What is the azure active directory and how Azure AD works?

santosh
15 Jul, 2023

Introduction

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. It provides a comprehensive solution for managing user identities, enabling secure access to various applications and resources within an organization’s ecosystem. Azure AD serves as a centralized authentication and authorization platform, offering features such as single sign-on, multi-factor authentication, role-based access control, and integration with external identity providers. It is widely used by organizations to enhance security, streamline user management, and enable seamless access to cloud and on-premises applications.

! Let’s illustrate how Azure Active Directory (Azure AD) works with a sequence diagram

UserAzureADApplicationAccess requestAuthentication request (including client ID)Login pageEnter credentials (username, password)Validate credentialsAuthentication response (Success, including access token)Access grantedAuthentication response (Failure)Access deniedalt[Valid credentials][Invalid credentials]UserAzureADApplication

  1. User’s Access Request to the Application:

    • The user initiates a request to access the application’s resources, such as a web application or an API.

  2. Application’s Authentication Request to Azure AD:

    • The application sends an authentication request to Azure AD, indicating that it requires the user to be authenticated before granting access.
    • The request includes the application’s client ID, which is a unique identifier assigned to the application when it is registered with Azure AD. This client ID helps Azure AD identify and authorize the application during the authentication process.

  3. Azure AD’s Login Page Response to the User:

    • Azure AD responds to the application’s authentication request by presenting a login page to the user.
    • The login page is hosted by Azure AD and provides a secure environment for the user to enter their credentials.

  4. User’s Credential Submission to Azure AD:

    • The user enters their credentials, typically a username and password, into the login page.
    • The credentials are securely transmitted to Azure AD for validation.

  5. Azure AD’s Validation of the Credentials:

    • Azure AD validates the user’s credentials by comparing them with the stored information in its user directory.
    • If multi-factor authentication is enabled, Azure AD may also prompt the user for additional verification steps, such as a code sent to their mobile device.

  6. Authentication Response from Azure AD to the Application:

    • If the user’s credentials are valid, Azure AD generates an authentication response and issues an access token to the application.
    • The authentication response includes information such as the user’s unique identifier (object ID) and the tenant ID, which represents the Azure AD directory managing the authentication process.
    • The access token is a security token that contains claims about the user and their authorized access rights.

  7. Application’s Access Grant/Denial Response to the User:

    • Based on the authentication response received from Azure AD, the application determines whether to grant or deny access to the user.
    • If access is granted, the application proceeds to provide the requested resources or services.
    • If access is denied, the user may be prompted to re-enter their credentials or redirected to an error page indicating the denial of access.

Understanding Client ID, Tenant ID, and Scopes:

  • Client ID: A client ID is a unique identifier assigned to an application registered with Azure AD. It serves as a credential for the application to authenticate itself with Azure AD and helps Azure AD identify and authorize the application during the authentication process.
  • Tenant ID: A tenant ID represents the Azure AD directory that manages the user accounts and authentication process. It ensures that the user’s credentials are verified against the correct directory. Each Azure AD tenant has a unique tenant ID.
  • Scopes: Scopes define the level of access or permissions that an application requests from Azure AD. They specify the resources or actions that the application wants to access on behalf of the user. Scopes can be specific to the application or defined by industry standards like OAuth 2.0. For example, a scope may include “user.read” to request read access to user information.

API-to-API communication

Let’s illustrate how Azure AD can authenticate API-to-API communication using an example scenario and a corresponding sequence diagram.

Scenario: We have two applications, “App A” and “App B,” that need to communicate securely through API calls. Both applications are registered with Azure AD and require authentication for API access.

Here’s the sequence diagram depicting the authentication process:

AppAAppBAzureADAPI RequestAccess Token Request (Client Credentials Flow)Access Token (Client Credentials Flow)API Request with Access TokenAPI ResponseAppAAppBAzureAD

Explanation for each step:

  1. App A initiates an API request to App B.

    • App A needs to access a specific resource or functionality provided by App B.

  2. App B requests an access token from Azure AD.

    • App B authenticates itself with Azure AD using the client credentials flow.
    • The client credentials flow allows applications to obtain an access token without user involvement.
    • App B includes its client ID and client secret (or a certificate) in the request to Azure AD to prove its identity.

  3. Azure AD issues an access token to App B.

    • Azure AD validates the client credentials provided by App B and verifies its identity.
    • If the authentication is successful, Azure AD generates an access token for App B.
    • The access token contains information about the application’s identity and authorized permissions.

  4. App B includes the access token in the API request to App A.

    • App B includes the received access token in the authorization header of the API request to App A.
    • The access token serves as proof that App B has been authenticated by Azure AD and has the necessary permissions to access App A’s API.

  5. App A validates the access token.

    • App A receives the API request from App B, including the access token.
    • App A validates the access token by verifying its authenticity and checking its claims.
    • The validation process may include checking the token’s signature, expiration, and issuer.

  6. App A processes the API request and sends a response to App B.

    • If the access token is valid, App A processes the API request, performs the necessary operations, and generates a response.
    • App A sends the response back to App B, completing the API-to-API communication.

In this authentication process, Azure AD acts as the trusted identity provider and issues access tokens to authenticate the API-to-API communication between App A and App B. This ensures secure and authorized interaction between the applications.

The client credentials flow used in this example is suitable for application-to-application communication, where there is no user involved in the authentication process. Other authentication flows, such as authorization code flow or client credentials flow with user delegation, may be more appropriate depending on the specific requirements of your scenario.

Types of authentication Azure AD Supports

Azure Active Directory (Azure AD) offers various types of authentication methods to cater to different security and user experience requirements. Here are some common types of authentication supported by Azure AD:

  1. Username and Password Authentication:

    • This is the most common authentication method where users provide their username and password to authenticate.
    • Azure AD validates the credentials against the user directory and grants access if the credentials are correct.

  2. Multi-Factor Authentication (MFA):

    • MFA adds an extra layer of security by requiring users to provide additional verification factors.
    • Azure AD supports various MFA options, including SMS codes, phone calls, mobile app notifications, and hardware tokens.
    • Users must provide the second factor, along with their username and password, to complete the authentication process.

  3. Federated Authentication:

    • Azure AD enables organizations to federate their identity systems with Azure AD, allowing users to authenticate using their existing credentials.
    • This method leverages industry-standard protocols like Security Assertion Markup Language (SAML) or OpenID Connect (OIDC) to establish trust between Azure AD and the identity provider.
    • Users can authenticate through their organization’s identity provider, and Azure AD acts as the broker between the application and the identity provider.

  4. Social Identity Providers:

    • Azure AD supports authentication with popular social identity providers such as Microsoft accounts, Google, Facebook, and Twitter.
    • Users can log in to applications using their social media credentials, simplifying the authentication process and improving user convenience.

  5. Certificate-based Authentication:

    • Azure AD allows the use of client certificates for authentication.
    • Applications can present a client certificate during the authentication process, and Azure AD validates the certificate to establish trust and grant access.

  6. Windows Hello for Business:

    • Windows Hello for Business is a biometric authentication method supported by Azure AD.
    • It allows users to authenticate using their fingerprints, facial recognition, or PINs on devices that support Windows Hello.
    • This method provides a convenient and secure way to authenticate without relying on traditional passwords.
Next Post Previous Post
No Comment
Add Comment
comment url