Chapter 13 — Azure Identity Services

Why Identity Matters in the Cloud

In traditional IT, security was primarily about network perimeters — firewalls kept attackers out. In cloud computing, resources are accessible from anywhere, so the focus shifts to identity as the primary security boundary.

Identity is the new perimeter. Controlling who can access what is the foundation of cloud security.


1. Microsoft Entra ID (formerly Azure Active Directory)

What Is It?

Microsoft Entra ID (previously called Azure Active Directory or Azure AD) is Microsoft's cloud-based identity and access management (IAM) service. It is the backbone of authentication and authorization for Azure, Microsoft 365, and thousands of third-party applications.

What Entra ID Does

Function                          | Description
----------------------------------|---------------------------------------------------
Authentication                    | Verifies who you are (proves your identity)
Authorization                     | Determines what you can access (controls permissions)
Single Sign-On (SSO)              | One login gives access to many apps
Multi-Factor Authentication (MFA) | Adds a second verification step
Conditional Access                | Grant/block access based on conditions
Application registration          | Connect apps to Entra ID for auth
User and group management         | Create, update, delete users and groups

Active Directory vs. Entra ID

Many people confuse on-premises Active Directory (AD) with Entra ID. They are different:

Feature      | On-Premises AD        | Microsoft Entra ID
-------------|-----------------------|---------------------------------------
Type         | Directory service     | Cloud identity service
Protocol     | LDAP, Kerberos        | HTTPS, OAuth 2.0, SAML, OpenID Connect
Location     | Your data center      | Microsoft's cloud
Device join  | Domain join           | Entra ID join / hybrid join
Management   | Group Policy (GPO)    | Intune, Conditional Access
Use case     | On-premises resources | Cloud and SaaS resources

Entra ID is NOT just Active Directory in the cloud — it's a fundamentally different, cloud-native identity system.

Entra ID Editions

Edition      | Features
-------------|----------------------------------------------------
Free         | Basic user management, SSO for 10 apps
P1 (Premium) | Conditional Access, MFA, hybrid identity
P2 (Premium) | Identity Protection, Privileged Identity Management


2. Authentication vs. Authorization

These two terms are often confused — both are essential:

Term           | Question It Answers | Example
---------------|---------------------|------------------------------------------
Authentication | "Who are you?"      | Logging in with username + password
Authorization  | "What can you do?"  | Can you delete files? Read this database?

Step 1 — Authentication:
  User enters username + password + MFA code
  Entra ID verifies: "Yes, this is Alice." ✓

Step 2 — Authorization:
  Alice tries to delete a VM
  RBAC check: "Alice has Reader role — she can't delete." ✗

3. Single Sign-On (SSO)

SSO allows users to log in once and access multiple applications without re-entering credentials.

Without SSO:
  Log in to Azure Portal → separate username/password
  Log in to Microsoft 365 → separate username/password
  Log in to Salesforce → separate username/password
  (3 logins, 3 passwords to remember)

With SSO:
  Log in once to Entra ID → access all three apps automatically
  (1 login, 1 password)

Benefits of SSO

  • Better user experience (less password fatigue)

  • Reduced helpdesk calls for password resets

  • Single place to revoke access (disable one account = locked out everywhere)

  • Better security (fewer passwords = fewer attack vectors)

Supported SSO Protocols

Protocol       | Used By
---------------|---------------------------
SAML 2.0       | Enterprise SaaS apps
OpenID Connect | Modern web and mobile apps
OAuth 2.0      | API authorization
WS-Federation  | Legacy enterprise apps


4. Multi-Factor Authentication (MFA)

MFA requires users to prove their identity with two or more verification methods:

Factor 1: Something you KNOW     → Password / PIN
Factor 2: Something you HAVE     → Phone / Hardware token
Factor 3: Something you ARE      → Fingerprint / Face recognition

MFA Verification Methods in Entra ID

Method                      | Description
----------------------------|------------------------------------
Microsoft Authenticator app | Push notification or one-time code
SMS text message            | Code sent to phone number
Phone call                  | Automated call — press # to verify
Hardware OATH token         | Physical device generating codes
Windows Hello for Business  | Biometric (fingerprint, face)
FIDO2 security key          | Physical USB/NFC security key

Why MFA Matters

Even if someone steals your password, they still can't log in without the second factor.

Attack scenario:
  Attacker has your password  →  Types username + password
  MFA prompt on your phone    →  Attacker doesn't have your phone
  Result: Login BLOCKED ✓

Microsoft reports that MFA blocks 99.9% of automated account attacks.
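The one-time codes produced by the Authenticator app and by hardware OATH tokens in the table above follow the open TOTP standard (RFC 6238). The following is an added example, not Microsoft's code or anything from this chapter: a minimal TOTP generator plus the server-side verifier that the "something you HAVE" factor depends on. The shared secret and timestamps are the published RFC 6238 test vectors, not real credentials; the drift window and replay rule are design choices assumed here.

```python
# Added example: RFC 6238 TOTP generation and verification in plain Python.
# Not Microsoft code; it models what an authenticator app or OATH token computes
# and what a verifying service must check. Secret and times are RFC test vectors.
import hashlib
import hmac
import struct

RFC6238_SECRET = b"12345678901234567890"   # RFC 6238 test secret, not a real key
STEP_SECONDS = 30                           # the standard 30-second time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


class TotpVerifier:
    """Server-side check: tolerates one step of clock drift and rejects replay.

    A code is only ever accepted once. Without the replay rule a code captured
    by an attacker could be reused for the rest of its 30-second window.
    """

    def __init__(self, secret: bytes, drift_steps: int = 1) -> None:
        self.secret = secret
        self.drift_steps = drift_steps       # assumption: +/- one step is tolerated
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_accepted_step:
                continue                      # replayed or stale time step
            # compare_digest keeps the comparison constant-time
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    print(totp(RFC6238_SECRET, 59))                     # 287082 (RFC 6238 vector)
    v = TotpVerifier(RFC6238_SECRET)
    print(v.verify("287082", 59), v.verify("287082", 59))  # True, then False (replay)
```

The verifier is the part that matters for defenders: the generator is public, so the strength of the factor rests on keeping the secret server-side, comparing in constant time, and never accepting a code twice.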


5. Conditional Access

Conditional Access is an Entra ID feature that evaluates conditions before granting or denying access. It acts like an intelligent gatekeeper.

How It Works

User tries to sign in
      │
      ▼
Conditional Access Policy evaluates:
  - Who is the user?
  - What device are they on?
  - What app are they accessing?
  - Where are they signing in from? (location/IP)
  - Is the device compliant?
      │
      ▼
  Decision: Allow / Block / Require MFA / Require compliant device

Example Conditional Access Policies

Policy                     | Condition                      | Action
---------------------------|--------------------------------|--------------------------------
Require MFA for admins     | User = Global Admin            | Require MFA always
Block legacy auth          | Protocol = Basic Auth          | Block
Block suspicious locations | Sign-in from high-risk country | Block
Require compliant device   | Accessing HR app               | Device must be Intune-managed
Allow only trusted devices | Finance app                    | Block if device not compliant
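To show how several policies combine on a single sign-in, here is an added example that is not Entra ID's own engine and not from this chapter: a small evaluator that encodes the five policies above as predicates and resolves them the way the "How It Works" flow describes. The rule that a Block always beats a grant control, the constructed sign-in records, and the placeholder high-risk country list are assumptions made for this example.

```python
# Added example: a Conditional Access style policy evaluator (constructed, not
# Entra ID's implementation). Any matching Block policy wins; otherwise every
# grant control from every matching policy must be satisfied before Allow.
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

HIGH_RISK_COUNTRIES: Set[str] = {"XX"}   # placeholder value, constructed for the example


@dataclass
class SignIn:
    user: str
    roles: Set[str]
    app: str
    protocol: str            # "modern" (OAuth/OIDC/SAML) or "basic" (legacy auth)
    country: str
    device_compliant: bool   # Intune-managed and compliant
    mfa_satisfied: bool      # second factor already completed in this session


@dataclass
class Policy:
    name: str
    applies: Callable[[SignIn], bool]
    control: str             # "block", "require_mfa" or "require_compliant_device"


# The example policies from the table, expressed as predicates.
POLICIES: List[Policy] = [
    Policy("Require MFA for admins", lambda s: "Global Admin" in s.roles, "require_mfa"),
    Policy("Block legacy auth", lambda s: s.protocol == "basic", "block"),
    Policy("Block suspicious locations", lambda s: s.country in HIGH_RISK_COUNTRIES, "block"),
    Policy("Require compliant device", lambda s: s.app == "HR", "require_compliant_device"),
    Policy("Allow only trusted devices", lambda s: s.app == "Finance", "require_compliant_device"),
]

# How each grant control is checked against the sign-in, and how it is reported.
CONTROL_CHECKS = {
    "require_mfa": lambda s: s.mfa_satisfied,
    "require_compliant_device": lambda s: s.device_compliant,
}
CONTROL_LABELS = {"require_mfa": "MFA", "require_compliant_device": "compliant device"}


def evaluate(sign_in: SignIn, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Return (decision, names of matched policies).

    decision is "Block", "Allow", or "Require <control>[, <control>]".
    Block is resolved first so that satisfying MFA never softens a block.
    """
    matched = [p for p in policies if p.applies(sign_in)]
    names = [p.name for p in matched]
    if any(p.control == "block" for p in matched):
        return "Block", names
    unmet = sorted({CONTROL_LABELS[p.control] for p in matched
                    if not CONTROL_CHECKS[p.control](sign_in)})
    if unmet:
        return "Require " + ", ".join(unmet), names
    return "Allow", names


if __name__ == "__main__":
    admin = SignIn("alice", {"Global Admin"}, "Azure Portal", "modern", "NL", True, False)
    print(evaluate(admin))   # ('Require MFA', ['Require MFA for admins'])
    legacy = SignIn("bob", set(), "Exchange", "basic", "NL", True, True)
    print(evaluate(legacy))  # ('Block', ['Block legacy auth'])
```

Note the "Block legacy auth" case: basic authentication cannot carry an MFA challenge, which is why the chapter's table blocks it outright rather than requiring MFA.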


6. Entra ID External Identities

Entra ID supports identity for people outside your organization:

Azure AD B2B (Business-to-Business)

Invite external users (partners, contractors, suppliers) to collaborate in your Azure or Microsoft 365 environment using their own organization's credentials.

Partner at Contoso logs in with their Contoso Microsoft account
→ Gets access to your SharePoint site or Azure resource
→ You don't create a password for them — they use their own

Azure AD B2C (Business-to-Consumer)

A customer identity and access management (CIAM) solution. Lets your customers sign in to your app using:

  • Their email and a new password

  • Social accounts (Google, Facebook, Apple)

  • Custom identity providers

Your e-commerce app → Customer signs in with Google account → B2C handles authentication

7. Self-Service Password Reset (SSPR)

SSPR allows users to reset their own passwords without calling the helpdesk.

User forgets password
  ↓
Clicks "Forgot my password"
  ↓
Verifies identity (email / phone / security questions)
  ↓
Resets password themselves
  ↓
Back to work — no helpdesk ticket needed

Benefits:

  • Reduces IT helpdesk burden significantly

  • Faster for users (no wait time)

  • Works 24/7


8. Role-Based Access Control (RBAC)

RBAC in Azure controls what actions users can perform on Azure resources.

How RBAC Works

A role assignment consists of:

  1. Who (a user, group, or service principal)

  2. What role (a collection of permissions)

  3. What scope (management group, subscription, resource group, or resource)

Built-In Azure Roles

Role                      | Permissions
--------------------------|------------------------------------------------------
Owner                     | Full control — can manage everything including access
Contributor               | Create and manage resources — cannot change access
Reader                    | View resources — cannot make changes
User Access Administrator | Manage access only — cannot manage resources

RBAC Inheritance

Role assigned at Subscription level
  → Applies to ALL resource groups in the subscription
    → Applies to ALL resources in those resource groups

You can assign a more restrictive role at a lower scope to override inherited permissions.
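The authentication/authorization steps in section 2 (Alice is verified, then her role is checked before she can delete a VM) and the role, scope and inheritance rules in this section can be put together in one worked model. The following is an added example, not Azure's authorization service or code from this chapter. The role definitions are simplified from the built-in ones (the real Contributor definition lists more NotActions, and Azure also has deny assignments, which are omitted), the subscription id is a placeholder, and the assignments are constructed. One point worth knowing: Azure RBAC is additive, so the evaluator takes the union of every assignment at or above the resource's scope; an assignment at a narrower scope can widen what a principal may do there, and inherited permissions are removed by removing the higher assignment rather than by assigning a smaller role below it.

```python
# Added example: resolving Azure-style role assignments across scopes.
# Constructed model, not Azure's implementation. Role definitions are simplified
# from the built-in roles; deny assignments are not modelled.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Set

# Simplified built-in roles: Actions grant, NotActions carve out (they never grant).
ROLE_DEFINITIONS: Dict[str, Dict[str, Set[str]]] = {
    "Owner": {"actions": {"*"}, "not_actions": set()},
    "Contributor": {"actions": {"*"},
                    "not_actions": {"Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"}},
    "Reader": {"actions": {"*/read"}, "not_actions": set()},
    "User Access Administrator": {"actions": {"*/read", "Microsoft.Authorization/*"},
                                  "not_actions": set()},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder id


@dataclass(frozen=True)
class RoleAssignment:
    principal: str   # user, group or service principal (the "who")
    role: str        # the "what role"
    scope: str       # the "what scope": subscription, resource group or resource


# Constructed assignments: Alice reads everything in the subscription and can
# manage resources in hr-rg only; Bob owns the whole subscription.
ASSIGNMENTS: List[RoleAssignment] = [
    RoleAssignment("alice", "Reader", SUB),
    RoleAssignment("alice", "Contributor", SUB + "/resourceGroups/hr-rg"),
    RoleAssignment("bob", "Owner", SUB),
]


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies at its scope and to everything beneath it (inheritance)."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.lower()
    return r == a or r.startswith(a + "/")


def role_permits(role: str, action: str) -> bool:
    """Action strings are case-insensitive and '*' matches across path segments."""
    defn = ROLE_DEFINITIONS[role]
    act = action.lower()
    allowed = any(fnmatchcase(act, pat.lower()) for pat in defn["actions"])
    denied = any(fnmatchcase(act, pat.lower()) for pat in defn["not_actions"])
    return allowed and not denied


def is_authorized(principal: str, action: str, resource_id: str,
                  assignments: List[RoleAssignment] = ASSIGNMENTS) -> bool:
    """Additive model: permitted if any in-scope assignment's role permits the action."""
    return any(
        a.principal == principal
        and scope_covers(a.scope, resource_id)
        and role_permits(a.role, action)
        for a in assignments
    )


if __name__ == "__main__":
    hr_vm = SUB + "/resourceGroups/hr-rg/providers/Microsoft.Compute/virtualMachines/vm1"
    fin_vm = SUB + "/resourceGroups/finance-rg/providers/Microsoft.Compute/virtualMachines/vm2"
    delete = "Microsoft.Compute/virtualMachines/delete"
    print(is_authorized("alice", delete, hr_vm))    # True  (Contributor on hr-rg)
    print(is_authorized("alice", delete, fin_vm))   # False (only Reader inherited)
```

The last two calls are the chapter's Alice scenario: the same authenticated identity is authorized in one resource group and refused in another purely by the scope of her assignments.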


Identity Services Summary

Service            | Purpose
-------------------|--------------------------------------------------------
Entra ID           | Cloud identity platform — users, groups, apps
SSO                | One login for many apps
MFA                | Two-factor verification to prevent unauthorized access
Conditional Access | Smart policies based on conditions
B2B                | External partner/contractor access
B2C                | Customer identity for your apps
SSPR               | Let users reset their own passwords
RBAC               | Control what users can do with Azure resources


Quick Recap

Entra ID       → Microsoft's cloud identity service (not traditional AD)
Authentication → Who are you? (verify identity)
Authorization  → What can you do? (control access)
SSO            → Login once, access everything
MFA            → Second verification = 99.9% attack protection
Conditional Access → Smart if-this-then-that policies for login
RBAC           → Owner > Contributor > Reader > custom roles

Official References


Next Chapter → Chapter 14: Azure Security Services