Transcript for:
Understanding Azure IAM and Managed Identities

Hello everyone, my name is Abhishek and welcome back to my channel. Today is episode 12 of the Azure Zero To Hero series, and in this video we are going to explore Azure identity and access management, that is, IAM. This video is going to be very, very interesting because we are going to learn a lot of new things in today's video, such as: what exactly is this identity and access management, what are the concepts in IAM, that is authentication, authorization, what is RBAC, what are roles, what are service principals, managed identities. So it's going to be a lot of learning in today's video, and I'll not leave you with that; towards the end of this video we will also do a demonstration using which you can understand this concept very well. So what we will do in the demo is basically I will show you how to access a file in the blob storage from a virtual machine securely, that's more important. For that we will use a concept called managed identities, so please watch this video till the end.

Now before we start with the concepts for today, let me quickly tell you that the notes for each and every episode will be available in the day-wise folders in this GitHub repository, so if you're looking for notes you can star this repository and get the continuous updates.

Let's start with a real-life example. Let's say there is an office or a private property, and there are two different persons: one is a software engineer, let's say a DevOps engineer, and the second, let's say, is a network or IT engineer. Within this office there are multiple areas, multiple spaces: there is a lobby, there is a cafeteria, and also there is a secure area where you have the data center for your organization, so there are servers and some secure information. Obviously there will be a security guard or there will be an automated system, and what this system does is only genuine people are allowed to enter this private or office property. Let's say there is a person who does not belong to this organization; if this person tries to enter this office property, then either the security guard or the automated system that your office has will block or won't allow this particular person to enter the property.

Now if we talk about the DevOps engineer: if the DevOps engineer shows a valid ID, the DevOps engineer will be allowed to enter this secure property, and the DevOps engineer can access the lobby, the DevOps engineer is authorized to access the cafeteria, but with the same ID card, if the DevOps engineer tries to enter this data center, they will not be allowed to enter. Now if you take the example of this network engineer: the network engineer with a valid ID will be authenticated by this automated security system, and the network engineer is authorized to access the lobby, the network engineer is authorized to access the cafeteria, and also the network engineer is authorized to access the data center. So now we have been talking about two terms: one is authentication, the second one is authorization. So in this example, what we have learned is what authentication is: authentication is about people carrying a valid account, or a valid ID in this case, to just enter the office property, whereas authorization is the important thing, which is verifying if the software engineer is allowed to, or authorized to, access the data center, or the network engineer is authorized to access the cafeteria.

Let's convert this example into the world of cloud, or Microsoft Azure to be specific. Similarly, all these days when we were using Microsoft Azure through the UI or through the CLI, what were we doing? We were basically accessing it using our root user or the administrative user, so we are authenticated and we have access to everything. But that should not be a real-world case, right? A real-world case should look something like this: similarly, even in your organization there will be developers, in your organization there will be QE engineers, there will be DevOps engineers, there will be managers, there will be senior engineers. So you cannot grant the administrative access, just like what we have been doing all of these days, to all of these people. If you do that, then there will not be proper auditing or tracking. What if you give administrative access to everyone, and one of the developers deletes everything on the Microsoft Azure platform, knowingly or unknowingly? This shouldn't happen, so that's why there is a concept called identity and access management, and it works with the same concept that I've explained here: it works on the principle of authentication and authorization, where probably to all of these people you will provide the authentication. Whoever is joining your organization, you might authenticate them to use Microsoft Azure, but there will be a very critical concept called authorization, and using the authorization you will decide, as a DevOps engineer or as a Microsoft admin, that okay, I would only like developers to be authorized to use virtual machine services, or I would like developers to create any resources but not delete particular resources on the Azure platform. Let's say managers: probably you want managers to only read the things, or just look at how many Microsoft Azure resources are created, but you don't want them to create anything or delete anything. So you can do that using authorization.

