Azure Architecture Explained - David Rendón - E-Book

Description

Azure is a sophisticated technology that requires a detailed understanding to reap its full potential and employ its advanced features. This book provides you with a clear path to designing optimal cloud-based solutions in Azure, by delving into the platform's intricacies.

You’ll begin by understanding the effective and efficient security management and operation techniques in Azure to implement the appropriate configurations in Microsoft Entra ID. Next, you’ll explore how to modernize your applications for the cloud, examining the different computation and storage options, as well as using Azure data solutions to help migrate and monitor workloads. You’ll also find out how to build your solutions, including containers, networking components, security principles, governance, and advanced observability. With practical examples and step-by-step instructions, you’ll be empowered to work on infrastructure-as-code to effectively deploy and manage resources in your environment.

By the end of this book, you’ll be well-equipped to navigate the world of cloud computing confidently.

The e-book can be read in Legimi apps or in any app that supports the following format:

EPUB

Page count: 463

Year of publication: 2023


Azure Architecture Explained

A comprehensive guide to building effective cloud solutions

David Rendón

Brett Hargreaves

BIRMINGHAM—MUMBAI

Azure Architecture Explained

Copyright © 2023 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Preet Ahuja

Publishing Product Manager: Suwarna Rajput

Senior Editor: Sayali Pingale

Technical Editor: Nithik Cheruvakodan

Copy Editor: Safis Editing

Project Manager: Sean Lobo

Proofreader: Safis Editing

Indexer: Sejal Dsilva

Production Designer: Ponraj Dhandapani

Senior Marketing Coordinator: Linda Pearlson

Marketing Coordinator: Rohan Dobhal

First published: September 2023

Production reference: 1230823

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB, UK

ISBN 978-1-83763-481-1

www.packtpub.com

I would like to express my deepest gratitude to my beloved family, whose unwavering support and unconditional love have made this journey possible. To my remarkable son; you are the shining star that fills my world with joy and purpose. Your laughter and innocent curiosity inspire me to be the best version of myself. And to my extraordinary wife; you are the anchor that keeps our family grounded, and the light that guides us through every storm. This book is a testament to the immeasurable impact you have had on my life, and I dedicate its words to each and every one of you.

– David Rendón

To my amazing wife and our three wonderful children. Their understanding of my working extra hours to write books makes the process so much easier – even if they still don’t know what I actually do for a living!

I’d also like to thank my incredible colleagues at IR77 Ltd. Thank you for your hard work, dedication, and friendship. I’m so lucky to work with such a talented team.

Finally, this book is for all of you who are passionate about learning and technology. I hope it inspires you to continue exploring the world of technical innovation.

– Brett Hargreaves

Foreword

At Microsoft, we work hard to create tools that enable businesses to build amazing solutions using the latest technologies. Azure in particular is a platform that has changed the world completely by providing the newest and most advanced services available, from AI, mass data storage, and data science to web apps, reporting, and analytics – in fact, just about every technology you can think of (and a few more!).

However, with tools as powerful and flexible as Azure, to get the most out of them, you need to know how to use them properly.

Security is, of course, a key aspect of any solution, and mistakes can easily be made if the services provided aren’t configured correctly. Similarly, costs can quickly get out of hand if you don’t manage them or make the best use of the right component for the job.

This is why Azure Architecture Explained is vital and does an amazing job of explaining some of the fundamental processes and designs to make sure your Azure solutions are secure, performant, resilient, and, of course, cost-effective.

David and Brett will walk you through how to implement security through identity and access management best practices, as well as implementing and using services such as Microsoft Defender and Entra.

You’ll learn how to choose and architect the right solutions for your needs, choose the right storage and compute mechanisms, as well as implement networking and governance processes to further secure and control your applications.

The book finishes with a great section on using infrastructure-as-code – using Bicep, Azure Pipelines, and CI/CD practices to deploy your systems quickly and easily in a controlled and repeatable manner.

Azure Architecture Explained has just the right mix of conceptual architecture and practical hands-on explanations to help you quickly and confidently start building state-of-the-art solutions using Microsoft’s best practices.

Sarah Kong

Microsoft Technical Trainer at Microsoft | Learning Room Expert | Coach | Blogger | Podcaster | Public Speaker

Contributors

About the authors

David Rendón, Microsoft MVP and Microsoft Certified Trainer, is a highly regarded expert in the Azure cloud platform. With over 15 years of experience as an IT professional, he has been deeply committed to Microsoft technologies, especially Azure, since 2010.

With a proven track record of leading and driving strategic success, David has over seven years of management experience, technical leadership, and collaboration skills.

David delivers private technical training classes worldwide, covering EMEA, South America, and the US, and he is a frequent speaker at renowned IT events such as Microsoft Ignite, Global Azure, and local user group gatherings in the US, Europe, and Latin America. Stay connected with David on LinkedIn at /daverndn.

Brett Hargreaves is a principal Azure consultant for Iridium Consulting, who has worked with some of the world’s biggest companies, helping them design and build cutting-edge solutions. With a career spanning infrastructure, development, consulting, and architecture, he’s been involved in projects covering the entire solution stack using Microsoft technologies.

He loves passing on his knowledge to others through books, blogging, and his online training courses.

About the reviewers

Vaibhav Gujral is a director at Capgemini, where he drives cloud innovation and excellence for BFSI clients across geographies. As a trusted technology advisor, he helps clients shape their cloud transformation solutions by understanding their business drivers, priorities, and challenges. He specializes in cloud strategy and governance, cloud security, cloud architecture, application architecture, microservices architecture, and FinOps and DevOps practices.

He has over 17 years of IT experience and is a 4x Microsoft Azure MVP, a prestigious award given to exceptional technical community leaders who share their expertise and passion for Azure. He runs the Omaha Azure User Group and is a regular speaker at conferences.

I’d like to thank my family and friends who understand the time and commitment it takes to make community contributions such as reviewing books. I would also like to thank Packt for offering me the opportunity to review this book.

Bram van den Klinkenberg has worked in IT for over 20 years. He grew from a helpdesk employee to a Windows server administrator to a change manager, and moved back to the technical side of IT as a DevOps engineer. In the past eight years, his focus has been on Azure and he has specialized in automation, Kubernetes, container technology, and CI/CD.

As a consultant, he has fulfilled roles as a senior cloud engineer, senior platform engineer, senior DevOps engineer, and cloud architect.

I would like to thank Packt and the writers for asking me to review their book. It has been a new and good experience that has also taught me new things and given me new insights.

Kasun Rajapakse, a DevOps engineer at Robeco Nederland, is a cloud enthusiast from Sri Lanka with over 9 years of experience. Specializing in Kubernetes, he shares his expertise through technical blogs at https://kasunrajapakse.me. As a speaker, Microsoft Certified Trainer, and MVP, Kasun actively contributes to the community. With certifications from Microsoft, AWS, and Google Cloud, he is dedicated to advancing cloud technologies. In addition to his blogging endeavors, Kasun actively contributes to the technology community through his engagements as a speaker at user groups and conferences.

Table of Contents

Preface

Part 1 – Effective and Efficient Security Management and Operations in Azure

1

Identity Foundations with Azure Active Directory and Microsoft Entra

Protecting users’ identities and securing the value chain – the importance of IAM in decentralized organizations

Authentication and authorization in Azure

Engaging and collaborating with employees, partners, and customers

The significance of digital identities in the modern IT landscape

Modernizing your IAM with Microsoft Azure AD

Life cycle management

Leveraging the Microsoft Cloud Adoption Framework

Azure AD terminology, explained

Securing applications with the Microsoft identity platform

Securing cloud-based workloads with Microsoft Entra’s identity-based access control

Azure AD

Microsoft Entra Permissions Management

Microsoft Entra Verified ID

Microsoft Entra workload identities

Microsoft Entra Identity Governance

Microsoft Entra admin center

Summary

2

Managing Access to Resources Using Azure Active Directory

Understanding the need for IAM

Understanding Azure AD (now Microsoft Entra ID)

Exploring the Microsoft Entra ID editions

Microsoft Entra ID Premium P2

Understanding the capabilities of Microsoft Entra ID

Task 1 – creating a new Azure AD tenant using the Azure portal

Task 2 – creating and configuring Azure AD users

Task 3 – creating an Azure AD group with dynamic membership

Hybrid identity – integrating your on-premises directories (Azure AD Connect sync and cloud sync)

Azure AD Connect sync

Azure AD Connect cloud sync

Azure AD Application Proxy

Azure AD Conditional Access

Azure AD PIM

Assigning roles in PIM

Summary

3

Using Microsoft Sentinel to Mitigate Lateral Movement Paths

Understanding the Zero Trust strategy

Understanding lateral movement

Leveraging Microsoft Sentinel to improve your security posture

Collecting data

Detecting threats

Investigating anomalies

Responding to incidents

Enabling Microsoft Sentinel

Global prerequisites

Enabling Microsoft Sentinel using the Bicep language

Enabling Microsoft Sentinel using the Azure portal

Setting up data connectors

Mitigating lateral movements

An Office 365 impersonation following a suspicious Azure AD sign-in

Suspicious inbox manipulation rules set following suspicious Azure AD sign-in

Summary

Part 2 – Architecting Compute and Network Solutions

4

Understanding Azure Data Solutions

Technical requirements

Understanding Azure storage types

Structured data

Unstructured data

Semi-structured data

Azure storage accounts

Understanding Azure database options

Azure SQL

Azure Cosmos DB

Creating a Cosmos DB account

Summary

5

Migrating to the Cloud

Technical requirements

Understanding migration options

Managing servers

Update management

VM backups

Modernizing applications

Scale sets

Azure App Service/Web Apps

Further modernization

Migrating data

Summary

6

End-to-End Observability in Your Cloud and Hybrid Environments

Understanding the importance of a monitoring strategy

Working on an effective monitoring strategy

Azure Monitor – a comprehensive solution for observability and efficiency

Components

Data sources

Consumption

Summary

7

Working with Containers in Azure

Understanding cloud-native applications

Understanding the difference between virtual machines and containers

Terminology

Azure Container Instances

Working with Azure Container Instances

Creating the Azure Container Registry instance

Pushing a container image to ACR

Creating an Azure Container Instance

Deploying Azure Container Instance for web app

Creating Azure Container Apps

Summary

Further reading

8

Understanding Networking in Azure

Connectivity in Azure

Design considerations for VNets

Exercise 1 – design and implement a virtual network in Azure

Enabling cross-virtual-network connectivity

Using service chaining to direct traffic to a gateway

The hub-spoke network topology in Azure

Azure virtual NAT

Hybrid networking

Azure VPN Gateway

Site-to-site VPN connections

Point-to-site VPN connections

Azure Virtual WAN

ExpressRoute

Decision tree on network topology

Load balancing

Load balancing non-HTTP(S) traffic

Load balancing HTTP(S) traffic

Network security

Azure DDoS protection

Azure Firewall

Exercise 2 – Azure Firewall – implement secure network access using the Bicep language

Azure WAF

Summary

9

Securing Access to Your Applications

Technical requirements

Designing for security

Securing traffic

SQL database firewalls

Web application VNet integration

Azure Firewall

Application Gateway

Azure Front Door

What to use and when?

Configuring network-level security

Testing and securing the app

Creating an Azure application gateway

Securing keys and secrets

Using managed identities

Summary

Part 3 – Making the Most of Infrastructure-as-Code for Azure

10

Governance in Azure – Components and Services

Planning a comprehensive cloud governance strategy

Understanding Azure governance

Azure governance – components and services

Management groups

Azure Policy

Azure Blueprints

Azure Resource Graph

Microsoft Cost Management

Microsoft Cost Management components

Summary

11

Building Solutions in Azure Using the Bicep Language

Unlocking the benefits of IaC with Azure Resource Manager

Authoring Bicep files

Bicep file structure

Working with parameters

Parameter data types

Bicep modules

Previewing Azure deployment changes using what-if

Summary

12

Using Azure Pipelines to Build Your Infrastructure in Azure

Understanding the relationship between continuous integration, continuous delivery, and pipelines

Understanding Azure Pipelines

Configuring Azure DevOps

Configuring Azure Repos

Importing a repository into Azure Repos

Configuring a build pipeline in Azure DevOps using the Classic Editor

Configuring a release pipeline in Azure DevOps using the Classic Editor

Configuring Azure Pipelines with YAML

Summary

13

Continuous Integration and Deployment in Azure DevOps

DevOps transformation – achieving reliable and efficient software development through CI and CD practices

CI in Azure DevOps using the Classic Editor

CD in Azure DevOps

CI/CD baseline architecture using Azure Pipelines

Building a multistage YAML pipeline

Configuring a new project in Azure DevOps

Configuring CI/CD pipelines with YAML

Summary

14

Tips from the Field

Azure governance

Azure monitoring

Identity management and protection

Azure networking

Azure containers

Summary

Index

Other Books You May Enjoy

Preface

In today’s rapidly evolving technological landscape, the community requires comprehensive guidance to fully explore the advanced features and use cases of Azure. This book provides you with a clear path to designing optimal cloud-based solutions in Azure. By delving into the platform’s intricacies, you will acquire the knowledge and skills to overcome obstacles and leverage Azure effectively.

The book establishes a strong foundation, covering vital topics such as compute, security, governance, and infrastructure-as-code. Through practical examples and step-by-step instructions, the book empowers you to build custom solutions in Azure, ensuring a hands-on and immersive learning experience.

By the time you reach the final pages of this book, you will have acquired the knowledge and expertise needed to navigate the world of cloud computing with confidence. Operating a cloud computing environment has become indispensable for businesses of all sizes, and Azure is at the forefront of this revolution. Discover strategies, best practices, and the art of leveraging the Microsoft cloud platform for innovation and organizational success. This book equips you with the tools to harness the full potential of Azure and stay ahead in today’s competitive digital landscape.

Who this book is for

The book is targeted toward Azure architects who develop cloud-based computing services or focus on deploying and managing applications and services in Microsoft Azure. They are responsible for various IT operations, including budgeting, business continuity, governance, identity, networking, security, and automation. It’s for people with experience in operating systems, virtualization, cloud infrastructure, storage structures, and networking and who want to learn how to implement best practices in the Azure cloud.

What this book covers

Chapter 1, Identity Foundations with Azure Active Directory and Microsoft Entra, covers key topics in IAM, including authentication, authorization, collaboration, and the significance of digital identities.

Chapter 2, Managing Access to Resources Using Azure Active Directory, provides an overview of Azure Active Directory and its capabilities for IAM, covering key components such as Azure Active Directory Connect, Azure Active Directory Application Proxy, Conditional Access, and Privileged Identity Management.

Chapter 3, Using Microsoft Sentinel to Mitigate Lateral Movement Paths, explores how Microsoft Sentinel detects and investigates security threats, compromised identities, and malicious actions. It emphasizes the importance of mitigating lateral movement, using Sentinel to prevent attackers from spreading within a network and accessing sensitive information.

Chapter 4, Understanding Azure Data Solutions, explores data storage options in Azure, including considerations for structured, semi-structured, and unstructured data. It covers Azure Storage accounts and SQL options and highlights Cosmos DB as a powerful NoSQL database solution for global solutions.

Chapter 5, Migrating to the Cloud, covers the migration of on-premises workloads to Azure, discussing strategies such as lift and shift, refactor, rearchitect, or rebuild. It explores options for moving compute to Azure, including scale sets and web apps for minimal code changes. Additionally, it addresses migrating SQL databases to Azure, considering questions, the potential issues, and utilizing the DMA tool for analysis and migration.

Chapter 6, End-to-End Observability in Your Cloud and Hybrid Environments, emphasizes the significance of a unified monitoring strategy across various environments, including Azure, on-premises, and other cloud providers.

Chapter 7, Working with Containers in Azure, provides insights into Azure containers, including their usage compared to Azure virtual machines, the features and use cases of Azure Container Instances, and the implementation of Azure container groups. It also explores the features and benefits of Azure Container Registry and the automation capabilities provided by ACR Tasks. Furthermore, it covers Azure Container Apps, its components, and how it enables running microservices on a serverless platform.

Chapter 8, Understanding Networking in Azure, emphasizes implementing controls to prevent unauthorized access and attacks. Designing a secure network is crucial in Azure, and this chapter explores the network security options, tailored to meet organizational security needs.

Chapter 9, Securing Access to Your Applications, emphasizes the importance of considering application architecture to secure access and explores tools such as VNet integration, SQL firewalls, Azure Firewall, Application Gateway, Front Door, Azure Key Vault, and managed identities to achieve this.

Chapter 10, Governance in Azure – Components and Services, addresses how Azure governance is crucial for the effective management of cloud infrastructure, compliance, security, cost optimization, scalability, and consistency. This chapter covers key components such as management groups, policies, blueprints, resource graphs, and cost management, highlighting the need for continuous improvement.

Chapter 11, Building Solutions in Azure Using the Bicep Language, discusses how Azure Bicep offers numerous benefits for organizations using Azure cloud services, simplifying resource provisioning through infrastructure-as-code templates. This enables consistent and repeatable deployments, reduces errors, and facilitates version control.

Chapter 12, Using Azure Pipelines to Build Your Infrastructure in Azure, helps you understand how Azure Pipelines automates software development pipelines, minimizing errors and enabling development teams to concentrate on producing high-quality software. This chapter also covers Azure DevOps setup, repository configuration with Azure Repos, the creation of build and release pipelines, and verifying resource creation in the Azure environment.

Chapter 13, Continuous Integration and Deployment in Azure DevOps, discusses how incorporating CI/CD with Azure Pipelines enhances software delivery with improved quality, speed, and efficiency. This comprehensive platform automates the software delivery process, allowing teams to detect and resolve issues early, resulting in fewer bugs and stable releases.

Chapter 14, Tips from the Field, provides an overview of top best practices for organizations, including Azure governance, monitoring, access management, network security, and container deployment.

To get the most out of this book

Software/hardware covered in the book | Operating system requirements
An Azure subscription | None
Azure PowerShell | Windows, Linux, or macOS

If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book’s GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.

Download the example code files

You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Azure-Architecture-Explained. If there’s an update to the code, it will be updated in the GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: When an Azure AD tenant is created, it comes with a default *.onmicrosoft.com domain. A custom domain name such as springtoys.com can be added to the Azure AD tenant to make usernames more familiar to the users.

A block of code is set as follows:

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  }
}

Bold: Indicates a new term, an important word, or words that you see on screen. For instance, words in menus or dialog boxes appear in bold. Here is an example: As the modern IT landscape continues to evolve, so does the importance of effective identity and access management (IAM) solutions.

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.


Part 1 – Effective and Efficient Security Management and Operations in Azure

This section addresses how organizations can confidently leverage the power of the cloud while safeguarding their assets and maintaining a strong security posture.

This part has the following chapters:

Chapter 1, Identity Foundations with Azure Active Directory and Microsoft Entra

Chapter 2, Managing Access to Resources Using Azure Active Directory

Chapter 3, Using Microsoft Sentinel to Mitigate Lateral Movement Paths

1

Identity Foundations with Azure Active Directory and Microsoft Entra

In today’s rapidly changing digital landscape, businesses need to embrace cloud technology to remain competitive. Microsoft Azure provides a powerful suite of cloud services, enabling organizations to achieve scalability, agility, and cost-effectiveness. However, adopting Azure can be a daunting task, with a wide range of tools and services to navigate.

This book aims to simplify the process by providing a comprehensive guide to the most essential Azure topics, including managing access to resources, mitigating security threats with Microsoft Sentinel, understanding data solutions, and migrating to the cloud. With a focus on practical applications and real-world scenarios, this book also covers end-to-end observability, working with containers, networking, security principles, governance, building solutions with the Bicep language, and using Azure Pipelines for continuous integration and deployment. The book also includes tips from the field, sharing best practices and common pitfalls to avoid. By the end of this book, readers will have a solid foundation in Azure technologies and be well equipped to implement cloud solutions that drive their organization’s success.

As the modern IT landscape continues to evolve, so does the importance of effective identity and access management (IAM) solutions. Authentication and authorization, engaging and collaborating with employees, partners, and customers, and the significance of digital identities are just a few critical concepts that must be considered by organizations to maintain secure and efficient operations.

Azure Active Directory (AD), a cloud-based identity management service, is an integral component of Microsoft Entra. Microsoft Entra, a powerful identity-driven security tool, offers a comprehensive perspective on IAM in diverse environments. This chapter will delve into the importance of IAM in contemporary organizations, emphasizing the pivotal role of solutions such as Azure AD and Microsoft Entra in bolstering security measures.

In this chapter, we’ll cover the following main topics:

Protecting users’ identities and securing the value chain – the importance of IAM in decentralized organizations

Authentication and authorization in Azure

Engaging and collaborating with employees, partners, and customers

The significance of digital identities in the modern IT landscape

Securing cloud-based workloads with Microsoft Entra’s identity-based access control

Let’s get started!

Protecting users’ identities and securing the value chain – the importance of IAM in decentralized organizations

Over the last decade, organizations have been decentralizing and outsourcing non-core functions to suppliers, factories, warehouses, transporters, and other stakeholders in the value chain, making it more complex and vulnerable. This is most notable in global manufacturing and retail, where decentralization is crucial to introduce efficiency, lower costs, and decrease supply chain disruption risks.

These companies are pursuing multiple strategies to maximize the value of the various functions spread across multiple external businesses. Each point of resource access can bridge several security domains, making it a potential entry point for unauthorized users. The result can be information being accessed with malicious intent, or accidentally by users who do not realize they should not have it.

As digital transformation continues to change how we interact with businesses and other users, the risk of identity data being exposed in breaches has increased, causing damage to people’s social, professional, and financial lives. What are your beliefs about protecting users’ identities?

In our opinion, every individual has the right to own and control their identity securely, with elements of their digital identity stored in a way that preserves privacy.

Organizations must have a comprehensive cybersecurity strategy to protect the value chain from security risks. A robust strategy involves a multi-layered approach that includes network segmentation, data encryption, secure access controls, and continuous monitoring to identify potential security breaches.

It’s also crucial to implement policies for data access and management across the value chain to control who has access to sensitive information and how it’s used. As organizations continue to decentralize and outsource non-core functions to suppliers, it’s essential to establish trust between partners and have transparency in data management to ensure data security and privacy.

Therefore, data protection and access control are essential for organizations to maintain the confidentiality, integrity, and availability of their digital assets. IAM is a critical component of modern cybersecurity, encompassing a range of technologies and processes that enable organizations to control user access to applications, systems, and data.

IAM is crucial to maintaining the security of an enterprise’s digital assets, including confidential data, applications, and systems. By implementing IAM, organizations can ensure that only authorized individuals can access sensitive information, reducing the risk of data breaches and cyberattacks. IAM also provides an efficient way to manage user accounts, credentials, and permissions, making adding or removing users as necessary easier.

IAM is a crucial technology framework that enables organizations to ensure that their resources are only accessed by authorized individuals. The framework includes two main functions: authentication and authorization. In the next section, we will discuss how IAM solutions can help organizations reduce security risks and protect their sensitive data from unauthorized access and data breaches.

Authentication and authorization in Azure

IAM is a technology framework that helps organizations ensure that the right people have access to the right resources. IAM includes two main functions: authentication and authorization.

Authentication is the process of verifying the identity of a user. It ensures that a user is who they claim to be before they can access an organization’s resources. For example, when you log in to your email account, you must enter your username and password. This form of authentication helps the email provider ensure that you are the legitimate user of the account.

Authorization, conversely, is the process of determining what resources a user is allowed to access after their identity has been verified. For instance, once you have logged in to your email account, the email provider uses authorization to determine what you can do with your account. For example, you may have permission to read emails, compose emails, and send emails, but you may not have permission to delete emails. Authorization helps ensure that users only have access to the resources they are authorized to use.

Another vital component related to the preceding two concepts is multifactor authentication (MFA). Think of MFA as a security process that requires users to provide two or more credentials to access a system or application. These credentials can include something the user knows (such as a password), something the user has (such as a smart card or mobile phone), or something the user is (such as a fingerprint or facial recognition). By requiring multiple authentication factors, MFA makes it more difficult for unauthorized individuals to access sensitive information or systems, even if they do obtain one of the user’s credentials.

For example, a bank may require MFA when a user tries to access their online banking account. After entering their username and password, the user is prompted to enter a unique code generated by a mobile app or sent via text to their phone. This code is a second factor of authentication that proves the user’s identity beyond their login credentials. By requiring this extra step, the bank ensures that only the authorized user can access their account, even if someone else has obtained their login information.

With IAM, organizations can streamline their access management processes, reducing the burden on IT staff and improving overall efficiency. Additionally, IAM can help organizations comply with regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) or General Data Protection Regulation (GDPR), by providing auditable access controls and ensuring user access aligns with policy requirements.

Effective IAM solutions help organizations enforce security policies and comply with regulations by ensuring users can access only the resources they need to do their jobs.

IAM solutions also provide audit trails and visibility into user activity, making identifying and mitigating security incidents and compliance violations easier. By implementing robust IAM strategies, organizations can reduce security risks and protect their sensitive data from unauthorized access and data breaches.

Engaging and collaborating with employees, partners, and customers

Collaboration and communication are critical components of a successful organization, and they can be challenging to achieve without the proper infrastructure in place. The IT team of an organization may struggle to provide secure access for external users, leaving employees isolated and limited to email communications, which can lead to inefficiencies in managing marketing campaigns and hinder the exchange of ideas between team members. However, with the proper infrastructure that supports IAM, organizations can improve productivity, reduce costs, and increase work distribution while fostering a culture of teamwork and sharing. Improved visibility and consistency in managing project-related information can help teams track tasks and commitments, respond to external demands, and build better relationships with partners and external contributors.

Organizations need to prioritize collaboration capabilities and invest in the right tools and technologies to realize these benefits. This can include everything from shared workspaces and project management platforms to video conferencing and secure access controls. By providing employees with the tools they need to work together effectively, businesses can create a more dynamic and responsive organization better equipped to compete in a rapidly changing marketplace.

The significance of digital identities in the modern IT landscape

In today’s digital age, digital identities are essential for accessing IT-related services. An identity strategy goes beyond provisioning and adding or removing access; it also determines how an organization manages accounts, the standards for validating them, and what a user or service can access.

Reporting on activities that affect identity life cycles is also an essential component of an identity strategy. A well-formed identity infrastructure is based on guidelines, principles, and architectural designs that provide organizations with interoperability and flexibility to adapt to ever-changing business goals and challenges.

An effective identity infrastructure should be based on integration and manageability standards while being user-friendly and secure. In order to simplify the end user experience, the infrastructure should provide easy-to-use and intuitive methods for managing and accessing digital identities. With a well-designed and implemented identity infrastructure, organizations can reduce the risk of unauthorized access to their IT resources and improve their overall security posture. Additionally, a standardized identity infrastructure can facilitate collaboration between organizations and make it easier for users to access resources across multiple organizations.

Also, with the growing trend of organizations seeking to invest in cloud services to achieve modernization, cost control, and new capabilities, IAM capabilities have become the central pillar for cloud-based scenarios. Azure AD has become a comprehensive solution that addresses these requirements for both on-premises and cloud applications. The following section provides insights into common scenarios and demonstrates how Azure AD can help with planning and preparing organizations to use cloud services effectively.

Modernizing your IAM with Microsoft Azure AD

Microsoft’s Azure AD is a cloud-based IAM service designed to help organizations manage access to resources across different cloud environments. With Azure AD, organizations can control access to cloud applications, both Microsoft and non-Microsoft, through a single identity management solution. This enables employees to access the tools and information they need from any device, anywhere in the world, with increased security and efficiency.

The following figure highlights the structure of Azure AD.

Figure 1.1 – Azure AD

Azure AD provides several benefits for organizations looking to modernize their IT infrastructure. It offers seamless integration with other Azure services and enables IT administrators to manage user identities and security policies and access resources from a central location. Additionally, it provides MFA and Conditional Access policies to help protect against identity-based attacks.

Organizations can also use Azure AD to manage access to third-party applications, including Software as a Service (SaaS) applications, such as Salesforce, Box, and Dropbox, providing a consistent and secure user experience across different cloud environments.

However, IAM tasks can significantly burden IT departments, taking up valuable time that could be spent on higher-value work. A crucial piece of an IAM solution is its life cycle management capabilities.

Life cycle management

Provisioning new users can be tedious, requiring administration and configuration across multiple systems. Users may have difficulty obtaining the necessary access to perform their jobs, causing delays and inefficiencies.

For example, the IT team of SpringToys, an online retail organization, may have to access and configure multiple identity utilities and repositories to onboard a new user for online services, making the process even more complicated. With an ad hoc manual method, achieving stringent levels of control and compliance with necessary regulatory standards can be challenging. Each time an employee needs to access an IT service, IT staff must manually handle the request and perform administrative tasks to enable access, creating inefficiencies and delays that impact productivity. By implementing a robust IAM solution, organizations can reduce the burden on IT staff, streamline IAM processes, and improve security and compliance posture.

Effective management of the identity life cycle can bring numerous benefits to organizations, including reducing the time and cost of integrating new users and improving security by controlling access to resources centrally.

By maximizing the investments in existing on-premises identities, organizations can extend them to the cloud, reducing the time for new users to access corporate resources and streamlining the provisioning process. Consistent application of security policies enhances the security posture and reduces exposure to outdated credentials. It also minimizes business interruptions and reduces the time and cost required to enable applications to be accessible from the internet.

Additionally, the increased capacity of IT to develop core application features and the ability to delegate specific administration tasks can lead to increased flexibility and auditing capabilities, enhancing the overall efficiency and effectiveness of IAM solutions.

Leveraging the Microsoft Cloud Adoption Framework

If your organization is on its journey of adopting Azure IAM, consider leveraging the Microsoft Cloud Adoption Framework (CAF) for Azure (https://bit.ly/azurecaf), a guide that helps organizations create and implement strategies for cloud adoption in their business.

It provides a set of best practices, guidance, and tools for different stages of cloud adoption, from initial planning to implementation and optimization. The framework is designed to help organizations develop a comprehensive cloud adoption plan, create a governance structure, and identify the right tools and services for their specific business needs.

The CAF comprises multiple stages: strategy, plan, ready, migrate, innovate, secure, manage, and govern. Each stage includes a set of recommended practices, tools, and templates that help organizations to assess their readiness, build a cloud adoption plan, migrate applications and data to the cloud, and optimize cloud resources.

The following figure highlights the CAF stages:

Figure 1.2 – Microsoft CAF for Azure

The framework is flexible and can be customized to fit an organization’s specific needs. It is designed to work with different cloud services and technologies, including Microsoft Azure, Amazon Web Services (AWS), and Google Cloud.

Also, the CAF includes a specific IAM design area that focuses on providing guidance and best practices for designing secure and scalable IAM solutions in the Azure cloud platform. This includes managing identities, implementing authentication and authorization mechanisms, and establishing proper governance and compliance policies. By following the Azure IAM design principles, organizations can ensure their cloud environments are secure and compliant and effectively manage access to their cloud resources.

Utilize this framework to expedite your cloud adoption process. The accompanying resources can assist you in every stage of adoption. These resources, including tools, templates, and assessments, can be applied across multiple phases: https://bit.ly/azure-caf-tools.

Azure AD terminology, explained

Azure AD is a system used to manage access to Microsoft cloud services. It involves several terms that are important to understand. Identity is something that can be authenticated, such as a user with a username and password or an application with a secret key or certificate. An account is an identity that has data associated with it.

Azure AD supports two distinct types of security principals: user principals, which represent user accounts, and service principals, which represent applications and services. A user principal encompasses a username and password, while a service principal (also referred to as an application object/registration) can possess a secret, key, or certificate.

An Azure AD account is an identity created through Azure AD or another Microsoft cloud service, such as Microsoft 365. The account administrator manages billing and all subscriptions, while the service administrator manages all Azure resources.

The owner role helps manage Azure resources and is built on a newer authorization system, called Azure role-based access control (RBAC). The Azure AD Global Administrator is automatically assigned to the person who created the Azure AD tenant and can assign administrator roles to users.

An Azure tenant is a trusted instance of Azure AD created when an organization signs up for a Microsoft cloud service subscription. A custom domain name can be added to Azure AD to make usernames more familiar to users.

When an Azure AD tenant is created, it comes with a default *.on.microsoft.com domain. A custom domain name such as springtoys.com can be added to the Azure AD tenant to make usernames more familiar to the users.

For example, imagine SpringToys wanting to use Microsoft Azure to store and manage its data. They would need to create an Azure subscription, which would automatically generate an Azure AD directory for them. They would then create Azure AD accounts for each employee who needs access to the company’s data stored in Azure.

Each employee’s Azure AD account would be associated with their Microsoft 365 account, which they use to log in to their work computer and access company resources. The company could also add a custom domain name to Azure AD so that employees can use email addresses with their company’s domain name, such as an address at springtoys.com, to log in to their Azure AD account. The company would also need to assign roles to each employee’s Azure AD account, such as the owner role or service administrator role, to manage access to Azure resources. In broad terms, Azure roles govern permissions for overseeing Azure resources, whereas Azure AD roles govern permissions for managing Azure AD resources.

The following table summarizes the Azure AD terminology:

Concept | Description
Identity | An object that can be authenticated
Account | An identity that has data associated with it
Azure AD account | An identity created through Azure AD or another Microsoft cloud service
Azure AD tenant/directory | A dedicated and trusted instance of Azure AD; a tenant is automatically created when your organization signs up for a Microsoft cloud service subscription

Azure AD is a crucial aspect of cloud security that enables organizations to control access to their resources and data in the cloud.

Securing applications with the Microsoft identity platform

Managing the information of multiple usernames and passwords across various applications can become challenging, time-consuming, and vulnerable to errors. However, this problem can be addressed using a centralized identity provider. Azure AD is one such identity provider that can handle authentication and authorization for various applications. It provides several benefits, including conditional access policies, MFA, and single sign-on (SSO). SSO is a significant advantage as it enables users to sign in once and automatically access all the applications that share the same centralized directory.

More broadly speaking, the Microsoft identity platform simplifies authentication and authorization for application developers. It offers identity as a service and supports various industry-standard protocols and open source libraries for different platforms. Developers can use this platform to build applications that sign in to all Microsoft identities, get tokens to call Microsoft Graph, and access other APIs. Simply put, by utilizing the Microsoft identity platform, developers can reduce the complexity of managing user identities and focus on building their applications’ features and functionality.

Microsoft’s identity platform can help organizations streamline identity management and improve security. Organizations can take advantage of features such as conditional access policies and MFA by delegating authentication and authorization responsibilities to a centralized provider such as Azure AD. Furthermore, developers can benefit from the platform’s ease of use, supporting various industry-standard protocols and open source libraries, making it easier to build and integrate applications.

By integrating your app with Azure AD, you can ensure that your app is secure in the enterprise by implementing Zero Trust principles.

As a developer, integrating your app with Azure AD provides a wide range of benefits that help you secure your app in the enterprise. One of the significant benefits of using Azure AD is the ability to authenticate and authorize applications and users. Azure AD provides a range of authentication methods, including SSO, which can be implemented using federation or password-based authentication. This simplifies the user experience by reducing the need for users to remember multiple passwords.

Another benefit of using Azure AD is the ability to implement RBAC, which enables you to restrict access to your app’s features based on a user’s role within the organization. You can also use OAuth authorization services to authenticate and authorize third-party apps that access your app’s resources.

The Microsoft identity platform supports multiple protocols for authentication and authorization. It is crucial to understand the differences between these protocols to choose the best option for your application.

One example is the comparison between OAuth 2.0 and SAML. OAuth 2.0 is commonly used for authorization, while SAML is frequently used for authentication. The OAuth 2.0 protocol allows users to grant access to their resources to a third-party application without giving the application their login credentials. On the other hand, SAML provides a way for a user to authenticate to multiple applications using a single set of credentials. An example of SAML being used in the Microsoft identity platform is with Active Directory Federation Services (AD FS) federated to Azure AD.

Another example is the comparison between OpenID Connect (OIDC) and SAML. OIDC is commonly used for cloud-based applications, such as mobile apps, websites, and web APIs. It allows for authentication and SSO using a JSON web token. SAML, on the other hand, is commonly used in enterprise applications that use identity providers such as AD FS federated to Azure AD. Both protocols support SSO, but SAML is commonly used in enterprise applications.

The following table summarizes the protocols and descriptions and their typical usage scenarios:

Protocol | Description | Use Cases
OAuth | OAuth is used for authorization, granting permissions to manage Azure resources | When managing permissions to access and perform operations on Azure resources
OIDC | OIDC builds on top of OAuth 2.0 and is used for authentication, verifying the identity of users | When authenticating users and obtaining information about their identity
SAML | SAML is used for authentication and is commonly used with identity providers, such as AD FS, to enable SSO in enterprise applications | When integrating with enterprise applications and identity providers, particularly with AD FS federated to Azure AD

Understanding these protocols and their differences can help you choose the best option for your application and ensure secure and efficient authentication and authorization.
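The OIDC row above says authentication happens "using a JSON web token"; what that means for the application receiving the token is a fixed set of checks it must perform before trusting it. The following is an added example, not code from the book, showing those checks in Python: verify the signature first, then require that iss and tid name our tenant, that aud is our application's client ID (so an access token minted for Microsoft Graph by the same tenant is refused), and that exp and nbf bracket the current time. The tenant ID, client ID, key and claims are constructed stand-ins, and HS256 with a shared key replaces the RS256 verification against the tenant's published keys that a real Azure AD integration performs.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed identifiers for the example (not a real tenant or app registration).
TENANT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_ID = "22222222-2222-2222-2222-222222222222"
# The v2.0 issuer is tenant-specific: the tenant ID is embedded in the URL.
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
# Stand-in for the tenant's signing key. Azure AD signs tokens with RS256 and
# publishes the public keys at the tenant's JWKS endpoint; HS256 with a shared
# key is used here only so the example runs offline without extra libraries.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed sample claims resembling what a v2.0 ID token carries.
SAMPLE_NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "tid": TENANT_ID,
    "sub": "constructed-subject-id", "preferred_username": "user@springtoys.com",
    "iat": SAMPLE_NOW, "nbf": SAMPLE_NOW, "exp": SAMPLE_NOW + 3600,
}


class TokenValidationError(Exception):
    """Raised when a token fails any signature or claim check."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a JWT carrying the given claims (the identity provider's role)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode()]
    signing_input = ".".join(b64url_encode(p) for p in parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token, expected_issuer, expected_audience,
                      key=DEMO_KEY, now=None, clock_skew=300):
    """Verify an OIDC ID token the way a relying party must before trusting it.

    The signature is checked before any claim is read, so forged claims are
    never acted on. Returns the verified claims or raises TokenValidationError.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenValidationError("token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm: the verifier decides how to verify, never the token.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise TokenValidationError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise TokenValidationError("signature does not verify")

    claims = json.loads(b64url_decode(payload_b64))

    # iss: the token must come from our tenant, not from any Azure AD tenant.
    if claims.get("iss") != expected_issuer:
        raise TokenValidationError(f"issuer {claims.get('iss')!r} is not trusted")
    # tid must agree with the tenant embedded in the issuer URL.
    expected_tenant = expected_issuer.rstrip("/").split("/")[-2]
    if claims.get("tid") != expected_tenant:
        raise TokenValidationError("tid does not match the issuer's tenant")
    # aud: an ID token is addressed to our application (its client ID). A token
    # minted for another audience, e.g. an access token for Microsoft Graph,
    # is rejected even though the same tenant validly signed it.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise TokenValidationError(f"audience {aud!r} is not this application")
    # Validity window, with a small allowance for clock skew between parties.
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + clock_skew:
        raise TokenValidationError("token is expired or has no exp claim")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and now + clock_skew < nbf:
        raise TokenValidationError("token is not yet valid")
    if not claims.get("sub"):
        raise TokenValidationError("token has no subject")
    return claims


def check_id_token(token, expected_issuer, expected_audience, now=None):
    """Wrapper returning (accepted, username_or_reason) instead of raising."""
    try:
        claims = validate_id_token(token, expected_issuer, expected_audience, now=now)
    except TokenValidationError as exc:
        return False, str(exc)
    return True, claims.get("preferred_username", claims["sub"])
```

Run against a token minted with SAMPLE_CLAIMS, check_id_token accepts it; the same token with aud set to https://graph.microsoft.com, with another tenant's issuer, past its exp, or with a swapped signature is refused with the reason.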

As more companies transition their workloads to the cloud, they face the challenge of ensuring the security of their resources in these new environments. In order to effectively manage access to cloud-based workloads, organizations must establish definitive user identities and control access to data, while also ensuring that only authorized operations are performed. This is where Microsoft Entra comes in: it provides a set of components that deliver identity-based access control, permissions management, and identity governance to help organizations securely manage their cloud-based workloads.

Securing cloud-based workloads with Microsoft Entra’s identity-based access control

When transitioning workloads to the cloud, companies must consider the security implications of moving their resources. They need to define authorized users, restrict access to data, and ensure that employees and vendors only perform authorized operations. To centrally control access to cloud-based workloads, companies must establish a single definitive identity for each user that is used for every service. This identity-based access control ensures that users have the permissions they need to perform their jobs while restricting unauthorized access to resources.

Microsoft Entra comprises a set of multiple components, including the following:

Azure AD
Microsoft Entra Permissions Management
Microsoft Entra Verified ID
Microsoft Entra workload identities
Microsoft Entra Identity Governance
Microsoft Entra admin center

Let’s look at them in detail.

Azure AD

To simplify the process of securing cloud-based resources, Azure AD, a cloud-based IAM service that is part of Microsoft Entra, offers features such as SSO and MFA, which help protect both users and data. By learning the basics of creating, configuring, and managing users and groups of users, organizations can effectively control access to their cloud-based resources. Additionally, by managing licenses through Azure AD, organizations can ensure that their employees and vendors have access to the necessary tools to perform their jobs while maintaining a secure environment.

Azure AD provides three ways to define users, which are helpful for different scenarios. The first way is cloud identities, which only exist in Azure AD. These can include administrator accounts and users managed directly in Azure AD. Cloud identities are deleted when removed from the primary directory, making them an excellent option for managing temporary access to Azure resources. The following figure represents the cloud identity.

Figure 1.3 – Cloud identity

The second way is directory-synchronized identities, which exist in an on-premises AD. These users are brought into Azure through a synchronization activity with Azure AD Connect, making them useful for organizations with existing on-premises infrastructure.

You can leverage directory synchronization with Pass-through Authentication (PTA) or SSO with AD FS.

Finally, there are guest users that might exist outside of Azure or can be on a different Azure AD tenant. These can be accounts from other cloud providers or Microsoft accounts, such as an Xbox Live account. Guest users are invited to access Azure resources. They can be removed once their access is no longer necessary, making them an excellent option for external vendors or contractors who require temporary access.

Managing permissions is a critical aspect of Zero Trust security and is increasingly challenging for organizations adopting a multi-cloud strategy. With the proliferation of cloud services and identities, high-risk cloud permissions are exploding, creating a larger attack surface for organizations. IT security teams are pressured to ensure access to their expanding cloud estate is secure and compliant. However, the inconsistency of cloud providers’ native access management models makes it even more complex for security and identity teams to manage permissions and enforce least privilege access policies across their entire environment.

Microsoft Entra Permissions Management

Organizations need a cloud infrastructure entitlement management (CIEM) solution such as Microsoft Entra Permissions Management to enable comprehensive visibility into permissions assigned to all identities across multi-cloud infrastructures such as Microsoft Azure, AWS, and Google Cloud Platform (GCP). Microsoft Entra Permissions Management can detect and right-size unused and excessive permissions while continuously monitoring permissions to maintain a least privilege access policy. By implementing a CIEM solution such as Permissions Management, organizations can improve their cloud security posture and better manage access to their cloud-based resources.

Microsoft Entra Verified ID

The digital identity we use today is controlled by other parties, leading to potential privacy concerns. Users give apps and devices access to their data, making it challenging to track who has access to which information. Securely exchanging data with consumers and partners is difficult in the enterprise world. A standards-based decentralized identity system can improve user and organizational control over data, resulting in increased trust and security for apps, devices, and service providers.

Decentralized identifiers (DIDs) are a key component of verifiable credentials (VCs) in Azure AD. DIDs are unique identifiers created in a decentralized system and are not controlled by a central authority. DIDs can be used to represent individuals, organizations, devices, and other entities in a secure and privacy-preserving way. They can also be used to prove ownership of digital assets, such as domain names or social media handles.

Azure AD supports using DIDs and VCs to enable secure and trusted digital identities. This allows organizations to reduce their reliance on traditional usernames and passwords and instead use more secure and privacy-preserving methods for identity verification. The benefits of using DIDs and VCs include increased security, privacy, and interoperability, and Microsoft provides resources for developers and organizations to use DIDs and VCs in Azure AD.

Microsoft Entra workload identities

In the world of cloud computing, a workload identity is essential for authenticating and accessing other resources and services securely and efficiently. Workload identities can take different forms, such as a user account that an application uses to access a database or a service role attached to an instance with limited access to a specific resource. Regardless of its form, a workload identity ensures that the software entity can securely access the resources it needs while also helping to prevent unauthorized access and data breaches.

In Azure AD, a workload identity is a way for a software program, such as an application or service, to identify and authenticate itself when accessing other services and resources. There are three types of workload identities in Azure AD: applications, which are like templates that define how a program can access resources; service principals, which are like local copies of applications that are specific to a particular tenant; and managed identities, which are a special type of service principal that don’t require a developer to manage passwords or credentials.

Here are a few examples of how you can leverage workload identities:

You can use a managed identity to access resources protected by Azure AD without the need to manage credentials or keys to authenticate your identity
You can use workload identity federation to access Azure AD-protected resources without needing to manage secrets or credentials for workloads running in supported scenarios such as GitHub Actions, Kubernetes, or compute platforms outside Azure
You can use access reviews for service principals to review and audit the access of service principals and applications assigned to privileged directory roles in Azure AD
You can leverage Conditional Access policies for workload identities to control access to resources based on certain conditions or policies and use continuous access evaluation to monitor and evaluate access to resources in real time
You can use Identity Protection to detect and respond to identity-related risks and threats for your workload identities and apply security policies to protect your identities from cyberattacks

As organizations embrace digital transformation, the need for the secure and efficient management of access to resources becomes increasingly important. Microsoft Entra Identity Governance is a tool designed to address this need, enabling companies to balance productivity and security by ensuring the right people have access to the right resources. Identity Governance uses a foundation of identity life cycle management to keep track of who has access to what resources and ensure that access is updated as needed.

Microsoft Entra Identity Governance

Microsoft Entra Identity Governance is a tool that helps organizations balance the need to keep their data secure and ensure employees can get their work done efficiently. It helps by ensuring the right people have access to the right things, and the company can keep an eye on who is accessing what. This helps reduce the risk of someone getting access to something they shouldn’t have and helps the company ensure employees can still do their jobs.

Identity Governance helps organizations to manage access to their resources in a way that balances productivity and security. It is designed to answer questions such as “Who should have access to which resources?” and “How can we ensure that access is appropriate and secure?” To do this, Identity Governance relies on a foundation of identity life cycle management, which involves keeping track of who has access to what resources and making sure that access is updated as needed. This process helps organizations ensure that their resources are protected while enabling their employees to get the access they need to do their jobs.

Sometimes, organizations need to work with people outside of their own company. Azure AD B2B collaboration is a feature that allows companies to safely share their apps and services with other people, such as guests and partners from different organizations. This way, organizations can maintain control over their own data while still allowing others to use their resources. Microsoft Entra entitlement management will enable organizations to decide which users from other organizations can request access and become guests in their directory. It will also remove these guests when they no longer need access.

Microsoft Entra admin center

Microsoft launched the Entra admin center for its Microsoft 365 and Azure AD customers, and you can log in to the portal using your Microsoft 365 account. The Entra admin center provides customers with better security, governance, and compliance features for their organization.

The portal is accessible through the following URL: https://entra.microsoft.com.

As you can see, Microsoft Entra helps organizations to make sure the right people have access to the right things. It does this by verifying who someone is and allowing them to access the apps and resources needed to do their job. Microsoft Entra works across different environments, such as cloud and on-premises systems. It also makes it easier for people to access what they need by using smart tools to make quick decisions about who should have access to what.

Summary

This chapter covered several important topics related to IAM in the modern IT landscape. We discussed authentication and authorization, which are crucial components of any IAM solution. Then, we moved on to explore the importance of engaging and collaborating with employees, partners, and customers, as well as the role that digital identities play in this process.