We can test that this identity works by logging into the Azure portal, which we'll do in just a second, but for now let's also navigate back, go to Groups and create a new group.
In this case, I will create a new security group and I will call this group developers, and I will assign a membership to this group, so I will add Tom as a member: let's find Tom, select his user and press Select. Tom has been added and the group has been created. Now that we have created Tom, created our group and assigned Tom to that group, we can grant them access, so let's go to our resource groups. Within the Resource groups panel I will navigate to two resource groups. One is called firewall az900; in this resource group I will navigate to Access control and add a role assignment.
I will grant an Owner privilege, which is full administrative access to this resource group, find the developers group, select it and press Save. I will also go to another resource group called routing az900 nva; again go to Access control, press Add, select Add role assignment and this time give the Reader role to Tom: select Tom and press Save. Everything has been added successfully, which means I can change the browser and log in as Tom. Here I can navigate to the Azure portal and log in as Tom. To get the full username of Tom, the easiest way is to go back to Azure Active Directory, go to Users, select Tom and copy his full username, paste it into the portal, press Next and now provide the password. Once you provide the password, you have to set a new password on first login; press Sign in and on the next screen select Skip, and you are signed in to the Azure portal. As we can see, we were able to sign in to the Azure portal without any problem; our new identity works. If we navigate to Resource groups, we should see the two resource groups that we granted access to just now.
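At this point Tom holds Owner on one resource group through the developers group and Reader on the other directly. The following is an added example, not code from the episode or from Azure, that models the authentication-then-authorization decision the way Azure RBAC evaluates it (principal or group membership, scope containment, wildcard action match). The tenant domain contoso.onmicrosoft.com, the password and the abbreviated scope strings are constructed; the two action names are the real Azure operation names for reading and powering off a VM.

```python
from fnmatch import fnmatchcase
import hmac
from typing import Optional

# Constructed directory for the demo: one user and one security group.
# A real directory stores password hashes, never the plaintext used here.
USERS = {
    "tom@contoso.onmicrosoft.com": {"password": "Initial-Pass-1!", "groups": {"developers"}},
}

# Built-in roles reduced to their action patterns: Owner allows everything,
# Reader allows every */read action. Wildcards match as in Azure RBAC.
ROLES = {"Owner": ["*"], "Reader": ["*/read"]}

# Role assignments made in the demo: (principal, role, scope). Scopes are
# abbreviated; Azure prefixes them with /subscriptions/<id>.
ASSIGNMENTS = [
    ("developers", "Owner", "/resourceGroups/firewall-az900"),
    ("tom@contoso.onmicrosoft.com", "Reader", "/resourceGroups/routing-az900-nva"),
]

STOP_VM = "Microsoft.Compute/virtualMachines/powerOff/action"
READ_VM = "Microsoft.Compute/virtualMachines/read"

def authenticate(upn: str, password: str) -> Optional[str]:
    """Authentication: prove the identity. Returns the verified principal or None."""
    user = USERS.get(upn)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    return upn

def principals_of(upn: str) -> set:
    """The user plus every group it belongs to; group assignments apply to members."""
    return {upn, *USERS[upn]["groups"]}

def is_authorized(upn: str, action: str, scope: str) -> bool:
    """Authorization: does any assignment to the user or one of its groups, at this
    scope or a parent scope, carry a role whose actions match the requested action?"""
    for principal, role, assigned_scope in ASSIGNMENTS:
        in_scope = scope == assigned_scope or scope.startswith(assigned_scope + "/")
        if principal in principals_of(upn) and in_scope:
            if any(fnmatchcase(action, pattern) for pattern in ROLES[role]):
                return True
    return False

if __name__ == "__main__":
    tom = authenticate("tom@contoso.onmicrosoft.com", "Initial-Pass-1!")
    for rg in ("firewall-az900", "routing-az900-nva"):
        vm = f"/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/vm01"
        print(f"Tom stops a VM in {rg}:", is_authorized(tom, STOP_VM, vm))
```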
The security propagation will take a moment, so we just need to give it a quick second, and all the resource groups are now visible. For this one Tom has Owner privileges, because he was added through a group that is an Owner; for this one Tom only has Reader privileges. So if Tom were to go to the nva routing resource group and try to stop one of the VMs, he couldn't do that as part of his Reader role, but if he went back to the firewall resource group, selected one of the servers there and hit Stop, he should be able to do it because he owns this resource group. This is as far as we'll go today, because we'll have a separate episode on role-based access control in Azure, but that's how easily you can manage access to your Azure platform and your Azure resources with Azure Active Directory.

To summarize, Azure Active Directory is our identity but also access management service in Azure. It allows us to manage our identities, for example users, groups and applications, but also manage access to our Azure resources, so everything like subscriptions, resource group role mappings and all authentication and authorization settings for our organization. It is also worth mentioning that Azure Active Directory is a centralized system for logging into any other Microsoft cloud platform such as Azure, Microsoft 365, Office 365 and Live.com services such as Skype, OneDrive etc. I also want to mention that if your organization uses Active Directory in your on-premises environment, you can use a sync service that will sync your on-premises identities to the cloud so you can use the same accounts for both environments, which is extremely important for hybrid cloud environments and organizations that are starting to migrate to the cloud.

One last topic I want to touch on is called multi-factor authentication. In the times we live in now, providing a username and password is simply not enough; servers will need more credentials, more authentication factors, from their users to prove their identity, for example by providing a code that was sent to their mobile phones.
This type of process is called multi-factor authentication. It is a process of presenting two or more factors of evidence, so to speak, to prove one's identity. So multi-factor authentication is an authentication process using more than one factor, more than one piece of evidence, to prove your identity, and there are many types of factors that you can use. For example the knowledge factor, so something you know, like a password or a PIN; you can use the possession factor, so something you have, like a phone, a card or a key; you can also use the physical characteristic factor, so something you are, like a fingerprint, a voice, a face or an iris.
Very often we see one of those three, or a combination of those three, using our mobile devices, but there are other types of factors, such as the location factor, so somewhere you are, for example a GPS location. There are many different types of factors, so multi-factor authentication simply means using more than one of those factor types, and of course all of that is supported by Azure AD; it is a simple on and off switch and you are protected. All the materials for this episode can be found in episode 25 on my website, and that's it when it comes to identity and access management in Azure. If you like this episode please give it a thumbs up, leave a comment and subscribe to see more. If you want to skip to the next episode just click on the side or follow the playlist and watch the next one.
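As an added example (not from the episode), here is what a two-factor check looks like in code: the knowledge factor is a password and the possession factor is a time-based code from an authenticator app (RFC 6238), used here instead of the SMS code mentioned above. The user record, salt and password are constructed; the OTP seed is the published RFC 6238 test-vector seed, so the generator can be checked against known values.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed credential store. Knowledge factor: a salted password hash.
# Possession factor: a seed shared only with the authenticator app on Tom's phone.
SALT = b"constructed-salt-not-for-production"
USERS = {
    "tom": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Initial-Pass-1!", SALT, 100_000),
        "otp_seed": b"12345678901234567890",  # the RFC 6238 test seed, used as sample data
    }
}

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password: HOTP (RFC 4226) over the time-step counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_knowledge(user: str, password: str) -> bool:
    """Something you know: the password, compared as salted hashes in constant time."""
    record = USERS.get(user)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(record["pw_hash"], candidate)

def check_possession(user: str, code: str, now: Optional[int] = None) -> bool:
    """Something you have: a code only the seeded device can produce right now.
    The previous 30-second window is also accepted to tolerate clock drift."""
    record = USERS.get(user)
    if record is None:
        return False
    now = int(time.time()) if now is None else now
    return any(hmac.compare_digest(totp(record["otp_seed"], t).encode(), code.encode())
               for t in (now, now - 30))

def authenticate_mfa(user: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """MFA: both factors, of two different types, must pass. Both are always
    evaluated so the response does not reveal which one failed."""
    knows = check_knowledge(user, password)
    has = check_possession(user, code, now)
    return knows and has
```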
