Introduction
The two most basic IAM processes required to secure access to digital assets are the following:
- Identify who is trying to access resources (authentication).
- Verify that the identified user is actually authorized to reach the resource they are attempting to access (authorization).
On a fundamental level, IAM encompasses the following components:
- how individuals are identified in a system (understand the difference between identity management and authentication);
- how roles are identified in a system and how they are assigned to individuals;
- adding, removing, and updating individuals and their roles in a system;
- assigning levels of access to individuals or groups of individuals; and
- protecting the sensitive data within the system and securing the system itself.
What is Azure Active Directory?
It is a cloud-based suite of identity management capabilities that enables you to securely manage access to Azure services and resources for your users. It provides application management, authentication, device management, and hybrid identity.
Azure AD Concepts
| Concept | Description |
| --- | --- |
| Identity | An object that can be authenticated |
| Account | An identity that has data associated with it |
| Azure AD account | An identity created through Azure AD or another Microsoft cloud service |
| Azure AD tenant/directory | A dedicated and trusted instance of Azure AD. A tenant is automatically created when your organization signs up for a Microsoft cloud service subscription; additional instances of Azure AD can be created. Azure AD is the underlying product providing the identity service; the term tenant means a single instance of Azure AD representing a single organization. The terms tenant and directory are often used interchangeably |
| Azure subscription | Used to pay for Azure cloud services |
Azure Active Directory Editions
| Feature | Free | Microsoft 365 Apps | Premium P1 | Premium P2 |
| --- | --- | --- | --- | --- |
| Directory Objects | 500,000 objects | No object limit | No object limit | No object limit |
| Single Sign-On | Unlimited | Unlimited | Unlimited | Unlimited |
| Core Identity and Access | X | X | X | X |
| B2B Collaboration | X | X | X | X |
| Identity & Access for O365 | | X | X | X |
| Premium Features | | | X | X |
| Hybrid Identities | | | X | X |
| Advanced Group Access | | | X | X |
| Conditional Access | | | X | X |
| Privileged Identity Management (PIM) | | | | X |
| Identity Protection | | | | X |
| Identity Governance | | | | X |
Self-Service Password Reset
- Determine who can use self-service password reset
- Choose the number of authentication methods required and the methods available (email, phone, questions)
- You can require users to register for SSPR (same process as MFA)
User Accounts
All users must have an account. The account is used for authentication and authorization. Identity sources are Cloud, Directory-synchronized, and Guest.
Managing User Accounts
One must be a Global Administrator or User Administrator to manage users. User profile information (picture, job, contact info) is optional. Deleted users can be restored for 30 days. Sign-in and audit log information is available.
Bulk User Accounts
Create a comma-separated values (CSV) file listing all the users and their properties, then loop through the file, processing each user. Consider error handling, duplicate users, initial password settings, empty properties, and whether the account should be enabled on creation.
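As an added example (not code from the page or from Microsoft), the following Python dry run of that loop parses a constructed CSV, rejects rows with missing required fields or duplicate UPNs, defaults a blank accountEnabled value to disabled, and builds Microsoft Graph user-creation bodies with a random per-user initial password that must be changed at first sign-in. The contoso.example addresses are constructed, and the actual Graph POST is deliberately left out.

```python
import csv
import io
import secrets
import string

# Constructed sample CSV (not from the page): a valid user, a blank accountEnabled,
# a duplicate UPN, a row missing its UPN, and an explicitly disabled account.
SAMPLE_CSV = """userPrincipalName,displayName,mailNickname,accountEnabled
alice@contoso.example,Alice Example,alice,true
bob@contoso.example,Bob Example,bob,
alice@contoso.example,Alice Duplicate,alice2,true
,Missing Upn,nobody,true
carol@contoso.example,Carol Example,carol,false
"""

REQUIRED = ("userPrincipalName", "displayName", "mailNickname")


def initial_password(length: int = 16) -> str:
    """Random per-user initial password; never reuse one value for the whole batch."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_user_payloads(csv_text: str):
    """Return (payloads, errors); payloads follow the Graph user-creation body shape."""
    payloads, errors, seen = [], [], set()
    # start=2: line 1 of the file is the header row
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        row = {k: (v or "").strip() for k, v in row.items()}
        missing = [f for f in REQUIRED if not row.get(f)]
        if missing:
            errors.append(f"line {lineno}: missing {', '.join(missing)}")
            continue
        upn = row["userPrincipalName"].lower()
        if upn in seen:
            errors.append(f"line {lineno}: duplicate userPrincipalName {upn}")
            continue
        seen.add(upn)
        # Assumption of this example: an empty accountEnabled means disabled, so a
        # new account is not usable until someone explicitly enables it.
        enabled = row.get("accountEnabled", "").lower() == "true"
        payloads.append({
            "accountEnabled": enabled,
            "displayName": row["displayName"],
            "mailNickname": row["mailNickname"],
            "userPrincipalName": upn,
            "passwordProfile": {
                "forceChangePasswordNextSignIn": True,
                "password": initial_password(),
            },
        })
    return payloads, errors
```

Review the errors list before sending anything to Graph, so a malformed or duplicated row is fixed in the CSV rather than silently skipped.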
Group Accounts
Group Types
- Security groups
- Microsoft 365 groups
Assignment Types
- Assigned
- Dynamic User
- Dynamic Device (Security groups only)
Create or update a dynamic group in Azure Active Directory
In Azure Active Directory (Azure AD), you can also use rules to determine group membership based on user or device properties.
Who can access the data?
Roles:
- Security Administrator
- Security Reader
- Report Reader
- Global Reader
- Global Administrator