We've covered quite a bit of ground in this course. With so many terms and features to keep track of, it's critical to be able to distinguish them from one another and understand what each does. By understanding what each identity management piece does, it becomes far easier to design an identity management solution. With that said, let's walk through a high-level recap of all of the key players in the identity management space and what each offers. Microsoft's Azure Active Directory is a cloud-based identity and access management service. With it, users can sign in and access external resources, such as Office 365, the Azure portal, and other SaaS applications. Azure AD is used to control access to applications and resources according to business requirements. A hybrid identity is an identity that spans on-prem and cloud-based capabilities. Leveraging hybrid identities allows an organization to create a common user identity for authentication and authorization to all resources, regardless of whether they are on-prem or in the cloud. Azure AD Domain Services is a Microsoft cloud-based offering that provides managed domain services, such as domain join, group policy, LDAP, and Kerberos and NTLM authentication. These services are fully compatible with traditional on-prem Active Directory and they can be deployed without any need for deployment or management of domain controllers in the cloud. Single sign-on, also referred to as SSO, allows users to sign in once with one account in order to access domain-joined devices, corporate resources, software as a service apps, and even web applications. 

After signing in, users can then launch apps right from the O365 portal or via the MyApps access panel. With single sign-on, IT administrators can centralize user account management, allowing them to automatically add or remove user access to applications, based on group membership. Also known as MFA, multi-factor authentication works by requiring two or more authentication methods, which typically include something like a password that the user knows, something the user owns, which is typically a mobile phone, and/or something the user is, biometrics would be a good example. Azure MFA offers the ability to safeguard access to applications and data while maintaining a simple end-user experience. Azure Active Directory Business-to-Business collaboration, also known as AD B2B, allows an organization to securely share company applications and services with guest users from other organizations, while retaining control over company data. Azure Active Directory Business-to-Consumer, also known as Azure AD B2C, is an identity management service that offers organizations the ability to customize and control how customers interact with corporate applications. It allows organizations to control how users sign up, sign in, and how they manage their profiles when using the applications. Azure AD B2C enables this functionality while also protecting customer identities. Azure Active Directory Privileged Identity Management, also known as PIM, is an Azure offering that allows you to manage and control access to resources within Azure and Azure AD, as well as within other services such as Intune and Office 365. Self-Service Password Reset, also known an SSPR, allows end users to reset forgotten passwords without the need for a call to the helpdesk. It's a feature that many organizations request, as it helps provide a more streamlined and pleasant end-user experience.

Depending on the SSPR functionality that is required, license requirements may vary. Through self-service group membership, Azure AD offers the ability for users to create and manage their own security groups and Office 365 groups. In addition, users can also request security group memberships as well as Office 365 group memberships. In such cases, the owner of such groups can approve or deny their membership. Managed Identities for Azure Resources provides supported Azure services with an automatically managed identity in Azure AD that can be used to authenticate to any service that supports Azure AD authentication without the need to store any credentials in code. Key Vault is one of the Azure services that is supported. Managed Identities for Azure Resources is a free feature that comes with all Azure AD editions. So, like I said, lots of terms. To learn more about each feature, you can, and should, read Microsoft's published documentation on each. Be sure to also watch for new Microsoft Azure courses on Cloud Academy, because we're always publishing new ones. Please give this course a rating, and if you have any questions or comments, please let us know. Thanks for watching and happy learning!