Identity and access management

Azure AD

  • the authentication system in Azure

  • also the authentication system for other Microsoft cloud services, such as Office 365

  • subscriptions are created under an Azure AD tenant

  • a single Azure AD tenant can hold multiple subscriptions

  • Azure AD Connect can synchronize users between on-premises AD and Azure AD

Managed Identities

  • Internally, managed identities are service principals of a special type, locked to only be used with Azure resources

    • when the managed identity is deleted, the corresponding service principal is removed.

  • Azure takes care of rolling the credentials used by a managed identity, so there is no need for manual credential rotation

  • There are two types of managed identities

    • system-assigned managed identity

      • enabled directly on an Azure service instance. Tied to the lifecycle of that service instance.

    • user-assigned managed identity

      • created as a standalone Azure resource. This identity can be assigned to one or more Azure service instances.

      • has a lifecycle of its own
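The point that a managed identity needs no stored or rotated credential is easiest to see from how a workload uses one: it asks the Azure Instance Metadata Service (IMDS) on the local VM for a token at runtime. The block below is an added illustration, not code from the original notes. The endpoint, `api-version` and `Metadata: true` header are Azure's documented values; the client id and the sample response are constructed placeholders, and the injectable `opener` exists only so the flow can be exercised outside Azure.

```python
"""Obtaining a token for a managed identity from the Azure Instance Metadata
Service (IMDS), the step that lets code on a VM authenticate without any stored
secret. Added illustration, not the page's own code. Endpoint, api-version and
the 'Metadata: true' header are Azure's documented values; the client id and
the sample response are constructed placeholders."""
import json
import urllib.parse
import urllib.request
from typing import Optional

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"


def build_token_request(resource: str, client_id: Optional[str] = None) -> urllib.request.Request:
    # System-assigned identity: omit client_id and IMDS uses the resource's own
    # identity. User-assigned identity: pass its client_id, because several
    # user-assigned identities may be attached to the same VM.
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS rejects calls without the Metadata header, so a request cannot be
    # produced by a plain HTTP redirect.
    return urllib.request.Request(url, headers={"Metadata": "true"})


def parse_token_response(body: bytes) -> dict:
    # IMDS returns JSON; expires_on is an epoch-seconds string. Callers should
    # cache the token until close to expires_on instead of calling IMDS per request.
    data = json.loads(body)
    return {
        "access_token": data["access_token"],
        "expires_on": int(data["expires_on"]),
        "resource": data["resource"],
        "token_type": data.get("token_type", "Bearer"),
    }


def get_token(resource: str, client_id: Optional[str] = None, opener=urllib.request.urlopen) -> dict:
    # Only works from inside an Azure resource that has a managed identity;
    # the opener is injectable so the flow can be exercised offline.
    req = build_token_request(resource, client_id)
    with opener(req, timeout=5) as resp:
        return parse_token_response(resp.read())


# Constructed IMDS-style response for offline use (not a real token).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "constructed.sample.token",
    "expires_on": "1700003600",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
}).encode()


class _FakeResponse:
    def __init__(self, body: bytes):
        self._body = body

    def read(self) -> bytes:
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(req, timeout=None):
    # Stand-in for urllib.request.urlopen that returns the constructed response.
    return _FakeResponse(SAMPLE_RESPONSE)


if __name__ == "__main__":
    # Placeholder client id of a hypothetical user-assigned identity.
    ua_client_id = "00000000-0000-0000-0000-00000000c1d1"
    print(build_token_request("https://management.azure.com/").full_url)
    print(build_token_request("https://vault.azure.net", client_id=ua_client_id).full_url)
    print(get_token("https://management.azure.com/", opener=fake_opener))
```

The only difference between the two identity types at this level is the `client_id` parameter: a system-assigned identity is implied by the VM itself, while a user-assigned identity has to be named because more than one can be attached.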

RBAC

Allows authorizing a security principal to perform specific actions on specific Azure resources

  • Roles

    • Role definition is a collection of permissions

    • Three basic built-in roles

      • Owner - can perform all actions on all resource types

      • Contributor - similar to Owner, but does not allow managing RBAC itself

      • Reader - can perform all read actions on all resource types

    • Azure also provides resource-specific built-in roles

    • Custom roles can be created

    • Access to resources is granted by assigning a role to a security principal, which can be a

      • User

      • Group

      • Service Principal

    • Assignment structure

      • Security Principal

      • Role

      • Scope

        • Subscription

        • Resource Group

        • Resource

    • When an assignment is made at the subscription or resource group level, the resources below it in the hierarchy inherit the assignment
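The way these pieces combine (a role definition's permissions, an assignment of principal + role + scope, and inheritance down the subscription / resource group / resource hierarchy) is demonstrated by the simplified evaluator below. It is an added example, not the notes' own material and not Azure's authorization engine: it models role definitions as Actions minus NotActions with `*` wildcards, as the linked "Understand Azure role definitions" page describes, and ignores deny assignments and ABAC conditions. Contributor's NotActions are abbreviated to the Microsoft.Authorization entries that stop it from managing RBAC. The subscription id, resource names and principal names are constructed placeholders.

```python
"""Simplified model of how Azure RBAC decides whether an action is allowed.

Added illustration, not the page's or Azure's own code. It models:
  - role definitions as Actions minus NotActions with '*' wildcards,
  - assignments of (security principal, role, scope),
  - scope inheritance: subscription -> resource group -> resource,
  - group membership as an indirect security principal.
Deny assignments and ABAC conditions are not modelled. The subscription id,
resource names and principal names are constructed placeholders."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple
    not_actions: tuple = ()

    def permits(self, action: str) -> bool:
        # Effective permission = Actions minus NotActions. Operation strings are
        # case-insensitive and '*' matches any run of characters, including '/'.
        act = action.lower()
        allowed = any(fnmatchcase(act, p.lower()) for p in self.actions)
        denied = any(fnmatchcase(act, p.lower()) for p in self.not_actions)
        return allowed and not denied


# The three basic built-in roles from the notes (Contributor's NotActions are
# abbreviated to the entries that block managing RBAC itself).
OWNER = RoleDefinition("Owner", ("*",))
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    ("*",),
    ("Microsoft.Authorization/*/Delete",
     "Microsoft.Authorization/*/Write",
     "Microsoft.Authorization/elevateAccess/Action"),
)
READER = RoleDefinition("Reader", ("*/read",))


@dataclass(frozen=True)
class Assignment:
    principal: str        # user, group or service principal
    role: RoleDefinition
    scope: str            # subscription, resource group or resource id


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    # An assignment applies to its own scope and to everything beneath it.
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def is_authorized(assignments, groups, principal, action, resource_scope) -> bool:
    # RBAC is additive: one covering assignment whose role permits the action is
    # enough. Assignments made to a group apply to all of its members.
    identities = {principal} | set(groups.get(principal, ()))
    return any(
        a.principal in identities
        and scope_covers(a.scope, resource_scope)
        and a.role.permits(action)
        for a in assignments
    )


# Constructed sample hierarchy: one subscription, two resource groups, a resource in each.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/rg-app"
RG_DATA = SUB + "/resourceGroups/rg-data"
VM_WEB = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm-web"
SQL_MAIN = RG_DATA + "/providers/Microsoft.Sql/servers/sql-main"

ASSIGNMENTS = (
    Assignment("alice", OWNER, SUB),           # Owner of the whole subscription
    Assignment("bob", CONTRIBUTOR, RG_APP),    # Contributor on a single resource group
    Assignment("ops-readers", READER, SUB),    # a group, read-only everywhere
)
GROUPS = {"carol": ("ops-readers",)}           # carol is a member of ops-readers


def check(principal: str, action: str, scope: str) -> bool:
    return is_authorized(ASSIGNMENTS, GROUPS, principal, action, scope)


if __name__ == "__main__":
    cases = [
        ("bob", "Microsoft.Compute/virtualMachines/write", VM_WEB),       # inherited from rg-app
        ("bob", "Microsoft.Authorization/roleAssignments/write", RG_APP), # blocked by NotActions
        ("bob", "Microsoft.Sql/servers/write", SQL_MAIN),                 # other resource group
        ("carol", "Microsoft.Sql/servers/read", SQL_MAIN),                # via group membership
        ("carol", "Microsoft.Sql/servers/write", SQL_MAIN),               # Reader cannot write
        ("alice", "Microsoft.Authorization/roleAssignments/write", VM_WEB),
    ]
    for who, action, scope in cases:
        print(f"{who:6} {action:48} {check(who, action, scope)}")
```

Two of the cases carry the practical lesson: bob's Contributor assignment on `rg-app` reaches the VM inside it through inheritance but stops at the resource group boundary, and the NotActions entry is what keeps a Contributor from granting roles to others even though its Actions list is `*`.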

Resources

  • Azure Essentials: Identity and Access Management - https://www.youtube.com/watch?v=nRk1_koNBB8

  • Understand Azure role definitions - https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions

Last updated 4 years ago