In this blog post, I have discussed the design azure authentication and authorization in brief from Azure Solution Architect Design AZ-304 perspective. This blog will cover azure authentication and authorization, MFA (Multi-Factor Authentication), Recommendations to secure identity infrastructure in Azure, SSO, Hybrid identity in Azure, Azure B2B identity, root, and management groups in Azure.
Apart from this, you can also check my blog on Planning and Recommendation of Virtual Networks which is another blog from Microsoft certified Azure Solution Architect Design
What Is Authentication?
Authentication is the process of proving who you are and who you say you are? Microsoft identity platform implements the OpenID Connect protocol for handling authentication, authentication, and authorization
Azure App Service provides built-in authentication support, so you can sign in users and access data by writing minimal or no code in your web app
What Is Authorization?
Authorization is the act of granting an authenticated party permission to do something. Microsoft identity platform implements the OAuth 2.0 protocol for handling authorization.
Azure App Service provides built-in authorization support, so you can sign in users and access data by writing minimal or no code in your web app, RESTful API, and mobile back end, and also Azure Functions.
Difference Between OAuth And OpenID Connect
OAuth is used for authorization and OpenID connect used for authentication. OpenID Connect is built on top of OAuth 2.0. So terminology and flow are similar between the two, you can both authenticate the user using OpenID Connect and get authorization to access a protected resource that the user owns using OAuth 2.0 in one request.
Azure Multi-Factor Authentication supplies added security to your identities by acquiring two or more elements complete the authentication, that elements fall in three categories:
- Something you know: Which might be a password or answer to a security question.
- Something you possess: This might be a mobile app that receives a notification or a token- generating device.
- Something you are: Which typically is a biometric property, such as a fingerprint or a face scan used on many mobile devices
Conditional access is an Azure tool that brings signals together to make decisions and enforce organizational policies. this is the workflow and conditional access and architecture of Azure Multi-Factor Authentication
Five Steps For Securing Identity Infrastructure In Azure
These steps are the recommendation also which will help you to protect from cyber-attacks using Azure AD.
1. Strengthen your credentials
Use strong authentication, Ban common passwords and turn off traditional complexity and expiration rules, protect against leaking credentials, Take advantage of intrinsically secure, easier to use credentials
2. Reduce your attack surface area
Block invalid authentication entry points, Restrict user consent operations, Implement Azure AD privileged identity management
3. Automate threat response
Implement user risk security policy using Azure AD Identity protection, Implement sign-in risky policy using Azure AD identity protection
4. Utilize cloud intelligence
Monitor Azure AD Connect health in hybrid environments, Monitor Azure AD Identity protection events
5. Enable end-user self-service
Implement self-service password reset, implement self-service group and application access, Implement Azure AD access reviews
Azure AD Seamless Single Sign-On (SSO)
In this user automatically signed in from a corporate device to the corporate network. When enabled users don’t need to type the password or sign in Azure AD. Seamless SSO can be combined with either password hash or pass-through authentication sign in methods
Seamless SSO is free, It does not require paid editions of Azure AD
Multi-Factor Authentication For Hybrid Identity In Azure
Here Lots of questions occur like:
- Is your company trying to secure Microsoft apps?
- How are apps published?
- Where are the users going to be located??
- Are the users familiar with Multi-FactorAuthentiation?
- Does your company need to protect privileged accounts with MFA?
So depending upon this there is a decision tree called “Hybrid Identity Decision Tree” where we have to see what type of authentication method and hybrid identity that we have to choose. So based on customer requirements we have to follow this flow chart and adopting the ideal way for azure cloud
Azure Active Directory B2B
So with Azure AD B2B partners use their own identity management solution, so there is no external administration overhead for you organization
- You don’t need to manage external account and passwords
- You don’t need to sync accounts and manage account lifecycle
- Guest user sign-in and service with their own, work, school identities
- Invite guest users using the email identity of their choice
- Guest user follow redemption steps to follow
Hierarchy Of Management Groups And Subscriptions In Azure
- 10000 management group in a single directory of Azure
- Each management group and subscription can only support one parent in Azure
- Each management group have many children
- All subscription and management groups are within a single hierarchy in each directory of Azure
- A management group tree up to six levels of depth (Doesn’t include the root level and subscription level)
Root Management Group For Each Directory in Azure
- Every directory is a given single management group called root management group in Azure
- This root management group is built into the hierarchy to have all management groups and subscriptions fall into it
- This root management group allows for global policies and RBAC assignments are applied in directory level
- Azure AD global administrator needs to elevate themselves to a user access administrator rules role of the root group initially.
- After elevating access administrator can assign any RBAC role to other directory users of the group to manage the hierarchy in Azure
- Microsoft Azure Architect Design Step By Step Activity Guides (Hands-On Labs)
- Authorization and Authentication [Official Microsoft]
- Tips To Prepare Exam AZ-304: Microsoft Azure Architect Design
- Core Cloud Service: Azure Compute Options
- [AZ-304] Microsoft Azure Architect Design (beta): Everything You Need To Know
Next Task For You
Interested in preparing the exam for Azure Certifications as well? Check out this blog post to know all about exam preparation Tips To Prepare Exam AZ-304: Microsoft Azure Architect Design. Also, check out this blog to know more about the core services of azure [AZ-900] Microsoft Azure Core Services: Compute, Network, Storage & Database
Click on the register now button below to register for a Free Masterclass on Microsoft Azure Solutions Architect Certification, Live Demo & Q/A which will help you clear the exam with flying colors.