Azure Identity & Access Management

In the modern cloud-first world, managing who can access your digital resources — and under what conditions — is critical for security and compliance. Azure Directory Services (Microsoft Entra ID) offer a powerful suite of identity and access management solutions, helping organizations securely manage users, devices, and access across both cloud and hybrid environments.

These services are essential for controlling authentication, enabling secure sign-ins, enforcing organizational policies, and supporting modern workplace needs such as remote access and Bring Your Own Device (BYOD).

Key Capabilities of Microsoft Entra ID

  • Authentication: Provides secure sign-in mechanisms for users and applications using modern protocols like OAuth, OpenID Connect, and SAML. It supports passwordless sign-in, smart lockout, and risk-based conditional access.
  • Single Sign-On (SSO): Allows users to access multiple applications with one set of credentials, enhancing user experience and reducing password fatigue.
  • Multi-Factor Authentication (MFA): Adds an extra layer of security by requiring additional verification methods beyond just a password.
  • Application Management: Centralizes control over SaaS, on-premises, and custom apps with features like single sign-on (SSO), user provisioning, and app access controls.
  • Device Management: Registers and manages devices accessing corporate resources, ensuring that only compliant and trusted devices can sign in. Integrates with Microsoft Intune for deeper endpoint control.
  • Conditional Access: Implements policies that grant or block access based on specific conditions like user location, device state, or risk level.
  • Identity Protection: Utilizes machine learning to detect and respond to potential identity risks, such as compromised accounts or atypical sign-in behaviour.
  • Integration with On-Premises Directories: Through tools like Azure AD Connect, it synchronizes on-premises directories with the cloud, enabling hybrid identity solutions.
  • Support for External Identities: Facilitates collaboration by allowing partners, vendors, and customers to access resources securely.

Licensing Options

  • Microsoft Entra ID Free: Provides basic features like user and group management, directory synchronization, and SSO for a limited number of applications.
  • Microsoft Entra ID P1: Adds advanced features such as Conditional Access, self-service password reset, and hybrid identity support.
  • Microsoft Entra ID P2: Includes all P1 features plus Identity Protection and Privileged Identity Management for enhanced security and governance.

Azure Entra ID Domain Services

Microsoft Entra Domain Services is a managed domain service that provides Active Directory (AD) features such as domain join, group policy, LDAP, and Kerberos/NTLM authentication — without needing to deploy domain controllers (DCs) in Azure.

It is especially useful for running legacy apps in Azure that require traditional AD functionality but can’t work directly with Azure AD.

  • Managed Domain: Microsoft hosts and maintains the domain controllers — no manual patching, replication setup, or updates needed.
  • LDAP & Kerberos/NTLM support: Use for traditional applications that depend on directory authentication protocols.
  • Domain Join: Azure virtual machines (Windows/Linux) can join the domain like they would in an on-premises AD environment.
  • Group Policy: Configure domain-joined VMs using group policies, just like in a traditional on-prem AD setup.
  • High Availability: Built-in redundancy with two domain controllers per region.

How It Works

  • Entra Domain Services is integrated with your Azure AD tenant.
  • It automatically syncs users, groups, and credentials (including password hashes) from Azure AD (or from on-prem AD via Azure AD Connect).
  • Once enabled, it provides a domain-joinable DNS namespace (e.g., yourdomain.onmicrosoft.com) and you can configure OU structure and GPOs.
  • Unlike Azure AD, it supports classic AD-based authentication protocols like LDAP and Kerberos.

Replication with On-Premises AD

Entra Domain Services does not replicate directly with on-premises Active Directory. Instead, it follows this flow:

  • Azure AD Connect is used to sync your on-prem AD with Azure AD.
  • Entra Domain Services then receives a one-way sync from Azure AD, including users, group memberships, and password hashes.
  • Changes in Entra DS are not replicated back to Azure AD or your on-prem AD — it’s a read-only domain service from a management perspective.

Authentication Methods in Microsoft Entra ID

Microsoft Entra ID (formerly Azure AD) supports a broad set of modern and secure authentication methods, designed to protect user identities while enhancing convenience.

Key Authentication Methods

  • Single Sign-On (SSO) - Enables users to log in once and access multiple applications without repeated credential prompts. It simplifies access across Microsoft 365, SaaS apps, and custom apps.
  • Multi-Factor Authentication (MFA) - Adds a second layer of security by requiring another form of verification, such as a phone prompt, OTP, or biometric factor.
  • Passwordless Authentication - Eliminates the need for traditional passwords, reducing risk and improving user experience:
      ◦ Windows Hello for Business: Uses facial recognition, fingerprint, or PIN tied to a specific device.
      ◦ Microsoft Authenticator App: Users approve sign-ins via push notification or app code.
      ◦ FIDO2 Security Keys: Hardware-based authentication using USB or NFC keys for strong, phishing-resistant login.

External Identities

External Identities in Microsoft Entra ID (formerly Azure AD) enable organizations to securely collaborate with users outside their organization, such as partners, suppliers, contractors, and customers. These users can access apps and resources using their own credentials, without being added as full members of your directory.

  • B2B Collaboration: Invite external users (guests) to access internal apps and resources. They can sign in using their own organizational, Microsoft, or social accounts.
  • B2C Identity Management: Build customer-facing apps with customizable sign-in experiences using email, social logins (Google, Facebook), or local accounts.

External Identities help businesses maintain a secure boundary while enabling seamless, policy-driven access to external users—ideal for hybrid work, joint ventures, or client portals.

Azure Conditional Access

Conditional Access in Microsoft Entra ID is a policy engine that makes automated decisions about whether to allow or block access based on signals such as:

  • User location
  • Device state
  • Application being accessed
  • Risk level of the sign-in

Key Capabilities:

  • Adaptive Access Control: Require Multi-Factor Authentication (MFA) when users sign in from risky locations or untrusted devices.
  • Policy Enforcement: Allow or deny access based on organizational policies (e.g., only compliant devices can access sensitive apps).
  • Granular Control: Apply different rules for different users, groups, or apps (e.g., block legacy authentication).
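To show how such a policy engine combines these signals, here is an added Python model (not code from the original post or from Microsoft) that evaluates a constructed policy set against a sign-in's location, device state, application and risk level. The policies, user names and the contoso.example domain are constructed; the real engine has many more conditions and controls, but the decision rule it illustrates is the same: any matching block wins, and the grant controls of every matching policy must all be satisfied. Note the break-glass account excluded from the MFA policy, a standard safeguard against locking out all administrators.

```python
from dataclasses import dataclass, field
RISK_ORDER = ["none", "low", "medium", "high"]

@dataclass
class SignIn:                       # the signals one sign-in presents (simplified)
    user: str
    app: str
    trusted_location: bool          # from a named/trusted location in the tenant
    device_compliant: bool          # Intune compliance state of the device
    risk: str                       # sign-in risk: "none" | "low" | "medium" | "high"
    legacy_auth: bool               # basic-auth client such as IMAP/POP/SMTP

@dataclass
class Policy:
    name: str
    action: str                     # "block" or "grant"
    apps: set = field(default_factory=lambda: {"All"})
    exclude_users: set = field(default_factory=set)
    min_risk: str = "none"          # fires at this sign-in risk level or above
    only_legacy_auth: bool = False
    only_untrusted_location: bool = False
    controls: frozenset = frozenset()   # grant controls, e.g. {"mfa", "compliantDevice"}

def applies(p: Policy, s: SignIn) -> bool:   # every configured condition must match
    return (s.user not in p.exclude_users
            and ("All" in p.apps or s.app in p.apps)
            and RISK_ORDER.index(s.risk) >= RISK_ORDER.index(p.min_risk)
            and (s.legacy_auth or not p.only_legacy_auth)
            and not (p.only_untrusted_location and s.trusted_location))

def evaluate(policies, s: SignIn):
    """Any matching block policy wins; otherwise all matching grant controls must be met."""
    required, matched = set(), []
    for p in policies:
        if applies(p, s):
            matched.append(p.name)
            if p.action == "block":
                return "block", matched
            required |= p.controls
    if "compliantDevice" in required and not s.device_compliant:
        return "block", matched     # a required control the sign-in cannot satisfy
    return ("requireMfa" if "mfa" in required else "grant"), matched

POLICIES = [                        # constructed sample policy set
    Policy("Block legacy authentication", "block", only_legacy_auth=True),
    Policy("Block high-risk sign-ins", "block", min_risk="high"),
    Policy("MFA outside trusted locations", "grant", only_untrusted_location=True,
           exclude_users={"breakglass@contoso.example"}, controls={"mfa"}),
    Policy("Finance needs compliant device", "grant", apps={"FinanceApp"}, controls={"compliantDevice"}),
]
```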

Azure Role-Based Access Control (RBAC)

Azure RBAC is used to manage who has access to Azure resources, what actions they can perform, and on which resources.

Key Capabilities:

  • Fine-Grained Access: Assign roles like Reader, Contributor, or Owner at different scopes (subscription, resource group, resource).
  • Least Privilege Principle: Grant users only the permissions they need to do their job — nothing more.
  • Custom Roles: Define roles with a specific set of permissions tailored to your organization’s needs.
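To make scope inheritance and the Actions/NotActions model concrete, here is an added Python example (not the page's own or Microsoft's code) that evaluates role assignments the way Azure RBAC does, at a simplified level. The subscription id, principals and the "VM Restarter" custom role are constructed; the built-in role definitions are abbreviated, and Azure deny assignments are not modelled.

```python
from fnmatch import fnmatchcase

# Simplified role definitions in the Actions/NotActions shape Azure uses (the real
# Contributor NotActions list is longer). "VM Restarter" is a hypothetical custom role
# granting only what an on-call operator needs: least privilege in practice.
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "Owner": {"actions": ["*"], "notActions": []},
    "VM Restarter": {"actions": ["Microsoft.Compute/virtualMachines/read",
                                 "Microsoft.Compute/virtualMachines/restart/action"],
                     "notActions": []},
}

def _matches(action: str, patterns) -> bool:
    # Azure operation names are case-insensitive and '*' spans '/' segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_permits(role: str, action: str) -> bool:
    """Permitted when some Actions pattern matches and no NotActions pattern does."""
    d = ROLES[role]
    return _matches(action, d["actions"]) and not _matches(action, d["notActions"])

def in_scope(assignment_scope: str, resource_scope: str) -> bool:
    """Assignments inherit downward only: a subscription-level assignment covers
    every resource group and resource beneath it, never a sibling or parent."""
    prefix = assignment_scope.rstrip("/") + "/"
    return resource_scope == assignment_scope or resource_scope.startswith(prefix)

def is_authorized(assignments, principal: str, action: str, scope: str) -> bool:
    """Access is granted if any assignment for the principal covers the scope
    and its role permits the action (deny assignments are not modelled)."""
    return any(a["principal"] == principal and in_scope(a["scope"], scope)
               and role_permits(a["role"], action) for a in assignments)

# Constructed sample scopes and assignments (subscription id is a placeholder).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PROD = SUB + "/resourceGroups/rg-prod"
VM_PROD = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm-web01"
VM_DEV = SUB + "/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/vm-dev01"
ASSIGNMENTS = [
    {"principal": "alice@contoso.example", "role": "Reader", "scope": SUB},
    {"principal": "oncall@contoso.example", "role": "VM Restarter", "scope": RG_PROD},
    {"principal": "bob@contoso.example", "role": "Contributor", "scope": RG_PROD},
]
```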

In upcoming blogs, we will discuss more on Azure Cloud. To make this series more understandable, I am splitting this into multiple blogs.

Part 1 - What is Cloud Computing and Services

Part 2 - What is Microsoft Azure

Part 3 - Azure Compute Storage and Networking

Part 4 - Azure Identity & Access Management

Part 5 - Azure Cloud Adoption Framework & Well Architected Framework

Part 6 - Azure Landing Zone

Thanks, 😊

If you have any comments, please drop me a line.