ManageEngine x Forrester | Tips to strengthen security in the age of AI

Azure AD Fundamentals

How access management works in Azure AD

The process of authenticating, authorising, and auditing access to IT systems, applications and services is known as access management. Access management is usually coupled with identity management resulting in identity and access management (IAM).Via rigid and strong control over access from on-premises to cloud-based services and infrastructure, access management aids with enhancing security and risk-reduction (in terms of exposure or access to privileged or critical organizational information).

Although access management solutions were originally created to support as on-premises software, in the current day and age, IDaaS has been leveraged by a considerable amount of organizations, which is essentially defined by Gartner as- “A predominantly cloud-based service in a multi-tenant or dedicated and hosted delivery model that brokers core identity governance and administration, access and intelligence functions to target systems on customers’ premises and in the cloud.”

The following topics discussed dive deep into the management of identity access in Microsoft’s Azure platform.

How Azure approaches access management

Azure IAM solutions help organizations with protection of access and other organizational resources inclusive of both the physical data centers and the cloud. These solutions extend the level of protection provided by introducing supplementary stages of validation which may include technology like MFA and access policies that are conditioned.

For a quick rundown, Azure access management solutions are designed in a specific way to help organizations with the following:

  • Creation and management of a single, core identity for every single user across the hybrid organizational platform
  • Capability of providing organizational services and applications with single sign-on (SSO)
  • The deployment of multi-factor authentication (MFA) across on-premises and cloud-based services and applications
  • Improvement in the productivity of users
  • Provision of secure remote access to web applications that are on-premises via Azure AD Application Proxy

The detailed ways to manage access in Azure are further discussed below.

Access management features and services in Azure

There are a handful of ways to manage access in Azure and, depending on the requirements and convenience, organizations can choose which way is optimal for them. The following are the possible ways to manage access on Azure via different solutions, applications, and features:

1. Azure Role-based access control (RBAC)

The relevance of access management grows when organizations decide to deal in the cloud. The recommended tool for cloud access management is RBAC.  Built on Azure Resource Manager, RBAC is an authorization system offering fine-grained management of access to resources on Azure.

Mainly, there are two aspects that makes Azure’s RBAC a hit, namely, segregation of duties, and the limited provision of the amount of access based on each employee’s job needs. Through these two underlying aspects, RBAC helps with the management of who has access to resources on Azure, the types of actions they can perform with those resources, and the areas they can access.

With Azure RBAC, the following exemplary actions can be carried out:

  • Separate management of virtual machines and virtual networks
  • Enabling complete resource management in a resource group like subnets and virtual machines
  • Permitting SQL database management in a subscription by a DBA (database administrator) group

How Azure approaches RBAC

In Azure RBAC, access to resources are controlled by the assignment of Azure roles. According to Microsoft, “This is a key concept to understand: it’s how permissions are enforced.”

There are three elements in role assignment, namely, security principal, role definition and scope.

Security principal

An object representing a user, group, service principal, or managed identity that performs the action of requesting access to the resources on Azure is known as a security principal. Roles can be assigned to all the mentioned security principals.

Role definition

An accumulation of permissions is known as a role definition; usually just known as a role. Read, write, and delete are some of the actions available and a role definition lists or displays all the actions that can be performed. Roles can range anywhere from being an owner to someone like a virtual machine contributor.

Although Azure has its own set of build-in roles, roles can be customized to adhere to specific organizational needs using Azure custom roles.


The applicability of access to a set of resources is known as scope. Via scope determination, the limit of allowed actions can be extended. This can be extremely handy, for example, when making a person a website contributor for a single resource group. Scope can be specified at four levels in Azure: management group, subscription, resource group and resource. Roles can be assigned at any level of the scope as scopes have a parent-child relationship structure.

2. Azure active directory (Azure AD)

Azure AD is an identity and access management service based on the cloud. Resources that are located externally like Microsoft 365, the Azure portal, and other software-as-a-service (SaaS) applications can be accessed by employees by using Azure AD. Applications lying in the space of organizational intranet network are classified as internal resources and Azure AD also aids with internal access management; moreover, internal resources may also include organizational cloud applications).

How Azure approaches AD

For IT Admins

Based on organizational requirements, IT admins can use Azure AD to exert access controls over their applications and the resources on the application.

For application developers

Azure AD can be used as a standards-based approach to add and integrate an application with single sign-on (SSO), thereby, enabling it to work with the pre-existing credentials of a user.