So in authentication you have users and groups, whereas in authorization you have roles. So what can be the roles? Exactly what we are looking at here, right? So developer can be a role, QE can be a role, DevOps can be a role, manager can be a role. So you can create users, you can create groups, and in the users you can put everyone in your organization; in the grouping you can say okay, 10 people belong to the developer group, or 20 people of the organization belong to the QE group. It doesn't matter if you group them and if you authenticate them, unless you provide them the authorization, just like here, right? Everyone is authenticated to enter this particular property, but the safe area, which is the data center, only the network engineer is allowed. Of course, in this case this person who does not even have a valid ID is not even allowed to enter the property. Similarly, in your case also there can be a new joinee, or there can be a hacker; you will not provide authentication to them unless this new joinee validates or shows you a proper ID that, you know, I want to have access to Microsoft Azure. Hackers or any other people who are trying to access your environment from outside, you will not provide them the access to it.

So we will manage, as DevOps engineers or Microsoft admins, we will take care of this IAM, and using the concept of authentication and authorization we will make sure that okay, anyone in the organization, we will create the users for them, right? Just like all these days we have been using the administrative user; instead of providing the administrative user to all of them, what we will do is, okay, if there are 100 people in the organization we might create 100 users. We will say okay, everybody can access Microsoft Azure, we don't have any problem; as admins we will create users for all of them. And to make it even simpler, what we will do is, out of these 100 people we will try to group these people. We will say okay, 10 of them are developers, we will group them; 20 of them are QE engineers, we will group them; 10 of them are managers. So we will do this for everyone. But when it comes to authorization, we will use a concept in Azure called roles, and using these roles we will say okay, you are a developer, then we have a role called read-only role; you are a QE engineer, okay, we have a role called access-virtual-machines-only role (I'm just giving some examples, these are not the real ones); if you are a manager, we have a role called Don't Do Anything role, just kidding, right? So these are the different roles. We will create them before, or we can create them at any point of time, but as we create the users and groups we will assign these users and groups the roles. So you can correlate the same example.

Now let's try to understand: okay Abhishek, you said that we will implement IAM, identity and access management, using authentication and authorization. This is a short notation: authentication, A, and authorization, you can put it as Au. So you said that okay, using authentication and authorization we will implement IAM on Microsoft Azure, but what is the service that we use for it? For example, if I want to create a virtual machine resource, in Azure there is a service called the VM service, the virtual machine service. If I want to store something on Azure, we have a service called the storage account, and within the storage account we have blob storage, we have file storage, etc., right? If I want to create a resource group, there is a resource group service. So to implement IAM there is a service called Microsoft Entra ID. Previously this was called Microsoft Active Directory, or, you know, it is also called Azure Active Directory, so it was called AD or AAD: AD means Active Directory, AAD means Azure Active Directory. But with the recent name change, Microsoft Active Directory or Azure Active Directory is called Microsoft Entra ID, right? It's not Microsoft Entra, so Microsoft Entra, you know, is something where all of the other services of Microsoft fall into; the one that we are using is Microsoft Entra ID, right? Then there are other things like Microsoft Entra XYZ, Microsoft Entra ABC, but what we are using is Microsoft Entra ID, which was previously called Active Directory or Azure Active Directory.

Now let's take a quick look at the Microsoft portal, sorry, the Azure portal, and try to see how to use this service. It's very, very simple: just go to the console and search for Microsoft Entra, right, Microsoft Entra ID, you got it. And here towards the left side you have users, groups; of course you have things like roles and administrators, you have app registrations, Entra Connect, etc. Don't worry about all of these things, right? We will start with the basics, where we will try to understand what exactly is this users and groups, and once we understand users and groups we will move towards roles and administrators.

