    Identity and Access Basics

    Azure is one of the most popular cloud platforms, and many learners are eager to get started. However, beginners often feel overwhelmed due to the wide range of services and concepts. If you have no prior experience in cloud computing or Azure, the best place to start is with Azure Fundamentals (AZ-900). In this blog series, we will cover both theoretical concepts and practical hands-on exercises to help you build a strong foundation in Microsoft Azure.

    We will also provide a real-world, enterprise-level roadmap to guide your learning journey step by step.


    For Phase 1 (Cloud Fundamentals) the topics I listed are sufficient to understand Azure basics, but if your goal is to prepare properly for Microsoft Certified: Azure Fundamentals (AZ-900) and to build a solid base for later phases, you should expand Phase 1 slightly.

    Think of Phase 1 as “cloud literacy + Azure platform orientation”.
    Below is a complete but still beginner-level Phase 1 syllabus.


    Phase 1 — Azure Fundamentals (Expanded)

    Phase 2 — Azure global infrastructure: regions and availability zones (Expanded)

    Phase 2 — Azure core services: compute, storage and networking overview (Expanded)

    4. Identity and Access Basics 



    • Very important for your IT support role.
    • Understand identity services such as:
        • Azure Active Directory (Entra ID)


    Topics:

    • Users
    • Groups
    • Role Based Access Control (RBAC)
    • Multi-factor authentication
    • Single Sign-On (SSO)




    This connects strongly with Active Directory, which you already see in your job.


    In this module we will cover the following objectives:


    1) Describe directory services in Azure, including Microsoft Entra ID and Microsoft Entra Domain Services.
    2) Describe authentication methods in Azure, including single sign-on (SSO), multifactor authentication (MFA), and passwordless.
    3) Describe external identities and guest access in Azure.
    4) Describe Microsoft Entra Conditional Access.
    5) Describe Azure role-based access control (RBAC).
    6) Describe the concept of Zero Trust.
    7) Describe the purpose of the defense-in-depth model.
    8) Describe encryption concepts and key management options in Azure.
    9) Describe the purpose of Microsoft Defender for Cloud.


    1. Microsoft Entra ID (formerly Azure AD)



    Cloud-based identity & access management (IAM) system.




    2. Microsoft Entra Domain Services



    Managed version of traditional Active Directory features in the cloud,
    such as domain join, Group Policy, and LDAP, without the burden of maintaining, patching and backing up physical or virtual domain controllers.






    Think of it as a 3-layer identity system:



    On-premises (left)

    Active Directory (AD DS)
    Stores:
          Users and groups
          Devices
          Policies

    Uses:
        Kerberos / NTLM




    Sync Layer (middle)

    Microsoft Entra Connect
    Syncs identities between:
         On-premises AD <--> Cloud

    This gives a hybrid identity (the same user works everywhere)




    Cloud (right)

    Microsoft Entra ID (core brain)

    Handles:
        Authentication (login, MFA)
        Single Sign-On (SSO)
        App access
        Device policies



    Microsoft Entra Domain Services

    Provides:
        Domain join
        Group Policy
        LDAP
        Kerberos / NTLM


    👉 But without managing domain controllers



    Image source: learn.microsoft.com

    Key Concepts Simplified



    1. Authentication (who are you?)
    Login verification
    MFA, password reset, risk detection


    Example: Detects login from a new country



    2. Single Sign-On (SSO)

    One Login --> many apps

    Example: Log in once --> access Outlook, Teams, custom apps



    3. App management

    Connect SaaS + Internal apps
    Use same identity everywhere



    4. Device management

    Register devices
    Enforce rules (only company laptop allowed)



    How Sync Works (Very important)



    Flow:


    On-prem AD  ⇄  Entra Connect  ⇄  Entra ID  →  Domain Services
                   (bi-directional)   (one-way)



    Details:

    AD <--> Entra ID: bi-directional sync
    Entra ID --> Domain Services: one-way only


    Meaning:

    Changes in AD <--> Entra ID sync both ways
    Domain Services does NOT sync back

     

     


    Why use this setup?


    Benefits



    1. Hybrid identity


    Same user works:
       On-prem
       Cloud
       Apps




    2. Better security



    Detect suspicious logins
    Enforce MFA
    Conditional access




    3. No infrastructure management


    No need to manage domain controllers in Azure




    4. Legacy + modern support



    Old apps --> use LDAP / Kerberos
    New apps --> use modern auth (OAuth, SSO)




    Who uses it?



    IT Admins --> Control access & Security
    Developers --> add login/SSO to apps
    Users --> manage passwords, sign on
    Subscriber --> Microsoft 365, Azure, etc




    Simple analogy

    Think of it like this:

    On-premises AD = your old office ID system
    Entra ID = cloud identity hub (smart + secure)
    Entra Domain Services = legacy compatibility layer in cloud





    One-line Summary



    Microsoft Entra ID is the cloud identity brain, Entra Connect syncs identities, and Entra Domain Services provides traditional AD features without managing servers.



    Scenario: User signs in to a cloud app (e.g., Microsoft 365)



    User:

    Username: atul@hackingtruth.org
    Account originally created in on-prem Active Directory
    Synced to Microsoft Entra ID



    Step-by-step login flow



    Step 1: User opens an app

    Example:

    Outlook / Teams / Custom SaaS app
    App redirects user to Microsoft Entra ID login page



    Step 2: User enters username

    atul@hackingtruth.org


    Microsoft Entra ID checks:

    Does this user exist?
    Where is the identity coming from? (Cloud vs synced)



    Step 3: Authentication decision

    Now there are 3 possible paths depending on setup:



    Option A: Cloud authentication (most common)

    Password hash is synced to cloud
    Login happens directly in Microsoft Entra ID

    👉 Flow:

    User → Entra ID → Password verified → success




    Option B: Pass-through authentication (PTA)


    Password stays on-prem
    Entra sends request to on-prem agent

    👉 Flow:

    User → Entra ID → On-prem agent → AD verifies → Response back




    Option C: Federation (e.g., AD FS)

    Authentication fully handled on-prem

    👉 Flow:

    User → Redirect to ADFS → AD verifies → Token returned



    Step 4: Security checks (VERY Important)

    Before granting access, Microsoft Entra ID evaluates risk:

    Is the login from a new country?
    Unknown device?
    Suspicious behavior?


    Action

    Allow
    Block
    Require MFA



    Step 5: MFA (if required)

    Example:
          Phone notification
          OTP code


    Only after passing MFA --> continue




    Step 6: Token issued

    Entra ID generates a token (like a temporary pass)

    This token contains:

    User identity
    Permissions
    Group



    Step 7: Single Sign-On (SSO)

    Now the user can access multiple apps without logging in again

    • Outlook ✅
    • Teams ✅
    • SharePoint ✅
    • Custom apps ✅



    👉 Because they trust the same identity provider
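    The token-and-SSO part of this flow (Steps 6 and 7), as an added Python example that is not part of the original post: a constructed identity provider signs the claims, several relying apps verify the same token, and an expired or edited token is refused. The issuer URL, signing key, user and group names are placeholders; real Entra ID tokens are JWTs signed with the tenant's published RSA keys, not an HMAC over a shared key as simplified here.

```python
import base64, hashlib, hmac, json, time
from typing import List, Optional

# Constructed stand-in for the identity provider: real Entra ID tokens are JWTs
# signed with published RSA keys; HMAC over a placeholder key keeps this offline.
ISSUER = "https://idp.example.invalid/"
ISSUER_KEY = b"constructed-demo-signing-key-not-a-real-secret"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(user: str, groups: List[str], permissions: List[str],
                ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """IdP side (Step 6): after the password/MFA checks pass, emit signed claims."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "sub": user, "groups": groups,
              "permissions": permissions, "iat": now, "exp": now + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """App side: accept only unexpired tokens signed by the trusted issuer."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return None                      # edited claims or unknown issuer
    claims = json.loads(_unb64(body))
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        return None
    return claims

def app_login(app_name: str, token: str, now: Optional[int] = None) -> str:
    """Step 7: Outlook, Teams, SharePoint... all trust the same issuer, so one
    token is accepted by every app without a second sign-in."""
    claims = verify_token(token, now)
    if claims is None:
        return f"{app_name}: denied, redirecting to the identity provider"
    return f"{app_name}: welcome {claims['sub']} (groups={','.join(claims['groups'])})"

def with_modified_groups(token: str, groups: List[str]) -> str:
    """Claims edited without the issuer key no longer match the signature."""
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["groups"] = groups
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig}"
```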




    What about on-prem apps?



    If the user accesses an on-prem app with a hybrid setup, they can use:
           Kerberos / NTLM
           or Application Proxy via Entra ID



    Where Domain Services fits

    If using Microsoft Entra Domain Services:

    Example: Legacy app in Azure VM



    Flow:


    User (Entra ID)
       ↓
    Synced to Domain Services
       ↓
    VM uses LDAP / Kerberos





    Visualizing the whole flow



    [User]
       ↓
    [Microsoft Entra ID]  ← security + MFA + SSO
       ↓
       ├── Cloud Apps (M365, SaaS)
       ├── On-prem Apps (via proxy / federation)
       └── Domain Services (legacy apps)




    Key takeaway



    👉 Microsoft Entra ID is the gatekeeper

    It:

    Authenticates users
    Applies security policies
    Issues access tokens
    Enables SSO across everything




    Real-world analogy



    Think of it like airport security:

    • AD (on-prem) → your passport office
    • Entra ID → airport security + boarding system
    • MFA → extra identity check
    • Token → boarding pass
    • SSO → access to all gates without re-check






    FIDO2 Security Keys



    FIDO2 is an open standard for passwordless authentication built on the Web Authentication (WebAuthn) specification.

    A physical key (USB / NFC / Bluetooth) is used to log in without a password.



    How does it work?



    1. Register the key
       Plug in or tap it once


    2. Login
       Choose "Security Key" at sign-in

    3. Authentication
       Tap the key (or use fingerprint on it)



    Users register a FIDO2 key and then select it at the sign-in screen as their primary authentication method. Because the hardware device handles authentication, there's no password that could be exposed or guessed.





    🧠 One-line takeaway

    👉 FIDO2 = plug key + tap = login (no password needed)




    Describe External Identities 


    External Identities (guest users) can sound similar to single sign-on, but they're used for cross-tenant and consumer access scenarios. External users can bring their own identities, whether those are work accounts, government-issued digital identities, or social identities such as Google or Facebook.






    Describe Azure conditional access



    Conditional Access is a tool that Microsoft Entra ID uses to allow (or deny) access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from.


    Conditional access helps IT administrators:

    Empower users to be productive wherever and whenever.
    Protect critical assets.



    Rule-based control for sign-ins

    It decides:
    • ✅ Allow
    • 🔒 Require MFA
    • ❌ Block




    How does it work (3 steps)



    1. Collect signals

    Who (user / role)
    Where (location / IP)
    Device (managed or not)
    App being accessed




    2. Make a decision

    Based on the rules you set:

    Normal login --> allow
    Risky login --> require MFA
    High risk --> block




    3. Enforce it

    Grant access
    Ask for MFA
    Deny access





    Real example

    Example 1

    Office location + known laptop
    👉 Allow (no MFA)



    Example 2

    Login from another country 
    👉 Require MFA



    Example 3

    Unknown device + risky sign-in
    👉 Block



    Example 4

    Admin account login
    👉 Always require MFA




    What you can control


    Require MFA for:
    Admins
    External access


    Allow only:
    Approved apps
    Managed devices


    Block:
    Unknown locations
    Risky sign-ins





    One-line takeaway

    👉 Conditional Access = “If these conditions are met → then allow / require MFA / block”




    Describe Azure role-based access control


    When you have multiple IT and engineering teams, how can you control what access they have to the resources in your cloud environment? The principle of least privilege says you should only grant access up to the level needed to complete a task. If you only need read access to a storage blob, then you should only be granted read access to that storage blob - not write access, and not access to other blobs. It's a good security practice to follow.
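    Least privilege in Azure RBAC terms, as an added Python example that is not part of the original post: a role assignment scoped to one blob container is checked against read and write operations on that container and on a neighbouring one, with scope inheritance modelled the way Azure applies assignments downwards. The subscription id, resource names and principals are placeholders; the Storage Blob Data Reader action string is Azure's real one, while the Contributor role is abbreviated to a wildcard and NotDataActions, deny assignments and ABAC conditions are left out.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class RoleDefinition:
    name: str
    data_actions: Tuple[str, ...]   # data-plane operations the role permits

# Built-in roles, data-plane entries only. The Reader entry is Azure's real one;
# the Contributor entries are abbreviated into a wildcard, which Azure also allows.
BLOB_DATA_READER = RoleDefinition("Storage Blob Data Reader",
    ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",))
BLOB_DATA_CONTRIBUTOR = RoleDefinition("Storage Blob Data Contributor",
    ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*",))

@dataclass(frozen=True)
class RoleAssignment:
    principal: str        # user, group or service principal
    role: RoleDefinition
    scope: str            # subscription, resource group, resource or container

def in_scope(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment covers its own scope and everything beneath it (inheritance)."""
    a, r = assignment_scope.rstrip("/").lower(), resource_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def is_authorized(assignments: List[RoleAssignment], principal: str,
                  operation: str, resource_scope: str) -> bool:
    """Simplified check: any in-scope assignment whose role matches the operation
    grants it. NotDataActions, deny assignments and ABAC conditions are not modelled."""
    for asg in assignments:
        if asg.principal != principal or not in_scope(asg.scope, resource_scope):
            continue
        if any(fnmatch.fnmatchcase(operation, p) for p in asg.role.data_actions):
            return True
    return False

# Constructed scopes; the subscription id is a placeholder.
ACCOUNT = ("/subscriptions/<subscription-id>/resourceGroups/rg-demo"
           "/providers/Microsoft.Storage/storageAccounts/stdemo")
REPORTS = ACCOUNT + "/blobServices/default/containers/reports"
FINANCE = ACCOUNT + "/blobServices/default/containers/finance"
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
BLOB_WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"

ASSIGNMENTS = [
    # Least privilege: read-only, and only on the container the task needs.
    RoleAssignment("atul@hackingtruth.org", BLOB_DATA_READER, REPORTS),
    # An ingestion identity that genuinely needs to write anywhere in the account.
    RoleAssignment("sp-ingest", BLOB_DATA_CONTRIBUTOR, ACCOUNT),
]
```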




    Describe Zero Trust model




    Zero Trust Model 

    Never trust, always verify: do not implicitly trust users, devices, or the network; check every request.


    Core idea

    Even if someone is:
    Inside your network ❌ NOT trusted
    Using a company device ❌ NOT trusted

    👉 Everything must be verified first



     

    Principles



    1. Verify explicitly

    Always check:
    User identity
    Location
    Device
    Risk level

    👉 Example: login from new country → require MFA




    2. Least privilege access



    Give minimum access needed

    Just-In-Time (temporary access)
    Just-Enough-Access (only what’s needed)

    👉 Example: admin access only for 1 hour



    3. Assume breach

    Act as if the attacker is already inside

    Segment access
    Monitor behavior
    Detect threats early

    👉 Example: limit access between systems




    Old vs Zero Trust



    | Old (Traditional)    | Zero Trust        |
    | -------------------- | ----------------- |
    | Trust inside network | Trust nothing     |
    | VPN = safe           | Always verify     |
    | One-time login       | Continuous checks |




    Real example


    User logs in from:

    Public WiFi
    Personal laptop



    👉 System checks:

    • Identity ✔️
    • Device ❌
    • Location ⚠️




    👉 Result:

    • Allow basic apps
    • Require MFA
    • Block sensitive access
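    The three-step Conditional Access evaluation described earlier (collect signals, decide, enforce) and this Zero Trust example, as one added Python example that is not part of the original post: the four Conditional Access examples and the public Wi-Fi case are written as rules and evaluated per app, with the most restrictive outcome winning. The home country, risk levels, user names and app names are values assumed for the demonstration.

```python
from dataclasses import dataclass, replace
from typing import Dict, List

ALLOW, REQUIRE_MFA, BLOCK = "allow", "require MFA", "block"
HOME_COUNTRY = "IN"   # assumed: where the tenant's users normally sign in from

@dataclass(frozen=True)
class SignIn:
    """Step 1 signals for one sign-in attempt (constructed fields)."""
    user: str
    is_admin: bool
    country: str          # "unknown" when the location cannot be determined
    managed_device: bool  # company-managed laptop vs. personal device
    risk: str             # "none", "medium" or "high" sign-in risk
    app: str
    sensitive_app: bool   # e.g. finance data or admin portals

def evaluate(s: SignIn) -> str:
    """Step 2: apply the rules from the examples. When several rules match, the
    most restrictive outcome wins, which is also how Conditional Access combines
    multiple matching policies."""
    outcomes: List[str] = []
    if not s.managed_device and s.risk == "high":      # Example 3: unknown device + risky sign-in
        outcomes.append(BLOCK)
    if s.sensitive_app and (not s.managed_device or s.risk != "none"):
        outcomes.append(BLOCK)                          # Zero Trust: block sensitive access
    if s.is_admin:                                      # Example 4: admins always get MFA
        outcomes.append(REQUIRE_MFA)
    if s.country != HOME_COUNTRY:                       # Example 2: other or unknown country
        outcomes.append(REQUIRE_MFA)
    if not s.managed_device or s.risk != "none":        # unmanaged device or raised risk
        outcomes.append(REQUIRE_MFA)
    if BLOCK in outcomes:
        return BLOCK
    if REQUIRE_MFA in outcomes:
        return REQUIRE_MFA
    return ALLOW                                        # Example 1: office + known laptop

def evaluate_apps(base: SignIn, apps: Dict[str, bool]) -> Dict[str, str]:
    """Zero Trust example: the same user on a personal laptop over public Wi-Fi
    gets a separate decision per app (basic apps with MFA, sensitive ones blocked)."""
    return {name: evaluate(replace(base, app=name, sensitive_app=sensitive))
            for name, sensitive in apps.items()}

def enforce(decision: str, mfa_passed: bool) -> bool:
    """Step 3: turn the decision into a grant. MFA-required sign-ins proceed
    only after the second factor succeeds."""
    return decision == ALLOW or (decision == REQUIRE_MFA and mfa_passed)
```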





    One-line takeaway


    Zero Trust = verify every user, every device, every time, with no exceptions.



    Describe defense-in-depth




    Multiple layers of security to protect data

    Not relying on one defense
    If one layer fails --> others still protect

    The aim is to slow down and stop attackers before they reach the data




    Layers (outer --> inner)


    1. Physical 



    Buildings, servers
    --> Locks, cameras



    2. Identity & Access



    Control who can access
    MFA, SSO, Permissions



    3. Perimeter



    Protect network edge
    Firewalls, DDoS protection



    4. Network



    Control internal traffic
    Segmentation, deny-by-default



    5. Compute



    Secure machines (VMs)
    Patching, antivirus



    6. Application



    Secure apps
    Fix vulnerabilities, secure code



    7. Data (Core)



    Protect actual data
    Encryption, access control




    Example



    Attacker tries to access data:

    Tries to pass the firewall ❌
    Gets blocked by MFA ❌
    Even if inside → data is encrypted ❌

    👉 Attack fails





    One-line takeaway



    👉 Defense-in-Depth = multiple security layers protecting data, not just one






    Describe encryption and key management in Azure



    Encryption helps protect data confidentiality by making data unreadable to unauthorized users.



    Encryption at rest and in transit


    In Azure, encryption is commonly discussed in two forms:
    • Encryption at rest protects data when it is stored, such as in databases, disks, and storage accounts.
    • Encryption in transit protects data while it moves between services, applications, and users.





    🔑 Key Management (Azure Key Vault)

    Central place to store and manage sensitive material


    Stores:

    Secrets (passwords, connection strings)
    Encryption keys
    Certificates (SSL / TLS)






    Why use Key Vault?



    • No hardcoding secrets in code
    • Control access (who can use keys)
    • Rotate keys regularly
    • Track usage (audit logs)




    Example


    App uses:

    Azure SQL (data stored)
    Azure Storage



    👉 Data is:

    Encrypted at rest ✔️
    Encrypted in transit ✔️


    👉 Keys stored in:

    Azure Key Vault




    Extra security features


    • 🔄 Key rotation (auto update keys)
    • 👤 Access control (RBAC)
    • 📊 Auditing (who used what)




    🧠 One-line takeaway



    👉 Encryption protects data, and Azure Key Vault securely manages the keys and secrets used for that encryption





    Microsoft Defender for Cloud (Simple Explanation)


    Microsoft Defender for Cloud is a security service that monitors, protects, and improves the security of your cloud and on-premises resources.




    Core Idea



    It does 3 main things:

    1. Assess (Find problems)
    2. Secure (Fix problems)
    3. Defend (stop attacks)


    This is the most important memory trick.



     

    What does it protect?



    Azure
    On-premises
    Hybrid
    Other clouds (AWS, GCP)

    This means one dashboard for everything.



    1. Assess (Know Your Security Status)



    Finds:

    Weak passwords
    Open ports
    Vulnerabilities


    Gives:

    Recommendations
    Secure Score




    2. Secure (Improve Protection)



    Helps you:

    Apply security policies
    Follow best practices


    Example:

    Close unused ports
    Enable encryption



    3. Defend (Detect & Respond)



    Detects:


    Attacks
    Suspicious activity


     

    Gives:


    Alerts
    Fix suggestions




    Key Features (Compressed Version)

     

    • Security recommendations
    • Secure score
    • Threat alerts
    • Vulnerability scanning
    • Multi-cloud support




    Real-Life example



    You create a VM with open ports

     

    Defender for Cloud:
    • Detects the risk
    • Suggests a fix
    • Alerts if an attack happens




    Important Concepts Made Easy



    Secure Score



    👉 A number showing how secure you are



    Higher score = better security ✅
    Lower score = more risk ❌



    Azure Arc



    👉 Helps connect:

    On-premises servers
    Other cloud resources

    👉 So Defender can monitor them too



    CSPM (Don’t Overthink)

    👉 Just remember:

    CSPM = checks your cloud security posture



    Exam Ready Answer


    👉
    Microsoft Defender for Cloud is a security management and threat protection service that helps assess, secure, and defend resources across Azure, hybrid, and multi-cloud environments.





    Memory Trick (Very Powerful)



    Defender = Security Guard 🛡️

    • Checks your system (Assess)
    • Fixes weaknesses (Secure)
    • Stops attacks (Defend)




    Final One-Line Summary



    👉 Defender for Cloud continuously monitors your environment, improves security posture, and protects against threats.

     

     

     

     

     
