Identity and access management

Azure AD

  • authentication system in Azure

  • also the authentication system for other Microsoft cloud services such as Office 365

  • subscriptions are created under an Azure AD tenant

  • there can be multiple subscriptions under a single Azure AD tenant

  • Azure AD Connect can synchronize users between on-premises AD and Azure AD

Managed Identities

  • Internally, managed identities are service principals of a special type, locked so that they can only be used with Azure resources

    • when the managed identity is deleted, the corresponding service principal is removed.

  • Azure takes care of rolling the credentials used by a managed identity, so there is no need for manual credential rotation

  • There are two types of managed identities

    • system-assigned managed identity

      • enabled directly on an Azure service instance; tied to the lifecycle of that service instance

    • user-assigned managed identity

      • created as a standalone Azure resource. This identity can be assigned to one or more Azure service instances.

      • has a lifecycle of its own


Azure RBAC

Allows authorizing a user to perform specific actions on specific Azure resources

  • Roles

    • A role definition is a collection of permissions

    • Three general built-in roles

      • Owner - can perform all actions on all resource types

      • Contributor - similar to Owner, but does not allow managing RBAC itself

      • Reader - can perform all read actions on all resource types

    • Azure also provides resource-specific built-in roles

    • Custom roles can be created

    • Access to resources is granted by assigning a role to a security principal, which can be one of

      • User

      • Group

      • Service Principal

    • Assignment structure

      • Security Principal

      • Role

      • Scope

        • Subscription

        • Resource Group

        • Resource

    • When an assignment is made at subscription or resource group scope, the resources below it in the hierarchy inherit that assignment
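As an added example (not part of these notes and not Microsoft's implementation), the following Python models the RBAC evaluation the list above describes: role definitions as collections of permitted actions, assignments of (security principal, role, scope), scope inheritance down the subscription / resource group / resource hierarchy, and group membership (a role assigned to a group applies to its members, including nested groups). The Actions/NotActions patterns for Owner, Contributor and Reader follow the built-in definitions but are abbreviated; the subscription id, resource names, principal ids and group membership are constructed sample values.

```python
"""Toy model of Azure RBAC evaluation (added example, not Azure's own code).

Models: role definition = Actions minus NotActions (wildcards allowed),
assignment = (principal, role, scope), scope inheritance, group expansion.
All ids, resource names and memberships below are constructed sample data.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple            # permitted action patterns, e.g. "*/read"
    not_actions: tuple = ()   # patterns subtracted from this role only

    def permits(self, action: str) -> bool:
        # Azure action strings are case-insensitive; '*' matches any characters.
        a = action.lower()
        granted = any(fnmatchcase(a, p.lower()) for p in self.actions)
        excluded = any(fnmatchcase(a, p.lower()) for p in self.not_actions)
        return granted and not excluded


# Abbreviated versions of the three general built-in roles.
OWNER = RoleDefinition("Owner", ("*",))
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    ("*",),
    # Contributor cannot manage RBAC itself: role assignments/definitions are excluded.
    ("Microsoft.Authorization/*/Delete",
     "Microsoft.Authorization/*/Write",
     "Microsoft.Authorization/elevateAccess/Action"),
)
READER = RoleDefinition("Reader", ("*/read",))


@dataclass(frozen=True)
class RoleAssignment:
    principal: str        # user, group, or service principal (managed identities are service principals)
    role: RoleDefinition
    scope: str            # subscription, resource group, or single resource


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """True if the assignment's scope is the resource or an ancestor of it."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_scope.rstrip("/").lower()
    # The trailing '/' stops 'rg-app' from matching 'rg-application'.
    return r == a or r.startswith(a + "/")


def effective_principals(principal: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The principal plus every group it belongs to, transitively."""
    result = {principal}
    changed = True
    while changed:
        changed = False
        for group, members in groups.items():
            if group not in result and result & members:
                result.add(group)
                changed = True
    return result


def applicable_roles(principal: str, resource_scope: str,
                     assignments: Iterable[RoleAssignment],
                     groups: Dict[str, Set[str]] = None) -> List[str]:
    """Role names that apply to the principal at this scope (useful for access reviews)."""
    ids = effective_principals(principal, groups or {})
    return sorted({a.role.name for a in assignments
                   if a.principal in ids and scope_covers(a.scope, resource_scope)})


def is_authorized(principal: str, action: str, resource_scope: str,
                  assignments: Iterable[RoleAssignment],
                  groups: Dict[str, Set[str]] = None) -> bool:
    """Allowed if any applicable assignment's role permits the action."""
    ids = effective_principals(principal, groups or {})
    return any(a.principal in ids
               and scope_covers(a.scope, resource_scope)
               and a.role.permits(action)
               for a in assignments)


# Constructed sample hierarchy and assignments.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
FINANCE_VM = SUB + "/resourceGroups/rg-finance/providers/Microsoft.Compute/virtualMachines/vm-fin-01"

ASSIGNMENTS = [
    RoleAssignment("alice", READER, SUB),                # user: Reader on the whole subscription
    RoleAssignment("grp-app-devs", CONTRIBUTOR, RG),     # group: Contributor on one resource group
    RoleAssignment("mi-web-app", READER, VM),            # managed identity: Reader on a single VM
]
GROUPS = {"grp-app-devs": {"bob"}}

if __name__ == "__main__":
    print("alice reads vm-web-01:", is_authorized("alice", "Microsoft.Compute/virtualMachines/read", VM, ASSIGNMENTS, GROUPS))
    print("bob writes vm-web-01 :", is_authorized("bob", "Microsoft.Compute/virtualMachines/write", VM, ASSIGNMENTS, GROUPS))
    print("bob assigns roles    :", is_authorized("bob", "Microsoft.Authorization/roleAssignments/write", RG, ASSIGNMENTS, GROUPS))
    print("roles for bob at VM  :", applicable_roles("bob", VM, ASSIGNMENTS, GROUPS))
```

The sample shows the three points the notes make: alice's Reader assignment at subscription scope is inherited by the VM; bob gets Contributor on vm-web-01 only through group membership and only inside rg-app, not in rg-finance; and Contributor's NotActions stop bob from writing role assignments even though its Actions pattern is "*". Real Azure evaluation also applies deny assignments and data actions, which this model leaves out.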

