# Azure Active Directory

**Azure Active Directory (Azure AD)**, renamed **Microsoft Entra ID** in 2023 (the portal and documentation now use the new name, but the concepts below are unchanged), is Microsoft's cloud-based identity and access management service. It manages users, groups and applications, and provides single sign-on (SSO) to Azure, Microsoft 365 and third-party cloud applications.

Azure AD acts as a central hub for managing and securing user identities and their access to resources in the cloud. It provides features such as user authentication, authorization, and access management, which can help organizations to secure their cloud-based assets and comply with industry regulations and standards.

## Tenants and Directories

A *tenant* is a dedicated instance of Azure AD that an organization or company uses to manage identity and access for its users and applications. Each tenant has its own set of users, groups, and applications, and is isolated from other tenants.

A *directory* is the container that holds those objects: users, groups, applications (service principals) and devices.

In Azure AD the two words describe the same thing: every tenant is exactly one directory, and a tenant cannot hold more than one. What you can have is several tenants associated with one Azure account (for example a production tenant and a test tenant), between which you switch in the portal. Additionally, you can invite users from other Azure AD tenants into yours as guests, which is how cross-organisation collaboration works without sharing credentials.

### Default Directory

When you sign up for Azure, a tenant (and therefore a directory) is created automatically; its display name is **Default Directory**, which is why the portal refers to it that way. It contains everything you need to manage user identities and their access to resources in the cloud.

The tenant is identified by two values that are unique across Azure: a *tenant ID* (a GUID) and an *initial domain* of the form `<name>.onmicrosoft.com`, both generated when the tenant is created. The display name is only a label: you can change it in Azure Active Directory at any time without affecting sign-in or application configuration. The tenant ID and initial domain cannot be changed, which is why organisations add and verify a custom domain such as `aicore.com` rather than renaming anything.

You can see the default directory name following these steps:
- Sign in to the Azure portal
- Search **Azure Active Directory** in the search-bar to access this service
- In left-hand side menu bar select **Properties** under the **Manage** section. 
- You can find the default directory name in the **Tenant properties** tab, under **Name**, next to the **Tenant ID** that scripts, tokens and role assignments refer to

## Users

In Azure Active Directory (Azure AD), *users* are the identities that represent people who need access to your organisation's resources. They can be internal users (employees or contractors, whose accounts live in your tenant) or external guest users (such as vendors or partners, who sign in with an identity from their own organisation). Applications and automation are represented separately as service principals and managed identities, and devices as device objects; none of those are users.

When you create a user in Azure AD, you can assign them to specific roles and groups that determine their level of access to resources in your organization. Azure AD provides several built-in roles that you can use to control access, as well as custom roles that you can create to suit your organization's needs.

### Create a new user in Azure AD
To create a new user in Azure AD, follow these steps:
- Access the **Azure Active Directory** from the Azure portal
- In the **Azure Active Directory** page, click on **Users** under the **Manage** section
- Click on the **New user** button at the top of the page, and select **Create new user**. This will open the following page:

<p align="center">
    <img src="images/CreateNewUser.png" height="500" width="800"/>
</p>

- Fill in the user's details: the user principal name, the display name and the initial password

#### Principal Name

When creating a new user in Azure AD, you will be prompted to enter a *User Principal Name (UPN)* for the user. The UPN is a unique identifier for the user that is used for sign-in purposes. It typically takes the form of an email address.

The *@domain* portion of the UPN must be a domain that your tenant owns: either the initial `<name>.onmicrosoft.com` domain or a custom domain you have added and verified, such as `aicore.com`. The portal only offers domains that are already verified, and the Azure CLI and Graph API reject any other suffix.

#### Password

If you choose to set the password manually, you can enter a password that meets your organisation's password complexity requirements. Alternatively, you can let Azure AD auto-generate a password for the user, which guarantees a certain level of complexity and randomness. To generate a password, tick the **Auto-generate password** option in the **Password** field. Azure AD will then generate a strong, random password that you can copy (using the **Copy to clipboard** button) and share with the user, preferably through a different channel from the one used for the username. A password set by an administrator is temporary: the user is required to change it at first sign-in, so it should never be reused as a long-term credential or left in a ticket or chat log.

- Finally, to create the user click **Review + create**, and once the validations have passed click **Create**. The deployment might take a couple of minutes to complete. You should then be able to see the newly created user in the users list.

You can now sign in as the new user, using the **User Principal Name** and the password created in the previous steps. Once signed in, the user has access to whatever Azure resources you have assigned to them through their roles and permissions.

If you did not assign any roles when creating the user, the user can still sign in to the Azure portal: neither Azure AD roles nor Azure resource roles are required for authentication. What they will see, however, is an empty portal, with no subscriptions or resources, and only the default member permissions in the directory (such as reading other users and groups). They cannot create or manage anything until you assign them a role at the appropriate scope, which we will look at in a later section.

### Invite a new user using Azure AD

In addition to creating a new user in Azure AD by manually entering their details, you can also invite users to create their own accounts by using the **Invite external user** option.

<p align="center">
    <img src="images/InviteNewUser.png" height="500" width="800"/>
</p>

You will need to enter the email address and display name of the user you want to invite. Optionally you can customise the message that will be included in the invitation email. An email invitation will be sent to the user's email address. The email will contain a link that the user can use to create their own account and set their own password.

<p align="center">
    <img src="images/UserInvitation.png" height="500" width="800"/>
</p>

When the user clicks on the link in the email, they are asked to sign in with the identity that matches the invited address: their own organisation's Azure AD account, a Microsoft account, or, if neither exists, a one-time passcode sent to that address. No password is created or stored in your tenant; the guest keeps authenticating against their home identity provider, and your tenant holds only a *guest* user object (its UPN takes the form `name_domain.com#EXT#@<tenant>.onmicrosoft.com`). Once redemption is complete they are added to the group or groups you specified in the invitation, with the roles and permissions assigned to those groups. Guests have fewer default directory permissions than members, and their access should be reviewed regularly, since their home organisation, not you, decides whether the underlying account stays active.
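The two procedures above (creating a member user and inviting a guest) can be scripted with the Azure CLI. The following is an added example, not code from the original page: it assumes `az login` has been run with User Administrator rights, that `aicore.com` is a verified domain of the tenant, and that the user and guest named in it are made up. The local helpers (password policy check, UPN validation, invitation body) run offline; nothing talks to Azure unless `RUN_AZ=1` is set.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: the "Create new user" and
# "Invite external user" procedures above, driven by the Azure CLI instead
# of the portal. Assumptions: `az login` has been run with User Administrator
# rights, aicore.com is a verified domain of the tenant, and the names and
# addresses below are made up. Nothing talks to Azure unless RUN_AZ=1.
set -eu
export LC_ALL=C

TENANT_DOMAIN="${TENANT_DOMAIN:-aicore.com}"

# Azure AD's cloud password policy: 8 to 256 characters and at least three of
# the four classes (lowercase, uppercase, digit, symbol). Returns 0 if $1 passes.
password_meets_policy() {
  local pw="$1" classes=0
  [ "${#pw}" -ge 8 ] && [ "${#pw}" -le 256 ] || return 1
  case "$pw" in *[a-z]*) classes=$((classes + 1)) ;; esac
  case "$pw" in *[A-Z]*) classes=$((classes + 1)) ;; esac
  case "$pw" in *[0-9]*) classes=$((classes + 1)) ;; esac
  case "$pw" in *[!A-Za-z0-9]*) classes=$((classes + 1)) ;; esac
  [ "$classes" -ge 3 ]
}

# 24 random characters from /dev/urandom, regenerated until the policy is met.
generate_password() {
  local pw
  while :; do
    pw=$(head -c 512 /dev/urandom | tr -dc 'A-Za-z0-9@#%+=!' | head -c 24)
    if [ "${#pw}" -eq 24 ] && password_meets_policy "$pw"; then
      printf '%s\n' "$pw"
      return 0
    fi
  done
}

# A UPN is <local-part>@<domain>; the domain must be verified in the tenant or
# `az ad user create` fails. The local-part character set here is a house
# convention (an assumption), stricter than what Azure AD itself allows.
validate_upn() {
  local upn="$1" local_part="${1%@*}"
  case "$upn" in ?*@"$TENANT_DOMAIN") ;; *) return 1 ;; esac
  case "$local_part" in *[!A-Za-z0-9._-]*) return 1 ;; esac
  return 0
}

# Cloud-only member user with a temporary password; Azure AD forces a change
# at first sign-in. The password goes to stderr once, for out-of-band hand-over.
create_member_user() {   # $1 = UPN, $2 = display name; prints the object id
  validate_upn "$1" || { echo "refusing UPN '$1': not under $TENANT_DOMAIN" >&2; return 1; }
  local pw
  pw=$(generate_password)
  az ad user create \
    --user-principal-name "$1" \
    --display-name "$2" \
    --password "$pw" \
    --force-change-password-next-sign-in true \
    --query id -o tsv
  printf 'temporary password for %s (share out of band): %s\n' "$1" "$pw" >&2
}

# Guest invitation through Microsoft Graph. The guest signs in with their home
# identity, so no password is created in this tenant.
invitation_body() {   # $1 = e-mail address, $2 = display name
  printf '{"invitedUserEmailAddress":"%s","invitedUserDisplayName":"%s",' "$1" "$2"
  printf '"inviteRedirectUrl":"https://myapps.microsoft.com","sendInvitationMessage":true}'
}

invite_guest() {   # $1 = e-mail address, $2 = display name; prints the guest's object id
  az rest --method POST \
    --url "https://graph.microsoft.com/v1.0/invitations" \
    --headers "Content-Type=application/json" \
    --body "$(invitation_body "$1" "$2")" \
    --query "invitedUser.id" -o tsv
}

if [ "${RUN_AZ:-0}" = "1" ]; then
  create_member_user "jane.doe@$TENANT_DOMAIN" "Jane Doe"
  invite_guest "partner@example.com" "Partner Contact"
fi
```

Run it as `RUN_AZ=1 ./provision-users.sh` after `az login`. The temporary password is printed to stderr rather than returned on stdout so that it does not end up in whatever captures the object id; the `validate_upn` check fails early instead of letting `az` produce a less specific error for a UPN under an unverified domain.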

## Groups

*Groups* in Azure AD are used to manage access to resources and applications in your organization. They can be used to simplify access management, and to ensure that the right users have access to the right resources.

Groups can be created for different purposes, such as for teams, departments, or projects. By adding users to a group, you can grant them access to resources that the group is authorized to access. 
> This is more efficient than managing access individually for each user.

### Create a group in Azure AD

To create a new group in Azure AD, follow these steps:
- Access the **Azure Active Directory** from the Azure portal
- In the **Azure Active Directory** page, click on **Groups** under the **Manage** section
- Click on the **New group** button at the top-left of the page
- In the **New group** pane, select the group type that you want to create. Here, I will choose **Security**

#### Group types

*Security groups* are used to manage access to resources in Azure AD. You can use security groups to assign permissions to resources such as applications or other groups. You can also use security groups to control access to Azure resources like virtual machines, storage accounts, and databases.

*Microsoft 365 groups* are used for collaboration and communication within Microsoft 365 apps like Teams, SharePoint, and Outlook. When you create a Microsoft 365 group in Azure AD, a corresponding group is created in Microsoft 365. Members of the group can collaborate on documents, share files, and communicate with each other using Microsoft 365 apps.

Note that the collaboration features of Microsoft 365 groups require a Microsoft 365 subscription. Security groups are available to all Azure AD customers.

- Enter a name and a description for the group
- Click the **Create** button to create the group

Once the group is created, you can manage its settings and membership by selecting it from the list of groups in the Azure Active Directory Groups page.

> Creating a group requires the right permissions. By default Azure AD lets any member (non-guest) user create security groups; administrators commonly turn that off under **Groups > General** (the *Users can create security groups* setting), after which only users holding a role such as **Groups Administrator**, **User Administrator** or **Global Administrator** can create them. We will discuss roles in a future section.

### Add members to a group

To add members to a group, you need to navigate to the **Groups** page in Azure AD. Select the group you want to add members to, and then navigate to **Members** on the left-hand side menu under the **Manage** section.

Click on **Add members** and select the users you want to add to the group. For example, you can select the user previously created, and then press **Select**.

<p align="center">
    <img src="images/SelectMembers.png" height="500" width="800"/>
</p>

Once you have added members to the group, they will inherit the permissions and access rights associated with the group. You can also remove members from the group by selecting the user and clicking on **Remove**.

> In addition to adding individual users to groups, you can also add entire groups as members to another group. This can be useful if you want to grant access to a resource to a team or department rather than individual users.
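The group creation and membership steps above can be driven declaratively: instead of adding and removing members by hand, hold the intended membership in a roster and reconcile the group against it. The following is an added example, not code from the original page; it assumes `az login` as a Groups Administrator (or higher), and the group name and object ids in it are made up. The set arithmetic runs locally, and Azure is only touched when `RUN_AZ=1`.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: the "Create a group" and
# "Add members" procedures above as an idempotent membership sync with the
# Azure CLI, so a group can be driven from a roster rather than clicked
# together. Assumptions: `az login` as a Groups Administrator (or higher); the
# group name and object ids below are made up. Azure is only touched when
# RUN_AZ=1; the set arithmetic runs locally.
set -eu
export LC_ALL=C

# mailNickname is mandatory even for security groups and must be unique in the
# tenant; derive it from the display name (letters and digits only, max 64).
mail_nickname() {
  printf '%s' "$1" | tr -cd 'A-Za-z0-9' | cut -c1-64
}

# Lines of $1 that do not occur in $2 (set difference on newline-separated
# object ids); blank lines and duplicates are ignored.
list_minus() {
  local a b
  a=$(mktemp) b=$(mktemp)
  printf '%s\n' "$1" | grep . | sort -u >"$a" || true
  printf '%s\n' "$2" | grep . | sort -u >"$b" || true
  comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

create_security_group() {   # $1 = display name; prints the group object id
  az ad group create \
    --display-name "$1" \
    --mail-nickname "$(mail_nickname "$1")" \
    --query id -o tsv
}

current_members() {   # $1 = group object id; one member object id per line
  az ad group member list --group "$1" --query "[].id" -o tsv
}

# Make the group's direct membership exactly $2 (newline-separated object ids
# of users or, for nesting, other groups). Re-running it is a no-op.
sync_group_members() {   # $1 = group object id, $2 = desired member ids
  local have id
  have=$(current_members "$1")
  for id in $(list_minus "$2" "$have"); do
    az ad group member add --group "$1" --member-id "$id"
  done
  for id in $(list_minus "$have" "$2"); do
    az ad group member remove --group "$1" --member-id "$id"
  done
}

if [ "${RUN_AZ:-0}" = "1" ]; then
  GROUP_ID=$(create_security_group "Platform Team (UK)")
  JANE=$(az ad user show --id jane.doe@aicore.com --query id -o tsv)
  ADMINS=$(az ad group show --group "Platform Admins" --query id -o tsv)   # nested group
  sync_group_members "$GROUP_ID" "$JANE
$ADMINS"
  az ad group member check --group "$GROUP_ID" --member-id "$JANE" --query value -o tsv   # prints true
fi
```

Because the sync removes anyone not on the roster, the roster file becomes the reviewable source of truth for who has the group's access; a stray member added through the portal disappears at the next run, which is the behaviour you want for a group that carries role assignments.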

## Role-Based Access Control

*Role-Based Access Control (RBAC)* is the authorisation system that controls access to resources in Azure. With RBAC, you assign roles to users, groups, service principals and managed identities at a particular *scope*: a management group, a subscription, a resource group or a single resource.

> RBAC enables you to manage permissions effectively by granting the minimum level of access required to perform a task. RBAC also enables you to control who can manage resources and what actions they can perform on them.

Azure RBAC ships with a large catalogue of built-in roles (**Virtual Machine Contributor**, **Storage Blob Data Reader** and so on), and you can define custom roles. Four of them are general-purpose and apply to every resource type:
- *Owner*: full access to all resources, including the right to assign roles to others
- *Contributor*: can create and manage all resources but cannot grant access to others
- *Reader*: can view all resources but cannot make any changes
- *User Access Administrator*: can manage who has access to resources, but cannot manage the resources themselves

### Assign roles in Azure AD

Roles assigned in Azure AD are *Azure AD roles* (also called directory roles). They govern what a user can do to the directory itself, such as managing users, groups, applications and tenant settings, and they apply tenant-wide rather than to a particular subscription or resource. They do not, by themselves, grant any access to Azure resources such as virtual machines or storage accounts; that is the job of Azure RBAC, covered in the next section.

To assign a role to a user or group in Azure AD, you must follow these steps:
- Navigate to the user or group you want to assign the role to, for example the user we previously created.
- Click on **Assigned roles** in the left-hand menu
- Click on **Add assignments** and select the role you want to assign

<p align="center">
    <img src="images/AssignRoles.png" height="500" width="800"/>
</p>

For example, you could select **Global Reader**, which allows this user to read everything a **Global Administrator** can but not change anything.
- Click **Save** to assign the role

### Assign roles using Azure's IAM feature

On the other hand, Azure's *Access control (IAM)* feature manages Azure RBAC, which works at a more granular level. With IAM, you assign roles to users, groups, service principals and managed identities for a specific scope, such as a subscription, a resource group, or a single virtual machine, storage account or database. An assignment applies to its scope and everything beneath it: a role assigned on a resource group covers every resource in that group, and one assigned on a subscription covers every resource group in it.

Here's an example of using IAM to allow access to a user to a virtual machine in Azure:
- Navigate to the virtual machine in the Azure portal
- Select **Access control (IAM)** from the left-hand menu
- Click on the **Add** button and then **Add role assignment** to add a new role assignment

<p align="center">
    <img src="images/AddRoleAssignment.png" height="500" width="800"/>
</p>

- In the **Add role assignment** panel, select the appropriate role (e.g. **Virtual Machine Contributor**) from the dropdown menu. Click **Next** to proceed to the **Members** section
- In the **Assign access to** section, select **User, group, or service principal**
- Search for and select the user you want to grant access to
- Click **Select** to complete the role assignment and then finish assigning this role

Once the role assignment is saved, the user has the permissions the role grants at that scope and nothing more. Read the role definition rather than trusting the name: **Virtual Machine Contributor** lets the user create, start, stop, restart and delete virtual machines and manage their disks and network interfaces, but not modify the virtual network or storage account the machine uses, and not assign roles to anyone. It does, however, include listing storage account keys, which is more than many people expect from the name. The complete list of permitted operations is shown in the portal under the role's **Permissions** tab.

> Therefore, if you want to assign roles to a user or group for a specific Azure resource or resource group, you would use IAM. If you want to assign roles to a user or group at the Azure AD level, you would use the Azure AD **Assigned Roles** feature.

It is also worth being clear that the two systems do not overlap or take precedence over each other: Azure AD roles control the directory and Azure RBAC controls resources. A user's ability to act on a virtual machine is decided by their Azure RBAC assignments alone, and their ability to reset another user's password by their Azure AD roles alone. The one bridge between them is that a **Global Administrator** can elevate their own access to **User Access Administrator** at the root scope of every subscription in the tenant, which turns a directory role into control over all Azure resources; keep that role rare and alert on the elevation event in the activity log. In practice, keep both sets of assignments as small and as narrowly scoped as possible, and prefer assigning roles to groups rather than to individual users.
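The IAM assignment above, its Azure AD counterpart, and the check a practitioner should make before either (what does this role actually permit?) can all be done from the command line. The following is an added example, not code from the original page. It assumes `az login` as an Owner or User Access Administrator on the scope (and Privileged Role Administrator for the directory role) when `RUN_AZ=1`; the subscription id, resource group, VM and user in it are made up, and the role definition excerpts are constructed from a few entries of the real built-in roles rather than being the complete lists. The scope builders and the permission matcher run offline.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: the Access control (IAM)
# assignment above done with the Azure CLI, the Azure AD "Assigned roles"
# equivalent through Microsoft Graph, and the check to make before either:
# what does the role actually permit? Assumptions: `az login` as an Owner or
# User Access Administrator on the scope (and a Privileged Role Administrator
# for the directory role) when RUN_AZ=1; the subscription id, resource group,
# VM and user below are made up, and the role excerpts are constructed.
set -eu
export LC_ALL=C

# Azure RBAC scopes, broadest to narrowest; assignments inherit downwards, so
# assign at the narrowest scope that does the job.
scope_subscription()   { printf '/subscriptions/%s' "$1"; }
scope_resource_group() { printf '%s/resourceGroups/%s' "$(scope_subscription "$1")" "$2"; }
scope_vm() { printf '%s/providers/Microsoft.Compute/virtualMachines/%s' "$(scope_resource_group "$1" "$2")" "$3"; }

# Azure permits an operation under a role when it matches at least one Actions
# entry and no NotActions entry. Entries are case-insensitive patterns in which
# '*' matches anything, '/' included; lists here are one entry per line, the
# format `az role definition list ... -o tsv` prints.
role_permits() {   # $1 = Actions, $2 = NotActions, $3 = operation; 0 = permitted
  local op pat matched=1
  op=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
  while IFS= read -r pat; do
    [ -n "$pat" ] || continue
    pat=$(printf '%s' "$pat" | tr '[:upper:]' '[:lower:]')
    case "$op" in $pat) matched=0 ;; esac
  done <<EOF
$1
EOF
  [ "$matched" -eq 0 ] || return 1
  while IFS= read -r pat; do
    [ -n "$pat" ] || continue
    pat=$(printf '%s' "$pat" | tr '[:upper:]' '[:lower:]')
    case "$op" in $pat) return 1 ;; esac
  done <<EOF
$2
EOF
  return 0
}

# Constructed excerpts of two built-in roles, limited to the entries discussed
# in the text. Fetch the real, complete lists with:
#   az role definition list --name "Virtual Machine Contributor" \
#     --query "[0].permissions[0].actions" -o tsv      # and .notActions
VM_CONTRIBUTOR_ACTIONS='Microsoft.Authorization/*/read
Microsoft.Compute/virtualMachines/*
Microsoft.Compute/disks/write
Microsoft.Compute/disks/read
Microsoft.Compute/disks/delete
Microsoft.Network/networkInterfaces/*
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Storage/storageAccounts/listKeys/action'
VM_CONTRIBUTOR_NOTACTIONS=''
CONTRIBUTOR_ACTIONS='*'
CONTRIBUTOR_NOTACTIONS='Microsoft.Authorization/*/Delete
Microsoft.Authorization/*/Write
Microsoft.Authorization/elevateAccess/Action'

assign_role() {   # $1 = principal object id, $2 = role name, $3 = scope
  az role assignment create --assignee-object-id "$1" --assignee-principal-type User \
    --role "$2" --scope "$3" -o none
}

# Everything a principal holds at a scope, including assignments inherited
# from the resource group, subscription and management group above it.
show_effective_assignments() {   # $1 = principal object id, $2 = scope
  az role assignment list --assignee "$1" --scope "$2" --include-inherited \
    --query "[].{role:roleDefinitionName, scope:scope}" -o table
}

# Azure AD (directory) roles are a separate system assigned through Graph;
# this is what the portal's "Assigned roles" blade does.
assign_directory_role() {   # $1 = principal object id, $2 = role name, e.g. "Global Reader"
  local name role_id
  name=$(printf '%s' "$2" | sed 's/ /%20/g')
  role_id=$(az rest --method GET \
    --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?\$filter=displayName%20eq%20'$name'" \
    --query "value[0].id" -o tsv)
  az rest --method POST \
    --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments" \
    --body "{\"principalId\":\"$1\",\"roleDefinitionId\":\"$role_id\",\"directoryScopeId\":\"/\"}" \
    --query id -o tsv
}

if [ "${RUN_AZ:-0}" = "1" ]; then
  SUB="00000000-0000-0000-0000-000000000000"
  USER_ID=$(az ad user show --id jane.doe@aicore.com --query id -o tsv)
  VM_SCOPE=$(scope_vm "$SUB" rg-app vm-web01)
  assign_role "$USER_ID" "Virtual Machine Contributor" "$VM_SCOPE"
  show_effective_assignments "$USER_ID" "$VM_SCOPE"
  assign_directory_role "$USER_ID" "Global Reader"
fi
```

Feed `role_permits` the real lists from `az role definition list` and ask it about the operations you care about before assigning: on the excerpt above it reports that Virtual Machine Contributor permits `Microsoft.Compute/virtualMachines/delete` and `Microsoft.Storage/storageAccounts/listKeys/action` but not `Microsoft.Network/virtualNetworks/write` or `Microsoft.Authorization/roleAssignments/write`, and that Contributor's `*` is cut back by its NotActions so it also cannot write role assignments. `show_effective_assignments` is the counterpart check after the fact: an assignment inherited from the subscription can quietly make the narrowly scoped one redundant.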


## Key Takeaways

- Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service
- A tenant is a dedicated instance of Azure AD that is used to manage identity and access for a single organization or customer
- A directory is the container for those objects (users, groups, applications, devices); tenant and directory are two names for the same thing
- The tenant created when you sign up for Azure is shown as **Default Directory**; its display name can be changed freely, but its tenant ID and initial `.onmicrosoft.com` domain cannot
- Users are objects in Azure AD that represent people who use your organization's resources
- Groups in Azure AD are used to organize users and manage their access to resources
- There are two types of groups in Azure AD: security groups, which are used to assign permissions to resources, and Microsoft 365 groups, which are used for collaboration
- Role-based access control (RBAC) is a built-in authorization system in Azure that allows you to manage access to Azure resources based on the roles assigned to users or groups
- Azure RBAC is managed through the **Access control (IAM)** blade of a subscription, resource group or resource; the **Assigned roles** tab of a user in Azure AD manages Azure AD (directory) roles, which are a separate system and grant no access to Azure resources