📘 Day 2 – AZ-305: Designing Identity and Access in Azure

Hey friends! 👋

Welcome back to my AZ-305 learning journey. Yesterday, we talked about Azure Governance — the rules that keep your cloud clean and compliant.
Today, we’re moving into something just as important: Identity and Access.

If governance is about the “rules of the game,” identity and access is about who gets to play and what moves they can make. 🏓

🧭 What is Identity and Access?

In Azure, Identity is “who you are” (user, app, or service).
Access is “what you’re allowed to do.”

Azure uses Azure Active Directory (Azure AD) to handle all of this. Think of Azure AD as the central gatekeeper that:

• Lets the right people in ✅
• Keeps the wrong people out ❌
• Gives each person the right keys to the right doors 🔑

🔍 Key Concepts

1. Azure Active Directory (Azure AD)

Azure AD is Microsoft’s cloud-based identity service. It stores users, groups, and app identities. It also supports:

• SSO (Single Sign-On) – log in once, access many apps.
• MFA (Multi-Factor Authentication) – extra layer of security.
• External identities – invite partners, customers, or vendors to access resources.

💡 Example: Your marketing vendor logs into your SharePoint using their own Microsoft account, no new login needed.

2. Authentication Methods

Authentication = proving you are who you say you are.

In Azure AD, you can have:

• Password-based (classic, but not the safest)
• Passwordless (like Windows Hello, phone sign-in, or FIDO2 keys)
• MFA (combines something you know + something you have)

💡 Example: You log in with a password, then confirm a code sent to your phone.

3. Authorization Models – RBAC & PIM

Once authenticated, authorization decides what you can do.

• RBAC (Role-Based Access Control) – Assign roles like Reader, Contributor, or Owner.
• PIM (Privileged Identity Management) – Give admin rights only when needed (just-in-time access).

💡 Example: An IT admin gets full access for 2 hours to fix a server, then loses the rights automatically.

4. Conditional Access

This is Azure’s “if-then” security.

Example rules:

• If login comes from another country → require MFA.
• If using an unmanaged device → block access.

💡 Example: You log in from your work laptop in the office → no MFA needed. You log in from a coffee shop → MFA required.

5. Hybrid Identity

Not every company is 100% cloud. Many still use on-premises Active Directory.

Azure AD Connect syncs your local AD with Azure AD. This way:

• Users can have the same credentials for on-prem and cloud.
• You can choose sync-only or federation for login.

💡 Example: Your office AD account works to log in to Azure too.

6. Service Principals & Managed Identities

Applications and services also need identities — but they shouldn’t store passwords in code.

• Service Principal – identity for apps or services.
• Managed Identity – Azure automatically manages credentials for your app.

💡 Example: Your Azure Function accesses a database without storing any password in the code.

🏥 Real-Life Scenario

Let’s say you’re designing an identity solution for a bank:

• Use Azure AD to manage all employees.
• Enable MFA for everyone, especially for remote access.
• Set Conditional Access so only bank-owned devices can access sensitive data.
• Use PIM for IT admins.
• Enable Managed Identity for backend services connecting to the database.

✅ Secure and compliant!

🧠 Quick Quiz (Just for Fun!)

1. Which service is the main identity provider in Azure?
   👉 Answer: Azure Active Directory
2. What tool gives admin rights only when needed?
   👉 Answer: Privileged Identity Management (PIM)
3. Which feature enforces “if-then” login rules?
   👉 Answer: Conditional Access

✍️ Final Thoughts

Identity and Access is one of the most important parts of Azure security. Without proper identity controls, even the best governance plan won’t protect you.

👉 Tomorrow, I’ll study Designing a Logging and Monitoring Solution and share my notes here. See you then!

Cheers! 🙌