Authentication & Authorization

Identity & Access Management (IAM)

IAM Components

"Who" - Azure Active Directory (AD) - Manages Azure identities. Azure AD is a cloud-based identity service

  • One per tenant

  • Provides identity - "who you are?"

  • Identity = "security principal" (technical term)

  • Manage end users (people) or applications

  • Email format (end user) -

"Can do what" - Azure Role-Based Access Control (RBAC) - Provides fine-grained access management to Azure resources. Controls access using roles:

  • Assign roles to a security principal

  • Roles are collections of specific permissions

  • There are general role and specific role types:

    • Owner - general role type, full access to all resources in scope

    • Virtual Machine Contributor - only access to manage VMs

"On which resources" - Scope - Controls the scope of access in the resource hierarchy. A scope defines a set of resources allowed to access:

  • Roles granted to various layers of the resource hierarchy

  • Lower levels inherit roles from the higher levels

    • Centralized management

Last updated