# Identity and access management

## Azure AD

* the authentication and identity system of Azure
* also the identity system for other Microsoft cloud services such as Office 365
* subscriptions are created under an Azure AD tenant
* there can be multiple subscriptions under a single Azure AD tenant
* Azure AD Connect can synchronize users between an on-premises AD and Azure AD

### Managed Identities

* Internally, managed identities are service principals of a special type, locked so that they can only be used with Azure resources
  * when the managed identity is deleted, the corresponding service principal is removed as well
* Azure takes care of rolling the credentials used by a managed identity, so there is no need for manual credential rotation (and no secret to leak from the resource's configuration)
* There are two types of managed identities
  * system-assigned managed identity
    * enabled directly on an Azure service instance and tied to the lifecycle of that instance: deleting the instance deletes the identity
  * user-assigned managed identity
    * created as a standalone Azure resource and can be assigned to one or more Azure service instances
    * has a lifecycle of its own, independent of the instances that use it
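
As an added example (not part of the original notes, and not Azure SDK code) of what "Azure takes care of the credentials" looks like from inside a resource: code on the instance asks the local Instance Metadata Service (IMDS) for a token and never handles a client secret. The endpoint, `api-version`, `Metadata: true` header and `client_id` selector are the documented IMDS values; the sample token, the identifiers in it and the `identity_summary` helper are constructed here for illustration and are not a real Azure token.

```python
"""Added example: requesting a managed-identity token from IMDS and inspecting who it represents."""
import base64
import json
import urllib.parse
import urllib.request
from typing import Optional

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def imds_token_request(resource: str, client_id: Optional[str] = None):
    """Build the IMDS request for a managed-identity access token.

    With no client_id IMDS answers for the system-assigned identity. A resource
    that has one or more user-assigned identities must select one explicitly
    (client_id here; IMDS also accepts object_id or mi_res_id as selectors).
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params)
    # The Metadata header is mandatory; IMDS requires it as a mitigation against
    # SSRF, since a forged request that cannot set headers is rejected.
    headers = {"Metadata": "true"}
    return url, headers


def fetch_token(resource: str, client_id: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Perform the request. Only works on an Azure resource with a managed identity."""
    url, headers = imds_token_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)  # contains access_token, expires_on, resource, token_type


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature. Fine for looking at which
    identity a token carries; never use this to accept a token as proof of anything."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def identity_summary(claims: dict) -> dict:
    # oid is the object id of the service principal backing the managed identity,
    # appid its application (client) id; xms_mirid, when present, is the ARM
    # resource id of the identity (hypothetical values below).
    return {k: claims.get(k) for k in ("oid", "appid", "xms_mirid", "aud", "exp")}


# Constructed, unsigned sample token so the decoder can be exercised offline.
_SAMPLE_CLAIMS = {
    "aud": "https://management.azure.com/",
    "oid": "6f1c0000-0000-4000-8000-0000000000aa",
    "appid": "0a0a0000-0000-4000-8000-0000000000bb",
    "xms_mirid": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/prod-rg"
                 "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/app-mi",
    "exp": 1700003600,
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(_SAMPLE_CLAIMS).encode()),
    "not-a-real-signature",
])


if __name__ == "__main__":
    url, headers = imds_token_request("https://management.azure.com/")
    print("system-assigned request:", url, headers)
    url, _ = imds_token_request("https://vault.azure.net", client_id=_SAMPLE_CLAIMS["appid"])
    print("user-assigned request:  ", url)
    print("sample token identity:  ", identity_summary(jwt_claims(SAMPLE_TOKEN)))
```

The practical consequence of the lifecycle difference above is visible in the request: a system-assigned identity needs no selector, while a user-assigned one must be named, and a token for it keeps working after the instance that requested it is deleted, because the identity outlives the instance.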

## RBAC

Allows authorizing a security principal to perform specific actions on specific Azure resources

* Roles
  * A role definition is a collection of permissions (Actions, with optional NotActions carved out of them)
  * The three most general built-in roles
    * Owner - can perform all actions on all resource types, including managing access (role assignments)
    * Contributor - similar to Owner, but cannot manage access in Azure RBAC (role assignment operations are excluded through NotActions)
    * Reader - can perform all read actions on all resource types
  * Azure also provides resource-specific built-in roles
  * Custom roles can be created
  * Access to resources is granted by assigning a role to a security principal, which can be a
    * User
    * Group
    * Service Principal (managed identities are service principals, so they are assigned roles the same way)
  * Assignment structure
    * Security Principal
    * Role
    * Scope
      * Management Group
      * Subscription
      * Resource Group
      * Resource
  * When an assignment is made at management group, subscription or resource group level, the resources below it in the hierarchy inherit the assignment
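
To make the Actions/NotActions and scope-inheritance rules concrete, here is an added example (not from the original notes and not Microsoft's code) of a small evaluator that models how a role definition and a role assignment combine into an access decision. It assumes abbreviated versions of the Owner, Contributor and Reader definitions and constructed subscription, resource group, principal and assignment identifiers; a real tenant also has management-group scopes and deny assignments, which this toy skips.

```python
"""Added example: a toy evaluator for Azure RBAC role definitions, assignments and scope inheritance."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple            # operations the role grants; '*' wildcards allowed
    not_actions: tuple = ()   # subtracted from actions (a carve-out, not a deny)


@dataclass(frozen=True)
class RoleAssignment:
    principal: str            # object id of a user, group or service principal
    role: RoleDefinition
    scope: str                # subscription, resource group or resource ID


def action_matches(pattern: str, operation: str) -> bool:
    """'*' in an action string matches any run of characters, '/' included;
    the comparison is case-insensitive, as it is in Azure."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_permits(role: RoleDefinition, operation: str) -> bool:
    """Effective permissions of one role = Actions minus NotActions."""
    granted = any(action_matches(a, operation) for a in role.actions)
    excluded = any(action_matches(n, operation) for n in role.not_actions)
    return granted and not excluded


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and to everything beneath it."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def is_authorized(assignments, principal_ids, operation, target_scope) -> bool:
    """principal_ids: the caller's own object id plus the ids of the groups it belongs to.
    Access is the union of all matching assignments, so a single match is enough."""
    return any(
        asg.principal in principal_ids
        and scope_covers(asg.scope, target_scope)
        and role_permits(asg.role, operation)
        for asg in assignments
    )


# Abbreviated built-in roles (the real Contributor definition has a few more NotActions).
OWNER = RoleDefinition("Owner", actions=("*",))
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    actions=("*",),
    not_actions=(
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/elevateAccess/Action",
    ),
)
READER = RoleDefinition("Reader", actions=("*/read",))

# Constructed scopes: a subscription, one resource group in it, and VMs in two groups.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PROD_RG = SUB + "/resourceGroups/prod-rg"
WEB_VM = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/web01"
DEV_VM = SUB + "/resourceGroups/dev-rg/providers/Microsoft.Compute/virtualMachines/dev01"

# Constructed assignments: alice is Contributor on prod-rg, ops-group is Reader on the subscription.
ASSIGNMENTS = (
    RoleAssignment("alice", CONTRIBUTOR, PROD_RG),
    RoleAssignment("ops-group", READER, SUB),
    RoleAssignment("root-admin", OWNER, SUB),
)
# bob has no direct assignment; he gets Reader only through his group membership.
BOB_IDS = {"bob", "ops-group"}


def demo() -> dict:
    """Returns each decision so it can be inspected or asserted on."""
    vm_write = "Microsoft.Compute/virtualMachines/write"
    vm_read = "Microsoft.Compute/virtualMachines/read"
    ra_write = "Microsoft.Authorization/roleAssignments/write"
    return {
        "alice_writes_vm_in_prod_rg": is_authorized(ASSIGNMENTS, {"alice"}, vm_write, WEB_VM),
        "alice_writes_vm_in_dev_rg": is_authorized(ASSIGNMENTS, {"alice"}, vm_write, DEV_VM),
        "alice_assigns_roles": is_authorized(ASSIGNMENTS, {"alice"}, ra_write, WEB_VM),
        "bob_reads_vm_via_group": is_authorized(ASSIGNMENTS, BOB_IDS, vm_read, WEB_VM),
        "bob_writes_vm_via_group": is_authorized(ASSIGNMENTS, BOB_IDS, vm_write, WEB_VM),
        "owner_assigns_roles": is_authorized(ASSIGNMENTS, {"root-admin"}, ra_write, WEB_VM),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

Two points worth noticing when reading the output: alice's Contributor assignment on `prod-rg` reaches `web01` through inheritance but not a VM in `dev-rg`, and NotActions only narrows that one role. It is not a deny, so a second assignment (for example Owner, or a custom role listing `Microsoft.Authorization/roleAssignments/write`) would still let the same principal assign roles; auditing who can change RBAC means looking at all of a principal's assignments, including the ones it gets via groups.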

## Resources

* Azure Essentials: Identity and Access Management - <https://www.youtube.com/watch?v=nRk1_koNBB8>
* Understand Azure role definitions - <https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions>

