Identities
Subscriptions
- Using Azure requires an Azure subscription which provides you with authenticated and authorized access to Azure products
- An Azure subscription is an identity in Azure Active Directory (Azure AD) or in a directory that an Azure AD trusts
Resource Levels
Level | Notes | ~AWS
Management groups | Containers that order Azure resources hierarchically into collections spanning multiple subscriptions. All subscriptions in a management group automatically inherit the conditions applied to the management group. The root management group's display name is "Tenant root group" (its ID is the Azure AD tenant ID). | AWS OUs
Subscriptions | A subscription groups together user accounts and the resources those user accounts have created. | AWS Account
Resource groups | A logical container for resources deployed on Azure. Also a scope for applying RBAC permissions. Cannot be nested. |
Resources | |

Identities
Azure AD

Source: Azure Active Directory – Security Overview
Identity Types
Identity type | Notes
Identity | Something that can be authenticated (users and apps)
Principal | An identity acting with certain roles or claims. Groups are often also considered principals because they can have rights assigned.
Service principal | An identity that is used by a service or application
Managed identity for a service | An account on the organization's Azure AD tenant. The Azure infrastructure automatically takes care of authenticating the service and managing the account.
Identity Management

- Azure AD Connect integrates on-premises directories with Azure AD, providing both synchronization and sign-in
- On Azure, users, groups, and roles are all stored in Azure Active Directory (Azure AD)
- The Azure Resource Manager API uses RBAC to secure all resource access management within Azure
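As an added example (not part of these notes), a small Python model of how RBAC role assignments inherit down the resource levels listed above, from management group to subscription, resource group and resource. The scope string formats are Azure's own; the management-group tree, subscription placement, principals and role assignments are constructed sample data, and the tenant ID is a placeholder.

```python
# Constructed sample hierarchy (assumption, not real tenant data). Management
# groups are stored child -> parent; the root management group's ID is the
# Azure AD tenant ID, shown here as a placeholder.
ROOT_MG = "TENANT-ID-PLACEHOLDER"
MG_PARENT = {"contoso-prod": ROOT_MG, ROOT_MG: None}
SUB_MG = {"sub-prod-1": "contoso-prod"}   # subscription -> management group; others sit under root

def mg_scope(name: str) -> str:
    return f"/providers/Microsoft.Management/managementGroups/{name}"

def scope_chain(scope: str) -> list[str]:
    """The scope plus every ancestor it inherits role assignments from, nearest
    first: resource -> resource group -> subscription -> management groups."""
    parts = scope.strip("/").split("/")
    chain = []
    if parts[0].lower() == "subscriptions":
        sub = parts[1]
        if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
            if len(parts) > 4:               # a resource inside the resource group
                chain.append(scope)
            chain.append(f"/subscriptions/{sub}/resourceGroups/{parts[3]}")
        chain.append(f"/subscriptions/{sub}")
        mg = SUB_MG.get(sub, ROOT_MG)
    elif parts[:3] == ["providers", "Microsoft.Management", "managementGroups"]:
        mg = parts[3]
    else:
        raise ValueError(f"unrecognised scope: {scope}")
    while mg is not None:                    # walk up the management-group tree
        chain.append(mg_scope(mg))
        mg = MG_PARENT.get(mg)
    return chain

# Constructed role assignments (principal, role, scope) at three different levels.
ASSIGNMENTS = [
    ("carol", "Owner", mg_scope(ROOT_MG)),
    ("alice", "Reader", mg_scope("contoso-prod")),
    ("bob", "Contributor", "/subscriptions/sub-prod-1/resourceGroups/rg-web"),
]

def effective_roles(principal: str, scope: str) -> list[tuple[str, str]]:
    """(role, scope it was granted at) for each assignment the principal holds
    at `scope`, directly or by inheritance. Scopes compare case-insensitively."""
    chain = {s.lower() for s in scope_chain(scope)}
    return [(role, granted_at) for who, role, granted_at in ASSIGNMENTS
            if who == principal and granted_at.lower() in chain]

if __name__ == "__main__":
    vm = "/subscriptions/sub-prod-1/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm1"
    for p in ("alice", "bob", "carol"):
        print(p, effective_roles(p, vm))
```

Querying a resource walks up through its resource group, subscription and management groups, which is the same inheritance an audit of "who holds Owner on this resource" has to account for.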