Explain Azure AD identity types


In this tutorial, we will learn and understand the various Azure AD identity types.

Azure AD manages different types of identities:

1. User

A user identity is a representation of something that Azure AD manages; employees and guests are the users in Azure AD. If you have several users with the same access needs, you can create a group: instead of assigning access privileges individually, you use the group to grant access permissions to all of its members.

2. Service principal

A service principal is a secure identity that enables an application or service to access Azure resources. You may think of it as the application's identity. Before it can outsource its identity and access functions to Azure AD, an application must first register with Azure AD.

A service principal is created in each tenant where the application is used and references the globally unique application object. The service principal defines what the app does in that tenant: who can access the app, and what resources the app can access.

3. Managed identity

A managed identity is an identity in Azure AD that Azure creates and manages automatically. Managed identities are typically used to handle the credentials a cloud application needs to authenticate to an Azure service, so the application does not have to store them itself. There are several benefits to using managed identities, including:

  • Firstly, application developers can authenticate to services that support managed identities for Azure resources.
  • Secondly, any Azure service that supports Azure AD authentication can use managed identities to authenticate to another Azure service.
  • Lastly, there is no extra cost.
Types of Managed Identity

There are two types of managed identities:

  • Firstly, System-assigned. Some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, an identity is created in Azure AD that is tied to the lifecycle of that service instance. When the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.
  • Secondly, User-assigned. You may also create a managed identity as a standalone Azure resource. You create the user-assigned managed identity yourself and then assign it to one or more instances of an Azure service.
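
As an added example (not code from this page or from Microsoft's documentation), the Python below shows how a workload running on an Azure resource actually uses its managed identity: it asks the local Instance Metadata Service (IMDS) for a token, with no client_id for the system-assigned identity or with a user-assigned identity's client_id to select that one, and then checks the object id in the returned token before trusting that it got the identity it expected. The IMDS URL, the Metadata header and the api-version are the documented ones; the sample token and the object id are constructed placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

# Documented IMDS endpoint reachable only from inside an Azure resource.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"

def build_imds_request(resource, client_id=None):
    """Return (url, headers) for an IMDS token request.

    Without client_id IMDS uses the system-assigned identity: usable only by
    this resource and deleted with it. A user-assigned identity's client_id
    selects that standalone identity instead (it can serve many resources).
    """
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}"
    # IMDS requires this header so forwarded or redirected requests are rejected.
    return url, {"Metadata": "true"}

def fetch_token(resource, client_id=None, timeout=2):
    """Call IMDS from inside an Azure resource; no secret is stored in code."""
    url, headers = build_imds_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]

def token_claims(jwt):
    """Decode the payload for inspection only: no signature check here, the
    resource server that receives the token is the one that validates it."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def identity_matches(jwt, expected_oid):
    """Check the token was issued to the managed identity we expect (oid)."""
    return token_claims(jwt).get("oid") == expected_oid

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed sample token, not a real Azure token; the oid is a placeholder.
SAMPLE_OID = "00000000-0000-0000-0000-000000000001"
SAMPLE_JWT = ".".join([_b64url({"alg": "RS256"}), _b64url({"oid": SAMPLE_OID}), "sig"])
```

Run fetch_token on an Azure VM or App Service with a managed identity enabled; everything else in the block runs anywhere.
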
4. Device

A device is a piece of hardware, such as a mobile device, laptop, server, or printer. Device identities can be set up in different ways in Azure AD to determine properties such as who owns the device. Using solutions like Microsoft Intune to manage devices in Azure AD helps a business secure its assets while maintaining security and compliance standards. There are several ways to add devices to Azure AD:

  • Firstly, Azure AD registered devices can be Windows 10, iOS, Android, or macOS devices. Azure AD registered devices are typically owned personally, rather than by the organization.
  • Secondly, Azure AD joined devices exist only in the cloud. Azure AD joined devices are owned by an organization and signed in with an account belonging to that organization. Users sign in to their devices with their Azure AD or synced Active Directory work or school accounts.
  • Lastly, Hybrid Azure AD joined devices can be Windows 7, 8.1, or 10, or Windows Server 2008 or newer. Hybrid Azure AD joined devices are owned by an organization and signed in with an Active Directory Domain Services account belonging to that organization.

Reference: Microsoft Documentation
