Define Identity and Access Management in Azure Active Directory


Define identity and access management in Azure Active Directory

15 min | Module | 5 Units | 4.7 (3,286)
Intermediate | Administrator | Azure | Azure Active Directory | Microsoft 365

Learn about identity and access management in Azure Active Directory and why identity
is a core component of your organization’s security posture.

Learning Objectives
In this module, you will learn to:
- Define the latest identity technologies.
- Understand the value of securing your identity.
- Explain how identity is core to security.

Introduction to identity technology
3 minutes

Azure Active Directory (Azure AD) is Microsoft’s next evolution of identity and access
management solutions for the cloud. Microsoft introduced Active Directory Domain
Services in Windows 2000 to give organizations the ability to manage multiple on-
premises infrastructure components and systems using a single identity per user. Azure
AD takes this approach to the next level by providing organizations with an Identity as a
Service (IDaaS). Azure Active Directory (Azure AD) helps your employees sign in and
access:
- External resources, such as Microsoft Office 365, the Azure portal, and thousands
  of other SaaS applications.
- Internal resources, such as apps on your corporate network and intranet, along
  with any cloud apps developed by your own organization.

Most IT administrators are familiar with Active Directory Domain Services concepts. The
following table outlines the differences and similarities between Active Directory
concepts and Azure Active Directory.

Concept | Active Directory | Azure Active Directory

Users

Admin management
  Active Directory: Organizations will use a combination of domains, organizational
  units, and groups in AD to delegate administrative rights to manage the directory
  and resources it controls.
  Azure Active Directory: Azure AD provides built-in roles with its role-based access
  control (RBAC) system, with limited support for creating custom roles to delegate
  privileged access to the identity system and the resources it controls. Managing
  roles can be enhanced with Privileged Identity Management (PIM) to provide
  just-in-time, time-restricted, or workflow-based access to privileged roles.

Credential management
  Active Directory: Credentials in Active Directory are based on passwords,
  certificate authentication, and smartcard authentication. Passwords are managed
  using password policies that are based on password length, expiry, and complexity.
  Azure Active Directory: Azure AD uses intelligent password protection for cloud and
  on-premises. Protection includes smart lockout plus blocking common and custom
  password phrases and substitutions. Azure AD significantly boosts security through
  multi-factor authentication and passwordless technologies, like FIDO2. Azure AD
  reduces support costs by providing users with a self-service password reset system.

Apps

Infrastructure apps
  Active Directory: Active Directory forms the basis for many infrastructure
  on-premises components, for example, DNS, DHCP, IPSec, WiFi, NPS, and VPN access.
  Azure Active Directory: In a new cloud world, Azure AD is the new control plane for
  accessing apps versus relying on networking controls. When users authenticate,
  conditional access (CA) will control which users have access to which apps under
  required conditions.

SaaS apps
  Active Directory: Active Directory doesn't support SaaS apps natively and requires
  federation systems, such as AD FS.
  Azure Active Directory: SaaS apps supporting OAuth2, SAML, and WS-* authentication
  can be integrated to use Azure AD for authentication.

Devices

Mobile
  Active Directory: Active Directory doesn't natively support mobile devices without
  third-party solutions.
  Azure Active Directory: Microsoft's mobile device management solution, Microsoft
  Intune, is integrated with Azure AD. Microsoft Intune provides device state
  information to the identity system to evaluate during authentication.

Windows desktops
  Active Directory: Active Directory provides the ability to domain join Windows
  devices to manage them using Group Policy, System Center Configuration Manager, or
  other third-party solutions.
  Azure Active Directory: Windows devices can be joined to Azure AD. Conditional
  access can check if a device is Azure AD joined as part of the authentication
  process. Windows devices can also be managed with Microsoft Intune. In this case,
  conditional access will consider whether a device is compliant (for example,
  up-to-date security patches and virus signatures) before allowing access to the
  apps.

With Microsoft's access and information protection solutions, you can deploy and
configure access to corporate resources across your on-premises environment and
cloud applications. And you can do it while protecting corporate information. The
following are scenarios provided by the latest identity and access technologies:

- Secure access to company resources from any location on any device
- Join to Workplace from Any Device for SSO and Seamless Second Factor
  Authentication Across Company Applications
- Manage Risk with Additional Multi-Factor Authentication for Sensitive
  Applications
- Manage Risk with Conditional Access Control
- Configure Certificate Enrollment Web Service for certificate key-based renewal on
  a custom port

Understand the importance of identity
3 minutes

Today, analyst firms report that the average enterprise’s employees collectively use
more than 300 software-as-a-service applications (and some estimates are much
higher). That number is rapidly expanding. Between the hyper-growth of these apps, the
rate at which they change and the business demand to harness new cloud capabilities
for business transformation, it’s challenging to keep up. Relying on an on-premises
identity solution as the control point makes connecting to all these cloud applications a
nearly impossible task. If you include all the user devices, guest accounts, and connected
objects, you have a management and security nightmare.

With cloud-based identity as the control point, you can help users be more productive
by providing access to apps and devices that are on-premises or in the cloud from
virtually anywhere and do so with incredible agility. Whether you’re just getting started
on your cloud journey or want to accelerate your identity modernization, Azure AD can
help you connect all your applications to achieve your business productivity and security
goals.

Understand how identity is core to security
3 minutes

Whether your assets are hosted on-premises or in the cloud, the security perimeter that
separates users and data from outside threats can no longer be drawn using network
lines. The perimeter is now drawn by identity components of authentication and
authorization that span across all your devices, services, hosts, and networks.

While the network perimeter keeps a basic security role, it can no longer guide the
security defense strategy because:

- Adversaries have demonstrated a consistent and ongoing ability to penetrate
  network perimeters using phishing attacks.
- Organizational data, devices, and users often exist and operate outside traditional
  network boundaries (whether sanctioned by IT or not).
- Port and protocol definitions and exceptions have failed to keep up with the
  complexity of services, applications, devices, and data.

Organizations need to adopt different security philosophies and mindsets that are based
on rigorous management of authentication and authorization, not firewall rules and
exceptions.
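
As an added example (not Microsoft code and not part of the module), a small Python model of the conditional access decision described above: whether a sign-in is granted depends on the user, the app, MFA, and the device's Azure AD join and Intune compliance state, while the source network address is carried along but never consulted. The policy names, group names and sign-in records are constructed.

```python
from dataclasses import dataclass, field

# Added illustration of the conditional access (CA) decision the module describes,
# not Microsoft code: policy names, groups and sign-ins below are constructed.
@dataclass
class SignIn:
    user: str
    groups: set
    is_guest: bool
    app: str
    mfa_satisfied: bool
    device_joined: bool     # device is Azure AD joined
    device_compliant: bool  # Intune reports the device as compliant
    source_ip: str          # recorded, but deliberately never consulted below

@dataclass
class Policy:
    name: str
    apps: set                                 # {"*"} means every cloud app
    groups: set = field(default_factory=set)  # empty means all users
    guests_only: bool = False
    block: bool = False
    require_mfa: bool = False
    require_compliant_device: bool = False
    require_joined_device: bool = False

    def applies(self, s: SignIn) -> bool:
        in_scope_app = "*" in self.apps or s.app in self.apps
        in_scope_user = not self.groups or bool(self.groups & s.groups)
        return in_scope_app and in_scope_user and (s.is_guest or not self.guests_only)

def evaluate(policies, s: SignIn):
    """(decision, reasons): a matching block policy wins; otherwise every control of every matching policy must hold."""
    unmet = []
    for p in (p for p in policies if p.applies(s)):
        if p.block:
            return "block", [p.name]
        if p.require_mfa and not s.mfa_satisfied:
            unmet.append(f"{p.name}: MFA required")
        if p.require_compliant_device and not s.device_compliant:
            unmet.append(f"{p.name}: compliant device required")
        if p.require_joined_device and not s.device_joined:
            unmet.append(f"{p.name}: Azure AD joined device required")
    return ("grant", []) if not unmet else ("controls_unmet", unmet)

POLICIES = [
    Policy("Require MFA for all users", apps={"*"}, require_mfa=True),
    Policy("Admins need a compliant device for the Azure portal", apps={"Azure portal"},
           groups={"Intune Administrators"}, require_compliant_device=True),
    Policy("Block guests from Finance", apps={"Finance"}, guests_only=True, block=True),
]
# Constructed sign-in: an admin on the corporate LAN (10.0.0.12) with an unmanaged laptop.
ADMIN_ON_LAN = SignIn("alice@contoso.example", {"Intune Administrators"}, False,
                      "Azure portal", True, False, False, "10.0.0.12")
```

Being on the internal network does not help ADMIN_ON_LAN: the unmanaged device fails the compliant-device control, which is exactly the perimeter shift the unit describes.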
Administrators are in control and need protection. The most important identities to
protect are the administrators of on-premises and cloud systems, especially identity
systems like Active Directory and Azure Active Directory. These administrators have
access to all the data hosted on their systems and should be protected, monitored, and
restricted appropriately for their high level of responsibility.

Summary
1 minute

In this module, you learned about identity and access management in Microsoft 365 and
why identity is a core component of your organization’s security posture.

Now that you have completed this module, you should be able to:

- Define the latest identity technologies.
- Understand the value of securing your identity.
- Explain how identity is core to security.

Simplify access and identity provisioning with Azure Active Directory

46 min | Module | 6 Units | 4.7 (2,087)
Intermediate | Administrator | Azure | Microsoft 365
Learn about identity governance and how you can safeguard access to your
organization’s data.

Learning Objectives
In this module, you will learn to:
- Define single sign-on.
- Understand identity governance.
- Explain how to perform an access review.

Introduction to identity provisioning
3 minutes

Sign on seamlessly to all connected apps
Single sign-on (SSO) adds security and convenience to signing on to applications in
Azure Active Directory (Azure AD).

With single sign-on, users sign on once to access domain-joined devices, company
resources, software as a service (SaaS) applications, and web applications. After signing
on, the user can launch applications from the Office 365 portal or the Azure AD MyApps
access panel. Administrators can centralize user account management and automatically
add or remove user access to applications based on group membership.

Without single sign-on, by contrast, users must remember application-specific
passwords and log into each application individually. IT staff needs to create and update
user accounts for each application such as Office 365, Box, and Salesforce.

Configure single sign-on
There are several ways to configure an application for single sign-on, depending on how
the application is configured for authentication.
- Cloud applications use OpenID Connect, OAuth, SAML, password-based, linked,
  or disabled methods for single sign-on.
- On-premises applications use password-based, Integrated Windows
  Authentication, header-based, linked, or disabled methods for single sign-on. The
  on-premises choices work when applications are configured for Application Proxy.
  Azure AD Application Proxy is a feature of Azure AD that supports SSO and
  enables users to access on-premises web applications from a remote client,
  removing the need for a VPN or a reverse proxy.

Be proactive with identity governance
24 minutes

Azure Active Directory (Azure AD) Identity Governance allows you to balance your
organization's need for both security and employee productivity. Azure AD ensures the
right people have the right access to the right resources. Azure AD and Enterprise
Mobility + Security features allow you to mitigate access risk by protecting, monitoring,
and auditing access to critical assets -- while ensuring employee and business partner
productivity.

Access is easy to grant but much harder to keep track of. Not only do you need to track
who is given access to what resources, you also need to be able to revoke access in a
timely manner when it is no longer needed. Plus, access controls should apply to both
internal and external users.

Azure AD Identity Governance helps manage access using the following capabilities:

- Ensuring that only authorized users have access based on policies.
- Providing employees and guest users with workflows to request access.
- Establishing regular access reviews to validate whether access is still needed.
- Establishing effective controls with time-limited access for privileged role assignments.

Explore how to enable business-to-business collaboration in Azure AD (interactive
guide; a video version is available)

Identity Governance helps organizations achieve a balance between productivity and
security. How quickly a new person can access the resources they need matters, and so
does how that person's access should change when they leave. Identity lifecycle
management is the foundation of Identity Governance, and effective governance at
scale requires modernizing the identity lifecycle management infrastructure for
applications.

Define the right access to safeguard identities and data
5 minutes

Azure Active Directory (AD) lets you collaborate internally as well as externally. Users can
join groups, invite guests, connect to cloud apps, and work remotely from their work or
personal devices. The convenience of self-service, however, has led to a need for better
access management capabilities.

How do you:
- Ensure new employees have the right access to be productive?
- Ensure access is removed when people—especially guests—leave or change
  teams?
- Ensure access rights aren't excessive, which can indicate a lack of control over
  access and lead to audit findings?
- Engage with resource owners to ensure they regularly review who has access to
  their resources?

To help you address these questions, Azure AD has developed a capability called access
reviews.

Azure AD access reviews help you recertify and audit users' access to resources,
ensuring that their access is appropriate and reviewed on a regular basis. Access reviews
enable organizations to efficiently address excess access risks and provide more visibility
about them to users in departments beyond IT. If you're only concerned about guests,
then access reviews make it easy to scope the review for guests only.

To understand how Azure AD access reviews help you manage access, consider four sets
of users:

- Members of Office groups. Office 365 users can create as many groups as they
  wish. Access reviews allow you to manage membership of those groups.
- Members of security groups. Access reviews help you manage users, both
  cloud-only or synchronized from on-prem to cloud, who should or shouldn't be in
  a group.
- Users who have been directly assigned to an application.
- Guest users. If you're only concerned about guests who have been invited to
  your directory, we make it easy to scope the review to be on guests only.

Flexibility in reviewer assignments
Azure AD access review provides flexibility in how you assign the reviewers. You can
assign the owners of a group directly so they can review the access of a group. Or you
can select multiple specific individuals as reviewers.

When to use access reviews
Azure AD Access Reviews can be used in a variety of circumstances:

- Too many users in privileged roles. It's a good idea to check how many users
  have administrative access, how many of them are Global Administrators, and if
  there are any invited guests or partners that have not been removed when their
  tasks are complete.
- When automation is not feasible. You can create rules for dynamic membership
  in security groups or Office 365 Groups. But sometimes HR data is not in Azure AD,
  or users still need access after leaving the group. You can then create a review of
  that group to ensure those who still need it have continued access.
- When a group is repurposed. If you have a group that is going to be synced to
  Azure AD, it would be useful to ask the group owner to review the group
  membership prior to the group being used in a different risk context.
- For business critical data access. For certain resources, you might require
  people outside of IT to regularly sign out and justify why they need continued
  access.
- To maintain a policy's exception list. As the IT administrator, you can manage
  policy exceptions, avoid policy error exceptions, and provide auditors with proof
  that these exceptions are reviewed regularly.
- To confirm group owners still need guests in their groups. Employee access
  might be automated with some on-premises access management, but that's not
  the case for guests. If a group gives guests access to business sensitive content,
  then it's the group owner's responsibility to confirm the guests still have a
  legitimate business need for access.

You can set up recurring access reviews of users at set frequencies such as weekly,
monthly, quarterly, or annually, and the reviewers will be notified at the start of each
review. A user-friendly interface and smart recommendations make approving or
denying access easy.

Establish an identity governance process
8 minutes

With Azure Active Directory (Azure AD), you can easily ensure that users have
appropriate access. You can ask the users themselves or a decision maker to participate
in an access review and recertify (or attest) to users' access. The reviewers can give their
input on each user's need for continued access based on suggestions from Azure AD.
When an access review is finished, you can then make changes and remove access from
users who no longer need it.

Begin an access review


To begin an access review, select the Azure AD group or application you want to
manage access to. Decide whether you want individual users to review their own access,
or one or more users review access for everyone. Then:

1. Navigate to the Identity Governance page.
2. If this is your first time using access reviews, select Onboard and Onboard Now.
3. Select Create an access review from the Getting started page.
4. On the Access Review screen, provide a name, Start date, frequency/duration,
   and end date. These settings will apply to either members of a group or users
   assigned to an application. Select the group or application along with the
   reviewers.
5. Once the review is created, the access review will initialize and then start on the
   assigned date.
6. Reviewers assigned to the access review will receive an email from Microsoft,
   prompting them to review access.
7. On the Access review page, they can select either the groups and apps that
   require access reviews, or the access packages.
8. Once the reviewer has opened the access review, they are able to approve or
   deny the access. Here three users are selected and denied for access to the Intune
   Administrators group.
9. The Identity Governance access review pane then updates with the results of the
   access review, and users denied access are removed from the group.
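
The walkthrough above is a portal procedure. As an added example that is not Microsoft code, the following Python models how such a review resolves once the decisions are applied: unreviewed members receive the review's default decision (assumed here to be Deny), and the "smart recommendation" is assumed to be a 30-day inactivity rule. The group, accounts, decisions and sign-in dates are constructed.

```python
from datetime import date, timedelta

# Added model of how an Azure AD access review over a group resolves; not
# Microsoft code. Assumptions: the "smart recommendation" is modelled as
# "Deny when the user has not signed in for 30 days", unreviewed members
# fall back to the review's default decision, and results are auto-applied.
INACTIVITY_DAYS = 30

def recommend(member: dict, today: date) -> str:
    """Recommendation shown beside a member: Deny when inactive or never seen."""
    last = member["last_sign_in"]
    if last is None or (today - last).days > INACTIVITY_DAYS:
        return "Deny"
    return "Approve"

def resolve_review(members, decisions, default_decision="Deny", auto_apply=True):
    """members: [{upn, user_type, last_sign_in}], decisions: {upn: "Approve"|"Deny"}.
    Returns (remaining_upns, removed_upns, outcome_per_upn)."""
    outcomes = {m["upn"]: decisions.get(m["upn"], default_decision) for m in members}
    upns = [m["upn"] for m in members]
    if not auto_apply:                  # decisions recorded, membership untouched
        return upns, [], outcomes
    remaining = [u for u in upns if outcomes[u] == "Approve"]
    removed = [u for u in upns if outcomes[u] != "Approve"]
    return remaining, removed, outcomes

def stale_guests(members, today: date):
    """Guests the module singles out: invited partners who look finished with their task."""
    return [m["upn"] for m in members
            if m["user_type"] == "Guest" and recommend(m, today) == "Deny"]

# Constructed review of a privileged group, mirroring the walkthrough where three
# members are denied; erin is never reviewed and so receives the default decision.
TODAY = date(2023, 6, 1)
INTUNE_ADMINS = [
    {"upn": "alice@contoso.example", "user_type": "Member", "last_sign_in": TODAY - timedelta(days=2)},
    {"upn": "bob@contoso.example", "user_type": "Member", "last_sign_in": TODAY - timedelta(days=45)},
    {"upn": "carol@contoso.example", "user_type": "Member", "last_sign_in": TODAY - timedelta(days=10)},
    {"upn": "dave_fabrikam.example#EXT#@contoso.example", "user_type": "Guest", "last_sign_in": None},
    {"upn": "erin@contoso.example", "user_type": "Member", "last_sign_in": TODAY - timedelta(days=1)},
]
DECISIONS = {
    "alice@contoso.example": "Approve",
    "bob@contoso.example": "Deny",
    "carol@contoso.example": "Deny",
    "dave_fabrikam.example#EXT#@contoso.example": "Deny",
}
```

The default decision is the setting to watch: with Deny, an active member whom nobody reviewed (erin) is removed along with the three denied users, so reviewers must finish every row before the review ends.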

Summary
1 minute

In this module, you learned about identity governance and how you can safeguard
access to your organization’s data.

Now that you have completed this module, you should be able to:

- Define single sign-on.
- Understand identity governance.
- Explain how to perform an access review.
