Azure Identity Services

With people increasingly able to work from anywhere, plus the rise of “bring your own device” strategies, mobile applications and cloud applications. Many of those access points are now outside the company’s physical networks. Identity has become the new primary security boundary. Accurately proving that someone is a valid user of your system with an appropriate level of access is critical to maintaining control of your data.

Identity and Access โ† target of attack ๐Ÿ˜ˆ
Physical Security

Azure Active Directory or Azure AD can also help consistently secure all of the applications accessed from the internet and from public networks. Be mindful not to confuse Active Directory (securing on premises applications) with Azure Active Directory (securing applications in the cloud).

Authentication and authorization both support everything else that happens and they occur sequentially in the Identity and Access process.

AuthenticationThe process of establishing the identity of a person or service that wants to access a resource. The end-user or service is challenged for a set of credentials, which are then used as the basis to create a security principle, and this security principle is used to establish the user’s Identity and Access Control.
You can establish whether the user is who they say they are.
AuthorizationThe process of establishing what level of access an authenticated person or service has. It specifies what application, data and resources they’re allowed to access, and what they can do with them.

Azure Active Directory is Microsoft’s cloud-based Identity and Access Management Service. Azure AD enables an organization’s employees to sign in and access both internal and external resources, while also keeping them secure. Users can sign in and access:

  • external resources
    • Microsoft 365, the Azure portal, SaaS applications, etc.
  • internal resources
    • the organization’s corporate network and applications, etc.

When you secure identities on-premises with Active Directory, Microsoft doesn’t monitor sign in attempts. When you connect Active Directory with Azure AD, Microsoft can help protect you by detecting suspicious sign-in attempts at no extra cost.

A tenant represents an organization in Azure Active Directory. It’s a dedicated Azure AD instance that an organization receives and owns when it signs up for a Microsoft Cloud service. Azure AD provides services:

  • authentication
  • single sign-on
  • application management
  • device management

Connecting Active Directory with Azure AD enables you to provide a consistent identity experience to your users. Perhaps the most popular method is to use Azure AD Connect.

Single sign-on (SSO) is important as organizations need a robust Identity and Access Management strategy that can handle the challenges of securing user and data access from the cloud. Multi-factor authentication is a process where users prompted during the sign-in process for an additional form of identification.

Conditional access is a tool that Azure Active Directory uses to allow or deny access to resources based on identity signals. These signals include:

  • who the user is
  • where the user is
  • what device the user is requesting access from

You can use the conditional access What If tool to know what to expect from the conditional access policies in your environment. It allows you to understand the impact of your new policies on your environment before you implement them.

Cloud Governance Strategy

The term governance describes the general process of establishing rules and policies and ensuring that those rules and policies are enforced. When running in the cloud, a good governance strategy helps you maintain control over the applications and resources that you manage in the cloud. There are regulatory requirements that must be enforced and standards that must be followed for all cloud resources. Governance can be beneficial to organizations in a wide range of areas.

There’s no single cloud adoption path that works for every organization. But the main implementation stages are similar for all organizations and industries. The Cloud Adoption Framework for Azure provides you with proven guidance to help with your cloud adoption journey. It helps you create and implement the business and technology strategies. The framework includes these stages:

  1. Define your strategy
    • Define and document your motivations
    • Document business outcomes
    • Develop a business case
    • Prioritize projects and choose the first one
  2. Make a plan
    • Create an inventory of the existing digital assets and workloads
    • Ensure that the right people are involved
    • Build skills readiness plan
    • Build cloud adoption plan
  3. Ready your organization
    • Create a landing zone (an environment in the cloud that helps you begin hosting your workload)
    • Expand the landing zone
  4. Adopt the cloud
    • Migrate your applications to the cloud
    • Might find ways to modernize your applications and build innovative solutions
  5. Govern your cloud environments
    • Define a methodology that incrementally takes you from your first steps to full governance
    • Use the governance benchmark tool to assess your current state and future state
    • Create a minimally viable product (MVP) that captures the first steps of your governance plan
    • Iteratively add governance controls that address tangible risks as you progress
  6. Manage your cloud environments
    • Establish your management baseline
    • Define business commitments
    • Expand the baseline
    • Perform a deeper architecture review to deliver on your resiliency and reliability commitments

Organization Structure

At the beginning of any cloud governance implementation, you identify a cloud organization structure that meets your business needs. This step often involves forming a cloud center of excellence team, also called a cloud enablement team, or a cloud custodian team. This team is empowered to implement governance practices, from a centralized location for the entire organization. Teams often start their Azure governance strategy at the subscription level. There are three main aspects to consider when you create and manage subscriptions:

BillingYou can create one billing report per subscription, or organize
subscriptions by department, or by project. Resource tags can also help.
Access controlEvery subscription is associated with an Azure Active Directory tenant, which provides administrators the ability to set granular access, through defined roles by using Azure role-based access control.
Subscription limitsSubscriptions also have some resource limitations. Those limits should be considered
during your design phase.

