Identity & Access Management (IAM)

IAM Components

"Who" - Azure Active Directory (AD) - Manages Azure identities. Azure AD is a cloud-based identity service

• One per tenant

• Provides identity - "who you are?"

• Identity = "security principal" (technical term)

• Manage end users (people) or applications

• Email format (end user) - name@domain.com

"Can do what" - Azure Role-Based Access Control (RBAC) - Provides fine-grained access management to Azure resources. Controls access using roles:

• Assign roles to a security principal

• Roles are collections of specific permissions

• There are general role and specific role types:

  • Owner - general role type, full access to all resources in scope

  • Virtual Machine Contributor - only access to manage VMs

"On which resources" - Scope - Controls the scope of access in the resource hierarchy. A scope defines a set of resources allowed to access:

• Roles granted to various layers of the resource hierarchy

• Lower levels inherit roles from the higher levels

  • Centralized management