I’m currently getting ready for the AZ-900 exam and recently studied the Azure core identity services module in it. So I thought I would write an introductory article on it, because it might help someone who is preparing for the exam like me, or someone who is interested in learning the basics of Azure AD.

Authentication vs. Authorization

Before going deeper, we first have to understand the difference between the two keywords authentication and authorization. You may already know this, but I’ll quickly explain it anyway.

The process of proving that someone is who they claim to be is called authentication.

For example, say I tell you I am Kalpani; you will ask me to prove it. How can I prove it? I can show you an ID card issued by the government, my passport, or my driving license. That is authentication.

Then what is authorization?

Based on the identity I have proved, the immediate next question is what I can and cannot do with that identity in a particular organization or system. In the context of Azure, which services I can access and which I cannot is called authorization.

Multi-factor authentication

Suppose I log into a website with just my username and password, and somehow the password gets leaked. Then anyone who has my password can access the data and services in that account without ever having been authorized to.

How can we mitigate this? That is where multi-factor authentication (MFA) comes in. In addition to the username and password, the user also has to prove their identity in a second way, for example with a one-time password (OTP) delivered to their mobile phone by SMS or by a voice call over the mobile network, or with an authenticator app installed on the phone in which they confirm that they are the person logging in.

So Multi-Factor Authentication works by requiring two or more of the following authentication methods:

  • Something you know, typically a password.
  • Something you have, such as a trusted device that is not easily duplicated (e.g. a phone or a hardware key).
  • Something you are — biometrics like a fingerprint or face scan.
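The rotating six-digit codes that an authenticator app shows are the "something you have" factor in practice: at enrollment the server and the app share a secret, and afterwards each side independently derives the current code from that secret and the current 30-second time step (RFC 6238 TOTP). The block below is an added example, not code from the original article or from Azure AD itself; the secret, account name and issuer are made up for illustration, and the verifier's one-step drift window and replay check are design choices of this example.

```python
"""RFC 6238 TOTP, both the phone side (code generation) and the server side
(code verification). Added illustration, not Azure AD's implementation."""
import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # RFC 6238 default code length


def enroll(account: str, issuer: str = "ExampleCorp"):
    """Generate a fresh shared secret and the otpauth:// URI an authenticator
    app would scan as a QR code. Account and issuer here are hypothetical."""
    secret_b32 = base64.b32encode(secrets.token_bytes(20)).decode()
    uri = f"otpauth://totp/{issuer}:{account}?secret={secret_b32}&issuer={issuer}"
    return secret_b32, uri


def totp_at(secret_b32: str, unix_time: int,
            step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code the phone app shows at a given time: HMAC-SHA1(secret, time counter),
    dynamically truncated to `digits` decimal digits (RFC 4226 section 5.3)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server side. Accepts the code for the current step or one step either
    side (clock drift), compares in constant time, and never accepts a time
    step at or before the last accepted one, so a captured code cannot be
    replayed within its validity window."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window
        self.last_accepted_counter = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        counter_now = unix_time // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            counter = counter_now + delta
            if counter <= self.last_accepted_counter:
                continue  # already used (or older): treat as replay
            expected = totp_at(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret ("12345678901234567890" in base32).
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp_at(rfc_secret, 59))          # 287082
    v = TotpVerifier(rfc_secret)
    print(v.verify(totp_at(rfc_secret, 59), 59))   # True
    print(v.verify(totp_at(rfc_secret, 59), 59))   # False: replayed
    print(enroll("kalpani@example.com")[1])
```

Note what the password leak from the previous paragraph buys an attacker here: nothing, unless they also obtain the shared secret or the phone. The weak point moves to the enrollment step and to the secret at rest on the server, which is why the secret should be stored with the same care as a password hash.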

Azure Active Directory (AAD)

Now, who provides this authentication and authorization, and who takes care of these multi-factor authentication features? In Azure, that is Azure Active Directory, Microsoft’s cloud-based identity and access management service. Among other things, it provides:

  • Authentication
  • Single sign-on (SSO)
  • Application management
  • Device management

Active Directory to Azure Active Directory

It is easy for businesses to adopt Azure because almost every organization already has an on-premises Active Directory, which means their users already exist there. Microsoft provides a facility to sync those on-premises identities into Azure AD: with a tool such as Azure AD Connect, a user who exists on-premises can sign in to Azure with the same username and password (with password hash synchronization it is a hash derived from the password hash that is synchronized, never the password itself). This is the most popular way to connect your existing AD to Azure AD.

Azure Active Directory (AAD) 101