Identity Objects in Microsoft Entra ID
Microsoft Entra ID, formerly known as Azure Active Directory (AAD), is an integrated cloud identity and access management service. It enables the creation and management of various identity objects, the most common of which are Users, Groups, Managed Identities, and Service Principals. Permissions can be assigned directly to any identity object; the object can also be added to security groups and teams, or granted an access level through role-based access control (RBAC).
Key Identity Objects:
Users: In Microsoft Entra ID, a user object represents an individual who authenticates with a username and password, for example when signing in to the Azure portal.
Groups: Unlike users, groups do not authenticate; they exist to assign permissions to a collection of users. Applying a permission once to the group, rather than to each member individually, simplifies management. For instance, when creating a Databricks workspace, identity federation can map existing Microsoft Entra ID groups and their permissions into the workspace.
Service Principals: These are specialized identity objects that enable third-party applications to access Azure resources. They are commonly used in automation, such as ETL pipelines, and they are the identity that deployment tools like Bicep or Terraform authenticate with when deploying to Azure. Each service principal is identified by an application (client) ID and authenticates with either a key (client secret) or a certificate.
Managed Identities: A subset of service principals whose credentials Azure manages automatically, so no credential has to be created, stored, or rotated by hand. A managed identity is tied to an Azure resource, and Azure handles both the authentication process and the credential lifecycle, including rotation. They are ideal for automating Azure management tasks, accessing databases, or interacting with Azure Key Vault.
Types of Managed Identities:
- System-assigned Managed Identities: Created automatically together with an Azure resource (e.g., a virtual machine or App Service), and their lifecycle is tied to that parent resource. Such an identity exists only for the resource it was created with, which makes it best suited for dependencies that involve a single Azure resource.
- User-assigned Managed Identities: Stand-alone Azure resources with an independent lifecycle. These identities can be associated with multiple Azure resources, which makes them ideal for scenarios requiring consistent access across several resources, such as multiple VMs accessing the same database.
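As an added example (not code from the original post), the following Bicep template shows the user-assigned pattern above: one identity shared by a Data Factory (ETL) instance and an App Service, granted only the built-in Key Vault Secrets User role on a single existing Key Vault rather than a broad role at subscription scope. All resource names (uami-etl-shared, kv-example, adf-etl-example, plan-example, app-etl-example) are hypothetical, and the Key Vault and App Service plan are assumed to already exist in the same resource group.

```bicep
// Added example, not code from the original post; all resource names are hypothetical.
param location string = resourceGroup().location

// One user-assigned identity with its own lifecycle, shared by the resources below.
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'uami-etl-shared'
  location: location
}

// Existing Key Vault in the same resource group, assumed to use Azure RBAC authorization.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = { name: 'kv-example' }

// Built-in role "Key Vault Secrets User": read secret values only, no management rights.
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

// Least privilege: the role is scoped to this single vault, not the resource group or subscription.
resource kvSecretsReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, uami.id, keyVaultSecretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: uami.properties.principalId
    // Declaring the type avoids lookup failures from directory replication lag on a new identity.
    principalType: 'ServicePrincipal'
  }
}

// Data Factory (ETL pipelines) runs as the shared identity; no client secret exists to store or rotate.
resource adf 'Microsoft.DataFactory/factories@2018-06-01' = {
  name: 'adf-etl-example'
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${uami.id}': {} }
  }
}

// A second consumer of the same identity: an App Service on an existing plan.
resource plan 'Microsoft.Web/serverfarms@2023-01-01' existing = { name: 'plan-example' }

resource app 'Microsoft.Web/sites@2023-01-01' = {
  name: 'app-etl-example'
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${uami.id}': {} }
  }
  properties: { serverFarmId: plan.id, httpsOnly: true }
}
```

Deleting either consumer leaves the identity and its role assignment in place, which is the independent lifecycle that distinguishes user-assigned from system-assigned identities.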
Together, these object types give Microsoft Entra ID the flexibility and security controls that make it a robust choice for managing cloud identities and access control within Azure.