Azure Active Directory
IDENTITY
Anything that can be authenticated. An identity can be a user with a username and password.
Identities also include applications or other servers that may need to authenticate with secret
keys or certificates.
ACCOUNT
An identity that has data associated with it. You cannot have an account without an identity.
AZURE AD ACCOUNT
An identity created through Azure AD or another Microsoft cloud service, such as
Office 365. Identities are stored in Azure AD and accessible to your organization's cloud service
subscriptions. This account is also sometimes called a Work or school account.
AZURE SUBSCRIPTION
Used to pay for Azure cloud services. You can have many subscriptions, and each is linked to a
credit card.
AZURE TENANT
A dedicated and trusted instance of Azure AD that's automatically created when your
organization signs up for a Microsoft cloud service subscription, such as Microsoft Azure, Microsoft
Intune, or Office 365. An Azure tenant represents a single organization.
• Single tenant - Azure tenants that access other services in a dedicated environment are considered
single tenant.
• Multi-tenant - Azure tenants that access other services in a shared environment, across multiple
organizations, are considered multi-tenant.
ACCOUNT ADMINISTRATOR
This classic subscription administrator role is conceptually the billing owner of a subscription. This role enables
you to manage all subscriptions in an account.
SERVICE ADMINISTRATOR
This classic subscription administrator role enables you to manage all Azure resources, including access. This
role has the equivalent access of a user who is assigned the Owner role at the subscription scope.
OWNER
This role helps you manage all Azure resources, including access. This role is built on a newer authorization
system called Azure role-based access control (Azure RBAC) that provides fine-grained access management to
Azure resources.
AZURE AD GLOBAL ADMINISTRATOR
This administrator role is automatically assigned to whoever created the Azure AD tenant. You can
have multiple Global administrators, but only Global administrators can assign administrator roles (including
assigning other Global administrators) to users.
AZURE AD DIRECTORY
Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the
tenant's users, groups, and apps and is used to perform identity and access management functions for tenant
resources.
CUSTOM DOMAIN
Every new Azure AD directory comes with an initial domain name, for example domainname.onmicrosoft.com. In
addition to that initial name, you can add your organization's own domain names to the list, including the
names you use to do business and the names your users use to access your organization's resources. Adding
custom domain names lets you create user names that are familiar to your users, such as
[email protected].
MICROSOFT ACCOUNT (MSA)
Personal accounts that provide access to your consumer-oriented Microsoft products and cloud
services. These products and services include Outlook, OneDrive, Xbox LIVE, or Microsoft 365. Your Microsoft
account is created and stored in the Microsoft consumer identity account system that's run by Microsoft.
AZURE AD LICENSES
To enhance your Azure AD implementation, you can also add paid features by upgrading to Azure
Active Directory Premium P1 or Premium P2 licenses. Azure AD paid licenses are built on top of your existing
free directory. The licenses provide self-service, enhanced monitoring, security reporting, and secure access for
your mobile users.
1. Azure Active Directory Free - Provides user and group management, on-premises directory synchronization,
basic reports, self-service password change for cloud users, and single sign-on across Azure, Microsoft 365, and
many popular SaaS apps.
2. Azure Active Directory Premium P1 - In addition to the Free features, P1 also lets your hybrid users access
both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups,
self-service group management, Microsoft Identity Manager, and cloud write-back capabilities, which allow
self-service password reset for your on-premises users.
3. Azure Active Directory Premium P2 - In addition to the Free and P1 features, P2 also offers Azure Active
Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical company
data, and Privileged Identity Management to help discover, restrict, and monitor administrators and their
access to resources and to provide just-in-time access when needed.
4. "Pay as you go" feature licenses - You can also get licenses for features such as Azure Active Directory
Business-to-Customer (B2C). B2C can help you provide identity and access management solutions for your
customer-facing apps.
https://learn.microsoft.com/en-us/azure/active-directory/
FEATURES OF AZURE AD
Application management
Manage your cloud and on-premises apps using Application Proxy, single sign-on, the My Apps portal,
and Software as a Service (SaaS) apps.
Authentication
Manage Azure Active Directory self-service password reset, Multi-Factor Authentication, custom
banned password list, and smart lockout.
Azure Active Directory for developers
Build apps that sign in all Microsoft identities and get tokens to call Microsoft Graph, other Microsoft APIs,
or custom APIs.
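The tenant entries and this developer entry describe one mechanism: a tenant is the issuer boundary for every token, and an app that signs in "all Microsoft identities" receives tokens from many tenants, so the API behind it must check which tenant issued each token and that the token was issued for this API. The following is an added example, not code from the original page or from Microsoft; it performs the claim checks that follow signature verification, and the tenant IDs, object ID, audience URI and token are constructed placeholders.

```python
import base64
import json

# Assumption: a multi-tenant app registration that only admits these tenants.
# Tenant, object and audience values below are constructed placeholders.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
EXPECTED_AUDIENCE = "api://contoso-backend"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Split a compact JWT into its claims. RS256 signature verification
    against the issuing tenant's published keys is assumed to precede this."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "RS256":  # Azure AD signs access tokens with RS256
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    return json.loads(_unb64url(payload_b64))


def check_tenant_binding(claims: dict, now: int) -> list:
    """Return a list of problems; empty means the token came from an allowed
    tenant (tid), from that tenant's issuer (iss), for this API (aud), and is
    still valid (exp). A token minted for another resource must be rejected."""
    problems = []
    tid = claims.get("tid")
    if tid not in ALLOWED_TENANTS:
        problems.append(f"tenant {tid!r} not allowed")
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        problems.append("issuer does not match tid")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        problems.append(f"audience {claims.get('aud')!r} is not this API")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_test_token(**overrides) -> str:
    """Build a constructed token with a placeholder signature for local tests."""
    tid = "11111111-1111-1111-1111-111111111111"
    claims = {"tid": tid, "iss": f"https://login.microsoftonline.com/{tid}/v2.0",
              "aud": EXPECTED_AUDIENCE, "oid": "22222222-2222-2222-2222-222222222222",
              "exp": 4_000_000_000}
    claims.update(overrides)
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"
```

A token whose `iss` names a different tenant than its `tid`, or whose `aud` is another resource such as Microsoft Graph, is reported rather than accepted, which is the check a multi-tenant API relies on.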
Business-to-Business (B2B)
Manage your guest users and external partners, while maintaining control over your own corporate
data.
Business-to-Customer (B2C)
Customize and control how users sign up, sign in, and manage their profiles when using your apps.
Conditional Access
Manage access to your cloud apps.
Device Management
Manage how your cloud or on-premises devices access your corporate data.
Domain services
Join Azure virtual machines to a domain without using domain controllers.
Enterprise users
Manage license assignments, access to apps, and set up delegates using groups and administrator
roles.
Hybrid identity
Use Azure Active Directory Connect and Connect Health to provide a single user identity for
authentication and authorization to all resources, regardless of location (cloud or on-premises).
Identity governance
Manage your organization's identity through employee, business partner, vendor, service, and app
access controls. You can also perform access reviews.
Identity protection
Detect potential vulnerabilities affecting your organization's identities, configure policies to respond to
suspicious actions, and then take appropriate action to resolve them.
Managed identities for Azure resources
Provide your Azure services with an automatically managed identity in Azure AD that can authenticate
to any service that supports Azure AD authentication, including Key Vault.
Privileged identity management (PIM)
Manage, control, and monitor access within your organization. This feature includes access to
resources in Azure AD and Azure, and other Microsoft Online Services, like Microsoft 365 or Intune.
Reports and monitoring
Gain insights into the security and usage patterns in your environment.
Workload identities
Give an identity to your software workload (such as an application, service, script, or container) to
authenticate and access other services and resources.