Identity and Access Management in Azure

"Identity revolves around who am I ? and how can I prove that I am the one who is claiming to be." 

Proving absolute need of access to the right people is key to success for every organization. Due to the growth of modern workspace and social life, identity management has become more challenging. Every day we deal with multiple identities within a corporate setting and forgetting identities of least recently used has become common. Thanks to "Forget Passport" - Self Service Password Reset features.  

To deal with this situation Microsoft usages its most powerful tools Active Directory - Single Source of Authority for on-premises domain user's and applications, known as On-Premises Identity, Azure Active Directory - Cloud Identity for all cloud-based application and resources and Hybrid Identities- which extends on-premises identities to the Azure Active Directory so that existing users can access cloud-based application using their identities. It enables all the management work on the on-premises active directory making it truly global as well as Central Identities Management.


Best Practices on Managing Identities in Azure

Centralized Identities:
It's the most favourable identity model for the enterprise customer where they have existing single sources of authentication management tools in place such as Active Directory. Active Directory Synchronization tools can be used to take the existing user's to the cloud or implement federated identities so that cloud users will come back to on-premises for the authentication purpose.

Cloud Only Identities: 
The startup company can take the advantages of Cloud Only Identities. It will help them to minimize the on-premises resources footprint and can move forward with operational expenses.

Choosing right Identity Model

Which identity model to adopt is the biggest decision to take and requires an in-depth understanding of the business model that currently they are adopting. Response to the following question might be helpful to take the decision based on the answer.

a. Do you have your presence in the Cloud?
b. How many users are there in your on-premises Active Directory?
c. How many application you are using?
d. Do they require Single Sign-on capabilities?
e. Are you ready to copy hash of the hash to the Cloud?

Comments

  1. cloudshinepro.com10 February 2021 at 05:06

    Thank you for sharing such a Magnificent post. I found this blog very useful for future references. keep sharing such informative blogs with us. Oracle Fusion Applications Training

    ReplyDelete

Post a Comment

Popular posts from this blog

Deploy Palo Alto in Azure

Image
There are many ways to deploy Palo Alto Firewall in Azure. Out of those options today I will discuss how Palo Alto can be configured to protect your Azure workload. This setup is suitable for Proof of Concept only. Planning-Includes Minimum Requirement - Without HA Logical Diagram:  Create Virtual Network Name: PAN-VNet Address Space: 10.0.0.0/16 Subnet Name: Management Subnet Address Space: 10.0.1.0/24 Subnet Name: Untrust Subnet Address Space: 10.0.2.0/24 Subnet Name: Trust Subnet Address Space: 10.0.3.0/24 Resource Group: PA-VNet    Subnet Spin Web Server Virtual Machine  Name: SecureWebServices Image: Windows Server 2016 Resource Group: Services Network: PAN-VNet Subnet: Trust Role: Web Server (IIS) Installed Change NSG rules of Web Server to accept request on port 80, if you wish to test the web request. However, later on, this behaviour will be controlled through firewall. Spin Palo Alto Firewall Virtual Machine Name: vmseries300 Im
Read more

Demystifying System and User Define Routes of Azure

Image
As Virtual Network is created, Azure automatically create its own route tables for that Virtual Network, so that all the packets which enters the virtual network can traverse within its address prefix and leave the subnet for its destination. These are known as the Default Routes . We can’t modify these routes; however, we can add our custom routes on top of default routes for the traffic leaving the subnet. These custome route is known as User Define Routes . In this case, we are modifying the default behaviour of packets routing but still the internal and external routing of packet is done by virtual network to ensure that our packets are never hijacked.  In another word, we are adding routes and requesting virtual network to routes traffic in the way we want. So far its not possible to route the traffic independently bypassing the Azure Virtual Network routing mechanism and for security reason I do not think this will ever be possible. Common Use Case of UDR:  Every bus
Read more

Azure Web App Vnet Integration - Hub and Spoke Scenario

Image
Integrating Web Apps with virtual network allows us to access the resources which is located within our private network space, however web apps will be still be accessible from internet. App Service Environment could be possible solution if you wish to make your Web App completely private. In this blog I will be discussing the 3 possible use cases. Integrate Web Apps with VNet and verify connectivity between Web App and a VM which is deployed within the same VNet.  Web App Integration in Hub and Spoke  Establish connectivity between On-Prem network and Azure Web App Use Case 1 - Simple We need to have the following things to meet the goal with use case 1. 1. Virtual Network - Ansible-vnet - Address Space -10.0.0.0/16 2. Provision a Gateway Subnet - Address Space - 10.0.1.0/24 3. Virtual Network Gateway - WebApp-GW : SKU - VpnGw1 4. Create Point to Site in WebApp-GW - Address Space : 172.16.201.0/24 5. Since, SKU - VpnGw1 is used, IKEv2 VPN should be unchecked. (
Read more