
Azure AD

What are workgroups and domain services?

What is active directory?

Active Directory is a Microsoft directory service that manages and organizes information about
resources on a network, such as users, computers, printers, and other network devices. It provides a
centralized database for storing and managing this information, which allows network administrators
to manage network resources more efficiently and securely.

Active Directory is a hierarchical database that is organized into domains, each of which can contain
multiple objects, such as users, groups, and computers. It uses a domain name system (DNS) to locate
network resources and provides authentication and authorization services for users and computers
on the network.

Active Directory enables network administrators to manage network resources from a central
location, making it easier to deploy software updates, manage security settings, and enforce policies
across the network. It also allows administrators to delegate administrative tasks to specific users or
groups, which can help streamline management and improve security.

Core Active Directory objects: Users, Groups, Computers, Organizational Units

What is Azure AD

Azure Active Directory (Azure AD) is a cloud-based directory and identity management service from
Microsoft. It provides identity and access management for cloud-based and on-premises resources.
Azure AD is built on top of the same technology as Active Directory, which is used to manage
identities and access in Windows-based networks, but it is designed for the cloud.

Azure AD provides features such as single sign-on, multi-factor authentication, and access control for
cloud-based applications and resources. It also supports integration with on-premises directories,
such as Active Directory, to provide a seamless experience for users who need access to both cloud-
based and on-premises resources.

Azure AD supports a wide range of authentication protocols, including SAML, OAuth, and OpenID
Connect, which allow it to integrate with a broad range of cloud-based and on-premises applications.
It also provides a range of APIs and developer tools that enable developers to build custom integrations
with Azure AD.

In summary: Azure AD is a cloud-based directory and identity management service; it provides access
control for applications and SSO for cloud-based applications, integrates easily with on-premises AD,
and keeps copies of its data in at least two regions, so it remains highly available if a data center fails.

Azure AD Dashboard & Editions

Azure AD has a web-based management console called the Azure AD Dashboard that provides
administrators with a central location to manage their Azure AD tenant. The dashboard provides a
comprehensive view of the tenant's identity and access management settings, and allows
administrators to manage users, groups, and applications.

The Azure AD Dashboard provides a range of features, including:

Users and groups management: Administrators can create, edit, and delete user and group accounts,
and assign roles and permissions to these accounts.

Applications management: Administrators can manage application access, configure single sign-on
(SSO), and manage application proxy settings.

Conditional access: Administrators can configure conditional access policies to control access to
resources based on specific conditions, such as location, device

Pricing Table
Type of Permissions

Azure AD provides several types of permissions that can be assigned to users or groups for managing
resources and performing actions within the Azure AD tenant. Some of the key permission types in
Azure AD include:

Owner: The owner permission provides full control over the Azure AD tenant and all its resources.
Owners can add and remove users, assign permissions, and manage subscriptions.

Contributor: The contributor permission provides the ability to create and manage resources within a
specific resource group. Contributors can create, modify, and delete resources, but cannot modify
permissions.

Reader: The reader permission provides read-only access to resources within a specific resource
group. Readers can view resources but cannot make any changes.

User Access Administrator: The user access administrator permission provides the ability to manage
user access to resources within a specific resource group. User access administrators can add or
remove users from groups and assign permissions to resources.

Global Administrator: The global administrator permission provides full control over all Azure AD
resources, including the ability to manage subscriptions, users, groups, and applications.

Application Administrator: The application administrator permission provides the ability to manage
application registrations and configure SSO settings for applications.

These permissions can be assigned to users or groups at the subscription, resource group, or resource
level, depending on the level of access required. It is important to carefully manage permissions to
ensure that users have the appropriate level of access to resources without compromising security or
compliance requirements.

Azure AD role?

Azure AD provides several built-in roles that can be assigned to users or groups to manage Azure AD
resources and perform specific tasks within the Azure AD tenant. These roles are designed to provide
granular access control over Azure AD resources and allow administrators to assign specific
permissions to users based on their responsibilities.

Some of the key built-in roles in Azure AD include:

Global Administrator: This role provides full access to all Azure AD resources, including the ability to
manage users, groups, applications, and subscriptions.

User Administrator: This role provides the ability to manage user accounts, reset passwords, and
manage group membership.

Application Administrator: This role provides the ability to manage application registrations and
configure SSO settings for applications.

Conditional Access Administrator: This role provides the ability to configure conditional access
policies to control access to resources based on specific conditions, such as location, device, or user
account status.

Security Administrator: This role provides the ability to manage security settings and access to
resources within the Azure AD tenant.

Helpdesk Administrator: This role provides the ability to manage password reset requests and other
user-related tasks.

These built-in roles can be combined and customized to create custom roles that meet specific
organizational needs. Administrators can also assign permissions directly to users or groups without
using roles, but using roles helps to simplify access management and ensure that users have the
appropriate level of access to resources.

Subscription level permission in Azure AD

Subscription level permissions in Azure AD are used to manage access to Azure resources at the
subscription level. A subscription is the basic unit of billing and access control in Azure, and it provides
a logical container for deploying resources such as virtual machines, storage accounts, and databases.

Subscription level permissions are used to control who can create, modify, or delete resources within
a specific subscription. These permissions are managed through Azure role-based access control
(RBAC), which is a system that allows administrators to assign roles to users or groups to control
access to Azure resources.

There are several built-in roles that can be assigned at the subscription level in Azure AD, including:

Owner: This role provides full control over the subscription and all its resources, including the ability
to manage access control for the subscription.

Contributor: This role provides the ability to create and manage resources within the subscription,
but cannot modify access control for the subscription.

Reader: This role provides read-only access to resources within the subscription.

In addition to these built-in roles, administrators can create custom roles with specific permissions
that meet the needs of their organization. For example, a custom role could be created to provide
access to a specific type of resource within a subscription, or to restrict access to certain types of
resources.

It is important to carefully manage subscription level permissions to ensure that users have the
appropriate level of access to resources without compromising security or compliance requirements.

RBAC in Azure

Role-based access control (RBAC) is a system used in Azure to control access to resources based on
user roles. RBAC allows administrators to assign roles to users, groups, and service principals to
control what they can and cannot do within an Azure subscription or resource group.

RBAC in Azure consists of three main elements:

Roles: Azure provides several built-in roles that can be assigned to users and groups, such as Owner,
Contributor, and Reader. These roles define the permissions that users have within the subscription
or resource group.

Role assignments: Administrators can assign roles to users, groups, or service principals to grant
access to resources. A role assignment consists of a role definition and a security principal (user,
group, or service principal).

Scope: RBAC is applied at a scope such as the subscription, resource group, or individual resource.
Administrators assign a role to a user or group for a specific scope, and an assignment at a broader
scope (for example the subscription) is inherited by every resource group and resource beneath it.

By using RBAC, administrators can simplify access management and ensure that users have the
appropriate level of access to resources. For example, an administrator can assign the Contributor
role to a development team for a specific resource group, which allows them to create and manage
resources within that resource group without giving them full access to the entire subscription.

In addition to the built-in roles, administrators can create custom roles that provide specific
permissions for their organization's needs. Custom roles can be created based on built-in roles or by
defining new permissions for specific actions or resources.
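The three RBAC elements described above (role definitions, role assignments, scope) and the Owner, Contributor and Reader roles from the earlier sections, modelled as a small permission evaluator. This is an added example, not Azure's own code; the principal names, scopes and group membership are constructed, while the Actions/NotActions patterns follow the published built-in role definitions.

```python
import fnmatch
from dataclasses import dataclass

# Built-in roles in Azure's Actions/NotActions form. Contributor is "*" minus the
# Microsoft.Authorization write/delete actions, which is why it can manage resources
# but cannot change access control. Added illustration, not Azure's code.
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Delete",
                                    "Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user, group or service principal (constructed names here)
    role: str       # key into ROLE_DEFINITIONS
    scope: str      # e.g. "/subscriptions/sub1/resourceGroups/rg-dev"


def _matches(action, patterns):
    # Action names are case-insensitive and "*" spans "/" segments, as in fnmatch.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _scope_covers(assigned, target):
    # Scope inherits downward: subscription -> resource group -> resource.
    return target == assigned.rstrip("/") or target.startswith(assigned.rstrip("/") + "/")


def is_permitted(assignments, memberships, user, action, target_scope):
    """True if the user, directly or via a group, holds a role whose scope contains
    target_scope and whose Actions minus NotActions allow `action`."""
    principals = {user} | memberships.get(user, set())
    for a in assignments:
        if a.principal in principals and _scope_covers(a.scope, target_scope):
            rd = ROLE_DEFINITIONS[a.role]
            if _matches(action, rd["actions"]) and not _matches(action, rd["not_actions"]):
                return True
    return False


# Constructed sample: the page's scenario (Contributor for a dev team on one resource
# group) plus a Reader at subscription scope whose access inherits downward.
ASSIGNMENTS = [
    RoleAssignment("dev-team", "Contributor", "/subscriptions/sub1/resourceGroups/rg-dev"),
    RoleAssignment("auditor", "Reader", "/subscriptions/sub1"),
]
MEMBERSHIPS = {"alice": {"dev-team"}}
```

Running the evaluator over candidate assignments before applying them is a cheap way to confirm that a Contributor really cannot grant itself further access and that a broad-scope role reaches nothing it should not.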

User, Groups & Audit Logs in Azure

Users, groups, and audit logs are important components of Azure AD, which is the identity and access
management service in Azure. These components are used to manage user access to Azure resources
and to track and monitor user activities within Azure.

Users: Azure AD allows administrators to create and manage user accounts for accessing Azure
resources. Users can be assigned roles and permissions to control what resources they can access and
what actions they can perform. Users can also be authenticated using various methods, such as
passwords, multi-factor authentication, and single sign-on.

Groups: Azure AD groups are used to manage sets of users and assign permissions to those groups. By
creating groups, administrators can manage access to resources more efficiently and reduce the
number of individual permissions that need to be assigned. Groups can be created based on user
roles, departments, or projects.

Audit logs: Azure AD provides audit logs that track user activities within Azure. These logs can be used
to monitor and investigate security incidents, compliance issues, and user behavior. Audit logs record
events such as user sign-ins, role assignments, changes to security policies, and administrative
activities. Audit logs can be searched and filtered to find specific events, and can be exported to other
tools for further analysis.
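Triage over audit log records like the ones described above, as an added example (not Azure's own tooling): it flags every grant of one of the high-impact directory roles from the roles section. The records are constructed in the shape of Azure AD audit log entries (activityDisplayName, initiatedBy, targetResources, modifiedProperties); names and timestamps are made up.

```python
import json

# Roles the page singles out as high-impact; a grant of any of these is a finding.
PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator",
                    "Security Administrator", "Conditional Access Administrator"}


def _event(when, actor, activity, target, role=None):
    """Build a constructed record in the shape of an Azure AD audit log entry."""
    props = [{"displayName": "Role.DisplayName", "newValue": json.dumps(role)}] if role else []
    return {"activityDateTime": when, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"type": "User", "userPrincipalName": target,
                                 "modifiedProperties": props}]}


# Constructed sample log: one Global Administrator grant, one Helpdesk Administrator
# grant, one routine password reset. All names are made up.
SAMPLE_EVENTS = [
    _event("2024-01-15T09:12:03Z", "admin@contoso.example", "Add member to role",
           "bob@contoso.example", role="Global Administrator"),
    _event("2024-01-15T09:15:40Z", "admin@contoso.example", "Add member to role",
           "carol@contoso.example", role="Helpdesk Administrator"),
    _event("2024-01-15T10:02:11Z", "helpdesk@contoso.example", "Reset user password",
           "dave@contoso.example"),
]


def role_from(event):
    """Return the role named in modifiedProperties (newValue is a JSON-encoded string)."""
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                return json.loads(prop["newValue"])
    return None


def privileged_role_grants(events):
    """List (time, actor, target, role) for every privileged role assignment."""
    findings = []
    for e in events:
        if e.get("activityDisplayName") != "Add member to role":
            continue
        role = role_from(e)
        if role not in PRIVILEGED_ROLES:
            continue
        # initiatedBy.user is null when an app or service principal made the change.
        actor = (e.get("initiatedBy", {}).get("user") or {}).get("userPrincipalName", "<app>")
        for t in e.get("targetResources", []):
            findings.append((e["activityDateTime"], actor, t.get("userPrincipalName"), role))
    return findings
```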

Overall, users, groups, and audit logs are essential components of Azure AD that allow administrators
to manage user access to Azure resources, assign permissions, and track user activities. By using these
components effectively, administrators can ensure that users have the appropriate level of access to
resources and can maintain security and compliance within Azure.
