AZ-900 Episode 25 | Azure Identity Services | Authentication, Authorization & Active Directory (AD)

Video Statistics and Information

Reddit Comments

Identity and Access Management is one of the most important topics for anyone working with Azure. Today we will discuss the basics of Azure Active Directory, Identities, Authentication, Authorization, and MFA.

📺 Video: https://youtu.be/b_WIjY-burU

🌐 Site: https://marczak.io/az-900/#ep25

🧠 Practice Test https://marczak.io/az-900/episode-25/practice-test

👍 6 · u/AdamMarczakIO · Oct 13 2020 · replies
Captions
Hey everyone, welcome back. This is Adam, and in this episode of Azure Fundamentals we'll cover one of the most important topics when it comes to Azure, which is identity and access management. Stay tuned.

Management of our identities is one of the most critical topics when it comes to Azure, so whether you're trying to be a developer, architect or administrator, you should at least understand the basics of it. As such, today we'll learn about a couple of terms when it comes to identity: things like what is identity, what is authentication, authorization, multi-factor authentication, and we'll also cover the Azure Active Directory service.

Without further ado, let's talk about identity first. Identity in general means a fact of being something or someone. For example, our user accounts are considered identities, so when we log into the Azure portal we use our own identities, and we typically identify ourselves using a username and password. But identity can also mean an application or server, which will identify itself with a secret key or certificate. The process of verification of that identity is called authentication. So if a user connects to your server and presents himself with a username, for instance Tom, the authentication server will require Tom to present some sort of authentication factor, like a password. Only then will Tom's session be established and the identity verified. So whenever we logged into the Azure portal we needed to present our own credentials; this is the process of authentication.

But once the identity is verified, there's another process called authorization. When Tom tries to access one of our services, his account will need to be validated as to whether this account was granted access by the resource owner. In this case, services can do it on their own, or they can contact an external authorization server to check whether Tom has been granted access to this specific service. This process of ensuring that only authenticated identities get access to the resources for which they have been granted access by the resource owner is called authorization. We see that in every aspect of the management of the Azure platform: if we go to an Azure resource group, that means we already have access to view that resource group; if we try to create or delete a resource group, or any service within that resource group, that means we've been granted access to do so, and this process of checking that is called authorization. And all of those things, like controlling, verifying, tracking and managing access for authorized users and applications, is called access management.

And here comes Azure Active Directory. Everything that we did so far in the Azure portal, when we as users were connecting to Azure and managing our subscriptions and our resources like VMs, databases and resource groups, went through Azure AD. So not only is Azure AD storing our Azure accounts, but it is also granting permissions to access Azure resources, and it governs all the access to those specific resources. Also, it's worth noting that Azure AD doesn't only work with the Azure platform. If you are using one of the live.com services like Skype, maybe Outlook or OneDrive, again your user account on live.com is also stored in Azure AD, and Azure AD is also governing access to those services. If you're using your organizational resources like OneDrive for Business, SharePoint, Power BI, Teams or any other product from the Office 365 platform, again you are going through Azure AD: it manages your users, groups, licenses and access to those services. And lastly, you can even extend your own applications with the authorization and authentication features of Azure Active Directory. So Azure AD is quite a powerful service.

Let me show you quickly how it works. As you have seen throughout the multiple demos that I did so far, there are many ways to access Azure Active Directory. The one that I will use right now is the top screen search bar, picking Azure AD from the recent services. In this panel I'll be able to manage everything related to Azure Active Directory and my Azure identities. One important thing is that in order to manage Azure Active Directory you need to have the Global Administrator role; only then will you be able to manage every aspect of it. On the left-hand side you have a lot of panels that allow you to manage the most important things when it comes to identities, for example users and groups.

As part of this demo, let's create a new user identity. Let's navigate to the Users panel on the left-hand side, select New user to create a new user, and start filling in the form. For the identity part we need to fill in the username, which is our login. I will create a "tom doe" user at my domain, but if you want you can use a custom domain here as well. Then I need to provide a display name, "Tom Doe"; this is the name that will be displayed everywhere else in the Azure portal, especially when we search for the specific user. And provide the first name and last name. If we scroll down, we need to generate the first password: we can either auto-generate one or type one ourselves. Once this is done we can select Create, and our new user identity has been created. We can prove that this identity works by logging into the Azure portal, which we'll do in just a second, but for now let's also navigate back, go to Groups and create a new group. In this case I will create a new security group and call this group "developers", and I will assign one membership to this group: I will add Tom as a member of this group. So let's search for Tom, select his user and hit Select. Tom has been added and the group has been created.

Now that we have Tom created and our group created, and Tom assigned to that group, we can grant them access. So let's go to our resource groups. Inside of the resource group panel I will navigate to two resource groups. One is called "az900 firewall"; in this resource group I will navigate to Access control and grant them a role assignment. In this role assignment I'll grant them the Owner privilege; this is simply full administrative access to this resource group. I will search for the developers group, select it and hit Save. I will also go back to another resource group called "az900 nva routing", again go to Access control, hit Add, select the role assignment, and this time give the Reader role, again to Tom: select him and hit Save. Everything has been added successfully, which means we can switch the browser and log in as Tom.

In here I can navigate to portal.azure.com and log in as Tom. In order to get the full username of Tom, the easiest way is to go back to Azure Active Directory, go to Users, select Tom and select his full username. Paste it into that portal, hit Next and now provide the password. Once you provide the password you need to provide a new password on the first login. Hit Sign in, and on the next screen select Skip and sign in to the Azure portal. As you can see, we were able to log into the Azure portal with no issues at all; our new identity is created. If we navigate to resource groups we should see the two resource groups for which we've granted access a moment ago. The propagation of the security will take a moment, so we just need to give it a brief second, and all of the resource groups are now visible. So for this one Tom has the Owner privilege, because he was added in a group as an owner; for this one Tom only has the Reader privilege. So if Tom would go to nva routing and try to stop one of the virtual machines, he would not be able to as part of his Reader role. But if he would navigate back to firewall, select one of the servers there and hit Stop, he should be able to, because he's an owner on this resource group. This is as far as we will go today, because we'll have a separate episode on role-based access control in Azure, but this is how easily you can manage access to your Azure platform and Azure resources with Azure Active Directory.

So to summarize: Azure Active Directory is our identity but also access management service in Azure. It allows us to manage our identities, so things like users, groups and applications, but also manage our access for our Azure resources, so all the things like subscriptions, resource groups, roles, role assignments and all the authentication and authorization settings for our organization. It is also worth mentioning that Azure Active Directory is a centralized system for login to any other Microsoft cloud platform, like Azure, Microsoft 365, Office 365 and live.com services like Skype, OneDrive, etc. But I also want to mention that if your organization uses Active Directory in your on-premises environment, you can use a sync service that will sync your on-premises identities with the cloud, so you will be able to use the same accounts for both environments, which is extremely important for hybrid cloud environments and organizations that are starting to move to the cloud.

One last topic that I want to touch on is called multi-factor authentication. In the times that we live in right now, providing a username and password is simply not enough. Servers will need more credentials, more authentication factors from their users in order to prove their identity, for example providing a code that was sent to their mobile phones. This type of process is called multi-factor authentication: it's a process of presenting two or more pieces of evidence, factors if you will, to prove one's identity. So multi-factor authentication is a process of authenticating using more than one factor, more than one piece of evidence, to prove your identity. And there are many factor types that you can use: for example a knowledge factor, so something you know, like a password or a PIN; you can use a possession factor, so something you have, like a phone, token, card or key; you can also use a physical characteristic factor, so something you are, like a fingerprint, voice, face or iris. We very often see one of those three, or a combination of those three, using our mobile devices, but there are different factor types, like a location factor, so somewhere you are, for example a GPS location. There are many different factor types, so multi-factor authentication simply means using more than one of those factor types. And all of that is of course supported by Azure AD; it's a simple on/off switch and you are protected.

All of the materials for this episode can be found under episode 25 on my website. And that's it when it comes to identity and access management in Azure. If you like this episode, hit thumbs up, leave a comment and subscribe to see more. If you want to move to the next episode, simply click on the side or follow the playlist, and see you in the next one.
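The portal demo in the captions (create the user, create the security group, add the member, assign Owner to the group on one resource group and Reader to the user on the other, then check what the user can see) can be scripted with the Az PowerShell module. The block below is an added example, not material from the video or the author's site. It assumes you have already run Connect-AzAccount as a Global Administrator who also holds Owner on both resource groups; the tenant domain and the two resource-group names are placeholders chosen to match the names spoken in the demo.

```powershell
# Added example (not the video's own material): the episode's portal demo done with Az PowerShell.
# Assumes Connect-AzAccount has been run as a Global Administrator with Owner on both resource groups.
$tenantDomain = 'contoso.onmicrosoft.com'   # placeholder: your Azure AD tenant domain
$rgFirewall   = 'az900-firewall'            # placeholder: the demo's first resource group
$rgNvaRouting = 'az900-nva-routing'         # placeholder: the demo's second resource group

# 1. Identity: create the user "Tom Doe". The first password is generated rather than typed,
#    and the user must change it at first sign-in, which is what the portal flow did.
$initialPassword = ConvertTo-SecureString ([guid]::NewGuid().ToString() + 'Aa1!') -AsPlainText -Force
$tom = New-AzADUser -DisplayName 'Tom Doe' `
                    -UserPrincipalName "tom.doe@$tenantDomain" `
                    -MailNickname 'tom.doe' `
                    -Password $initialPassword `
                    -ForceChangePasswordNextLogin

# 2. Group: create the "developers" security group and add Tom as a member.
#    -SecurityEnabled is needed on the Graph-based Az.Resources module; older versions
#    created security groups without it.
$developers = New-AzADGroup -DisplayName 'developers' -MailNickname 'developers' -SecurityEnabled
Add-AzADGroupMember -TargetGroupObjectId $developers.Id -MemberObjectId $tom.Id

# 3. Authorization: two role assignments scoped to a resource group, exactly as in the demo.
#    Owner for the group on the firewall resource group (Tom inherits it through membership) ...
New-AzRoleAssignment -ObjectId $developers.Id -RoleDefinitionName 'Owner'  -ResourceGroupName $rgFirewall
#    ... and Reader directly for Tom on the NVA routing resource group.
New-AzRoleAssignment -ObjectId $tom.Id        -RoleDefinitionName 'Reader' -ResourceGroupName $rgNvaRouting

# 4. Check: list Tom's effective assignments. -ExpandPrincipalGroups makes the Owner he gets via
#    "developers" appear next to his direct Reader assignment. As the video notes, new assignments
#    can take a short while to propagate, so re-run this if the list is empty at first.
Get-AzRoleAssignment -ObjectId $tom.Id -ExpandPrincipalGroups |
    Select-Object RoleDefinitionName, Scope, ObjectType, DisplayName |
    Format-Table -AutoSize
```

The final listing is the scripted equivalent of signing in as Tom and seeing two resource groups: one Owner line with the group as the principal and one Reader line with Tom himself. The Reader-versus-Owner behaviour the video shows (stopping a VM succeeds in the firewall resource group and is refused in the routing one) is enforced by Azure RBAC at request time, so the only way to observe it is to act as Tom, as the demo does.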
Info
Channel: Adam Marczak - Azure for Everyone
Views: 45,233
Rating: 4.9863482 out of 5
Keywords: Azure Fundamentals, Full Course, az 900, azure, identity, azure active directory, active directory, azure ad, ad, access management, authentication, authorization
Id: b_WIjY-burU
Length: 11min 41sec (701 seconds)
Published: Tue Oct 13 2020