# Azure AD Identity Types

Azure AD supports several identity types to manage access to resources. These identities help control who and what can access various applications and services in a secure environment.

> #### **1. Users**
>
> * **Employees**:\
>   These are the primary users within an organization who are typically **internal employees**. They have accounts in **Azure AD** and can access company resources based on assigned roles and permissions.
> * **Users**:\
>   This refers to both employees and **non-employee users** (e.g., contractors, vendors) who need access to company resources. They can be managed and authenticated through **Azure AD**.
> * **Guests**:\
>   **Guest users** are external collaborators (e.g., partners, contractors, clients) who need limited access to an organization’s resources. They are typically invited into Azure AD via **Azure AD B2B** and have a separate set of permissions and access policies.

> #### **2. Service Principals**
>
> A **Service Principal** is a security identity used by an application or service to access resources. When an application or service needs access to resources in Azure AD, it uses a **Service Principal** to authenticate.
>
> * **Service Principal**: Used by applications and services to authenticate and to be authorized for access to resources. It authenticates over **OAuth 2.0** using a credential the application owns, a **client secret or certificate**.

> #### **3. Managed Identities**
>
> Managed Identities are special identities created by Azure AD so that applications and services can authenticate securely without storing, rotating, or otherwise managing credentials themselves.
>
> * **System Assigned Managed Identity**:\
>   This identity is **automatically created** when an Azure resource (like a Virtual Machine or App Service) is created. It’s tied to the lifecycle of the resource — when the resource is deleted, the identity is also deleted.
> * **User Assigned Managed Identity**:\
>   A **User Assigned Managed Identity** is created as a standalone Azure resource and can be assigned to multiple Azure resources. It remains independent of the lifecycle of any specific resource and can be reused across different services.
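To make the difference between the two previous sections concrete, the added example below (not code from the original notes) builds the token request a service principal sends to Azure AD against the one a managed identity sends to the Azure Instance Metadata Service (IMDS), and parses a constructed IMDS response. The tenant, client id, secret and token values are constructed placeholders.

```python
import json
from urllib.parse import parse_qs, urlencode

# Azure AD v2.0 token endpoint used by service principals (client-credentials grant).
AAD_TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# Azure Instance Metadata Service: link-local, reachable only from inside the Azure resource.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def service_principal_token_request(tenant_id, client_id, client_secret, scope):
    """Build the request a service principal sends. The secret travels in the body,
    so the application owner must store, protect and rotate it."""
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}
    return {"method": "POST", "url": AAD_TOKEN_ENDPOINT.format(tenant=tenant_id),
            "body": urlencode(body)}


def managed_identity_token_request(resource, user_assigned_client_id=None):
    """Build the request a managed identity sends to IMDS. No secret is sent: the
    platform vouches for the resource. A system-assigned identity is implicit;
    a user-assigned identity is selected by passing its client_id."""
    params = {"api-version": "2018-02-01", "resource": resource}
    if user_assigned_client_id:
        params["client_id"] = user_assigned_client_id
    # The Metadata header is mandatory; IMDS rejects requests that arrive via a redirect.
    return {"method": "GET", "url": f"{IMDS_TOKEN_URL}?{urlencode(params)}",
            "headers": {"Metadata": "true"}}


def carries_secret(request):
    """True if the outgoing request body contains a client secret the app had to keep."""
    return "client_secret" in parse_qs(request.get("body", ""))


def parse_imds_token(body, now):
    """Parse an IMDS token response and report whether it is still valid at `now` (epoch secs)."""
    data = json.loads(body)
    expires_on = int(data["expires_on"])
    return {"resource": data["resource"], "token_type": data["token_type"],
            "client_id": data.get("client_id"), "expires_on": expires_on,
            "valid": now < expires_on}


# Constructed sample IMDS response (placeholder token, not a real credential).
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1Qi.PLACEHOLDER.SIGNATURE",
    "expires_on": "1700003600", "resource": "https://management.azure.com/",
    "token_type": "Bearer", "client_id": "00000000-0000-0000-0000-000000000000"})

if __name__ == "__main__":
    sp = service_principal_token_request("contoso-tenant-id", "app-id", "placeholder-secret",
                                         "https://management.azure.com/.default")
    print("service principal request carries a secret:", carries_secret(sp))
    print("managed identity request carries a secret:",
          carries_secret(managed_identity_token_request("https://management.azure.com/")))
    print(parse_imds_token(SAMPLE_IMDS_RESPONSE, now=1700000000))
```

The point for the exam: both identities end up with an OAuth 2.0 bearer token, but only the service principal ever holds a credential that can be leaked or must be rotated.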

> #### **4. Devices in Azure AD**
>
> Azure AD also supports **device identities** to manage access and ensure only compliant devices are allowed to access organizational resources. Here are the main types of device identities in Azure AD:
>
> #### **4.1. Azure AD Registered Devices**
>
> * **Azure AD Registered Devices** are personal devices (such as smartphones or tablets) that are registered with Azure AD but are **not fully managed by the organization**.
> * These devices are primarily used by employees for accessing organizational resources.
> * They enable features like **Azure AD Authentication** and can enforce policies like **Conditional Access** for specific applications.
>
> ***
>
> #### **4.2. Azure AD Joined Devices**
>
> * **Azure AD Joined Devices** are **corporate-owned** devices (e.g., Windows PCs, mobile phones) that are **joined directly to Azure AD**.
> * These devices are fully managed and can be configured with policies through **Intune**.
> * They allow for centralized management, single sign-on (SSO), and enforcement of compliance policies for corporate environments.
> * Ideal for organizations **using cloud-only environments** without on-premises Active Directory.
>
> ***
>
> #### **4.3. Hybrid Azure AD Joined Devices**
>
> * **Hybrid Azure AD Joined Devices** are devices that are joined to both **on-premises Active Directory** and **Azure AD**.
> * These are typically **corporate-owned** devices that are part of a hybrid IT environment (combining on-premises and cloud resources).
> * They provide a seamless experience for users who need access to both on-premises resources (through Active Directory) and cloud resources (through Azure AD).
> * These devices benefit from features like **SSO**, **Conditional Access**, and can be managed using both **Active Directory** and **Azure AD**.