Azure Role-Based Access Control

It is good security practice to grant users only the rights they need to perform their job and only to the relevant resources. Ordinarily when new resources are created, you would have to define the detailed access requirements for each individual and then update their access rights.

Azure role-based access control allows control over who has access to which Azure resources and what those people can do with those resources. You achieve control by assigning roles to users, groups, or applications at a particular scope:

  • A role might be described as a collection of permissions.
  • The scope is the set of resources that the access applies to.

By combining an Azure role and a scope, you can set finely tailored permissions for your Azure resources. The way you control access to resources is to create role assignments which control how permissions are enforced. A role assignment is the process of attaching a role to a security principle at a particular scope for the purpose of granting access.

A security principle is an object that represents a user, group, service principle or managed identity that is requesting access to Azure resources. For instance, Observers, Users managing resources, Admins and Automated processes illustrate the users or accounts that would typically be assigned each of the various roles.

Scope \ Built-in RoleReaderResource
Management groupObsUmrUmrUmrAdmins
Resource groupObsUmrUmrUmrAdmins
Obs = Observers, Umr = Users managing resources, Ap = Automated processes

The Reader can view resources, but is not allowed to make any changes. When you assign the Reader role to a group at the Subscription scope, the members of that group can view any Resource group and Resource within the Subscription.

The Contributor has full access to manage all resources, but is not allowed to assign roles. When you assign the Contributor role to an application at the Resource group scope, the application can manage resources of all types within that Resource group, but not other Resource groups within the Subscription.

The Owner role has full access to manage all resources, including the ability to assign roles in Azure RBAC. When you assign the Owner role to a user at the Management group scope, that user can manage everything and all Subscriptions within the Management group.

If the built-in roles don’t meet the specific needs of your organization, you can create your own Custom roles.

Azure RBAC is enforced on any action that is initiated against an Azure resource that passes through Azure Resource Manager, which is a management service that provides a way to organize and secure your Cloud resources. You typically access Azure Resource Manager from the Azure Portal, Azure Cloud Shell, Azure PowerShell, and the Azure CLI. Note that Azure RBAC doesn’t enforce access permissions at the application or data level, application security must be handled by your application.

Azure RBAC uses an Allow Model. When you’re assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. The Allow Model is cumulative. If one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you have both read and write permissions on that resource group.

Resource Locks

A resource lock prevents resources from being accidentally deleted or changed. Even with Azure RBAC policies in place, there’s still a risk that people with the right level of access could delete critical Cloud resources. Think of a resource lock as a warning system that reminds you that a resource should not be deleted or changed. You can set the lock level to CanNotDelete or ReadOnly.

CanNotDeleteAuthorized people can still read and modify a resource, but they can’t delete the resource without first removing the lock.
ReadOnlyAuthorized people can read a resource, but they can’t delete or change the resource.
Applying this lock, is like restricting all authorized users to the permissions granted by
the Reader role in Azure RBAC.

Resource locks apply regardless of RBAC permissions. Even if you’re an Owner of the resource, you must still remove the lock before you can perform the blocked activity.

To make the protection process more robust, you can combine resource locks with Azure Blueprints. Azure Blueprints enables you to define the set of standard Azure resources that your organization requires. For example, you can define a blueprint that specifies that a certain resource lock must exist. Azure blueprints can automatically replace the resource lock if the lock is removed.

Resource Tags

You can use resource groups to manage related resources, however Resource tags are another way to organize resources. Tags provide extra information or metadata about your resources. Metadata is useful for a variety of purposes including:

Tag enables you to:
Resource managementlocate and act on resources that are associated with specific workloads, environments, business units, and owners.
Cost management and optimizationgroup resources so that you can report on costs, allocate internal cost centers, track budgets and forecast estimated cost.
Operations managementgroup resources according to how critical their availability is to your business. This grouping helps you formulate service-level agreements (SLAs).
Securityclassify data by its security level.
Governance and regulatory complianceidentify resources that align with governance or regulatory compliance requirements.
Workload optimization and automationvisualize all of the resources that participate in complex deployments.

Azure Policy

How do you ensure that your resources stay compliant? Azure Policy is a service in Azure that enables you to create, assign and manage policies that control or audit your resources. These policies enforce different rules and effects over your resource configurations so that those configurations stay compliant with corporate standards.

