Azure Active Directory (AAD) 101

Kalpani Ranasinghe
6 min read · Jul 10, 2021

Hello Everyone!

I’m currently getting ready for the AZ-900 examination, and recently I studied the Azure core identity services module in it. So I thought I would write an introductory article on it, because it might help someone who is getting ready for the examination like me, or someone who has an interest in learning the basics of Azure AD.

Authentication vs. Authorization

So before going deeper, we first have to understand the difference between the two keywords authentication and authorization. You may already know this, but I’ll quickly explain it anyway.

So, the process of someone proving who they are is called authentication.

For example, say I tell you I am Kalpani. Someone will ask me to prove it. How can I prove it? Probably I can show you an ID card issued by the government, my passport, or my driving license. That is authentication.

Then what is authorization?

Based on the identity that I have proved, the immediate next question is what I can and cannot do with that identity in a particular organization or system. In the context of Azure, which services I can access and which I cannot is called authorization.

Authentication vs Authorization — https://afteracademy.com/

Multi-factor authentication

When I log into a particular website, I provide my username and password. Now imagine the password somehow got leaked. Then somebody without authorized access, but who has my password, can reach the data and services in it.

So how can we mitigate this issue? That is when we need multi-factor authentication (MFA). In addition to the username and password, one also has to prove their identity in another form, probably an OTP which they receive on their mobile, or a phone call through the mobile network. Otherwise, they can have a mobile app installed, and on that app they have to confirm that they are the person who is logging in.

So Multi-Factor Authentication works by requiring two or more of the following authentication methods:

  • Something you know, typically a password.
  • Something you have, such as a trusted device that is not easily duplicated (e.g. a phone or a hardware key).
  • Something you are — biometrics like a fingerprint or face scan.
Multi-Factor Authentication steps — www.securid.com

Azure Active Directory (AAD)


Now, let’s see who is going to provide this authentication and authorization, and who is going to take care of these multi-factor authentication features. In Azure, we have Azure Active Directory for that. We call it the identity and access management service in Azure.

Authentication

Azure AD is the place where users and their profiles are created. Users or employees of an organization log in with their username and password, and of course, sometimes it may also require multi-factor authentication. Then, based on that proven identity, we grant access to the applications.

Single sign-on (SSO)

The same identity can be used across multiple applications, and that feature is called single sign-on. You log in one time, and with that one login you access all the resources.

Application management

As I mentioned before, multiple applications are going to be created and configured in Azure AD. These applications can be Business to Business (B2B) applications.

Here, we are building applications, and these applications can be used only by users within my organization or, in certain cases, by some users of another organization. I can invite users of another organization as guests into my AD. That means there is another AD tenant where the identity of the user actually exists, but in my AD that user exists as a guest.

Once the user is added to my AD, this guest user can be granted permissions like any other user within the same organization.

Also, I should be able to provide access to any user if they have some kind of login, like a Facebook login. If a user has a Facebook, Google, or Twitter account, they should be able to log in with that identity, and the respective service provider then provides the information about that user to my Azure AD. These kinds of services are referred to as B2C, Business to Consumer. So we can give anybody in the world who has a social media account access to the applications that are hosted in our Azure portal.

Device management

We can also provide device management with Azure AD by joining our mobile devices or laptops to the Azure tenant. Through the tenant, we can control the device. Say I lose my device; I can then lock my account, so nobody else can log in on that device and steal my data.

Because of all the features I mentioned above, Azure AD is one of the main and most powerful services that made Azure more popular.

Active Directory to Azure Active Directory

It is very easy for businesses to adopt Azure in their organization because almost every organization has an on-premise Active Directory. That means the users of the organization are already in the on-premise Active Directory. What Microsoft did was provide a facility to sync all the on-premise identities into Azure AD. If a user exists on-premise, the same username and password can also be added to Azure with a tool such as Azure AD Connect. This is the most popular way to connect your existing AD to Azure AD.

From this, all the employees of the organization can use the same username and password to log in and access their applications locally, as well as the applications which are in the cloud. This is also a form of single sign-on. Employee productivity improves because they don’t have to remember different usernames and passwords for their applications, whether in the cloud or on-premise.

Migrating to Azure AD — Mitch Tulloch

Conditional Access

MFA is not a free service. So we don’t want MFA to be enabled automatically for all applications and all users. We can enable MFA only for certain important applications; otherwise, a user should be able to log in with just a username and password. This feature is implemented with the help of Conditional Access.

Conditional Access is the tool used by Azure Active Directory to bring signals together to make decisions and enforce organizational policies.

You can apply Conditional Access to only a particular user or group, based on an IP network range or a location, to a specific device, or to a specific application. And your Azure AD can even do risk detection as well.

Conditional Access — Microsoft docs

So, as you can see in this picture, you can use different signals: the device you are logging in from, your location, your credentials, which application you are using, and real-time details like the browser you are using, and so on.

Every sign-in attempt is checked to decide whether it requires multi-factor authentication, whether that access should be blocked, or whether it should be allowed. So, if these conditions pass, you get access to your apps and the data itself.
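As an added illustration (not code from the article or from Microsoft), here is a toy Python evaluator that combines the signals described above into a Conditional Access style decision: block wins, otherwise the sign-in is allowed once the required controls (MFA, compliant device) are satisfied. The policy names, groups, app names and IP ranges are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SignIn:            # the signals Azure AD sees for one attempt (constructed)
    groups: set
    app: str
    ip: str
    device_compliant: bool
    risk: str            # "none", "medium" or "high"

@dataclass
class Policy:
    name: str
    groups: set          # policy applies to members of any of these groups
    apps: set            # target apps; "*" means every app
    control: str         # "mfa", "compliant_device" or "block"
    min_risk: str = "none"                            # applies at or above this risk
    trusted_nets: list = field(default_factory=list)  # CIDRs excluded from the policy

RISK = {"none": 0, "medium": 1, "high": 2}
def applies(p: Policy, s: SignIn) -> bool:
    """True when the policy's user, app, risk and location conditions all match."""
    if not (p.groups & s.groups) or not (p.apps & {s.app, "*"}):
        return False
    if RISK[s.risk] < RISK[p.min_risk]:
        return False
    addr = ipaddress.ip_address(s.ip)
    return not any(addr in ipaddress.ip_network(n) for n in p.trusted_nets)

def evaluate(policies, s: SignIn) -> dict:
    """Block wins over everything else; otherwise list the controls still owed."""
    matched = [p for p in policies if applies(p, s)]
    if any(p.control == "block" for p in matched):
        return {"decision": "block"}
    owed = set()
    for p in matched:
        if p.control == "mfa":
            owed.add("mfa")
        elif p.control == "compliant_device" and not s.device_compliant:
            owed.add("compliant_device")
    return {"decision": "allow", "require": sorted(owed)}

# Constructed policies: MFA for the payroll app unless on the office network,
# a compliant device for every app, and block any high-risk sign-in outright.
POLICIES = [
    Policy("mfa-payroll", {"finance"}, {"Payroll"}, "mfa", trusted_nets=["10.0.0.0/8"]),
    Policy("compliant-device", {"all-staff"}, {"*"}, "compliant_device"),
    Policy("block-high-risk", {"all-staff"}, {"*"}, "block", min_risk="high"),
]
```

Call `evaluate(POLICIES, SignIn(...))` with a set of signals to see which controls a given attempt would owe.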

Yes! Now you have a basic understanding of how Azure AD and its core services work. I hope this helps you. 😃

Stay Safe! Happy Learning!


Kalpani Ranasinghe

Backend Developer | Graduate Student at University of Oulu