Identities
Subscriptions
- Using Azure requires an Azure subscription which provides you with authenticated and authorized access to Azure products
- An Azure subscription is an identity in Azure Active Directory (Azure AD) or in a directory that an Azure AD trusts
Resource Levels
| Level |
Notes |
~AWS |
| Management groups |
- These are containers that allows to order Azure resources (hierarchically into collections) for multiple subscriptions
- All subscriptions in a management group automatically inherit the conditions applied to the management group
- The root management group's display name is Tenant root group (the ID is the Azure AD ID)
|
AWS OUs |
| Subscriptions |
- A subscription groups together user accounts and the resources that have been created by those user accounts
|
AWS Account |
| Resource groups |
- A resource group is a logical container for resources deployed on Azure
- Resource groups are also a scope for applying RBAC permissions
- Cannot be nested
 |
|
| Resources |
|
|
Identities
Azure AD
Source: Azure Active Directory – Security Overview
Identity Types
|
|
| Identity |
- Something that can be authenticated (users and apps)
|
| Principal |
- An identity acting with certain roles or claims
- Groups are often also considered principals because they can have rights assigned
|
| Service principal |
- An identity that is used by a service or application
|
| Managed identity for a service |
- An account on the organization's Azure AD tenant
- The Azure infrastructure will automatically take care of authenticating the service and managing the account
|
Identity Management
- Azure AD Connect integrates on-premises directories with Azure AD, providing both synchronization and sign in
- On Azure, users, groups, and roles are all stored in Azure Active Directory (Azure AD)
- The Azure Resource Manager API uses RBAC to secure all resource access management within Azure
