Azure AD Identity Types
Azure AD supports several identity types to manage access to resources. These identities help control who and what can access various applications and services in a secure environment.
1. Users
Employees: These are the primary users within an organization who are typically internal employees. They have accounts in Azure AD and can access company resources based on assigned roles and permissions.
Users: This refers to both employees and non-employee users (e.g., contractors, vendors) who need access to company resources. They can be managed and authenticated through Azure AD.
Guests: Guest users are external collaborators (e.g., partners, contractors, clients) who need limited access to an organization’s resources. They are typically invited into Azure AD via Azure AD B2B and have a separate set of permissions and access policies.
2. Service Principals
A Service Principal is a security identity used by an application or service to access resources. When an application or service needs access to resources in Azure AD, it uses a Service Principal to authenticate.
Service Principal: Used for applications and services to authenticate and authorize access to resources. It typically authenticates over OAuth, presenting a client secret or a certificate as its credential.
3. Managed Identities
Managed Identities are special identities created by Azure AD to help applications and services authenticate securely without needing to manage credentials.
System Assigned Managed Identity: This identity is automatically created when an Azure resource (like a Virtual Machine or App Service) is created. It’s tied to the lifecycle of the resource — when the resource is deleted, the identity is also deleted.
User Assigned Managed Identity: A User Assigned Managed Identity is created as a standalone Azure resource and can be assigned to multiple Azure resources. It remains independent of the lifecycle of any specific resource and can be reused across different services.
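The following is an added example, not code from the original page, showing the practical difference between the two identity types above: a service principal has to send a stored credential to the login endpoint, while a managed identity (system or user assigned) asks the local Azure instance metadata endpoint and sends no credential at all. The tenant id, client ids, secret and token are constructed placeholders; the endpoint URLs, query parameters and response fields are the real Azure AD and IMDS ones, and nothing here contacts Azure.

```python
"""Added example (not part of the original page): how a service principal and
a managed identity each obtain an access token, and how to read the result.
Every id, secret and token below is constructed; nothing here contacts Azure.
"""
import base64
import json
from urllib.parse import urlencode

LOGIN_BASE = "https://login.microsoftonline.com"
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def service_principal_token_request(tenant_id, client_id, client_secret, scope):
    """OAuth 2.0 client credentials grant as used by a service principal.

    The credential (a client secret here; a certificate would instead be
    presented as a signed client_assertion) is sent in the POST body, so the
    caller has to store, protect and rotate it. Returns (url, headers, body).
    """
    url = f"{LOGIN_BASE}/{tenant_id}/oauth2/v2.0/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return url, headers, body


def managed_identity_token_request(resource, client_id=None):
    """Token request a VM or App Service makes to the local IMDS endpoint.

    No credential is sent: the Azure platform vouches for the resource. The
    'Metadata: true' header is mandatory, which keeps a plain redirect-based
    SSRF from reaching this endpoint. A user assigned identity is selected
    with client_id; a system assigned identity needs no selector because a
    resource has at most one. Returns (url, headers) for the GET.
    """
    params = {"api-version": "2018-02-01", "resource": resource}
    if client_id is not None:
        params["client_id"] = client_id
    return f"{IMDS_TOKEN_URL}?{urlencode(params)}", {"Metadata": "true"}


def token_expiry(response, now):
    """Absolute expiry (epoch seconds) of a token response.

    IMDS returns 'expires_on' as an absolute epoch string; the login endpoint
    returns only a relative 'expires_in'. A token cache must handle both.
    """
    if "expires_on" in response:
        return int(response["expires_on"])
    return now + int(response["expires_in"])


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(access_token):
    """Decode a JWT payload WITHOUT verifying the signature.

    Good enough to log which identity a token represents; a resource must
    still validate signature and audience before trusting any claim.
    """
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url_decode(payload))


def identity_kind(claims):
    """Heuristic: delegated (user) tokens carry 'scp'; app-only tokens carry
    'roles' or neither. The optional 'idtyp' claim is authoritative when the
    application has opted in to it."""
    if claims.get("idtyp") in ("user", "app"):
        return claims["idtyp"]
    return "user" if "scp" in claims else "app"


def make_sample_token(claims):
    # Constructed, unsigned JWT-shaped string for the example; not issued by
    # Azure AD and the signature segment is a dummy.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysig"


# Constructed app-only token such as a managed identity would receive.
SAMPLE_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "oid": "00000000-0000-0000-0000-00000000aaaa",   # object id of the identity
    "appid": "00000000-0000-0000-0000-00000000bbbb",  # placeholder app id
    "roles": ["User.Read.All"],
})
```

The two request builders make the security difference visible: the service principal path has a secret in the request body that must be stored somewhere, while the managed identity path has only a local, header-gated endpoint and an optional client_id to pick a user assigned identity. The decoder is for diagnostics only; it deliberately skips signature validation and must not be used to make an authorization decision.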
4. Devices in Azure AD
Azure AD also supports device identities to manage access and ensure only compliant devices are allowed to access organizational resources. Here are the main types of device identities in Azure AD:
4.1. Azure AD Registered Devices
Azure AD Registered Devices are personal devices (such as smartphones or tablets) that are registered with Azure AD but are not fully managed by the organization.
These devices are primarily used by employees for accessing organizational resources.
They enable features like Azure AD Authentication and can enforce policies like Conditional Access for specific applications.
4.2. Azure AD Joined Devices
Azure AD Joined Devices are corporate-owned devices (e.g., Windows PCs, mobile phones) that are joined directly to Azure AD.
These devices are fully managed and can be configured with policies through Intune.
They allow for centralized management, single sign-on (SSO), and enforcement of compliance policies for corporate environments.
Ideal for organizations using cloud-only environments without on-premises Active Directory.
4.3. Hybrid Azure AD Joined Devices
Hybrid Azure AD Joined Devices are devices that are joined to both on-premises Active Directory and Azure AD.
These are typically corporate-owned devices that are part of a hybrid IT environment (combining on-premises and cloud resources).
They provide a seamless experience for users who need access to both on-premises resources (through Active Directory) and cloud resources (through Azure AD).
These devices benefit from features like SSO, Conditional Access, and can be managed using both Active Directory and Azure AD.
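As an added example (not code from the original page), the block below classifies a device identity as Azure AD registered, Azure AD joined or hybrid Azure AD joined from the trustType property of a Microsoft Graph device object, and then applies a simplified version of the two device grant controls a Conditional Access policy can require (compliant device, hybrid joined device). The device records are constructed; trustType, isCompliant, isManaged and displayName are real Graph device properties, and the policy dictionary format is an assumption made for this example.

```python
"""Added example (not part of the original page): map Microsoft Graph device
objects to the three device identity types and apply a simplified
conditional access rule. Device records are constructed; the policy format
is an assumption for this example.
"""

# Graph 'trustType' value -> device identity type described in the text.
TRUST_TYPE_TO_IDENTITY = {
    "Workplace": "Azure AD registered",    # personal / BYOD device
    "AzureAd": "Azure AD joined",          # corporate, cloud-only
    "ServerAd": "Hybrid Azure AD joined",  # corporate, on-prem AD + Azure AD
}


def device_identity_type(device):
    """Return the identity type, or 'unregistered' when no device object exists."""
    if device is None:
        return "unregistered"
    return TRUST_TYPE_TO_IDENTITY.get(device.get("trustType"), "unknown")


def evaluate_device_access(device, policy):
    """Mirror the device grant controls of a Conditional Access policy.

    policy keys (assumed format): require_compliant, require_hybrid_join and
    require_all; with require_all False any one selected control suffices.
    Returns (allowed, reason). isCompliant is nullable in Graph, so a missing
    value counts as not compliant.
    """
    identity = device_identity_type(device)
    checks = []
    if policy.get("require_compliant"):
        checks.append(("compliant", bool(device and device.get("isCompliant"))))
    if policy.get("require_hybrid_join"):
        checks.append(("hybrid joined", identity == "Hybrid Azure AD joined"))
    if not checks:
        return True, f"{identity}: no device control configured"
    results = [ok for _, ok in checks]
    allowed = all(results) if policy.get("require_all") else any(results)
    detail = ", ".join(f"{name}={'ok' if ok else 'fail'}" for name, ok in checks)
    return allowed, f"{identity}: {detail}"


# Constructed device objects, one per identity type from the text.
SAMPLE_DEVICES = {
    "alice-phone": {"displayName": "alice-phone", "trustType": "Workplace",
                    "isCompliant": False, "isManaged": False},
    "corp-laptop-01": {"displayName": "corp-laptop-01", "trustType": "AzureAd",
                       "isCompliant": True, "isManaged": True},
    "hq-desktop-07": {"displayName": "hq-desktop-07", "trustType": "ServerAd",
                      "isCompliant": None, "isManaged": True},
}

# Either control satisfies the policy (common for hybrid environments).
POLICY = {"require_compliant": True, "require_hybrid_join": True, "require_all": False}


def access_report(devices=SAMPLE_DEVICES, policy=POLICY):
    """Device name -> allowed flag for every sample device."""
    return {name: evaluate_device_access(dev, policy)[0] for name, dev in devices.items()}


if __name__ == "__main__":
    for name, dev in SAMPLE_DEVICES.items():
        allowed, reason = evaluate_device_access(dev, POLICY)
        print(f"{name:15} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

With the sample policy the registered personal phone is denied because it is neither compliant nor hybrid joined, the cloud-only joined laptop passes on compliance, and the hybrid joined desktop passes on its join state even though it has no compliance verdict yet; switching require_all to True would deny that desktop, which is the stricter setting an organization picks once Intune compliance reporting covers hybrid devices too.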