Understanding Azure IAM and Managed Identities

Apr 21, 2025

Azure Identity and Access Management (IAM) - Lecture Notes

Introduction

  • Speaker: Abishek
  • Series: Azure 0 to Hero
  • Episode: 12
  • Topic: Azure Identity and Access Management (IAM)
  • Key Concepts:
    • Authentication and Authorization
    • Role-Based Access Control (RBAC)
    • Roles, Service Principal, Managed Identities
    • Demonstration on accessing Azure Blob Storage securely

Concepts in IAM

Authentication vs. Authorization

  • Authentication:
    • Verifying if a person or entity is genuine.
    • Example: A DevOps Engineer showing a valid ID to enter an office.
  • Authorization:
    • Determining what authenticated users are allowed to do.
    • Example: A Network Engineer accessing a data center while a DevOps Engineer cannot.

Azure Identity and Access Management

  • Provides authentication and authorization for Azure resources.
  • Why IAM is important:
    • Prevents unauthorized access and actions within Azure.
    • Ensures security and accountability.

Implementation

Users, Groups, and Roles

  • Users: Individual identities with specific access needs.
  • Groups: Collections of users to simplify management.
  • Roles: Define what actions a user or group can perform.
    • Examples: Developer role, Manager role, etc.

Azure Active Directory

  • Now known as Microsoft Entra ID.
  • Used for implementing IAM in Azure.
    • Previous names: Active Directory (AD), Azure Active Directory (AAD).

Demonstration

Objective

  • Demonstrate secure access to Azure Blob Storage from a Virtual Machine (VM) using Managed Identities.
  • Steps:
    1. Create a Resource Group.
    2. Create a Storage Account and a Blob Container.
    3. Create a Virtual Machine.
    4. Enable Managed Identity for the VM.
    5. Assign roles to the VM to access Blob Storage.
    6. Run a shell script on the VM to access and print a file from Blob Storage.

Detailed Steps

  1. Create a Resource Group
    • Purpose: To organize resources.
  2. Create a Storage Account
    • Set up Blob Storage within the account.
  3. Create a Blob Container
    • Upload a file (e.g., index.html).
  4. Create a Virtual Machine
    • Use a Linux VM for shell scripting.
  5. Enable Managed Identity
    • Assign a system-managed identity to the VM.
  6. Role Assignment
    • Use Access Control (IAM) to assign Blob Storage Owner role to the VM.
  7. Run Shell Script
    • Retrieve access token for managed identity.
    • Access Blob Storage and print file contents.

Key Concepts Explained

Managed Identities

  • System-Assigned Managed Identity: Automatically created and tied to a specific Azure resource.
  • User-Assigned Managed Identity: Created independently and can be used by multiple resources.
  • Service Principal: Underlying identity used by Managed Identities.
    • Managed by Azure, ensuring security and automatic key rotation.

Example Use Cases

  • Allowing Azure DevOps to access Blob Storage for logs and artifacts.
  • Configuring Terraform to store state files in Blob Storage.

Conclusion

  • Demonstrated how IAM principles apply to both users and Azure resources.
  • Managed Identities streamline resource-to-resource communication securely.
  • Useful for scenarios involving secure resource access in Azure.
  • Resources: GitHub repository for notes and scripts.
  • Next Steps: Explore other Azure services and IAM applications.

Full transcript