Cloud Security – Azure Active Directory authentication – Part 1

Azure AD Admin Center

Hi All,

LIFE IS BEAUTIFUL 🙂 I hope we all are safe:) STAY SAFE, STAY HEALTHY 🙂 STAY HOME 🙂

In the last article, Cloud Security – Introduction to Azure Security and Azure Security Center, we discussed a bit about Azure Security and Azure Security Center.

These articles will also help you prepare for the exam AZ-500: Microsoft Azure Security Technologies, covering the following topics:

  • Configure Azure Active Directory for workloads
  • Configure Microsoft Azure AD Privileged Identity Management

In this article we will discuss Azure AD authentication and what it includes; subsequent articles will cover each Azure AD authentication component in turn.

What is Authentication?

  • The process of verifying a user's credentials / identity when the user signs in to a device, application or any service
  • Example – when a user signs in to a Microsoft cloud service, the user is validated against their credentials along with other mechanisms such as the Microsoft Authenticator app or a phone (text message or voice call), and so on
  • Microsoft identity platform (Azure Active Directory) implements the OpenID Connect protocol for handling authentication.

What is Azure Active Directory (V1.0)?

  • Cloud identity service: a centralized identity provider in the cloud
  • Identity service / identity provider means it is responsible for verifying the identity of the users and applications that exist in the organization's directory, and for issuing security tokens upon successful authentication of those users and applications
  • A powerful tool to protect user identities and credentials
  • Microsoft online business services such as M365 and Microsoft Azure require Azure AD for sign-in and to protect identities
  • This service allows us to sign in and access resources such as
    • M365, the Azure Portal and other SaaS applications
    • Our organization's intranet and the applications hosted on it
    • Any other cloud apps developed by our organization
  • Azure AD can be used to automate user provisioning between Windows AD and M365
  • This service allows us to build applications that sign in / authenticate users with a Microsoft work or school account
  • This service supports writing single-tenant or multi-tenant applications
  • Azure Active Directory for developers (v1.0) (Azure AD) simplifies authentication for application developers by providing identity as a service
  • Libraries are available that let developers authenticate users against cloud or on-premises AD and fetch tokens for calling secured APIs such as Microsoft Graph. These libraries are the Azure Active Directory Authentication Library (ADAL) v1.0
  • This service allows us to call the APIs it supports, such as Microsoft Graph and SharePoint, as shown in Fig 1:
Fig1: Azure AD authentication
  • Azure AD is intended for
    • IT Admins
    • Developers
    • Microsoft 365, Office 365, Azure, or Dynamics CRM Online subscribers

What is Microsoft Identity Platform (V2.0)?

  • The Microsoft identity platform is an evolution of the Azure Active Directory (Azure AD) developer platform.
  • The Microsoft identity platform allows us to write applications that sign in all Microsoft identities and get tokens to call the respective secured APIs
  • It consists of an authentication service, open-source libraries, application registration and configuration, and so on.
  • It supports standard protocols such as OAuth 2.0 and OpenID Connect

Difference between Azure AD v1.0 platform and Microsoft Identity Platform

  • The Azure AD v1.0 platform only authenticates work and school accounts, by requesting tokens from the Azure AD v1.0 endpoint using ADAL (Active Directory Authentication Library). The Microsoft identity platform v2.0 authenticates any Microsoft identity using MSAL (Microsoft Authentication Library):
    • Work and school accounts
    • Personal accounts (such as Outlook.com, Hotmail.com, msn.com)
    • Social identities such as LinkedIn, Facebook, Google
Fig2: Azure AD authentication – MSAL supported account types
Fig3: Azure AD authentication – Difference between Azure AD v1.0 platform and Microsoft Identity Platform v2.0 for supported account types – Image courtesy of the MS site – https://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/azure-ad-endpoint-comparison
  • In the figure above, clicking the link "Help me choose…" shows the details for each account type:
Fig4: Azure AD authentication – MSAL supported account types details
  • For new applications Microsoft recommends using MSAL
  • Applications built with the ADAL libraries continue to be supported.
Fig5: Microsoft identity experience at a high level – Image courtesy of the MS site – https://docs.microsoft.com/en-us/azure/active-directory/develop/about-microsoft-identity-platform
Fig6: New Azure AD Admin Center portal
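To make the OpenID Connect sign-in and the v1.0 / v2.0 endpoint difference above concrete, here is an added example (not code from this article, Microsoft or MSAL) that builds the authorization request for either endpoint from the account-type choice in the "Help me choose" table, with PKCE and a state check on the redirect. The client id, redirect URI and tenant GUID are placeholders you would take from your own app registration.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
# Tenant segment per account type ("Help me choose" table); personal accounts need v2.0.
TENANT_FOR_AUDIENCE = {"multi_tenant": "organizations",     # work/school, any tenant
                       "work_and_personal": "common",       # work/school + personal
                       "personal_only": "consumers"}        # personal accounts only

def tenant_segment(audience, tenant_id=None):
    if audience == "single_tenant":          # work/school in one directory: its GUID
        if not tenant_id:
            raise ValueError("single-tenant apps must name their tenant")
        return tenant_id
    return TENANT_FOR_AUDIENCE[audience]

def pkce_pair(verifier=None):
    """Return (code_verifier, S256 code_challenge) for the authorization-code flow."""
    verifier = verifier or secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(version, audience, client_id, redirect_uri, state, nonce,
                        code_challenge, tenant_id=None):
    """Build the OpenID Connect authorization request for the v1.0 or v2.0 endpoint."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "response_mode": "query", "state": state, "nonce": nonce,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    if version == "v2.0":
        path = "oauth2/v2.0/authorize"
        params["scope"] = "openid profile https://graph.microsoft.com/User.Read"
    elif version == "v1.0":
        if audience in ("work_and_personal", "personal_only"):
            raise ValueError("v1.0 endpoint signs in work and school accounts only")
        path = "oauth2/authorize"
        params["resource"] = "https://graph.microsoft.com"   # v1.0 names an API, not scopes
    else:
        raise ValueError(f"unknown endpoint version {version}")
    return f"{AUTHORITY}/{tenant_segment(audience, tenant_id)}/{path}?{urlencode(params)}"

def check_callback(redirect_url, expected_state):
    """Reject the redirect unless it echoes our state (binds the response to our request)."""
    qs = parse_qs(urlparse(redirect_url).query)
    if "error" in qs:
        raise RuntimeError(f"{qs['error'][0]}: {qs.get('error_description', [''])[0]}")
    if not secrets.compare_digest(qs.get("state", [""])[0], expected_state):
        raise RuntimeError("state mismatch: response does not belong to this request")
    return qs["code"][0]
```

The code returned by check_callback is then redeemed at the matching token endpoint together with the code_verifier; signature and nonce validation of the resulting ID token is left to a library such as MSAL.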

What does Azure AD authentication include? The following are the authentication methods supported by Azure AD:

  • Username and Password
  • Microsoft Authenticator App passwordless sign-in
  • OATH hardware token or FIDO2 security key
  • SMS-based passwordless sign-in

For security reasons, many accounts in organizations are enabled for Azure Multi-Factor Authentication (MFA), which adds further verification methods such as a phone call, security questions and so on.

Best practice is to have multiple verification methods for all users.

What next? In the upcoming articles we will discuss each Azure AD authentication method. Stay tuned 🙂

For more details on Azure AD, please see our other article Azure Identity And Access Management Part 1 – Azure Active Directory – Overview.

We have detailed series on Azure Active Directory, please have a look – https://knowledge-junction.in/category/azure-active-directory/


Thanks for reading 🙂 If it's worth at least reading once, kindly please like and share. SHARING IS CARING 🙂

Enjoy the beautiful life 🙂 Have a FUN 🙂 HAVE A SAFE LIFE 🙂 TAKE CARE 🙂

Prasham Sabadra

LIFE IS VERY BEAUTIFUL :) ENJOY THE WHOLE JOURNEY :) Founder of Knowledge Junction and live-beautiful-life.com, Author, Learner, Passionate Techie, avid reader. Certified Professional Workshop Facilitator / Public Speaker. Scrum Foundation Professional certificated. Motivational, Behavioral , Technical speaker. Speaks in various events including SharePoint Saturdays, Boot camps, Collages / Schools, local chapter. Can reach me for Microsoft 365, Azure, DevOps, SharePoint, Teams, Power Platform, JavaScript.


1 Response

  1. September 28, 2020

    […] Azure Active Directory (Azure AD) is Microsoft's enterprise cloud-based identity and access management (IAM) solution. Azure AD is the backbone of the Office 365 system, and it can sync with on-premise Active Directory and provide authentication to other cloud-based systems via OAuth. As an identity platform, one of its main features is to verify, or authenticate, credentials when a user signs in to a device, application, or service. We have very good articles on Azure authentication and they can be found here. […]
