【Azure】Basic analysis of Microsoft Azure (9) Functions and uses of Azure identity, identity management, and Azure AD


This series of blog posts is still being updated and is included in the column: "Azure Quest: Building a Cloud Computing World" .

The list of articles in this series is as follows:

  • 【Azure】Basic analysis of Microsoft Azure (3) CapEx and OpEx in cloud computing operations, how to distinguish between CapEx and OpEx
  • 【Azure】Basic analysis of Microsoft Azure (4) Data center, region and region pair, availability zone and geographical area
  • 【Azure】Basic analysis of Microsoft Azure (5) Management group, subscription, resource and resource group and the hierarchical relationship of the core architecture
  • 【Azure】Basic analysis of Microsoft Azure (6) Virtual machine VM and virtual machine scale set in computing services, Azure Function and Azure Container
  • 【Azure】Basic analysis of Microsoft Azure (7) Virtual Network VNet, Gateway, Load Balancer in Azure network services
  • 【Azure】Basic analysis of Microsoft Azure (8) Azure Storage Service: Explore Blob storage, Queue storage, File storage characteristics and applicable scenarios
  • 【Azure】Basic analysis of Microsoft Azure (9) Functions and uses of Azure identity, identity management, and Azure AD

1. Introduction

In today's digital age, identity and access management has become an integral part of organizations and businesses. With the popularity of cloud computing and online services, it is particularly important to ensure the security, convenience and accuracy of authorization of user identities. In this field, Azure, as a leading cloud platform, provides rich and powerful identity and access management solutions.

This article will lead readers to understand the core concepts and services related to Azure identity and access management, focusing on Azure Directory Service (Azure Active Directory) and its related functions and features. By understanding the basic principles and working mechanism of Azure AD, readers will be able to better understand how to use Azure to manage user identities, control access rights, and achieve centralized authentication and authorization management.

2. Prerequisite knowledge: Identity, Authentication and Authorization

You have heard these words more or less, but you may still confuse them. The first half of this chapter lays out the basic knowledge points.

  • Identity : Identity refers to identifying and representing an entity (such as a user, device, or application) in a system. Each entity has a unique identifier, usually a username, email address, or digital ID. An identity provides unique identification of an entity so that the system can identify and track the actions and permissions of that entity.

For example, each account we register counts as one identity. When we log in to the Azure portal, we use our own identity, usually identifying ourselves with a user name and password. Note: an identity can also be an application or a server.

  • Authentication : Authentication is the process of confirming that an entity's identity is valid. It typically involves verifying that the credentials provided by an entity, such as usernames and passwords, match their previously registered identities. Authentication ensures that only authenticated users or entities can access a system or resource. Common authentication methods include username/password, multi-factor authentication (such as SMS verification code, token or biometrics), etc.

To put it simply: the process in which you prove who you are, using a secret key or certificate to identify yourself, is called authentication.

Summary of key points:

  • Establishes the identity of a person or service wishing to access a resource.
  • Asks a party for legitimate credentials and provides the basis for creating security principals for identity and access control.
  • Sometimes abbreviated as AuthN.


  • Authorization : Authorization refers to assigning specific permissions and access rights to authenticated entities. Authorization determines the actions an entity can perform and the scope of resources it can access. Authorization enables the system to ensure that only authenticated and authorized entities can perform certain actions or access protected resources. Authorization can be managed based on roles, organizational structures, specific permissions, or other policies.

Authorization can be understood as ensuring that only authenticated identities can access the resources to which they have been granted access.

Summary of key points:

  • Determines the level of access that an authenticated person or service has.
  • Specifies what data is allowed to be accessed and what can be done with it.
  • Sometimes abbreviated as AuthZ.


It is worth noting here that in Azure, both authentication and authorization are managed through Azure Active Directory.

3. Azure Directory Service (AD)

3.1 What is Azure AD

Azure Active Directory (Azure AD) is a cloud-based directory service used to sign in to and access Microsoft cloud applications as well as cloud applications you develop yourself. Azure AD also helps you maintain an on-premises Active Directory deployment.

In simple terms, Azure Directory Service can be understood as an organization's digital identity management center. It allows organizations to centrally manage user accounts, organizational structure, and application access. With Azure Directory Services, you can create and manage user accounts, assign and revoke access permissions, and monitor and audit user activity.

Using Azure Directory Service, you can achieve Single Sign-On (SSO), which means that users need only one login credential to access multiple applications and services, improving user experience and work efficiency. It also offers multi-factor authentication for enhanced security, such as using SMS verification codes, tokens or biometrics.

Azure Directory Services also integrates with other Azure services and third-party applications and can serve as a hub for authentication and authorization, enabling organizations to easily scale and manage their cloud resources. Additionally, Azure Directory Services supports hybrid environments and can integrate with on-premises Active Directory, enabling organizations to establish trust between cloud and on-premises.


Summary of key points:

  • Commonly known as Azure AD.
  • A cloud-based identity service.
  • Can be synchronized with an existing on-premises Active Directory or used independently. Allows identities to be shared across cloud services (e.g. Microsoft 365) and mobile native applications.
  • No SLA for the free tier; 99.9% for the standard and premium tiers.
  • Commonly available services include:
    • Authentication
      • Self-service password reset
      • Multi-factor authentication (MFA/2FA)
      • Custom banned password lists and smart lockout.
    • Single Sign-On (SSO)
    • Application management: manage cloud and on-premises applications using Azure AD Application Proxy, SSO, the My Apps portal (also known as the Access Panel), and SaaS applications.
    • Business-to-Business (B2B) identity services: manage guest users and external partners.
    • Business-to-Customer (B2C) identity services: customize and control how users register, sign in, and manage their profiles when using applications and services.
    • Device management
      • Manage how your cloud or on-premises devices access corporate data.

3.2 External identity of Azure AD

External identities are people, devices, services, etc. that are external to the organization. Azure AD external identities refer to all the ways in which you can securely interact with users outside your organization.

External identities may sound similar to single sign-on, but the idea is that external users can "bring their own identity". Whether they have a corporate or government-issued digital identity, or an unmanaged social identity such as Google or Facebook, they can sign in with their own credentials. The external user's identity provider manages their identity, and you use Azure AD or Azure AD B2C to manage access to your apps and protect your resources.

3.2.1 Business-to-business (B2B) collaboration

Collaborate with external users by having them sign in to Microsoft applications or other enterprise applications (SaaS apps, custom-developed apps, etc.) using their preferred identities. B2B collaboration users are typically represented in the directory as guest users.

3.2.2 B2B direct connection

Establish two-way trusts with other Azure AD organizations for seamless collaboration. B2B direct connection currently supports Teams shared channels, allowing external users to access your resources in their own Teams instance. B2B Direct Connect users aren't visible in your directory, but they are visible in Teams shared channels and can be monitored in Teams admin center reports.

3.2.3 Azure AD Business to Customer (B2C)

Publish modern SaaS apps or custom-developed apps (other than Microsoft apps) to consumers and customers while using Azure AD B2C for identity and access management.


4. Azure authentication method

Azure supports multiple authentication methods, including standard passwords, single sign-on (SSO), multi-factor authentication (MFA), and passwordless authentication.


Whether in Azure or in our everyday development work, we have all encountered these authentication methods to some degree. For a long time, security and convenience seemed to be at odds. Thankfully, newer authentication solutions offer both security and convenience.

Passwordless authentication has high security and high convenience, while the password itself has low security and high convenience.

4.1 Single Sign-On (SSO)

Azure Single Sign-On (SSO) is an authentication and access management mechanism that allows users to access multiple related applications and services through a single login without having to authenticate individually in each application.

Specifically, Azure SSO uses a set of standards and protocols (such as SAML, OAuth, and OpenID Connect) to enable users to seamlessly access multiple applications and services integrated with Azure AD after authenticating once.

Here's how Azure Single Sign-On works:

  1. User login: The user provides credentials (such as a username and password) to Azure AD (Azure Active Directory) and is authenticated.

  2. Issuing Tokens: Once a user is authenticated, Azure AD issues a security token that contains information about the user's successful authentication.

  3. Token passing: When a user tries to access an application that requires authentication, their browser or application passes a token to the application.

  4. Token Validation: Once the application receives the token, it sends it to Azure AD for validation. Azure AD verifies the signature and validity of the token and confirms the user's identity.

  5. Single sign-on: If token verification is successful, the user is considered authenticated and can access the application without having to log in again. This way, users can seamlessly switch to and access other Azure AD-integrated applications without having to re-enter their credentials.

Single sign-on is only as secure as the original authenticator, because subsequent connections are based on the security of the original authenticator.
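The token flow above, and the AuthN/AuthZ distinction from chapter 2, as an added illustration that is not part of the original post and not Azure AD's own code: a stand-in identity provider signs claims after authentication, each application checks signature, expiry and audience (authentication), and then makes a separate role decision from the claims (authorization). The HMAC key, user names, roles and audience strings are constructed for the demo; real Azure AD tokens are JWTs signed with the tenant's RSA key rather than an HMAC.

```python
# Added illustration only; not Azure AD's implementation. HMAC-SHA256 is
# used for brevity; real Azure AD tokens are RSA-signed JWTs.
import base64, hashlib, hmac, json

IDP_SIGNING_KEY = b"constructed-demo-key"  # assumption: demo secret only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, roles: list, audience: str, now: int, ttl: int = 3600) -> str:
    """Step 2: the IdP (stand-in for Azure AD) signs claims about the user."""
    claims = {"sub": user, "roles": roles, "aud": audience, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def validate_token(token: str, expected_aud: str, now: int):
    """Step 4 (AuthN): verify signature, expiry and audience; claims or None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None  # malformed token
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # forged or tampered token
    claims = json.loads(_unb64(body))
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        return None  # issued for another app, or expired
    return claims

def authorize(claims: dict, required_role: str) -> bool:
    """Step 5 (AuthZ): a separate decision made from the validated claims."""
    return required_role in claims.get("roles", [])

def access(token: str, app: str, required_role: str, now: int) -> str:
    """One application's check when the browser presents the token (step 3)."""
    claims = validate_token(token, app, now)
    if claims is None:
        return "denied: not authenticated"
    if not authorize(claims, required_role):
        return f"denied: {claims['sub']} lacks role {required_role}"
    return f"granted: {claims['sub']}"
```

The same token is accepted by the application it was issued for and rejected by another audience, after expiry, or after any byte is altered; a valid token still yields "denied" when the role check fails, which is the AuthN/AuthZ split.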

4.2 Multi-Factor Authentication

Multi-factor authentication is the process of prompting the user for an additional form (or factor) of authentication during the login process. MFA helps protect against password compromise (in cases where the password is compromised but the second factor is not).

Multi-Factor Authentication improves identity security by limiting the impact of credential exposure, such as stolen usernames and passwords. When multi-factor authentication is enabled, an attacker who has a user's password also needs to have the user's phone or fingerprint to fully authenticate.

Compare multi-factor authentication with single-factor authentication: with single-factor authentication, an attacker needs only a username and password to authenticate. Multi-factor authentication should be enabled whenever possible, as it greatly increases security.

4.3 Passwordless authentication

Features like MFA are a great way to protect an organization, but users are often frustrated by additional security steps on top of having to remember passwords. When the process is easy and convenient, users are more likely to comply with it. Passwordless authentication is more convenient because the password is removed and replaced with something you have, plus something you are or something you know.

A more common example is that when you log in to Windows, in addition to using password authentication to log in, you can also use PIN or fingerprint to log in.

Every organization has different needs when it comes to authentication. Microsoft Global Azure and Azure Government offer the following 3 options for passwordless authentication integrated with Azure Active Directory (Azure AD):

  • Windows Hello for Business
  • Microsoft Authenticator app
  • FIDO2 security key

5. Summary

This article introduces the concepts and services of identity and access management as they relate to Azure. First, we learned the meaning and difference of "Identity", "Authentication" and "Authorization". We then took a deep dive into Azure Directory Service (Azure Active Directory) and its capabilities, including Azure AD, external identities for Azure AD, business-to-business (B2B) collaboration, and Azure AD business-to-customer (B2C).

In terms of authentication, we learned about the different authentication methods offered by Azure, including single sign-on (SSO), which allows users to access multiple applications and services integrated with Azure AD through a single login to improve user experience and work efficiency. Additionally, security measures such as multi-factor authentication and password-less authentication are covered.

Overall, Azure provides powerful and flexible identity and access management solutions that help organizations securely and efficiently manage access for users and applications. With Azure Directory Services and the different authentication methods, organizations can achieve centralized identity management, single sign-on, and hardened security for an improved user experience and better data protection.

[ Author ]   bluetata
[ Original link ]   https://bluetata.blog.csdn.net/article/details/131012518
[ Last updated ]   06/20/2023 2:42
[ Copyright notice ]   If you see this line on a site other than CSDN, a web crawler may have grabbed my article before I had fully published it, so the content may be incomplete; please read the original at the link above.

Origin blog.csdn.net/dietime1943/article/details/131298521