Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service,
which helps employees sign in and access resources in:
External resources, such as Microsoft Office 365, the Azure Portal and thousands of other SaaS
applications.
Internal resources such as apps on your corporate network and intranet along with any cloud
apps developed by your own organization.
To enhance your Azure AD implementation, you can also add paid capabilities by upgrading to Azure
Active Directory Premium P1 or Premium P2 licenses. Azure AD paid licenses are built on top of your
existing free directory, providing self-service, enhanced monitoring, security reporting and secure
access for your mobile users.
Premium P2: Azure Active Directory Premium P2 includes every feature of all other Azure
Active Directory editions, enhanced with advanced identity protection and privileged identity
management capabilities. Price details below:
Application Management
Authentication
Business-to-Business (B2B)
Business-to-Customer (B2C)
Conditional Access
Azure Active Directory for Developers
Device Management
Domain Services
Enterprise Users
Hybrid Identity
Identity Governance
Identity Protection
Managed identities for Azure resources
Privileged identity management (PIM)
Reports and monitoring
There are four main types of applications that you can add to your Enterprise applications and manage
with Azure AD:
Azure AD Gallery applications – Azure AD has a gallery that contains thousands of applications
that have been pre-integrated for single sign-on with Azure AD. Some of the applications your
organization uses are probably in the gallery. Learn about planning your app integration, or get
detailed integration steps for individual apps in the SaaS application tutorials.
On-premises applications with Application Proxy – With Azure AD Application Proxy, you can
integrate your on-premises web apps with Azure AD to support single sign-on. Then end users
can access your on-premises web apps in the same way they access Office 365 and other SaaS
apps. Learn why to use Application Proxy and how it works.
Custom-developed applications – When building your own line-of-business applications, you
can integrate them with Azure AD to support single sign-on. By registering your application
with Azure AD, you have control over the authentication policy for the application. For more
information, see guidance for developers.
Non-Gallery applications – Bring your own applications! Support single sign-on for other apps
by adding them to Azure AD. You can integrate any web link you want, or any application that
renders a username and password field, supports SAML or OpenID Connect protocols, or
supports SCIM. For more information, see Configure single sign-on for non-gallery apps.
10. What is Authentication in Azure AD?
Authentication is the act of challenging a party for legitimate credentials, providing the basis for
creation of a security principal to be used for identity and access control. In simpler terms, it's the
process of proving you are who you say you are. Authentication is sometimes shortened to AuthN.
Azure Active Directory B2C (Azure AD B2C) is a customer identity access management (CIAM) solution
capable of supporting millions of users and billions of authentications per day. It takes care of the
scaling and safety of the authentication platform, monitoring and automatically handling threats like
denial-of-service, password spray, or brute force attacks.
Azure AD B2C is a white-label authentication solution. You can customize the entire user experience
with your brand so that it blends seamlessly with your web and mobile applications.
Customize every page displayed by Azure AD B2C when your users sign up, sign in, and modify their
profile information. Customize the HTML, CSS, and JavaScript in your user journeys so that the Azure
AD B2C experience looks and feels like it's a native part of your application.
By serving as the central authentication authority for your web applications, mobile apps, and APIs,
Azure AD B2C enables you to build a single sign-on (SSO) solution for them all. Centralize the collection
of user profile and preference information, and capture detailed analytics about sign-in behaviour and
sign-up conversion.
Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource,
then they must complete an action. Example: A payroll manager wants to access the payroll application
and is required to perform multi-factor authentication to access it.
By using Conditional Access policies, you can apply the right access controls when needed to keep your
organization secure and stay out of your user’s way when not needed.
Conditional Access policies are enforced after the first-factor authentication has been completed.
Conditional Access is not intended as an organization's first line of defence for scenarios like denial-of-
service (DoS) attacks, but can use signals from these events to determine access.
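The payroll-manager example above, as an added illustration that is not part of the original document or Microsoft's own code: the policy written out in the field names of the Microsoft Graph conditionalAccessPolicy resource, followed by a small evaluator that models the if-then semantics, including the rule that a policy is only consulted after first-factor authentication has succeeded. The group and application object IDs are constructed placeholders, and the evaluator is a simplified model, not the service's real engine.

```python
# Added example, not from the page or from Microsoft: the payroll-manager policy
# in the Graph conditionalAccessPolicy schema plus a model of its evaluation.

# Constructed placeholder object IDs, not real tenant values.
PAYROLL_MANAGERS_GROUP = "00000000-0000-0000-0000-00000000aaaa"
PAYROLL_APP_ID = "00000000-0000-0000-0000-00000000bbbb"

# Body you would POST to /identity/conditionalAccess/policies in Microsoft Graph.
PAYROLL_MFA_POLICY = {
    "displayName": "Require MFA for payroll application",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": [PAYROLL_MANAGERS_GROUP], "excludeUsers": []},
        "applications": {"includeApplications": [PAYROLL_APP_ID]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

def required_controls(policy, signin):
    """Return the grant controls a sign-in must satisfy, or [] if the policy is
    out of scope. signin: {"first_factor_ok", "user_id", "groups", "app_id"}.
    Conditional Access runs only after the first factor succeeds."""
    if not signin["first_factor_ok"]:
        raise PermissionError("first factor failed; policy not evaluated")
    if policy["state"] != "enabled":
        return []
    users = policy["conditions"]["users"]
    if signin["user_id"] in users.get("excludeUsers", []):
        return []
    in_scope = (
        "All" in users.get("includeUsers", [])
        or signin["user_id"] in users.get("includeUsers", [])
        or any(g in users.get("includeGroups", []) for g in signin["groups"])
    )
    apps = policy["conditions"]["applications"]["includeApplications"]
    if not in_scope or not ("All" in apps or signin["app_id"] in apps):
        return []
    return list(policy["grantControls"]["builtInControls"])

def access_decision(policy, signin, satisfied_controls):
    """The 'then' part: allow only when the required controls were presented."""
    needed = required_controls(policy, signin)
    if not needed:
        return "allow"
    met = [c for c in needed if c in satisfied_controls]
    all_needed = policy["grantControls"]["operator"] == "AND"
    ok = len(met) == len(needed) if all_needed else bool(met)
    return "allow" if ok else "require:" + ",".join(needed)
```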
To protect these assets, IT staff need to first manage the device identities. IT staff can build on the
device identity with tools like Microsoft Intune to ensure standards for security and compliance are
met. Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and services from
anywhere through these devices.
Your users get access to your organization's assets they need.
Your IT staff get the controls they need to secure your organization.
Device identity management is the foundation for device-based conditional access. With device-based
conditional access policies, you can ensure that access to resources in your environment is only
possible with managed devices.
17. What is Domain Service in Azure AD?
Azure Active Directory (AAD) Domain Services allows organizations to “lift-and-shift” apps that use on-
premises AD for authentication to the cloud, extending the capabilities of AAD to provide many of the
features of on-premises Windows Server Active Directory (AD) without the effort of installing
domain controllers (DCs) or setting up ExpressRoute or a VPN to connect on-premises DCs to Azure.
Domain Services extends AAD to support Kerberos, NTLM, Group Policy, domain join, LDAP bind and
read, Secure LDAP, custom domain names, DNS management, and custom Organizational Units (OUs).
In addition to these features, it provides high availability, account lockout protection, and management
using familiar tools.
In the first part of this two-part series, I’ll show you how to set up Domain Services in Azure and
configure DNS. In the second part, I’ll discuss password hash synchronization requirements and how to
perform a domain join operation.
Identity Governance gives organizations the ability to do the following tasks across employees, business
partners and vendors, and services and applications:
Govern the identity lifecycle
Govern access lifecycle
Secure administration
Microsoft has secured cloud-based identities for more than a decade. With Azure Active Directory
Identity Protection, in your environment, you can use the same protection systems Microsoft uses to
secure identities.
The vast majority of security breaches take place when attackers gain access to an environment by
stealing a user’s identity. Over the years, attackers have become increasingly effective in leveraging
third-party breaches and using sophisticated phishing attacks. As soon as an attacker gains access to
even low privileged user accounts, it is relatively easy for them to gain access to important company
resources through lateral movement.
The managed identities for Azure resources feature in Azure Active Directory (Azure AD) solves this
problem. The feature provides Azure services with an automatically managed identity in Azure AD. You
can use the identity to authenticate to any service that supports Azure AD authentication, including
Key Vault, without any credentials in your code.
The managed identities for Azure resources feature is free with Azure AD for Azure subscriptions.
There's no additional cost.
Client ID - a unique identifier generated by Azure AD that is tied to an application and service
principal during its initial provisioning.
Principal ID - the object ID of the service principal object for your managed identity that is used
to grant role-based access to an Azure resource.
Azure Instance Metadata Service (IMDS) - a REST endpoint accessible to all IaaS VMs created
via the Azure Resource Manager. The endpoint is available at a well-known non-routable IP
address (169.254.169.254) that can be accessed only from within the VM.
24. How do managed identities for Azure resources work?
There are two types of managed identities:
A system-assigned managed identity is enabled directly on an Azure service instance. When
the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that's
trusted by the subscription of the instance. After the identity is created, the credentials are
provisioned onto the instance. The lifecycle of a system-assigned identity is directly tied to the
Azure service instance that it's enabled on. If the instance is deleted, Azure automatically
cleans up the credentials and the identity in Azure AD.
A user-assigned managed identity is created as a standalone Azure resource. Through a create
process, Azure creates an identity in the Azure AD tenant that's trusted by the subscription in
use. After the identity is created, the identity can be assigned to one or more Azure service
instances. The lifecycle of a user-assigned identity is managed separately from the lifecycle of
the Azure service instances to which it's assigned.
Internally, managed identities are service principals of a special type, which are locked to only
be used with Azure resources. When the managed identity is deleted, the corresponding
service principal is automatically removed.
Your code can use a managed identity to request access tokens for services that support Azure AD
authentication. Azure takes care of rolling the credentials that are used by the service instance.
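How code on a VM actually obtains one of these tokens, as an added example that is not part of the original document or of any Microsoft SDK: it uses the IMDS endpoint and the non-routable address 169.254.169.254 named above, with only the Python standard library. The mandatory `Metadata: true` header and the `resource`, `api-version` and `client_id` query parameters are the documented IMDS interface; the function names and the token-response checks are this example's own, and the live call in the last function only works from inside an Azure VM.

```python
# Added example (not from the page): request a managed-identity token from the
# Azure Instance Metadata Service and sanity-check the response before use.
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

def build_token_request(resource, client_id=None):
    """URL and headers for an IMDS token request. `resource` is the audience
    (Key Vault: https://vault.azure.net). client_id selects a user-assigned
    identity; omit it for the system-assigned identity. IMDS rejects requests
    without the Metadata: true header, its mitigation against SSRF requests
    that cannot set custom headers."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    return url, {"Metadata": "true"}

def validate_token_response(body, expected_resource, now=None):
    """Parse the IMDS JSON and refuse tokens for the wrong audience or already
    expired. Returns (access_token, seconds_until_expiry)."""
    data = json.loads(body)
    for field in ("access_token", "expires_on", "resource", "token_type"):
        if field not in data:
            raise ValueError("IMDS response missing " + field)
    if data["token_type"] != "Bearer":
        raise ValueError("unexpected token_type " + data["token_type"])
    if data["resource"].rstrip("/") != expected_resource.rstrip("/"):
        raise ValueError("token for %s, expected %s" % (data["resource"], expected_resource))
    remaining = int(data["expires_on"]) - int(now if now is not None else time.time())
    if remaining <= 0:
        raise ValueError("token already expired")
    return data["access_token"], remaining

def get_managed_identity_token(resource, client_id=None, timeout=5):
    """Live call: only answers inside an Azure VM where IMDS is reachable."""
    url, headers = build_token_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return validate_token_response(resp.read().decode(), resource)
```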
25. What is Privileged identity management (PIM)?
Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you
to manage, control, and monitor access to important resources in your organization. This includes
access to resources in Azure AD, Azure resources, and other Microsoft Online Services like Office 365 or
Microsoft Intune.
Each recommendation is measured based on your Azure AD configuration. If you are using third-party
products to enable a best practice recommendation, you can indicate this configuration in the settings
of an improvement action. You also have the option to set recommendations to be ignored if they
don't apply to your environment. An ignored recommendation does not contribute to the calculation of
your score.