Module 2: Azure Architecture and Services

Azure Active Directory & RBAC

Master identity and access management with Azure Active Directory, Role-Based Access Control, authentication methods, and security features essential for cloud governance.

Learning Objectives

After completing this session, you'll be ready for Quiz 17 and able to:

Understand Azure AD editions and their features
Master RBAC roles (Owner, Contributor, Reader)
Configure authentication methods and MFA
Understand Azure AD tenants and management
Implement conditional access and identity protection
Work with Azure AD Connect and B2B scenarios
Understand Privileged Identity Management (PIM)
Configure custom roles and scope assignments

Azure Active Directory (Azure AD) - Your Identity Hub

Azure Active Directory is Microsoft's cloud-based identity and access management service. Think of it as the central security guard for your organization - it controls who can access what resources and under what conditions.

🏢 Company Badge System Analogy

🏢 Traditional Office

Employee badges control access to different floors and rooms

🌐 Azure AD (Cloud)

Digital identities control access to cloud resources and applications

🔒 Same Concept

Right person, right access, right time - whether physical or digital!

📊 Azure AD Editions (Critical for Quiz!)

Edition Features Comparison
Azure AD Free:

Up to 500,000 objects, basic reports, SSO

Azure AD Basic:

99.9% SLA, group-based access, branding

Premium P1:

Conditional access, MFA, advanced security

Premium P2:

Identity Protection, PIM, risk-based policies

Key Quiz Facts
Object Limits:

Free: 500,000 objects, Premium: Unlimited

Advanced Features:

Conditional Access needs Premium P1+

Identity Protection:

Risk-based access requires Premium P2

Quiz Tip:

Know which features need which edition!

🏢 Azure AD Tenants - Your Organization's Digital Home

What is a Tenant?
  • Dedicated instance: Your organization's private Azure AD space
  • Global uniqueness: Each tenant has a unique domain (contoso.onmicrosoft.com)
  • User container: All your organization's users and groups live here
  • Security boundary: Isolated from other organizations
Tenant Relationships
1 Tenant → Multiple Subscriptions

One organization can have many Azure subscriptions

User → Multiple Tenants

A user can be a member of up to 500 tenants

Trust Relationship

Subscriptions trust the Azure AD tenant for authentication

Role-Based Access Control (RBAC) - Who Can Do What

RBAC is like assigning job roles in a company - each role has specific permissions. A security guard can't access the CEO's office, just like a Reader role can't modify Azure resources.

🎭 RBAC Core Components

👤 Security Principal

User, Group, Service Principal, or Managed Identity

🎯 Role Definition

Collection of permissions (Owner, Contributor, Reader)

🌐 Scope

Where the permissions apply (Resource, RG, Subscription)

🔗 Assignment

Linking Principal + Role + Scope together

🏆 Top 3 Built-in Roles (Essential for Quiz!)

Owner
  • Full access to ALL resources
  • Can manage access (assign roles)
  • Can manage billing aspects
  • Highest privilege level
  • Can delete resources
Quiz Key: Only role that can manage access to others
Contributor
  • Can create and manage resources
  • Can modify resource configurations
  • Can delete resources
  • CANNOT manage access to resources
  • No billing management
Quiz Key: All permissions except access management
Reader
  • Can VIEW all resources
  • Can read resource properties
  • CANNOT make any changes
  • CANNOT delete resources
  • Read-only access everywhere
Quiz Key: View only, no modification permissions

🏗️ RBAC Scope Hierarchy & Inheritance

Management Group
↓ Inherits permissions
Subscription
↓ Inherits permissions
Resource Group
↓ Inherits permissions
Resource
Inheritance Rules
  • Child scopes inherit parent permissions
  • More permissive wins in conflicts
  • Cannot restrict inherited permissions
  • Assignment at lowest scope takes precedence
Best Practices
  • Assign roles at appropriate scope level
  • Use groups instead of individual users
  • Follow principle of least privilege
  • Regular access reviews and cleanup

⚙️ Custom Roles - Creating Your Own Permissions

When to Use Custom Roles
Specific Permissions:

Built-in roles are too broad or narrow

Compliance Requirements:

Need precise control for audit purposes

Service-Specific:

Permissions for specific Azure services

Custom Role Limits
Maximum Custom Roles

5,000 per Azure AD tenant

Role Assignments

4,000 per subscription maximum

Quiz Tip: Know the difference between Azure AD roles (manage Azure AD) and Azure RBAC roles (manage Azure resources)!
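Custom roles are authored as a JSON definition (the shape accepted by `az role definition create` and New-AzRoleDefinition). The following is an added Python example, not part of the page and not Microsoft's tooling: it lints such a definition before it is submitted, checking the required keys, the assignable-scope format, the operation-string syntax, and two least-privilege points (a bare "*" in Actions, and whether the effective set Actions minus NotActions still covers Microsoft.Authorization write/delete operations, which would let the role manage access like Owner). The role definition and the all-zero subscription ID are constructed placeholders.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed custom role in the JSON shape accepted by `az role definition create`
# and New-AzRoleDefinition. The subscription ID is a placeholder, not a real one.
CUSTOM_ROLE_JSON = """
{
  "Name": "Virtual Machine Operator (example)",
  "IsCustom": true,
  "Description": "Start, stop and restart VMs and read everything; no access management.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "*/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}
"""

REQUIRED_KEYS = {"Name", "IsCustom", "Description", "Actions", "NotActions", "AssignableScopes"}
# Operation strings look like Provider/resourceType/.../verb, with '*' wildcards allowed.
ACTION_RE = re.compile(r"^[A-Za-z0-9.*]+(/[A-Za-z0-9.*]+)*$")
# Custom roles can be made assignable at management group, subscription or resource group.
SCOPE_RE = re.compile(
    r"^/(subscriptions/[0-9a-fA-F-]{36}(/resourceGroups/[^/]+)?"
    r"|providers/Microsoft\.Management/managementGroups/[^/]+)$"
)
# If the effective action set covers any of these, the role can grant access to others.
ACCESS_MANAGEMENT_ACTIONS = (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleDefinitions/write",
)


def covers(patterns, action: str) -> bool:
    """True if any wildcard pattern matches the operation (Azure compares case-insensitively)."""
    action = action.lower()
    return any(fnmatchcase(action, p.lower()) for p in patterns)


def effectively_grants(role: dict, action: str) -> bool:
    """Actions minus NotActions, which is how Azure computes a role's effective permissions."""
    return covers(role.get("Actions", []), action) and not covers(role.get("NotActions", []), action)


def lint_role(role: dict) -> list[str]:
    """Return findings; an empty list means the definition passed every check."""
    findings = []
    missing = sorted(REQUIRED_KEYS - set(role))
    if missing:
        findings.append(f"missing keys: {', '.join(missing)}")
    if role.get("IsCustom") is not True:
        findings.append("IsCustom must be true for a custom role")
    if not role.get("Actions") and not role.get("DataActions"):
        findings.append("role grants nothing: Actions and DataActions are both empty")
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("AssignableScopes is empty; the role could not be assigned anywhere")
    for s in scopes:
        if not SCOPE_RE.match(s):
            findings.append(f"assignable scope is not a management group, subscription or resource group: {s}")
    for a in role.get("Actions", []) + role.get("NotActions", []):
        if not ACTION_RE.match(a):
            findings.append(f"malformed operation string: {a!r}")
    if "*" in role.get("Actions", []):
        findings.append("Actions contains '*': that is Contributor/Owner-scale access, list the operations needed instead")
    for a in ACCESS_MANAGEMENT_ACTIONS:
        if effectively_grants(role, a):
            findings.append(f"role can manage access ({a}); only Owner-equivalent roles should")
    return findings


def lint_json(text: str) -> list[str]:
    return lint_role(json.loads(text))


if __name__ == "__main__":
    for finding in lint_json(CUSTOM_ROLE_JSON) or ["OK: no findings"]:
        print(finding)
```

The access-management check is the one worth keeping in a pipeline: a role whose Actions list contains "*" but whose NotActions exclude Microsoft.Authorization/*/Write and /Delete (Contributor's pattern) passes it, while a bare "*" with no NotActions does not, which mirrors the Owner versus Contributor distinction in the quiz.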

Authentication & Security Features

🔐 Multi-Factor Authentication (MFA) - Something You Are, Have, Know

🧠 Something You Know

Password, PIN, Security Questions

Knowledge Factor

📱 Something You Have

Phone, Hardware Token, Authenticator App

Possession Factor

👤 Something You Are

Fingerprint, Face Recognition, Voice

Inherence Factor

MFA Security: Using at least 2 of these 3 factors significantly improves security!

🔑 Azure AD Authentication Methods (Quiz Important!)

Traditional Methods
Password + SMS

Less secure, vulnerable to SIM swapping

Authenticator App

Microsoft Authenticator recommended for TOTP

Certificates

High security for device-based authentication

Passwordless Methods (Most Secure)
Windows Hello for Business

Biometric or PIN-based, device-bound

FIDO2 Security Keys

Hardware-based, phishing-resistant

Phone Sign-in

Microsoft Authenticator push notifications

🎯 Quiz Focus: Authentication Security Ranking
Most Secure: Passwordless (FIDO2, Windows Hello) → More Secure: Password + Authenticator App → Less Secure: Password + SMS

🔧 Self-Service Features - Empowering Users

Self-Service Password Reset (SSPR)
  • Reduces helpdesk calls by 30-70%
  • Users can reset their own passwords
  • Requires multiple verification methods
  • Can write back to on-premises AD
  • Available in Azure AD Premium editions
Quiz Tip: SSPR requires at least 2 verification methods
Self-Service Group Management
  • Users can create and manage groups
  • Owners can add/remove members
  • Dynamic groups with rule-based membership
  • Access request and approval workflows
  • Integration with applications
Quiz Tip: Dynamic groups require Premium P1+

Advanced Azure AD Features

🚦 Conditional Access - Smart Security Decisions

Conditions
  • User/Group
  • Location
  • Device state
  • Application
  • Risk level
Controls
  • Require MFA
  • Block access
  • Compliant device
  • Approved app
  • Terms of use
Examples
  • MFA for admins
  • Block risky locations
  • Require compliance
  • App protection
  • Session controls

IF user is from untrusted location AND accessing sensitive app THEN require MFA + compliant device

🛡️ Identity Protection (Premium P2)

Risk Detection
  • Anonymous IP addresses
  • Atypical travel patterns
  • Malware-linked IPs
  • Unfamiliar sign-in properties
  • Leaked credentials
Risk Policies
  • Sign-in risk policy
  • User risk policy
  • Automatic remediation
  • Risk-based conditional access
Quiz Key: Identity Protection provides risk scoring for users and sign-ins
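To make the IF/THEN rule from the Conditional Access section concrete, and to show how Identity Protection's sign-in and user risk levels feed risk-based Conditional Access, here is an added Python policy evaluator (example code, not Microsoft's engine and not from the page). Each Policy pairs a condition over the sign-in signals (user/group, location, application, device state, risk) with a set of controls; the controls of every matching policy are combined, and a block from any policy wins. The trusted network prefix 203.0.113., the sensitive apps, the Global Admins group and the sample sign-ins are constructed.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed tenant settings: a trusted "named location" (TEST-NET-3 prefix),
# the apps treated as sensitive, and the admin group. All assumptions.
TRUSTED_LOCATION_PREFIXES = ("203.0.113.",)
SENSITIVE_APPS = {"HR Portal", "Azure Portal"}
ADMIN_GROUPS = {"Global Admins"}

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt with the signals Conditional Access evaluates."""
    user: str
    groups: frozenset
    app: str
    ip: str
    device_compliant: bool
    sign_in_risk: str = "none"   # Identity Protection sign-in risk level
    user_risk: str = "none"      # Identity Protection user risk level
    mfa_completed: bool = False


@dataclass(frozen=True)
class Policy:
    name: str
    condition: Callable[[SignIn], bool]   # the policy's Conditions
    controls: frozenset                   # grant controls, or {"block"}


def from_trusted_location(s: SignIn) -> bool:
    return s.ip.startswith(TRUSTED_LOCATION_PREFIXES)


def risk_at_least(level: str, threshold: str) -> bool:
    return RISK_ORDER[level] >= RISK_ORDER[threshold]


POLICIES = [
    Policy("MFA for admins",
           lambda s: bool(s.groups & ADMIN_GROUPS), frozenset({"mfa"})),
    Policy("Untrusted location + sensitive app: MFA and compliant device",
           lambda s: not from_trusted_location(s) and s.app in SENSITIVE_APPS,
           frozenset({"mfa", "compliant_device"})),
    Policy("Sign-in risk policy: medium or high risk requires MFA",
           lambda s: risk_at_least(s.sign_in_risk, "medium"), frozenset({"mfa"})),
    Policy("Block high sign-in risk",
           lambda s: risk_at_least(s.sign_in_risk, "high"), frozenset({"block"})),
    Policy("User risk policy: high user risk requires a password change",
           lambda s: s.user_risk == "high", frozenset({"password_change"})),
]


def required_controls(s: SignIn) -> tuple[set[str], list[str]]:
    """Union of the controls of every matching policy, plus the names of those policies."""
    matched = [p for p in POLICIES if p.condition(s)]
    controls = set().union(*(p.controls for p in matched)) if matched else set()
    return controls, [p.name for p in matched]


def decide(s: SignIn) -> tuple[str, set[str]]:
    """'block' if any matching policy blocks; otherwise 'allow' when every required
    control is already satisfied, or 'challenge' with the controls still outstanding."""
    controls, _ = required_controls(s)
    if "block" in controls:
        return "block", set()
    satisfied = set()
    if s.mfa_completed:
        satisfied.add("mfa")
    if s.device_compliant:
        satisfied.add("compliant_device")
    outstanding = controls - satisfied
    return ("allow" if not outstanding else "challenge"), outstanding


if __name__ == "__main__":
    cafe = SignIn("john.dev@yourdomain.com", frozenset({"Developers"}), "HR Portal",
                  "198.51.100.7", device_compliant=False)
    print("HR Portal from an untrusted network:", decide(cafe))
    risky = SignIn("sarah.mgr@yourdomain.com", frozenset({"Global Admins"}), "Teams",
                   "203.0.113.9", device_compliant=True, sign_in_risk="high")
    print("High sign-in risk, even from a trusted location:", decide(risky))
```

Two points the code makes that the bullet lists do not: controls accumulate across policies (an admin on an untrusted network hitting a sensitive app gets MFA plus compliant device from two different policies), and a block is absolute, so a compliant, MFA-capable device still cannot sign in while Identity Protection rates the attempt high risk.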

👑 Privileged Identity Management (PIM)

Just-in-Time Access
  • Time-limited role activation
  • Approval workflows
  • Business justification required
  • MFA on activation
Access Reviews
  • Regular review of privileged access
  • Automatic removal of unused access
  • Self-attestation by users
  • Manager or peer reviews
Quiz Key: PIM provides just-in-time access to prevent standing admin privileges
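The just-in-time model can be illustrated with an added Python simulation (not Microsoft's PIM implementation and not code from the page): an eligible assignment grants nothing until it is activated, activation enforces MFA, a business justification and a maximum duration, an optional approval gate keeps the activation pending until an approver acts, and the role drops off by itself when the window ends. The principal, scope, times and ticket reference are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Eligibility:
    """An eligible (not active) assignment: available to the principal, but grants nothing."""
    principal: str
    role: str
    scope: str
    max_duration: timedelta
    require_mfa: bool = True
    require_justification: bool = True
    require_approval: bool = False


@dataclass
class Activation:
    principal: str
    role: str
    scope: str
    start: datetime
    end: datetime
    justification: str
    approved: bool


class PimSimulator:
    def __init__(self, eligibilities):
        self.eligibilities = list(eligibilities)
        self.activations: list[Activation] = []

    def _eligibility(self, principal, role, scope) -> Eligibility:
        for e in self.eligibilities:
            if (e.principal, e.role, e.scope) == (principal, role, scope):
                return e
        raise PermissionError(f"{principal} is not eligible for {role} at {scope}")

    def activate(self, principal, role, scope, now, duration, justification,
                 mfa_passed, approved_by=None) -> Activation:
        """Turn an eligible assignment into a time-boxed active one, enforcing the policy."""
        e = self._eligibility(principal, role, scope)
        if duration > e.max_duration:
            raise ValueError(f"requested {duration} exceeds the maximum of {e.max_duration}")
        if e.require_mfa and not mfa_passed:
            raise PermissionError("MFA is required on activation")
        if e.require_justification and not justification.strip():
            raise ValueError("business justification is required")
        act = Activation(principal, role, scope, now, now + duration, justification,
                         approved=(not e.require_approval) or approved_by is not None)
        self.activations.append(act)
        return act

    def active_roles(self, principal, scope, now) -> set[str]:
        """Roles the principal holds at `scope` right now: approved, started, not yet expired."""
        return {a.role for a in self.activations
                if a.principal == principal and a.scope == scope
                and a.approved and a.start <= now < a.end}

    def expire(self, now) -> None:
        """Housekeeping: drop activations whose window has ended."""
        self.activations = [a for a in self.activations if a.end > now]


# Constructed sample data: Sarah is eligible for Owner on the subscription for at most 8 hours.
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)
SUB = "/subscriptions/sub-1111"
SAMPLE_ELIGIBILITIES = [Eligibility("sarah.mgr@yourdomain.com", "Owner", SUB, max_duration=8 * HOUR)]

if __name__ == "__main__":
    pim = PimSimulator(SAMPLE_ELIGIBILITIES)
    print("before activation:", pim.active_roles("sarah.mgr@yourdomain.com", SUB, T0))
    pim.activate("sarah.mgr@yourdomain.com", "Owner", SUB, T0, 2 * HOUR,
                 "Ticket 4711: rotate storage keys", mfa_passed=True)
    print("one hour in:      ", pim.active_roles("sarah.mgr@yourdomain.com", SUB, T0 + HOUR))
    print("after the window: ", pim.active_roles("sarah.mgr@yourdomain.com", SUB, T0 + 3 * HOUR))
```

The point to take from active_roles is that there is no standing Owner anywhere in the data: outside an approved, unexpired activation the set is empty, which is what an access review of this tenant would find.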

🌐 B2B Collaboration & Hybrid Integration

Azure AD B2B
  • Invite external users
  • Guest user accounts
  • Use their own credentials
  • Cross-organization collaboration
  • Email invitation process
Use Case: Partner company access
Azure AD Connect
  • Sync on-premises AD to Azure AD
  • Password hash synchronization
  • Pass-through authentication
  • Federation (ADFS)
  • Single sign-on (SSO)
Use Case: Hybrid environment
Application Proxy
  • Publish on-premises apps
  • Secure remote access
  • No VPN required
  • Single sign-on integration
  • Pre-authentication via Azure AD
Use Case: Legacy app access

Hands-on Lab: Azure AD & RBAC Configuration

Let's create users, groups, and configure RBAC assignments to understand Azure AD identity management practically. This lab prepares you for Quiz 17's real-world scenarios.

Step 1: Explore Your Azure AD Tenant

Understand your tenant structure and current configuration

🔍 Tenant Information:

  1. Navigate to Azure Portal → Azure Active Directory
  2. Note your tenant name (e.g., contoso.onmicrosoft.com)
  3. Check Overview → Properties for tenant details
  4. View Licenses → Check your Azure AD edition
  5. Note: Free edition = up to 500,000 objects

📋 What to Observe:

  • Tenant ID (unique identifier)
  • Default directory name
  • Country/Region setting
  • Current user count
  • Available licenses (Free vs Premium features)
Step 2: Create Users and Security Groups

Set up test users and groups for RBAC practice

👤 Create Test Users:
User 1 - Developer:
  • Name: John Developer
  • Username: john.dev@yourdomain.com
  • Department: IT
User 2 - Manager:
  • Name: Sarah Manager
  • Username: sarah.mgr@yourdomain.com
  • Department: IT
👥 Create Security Groups:
Group 1:
  • Name: Developers
  • Type: Security
  • Members: John Developer
Group 2:
  • Name: Managers
  • Type: Security
  • Members: Sarah Manager

📝 Creation Steps:

  1. Azure AD → Users → New User → Create User
  2. Fill in required details, set temporary password
  3. Azure AD → Groups → New Group → Security
  4. Add created users as members
  5. Note: Groups make RBAC management easier!
Step 3: Assign RBAC Roles

Practice role assignments at different scopes

🛡️ Assignment Scenarios:

Scenario 1:
  • Role: Reader
  • Scope: Subscription
  • Assign to: Developers group
Scenario 2:
  • Role: Contributor
  • Scope: Resource Group
  • Assign to: John Developer
Scenario 3:
  • Role: Owner
  • Scope: Resource Group
  • Assign to: Managers group

📝 Assignment Steps:

  1. Go to Subscription or Resource Group
  2. Click Access Control (IAM)
  3. Click + Add → Add Role Assignment
  4. Select Role, Assign access to User/Group
  5. Search and select your users/groups
  6. Review + assign
Step 4: Test Role Permissions

Verify that roles work as expected

✅ Verification Tests:

  • Reader Test: Sign in as John Developer (through Developers group)
    • Should see resources but cannot modify
    • Try creating a VM → Should be blocked
  • Contributor Test: John's direct assignment
    • Can create/modify resources in assigned RG
    • Cannot manage access control (IAM)
  • Owner Test: Sarah Manager (through Managers group)
    • Full control including access management
    • Can assign roles to others
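The three assignment scenarios, the verification tests above, and the scope-inheritance rules from the RBAC section can all be checked offline with a small model of Azure RBAC. This is an added Python example, not Microsoft code and not part of the lab: it walks the scope chain (resource → resource group → subscription → management group), collects the role assignments found along the way (direct and via group membership), and answers each verification test against a simplified Actions / NotActions definition of Owner, Contributor and Reader. The subscription ID sub-1111, the management group mg-corp, the resource groups rg-app and rg-other, and the user names are constructed to match the lab.

```python
import re
from fnmatch import fnmatchcase

# Simplified definitions of the three built-in roles the page covers, in the
# Actions / NotActions shape Azure uses. The real Contributor role has a longer
# NotActions list; this subset is enough to show the additive model and the
# access-management gap that separates Contributor from Owner.
BUILT_IN_ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}

# A subscription's resource ID does not embed its management group, so the
# management-group level of the hierarchy is a separate relation. Constructed.
MANAGEMENT_GROUP_OF_SUBSCRIPTION = {
    "sub-1111": "/providers/Microsoft.Management/managementGroups/mg-corp",
}

# Constructed group membership and role assignments mirroring the lab scenarios.
GROUP_MEMBERSHIP = {
    "john.dev@yourdomain.com": {"Developers"},
    "sarah.mgr@yourdomain.com": {"Managers"},
}
RG_APP = "/subscriptions/sub-1111/resourceGroups/rg-app"
ROLE_ASSIGNMENTS = [  # (principal, role, scope)
    ("Developers", "Reader", "/subscriptions/sub-1111"),   # Scenario 1
    ("john.dev@yourdomain.com", "Contributor", RG_APP),     # Scenario 2
    ("Managers", "Owner", RG_APP),                          # Scenario 3
]

SCOPE_RE = re.compile(r"^(/subscriptions/[^/]+)(/resourceGroups/[^/]+)?(/providers/.+)?$")


def scope_chain(scope: str) -> list[str]:
    """The scope itself followed by each ancestor: resource -> RG -> subscription -> MG."""
    chain = [scope]
    m = SCOPE_RE.match(scope)
    if not m:
        return chain  # already a management-group scope, nothing above it in this model
    sub, rg, _ = m.groups()
    if rg and scope != sub + rg:
        chain.append(sub + rg)
    if scope != sub:
        chain.append(sub)
    mg = MANAGEMENT_GROUP_OF_SUBSCRIPTION.get(sub.split("/")[2])
    if mg:
        chain.append(mg)
    return chain


def effective_roles(principal: str, scope: str) -> set[str]:
    """Roles that apply at `scope`: direct or group assignments at the scope or any ancestor."""
    identities = {principal} | GROUP_MEMBERSHIP.get(principal, set())
    ancestors = set(scope_chain(scope))
    return {role for who, role, at in ROLE_ASSIGNMENTS if who in identities and at in ancestors}


def role_permits(role: str, action: str) -> bool:
    """A role permits an action if some Actions pattern matches and no NotActions pattern does.
    Operation names are compared case-insensitively, as Azure does."""
    definition = BUILT_IN_ROLES[role]
    action = action.lower()
    allowed = any(fnmatchcase(action, p.lower()) for p in definition["Actions"])
    excluded = any(fnmatchcase(action, p.lower()) for p in definition["NotActions"])
    return allowed and not excluded


def is_allowed(principal: str, scope: str, action: str) -> bool:
    """Azure RBAC is additive and deny-by-default: allowed if ANY effective role permits it."""
    return any(role_permits(r, action) for r in effective_roles(principal, scope))


if __name__ == "__main__":
    vm_in_app = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm1"
    vm_elsewhere = "/subscriptions/sub-1111/resourceGroups/rg-other/providers/Microsoft.Compute/virtualMachines/vm2"
    checks = [
        ("john.dev@yourdomain.com", vm_in_app, "Microsoft.Compute/virtualMachines/write"),
        ("john.dev@yourdomain.com", vm_elsewhere, "Microsoft.Compute/virtualMachines/write"),
        ("john.dev@yourdomain.com", vm_elsewhere, "Microsoft.Compute/virtualMachines/read"),
        ("john.dev@yourdomain.com", RG_APP, "Microsoft.Authorization/roleAssignments/write"),
        ("sarah.mgr@yourdomain.com", RG_APP, "Microsoft.Authorization/roleAssignments/write"),
    ]
    for principal, scope, action in checks:
        verdict = "ALLOW" if is_allowed(principal, scope, action) else "DENY"
        print(f"{principal:26} {action:48} {verdict}")
```

Because assignments are additive, John's Reader at the subscription and his Contributor at rg-app simply add up; nothing in the model subtracts rights, which is why it is Contributor's own NotActions on Microsoft.Authorization/*/Write, not any shortfall of the Reader role, that stops him from assigning roles. The same walk explains the Owner test: Sarah's Owner assignment sits on rg-app, so it is not found in the chain of any other resource group.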
Step 5: 💰 Clean Up Test Resources

Remove test users to avoid confusion

🗑️ Cleanup Steps:

  1. Remove role assignments first (IAM → Role assignments)
  2. Delete groups (Azure AD → Groups → Delete)
  3. Delete test users (Azure AD → Users → Delete)
  4. Verify removal in Deleted users section

🧠 Get Ready for Quiz 17 - Sample Questions

Here are example questions similar to what you'll see in Quiz 17. Master these Azure AD and RBAC concepts!

Sample Question 1:

"Which RBAC role allows full access to all resources and can manage access?"

  • A) Contributor
  • B) Reader
  • C) Owner ✅
  • D) Administrator

Sample Question 2:

"What is the maximum number of objects in Azure AD Free?"

  • A) 50,000
  • B) 100,000
  • C) 500,000 ✅
  • D) Unlimited

📝 Quiz 17 Topics: Azure AD editions, RBAC roles, authentication methods, MFA, conditional access, PIM, B2B, groups, tenants


Session 17 Summary

🎯 Key Takeaways - Everything You Need for Quiz 17

🏢 Azure AD Fundamentals:

  • Tenant: Your organization's dedicated Azure AD instance
  • Editions: Free (500K objects), Basic (SLA), Premium P1/P2
  • Azure AD Connect: Sync on-premises AD to Azure AD
  • B2B: External user collaboration with guest accounts

🔐 Authentication & Security:

  • MFA: Something you know/have/are
  • Passwordless: Most secure (FIDO2, Windows Hello)
  • SSPR: Self-Service Password Reset (Premium feature)

🛡️ RBAC & Access Control:

  • Owner: Full access + can manage access to others
  • Contributor: Create/modify resources, NO access management
  • Reader: View-only access to all resources
  • Scope inheritance: Child scopes inherit parent permissions

👑 Advanced Features:

  • Conditional Access: IF conditions THEN controls (Premium P1)
  • Identity Protection: Risk detection & policies (Premium P2)
  • PIM: Just-in-time privileged access (Premium P2)

🎉 Azure AD & RBAC Mastered!

You now understand how to manage identities, control access with RBAC roles, configure authentication methods, and implement advanced security features in Azure Active Directory. You're ready to secure any Azure environment!

Azure AD Editions ✓ RBAC Roles ✓ Authentication Methods ✓ Conditional Access ✓ Identity Protection ✓ PIM & B2B ✓

🚀 Ready for Quiz 17?

Excellent! You've mastered Azure Active Directory and Role-Based Access Control concepts. Now test your knowledge with Quiz 17, which covers all the identity and access management topics from this session.