
Identity & Access Management

Understand Azure Active Directory (now Entra ID), users, groups, authentication, Multi-Factor Authentication (MFA), and Conditional Access—the foundation of identity-driven security.

🧠 ELI5 Explanation

Identity is like a driver's license. Authentication is showing your license to prove you're you. Authorization is what you're allowed to do (drive a car, but not a truck).

Azure AD (Entra ID) is a global phone book that stores identities and decides who gets access. MFA is asking for your license AND a secret PIN—two proofs instead of one. Conditional Access is saying "I'll let you in, but only if you use MFA AND you're in the office (trusted location)".

Technical Explanation

Azure Active Directory (Entra ID)

Azure AD is Microsoft's cloud-based identity service:

  • Directory: Stores users, groups, applications (service principals), devices
  • Tenant: Isolated instance of Azure AD (your company's identity namespace, e.g. contoso.onmicrosoft.com)
  • Global: Available worldwide, replicated across regions for availability

Unlike on-premises Active Directory (Windows Server), which speaks Kerberos, NTLM and LDAP, Azure AD is built for the cloud: it uses web protocols (OAuth 2.0, OpenID Connect, SAML), supports SSO (Single Sign-On), and integrates with SaaS apps. In hybrid environments, Azure AD Connect synchronises on-premises accounts into the tenant.

Users & Groups

Users: Individual identities (alice@contoso.com)

Groups: Collections of users for easier permission management

  • Security Group: Control who can access resources
  • Microsoft 365 Group: For collaboration (Teams, SharePoint, email)

Best practice: Assign permissions to groups, not individuals. Example: assign a role to the "Developers" group at the VM's scope, not to alice, bob and charlie individually. Membership changes then update access without touching a single role assignment.

Authentication vs Authorization

            Authentication                        Authorization
Purpose     Proves you are who you say you are    Determines what you're allowed to do
Question    "Is this alice?"                      "Can alice delete this resource?"
Methods     Password, MFA, fingerprint            RBAC, policies, rules

Multi-Factor Authentication (MFA)

Requires two or more independent proofs from different categories (two passwords are not MFA):

  • Something you know: Password, PIN
  • Something you have: Phone (SMS code, authenticator app), FIDO2 security key
  • Something you are: Fingerprint, face recognition

Example MFA flow: User enters password → Azure AD sends a second challenge (an Authenticator push with a number to match, or an SMS code) → user completes it → approved.

Azure AD authentication methods: Microsoft Authenticator app (push with number matching, passwordless sign-in), FIDO2 security keys and Windows Hello for Business (phishing-resistant), OATH TOTP software and hardware tokens, SMS, and voice call. SMS and voice call are the weakest options because codes can be phished or intercepted via SIM swapping; prefer Authenticator or FIDO2 wherever the user base allows.

Conditional Access

Policies evaluated at every sign-in, after the first factor succeeds, that grant, restrict or block access based on signals: who is signing in (user, group, directory role), which application, from where (trusted named locations, IP ranges), from which device (managed, compliant, hybrid-joined), and the sign-in and user risk levels computed by Identity Protection.

Example policies:

  • If user location = "outside trusted locations" → require MFA
  • If device = "not managed/compliant" → block access
  • If user risk = "high" → require MFA and a secure password change

Policies combine: a matching block policy wins outright; otherwise the grant controls of every matching policy must be satisfied. Always exclude dedicated emergency-access (break-glass) accounts from these policies, so a misconfigured policy cannot lock every administrator out of the tenant.

This is Zero Trust in practice: don't assume a request is trustworthy because the password was right; re-check the conditions in real time at every sign-in.
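The combination rules above are easier to see in code. The following is an added example written for this page, not Microsoft's evaluation engine: a small model of Conditional Access that runs the three policies from the list (plus a report-only pilot and a break-glass exclusion) over constructed sign-in events. The policy fields, sign-in fields, group names and user names are simplified assumptions, not Graph API schema.

```python
from dataclasses import dataclass


@dataclass
class SignIn:
    """One sign-in attempt after the password succeeded (constructed data)."""
    user: str
    groups: frozenset
    trusted_location: bool
    managed_device: bool
    user_risk: str = "none"         # none | low | medium | high (Identity Protection)
    mfa_satisfied: bool = False     # True once the second factor has been completed


@dataclass
class Policy:
    """Simplified Conditional Access policy: assignments, conditions, one control."""
    name: str
    grant: str                              # "mfa" | "block" | "passwordChange"
    state: str = "enabled"                  # "enabled" | "disabled" | "reportOnly"
    include_groups: frozenset = frozenset({"All"})
    exclude_groups: frozenset = frozenset()
    untrusted_location_only: bool = False   # condition: not in a trusted named location
    unmanaged_device_only: bool = False     # condition: device not managed/compliant
    user_risk_levels: frozenset = frozenset()

    def applies_to(self, s: SignIn) -> bool:
        """A policy is in scope only if every configured condition matches."""
        if self.state != "enabled":                 # reportOnly logs, never enforces
            return False
        if s.groups & self.exclude_groups:          # exclusions win over inclusions
            return False
        if "All" not in self.include_groups and not (s.groups & self.include_groups):
            return False
        if self.untrusted_location_only and s.trusted_location:
            return False
        if self.unmanaged_device_only and s.managed_device:
            return False
        if self.user_risk_levels and s.user_risk not in self.user_risk_levels:
            return False
        return True


def evaluate(s: SignIn, policies) -> tuple:
    """Combine every in-scope policy: block beats everything, otherwise the
    controls of all in-scope policies must be satisfied (AND, not OR)."""
    applied = [p for p in policies if p.applies_to(s)]
    names = [p.name for p in applied]
    grants = {p.grant for p in applied}
    if "block" in grants:
        return "blocked", names
    if grants and not s.mfa_satisfied:
        # "mfa" needs the second factor; a password change also requires MFA first
        return "mfa_required", names
    if "passwordChange" in grants:
        return "password_change_required", names
    return "allowed", names


BREAK_GLASS = frozenset({"BreakGlass_Admins"})   # emergency accounts, excluded everywhere

POLICIES = [
    Policy("Require MFA outside trusted locations", grant="mfa",
           untrusted_location_only=True, exclude_groups=BREAK_GLASS),
    Policy("Block unmanaged devices", grant="block",
           unmanaged_device_only=True, exclude_groups=BREAK_GLASS),
    Policy("High user risk: secure password change", grant="passwordChange",
           user_risk_levels=frozenset({"high"}), exclude_groups=BREAK_GLASS),
    Policy("Pilot: MFA for everyone", grant="mfa", state="reportOnly"),
]

SAMPLE_SIGNINS = [  # constructed events, not real sign-in logs
    SignIn("alice@contoso.com", frozenset({"Developers"}), trusted_location=True, managed_device=True),
    SignIn("alice@contoso.com", frozenset({"Developers"}), trusted_location=False, managed_device=True),
    SignIn("alice@contoso.com", frozenset({"Developers"}), False, True, mfa_satisfied=True),
    SignIn("contractor@startup.com", frozenset({"Contractors"}), False, False, mfa_satisfied=True),
    SignIn("alice@contoso.com", frozenset({"Developers"}), True, True, user_risk="high", mfa_satisfied=True),
    SignIn("emergency@contoso.com", BREAK_GLASS, False, False),
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        decision, applied = evaluate(s, POLICIES)
        print(f"{s.user:24} trusted={s.trusted_location!s:5} managed={s.managed_device!s:5} "
              f"mfa={s.mfa_satisfied!s:5} -> {decision} {applied}")
```

Two things worth noticing in the output: the contractor on an unmanaged device is blocked even though MFA was completed, because a block control is never outweighed by a satisfied grant control, and the break-glass account passes with no policy applied at all, which is exactly why such accounts need strong credentials and alerting on every use.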

Visual Representation

Authentication & Authorization Flow

User logs in

Azure AD: "Who are you?"
User: "alice@contoso.com" + password + MFA

Azure AD: "Verified! (AUTHENTICATION PASSED)" → issues a token carrying alice's identity and group memberships

User: "Can I start this VM?"
Azure RBAC (Azure Resource Manager checks the token): "Is there a role assignment for alice, or for a group she belongs to such as 'DevOps_Admins', at this scope that allows this action?"
Result: Yes → Access granted (AUTHORIZATION PASSED)

Hands-on: Users & Groups with the Azure CLI

Note: the `az ad` commands call Microsoft Graph, and since Azure CLI 2.37 the object identifier is returned as `id` (the older `objectId` property is gone). Per-user MFA and Conditional Access settings are not exposed through `az ad`; MFA is enforced with Conditional Access policies managed in the portal or through Microsoft Graph.

# Show the tenant your CLI session is signed in to
az account show --query tenantId --output tsv

# List all users in the tenant
az ad user list --query "[].{displayName:displayName, userPrincipalName:userPrincipalName}" --output table

# List groups (security and Microsoft 365) with their object ids
az ad group list --query "[].{displayName:displayName, id:id}" --output table

# List members of a specific group (--group accepts a display name or an object id)
az ad group member list --group "DevOps_Admins" --query "[].{displayName:displayName, userPrincipalName:userPrincipalName}" --output table

# Create a new security group
az ad group create --display-name "SecurityOps_Team" --mail-nickname "secops"

Real-world Use Case

Scenario: A startup with 50 employees uses Azure. They hire a new contractor.

Process:
1. Create the user account contractor@startup.com in Azure AD (or invite the contractor as a guest if they bring their own identity)
2. Add it to the "Contractors" security group
3. Grant the "Contractors" group a least-privilege role on only the resources it needs (a role on one resource group, not on the whole subscription)
4. Enforce Conditional Access: contractors must use MFA and sign in from a company-managed device
5. When the contractor leaves, disable the account and revoke its sign-in sessions; don't delete it, so sign-in and audit logs stay attributable to a real object

Benefit: permissions live on the group, not the person. Onboarding is "add to group", offboarding is "disable account", and there is no per-user role assignment to hunt down.
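The authorization half of the flow above, the group-based best practice, and the contractor lifecycle all hinge on the same RBAC mechanics: assignments target a group at a scope, scopes inherit downward, actions match against wildcards minus NotActions, and a disabled account fails before RBAC is ever consulted. The following added example (written for this page, not Microsoft code) models that offline. The scope strings, the subscription id placeholder, the shortened role definitions and the custom "VM Operator" role are constructed for illustration; real built-in roles list many more actions, and real tenants also have deny assignments, which are omitted here.

```python
from fnmatch import fnmatchcase


class Directory:
    """Minimal stand-in for the tenant directory plus its Azure RBAC assignments."""

    def __init__(self):
        self.users = {}        # upn -> {"enabled": bool}
        self.groups = {}       # group display name -> set of member upns
        self.roles = {}        # role name -> {"actions": [...], "notActions": [...]}
        self.assignments = []  # (principal, role name, scope)

    def create_user(self, upn):
        self.users[upn] = {"enabled": True}

    def add_member(self, group, upn):
        self.groups.setdefault(group, set()).add(upn)

    def assign_role(self, principal, role, scope):
        self.assignments.append((principal, role, scope))

    def disable_user(self, upn):
        self.users[upn]["enabled"] = False   # the object stays for the audit trail

    def principals_for(self, upn):
        """The user plus every group they belong to (what the token's groups claim carries)."""
        return {upn} | {g for g, members in self.groups.items() if upn in members}


def scope_covers(assignment_scope, target_scope):
    """Role assignments inherit downward: subscription -> resource group -> resource."""
    return target_scope == assignment_scope or target_scope.startswith(assignment_scope + "/")


def role_permits(role, action):
    """Actions use '*' wildcards (which also match '/'); NotActions subtract from Actions."""
    allowed = any(fnmatchcase(action, p) for p in role["actions"])
    denied = any(fnmatchcase(action, p) for p in role.get("notActions", []))
    return allowed and not denied


def is_authorized(d, upn, action, scope):
    """Authentication gate first (a disabled account gets no token), then RBAC."""
    user = d.users.get(upn)
    if user is None or not user["enabled"]:
        return False
    principals = d.principals_for(upn)
    return any(scope_covers(a_scope, scope) and role_permits(d.roles[role], action)
               for principal, role, a_scope in d.assignments if principal in principals)


# Constructed scope ids; the subscription GUID is a placeholder, not a real tenant.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_DEV, RG_PROD = SUB + "/resourceGroups/rg-dev", SUB + "/resourceGroups/rg-prod"
VM_DEV = RG_DEV + "/providers/Microsoft.Compute/virtualMachines/vm-dev-01"
VM_PROD = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm-prod-01"
START = "Microsoft.Compute/virtualMachines/start/action"
DELETE = "Microsoft.Compute/virtualMachines/delete"


def build_tenant():
    d = Directory()
    # Shortened stand-ins for role definitions; real built-in roles list more actions.
    d.roles["Virtual Machine Contributor"] = {"actions": ["Microsoft.Compute/virtualMachines/*"]}
    d.roles["VM Operator (custom)"] = {"actions": ["Microsoft.Compute/virtualMachines/*"],
                                       "notActions": [DELETE]}   # start/stop yes, delete never
    # Permissions go to groups at a scope; there are no per-user assignments anywhere.
    d.assign_role("DevOps_Admins", "Virtual Machine Contributor", SUB)
    d.assign_role("Contractors", "VM Operator (custom)", RG_DEV)
    d.create_user("alice@contoso.com")
    d.add_member("DevOps_Admins", "alice@contoso.com")
    return d


def onboard_contractor(d, upn):
    """Scenario steps 1-3: the group already carries the permissions."""
    d.create_user(upn)
    d.add_member("Contractors", upn)


def offboard(d, upn):
    """Scenario step 5: disable, don't delete. Access tokens already issued stay
    valid until they expire (unless Continuous Access Evaluation revokes them),
    so in a real tenant also revoke the user's sessions."""
    d.disable_user(upn)


def run_scenario():
    """Run the lifecycle and return each authorization decision by name."""
    d = build_tenant()
    c = "contractor@startup.com"
    out = {"before_onboarding": is_authorized(d, c, START, VM_DEV),
           "alice_delete_prod": is_authorized(d, "alice@contoso.com", DELETE, VM_PROD)}
    onboard_contractor(d, c)
    out.update(start_dev=is_authorized(d, c, START, VM_DEV),
               delete_dev=is_authorized(d, c, DELETE, VM_DEV),
               start_prod=is_authorized(d, c, START, VM_PROD))
    offboard(d, c)
    out["after_offboarding"] = is_authorized(d, c, START, VM_DEV)
    return out


if __name__ == "__main__":
    for check, allowed in run_scenario().items():
        print(f"{check:18} -> {'allowed' if allowed else 'denied'}")
```

The contractor can start vm-dev-01 the moment they join the group, can never delete it (NotActions), cannot touch rg-prod at all (scope), and loses everything the instant the account is disabled, while the group membership and the role assignment stay exactly as they were.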


Interview Questions

Q (Beginner): What is the difference between authentication and authorization?
A: Authentication proves you're who you claim (login), authorization decides what you can do after logging in.
Q (Beginner): Why is MFA important?
A: Passwords get phished, reused and leaked in breaches. MFA requires a second, independent factor, so a leaked password alone is not enough to sign in. It is not a silver bullet: SMS codes can be intercepted and push prompts can be spammed until the user approves (MFA fatigue), which is why number matching and phishing-resistant methods such as FIDO2 keys are preferred.
Q (Intermediate): Why should you assign Azure roles to groups instead of individuals?
A: Easier management (add/remove user from group instead of reassigning each role), consistency, audit trail clarity.
Q (Intermediate): What does Conditional Access do?
A: Dynamically enforces security policies based on real-time conditions (location, device, risk level). Example: require MFA if accessing from untrusted location.
Q (Scenario): Your CEO travels internationally and tries to access the Azure portal from a new location. Conditional Access challenges them for MFA before letting them in. Is this correct security?
A: Yes. Zero Trust principle: never trust a sign-in just because the password was right. Even executives must prove their identity when signing in from an unusual location, because a stolen executive credential is exactly what an attacker would use from an unfamiliar country. The policy should challenge rather than hard-block, and break-glass accounts should stay excluded so the organisation is never locked out by its own policy.