# Identity and access management

## Azure AD

* authentication and identity system for Azure (renamed Microsoft Entra ID in 2023, but the Azure AD name is still widely used)
* also the identity system for other Microsoft cloud services such as Office 365
* every Azure subscription trusts exactly one Azure AD tenant for authentication
* a single Azure AD tenant can have multiple subscriptions under it
* Azure AD Connect can synchronize users and groups from on-premises Active Directory to Azure AD, so the AD Connect server and the synced accounts are part of the cloud tenant's trust boundary

### Managed Identities

* Internally, managed identities are service principals of a special type, locked to only be used with Azure resources
  * when the managed identity is deleted, the corresponding service principal is removed
* Azure rolls the credentials behind a managed identity automatically, so there is no manual credential rotation; the credential itself is never handed to the workload, which only receives short-lived access tokens
* Because the token endpoint is reachable from the resource without any secret, any code running on that resource (including an attacker who has compromised it) can act as the identity; grant it least privilege
* There are two types of managed identities
  * system-assigned managed identity
    * enabled directly on an Azure service instance and tied to the lifecycle of that instance: deleted when the instance is deleted
  * user-assigned managed identity
    * created as a standalone Azure resource and can be assigned to one or more Azure service instances
    * has a lifecycle of its own, independent of the instances using it
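How a workload on an Azure VM or VMSS actually uses its managed identity, as an added example that is not part of the original notes: it asks the Instance Metadata Service (IMDS) for a token, naming the audience and, for a user-assigned identity, the `client_id`, and gets back a JSON body with an `access_token` JWT. The code below builds that request and inspects the response; the response and token are constructed samples (the JWT has a dummy signature and made-up GUIDs), and the helper names are this example's own. Other hosts (App Service, Functions) use a different endpoint exposed via environment variables and are not covered here.

```python
import base64
import json
from urllib.parse import urlencode

# IMDS token endpoint used on VMs/VMSS: link-local, reachable only from inside
# the VM, and needs no credential. That is exactly why compromising the VM
# means compromising its managed identity.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def imds_token_request(resource, client_id=None):
    """Return (url, headers) for a managed-identity token request.

    resource:  audience of the token, e.g. "https://management.azure.com/"
    client_id: client id of a user-assigned identity; omit for system-assigned
               (or when only one identity is attached to the VM).
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    # IMDS rejects requests without 'Metadata: true'; this blocks SSRF through
    # browsers or proxies that cannot set custom headers.
    return f"{IMDS_TOKEN_URL}?{urlencode(params)}", {"Metadata": "true"}


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature.

    Fine for logging/inspection on the client; the resource server, not the
    client, is responsible for validating signature, issuer and audience.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def token_seconds_left(imds_response, now):
    """IMDS returns 'expires_on' as a string Unix timestamp."""
    return int(imds_response["expires_on"]) - now


def inspect_imds_response(imds_response, now):
    """Summarise which identity the token represents and how long it lives."""
    claims = decode_jwt_claims(imds_response["access_token"])
    return {
        "audience": claims.get("aud"),
        "tenant": claims.get("tid"),
        "object_id": claims.get("oid"),   # object id of the identity's service principal
        "app_id": claims.get("appid"),    # client id of the identity
        "seconds_left": token_seconds_left(imds_response, now),
    }


# --- Constructed sample data (NOT a real token or real identity) -------------
def _fake_jwt(claims):
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2lnbmF0dXJl"

SAMPLE_CLAIMS = {
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000001/",
    "tid": "00000000-0000-0000-0000-000000000001",
    "oid": "11111111-1111-1111-1111-111111111111",
    "appid": "22222222-2222-2222-2222-222222222222",
    "iat": 1700000000,
    "exp": 1700003600,
}
SAMPLE_RESPONSE = {  # same field names IMDS uses
    "access_token": _fake_jwt(SAMPLE_CLAIMS),
    "expires_on": "1700003600",
    "expires_in": "3600",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
}

if __name__ == "__main__":
    url, headers = imds_token_request("https://management.azure.com/")
    print(url, headers)
    print(inspect_imds_response(SAMPLE_RESPONSE, now=1700000000))
```

On a real VM the request is sent with any HTTP client (for example `curl -H "Metadata: true" "<url>"`); the point to take away is that nothing in the request is secret, so network and process isolation on the resource is what protects the identity.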

## RBAC

Authorizes a security principal to perform specific actions on specific Azure resources. Management-plane operations are listed as Actions; data-plane operations (for example reading blobs) are separate DataActions.

* Roles
  * a role definition is a collection of permissions: Actions and NotActions for the management plane, DataActions and NotDataActions for the data plane; NotActions subtract from the same role only, they are not a deny
  * Three fundamental built-in roles
    * Owner - can perform all actions on all resource types, including managing role assignments
    * Contributor - like Owner, but cannot manage RBAC itself (role assignments and definitions); that needs Owner or User Access Administrator
    * Reader - can perform all read actions on all resource types
  * Azure also provides resource-specific built-in roles (for example Virtual Machine Contributor)
  * Custom roles can be created when no built-in role is narrow enough
  * Access to resources is granted by assigning a role to a security principal, which is one of
    * User
    * Group
    * Service Principal (including managed identities)
  * Assignment structure
    * Security Principal
    * Role
    * Scope
      * Management group
      * Subscription
      * Resource Group
      * Resource
  * An assignment made at management group, subscription or resource group scope is inherited by every resource below it in the hierarchy
  * Assignments are additive: a principal's effective permissions are the union of all its assignments (direct and via group membership) at or above the scope; there is no implicit deny, so a broad role at subscription scope is not narrowed by a narrower role at resource group scope
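The evaluation rules above (wildcard action patterns, NotActions as subtraction within one role, scope inheritance, and additive assignments) in runnable form, as an added example that is not part of the original notes and is not Azure's own implementation. The role definitions are simplified copies of the built-in ones (the real Contributor excludes a few more actions), the `VM Restarter` custom role, the subscription id, resource names and principal ids are all constructed for this example, and deny assignments are deliberately left out.

```python
import re

# Simplified built-in roles plus one hypothetical custom role. The keys mirror
# the Actions/NotActions arrays of an Azure role definition JSON.
ROLE_DEFINITIONS = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [  # subset of the real exclusions
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "VM Restarter": {  # hypothetical custom role
        "Actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/restart/action",
        ],
        "NotActions": [],
    },
}


def _matches(pattern, action):
    """'*' in an Azure action pattern matches any characters, including '/'."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_permits(role_def, action):
    """Actions minus NotActions. NotActions narrow this role only; they are
    not a deny and cannot remove a permission granted by another assignment."""
    granted = any(_matches(p, action) for p in role_def["Actions"])
    excluded = any(_matches(p, action) for p in role_def["NotActions"])
    return granted and not excluded


def scope_covers(assignment_scope, target_scope):
    """An assignment applies to its own scope and everything beneath it."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def is_allowed(assignments, principal_ids, target_scope, action):
    """Effective permission is the union over every assignment held directly or
    through a group whose scope covers the target and whose role permits the
    action. (Real Azure additionally evaluates deny assignments.)"""
    return any(
        a["principalId"] in principal_ids
        and scope_covers(a["scope"], target_scope)
        and role_permits(ROLE_DEFINITIONS[a["role"]], action)
        for a in assignments
    )


# --- Constructed sample hierarchy and assignments ---------------------------
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PROD_RG = SUB + "/resourceGroups/prod-rg"
DEV_RG = SUB + "/resourceGroups/dev-rg"
WEB_VM = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/web01"
DEV_VM = DEV_RG + "/providers/Microsoft.Compute/virtualMachines/dev01"

ASSIGNMENTS = [
    {"principalId": "alice", "role": "Reader", "scope": SUB},
    {"principalId": "ops-team", "role": "VM Restarter", "scope": PROD_RG},  # a group
    {"principalId": "bob", "role": "Contributor", "scope": PROD_RG},
]

READ_VM = "Microsoft.Compute/virtualMachines/read"
RESTART_VM = "Microsoft.Compute/virtualMachines/restart/action"
WRITE_VM = "Microsoft.Compute/virtualMachines/write"
WRITE_ROLE_ASSIGNMENT = "Microsoft.Authorization/roleAssignments/write"

if __name__ == "__main__":
    # alice reads a VM via the subscription-level Reader assignment
    print(is_allowed(ASSIGNMENTS, {"alice"}, WEB_VM, READ_VM))
    # alice gains restart only once her group membership is included
    print(is_allowed(ASSIGNMENTS, {"alice", "ops-team"}, WEB_VM, RESTART_VM))
    # Contributor at prod-rg can write VMs but not role assignments
    print(is_allowed(ASSIGNMENTS, {"bob"}, WEB_VM, WRITE_VM))
    print(is_allowed(ASSIGNMENTS, {"bob"}, PROD_RG, WRITE_ROLE_ASSIGNMENT))
```

The model is useful for reasoning about a tenant's assignments exported with `az role assignment list` before granting anything new: if a principal already holds `*` at subscription scope, adding a narrow custom role lower down changes nothing, and the only way to take permissions away is to remove or narrow the broad assignment.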

## Resources

* Azure Essentials: Identity and Access Management - <https://www.youtube.com/watch?v=nRk1_koNBB8>
* Understand Azure role definitions - <https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions>
