Azure Identity & Security
Entra ID (formerly Azure Active Directory)
Entra ID is Azure’s cloud identity and access management service — the foundation of authentication and authorization in Azure. Unlike AWS IAM (which controls access to AWS APIs), Entra ID also handles user identity, device registration, and single sign-on (SSO) for SaaS applications.
```
# List users in your Entra ID tenant
az ad user list --output table

# Create a new user
# (the password passed on the command line ends up in shell history; prefer a prompt or a secret store)
az ad user create \
  --display-name "Jane Doe" \
  --user-principal-name jane@contoso.com \
  --password "P@ssw0rd123!" \
  --mail-nickname jane
```
Entra ID supports Conditional Access policies — rules that evaluate user, device, location, and application state before granting access. For example, you can require MFA for all console logins but skip MFA for trusted office IP ranges.
Entra ID vs AWS IAM
AWS IAM manages infrastructure access (API keys, roles for EC2/Lambda). Entra ID manages user identity (employees, guest users, device compliance). In modern architectures you use both — IAM for AWS resources, Entra ID for human authentication.
RBAC (Role-Based Access Control)
Azure RBAC defines who (security principal) can do what (role definition) to which resource (scope). Scopes are hierarchical: management group → subscription → resource group → resource.
```
# Assign Contributor role to a user at resource group scope
az role assignment create \
  --assignee jane@contoso.com \
  --role Contributor \
  --resource-group my-rg
```
Built-in roles include Owner, Contributor, Reader, and service-specific roles (e.g., Virtual Machine Contributor, Storage Blob Data Owner). You can also create custom roles.
Azure Policy
Azure Policy enforces organizational compliance by evaluating resources against rules. Unlike RBAC (who can act), Policy governs what resources are allowed.
```
{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "location",
      "notIn": ["eastus", "westus", "westeurope"]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```
This policy denies any resource creation outside approved regions. Azure Policy can also audit, append tags, or auto-remediate non-compliant resources.
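To make the if/then semantics of that rule concrete, here is an added example (not Azure's policy engine and not part of the original page): a small evaluator that loads the region rule above and reports the decision for a set of constructed resource records. It supports the page's `field`/`notIn` condition plus `equals`, `in`, `allOf`, `anyOf` and `not`; unlike the real engine, it compares values case-sensitively.

```python
import json
# The region rule from the page, verbatim; everything else here is an added sketch.
POLICY_JSON = """{
  "mode": "All",
  "policyRule": {
    "if": { "field": "location", "notIn": ["eastus", "westus", "westeurope"] },
    "then": { "effect": "deny" }
  }
}"""

def condition_matches(cond: dict, resource: dict) -> bool:
    """Evaluate one policy condition (field/notIn from the page, plus equals,
    in, allOf, anyOf and not) against a flat resource dict."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource)
    value = resource.get(cond["field"])  # e.g. "location" or "tags.env"
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy: dict, resource: dict) -> str:
    """Return the rule's effect when its `if` matches, else 'allow':
    Policy only acts on resources that satisfy the condition."""
    rule = policy["policyRule"]
    if condition_matches(rule["if"], resource):
        return rule["then"]["effect"].lower()
    return "allow"

# Constructed sample deployments; the last two sit outside the approved regions.
SAMPLE_RESOURCES = [
    {"name": "web-vm", "location": "eastus"},
    {"name": "db", "location": "westeurope"},
    {"name": "cache", "location": "southeastasia"},
    {"name": "legacy", "location": "brazilsouth"},
]

def audit_report(policy_json: str = POLICY_JSON, resources=SAMPLE_RESOURCES) -> dict:
    """Map each resource name to the decision the policy would produce."""
    policy = json.loads(policy_json)
    return {r["name"]: evaluate(policy, r) for r in resources}
print(audit_report())  # {'web-vm': 'allow', 'db': 'allow', 'cache': 'deny', 'legacy': 'deny'}
```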
Defender for Cloud
Defender for Cloud is Azure’s cloud security posture management (CSPM) and workload protection platform — comparable to AWS GuardDuty + Security Hub + Inspector combined.
```
# Enable Defender for Cloud on a subscription
az security pricing create \
  --name VirtualMachines \
  --pricing-tier Standard
```
It provides:
- Secure score — A percentage measuring your security posture
- Recommendations — Actionable steps to harden resources
- Just-in-time VM access — Lock down inbound ports and open them on approval
- File integrity monitoring — Track OS and application file changes
Key Vault
Azure Key Vault is a managed service for storing secrets, encryption keys, and certificates — equivalent to AWS Secrets Manager + KMS.
```
# Store a database connection string
az keyvault secret set \
  --vault-name my-vault \
  --name db-connection \
  --value "Server=tcp:my-server.database.windows.net;..."
```
Key Vault supports soft-delete and purge protection, and integrates with Azure RBAC and managed identities.
Managed Identities
Managed identities provide Azure services with an automatically managed identity in Entra ID — no need to embed credentials in code.
```
# Enable system-assigned managed identity on a VM
az vm identity assign \
  --resource-group my-rg \
  --name web-server
```
Once assigned, the VM can authenticate to any Azure resource that supports Entra ID authentication (Key Vault, Blob Storage, SQL Database) without storing any credentials.
Tip
Always use managed identities over service principals or access keys when possible. Managed identities rotate the credential automatically and eliminate the risk of leaked secrets.
Summary
Azure’s security model centers on Entra ID for identity, RBAC for fine-grained authorization, Azure Policy for governance guardrails, and Defender for Cloud for continuous posture monitoring. Together these services give enterprises the controls needed for regulated workloads.