- Welcome to Azure Essentials. An important part of cloud security is configuring who can access and manage your cloud resources. Identity and access for Microsoft Azure is one of the most pivotal things to learn as an Azure user. In the next few minutes, I'll walk you through the essential things that you need to know in this area.
Now at the heart of identity and access management for Azure is Azure Active Directory. This is the identity system for Azure. Every Azure subscription trusts an Azure AD tenant for sign-in, and multiple subscriptions can trust a single Azure AD tenant. In the Azure portal you can view and manage the users and groups in the directory that can be granted access to Azure resources. You can also view sign-in activity and other audit logs. Azure AD can be managed from the portal, PowerShell, the Azure CLI, and programmatically using the Microsoft Graph API. It's important to note that Azure AD is the identity system for all Microsoft business cloud services, such as Office 365, Dynamics 365 and Microsoft Intune. If your organization already has Azure Active Directory, you can use that to sign in to Azure. And if you create an Azure subscription using your personal Microsoft account, then a new Azure AD tenant is created for you, and your subscription trusts that tenant.
Now an important tip here is, if you've already got an Azure AD work account that you use with Office 365 or other Microsoft services, you can transfer your subscription from your personal account to your work account, which will also move it to your work Azure AD tenant. You can find out more on how to do this, including how to create a subscription using your Azure AD work account, at the link shown. Now, if you've got an on-premises Active Directory, it's easy to connect it with Azure Active Directory to create a hybrid directory with a single point of management. Using the Azure AD Connect tool, you can synchronize users between AD and Azure AD, so that they can be managed in one place. You can choose from a variety of options for reduced sign-on or single sign-on, including password hash sync, pass-through authentication and standards-based federation using a federation server such as Active Directory Federation Services. Connecting your Active Directory to Azure AD can reduce management effort and make it easier to comply with policy.
Now, controlling access to Azure resources is achieved by using Role-Based Access Control, or RBAC. With Azure RBAC you can grant users the ability to perform specific actions on a specific set of resources. Azure comes with three main built-in roles: Owner, Contributor and Reader. The Owner role can perform all actions on all resource types. The Contributor role is similar to the Owner role, except it doesn't allow for managing RBAC itself. And finally, the Reader role can perform all read actions on all resource types. Azure also provides a set of resource-specific built-in roles for more granular control. For example, the VM Contributor role can perform all actions on VMs but can't perform actions on any other resource type, such as networking. This makes it possible to separate the people who can manage network resources from the people who can manage VM resources. Using Azure RBAC you can also create custom roles that align exactly to your team's responsibilities. Custom roles can be created using the command line or the Azure Resource Manager API.
You can grant access to resources by assigning a user, group or service principal, such as a process or an application, to a specific role at a specific scope. The scope can be at the level of the subscription, a resource group or an individual resource such as a VM. When a role assignment is made on a subscription or resource group, the assignment is inherited by the resources within that scope. Let me give you an example: if you've been assigned the Owner role at the subscription scope, then you have full access to all the resource groups and resources within that subscription. If you've been assigned the Owner role at the resource group scope, then you have full access to all resources within that specific resource group. Again, you can manage role assignments using the portal, command line tools and the Azure Resource Manager API.
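To make the role and scope rules above concrete, here is an added example (not code from the video) that models how Azure RBAC decides whether a principal may perform an action at a scope. It goes slightly beyond the video by using the documented Actions/NotActions shape of Azure role definitions: Owner, Contributor and Reader are modelled as documented (with the Contributor NotActions list abbreviated to the authorization entries that matter here), and "Virtual Machine Contributor" is reduced to its core Microsoft.Compute/virtualMachines/* pattern. Principal names, the subscription id and the resource group and resource names are constructed sample values.

```python
"""Added example, not code from the Azure Essentials video: a small model of
how Azure RBAC evaluates an action against role assignments at different scopes.
Assumptions: simplified built-in role definitions (see lead-in) and
constructed principal/subscription/resource names."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple
    not_actions: tuple = ()

    def permits(self, action: str) -> bool:
        # Allowed when an Actions pattern matches and no NotActions pattern
        # matches. Azure action names are case-insensitive, so compare lowercase.
        a = action.lower()
        allowed = any(fnmatchcase(a, p.lower()) for p in self.actions)
        denied = any(fnmatchcase(a, p.lower()) for p in self.not_actions)
        return allowed and not denied


ROLES = {r.name: r for r in (
    RoleDefinition("Owner", actions=("*",)),
    # Contributor: everything except managing RBAC itself (abbreviated NotActions)
    RoleDefinition("Contributor", actions=("*",), not_actions=(
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    )),
    RoleDefinition("Reader", actions=("*/read",)),
    # Reduced for this example: real VM Contributor also lists storage/network join actions
    RoleDefinition("Virtual Machine Contributor",
                   actions=("Microsoft.Compute/virtualMachines/*",)),
)}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str  # ARM resource id of the subscription, resource group or resource


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies to its own scope and everything beneath it (inheritance)."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def granting_assignment(principal, action, target_scope, assignments, roles=ROLES):
    """Return the first assignment that grants `action` at `target_scope`, or None.
    Role assignments are additive; this model leaves out deny assignments."""
    for asg in assignments:
        if asg.principal != principal:
            continue
        if not scope_covers(asg.scope, target_scope):
            continue
        if roles[asg.role].permits(action):
            return asg
    return None


def is_allowed(principal, action, target_scope, assignments, roles=ROLES):
    return granting_assignment(principal, action, target_scope, assignments, roles) is not None


# Constructed sample environment (placeholder subscription id and names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_WEB = f"{SUB}/resourceGroups/rg-web"
RG_DATA = f"{SUB}/resourceGroups/rg-data"
VM_WEB = f"{RG_WEB}/providers/Microsoft.Compute/virtualMachines/vm-web-01"
VM_DATA = f"{RG_DATA}/providers/Microsoft.Compute/virtualMachines/vm-data-01"
NIC_WEB = f"{RG_WEB}/providers/Microsoft.Network/networkInterfaces/vm-web-01-nic"

ASSIGNMENTS = (
    RoleAssignment("alice", "Owner", SUB),                          # inherited by every resource
    RoleAssignment("bob", "Reader", SUB),
    RoleAssignment("carol", "Virtual Machine Contributor", RG_WEB),  # VMs in rg-web only
    RoleAssignment("dave", "Contributor", RG_WEB),                   # no RBAC management
)

if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Authorization/roleAssignments/write", VM_WEB),
        ("dave", "Microsoft.Authorization/roleAssignments/write", RG_WEB),
        ("dave", "Microsoft.Compute/virtualMachines/start/action", VM_WEB),
        ("carol", "Microsoft.Network/networkInterfaces/write", NIC_WEB),
        ("carol", "Microsoft.Compute/virtualMachines/start/action", VM_DATA),
        ("bob", "Microsoft.Compute/virtualMachines/read", VM_WEB),
        ("bob", "Microsoft.Compute/virtualMachines/start/action", VM_WEB),
    ]
    for principal, action, scope in checks:
        asg = granting_assignment(principal, action, scope, ASSIGNMENTS)
        verdict = f"allowed via {asg.role} at {asg.scope}" if asg else "denied"
        print(f"{principal:6} {action:52} -> {verdict}")
```

The two details worth noticing are that Alice's subscription-scope Owner assignment grants her RBAC writes on a single VM without any assignment on that VM (inheritance), and that Dave's Contributor assignment lets him start VMs but not write role assignments, which is exactly the Owner/Contributor distinction the video describes.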
In addition to controlling access, you can track actions happening in the system with the activity log, which will show you subscription-level events, including the RBAC changes.
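As an added example of using the activity log for that purpose (not code from the video), the block below reduces a set of activity log records to successful RBAC changes and flags the ones made at subscription scope, which is where an auditor looks first. The records are constructed samples in the shape of `az monitor activity-log list` output (operationName.value, status.value, caller, eventTimestamp, resourceId); the subscription id, GUIDs, names and e-mail addresses are placeholders.

```python
"""Added example, not code from the Azure Essentials video: extracting RBAC
changes from Azure Activity Log records. Sample records below are constructed;
subscription id, GUIDs and identities are placeholders."""

# operationName values Azure records for role assignment / definition changes
RBAC_OPERATION_PREFIXES = (
    "microsoft.authorization/roleassignments/",
    "microsoft.authorization/roledefinitions/",
)

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
AUTHZ = "/providers/Microsoft.Authorization/roleAssignments/"

# Constructed sample activity log (shape of `az monitor activity-log list` output).
SAMPLE_ACTIVITY_LOG = [
    {"eventTimestamp": "2023-05-01T08:12:00Z", "caller": "alice@contoso.example",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + AUTHZ + "11111111-1111-1111-1111-111111111111"},
    {"eventTimestamp": "2023-05-01T09:30:00Z", "caller": "dave@contoso.example",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/resourceGroups/rg-web" + AUTHZ + "22222222-2222-2222-2222-222222222222"},
    {"eventTimestamp": "2023-05-01T10:05:00Z", "caller": "dave@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01"},
    {"eventTimestamp": "2023-05-01T11:45:00Z", "caller": "carol@contoso.example",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Failed"},
     "resourceId": SUB + "/resourceGroups/rg-web" + AUTHZ + "33333333-3333-3333-3333-333333333333"},
    {"eventTimestamp": "2023-05-01T12:00:00Z", "caller": "alice@contoso.example",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/delete"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/resourceGroups/rg-web" + AUTHZ + "44444444-4444-4444-4444-444444444444"},
]


def scope_of(resource_id: str) -> str:
    """Strip the trailing /providers/Microsoft.Authorization/... segment, leaving
    the scope the assignment or definition was written at."""
    marker = "/providers/microsoft.authorization/"
    idx = resource_id.lower().find(marker)
    return resource_id[:idx] if idx != -1 else resource_id


def scope_level(scope: str) -> str:
    """Classify an ARM scope as managementGroup, subscription, resourceGroup or resource."""
    parts = [p for p in scope.split("/") if p]
    if parts and parts[0].lower() == "providers":
        return "managementGroup"
    if len(parts) <= 2:
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def rbac_changes(events):
    """Keep only committed RBAC operations; the log also carries Started and Failed
    entries for the same operation, which are not actual permission changes."""
    changes = []
    for ev in events:
        op = ev.get("operationName", {}).get("value", "")
        if not op.lower().startswith(RBAC_OPERATION_PREFIXES):
            continue
        if ev.get("status", {}).get("value") != "Succeeded":
            continue
        scope = scope_of(ev["resourceId"])
        changes.append({
            "time": ev["eventTimestamp"],
            "caller": ev["caller"],
            "operation": op,
            "scope": scope,
            "scopeLevel": scope_level(scope),
        })
    return changes


def subscription_scope_changes(changes):
    """Changes at subscription or management group scope are inherited broadly
    and deserve the closest review."""
    return [c for c in changes if c["scopeLevel"] in ("subscription", "managementGroup")]


if __name__ == "__main__":
    found = rbac_changes(SAMPLE_ACTIVITY_LOG)
    for c in found:
        flag = "  <-- broad scope" if c in subscription_scope_changes(found) else ""
        print(f"{c['time']} {c['caller']:22} {c['operation']:50} {c['scopeLevel']}{flag}")
```

On a real subscription the same logic applies to the JSON produced by `az monitor activity-log list` (or the portal's activity log export); the only field that needs care is `resourceId`, because the scope of a role assignment is the prefix before its own `providers/Microsoft.Authorization` segment, not the assignment id itself.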
Now, one thing a lot of Azure users want to know is how to grant access to people from outside their organization. We enable that with Azure Active Directory B2B. How this works is, you enter a person's email address when making a role assignment. Azure will then invite the user to become a guest in your Azure AD. Now by default, all users can invite guests, but you can also control who can make guest invitations. If your user account has been granted access to an Azure subscription from another organization, then you can manage that subscription by switching to the other organization's directory using the sign-in control in the portal.
Lastly, to help you protect your user accounts, Azure Active Directory supports a range of Multi-Factor Authentication methods, including phone call, SMS message or the Microsoft Authenticator mobile app. Additionally, using the Azure AD Premium Conditional Access feature, you can configure Multi-Factor Authentication to be required only under certain conditions, such as when users are accessing Azure from home or while traveling and not on the work network. In fact, there's a lot that I encourage you to explore in Conditional Access. For example, you can require Multi-Factor Authentication based on the user's sign-in risk level, and you can limit access to only users on managed devices. I hope this overview helps you understand the essentials of identity and access for Azure. It's a critical area to understand as an Azure user, and you can learn more with virtual demo experiences at the links shown. And of course, keep checking back to Azure Essentials for additional topics.
(dramatic music)
