Managed identities

This course covers the Secure Resources part of the 70-534 exam, which is worth 20-25% of the exam. The intent of the course is to help fill in any knowledge gaps that you might have, and help to prepare you for the exam.


Welcome back. In this lesson, we're gonna be talking about identity management with Azure Active Directory.

The first thing that we should mention is that Azure Active Directory is different from the on-prem version of Windows Server Active Directory that companies have been using for years and years. The on-prem version of Active Directory is about securing on-prem resources, where the Azure Active Directory is about securing cloud based resources. Now, that's a bit of a simplification.

However, it's a reasonable description. Azure AD is a multi-tenant, cloud based directory and identity management service. It uses open web standards such as SAML, WS-Federation, OpenID, and the Graph API. It even allows Windows 10 devices to domain join, allowing access to cloud based resources.

In contrast, the Windows Server Active Directory, which is the on-prem version, is a single organization based local directory service, which uses Kerberos and LDAP. Microsoft recognizes that hybrid solutions are inevitable, and so Azure AD and Windows Server AD are able to complement each other by syncing and allowing single sign-on.

It's common to see Windows applications built that are domain aware, especially intranet applications, and that meant that if companies wanted to move to the cloud via the lift-and-shift pattern, they would need to have a domain controller running on an IaaS VM.

It's not that uncommon to see, even still, though Azure AD Domain Services allows Azure VMs to domain join without requiring a domain controller. Let's create an Azure directory. We're gonna start in the new portal, and we'll click on security and identity.

And then we're gonna select active directory. Notice how it opens up the classic portal here. Currently that's where all of the active directory stuff is managed, and that may change in the future, though for now it's still done here. So we need to fill out this add directory form.

We need a directory name, so let's give one. And then we need to set up our domain name. We'll just call ours ca534. And we'll set our country. Great. And we'll click the check, and in a moment we'll have our directory, and it will be fully created.

On this landing page here you can see that we have some options for things such as adding our own domain to make it a more friendly experience for the user for sign-in. And then we also are given the ability to sync with our on-prem resources.

And we have options here for the premium version. There are a few different tiers for Azure AD. The tiers have their own pricing as well. Starting at the free tier, and then we have up to two premium tiers.

So as you can see, each has their own allowed features and limits, and I'm not gonna go through all of the features and limits here. That's not very useful. However, you can see that we have a free version, and it's pretty feature-rich.

Okay, let's add a user. We'll click on the user tab, and then the add user button at the bottom. We can change the type of user. We have some options here. The default is the new user in your organization option. There's also the user within existing Microsoft account, user in another Azure AD, and user in partner companies.

So again, we'll just stay with the default. And then we'll add a username and click next. And then we have to fill out the profile form. We'll add the first name, and the last name, and there we go. And now we need a display name as well. Great. And with that done, we can change the role.

We have user, and then we have some different admins. There's a global admin, which allows all admin features. We have the billing admin, which manages subscriptions and support tickets. We have the service admin, which can manage requests and monitor some of the service health.

And we have the user admin, which manages groups, user accounts, and service requests, and the password admin can reset passwords for users and for other password admins. I'll go with the user role for this.

We could set up multi-factor authentication here as well. I'm not going to. It's not really useful in this demo. We talked about multi-factor authentication in a previous course. It allows for authentication that is more than just your username and password. It involves at least two forms of authentication.

So Azure allows us to use our username and password for the first factor, and then the next factor can be either from a phone call, a text message, mobile app notification, mobile app verification code, or some third party OAuth tokens. I always recommend the use of multi-factor authentication. It tends to make for a much more secure authentication method.

Okay, let's get back to our directory creation process. We'll click next. And we'll need a password for the user. So I need a temporary password. And I'm gonna copy it and then let's try and login to the portal. And the first time, it's gonna prompt us to change the password.

So we'll enter the password that we had previously, that temporary one, and then we'll give it a new password. And then we need the confirmation password. Perfect. Okay, and there we are. Now the portal is loading. Azure AD will allow us to grant users access to different resources inside of Azure.

Okay, you may recall I mentioned previously that it's common for applications, especially intranet apps, to be domain aware. Modern apps, and by that I mean cloud native apps, will still need similar integration with Azure AD.

And there are different ways to go about that integration. You could use one of the many libraries, including one for .NET that allows you to use LINQ queries. However, at their core, they're all built on top of the REST API.

Microsoft provides what's called the Graph API. It will allow us to interact with Azure AD, and we can do things such as creating and updating users, as well as deleting users. And it's not limited to just interacting with Azure AD.

It's a single unified endpoint that will allow us to query things such as mail, calendars, and notes. We'll be focusing on the AD throughout this, but just know that it's one endpoint that has access to all of these different resources.

It's important to understand the Graph API because knowing this is gonna help you better guide developers in creating modern cloud apps. Microsoft provides us with a tool to test out our API calls. It allows us to set the version, the endpoint, and then submit the request and see the data that comes back.

We're gonna start out with the /me endpoint, which will show information about the currently logged in user, and in this case, it's the AD user that I just created a few moments ago. And if we switch to the beta version, you can see that we have some new properties that come back in that list.

Now we can query things such as the organization, and there's really not much to see here. We can query directory roles. And then we can even drill into these to get additional information by clicking on one of the properties. We're gonna click on this GUID here.

Let's drill into the company administrator. And if we append /members to the end of this endpoint, we can list off all of the administrators. You may have noticed that the user I'm logged in with now is on this list, and if you recall, when I created that account, I set the role to user. However, I changed it in the meantime, so that's why you're seeing it here.
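An added example (not part of the course material) that turns the /directoryRoles and /members calls just walked through into a small admin-audit script: it resolves the Company Administrator role by display name, lists its members, and flags when the count passes a threshold. The Graph base URL, version segments and bearer-token header are real Graph conventions; the role IDs, user names, sample responses and the max_admins threshold are constructed assumptions, and the live graph_get helper only runs if you hand it a real token.

```python
"""Audit Company Administrator membership via the Graph endpoints above.
Added example; the sample responses are constructed, not real tenant data."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com"

def graph_url(path, version="v1.0"):
    """Build a Graph URL for a path such as /me or /directoryRoles (v1.0 or beta)."""
    return f"{GRAPH}/{version}/{path.lstrip('/')}"

def graph_get(path, token, version="v1.0"):
    """Live GET against Graph; needs a bearer token, so the offline demo skips it."""
    req = urllib.request.Request(graph_url(path, version),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed responses in the shape Graph returns (assumed IDs and UPNs).
SAMPLE_ROLES = {"value": [
    {"id": "role-guid-1", "displayName": "Company Administrator"},
    {"id": "role-guid-2", "displayName": "User Account Administrator"},
]}
SAMPLE_MEMBERS = {
    "role-guid-1": {"value": [
        {"userPrincipalName": "alice@ca534.onmicrosoft.com"},
        {"userPrincipalName": "svc-legacy@ca534.onmicrosoft.com"},
    ]},
    "role-guid-2": {"value": [{"userPrincipalName": "bob@ca534.onmicrosoft.com"}]},
}

def find_role_id(roles, display_name):
    """Return the id of the directory role with this displayName, or None."""
    for role in roles["value"]:
        if role["displayName"] == display_name:
            return role["id"]
    return None

def list_role_members(get, role_name="Company Administrator"):
    """get(path) returns Graph JSON; returns the sorted UPNs holding the role."""
    role_id = find_role_id(get("/directoryRoles"), role_name)
    if role_id is None:
        return []
    members = get(f"/directoryRoles/{role_id}/members")
    return sorted(m["userPrincipalName"] for m in members["value"])

def offline_get(path):
    """Serve the constructed samples for the two paths the lesson queried."""
    parts = path.strip("/").split("/")          # ["directoryRoles", id, "members"]
    return SAMPLE_ROLES if len(parts) == 1 else SAMPLE_MEMBERS[parts[1]]

def flag_excess_admins(admins, max_admins=2):
    """Hygiene check: more global admins than the assumed threshold is a finding."""
    return len(admins) > max_admins
```

To run it against a tenant, pass `lambda p: graph_get(p, token)` as `get` instead of `offline_get`.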

Now we're not gonna go through every API call. There's a lot of them. However, you may wanna skim through the documentation so you understand at a high level what's available.

Okay, in our next lesson, we're gonna take a look at Azure AD just a bit more. Specifically we're gonna look at OAuth 2.0 and OpenID Connect. If you're ready to learn more, then let's get started in the next lesson.

About the Author

Ben Lambert is a software engineer and was previously the lead author for DevOps and Microsoft Azure training content at Cloud Academy. His courses and learning paths covered Cloud Ecosystem technologies such as DC/OS, configuration management tools, and containers. As a software engineer, Ben’s experience includes building highly available web and mobile apps. When he’s not building software, he’s hiking, camping, or creating video games.