In Microsoft Entra ID (formerly Azure Active Directory or Azure AD), several key concepts define the structure and management of identities, accounts, and resources within the cloud environment.
Understanding these concepts is crucial for effectively managing users, groups, roles, and access to resources.
Below is a breakdown of key Microsoft Entra ID Concepts:
1. Identity
Definition
An identity in Microsoft Entra ID is a representation of a person, device, or service that needs to authenticate and access resources.
An identity carries attributes such as username and email address, credentials such as a password or registered multi-factor authentication methods, and profile information such as job title and department.
Types of Identities
User Identity
Represents an individual user, typically associated with a username (e.g., user@contoso.com), and contains authentication information like passwords or multi-factor authentication methods.
Service Principal Identity
Represents an application or service that needs to authenticate and access resources in its own right. In Entra ID the application object is the global definition of the app, and the service principal is its instance in a particular tenant; it is the service principal that is granted permissions and that authenticates, using a client secret, a certificate, or a managed identity (a service principal whose credentials Azure creates and rotates for you).
Device Identity
Represents a device that can authenticate to the organization’s network and access corporate resources, like a laptop or mobile phone.
Cloud Identity vs. On-Premises Identity
Cloud Identity
This is an identity that exists only in Microsoft Entra ID (Azure AD).
These identities do not exist in an on-premises Active Directory (AD) and are typically used for cloud-only users.
On-Premises Identity
This identity exists in an on-premises Active Directory and can be synchronized to Microsoft Entra ID using Azure AD Connect (now Microsoft Entra Connect) or Entra Cloud Sync. For a synchronized identity the on-premises directory remains the source of authority, so most attribute changes must be made on-premises rather than in the cloud.
2. Account
Definition
An account in Microsoft Entra ID is an entity that represents a user, service, or device that has been registered or created within the directory to allow authentication and authorization.
Accounts in Entra ID can be user accounts, service accounts, or device accounts.
Types of Accounts
User Accounts
These represent individual users and are the most common type of account.
A user account is associated with a person and is typically used for logging into cloud services like Office 365, Microsoft Teams, or other applications integrated with Entra ID.
Service Accounts
These are non-human accounts (for applications or services) created to authenticate to the directory and access resources programmatically (via APIs or services). In Entra ID the right building block is usually a service principal or managed identity; an ordinary user account repurposed as a "service account" with a long-lived shared password and no MFA is a common weak spot.
Device Accounts
These represent devices that need to authenticate, such as Azure AD-joined or Hybrid Azure AD-joined devices (now called Microsoft Entra joined and Microsoft Entra hybrid joined), for example a company laptop or mobile device. Personally owned devices can instead be Microsoft Entra registered, which records the device without making it a member of the organization.
Account Management
Self-Service
Entra ID provides self-service options for users to manage their own account, including features like password reset and profile management.
Account Properties
Accounts have properties like email address, job title, group membership, authentication methods, and more that can be used for management, reporting, and policy enforcement.
3. Microsoft Entra ID Account
Definition
A Microsoft Entra ID account is a specific type of user account created within Microsoft Entra ID (Azure AD) for an individual or entity that needs to access cloud resources.
Types of Microsoft Entra ID Accounts
Cloud-only Microsoft Entra ID Account
This is an account created solely within Microsoft Entra ID.
It is used for users who do not have any on-premises Active Directory accounts.
Cloud-only accounts are typical in organizations that are fully cloud-based, but hybrid organizations also use them deliberately for emergency-access (break-glass) and cloud-only administrator accounts, so that access to the tenant does not depend on the availability or integrity of on-premises AD.
Hybrid Microsoft Entra ID Account
This type of account exists in both on-premises Active Directory and Microsoft Entra ID. The two copies are kept in sync by Azure AD Connect (Microsoft Entra Connect). Whether users sign in to both with the same password depends on the configured method: password hash synchronization, pass-through authentication, or federation. In every case the on-premises directory is upstream of the cloud account, so a compromise of on-premises AD can extend to the synchronized cloud identities.
External Accounts (B2B)
These are accounts for external users who need access to an organization's resources.
With Azure AD B2B (Business-to-Business) collaboration, external users authenticate with their existing identities (from their home organization or a social account) and are represented in your tenant by a guest user object (userType "Guest", with a user principal name of the form user_home.tld#EXT#@yourtenant.onmicrosoft.com). Guests are real objects in your directory, so they can be put in groups and given role assignments, and they need the same review as internal accounts.
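The cloud-only, hybrid and B2B distinctions above are visible as properties on the user objects that Microsoft Graph returns. The following script, an added example rather than code from the page, classifies a list of user records (constructed here to mirror the shape of Graph /users objects; they are not real directory data) and flags guests who never accepted their invitation. The property names (userType, onPremisesSyncEnabled, onPremisesImmutableId, externalUserState) are real Graph properties; the helper names and the sample tenant domains are assumptions.

```python
"""Classify Entra ID user objects as cloud-only, hybrid (synced) or B2B guest.

Added example; the records below are constructed to mirror Microsoft Graph
/users objects and are not real directory data.
"""
from typing import Iterable, Optional

# Constructed sample: field names match Microsoft Graph user properties.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.com", "userType": "Member",
     "onPremisesSyncEnabled": True, "onPremisesImmutableId": "AbCdEf==",
     "externalUserState": None},
    {"userPrincipalName": "breakglass@contoso.onmicrosoft.com", "userType": "Member",
     "onPremisesSyncEnabled": None, "onPremisesImmutableId": None,
     "externalUserState": None},
    {"userPrincipalName": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "onPremisesSyncEnabled": None,
     "onPremisesImmutableId": None, "externalUserState": "Accepted"},
    {"userPrincipalName": "carol_example.org#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "onPremisesSyncEnabled": None,
     "onPremisesImmutableId": None, "externalUserState": "PendingAcceptance"},
]


def classify_user(user: dict) -> str:
    """Return 'guest', 'hybrid' or 'cloud-only' for one Graph user object."""
    upn = user.get("userPrincipalName", "")
    if user.get("userType") == "Guest" or "#EXT#" in upn:
        return "guest"
    # onPremisesSyncEnabled is true for synced users and null for cloud-only ones.
    # onPremisesImmutableId is the anchor Entra Connect uses to match the on-prem
    # object; if it is set the account originated on-premises even if sync is
    # currently off.
    if user.get("onPremisesSyncEnabled") or user.get("onPremisesImmutableId"):
        return "hybrid"
    return "cloud-only"


def guest_home_domain(upn: str) -> Optional[str]:
    """Recover the home domain from a guest UPN (user_home.tld#EXT#@tenant).

    The local part is split on the last underscore: DNS names cannot contain
    one, so everything after it is the home domain.
    """
    if "#EXT#" not in upn:
        return None
    local = upn.split("#EXT#", 1)[0]
    return local.rsplit("_", 1)[1] if "_" in local else None


def summarize(users: Iterable[dict]) -> dict:
    """Count each class and list guests whose invitation is still pending."""
    counts = {"cloud-only": 0, "hybrid": 0, "guest": 0}
    pending = []
    for u in users:
        kind = classify_user(u)
        counts[kind] += 1
        if kind == "guest" and u.get("externalUserState") == "PendingAcceptance":
            pending.append(u["userPrincipalName"])
    return {"counts": counts, "pending_guests": pending}


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(f"{classify_user(u):10s} {u['userPrincipalName']}")
    print(summarize(SAMPLE_USERS))
```

With live data the same functions run over the objects returned by a Graph request such as GET /users?$select=userPrincipalName,userType,onPremisesSyncEnabled,onPremisesImmutableId,externalUserState; the pending-invitation list is a cheap way to find stale B2B invitations that should be revoked.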
Account Features
Multi-Factor Authentication (MFA)
Microsoft Entra ID accounts can be protected with additional security measures, such as MFA, to prevent unauthorized access.
Self-Service Password Reset (SSPR)
Users with Entra ID accounts can reset their own passwords through self-service, reducing helpdesk load. The security of SSPR is only as good as the authentication methods users register for it, so the allowed methods and the number required should be reviewed as part of the tenant's authentication policy.
Group Membership and Access Control
Users are often organized into groups (e.g., based on department or role), and group membership can be used to assign access to resources or applications.
4. Tenant/Directory
Definition
A tenant in Microsoft Entra ID represents an organization’s dedicated instance of the service.
A tenant is essentially a container for all identity and access management data for that organization, including users, groups, devices, and applications.
Key Concepts of Tenant/Directory
Directory
The tenant is associated with a directory, which is the place where identity data (like users, groups, roles, and devices) are stored.
Each tenant is isolated from the others, so your organization's identity data is kept separate from that of other organizations; whether it is secure still depends on how the tenant is configured and administered.
Tenant ID
Each tenant is assigned a globally unique identifier (GUID), known as the tenant ID.
This ID is used to uniquely identify the tenant within the Microsoft cloud ecosystem.
Domain
Each tenant can have one or more domains associated with it, such as contoso.com or contoso.onmicrosoft.com. The initial contoso.onmicrosoft.com domain is created with the tenant and cannot be removed.
Custom domains are verified by publishing a DNS record that Microsoft provides, after which the organization can use its own email addresses (e.g., user@contoso.com) as user principal names.
Tenant Isolation
Microsoft Entra ID tenants are logically isolated from each other, ensuring that only users and resources within a particular tenant can access that tenant’s data and services unless explicitly shared with other tenants.
Tenant Management
Administrators
Entra ID tenants have roles like Global Administrator, User Administrator, and Security Administrator to manage directory settings, users, applications, and security configurations.
Multi-Tenant Applications
Applications registered in Microsoft Entra ID can be multi-tenant, meaning users from other tenants can sign in to them. The application object lives in the publisher's home tenant; when a user or administrator in another tenant consents, a service principal for the app is created in that tenant. Because Microsoft will issue tokens for a multi-tenant app from any tenant, the application itself must check the tid (tenant ID) claim against the tenants it has enrolled rather than accepting every validly signed token.
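The identity types from section 1 and the tenant checks just described both show up as claims in the access tokens Entra ID issues. The script below, an added example and not code from the page, decodes a token's payload, decides whether the caller is a user or a service principal, extracts the tenant ID, and applies the enrolled-tenant check a multi-tenant app needs. The claim names (tid, oid, iss, idtyp, upn, preferred_username, scp, roles, appid) are real Entra claims; the tokens are constructed in-code with a placeholder signature, and the tenant IDs and helper names are assumptions. A real validator must first verify the signature against the issuing tenant's JWKS and check exp and aud before trusting any claim; that step is deliberately not implemented here.

```python
"""Read identity and tenant claims from an Entra ID access token.

Added example. Tokens are constructed below with a dummy signature; signature,
expiry and audience validation must happen before any of these claims are
trusted and is not shown here.
"""
import base64
import json
from typing import Iterable, Optional

# Constructed tenant IDs, not real tenants.
CONTOSO_TID = "11111111-2222-3333-4444-555555555555"
FABRIKAM_TID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict) -> str:
    """Build a constructed JWT with a placeholder signature (for the demo only)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "sample-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def identity_kind(claims: dict) -> str:
    """Classify the caller as 'app' (service principal) or 'user'.

    Prefers the optional idtyp claim. Without it, delegated (user) tokens carry
    upn/preferred_username and scp, while app-only tokens carry none of those
    and express permissions through roles.
    """
    if claims.get("idtyp") in ("app", "user"):
        return claims["idtyp"]
    if any(k in claims for k in ("upn", "preferred_username", "scp")):
        return "user"
    return "app"


def tenant_of(claims: dict) -> Optional[str]:
    """Tenant ID from tid, falling back to the issuer URL.

    v2 issuer: https://login.microsoftonline.com/{tid}/v2.0
    v1 issuer: https://sts.windows.net/{tid}/
    """
    if claims.get("tid"):
        return claims["tid"]
    segs = [s for s in claims.get("iss", "").split("/") if s]
    return segs[2] if len(segs) >= 3 else None


def check_tenant(claims: dict, allowed_tenants: Iterable[str]) -> bool:
    """Tenant-isolation check for a multi-tenant app: accept only enrolled tenants."""
    tid = tenant_of(claims)
    return tid is not None and tid in set(allowed_tenants)


# Constructed sample tokens: a delegated user token (v2 issuer) and an app-only
# token (v1 issuer). tid is omitted from the app token to exercise the fallback.
USER_TOKEN = make_token({
    "iss": f"https://login.microsoftonline.com/{CONTOSO_TID}/v2.0",
    "tid": CONTOSO_TID, "oid": "0b1c2d3e-0000-0000-0000-000000000001",
    "preferred_username": "alice@contoso.com", "scp": "User.Read", "idtyp": "user",
})
APP_TOKEN = make_token({
    "iss": f"https://sts.windows.net/{FABRIKAM_TID}/",
    "oid": "0b1c2d3e-0000-0000-0000-000000000002",
    "appid": "0b1c2d3e-0000-0000-0000-000000000003",
    "roles": ["Directory.Read.All"], "idtyp": "app",
})

if __name__ == "__main__":
    for name, tok in (("user", USER_TOKEN), ("app", APP_TOKEN)):
        c = decode_claims(tok)
        print(name, identity_kind(c), tenant_of(c), check_tenant(c, {CONTOSO_TID}))
```

The enrolled-tenant check is the part most often missing from multi-tenant apps: a token from fabrikam's tenant is perfectly valid as far as Microsoft is concerned, and only the application knows that fabrikam has not been onboarded.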
5. Azure Subscription
Definition
An Azure subscription is an agreement between an organization and Microsoft to use Azure services.
A subscription provides access to Azure resources, such as virtual machines, databases, networking services, and other cloud-based services.
Relationship to Entra ID
Azure Active Directory and Subscription
Every Azure subscription trusts exactly one Microsoft Entra ID tenant at a time. A subscription can be transferred to a different tenant, but doing so permanently removes its existing role assignments, so access has to be rebuilt afterwards.
The tenant acts as the identity provider for resources within the subscription.
Users who are part of the Entra ID tenant can be assigned access to Azure resources and services based on roles and permissions.
Subscription Ownership
The subscription belongs to a tenant, and principals in that tenant can be given roles to manage resources and assign access within the subscription.
A subscription is linked to a single tenant, but users from other tenants can still be granted access once they are represented in the trusting tenant as B2B guests (or through Azure Lighthouse for service-provider scenarios).
Key Points about Azure Subscription
Resources and Billing
Subscriptions are linked to billing accounts.
All resources deployed within a subscription are billed under the corresponding subscription.
Resource Access
Users, groups, and service principals within the associated Microsoft Entra ID tenant can be assigned roles to access and manage resources within the subscription.
These roles are assigned using Azure RBAC (Role-Based Access Control) and are separate from Entra ID directory roles: a Global Administrator has no access to Azure resources by default. A Global Administrator can, however, elevate their access to become User Access Administrator at the root scope of all subscriptions, which is why that elevation should be alerted on and removed when no longer needed.
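Because Azure RBAC assignments are the link between tenant identities and subscription resources, reviewing them is the first thing to do when taking over a subscription. The script below is an added example, not code from the page: it walks a list of role assignments (constructed here to match the fields returned by `az role assignment list --all -o json`; not real output) and flags the combinations a reviewer cares about: broad write roles at subscription or management-group scope, guest users with write access, and service principals that can grant access. The subscription ID, principal names and helper names are assumptions.

```python
"""Flag high-privilege Azure RBAC assignments in one subscription.

Added example. The records are constructed to match the fields of
`az role assignment list --all -o json` and are not real output.
"""
from typing import Iterable, List

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000001"  # constructed
SUB_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}"

# Built-in roles that allow broad changes or further delegation of access.
BROAD_WRITE_ROLES = {"Owner", "Contributor", "User Access Administrator"}
ACCESS_GRANTING_ROLES = {"Owner", "User Access Administrator"}

SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB_SCOPE},
    {"principalName": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Contributor",
     "scope": f"{SUB_SCOPE}/resourceGroups/rg-prod"},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "User Access Administrator", "scope": SUB_SCOPE},
    {"principalName": "readers@contoso.com", "principalType": "Group",
     "roleDefinitionName": "Reader", "scope": SUB_SCOPE},
    {"principalName": "svc-old", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner",
     "scope": f"{SUB_SCOPE}/resourceGroups/rg-dev/providers/"
              "Microsoft.KeyVault/vaults/kv-dev"},
]


def scope_level(scope: str) -> str:
    """Classify an Azure scope string: root, managementGroup, subscription,
    resourceGroup or resource."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"
    if (len(parts) == 4 and parts[0].lower() == "providers"
            and parts[2].lower() == "managementgroups"):
        return "managementGroup"
    if len(parts) == 2 and parts[0].lower() == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def is_guest(principal_name: str) -> bool:
    """B2B guests carry the #EXT# marker in their user principal name."""
    return "#EXT#" in principal_name


def findings(assignments: Iterable[dict]) -> List[dict]:
    """Return one finding per assignment that matches any review rule."""
    out = []
    for a in assignments:
        role, scope, ptype, name = (a["roleDefinitionName"], a["scope"],
                                    a["principalType"], a["principalName"])
        reasons = []
        if role in BROAD_WRITE_ROLES and scope_level(scope) in (
                "root", "managementGroup", "subscription"):
            reasons.append("broad write role at subscription scope or above")
        if ptype == "User" and is_guest(name) and role != "Reader":
            reasons.append("guest (B2B) user with write access")
        if ptype == "ServicePrincipal" and role in ACCESS_GRANTING_ROLES:
            reasons.append("service principal can grant access to others")
        if reasons:
            out.append({"principal": name, "role": role, "scope": scope,
                        "reasons": reasons})
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_ASSIGNMENTS):
        print(f"{f['principal']:50s} {f['role']:26s} {scope_level(f['scope'])}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On a live subscription, feed it `az role assignment list --all -o json` (which includes inherited assignments from management groups and the root scope, so an elevated Global Administrator shows up as User Access Administrator at "/"), then compare the output against the access the subscription's owners expect.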
Types of Azure Subscriptions
Pay-as-you-go
A basic model where you are billed based on the resources you consume.
Enterprise Agreement (EA)
A subscription model for large organizations, often offering discounts and enterprise-wide management.
Microsoft CSP
A subscription model provided by Cloud Solution Providers who sell Azure services to customers.
Summary of Relationships
Microsoft Entra ID Account
Refers to an identity (such as a user, device, or service) that is created in Microsoft Entra ID for authentication and access to cloud resources.
Identity
A broader term that represents the distinct identity of a person, device, or service, which could exist in an on-premises directory, Microsoft Entra ID, or both.
Tenant/Directory
A tenant is a dedicated instance of Microsoft Entra ID that holds and manages all identity and access data for an organization.
The tenant ID is unique to each organization.
Azure Subscription
A subscription grants access to Azure cloud resources and services, and is linked to a Microsoft Entra ID tenant.
It allows users and groups in Entra ID to access and manage Azure resources, subject to roles and permissions.
Conclusion
Understanding these foundational concepts is key to effectively managing identity and access within Microsoft’s cloud environment.
They form the basis for authentication, authorization, resource management, and security across both Microsoft Entra ID and Azure.