Azure AD identities are an essential component of the SC-900: Microsoft Security, Compliance, and Identity Fundamentals exam.
Understanding these identities is crucial for managing identity and access in Microsoft 365, implementing and managing hybrid identities, and understanding the Microsoft identity platform. This article describes the roles of Azure AD (Azure Active Directory) identities in detail.
Understanding Azure AD Identities
Azure Active Directory (Azure AD) is a cloud-based, multi-tenant directory service from Microsoft. It provides identity and access management that lets users reach a range of cloud-based applications with a single identity. Azure AD identities can be either cloud identities or synced identities, and they come in two identity models: user identities and device identities.
- User Identities: These identities are linked to individual users. They grant access to Azure AD resources based on set permissions. User identities can be Azure AD accounts, Microsoft accounts, guest accounts, or anonymous accounts.
- Device Identities: These identities are linked to devices. They are used to grant access to Azure AD resources to specific devices based on set permissions and attributes.
Cloud Identity vs. Synced Identity
Azure AD allows two types of user identities: Cloud Identity and Synced Identity.
- Cloud Identity: Refers to user identities created in or directly managed through Azure AD. These identities are not associated with an on-premises Active Directory.
- Synced Identity: Refers to user identities that are created in an on-premises Active Directory and then synchronized to Azure AD using Azure AD Connect.
| | Cloud Identity | Synced Identity |
|---|---|---|
| Management | Azure AD | Local Active Directory and Azure AD |
| Password Authentication | Azure AD | Local Active Directory or Azure AD |
| Need for Directory Sync | No | Yes |
How Do Azure AD Identities Work?
Azure AD identities operate on the principle of claims-based identity. In a claims-based system, user information is packaged into security tokens issued by an Identity Provider (IdP), in this case Azure AD. These tokens contain claims about the user, and the application that receives a token verifies it before trusting the claims it carries.
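The claims-based flow described above, as an added example that is not part of the original article and not Microsoft's code: one function plays the IdP and packages claims into a signed token in JWT layout, and another plays the application that receives it and verifies the signature before checking issuer, audience and validity window. The signing key, issuer URL, audience, tenant id and user values are all constructed placeholders; the example uses an HMAC key so that it runs offline, whereas real Azure AD tokens are signed with RSA keys that the relying party fetches from the tenant's published key set (the validation steps are the same, only the key lookup differs).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example: a shared HMAC key standing in for the IdP's
# signing key, plus placeholder issuer and audience values.
IDP_SIGNING_KEY = b"example-shared-secret-not-a-real-key"
EXPECTED_ISSUER = "https://login.example-tenant.invalid/"  # placeholder issuer
EXPECTED_AUDIENCE = "api://example-resource"               # placeholder audience


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    """IdP side: package the claims into a signed token (JWT layout, HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(IDP_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def validate_token(token: str, now: Optional[float] = None) -> dict:
    """Relying-party side: verify the signature first, then check the claims.
    Returns the claims on success and raises ValueError with the reason otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified
    if header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected_sig = hmac.new(
        IDP_SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    # Only now are the claims trustworthy; check who issued them and for whom
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer is not the trusted IdP")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token was issued for a different audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token has expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token is not yet valid")
    return claims


def check_token(token: str, now: float) -> str:
    """Convenience wrapper: 'ok' or the rejection reason, for logging or tests."""
    try:
        validate_token(token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def sample_claims(issued_at: int) -> dict:
    """Constructed claims in the shape an Azure AD token carries
    (tenant id, subject, user principal name, validity window)."""
    return {
        "iss": EXPECTED_ISSUER,
        "aud": EXPECTED_AUDIENCE,
        "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant id
        "sub": "user-object-id-placeholder",
        "upn": "alice@example-tenant.invalid",
        "nbf": issued_at,
        "exp": issued_at + 3600,
    }


if __name__ == "__main__":
    issued = int(time.time())
    token = issue_token(sample_claims(issued))
    print("fresh token:", check_token(token, issued + 60))      # ok
    print("after expiry:", check_token(token, issued + 3601))   # token has expired
```

The order of checks is the point: the signature is verified before any claim is read, the algorithm is pinned rather than taken from the token, and issuer and audience are compared against values the application already trusts, so a token issued by another tenant or for another application is rejected even though it is validly signed.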
Understanding Identity Synchronization
Azure AD Connect is the tool that usually performs identity synchronization from the on-premises Active Directory to Azure AD. Azure AD Connect supports various topologies, including multi-forest scenarios, which can synchronize your directories’ data to Azure AD.
Understanding Authentication
Authentication in Azure AD can be password-based or handled through federation. Federation uses Security Assertion Markup Language (SAML) based claims to give users seamless access to Azure AD.
Understanding Azure AD B2B and B2C
Azure AD also provides B2B (Business-to-Business) and B2C (Business-to-Customer) services.
Azure AD B2B allows organizations to share their applications and services with guest users from any other organization while maintaining control over their own corporate data. Azure AD B2C, on the other hand, is an identity management service that enables customization and control over the customer sign-up, sign-in, and profile management process.
Understanding the concept of Azure AD identities is vital to managing access in a Microsoft 365 environment securely and efficiently. From granting the right permissions to securing user accounts, Azure AD identities are at the heart of the Microsoft identity platform.
Practice Test
True or False: Azure AD identities include cloud identities, synced identities, and federated identities.
- True
- False
Answer: True
Explanation: Azure AD supports several types of identities: cloud identities (created and managed in Azure AD), synced identities (created on an on-premises server and synced to Azure AD), and federated identities (managed on-premises, with authentication done by a federation service).
True or False: Microsoft Azure AD is an identity management service only for Microsoft applications.
- True
- False
Answer: False.
Explanation: Azure AD isn’t limited to Microsoft applications. It can control access to a variety of applications from Google Cloud and AWS, and it supports thousands of pre-integrated SaaS applications.
Which of the following represents identity models supported in Azure AD?
- a. Cloud identity
- b. Synced identity
- c. Federated identity
- d. Local identity
Answer: a, b and c.
Explanation: Azure AD supports three identity models – Cloud identity, Synced identity, and Federated identity. Local identity is not an identity model in Azure AD.
True or False: Federated identities in Azure AD require ADFS.
- True
- False
Answer: True.
Explanation: Federated identities require ADFS (Active Directory Federation Services) or another third-party identity provider to authenticate the user to Azure AD.
Who manages account policies including password policy, account lockout policy etc., for Cloud Identities?
- a. Microsoft
- b. The user
- c. Azure AD
- d. All of the above
Answer: a.
Explanation: For Cloud identities, Microsoft manages account policies like password policy, account lockout policy etc.
True or False: Azure AD is a multi-tenant, cloud-based directory, and identity management system.
- True
- False
Answer: True.
Explanation: Azure AD is indeed a multi-tenant, cloud-based directory and identity management system, combining core directory services, application access management, and identity protection into a single solution.
Which of the following is not a type of Azure AD Identity?
- a. Cloud Identity
- b. Synced Identity
- c. Federated Identity
- d. Local Identity
Answer: d. Local Identity
Explanation: Azure AD has only three types of identities: Cloud Identity, Synced Identity, and Federated Identity. Local Identity is not one of the identities Azure AD supports.
Azure AD is only responsible for managing users. True or False?
- True
- False
Answer: False.
Explanation: Azure AD manages more than just users. It also manages groups, applications, and devices, providing a variety of ways to collaborate and secure access.
True or False: An Azure AD account can be used to sign in to multiple devices.
- True
- False
Answer: True.
Explanation: An Azure AD account can indeed be used to sign in to multiple devices, providing a seamless user experience across devices by using the same account.
Which type of identity in Azure AD is managed on-premises but uses federation services for authentication?
- a. Cloud Identity
- b. Synced Identity
- c. Federated Identity
- d. Local Identity
Answer: c. Federated Identity
Explanation: Federated Identity in Azure AD is an identity type that is managed on-premises but uses federation services such as ADFS for authentication.
Interview Questions
What is Azure Active Directory (Azure AD)?
Azure AD is Microsoft’s cloud-based identity and access management service. It helps employees sign in and access external resources such as Microsoft Office 365 and internal resources such as apps on the company network and intranet.
What are the two types of Azure AD identities?
The two types of Azure AD identities are User identities (used by people), and Service Principals (used by applications or services).
What is the purpose of User Identities in Azure AD?
User identities represent actual users. This identity is used to sign in and access resources. In short, it is used for authentication and authorization when accessing resources.
What is an Azure AD tenant?
An Azure AD tenant is a dedicated instance of Azure AD that’s automatically created when your organization signs up for a Microsoft cloud service subscription, such as Microsoft Azure, Microsoft Intune, or Microsoft 365.
What is the function of Service Principals in Azure AD?
Service Principals in Azure AD represent the identity that is used by a service, app, or daemon running on a device to authenticate against Azure AD and access specific resources.
How are Azure AD identities authenticated?
Azure AD identities are authenticated through a process called sign-in. This process validates the identity of the person or service principal who wants to access resources.
What is Azure AD B2B collaboration?
Azure AD B2B collaboration lets you securely share your company’s applications and services with guest users from any other organization, while maintaining control over your own corporate data.
What is Azure AD B2C?
Azure Active Directory B2C (Azure AD B2C) is an identity management service that enables you to customize and control how users sign up, sign in, and manage their profiles when using your applications.
What is Azure AD Connect?
Azure AD Connect is a Microsoft utility that syncs your Active Directory records to Azure AD. It allows users to use a common identity for authentication and authorization to all resources, including on-premises and cloud resources.
Why is Azure AD known as Identity as a Service (IDaaS)?
Azure AD is considered an Identity as a Service (IDaaS) because it provides identity and access management services in the cloud to help businesses streamline and secure access to applications.
What is conditional access in Azure AD?
Conditional Access in Azure AD is a capability that allows you to implement automated access control decisions for accessing your cloud apps that are based on specific conditions.
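To make "automated access control decisions based on specific conditions" concrete, here is an added example that is not part of the original article and not Microsoft's implementation: a simplified model in which each policy has assignment conditions (which users, which apps, which locations or client types) and grant controls (block, require MFA, require a compliant device), and a sign-in is evaluated against every policy at once. The three sample policies, the group and app names, and the sign-in attributes are all constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class SignIn:
    """The conditions known about one sign-in attempt (constructed model)."""
    user: str
    groups: FrozenSet[str]
    app: str
    from_trusted_location: bool
    device_compliant: bool
    mfa_satisfied: bool
    legacy_client: bool  # e.g. a basic-auth mail client that cannot perform MFA


@dataclass(frozen=True)
class Policy:
    """One Conditional Access policy: assignments (who/what/where) and grant controls."""
    name: str
    groups: FrozenSet[str] = frozenset()    # empty = every user
    apps: FrozenSet[str] = frozenset()      # empty = every cloud app
    only_untrusted_locations: bool = False
    only_legacy_clients: bool = False
    block: bool = False                     # grant control: block access outright
    require_mfa: bool = False               # grant control: multifactor authentication
    require_compliant_device: bool = False  # grant control: device marked compliant

    def applies(self, s: SignIn) -> bool:
        """True when every assignment condition of the policy matches the sign-in."""
        if self.groups and not (self.groups & s.groups):
            return False
        if self.apps and s.app not in self.apps:
            return False
        if self.only_untrusted_locations and s.from_trusted_location:
            return False
        if self.only_legacy_clients and not s.legacy_client:
            return False
        return True


def evaluate(policies: List[Policy], s: SignIn) -> Tuple[str, List[str]]:
    """Evaluate all policies against one sign-in.

    Returns ('block', blocking policies), ('interrupt', unmet controls) when the
    user must satisfy a control before access is granted, or ('allow', matched
    policies). Every matching policy is applied and a block always wins.
    """
    matched = [p for p in policies if p.applies(s)]
    blocking = [p.name for p in matched if p.block]
    if blocking:
        return "block", blocking
    unmet: List[str] = []
    for p in matched:
        if p.require_mfa and not s.mfa_satisfied:
            unmet.append(f"{p.name}: MFA")
        if p.require_compliant_device and not s.device_compliant:
            unmet.append(f"{p.name}: compliant device")
    if unmet:
        return "interrupt", unmet
    return "allow", [p.name for p in matched]


def sample_policies() -> List[Policy]:
    """Three constructed policies of the kind commonly deployed as a baseline."""
    return [
        Policy("Block legacy authentication", only_legacy_clients=True, block=True),
        Policy("Require MFA outside trusted locations",
               only_untrusted_locations=True, require_mfa=True),
        Policy("Require compliant device for the finance portal",
               groups=frozenset({"finance"}), apps=frozenset({"finance-portal"}),
               require_compliant_device=True),
    ]


if __name__ == "__main__":
    policies = sample_policies()
    home = SignIn("alice", frozenset({"staff"}), "mail", from_trusted_location=False,
                  device_compliant=True, mfa_satisfied=False, legacy_client=False)
    print(evaluate(policies, home))  # ('interrupt', ['Require MFA outside trusted locations: MFA'])
```

Two properties of the model are worth noticing because they hold for the real service as well: a sign-in that matches several policies has to satisfy all of their controls, and a block decision cannot be overridden by another policy that would have allowed the same sign-in.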
What is Microsoft Managed Identity for Azure resources?
Managed Identity for Azure resources is a feature of Azure AD. It provides Azure services with an automatically managed identity in Azure AD. It’s used to authenticate to any service that supports Azure AD authentication without having any credentials in your code.
Can Azure AD support Multi-Factor Authentication (MFA)?
Yes, Azure AD supports Multi-Factor Authentication (MFA) which adds an extra layer of security to user sign-ins and transactions by ensuring users provide more than just a password to identify themselves.
What is Self-Service Password Reset (SSPR) in Azure AD?
Self-Service Password Reset (SSPR) is a feature in Azure AD that allows users to reset their passwords without the need for administrator intervention, enabling them to quickly regain access to their accounts.
Can you integrate an on-premises Active Directory with Azure AD?
Yes, it is possible to integrate an on-premises Active Directory with Azure AD. This integration allows you to sync on-premises AD users to Azure AD, enabling users to authenticate in the cloud using the same credentials they use on-premises.