Let's click on the users. You will see only one user, because when we created this Microsoft Azure user, all these 11 days we have been only playing with the administrative user. Now let's try to create a new user: create a new user, and let me provide the name. Let me call this user adarsh; let's call the display name also adarsh. Password: do you want to autogenerate the password or do you want to create the password on your own? Let's autogenerate the password; anyways the user will have to change the password later. So we need to copy this, definitely, because if you don't copy this you will have to fetch it the very hard way. Click on review plus create, right, and if you are okay with everything, click on the create button. So now I have copied the user password, so you also have to copy it, because I'm going to log in with this particular user now and show you. If you refresh, so what we have done: we have just created an identity for this particular user. Go to the top right of your screen and say sign in with a different account. Here what we will try to do is click on this button, use another account, and provide the email address. You can also use the incognito window. Click on the next button, enter the password, just paste the password that you have copied before, and sign in to this. The very first thing that you have to do is change the password, so provide the current password that you have copied and provide any password; let me provide something like... try to provide a password of your own. Click on the sign-in button. "Action required: your organization requires additional security information", right? Now let me click on "ask later"; we will have to fill that at a later point of time anyways.

But my intention is to show you that when we create an identity for the user and we don't grant any access to the user, if you go back and look at resource groups now, this user will not be able to see any resource groups. And let's say I want to create a resource group with this user: click on the resource group, now how do you create a resource group? You cannot even create a resource group. Or let's say you go to the virtual machines: this user does not even have permissions to create the virtual machine. Why? Because we have only authenticated the user; we created the identity, we have provided the user authentication, but we did not provide the user any authorization. Now who will create the authorization? The person who has created the account also has to create the authorization. How? Let's again go back, so let's say sign in with a different account, and let's sign in back with our account, with our actual account where we have been doing the administrative things. So now I am back with my administrative user, my default user. The one that I was trying to show you is, if I search for virtual machines now, I'll have an option here, right, I can click on the plus create button. Anyways, let's go back to our Microsoft Entra, which is our admin area to manage the authentication and authorization, so Microsoft Entra ID, and now if we go back to the user that I have created, adarsh, we have to grant the roles to this user. Only when we grant the roles to this user will this user be able to perform some actions. How do I do that? There is this thing called assigned roles. So if you go here right now, it shows that this user does not have any assigned roles, but I can click on add assignments, and all of the things that you see here are the ones that are created by default by Microsoft Azure. So you can either use these default roles, or as a DevOps engineer you can also create some roles for your organization. Let's say the roles here are group administrator, or the roles here are attribute assignment, application developer. What can an application developer do by using the default role? Can create application registrations independent of the "users can register applications" setting. Application administrator can create and manage all aspects of app registrations and enterprise apps.

So if you don't want to do this, let's say okay Abhishek, I don't want to grant any of the default roles; what you can do is again just go back to Microsoft Entra ID, and here you have something called roles and administrators. Click on this, then you can see the information mark here which says "to create custom roles your organization needs Microsoft Entra ID Premium P1 or P2, start with a free trial". Of course you get a 30-day free trial; you can click here and go with the free trial option, you get 30 days free, but it's a very straightforward thing. I don't want to subscribe to this Microsoft Entra ID Premium, so, you know, just assume that just like you have application administrator here, application developer here, similarly you can create new roles called DevOps engineers or developers; that you can do using the custom roles, right?

So now we understood what exactly is authentication, what exactly is authorization, where we understood the concept that is users, roles. Now what is groups? Very simple. If you go back to the users section: as your organization grows, right now I just have one user here, that is adarsh; similarly you might have some thousand users, and let's say out of these thousand users 100 are developers and 200 are QE engineers. So you did not create any groups, but what you did is for all of them you created... like for adarsh you created a user, right, for Abhishek you created a user, for XYZ you created a user, and for each of them you, let's say, granted some roles, that is, for this person you granted the developer role, for this person you granted the developer role; manually you granted all of them developer roles. And then one fine day you got a request that all of these developers, right, all the 100 developers, should have an additional role along with the developer: they should have an additional role called write, okay? So in future they should have developer plus write, which is another role. Now it will be very difficult for you to go to each and every user and add the write role. Similarly if QE wants any new role, then it will be difficult to add that new role to all 200 people. So what is very easy? Just go to the groups section here, and what we will do is we will try to group these users, that is, the 100 developers. Of course you have to create all the users, you have to create the 100 users, but what we will do is we will group all these 100 users, or any new developers that are going to come tomorrow: if 10 developers come to the organization then we will create the users for all 10 of them, but every time we create a new developer, or these 100 developers, we will group them into this developer group, and in future if we want to add any particular role or remove any particular role it will be very simple: we can directly go to the role and we can either add or remove permissions, right? That way what we can do is we can effectively manage; instead of going to 100 users and trying to add permissions or remove permissions, if you combine them as a group we can do it very simply through the groups concept. So this is about authentication, authorization, users, roles and groups.

