Identity and Access Management

Security is a critical concern for anyone who uses the cloud. Microsoft takes this seriously and operates the Azure Platform with security as a key principle. Microsoft secures data centers, and management applications, and provides pay-as-you-go security services. Learn how to take advantage of these security features and services to enable strong security practices in your organization and to protect and secure your own cloud applications.

This course begins by looking at Azure's shared responsibility model before moving on to look at various security topics within Azure: storage security, database security, identity & access management, and networking security. By the end of this course, you should have a basic understanding of all of the key security options and features available in Microsoft Azure.

For any feedback relating to this course, please contact us at

Learning Objectives

  • Understand the shared responsibility model
  • Learn how to secure Azure resources
  • Learn about Azure security services and technologies
  • Learn how to monitor your Azure resources with Azure Security Center

Intended Audience

This course is intended for IT Professionals who need to develop an understanding of the security solutions that are available in Microsoft Azure.


To get the most from this course, you should have a basic understanding of Microsoft Azure and its offerings.


Hi there. Welcome to Identity and Access Management. In this lecture, you are going to learn about several features and services that you can use to manage identity and access in Azure. We’re going to cover role-based access control (or RBAC), Azure Active Directory, Azure Active Directory B2C, Azure Active Directory Domain Services, and Azure Multi-Factor Authentication. We’ll start with Role-Based Access Control.

Because access management is so important for organizations using the cloud, there needs to be a robust way to manage access. Role-based access control, also known as RBAC, is the tool of choice. Using RBAC, you can effectively manage which users have access to what Azure resources, what those users can do with those resources, and what areas in Azure they have access to.

RBAC is an authorization system built on Azure Resource Manager. It offers fine-grained access management of your Azure resources.

For example, you can allow one user or group to manage your VMs in your Azure subscription, while allowing another user or group to manage your virtual networks. Perhaps you need to assign a group of DBAs to manage your SQL databases without giving them access to your VMs. You can do this with RBAC.

You can even allow a user or group of users to manage all resources in a specific resource group, while allowing another user or group to manage the resources in a separate resource group.

Segregating duties within your organization, using RBAC, allows you to grant your users only the amount of access they need to perform their jobs. By granting users least privilege to get their work done, you minimize the chances of a security incident or a mistake that could take down production.

The diagram on your screen depicts a Microsoft-recommended usage pattern for RBAC.
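To make the scope and least-privilege points above concrete, here is an added example (not code from the course) that models how Azure RBAC decides a request: a role assignment applies at its scope and everything beneath it, a role's Actions grant operations, and its NotActions carve operations back out. Role names and action strings follow Azure's naming, but the role definitions are trimmed, and the users, groups, subscription ID and resource group names are constructed for illustration.

```python
# Added example, not code from the course: a small model of how Azure RBAC
# evaluates a request. Role names and action strings follow Azure's naming,
# but the role definitions are trimmed and the users, groups, subscription
# and resource group names below are constructed for illustration.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple            # permitted operations; '*' is a wildcard
    not_actions: tuple = ()   # carved out of actions (not a deny)


@dataclass(frozen=True)
class RoleAssignment:
    principal: str            # user, group or service principal
    role: RoleDefinition
    scope: str                # subscription, resource group or resource ID


# Trimmed versions of built-in roles (the real definitions list more actions)
OWNER = RoleDefinition("Owner", ("*",))
READER = RoleDefinition("Reader", ("*/read",))
VM_CONTRIBUTOR = RoleDefinition(
    "Virtual Machine Contributor", ("Microsoft.Compute/virtualMachines/*",))
NETWORK_CONTRIBUTOR = RoleDefinition(
    "Network Contributor", ("Microsoft.Network/*",))
SQL_DB_CONTRIBUTOR = RoleDefinition(
    "SQL DB Contributor",
    ("Microsoft.Sql/servers/databases/*",),
    # auditing settings are excluded so a DBA cannot weaken audit logging
    ("Microsoft.Sql/servers/databases/auditingSettings/*",))

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed
RG_PROD = SUB + "/resourceGroups/rg-prod"
RG_DEV = SUB + "/resourceGroups/rg-dev"

# Segregation of duties: each team gets one role at the narrowest useful scope
ASSIGNMENTS = [
    RoleAssignment("alice@contoso.example", VM_CONTRIBUTOR, RG_PROD),
    RoleAssignment("bob@contoso.example", NETWORK_CONTRIBUTOR, SUB),
    RoleAssignment("dba-team", SQL_DB_CONTRIBUTOR, RG_PROD),
    RoleAssignment("carol@contoso.example", READER, SUB),
]


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies to its own scope and everything beneath it."""
    a, t = assignment_scope.lower(), target_scope.lower()
    return t == a or t.startswith(a + "/")


def matches(action: str, patterns) -> bool:
    """Azure action strings are case-insensitive and '*' spans segments."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_allowed(assignments, principal: str, action: str, scope: str) -> bool:
    """Allow if any applicable assignment grants the action and that role's
    own NotActions do not carve it out. There is no deny here, so any
    matching grant wins."""
    for a in assignments:
        if a.principal != principal or not scope_covers(a.scope, scope):
            continue
        if matches(action, a.role.not_actions):
            continue
        if matches(action, a.role.actions):
            return True
    return False


if __name__ == "__main__":
    vm = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/web01"
    print(is_allowed(ASSIGNMENTS, "alice@contoso.example",
                     "Microsoft.Compute/virtualMachines/start/action", vm))
    print(is_allowed(ASSIGNMENTS, "dba-team",
                     "Microsoft.Compute/virtualMachines/read", vm))
```

The DBA group can write to databases in rg-prod but cannot read the VMs in the same resource group, and alice's VM rights stop at the rg-prod boundary. In Azure itself, alice's entry corresponds to `az role assignment create --assignee alice@contoso.example --role "Virtual Machine Contributor" --resource-group rg-prod`.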

Now, let’s shift to Azure AD. Azure AD is Microsoft’s cloud-based identity and access management service. You use it to let users sign in and access resources. You can use Azure AD to control access to both internal and external resources.

For example, you can use it to control access to things like Microsoft Office 365, the Azure portal, and even to all kinds of external SaaS applications. You can also control access to internal resources, like applications that reside on your corporate network or to home-grown cloud apps.

Azure AD is intended for IT Admins, App Developers, and for subscribers to services such as Microsoft 365, Office 365, Azure, and others.

IT Admins will typically use Azure AD to control access to applications and to app resources. They will also often use Azure AD to enforce multi-factor authentication and to automate user provisioning.

App developers will often use Azure AD to add single sign-on to their apps. This makes logons easier for the app users since it then allows them to authenticate with their existing credentials. 

Subscribers to services like Microsoft 365, Office 365, and Azure are already using Azure AD – sometimes without even knowing it – because these tenants are automatically Azure AD tenants. Azure AD is how provisioning and access to these services is handled.

Azure Active Directory business-to-business collaboration is also known as Azure AD B2B. This offering allows organizations to securely share their apps and services with guest users from other external organizations, while allowing them to retain control over their data. 

This is a great solution for organizations that need to work with external partners. 

Azure AD B2B provides an easy-to-use invitation and redemption process that allows external users to use their own credentials to access partner resources. 

Azure Active Directory business-to-customer, or B2C, provides business-to-customer identity as a service. Leveraging Azure AD B2C allows an organization’s customers to access the organization’s applications via single sign-on that uses their existing social, enterprise, or local account identities.

Azure AD B2C uses standards-based authentication protocols. Supported protocols include OpenID Connect, OAuth 2.0, and SAML – and it integrates with most modern app and commercial software.

The image on your screen represents the possibilities offered by Azure AD B2C.

Using Azure AD B2C, you can build a single sign-on solution for your organization’s web apps, mobile apps, and even APIs. 
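Whichever of those protocols an app relies on, the app's side of the bargain is to validate what the identity provider hands back before trusting it. The following is an added example (not course code) showing the checks a relying-party app makes on an OpenID Connect ID token: signature first, then issuer, audience, expiry, not-before and nonce. To stay self-contained it signs with HMAC-SHA256 (HS256) under a constructed shared key; Azure AD B2C actually signs tokens with RSA keys published through the tenant's OpenID Connect metadata, so a real app swaps the signature step for RS256 against those keys. The issuer URL, client ID, key and claim values are all constructed.

```python
# Added example, not course code: relying-party validation of an OpenID
# Connect ID token. HS256 with a constructed shared key keeps this runnable
# offline; Azure AD B2C uses RS256 with keys from the tenant's OIDC metadata.
import base64
import hashlib
import hmac
import json

ISSUER = "https://login.example/constructed-tenant/v2.0/"   # constructed
CLIENT_ID = "constructed-client-id"                          # constructed
KEY = b"constructed-shared-key"                              # constructed


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: dict, key: bytes) -> str:
    """Mint a token the way a test identity provider would (HS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_id_token(token, key, issuer, audience, now, nonce=None):
    """Return the claims if every check passes, otherwise None.
    The signature is verified before any claim is read."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:            # bad base64, bad UTF-8 or bad JSON
        return None
    # Pin the algorithm: the verifier decides, never the token
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:
        return None
    if claims.get("iss") != issuer:
        return None
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if audience not in aud:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    if now < claims.get("nbf", 0):
        return None
    # The nonce ties the token to the sign-in request that asked for it
    if nonce is not None and claims.get("nonce") != nonce:
        return None
    return claims


def demo_claims(now: int) -> dict:
    """Constructed claim set resembling what an OIDC provider returns."""
    return {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123", "name": "Alice",
            "iat": now, "nbf": now, "exp": now + 3600, "nonce": "n-1"}


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_id_token(demo_claims(now), KEY)
    print(validate_id_token(token, KEY, ISSUER, CLIENT_ID, now + 10, nonce="n-1"))
```

Every failure returns `None` rather than a partial result, so callers cannot accidentally read a `name` or `sub` claim from a token that failed a later check.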

Azure Active Directory Domain Services, or Azure AD DS, is a cloud offering that provides managed domain services to the organizations that use it. It offers features like domain join, LDAP, and even Kerberos and NTLM authentication that are fully compatible with traditional on-prem Active Directory. Azure AD Domain Services also offers group policy support.

The key benefit of Azure AD Domain Services is the fact that you can use them to get many of the benefits of Active Directory, without having to deploy, manage, or patch domain controllers. Because Azure AD DS integrates with your existing Azure AD tenant, you can allow your users to sign in with their existing credentials. Access to resources can be controlled through existing groups and user accounts as well.

Azure AD DS replicates identity information from Azure AD and can also synchronize user account info from an existing on-prem Active Directory. However, if you wish to run a cloud-only environment, you don't even need a traditional on-prem AD.

If you need to run a hybrid environment with an on-prem AD and Azure AD Domain Services, you can synchronize your on-prem user accounts, group memberships, and credentials to Azure AD via Azure AD Connect. These synchronized objects are then available within the Azure AD DS managed domain.

Azure Multi-Factor Authentication offers organizations two-step verification. The strength of multi-factor authentication is its layered approach. And this only makes sense when you think about it. It’s far more difficult to compromise multiple authentication factors than it is to compromise a username/password combination. 

MFA works by requiring two or more authentication methods, drawn from something your users know (usually a password), something they possess (a smartphone, for example), and something they are, such as a fingerprint or another biometric.

Think about it: even if a bad guy gets hold of a user's password, that password really is useless without access to the additional authentication method that’s been configured.
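The "something you possess" factor on a smartphone is usually a time-based one-time password (TOTP, RFC 6238), which is what authenticator apps generate. This added example (not course code) implements that factor alongside a password check and combines them so that neither a stolen password nor a glimpsed code is enough on its own. The user record, salt and password are constructed; the TOTP secret is the RFC 6238 test secret, so the codes can be checked against the RFC's published vectors.

```python
# Added example, not course code: two-factor verification with a password
# (something you know) and a TOTP code (something you possess). User record,
# salt and password are constructed; the TOTP secret is RFC 6238's test key.
import hashlib
import hmac
import struct
import time

TIME_STEP = 30      # seconds each code stays valid
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, submitted: str, at_time: float,
                window: int = 1, step: int = TIME_STEP) -> bool:
    """Accept the current code or one step either side to absorb clock drift;
    compare in constant time. Real verifiers also reject a code once used."""
    if not (isinstance(submitted, str) and submitted.isdigit()):
        return False
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record: what the identity store would hold
_SALT = b"constructed-salt"
USER = {
    "name": "alice@contoso.example",
    "password_hash": hash_password("correct horse battery staple", _SALT),
    "salt": _SALT,
    "totp_secret": b"12345678901234567890",   # RFC 6238 test secret
}


def authenticate(user: dict, password: str, code: str, at_time=None) -> bool:
    """Both factors are always evaluated and both must pass, so a stolen
    password on its own is rejected and the response does not reveal
    which factor failed."""
    at_time = time.time() if at_time is None else at_time
    password_ok = hmac.compare_digest(
        hash_password(password, user["salt"]), user["password_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    print(totp(USER["totp_secret"], time.time()))   # code the app would show now
```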

Organizations typically use MFA to protect data and applications without making things difficult for end users.

Azure Multi-Factor Authentication comes as part of Azure Active Directory Premium or Microsoft 365 Business. These offerings include full-featured use of Azure MFA, including Conditional Access policies that can be configured to require multi-factor authentication.

Azure AD Free and standalone Office 365 licenses will also allow you to require multi-factor authentication for users and administrators.

A subset of Azure MFA capabilities is also available to protect global administrator accounts in all Azure and O365 subscriptions.

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.