Subscribers of Microsoft 365, Office 365, Azure, or Dynamic CRM Online

Being a subscriber means that they are already a part of Azure AD as every tenant of Microsoft 365 or M365, Office 365 OR O365, Azure, or Dynamic CRM Online is an Azure AD tenant by default. If a subscriber wants, they can initiate immediate access management to apps integrated with the cloud. Provision and access to these services is how Azure AD handles access management.

3. Azure B2C (Azure business-to-customer)

On the one hand, Azure business-to-business or Azure B2B collaboration is an offering which enables sharing of application and services with partners or guest users from a different organization residing externally. Although apps and services are shared, control over this data is retained by the true owner.

On the other hand, Azure business-to-customer or Azure B2C, is an offering that delivers B2C identity-as-a-service (IaaS).

How Azure approaches B2C

By using existing social, organizational or local account identities, an organization’s customers can access applications and services through the use of SSO. Azure B2C uses standards-based authentication protocols and other supported protocols can be OAuth 2.0, OpenID Connect and SAML. Standards-based authentication protocols also integrate well with most contemporary apps and widely used software. Via Azure AD B2C, building a SSO solution for organizational apps on the Web, on mobile including for APIs becomes convenient and relatively easy.

4. Azure AD DS (Azure active directory domain services)

Azure AD DS is another cloud offering that bestows organizations with managed domain services. Features like domain join, LDAP and authentication systems like Kerberos and NTLM which has complete compatibility with legacy on-premises AD, are available are possible with Azure AD DS. Azure AD DS also include offerings like group policy support.

How Azure approaches AD DS

A major aspect of Azure AD is that users can use these domain services to get the benefits of Azure AD without the deployment, management and patching of domain controllers (DCs). Users are allowed to log-in using their existing credentials as Azure AD DS integrates with existing tenants of Azure AD. Moreover, through existing groups and user accounts, access to resources can be controlled and managed.

A unique namespace needs to be defined when creating an Azure AD managed domain, which is going to act as your domain name. Identity information is replicated by Azure AD DS from Azure AD and synchronization of user account information is also possible from a pre-existing on-premises AD. Having said that, running a cloud-only environment does not require the legacy on-premises AD. In the case of an organization running a hybrid environment with both on-premises AD and Azure AD DS, on-premises user accounts, group memberships, and credentials can be synchronized to Azure AD through Azure AD Connect. These objects are available within the Azure AD DS managed domain once the synchronization is successfully complete.

5. Azure MFA (Multi-factor authentication)

Organizations are offered two-step verification by Azure MFA. Recognizing that MFA’s true strength is its layered approach requires to put some thought into it, as compromising multiple factors of authentication far outweighs the difficulty of comprising a combination of username/password.

How Azure approaches MFA

The concept of MFA is pretty straightforward across most industries. MFA requires two or more methods of authentication which should include, something users know –typically a password, something users possess– typically a smart device like a mobile phone, and something users are– fingerprint or other forms of biometrics.

MFA was designed to enhance the protection of data and apps while retaining end-user convenience. Azure MFA is offered as a part of Microsoft 365 Business or Azure AD Premium, and the complete use of the MFA feature inclusive of Conditional access policies is also a part of these offerings. Required MFA for users and administrators is also possible in Azure AD Free and standalone Office 365 licenses. In order to safeguard global administrator accounts in all Azure and Office 365 subscriptions, a subset of the capabilities of Azure MFA is made available.

Final note

With so many different methods to manage access, Azure is a highly scalable IAM service for almost all sizes of business. The elimination of multiple digital identities through such diverse methods is a major aspect of modern authentication that Azure strives towards. Apart from being cost-effective and easy-to-use, Azure can be integrated with a variety of applications and platforms, both on-premises and cloud-based. Azure comes with other security features as well, which include tracking, monitoring and alerting, and configuration of logins that seem anomalous. Overall, Azure is a solid cloud computing service that can streamline access management in accordance to user wants and needs.

Related posts
Azure Active DirectoryAzure AD Fundamentals

Understanding Tombstone Objects in Active Directory

Active Directory FundamentalsAzure AD FundamentalsRecent Posts

Before migrating to Active Directory Domain Services (AD DS) 2022

Azure AD Fundamentals

Azure AD Pass-through - On-premises authentication in the cloud

Azure AD Fundamentals

How to unlock Azure AD account


There are over 8,500 people who are getting towards perfection in Active Directory, IT Management & Cyber security through our insights from Identitude.

Wanna be a part of our bimonthly curation of IAM knowledge?

  • -Select-
  • By clicking 'Become an insider', you agree to processing of personal data according to the Privacy Policy.