Authentication, Authorization, and Federation

In this course, we will go over some basic identity concepts regarding security and Azure.

Learning Objectives

  • The concepts of authentication, authorization, and federation
  • What is an Identity and an Identity Provider
  • The concepts of directory services and Active Directory 
  • The concept of the primary security perimeter

Intended Audience

  • Users looking to learn about basic identity concepts referenced in Microsoft Azure
  • Users preparing for the SC-900 certification

Prerequisites

  • A basic familiarity with Azure



In order to fully grasp the concept of identity, one must first understand the concepts of authentication, authorization, and federation, as well as how they relate to identity. All of these concepts are similar and relate to one another, but grasping their relationships and how they interact is important to understanding the entire picture. So, with that in mind, let's start off with authentication. Authentication, also known as AuthN, is the process of proving someone is who they say they are. A good everyday example of authentication is checking someone's ID: you verify and authenticate their identity based on that ID. When you think of this process in terms of Azure, it's not much different. A username is simply a claim about who you are, while a password is the proof that validates that claim (in Azure a password is only one kind of proof; a second factor such as an authenticator app is another). Your name can be compared to your username. For example, my name is Lee Mucciarone, and some variation of that could be my username. So, if your name is your username, then the password is your ID. The ID and the password are each used to authenticate that you are who you say you are, and that's authentication.

Authorization, on the other hand, is something that comes after the authentication process. Sometimes referred to as AuthZ, authorization is the granting of permissions to an individual: effectively, the level of access a user has to data and resources. So, a single user might have access to document A but not document B, while another user may have access to both document A and document B. That's an example of authorization. Now that we know both of these concepts, let's tie them into one larger example to complete the picture. Consider that you're looking to spend the night at a hotel and you made a reservation. You would show up at the hotel, walk up to the front desk, and tell them about your reservation. They would then validate who you are against your ID and their system, and then give you your room key. That's the process of authentication. Now that you have your room key, you can find your room and access it. However, that key is only good for your specific room, and that's the example of authorization. While you authenticated your identity, you only have authorization to be in a specific room.

Meanwhile, a hotel employee might have access to all of the rooms, because they have more access and permissions than you as a customer would have. Now, it's time to add another level to these concepts with the idea of federation. Think about this for a second. Have you ever logged into Facebook, Twitter, Instagram, Discord, or any other website using a Google account? How does that work? Wouldn't you think that you would need a Facebook or a Twitter account in order to log into those sites? If that were the case, why can I log into them with my Google account? Well, this is an example of the concept of federation. Federation is the ability to cross organizational or domain boundaries through trust relationships between multiple different identity providers. To help, picture four different parties: the user, the website, identity provider A, and identity provider B. If a user wants to access the website, they attempt to log in using identity provider A. Usually, this wouldn't work, because the website uses identity provider B to authenticate its users. However, if identity provider A has a trust relationship with identity provider B, the user is allowed access, because the website's identity provider trusts the user's identity provider. The website never sees the user's password; it only sees a signed assertion from a provider it has been configured to trust.

So, if Google has a trust relationship with Twitter, a user could authenticate with their Google account rather than creating a Twitter account. The greatest benefit of federation is that it reduces the need for users to have multiple usernames and passwords when accessing different domains. Allowing users a single set of credentials to access multiple different domains not only simplifies management but reduces confusion among those users. The flip side is that the trusted identity provider's account now unlocks every domain that trusts it, so that one account is the one to protect most carefully. But now that we've mentioned identity providers, we should probably jump into what exactly an identity provider is and what that means for a user's identity.
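The three concepts above, authentication, authorization and federation, can be shown end to end in a few dozen lines. The following is an added example written for this page, not code from the course or from Microsoft: an identity provider proves the user's identity with a salted, iterated password hash (AuthN) and issues a signed token; a website checks whether the token's issuer is one it has chosen to trust (the federation trust relationship), then checks the user's name against a per-document access list (AuthZ). The provider names idp-a and idp-c, the users lee and staff, and the documents document-A and document-B are made up for the demo, and the HMAC shared-secret token is a stand-in for the signed SAML or OpenID Connect assertion a real provider would issue.

```python
"""Added example: AuthN, AuthZ and a federation trust decision with the standard library.
Names (idp-a, idp-c, lee, staff, document-A/B) are constructed for the demo."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional


class IdentityProvider:
    """Holds the credential store and proves identities (authentication)."""

    def __init__(self, name: str):
        self.name = name
        # Key used to sign issued tokens. A relying party holding this key trusts
        # this provider. (Real federation uses asymmetric keys so the relying party
        # holds only the public half; a shared secret keeps the example short.)
        self.signing_key = secrets.token_bytes(32)
        self._users = {}  # username -> (salt, pbkdf2 hash)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def authenticate(self, username: str, password: str, ttl: int = 300) -> Optional[str]:
        """AuthN: the password is the proof. Return a signed token, or None on failure."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        payload = f"{self.name}|{username}|{int(time.time()) + ttl}"
        sig = hmac.new(self.signing_key, payload.encode(), "sha256").hexdigest()
        return f"{payload}|{sig}"


class Website:
    """The relying party: decides whom to trust (federation) and what each principal may do (AuthZ)."""

    def __init__(self):
        self.trusted_issuers = {}  # provider name -> verification key
        self.acl = {}              # document -> set of "issuer:user" principals

    def trust(self, idp: IdentityProvider) -> None:
        """Establish the federation trust relationship with an identity provider."""
        self.trusted_issuers[idp.name] = idp.signing_key

    def principal_from_token(self, token: str) -> Optional[str]:
        """Validate issuer, signature and expiry; return 'issuer:user' or None."""
        try:
            issuer, user, exp, sig = token.split("|")
            expires_at = int(exp)
        except ValueError:
            return None
        key = self.trusted_issuers.get(issuer)
        if key is None:
            return None  # token from a provider this site never trusted
        expected = hmac.new(key, f"{issuer}|{user}|{exp}".encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # tampered or forged token
        if expires_at < time.time():
            return None  # stale token
        return f"{issuer}:{user}"

    def can_read(self, token: str, document: str) -> bool:
        """AuthZ: a proven identity is necessary but not sufficient; the ACL decides."""
        principal = self.principal_from_token(token)
        return principal is not None and principal in self.acl.get(document, set())


def demo() -> dict:
    """Run the scenario from the text; each key names an outcome, each value is the result."""
    idp_a = IdentityProvider("idp-a")  # the user's provider, trusted by the site
    idp_c = IdentityProvider("idp-c")  # a provider the site has no trust relationship with
    idp_a.register("lee", "correct horse battery staple")
    idp_c.register("lee", "whatever")

    site = Website()
    site.trust(idp_a)
    # lee, like the hotel guest, gets one room; staff get both.
    site.acl = {"document-A": {"idp-a:lee", "idp-a:staff"}, "document-B": {"idp-a:staff"}}

    good = idp_a.authenticate("lee", "correct horse battery staple")
    forged = good.replace("|lee|", "|staff|")  # claim to be staff without re-signing
    return {
        "wrong_password_gets_token": idp_a.authenticate("lee", "guess") is not None,
        "lee_reads_A": site.can_read(good, "document-A"),
        "lee_reads_B": site.can_read(good, "document-B"),
        "untrusted_idp_token_reads_A": site.can_read(idp_c.authenticate("lee", "whatever"), "document-A"),
        "forged_staff_token_reads_B": site.can_read(forged, "document-B"),
        "expired_token_reads_A": site.can_read(
            idp_a.authenticate("lee", "correct horse battery staple", ttl=-1), "document-A"),
    }


if __name__ == "__main__":
    for outcome, result in demo().items():
        print(f"{outcome}: {result}")
```

Note the order of checks in principal_from_token: the issuer is looked up before the signature is verified, so a token from an unknown provider is rejected even if it is perfectly well formed, which is exactly what "no trust relationship" means; and a valid token from a trusted provider still yields False for document-B, because authentication never implies authorization.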


About the Author

Lee has spent most of his professional career learning as much as he could about PC hardware and software while working as a PC technician with Microsoft. Once COVID hit, he moved into a customer training role with the goal of getting as many people as possible prepared for remote work using Microsoft 365. Being both Microsoft 365 certified and a self-proclaimed Microsoft Teams expert, Lee continues to expand his knowledge by working through the wide range of Microsoft certifications.
