Identity and access management (IAM) architectures provide frameworks for protecting data and resources. Internal networks establish security boundaries in on-premises systems. In cloud environments, perimeter networks and firewalls aren't sufficient for managing access to apps and data. Instead, public cloud systems rely on identity solutions for boundary security.
An identity solution controls access to an organization's apps and data. Users, devices, and applications have identities. IAM components support the authentication and authorization of these and other identities. The process of authentication controls who or what uses an account. Authorization controls what that user can do in applications.
Whether you're just starting to evaluate identity solutions or looking to expand your current implementation, Azure offers many options. One example is Azure Active Directory (Azure AD), a cloud service that provides identity management and access control capabilities. To decide on a solution, start by learning about this service and other Azure components, tools, and reference architectures.
Introduction to identity on Azure
If you're new to IAM, the best place to start is Microsoft Learn. This free online platform offers videos, tutorials, and hands-on training for various products and services.
The following resources can help you learn the core concepts of IAM.
Learning paths
- Microsoft Security, Compliance, and Identity Fundamentals: Describe the capabilities of Microsoft Identity and access management solutions
- Implement Microsoft identity – Associate
- SC-300: Implement an identity management solution
- MS-500 part 1 - Implement and manage identity and access
Modules
Path to production
After you've covered the fundamentals of identity management, the next step is to develop your solution.
Design
To explore options for identity solutions, consult these resources:
For a comparison of three services that provide access to a central identity, see Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services.
To learn how to make IAM resilient, see Resilient identity and access management with Azure AD.
To compare options for reducing latency when integrating with an Azure network, see Integrate on-premises AD with Azure.
For information on associating billing offers with an Azure AD tenant, see Azure billing offers and Active Directory tenants.
To evaluate options for an identity and access foundation, see Azure identity and access management design area.
To explore ways to organize resources that you deploy to the cloud, see Resource organization.
For a comparison of various authentication options, see Choose the right authentication method for your Azure Active Directory hybrid identity solution.
For a comprehensive hybrid identity solution, see How Azure AD Delivers Cloud Governed Management for On-Premises Workloads.
To learn how Azure AD Connect integrates on-premises directories with Azure AD, see What is Azure AD Connect?.
Implementation
When you've decided on an approach, implementation comes next. For deployment recommendations, see these resources:
For a series of articles and code samples for a multitenant solution, see Identity management in multitenant applications.
For information on deploying Azure AD, see these resources:
To learn how to use Azure AD and OAuth 2.0 to secure a single-page application, see Secure development with single-page applications (SPAs).
Best practices
With capabilities like automation, self-service, and single sign-on, Azure AD can boost productivity. For general information on benefitting from this service, see Four steps to a strong identity foundation with Azure Active Directory.
To check whether your Azure AD implementation aligns with the Azure Security Benchmark version 2.0, see Azure security baseline for Azure Active Directory.
Some solutions use private endpoints in tenants to connect to Azure services. To see guidelines for security issues regarding private endpoints, see Limit cross-tenant private endpoint connections in Azure.
For recommendations for the following scenarios, see Integrate on-premises AD domains with Azure AD:
- Giving your organization's remote users access to your Azure web apps
- Implementing self-service capabilities for end users
- Using an on-premises network and a virtual network that aren't connected by a virtual private network (VPN) tunnel or ExpressRoute circuit
For general information and guidelines on migrating applications to Azure AD, see these articles:
Suite of baseline implementations
These reference architectures provide baseline implementations for various scenarios:
- Create an AD DS resource forest in Azure
- Deploy AD DS in an Azure virtual network
- Extend on-premises AD FS to Azure
Stay current with identity
Azure AD receives improvements on an ongoing basis.
- To stay on top of recent developments, see What's new in Azure Active Directory?.
- For a roadmap showing new key features and services, see Azure updates.
Additional resources
The following resources provide practical recommendations and information for specific scenarios.
Azure AD in educational environments
- Introduction to Azure Active Directory Tenants
- Design a multi-tenant architecture for large institutions
- Design Tenant Configuration
- Design authentication and credential strategies
- Design an account strategy
- Design identity governance
- Updated Guidance for Microsoft 365 EDU Deployment during COVID-19