Hi there. Welcome to Identity and Access Management. In this lecture, you are going to learn about several features and services that you can use to manage identity and access in Azure. We’re going to cover role-based access control (or RBAC), Azure Active Directory, Azure Active Directory B2C, Azure Active Directory Domain Services, and Azure Multi-Factor Authentication. We’ll start with Role-Based Access Control.

Because access management is so important for organizations using the cloud, there needs to be a robust way to manage access. Role-based access control, also known as RBAC, is the tool of choice. Using RBAC, you can effectively manage which users have access to what Azure resources, what those users can do with those resources, and what areas in Azure they have access to.

RBAC is an authorization system built on Azure Resource Manager. It offers fine-grained access management of you Azure resources.

For example, you can allow one user or group to manage your VMs in your Azure subscription, while allowing another user or group to manage your virtual networks. Perhaps you need to assign a group of DBAs to manage your SQL databases without giving them access to your VMs. You can do this with RBAC.

You can even allow a user or group of users to manage all resources in a specific resource group, while allowing another user or group to manage the resources in a separate resource group.

Segregating duties within your organization, using RBAC, allows you to grant your users only the amount of access they need to perform their jobs. By granting users least privilege to get their work done, you minimize the chances of a security incident or a mistake that could take down production.

The diagram on your screen depicts a Microsoft-recommend usage pattern for using RBAC.

Now, let’s shift to Azure AD. Azure AD is Microsoft’s cloud-based identity and access management service. You use this to allow users to sign in and access resources in. You can use Azure AD to control access to both internal and external resources.

For example, you can use it to control access to things like Microsoft Office 365, the Azure portal, and even to all kinds of external SaaS applications. You can also control access to internal resources, like applications that reside on your corporate network or to home-grown cloud apps.

Azure AD is intended for IT Admins, App Developers, and for subscribers to services such as Microsoft 365, Office 365, Azure, and others.

IT Admins will typically use Azure AD to control access to applications and to app resources. They will also often use Azure AD to enforce multi-factor authentication and to automate user provisioning.

App developers will often use Azure AD to add single sign-on to their apps. This makes logons easier for the app users since it then allows them to authenticate with their existing credentials. 

Subscribers to services like Microsoft 365, Office 365, and Azure are already using Azure AD – sometimes without even knowing it – because these tenants are automatically Azure AD tenants. Azure AD is how provisioning and access to these services is handled.

Azure Active Directory business-to-business collaboration is also known as Azure AD B2B. This offering allows organizations to securely share their apps and services with guest users from other external organizations, while allowing them to retain control over their data. 

This is a great solution for organizations that need to work with external partners. 

Azure AD B2B provides an easy-to-use invitation and redemption process that allows external users to use their own credentials to access partner resources. 

Azure Active Directory business to customer, or B2C, provides business-to-customer identity as a service. Leveraging Azure AD B2C allows an organization’s customers to access the organization’s applications via single sign-on that uses their existing social, enterprise, or local account identities.

Azure AD B2C uses standards-based authentication protocols. Supported protocols include OpenID Connect, OAuth 2.0, and SAML – and it integrates with most modern app and commercial software.

The image on your screen represents the possibilities offered by Azure AD B2C.

Using Azure AD B2C, you can build a single sign-on solution for your organization’s web apps, mobile apps, and even APIs. 

Azure Active Directory Domain Services, or Azure AD DS, is a cloud offering that provides managed domain services to organizations who leverage it. It offers features like domain join, LDAP, and even Kerberos and NTLM authentication that’s fully compatible with traditional on-prem Active Directory. Azure AD Domain Services also offers group policy support.

The key benefit of Azure AD Domain Services is the fact that you can use them to get many of the benefits of Active Directory, without having to deploy, manage, or patch domain controllers. Because Azure AD DS integrates with your existing Azure AD tenant, you can allow your users to sign in with their existing credentials. Access to resources can be controlled through existing groups and user accounts as well.

Azure AD DS replicates identity information from Azure AD and can also synchronize user account info from an existing on-prem Active Directory. However, if you wish to run a cloud-only environment, you don't even need a traditional on-prem AD.

If you need to run a hybrid environment with an on-prem AD and Azure AD Domain Services, you can synchronize your on-prem user accounts, group memberships, and credentials to Azure AD via Azure AD Connect. These synchronized objects are then available within the Azure AD DS managed domain.

Azure Multi-Factor Authentication offers organizations two-step verification. The strength of multi-factor authentication is its layered approach. And this only makes sense when you think about it. It’s far more difficult to compromise multiple authentication factors than it is to compromise a username/password combination. 

MFA works by requiring two or more authentication methods, including something your users know (which is usually a password), something they possess – maybe a smartphone for example, and something they are. This could include a fingerprint or some other sort of biometrics.

Think about, even if a bad guy gets access to a user's password, that password really is useless without also having access to the additional authentication method that’s been configured. 

Organizations typically use MFA to protect data and applications without making things difficult for end users.

Azure Multi-Factor Authentication comes as part of Azure Active Directory Premium or Microsoft 365 Business. These offerings include full-featured use of Azure MFA, including Conditional Access policies that can be configured to require multi-factor authentication.

Azure AD Free and standalone Office 365 licenses will also allow you to require multi-factor authentication for users and administrators.

A subset of Azure MFA capabilities is also available to protect global administrator accounts in all Azure and O365 subscriptions.