Authentication & Authorization

Identity & Access Management (IAM)

IAM Components

"Who" - Azure Active Directory (AD) - Manages Azure identities. Azure AD is a cloud-based identity service
  • One per tenant
  • Provides identity - "who you are?"
  • Identity = "security principal" (technical term)
  • Manage end users (people) or applications
  • Email format (end user) - [email protected]
"Can do what" - Azure Role-Based Access Control (RBAC) - Provides fine-grained access management to Azure resources. Controls access using roles:
  • Assign roles to a security principal
  • Roles are collections of specific permissions
  • There are general role and specific role types:
    • Owner - general role type, full access to all resources in scope
    • Virtual Machine Contributor - only access to manage VMs
"On which resources" - Scope - Controls the scope of access in the resource hierarchy. A scope defines a set of resources allowed to access:
  • Roles granted to various layers of the resource hierarchy
  • Lower levels inherit roles from the higher levels
    • Centralized management