Azure Policy enables you to define both individual policies and groups of related policies known as initiatives, which is a way of grouping related policies into one set. The initiative definition contains all of the policy definitions to help track your compliance state for a larger goal. It evaluates your resources and highlights resources that aren’t compliant with the policies you’ve created. It can also prevent non-compliant resources from being created.

Azure Policy also integrates with Azure DevOps by applying any continuous integration and delivery pipeline policies that apply to the pre-deployment and post-deployment phases of your applications.

Azure Blueprints

What happens when your cloud environment starts to grow beyond just one subscription? How can you scale the configuration of these features, knowing they need to be enforced for resources in new subscriptions? Instead of having to configure features like Azure policy for each new subscription, with Azure Blueprints, you can define a repeatable set of governance tools and standard Azure resources that your organization requires. Azure Blueprints orchestrates the deployment of various resource templates and other artifacts. You can use Azure blueprints to scale their governance practices throughout the organization.

Privacy, Compliance and Data Protection Standards

Microsoft commits to protect customer and application data. The Microsoft’s Privacy Statement, the Online Services Terms and the Data Protection Addendum detail Microsoft’s commitment to protecting data and privacy in the cloud.

The Microsoft Privacy Statement explains what personal data Microsoft collects, how Microsoft uses it and for what purposes.

The Online Services Terms (OST) is a legal agreement between Microsoft and the customer. The OST details the obligations by both parties with respect to the processing and security of customer data and personal data. The OST applies specifically to Microsoft Online Services that you’re licensed through subscription.

The Data Protection Addendum (DPA) further defines the data processing and security terms for Online services. These terms include:

  1. Compliance with laws
  2. Disclosure of processed data
  3. Data security
    • security practices and policies
    • data encryption
    • data access
    • customer responsibilities and compliance with auditing
  4. Data transfer, retention and deletion

Managing Costs

Running on-premise data center requires you to maintain a facility and purchase power, cooler, and maintain your servers. However running data center in the cloud presents new ways to think about your IT expenses. You need to understand the factors that influence cost. The Total Cost of Ownership (TCO) Calculator helps you estimate the cost savings of operating your solution on Azure over time instead of in your on-premises data center.

Among these factors that affect the costs are:

  • Resource type and how you customize
  • Usage meters
  • Resource usage
  • Azure subscription types
  • Azure Marketplace

The decision of where to provision a resource can have cost consequences. Azure infrastructure is distributed globally, different geographic regions can have different prices.

Ideally, you want your provisions of resources to match your actual usage. Azure Advisor identifies unused or underutilized resources and recommends unused resources that you can remove. This information helps you configure your resources to match your actual workload. Quota limits on the number of similar resources that you can provision within your subscription. Licensing is another area that can dramatically impact your cloud spending.

Service-Level Agreement

A service-level agreement (SLA) is a formal agreement between a service company and the customer. For Azure, this agreement defines the performance standards, like uptime and connectivity, that Microsoft commits to the customer. A typical SLA includes:

  1. Introduction
    • What to expect
    • Scope
    • Subscription renewals
  2. General terms
    • Definition of terms
    • Defines the general terms of the agreement
  3. Details
    • Defines the specific guarantees for the service
    • Performance commitments: latency, uptime (9 hours for 99.9% and 52 min for 99.99%), etc.
    • Any additional terms specific to this service

Free products typically don’t have an SLA. Azure Status provides a global view of the health of azure services and regions.

An application SLA defines the requirements for specific application. Keeping that application SLA in mind. You’ll select the Azure products and services you need and provision your cloud resources according to those requirements.

A workload is a distinct capability or task that’s logically separated from other tasks in terms of business logic and data storage requirements. Each workload defines a set of requirements for availability, scalability, data consistency and disaster recovery. Suppose an application will require:

workload / serviceSLA
virtual machines (2x)99.9 %
Azure SQL database99.99 %
Azure load balancer99.99 %

You might notice that the SLAs of those workloads are not all the same. The process of combining SLAs helps you compute the composite SLA for a set of services. Computing the composite SLA requires that you multiply the SLA of each individual service.

Composite SLA = 99.9 % * 99.9 % * 99.99 % * 99.99 % = 99.78 %

Using multiple services adds an extra level of complexity and slightly increases the risk of failure.

My Certificate

For more on Azure Cloud Governance Strategy, please refer to the wonderful course here

Related Quick Recap

I am Kesler Zhu, thank you for visiting my website. Check out more course reviews at

Don't forget to sign up newsletter, don't miss any chance to learn.

Or share what you've learned with friends!

Leave a Reply

Your email address will not be published. Required fields are marked *