Design Identity and Access Management Flashcards
Identity
We used to look at on-prem as being the trusted perimeter, but it is now just another resource. We can now orchestrate solutions with identity at the center
- User
- Application/Service Principal
- Managed Identities
Azure AD Tenant Architecture
Azure Active Directory is global; an Azure Active Directory tenant is an instance of the Azure AD service inside the Azure cloud
When we create an Azure AD tenant we get a default domain name for it, like prefix.onmicrosoft.com
An Azure Active Directory tenant has a one-to-many relationship with subscriptions: one AAD tenant can be assigned to many subscriptions, but a subscription can only have one AAD tenant
AZURE AD and Features
A global cloud-based identity service for Azure that provides an identity repository
- IAM Platform
- Identity Security > MFA and PIM
- Collaboration and Development > B2B B2C
- Monitoring > Audit logs, risk management, Identity Protection and security monitoring
- Identity Integration > Hybrid Identity
- Enterprise Access
AD vs AAD
AZURE AD Hybrid Identities
Extending Identity and access into the cloud
- Simplify the user login
AZURE AD External Identities
AZURE AD Connect
AZURE AD Domain Services
Azure Roles vs AD Roles
AZURE AD Roles
A set of roles specifically for providing access to manage IDENTITY OBJECTS inside our AD TENANT itself, such as users, applications and devices
Global Admin > manage Azure AD resources
Billing Admin > perform billing tasks
User Administrator > manage user and groups
Helpdesk Administrator > Password resets
AZURE Groups
Groups reduce the effort required to manage access
- Assigned
Group admins/owners determine permissions
Manually managed by admins or owners
- Dynamic
Membership based on device/user attributes
Requires an AAD Premium P1 license
Platform managed; no manual changes required
Group types:
Permissions > Security Groups
O365 > MS O365 groups for collaboration
AZURE Access Control
AZURE Roles
Azure Roles are for resources inside our subscription.
- Owner > Full access to resources and delegates access
- Reader > Can only view Resources
- Contributor > Create and manage resources but cannot manage the access
- User Access Administrator > Can delegate access to resources but cannot manage them
AZURE Administrative Units
AZURE RBAC
RBAC = Who can do what and where
Azure RBAC
WHO > Security Principals > Users
What > Role Assignments > Roles
Where > Effective Permissions > Scope