Security and Identity Management in Azure

In this article, we will look into Azure Security and Identity management. This article is useful for those who are beginners in Azure and those who are preparing AZ 900 exam.

Azure Security

Azure provides Azure Security Center to manage and protect threat for hybrid cloud services. It also provides an Azure Secure score to improve the security score by adding more and more security controls for your Azure services.

Azure offers Basic protection and security features at no cost. Microsoft Azure provides advance level of security with Azure Defender and this is a paid feature by Microsoft Azure.

Azure Defender

It providers Just in Time VM access, Regulatory Compliance dashboard, threat protection for PaaS services.

Azure Sentinel

It is an advance security analytics feature given by Azure for entire enterprise. It is a Security Information and Event Management Solution (SIEM).
Azure Sentinel uses Artificial Intelligence to detect and respond for a threat detection.

Lifecycle of Microsoft Azure Sentinel

  • Collect Data
  • Detect the threat
  • Investigate the threat
  • Respond

Azure DDoS

DDoS (Distributed Denial of Services) attack is a large scale attack to affect the genuine traffic load to down the service or application.
Azure offers 2 DDoS protection-

DDoS Protection Basics

It protects against common network layer attack and is provided by default by Azure with no cost.
DDoS basics provides a basic level of protection from DDoS attack.

DDoS Protection Standard

It can prevent up to 60 different DDoS attack types. DDoS Standard is a paid Azure service.
It provides threat data, metrics and related reports to analyze. If you choose to enable DDoS Standard service, you will get quick support from DDoS protection Rapid Response Team (DRR Team)

Azure Key Vault

To run a software application, we need API Key, Database credentials, Password, Certificates and more. Azure recommend to not to store all these sensitive information within your code or application.

Instead of storing confidential information into your application, Azure offers Azure Key Vault to store these data in it.

So, in Azure Key Vault we can store API Keys, Certificate, Password etc.

As per Microsoft –

Azure Key Vault is a safeguard cryptographic keys and other secrets used by cloud applications and services.

Azure Active Directory Identity Management

Azure AD Identity Management allow users to manage identity and access in Azure cloud.

Active Directory

Active Directory is a centralized database to store user’s credentials and authorization details.

Azure Active Directory

It is an active directory service in Azure to manage authentication and authorization to Azure resources.

Activer Directory Federation Service (ADFS) – It provides SSO (Single Sign On) features in Azure.

Azure AD Connect – It is a process to synchronize on-premise Active Directory with Azure Active Directory. It sync all the users with their credential and access details.

Azure Active Directory Multi Factor Authentication (Azure AD MFA)

Azure AD MFA uses any 2 of below authentication mechanism –

  • User id and password
  • From a trusted device
  • Finger print or Face recognition

Azure AD MFA is important for Administrator to avoid unauthorized access to Azure resource.
In order to enable Azure AD MFA, you need to use Azure Active Directory Identity Protection.

Azure Active Directory also offers self service password reset feature, only if Global admin enables it.

Conditional Access

Conditional Access is one of the premium services available in Azure Active Directory with P1 and P2 licenses only.

Suppose an user is logging to Azure services from an unexpected location or untrusted device, then in this case Multi Factor Authintication (MFA) should be mandatory to avoid unauthorize access.

Role Based Access Control (RBAC)


RBAC in Azure is used to configure Authorization for Azure resources.
It contains below information –

  • Who is the user? (User Credentials)
  • What permission he/ she has? (User Role)
  • What Scope? (Resource/ Subscription)

Other Points to note for Security and Identity in Azure

  • Changing default directory in Azure doesn’t change billing ownership for that subscription.
  • One Azure subscription can be connected to one Azure AD Directory.
  • One Azure AD Directory can not be associated to more than one Azure Subscription., however multiple Azure subscription can linked to same Azure AD Directory.
  • When an Azure Subscription expires, the linked Azure AD tenant is not deleted. It can be linked to a different subscription.

Hope you like this article.

If you are preparing for AZ 900 certification, then follow this link - Microsoft Azure Fundamentals (AZ-900) Certification Sample Questions
Please follow and like us:

Leave a Comment