Azure Identity & Access Management (Azure AD)
Last updated
Azure Identity and Access Management (IAM) is the framework used to manage users, their identities, and their permissions within the Azure ecosystem. It covers controlling who can access resources and what actions they can perform, and ensuring that only authorized users or services can interact with Azure resources.
Authentication is the process of verifying the identity of a user, device, or service to ensure they are who they claim to be. In Azure, Azure Active Directory (Azure AD) is typically used to handle authentication.
To strengthen security, Azure supports Multi-Factor Authentication (MFA), which requires users to provide multiple forms of evidence to verify their identity. MFA relies on combining different kinds of factors, described below.
Multi-Factor Authentication (MFA)
MFA enhances security by requiring users to provide more than one verification factor. MFA typically involves the following factors:
Knowledge Factor (Something You Know)
This is a piece of information only the user knows, such as a password or a PIN. It's the most common form of authentication, but on its own it is the easiest factor to compromise.
Possession Factor (Something You Have)
This refers to a physical object that only the user possesses, such as a smartphone, a security token, or a smartcard. For example, a code sent to your phone via text message or generated by an authenticator app like Microsoft Authenticator is a possession factor.
Physical Characteristic (Something You Are)
This is a biometric factor, which includes things such as fingerprints, facial recognition, or retina scans. This form of authentication is typically used for higher levels of security as biometrics are unique to the individual.
Location (Somewhere You Are)
This factor uses the user's geographical location, usually determined from the IP address or GPS data, to authenticate the user. If a user attempts to log in from an unusual or unknown location, additional authentication may be required.
Authorization is the process of determining whether an authenticated user has permission to access a resource or perform a specific action. Once a user has successfully authenticated, authorization ensures that they can only perform actions within their allowed scope.
Azure provides multiple ways to manage authorization based on users, groups, and resource groups.
Authorization Based on User
In Azure, user-based authorization grants access to resources based on the roles assigned to individual users. These roles define what actions a user can perform on Azure resources.
Azure AD manages user roles and permissions.
Azure uses Role-Based Access Control (RBAC) to assign specific roles to users. Common roles include:
Owner: Can manage all resources, including access.
Contributor: Can manage resources but cannot grant access to others.
Reader: Can only view resources.
Each user is assigned one or more roles that determine what they can do within Azure.
Authorization Based on Groups
Azure allows you to manage authorization at the group level. This is especially useful for organizations with many users who share similar access needs.
Azure AD Groups: Groups are collections of users, and access can be assigned to the group rather than individual users. This simplifies management and ensures consistency in permissions.
When a group is assigned a role (e.g., Contributor or Reader), all users within that group inherit the same level of access to resources.
Dynamic Groups: In Azure, dynamic groups can be automatically populated based on certain attributes (like department or job title). This can simplify user management, especially when dealing with large organizations.
Authorization Based on Resource Groups
A Resource Group in Azure is a container that holds related resources for an Azure solution. Azure provides the ability to assign access and permissions at the Resource Group level, allowing administrators to control access to all resources within a group.
Role-Based Access Control (RBAC) on Resource Groups: Roles can be assigned to users or groups at the resource group level, giving them access to all resources within that group.
For example, if a user is assigned the Contributor role at the resource group level, they can manage all resources within the group, including virtual machines, storage accounts, and databases.
This approach helps simplify access management by allowing permissions to be granted based on the context of the entire resource group, instead of individual resources within it.
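The user-, group- and resource-group-based authorization described above can be seen working together in a small model of RBAC evaluation. The following is an added, simplified educational example and not Azure's own authorization engine: role definitions (Actions/NotActions) are abbreviated, the directory data is constructed, and deny assignments are not modelled. It shows a role assigned to a group at resource group scope being inherited by every resource inside that group, and Contributor being unable to grant access.

```python
"""Simplified model of Azure RBAC evaluation (educational, not Azure's engine).
Roles are assigned to a user or group at a scope; the assignment applies to
every resource whose ID sits under that scope. RBAC is additive: one matching
assignment that permits the action is enough."""
from fnmatch import fnmatchcase

# Built-in role shapes as the page describes them. Actions/NotActions are
# abbreviated; real Contributor has more NotActions than listed here.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

# Constructed directory data: group memberships and (principal, role, scope).
GROUP_MEMBERS = {"grp-devs": {"alice", "bob"}, "grp-auditors": {"carol"}}
RG_APP = "/subscriptions/sub1/resourceGroups/rg-app"
VM1 = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm1"
ASSIGNMENTS = [
    ("grp-devs", "Contributor", RG_APP),        # group at resource group scope
    ("grp-auditors", "Reader", "/subscriptions/sub1"),  # group at subscription
    ("dave", "Owner", VM1),                     # user at a single resource
]

def principals_for(user):
    """The user itself plus every group the user is a member of."""
    return {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}

def _scope_encloses(scope, resource_id):
    """Resource IDs are case-insensitive; a scope encloses itself and children."""
    s, r = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")

def _matches(action, patterns):
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(user, action, resource_id):
    """True if some assignment for the user (directly or via a group) at an
    enclosing scope grants `action` and the role's NotActions do not exclude it."""
    for principal, role, scope in ASSIGNMENTS:
        if principal not in principals_for(user):
            continue
        if not _scope_encloses(scope, resource_id):
            continue
        defn = ROLES[role]
        if _matches(action, defn["actions"]) and not _matches(action, defn["not_actions"]):
            return True
    return False
```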