From the course: Microsoft Azure Essentials by Microsoft Press
Identity basics with Entra ID - Azure Tutorial
Identity basics with Entra ID
Entra ID used to be called Microsoft Azure Active Directory Services, and it was renamed to Entra ID. That was a good change, because when people thought about Azure Active Directory, they thought, well, this must be Windows Active Directory in the cloud, like a PaaS service. That's not really what it is. Entra ID is an identity service: it lets you give people access to things, authenticate users, and do lots of other things.

Now, before we get into that, let's talk about what identity is. When we say that Entra ID is an identity service, what is identity? Well, an identity just defines who you are. Actually, who or what you are is probably a better way to phrase it, and the reason I say that is that in Entra ID an identity could be a person, someone logging into your service, but it could also be an application. It could also be a managed identity. A managed identity is a special identity type that represents Azure services within a certain region. That might be a little confusing right now, so think about it this way. Let's say you've got some Azure App Service web apps running in the Central US region, and you want to give them access to a virtual machine that's running in Azure. Normally your services can't directly access other services unless you give them that capability. So you can use a managed identity to give all of the web applications running in that Central US region access to that virtual machine.

Entra ID manages sign-in, and it manages authorization and access. Now, authorization is not the same thing as authentication. Authentication is the process of determining who or what someone is. Authorization is the process of determining, now that I know who or what is accessing, what is it that they can do. That's authorization. And then access is like access control. So if your authorization says that you are, let's say, an administrator, what does that mean as far as access goes?
What can an administrator do? So Entra ID gives you centralization of all of this across all of your Azure services, and not just your Azure services: also on-premises and across clouds. So if you have resources running, for example, in Amazon Web Services, you can use Microsoft Entra ID to give people access to those Amazon Web Services resources, or give them access to resources on servers that are running on-premises.

Now, when we talk about who and what you are, when it comes down to Entra ID, we have to recognize that, as I said, users aren't just people. They could also be applications. So if you want to give someone access to Amazon Web Services, you would use an application in Entra ID that allows access to Amazon Web Services. There are a lot of different applications you can add like that in Entra ID, and you can also integrate your own applications with Entra ID. Now, if you're talking just about users, you can have users be individual people, but you can also organize users into groups, and that makes it easier to manage that kind of access. And then in Entra ID, the way that you give access to people is that you assign them to a role. A role defines the what, as in what someone can do. Once we know who that person or application or entity is, the role defines what they can do. When we do our demo a little bit later, I'm going to show you how all of this works.

Another really cool feature of Entra ID is that it allows you to implement multi-factor authentication. This is extremely important in today's world, because there are a lot of bad guys out there. Multi-factor authentication just adds an extra step to the login. The way this works is that it uses something you know and something you have. That's two-factor authentication. The something you know could be a password, and the something you have could be something like the cell phone that's pictured on this screen.
So with two-factor authentication using a cell phone, for example, you might log in using your password on your computer, and then you get a notification on your phone to enter some code. Now you've got two-factor authentication, and this protects you from stolen or leaked passwords. This functionality is built into Entra ID. You just have to enable it, and it works.

Now, when I talk about giving other people access to things, or giving applications access to your Azure resources, for example, the primary way that we do that is using what's called role-based access control. This applies the role that we were talking about to that entity, the user or the application, and that controls what can be done. So you use these roles to bundle different actions. There are a lot of roles that are specific to different types of Azure services. For example, in App Service there is a Website Contributor role, which allows people to contribute to and help manage web applications, but it doesn't give them the ability to, say, delete that web application or give other people access to it. It just allows them to help manage that application. You can use that as a role assignment for someone, which then gives them that capability.

Now, it's important to understand that there's a scope to RBAC, a Role-Based Access Control scope, and the scope is defined by where you are when you apply that role. Remember earlier on, we talked about the fact that your Azure resources are located inside of resource groups. So if you think about RBAC scope, you could apply that to a resource group. Let's say that you've got several different web applications in that resource group. If you apply the Website Contributor role at the resource group level for a user, that gives them Website Contributor on all of the web applications in that resource group.
In fact, if a new web application is created in that resource group, that user would have Website Contributor access to that new web application as well. However, you could also apply the Website Contributor role at the web app level itself. So you go into the resource group and apply it to a particular web application, and that means the scope is only that web application. So scope is important, because it lets you determine at what level someone has this kind of access.
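The two-factor login described above (a password you know plus a code from a phone you have) can be shown in code. The following is an added example, not code from the course or from Microsoft Entra ID: it verifies the first factor against a salted PBKDF2 password hash and the second factor as a time-based one-time code (RFC 6238 TOTP, the kind an authenticator app generates), going slightly beyond the video by showing why a leaked password alone no longer gets you in. The user record, password, TOTP seed and timestamps are constructed for the demo (the seed and timestamps are the RFC 6238 test-vector values).

```python
"""Added example (not from the course): "something you know + something you have".
Factor 1: password checked against a salted PBKDF2 hash.
Factor 2: time-based one-time code (RFC 6238 TOTP over RFC 4226 HOTP).
All users, secrets and timestamps below are constructed for the demo."""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30   # TOTP time step used by common authenticator apps
DIGITS = 6          # length of the one-time code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 + dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Time-based code (RFC 6238): HOTP where the counter is the current time window."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Accept the current window plus one step either side to tolerate clock skew.
    compare_digest keeps the comparison constant-time."""
    for k in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(secret, unix_time + k * STEP_SECONDS), code):
            return True
    return False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen database does not yield passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record: what the server stores for factor 1 and factor 2.
_SALT = os.urandom(16)
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",  # constructed seed (RFC 6238 test vector)
    }
}


def login(username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; a stolen or leaked password on its own is not enough."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, unix_time)
    return pw_ok and code_ok


if __name__ == "__main__":
    now = 1111111109  # constructed timestamp from the RFC 6238 test vectors
    good_code = totp(USERS["alice"]["totp_secret"], now)
    print("code for this window:", good_code)
    print("password + code  :", login("alice", "correct horse battery staple", good_code, now))
    print("password only    :", login("alice", "correct horse battery staple", "000000", now))
    print("code only        :", login("alice", "leaked-guess", good_code, now))
```

The phone app and the server share only the TOTP seed; the code changes every 30 seconds, so a password captured from a leak or a phishing page is useless without the device that holds the seed. A real deployment would also record which codes have already been used within the window so a code cannot be replayed.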
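To make the scope behaviour concrete, here is an added example that is not code from the course or from Azure: a small model of role-based access control in which a role assignment has a principal (a user or a group), a role, and a scope given as a resource ID. An assignment covers its own scope and everything beneath it, which is exactly why Website Contributor granted on a resource group also covers a web app created there later, while the same role granted on one web app covers only that app. The subscription ID, resource group and web app names, the group membership and the role definitions are all constructed; the Website Contributor actions follow the video's description of the role (manage but not delete or grant access), not Azure's real definition.

```python
"""Added example (not from the course): a toy model of Azure RBAC scope.
Assignments apply to their scope and to every resource beneath it in the
resource hierarchy (subscription > resource group > resource).
Resource IDs, group membership and role definitions are constructed."""
from dataclasses import dataclass

# Constructed resource IDs (subscription, two resource groups, three web apps).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_WEB = f"{SUB}/resourceGroups/rg-web"
APP1 = f"{RG_WEB}/providers/Microsoft.Web/sites/app1"
APP2 = f"{RG_WEB}/providers/Microsoft.Web/sites/app2"   # "new" app in the same group
RG_WEB2 = f"{SUB}/resourceGroups/rg-web2"                # similar name, different group
APP3 = f"{RG_WEB2}/providers/Microsoft.Web/sites/app3"

# Simplified role definitions, constructed for the demo. "Website Contributor"
# is modelled on the course's description (manage, but no delete, no granting
# access); the real Azure role lists many more actions.
ROLES = {
    "Website Contributor": {
        "actions": {"Microsoft.Web/sites/read", "Microsoft.Web/sites/write",
                    "Microsoft.Web/sites/restart/action"},
        "not_actions": set(),
    },
    "Owner": {"actions": {"*"}, "not_actions": set()},
}

# Constructed group membership: a role assigned to a group applies to its members.
GROUPS = {"web-devs": {"alice"}}


@dataclass(frozen=True)
class Assignment:
    principal: str   # user, group, application or managed identity
    role: str
    scope: str       # resource ID of a subscription, resource group or resource


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """True if the resource is the assignment scope itself or sits beneath it.
    Matching on 'scope/' rather than a bare prefix stops rg-web covering rg-web2."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def action_matches(pattern: str, action: str) -> bool:
    """Role definitions may use '*' or 'Provider/type/*' wildcards."""
    pattern, action = pattern.lower(), action.lower()
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def principals_for(user: str) -> set:
    """The user plus every group the user is a member of."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def is_allowed(user: str, action: str, resource_id: str, assignments) -> bool:
    """Allowed if some assignment for the user (or a group) covers the resource
    and its role grants the action without excluding it."""
    effective = principals_for(user)
    for asg in assignments:
        if asg.principal not in effective or not scope_covers(asg.scope, resource_id):
            continue
        role = ROLES[asg.role]
        granted = any(action_matches(p, action) for p in role["actions"])
        excluded = any(action_matches(p, action) for p in role["not_actions"])
        if granted and not excluded:
            return True
    return False


# Constructed assignments: group at resource-group scope, user at single-app
# scope, and an owner at subscription scope.
ASSIGNMENTS = [
    Assignment("web-devs", "Website Contributor", RG_WEB),
    Assignment("bob", "Website Contributor", APP1),
    Assignment("carol", "Owner", SUB),
]

if __name__ == "__main__":
    write = "Microsoft.Web/sites/write"
    for user, res in [("alice", APP1), ("alice", APP2), ("alice", APP3),
                      ("bob", APP1), ("bob", APP2)]:
        name = res.rsplit("/", 1)[-1]
        print(f"{user:5} write {name}: {is_allowed(user, write, res, ASSIGNMENTS)}")
    print("alice delete app1:",
          is_allowed("alice", "Microsoft.Web/sites/delete", APP1, ASSIGNMENTS))
```

Run as a script it shows alice (through the web-devs group) managing app1 and app2, including the app that did not exist when the assignment was made, but not app3 in the neighbouring group, and bob managing only app1. When reviewing real assignments, the thing to check is the scope column: an assignment made at subscription or resource group level reaches far more resources than the one the requester had in mind.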