Now comes a very interesting concept, right? Okay Abhishek, this is about users, but there is another very important aspect, that is, resources trying to access each other. You know, as a DevOps engineer you create virtual machines, and let's say you have also created a blob storage. Now one of the developers comes to you, and this developer sends you a Jira request or something and asks you: Abhishek, I want my virtual machine to access a file from this blob storage, or a blob from the container, whatever you would like to call it. Okay, so the developer comes to you and says that Abhishek, I want to access a file from the container, blob storage. Now how would you do this? This is a resource of Azure. Now till now we discussed the users, groups, but now the requirement is: how would you enable one resource to talk to the other resource? And this is a very common case, right? In future when we are going to learn about CI/CD, when we are going to learn about AKS, that is Kubernetes, you know, you might want your AKS, that is your Kubernetes pods inside your Kubernetes cluster, to access file storage resources, right? Or you want your CI/CD, Azure DevOps, to access the blob storage; probably the CI/CD artifacts and logs you might want to store in the blob storage. Or in future when we learn Terraform, you might want your Terraform state file to be stored in the blob storage. So here one Terraform, sorry, one Azure resource has to talk to another Azure resource. Till now we discussed users, but here we are talking about resources. In simple terms, whether it is users or whether it is resources, we will call all of them identities, but the identities are different here: user is a different identity and resource is a different identity. When a user wants to perform any actions on Microsoft Azure, we have users, groups and roles, whereas when one resource wants to talk to another resource in Microsoft Azure, then we will discuss concepts, that is, service principals and managed identities. So here when we talk about service principals or managed identities, what they do is very simple: just like how a user is assigned a role to authorize them to do some actions on Microsoft Azure, similarly we will assign a particular resource, let's say a virtual machine; to this virtual machine we can either assign a service principal or we can create a managed identity, using which they can access other resources such as blob storage. So here we have roles and here we have managed identities or service principals; that's the only difference. Both of them are identities, but for users we have roles and for virtual machines or any other Microsoft Azure resources we have managed identities or service principals.

Now what is the difference between them, right? Obviously when I say two things, your first question has to be: Abhishek, why are there two things? For users there is only one, role, but for resources why do we have two concepts, one is service principal and the other is managed identities? I'll explain this in a very, very simple way. You know, whether you are using a service principal or whether you are using a managed identity, underlying, Azure is going to create a service principal (ignore my typos and spelling mistakes). So even if you create a managed identity, Azure is going to create a service principal, but the advantage of using a managed identity is, see, when you create a service principal, as an administrator your responsibility would be to rotate, that is, to timely change, the access keys, right? Let's say you create a service principal for a virtual machine; you want this service principal to be rotated and you want to make sure that nobody gets access to this service principal, so as a user you have to maintain some security standards. Just like certificates: when we create an SSL certificate we want the SSL certificate to be rotated in 90 days, 270 days or 360 days according to the compliance of the organization. Similarly, if you create the service principal as a DevOps engineer, you want to maintain this service principal, you want to make sure that it is timely rotated, it is kept in a sensitive way, they are secure enough that nobody gets access to it. But when you are using managed identities, then Azure will take care of it. So if you're using managed identities, Azure will rotate them and Azure will make sure about the security of your service principal. So that's why it's better to use managed identities in most of the cases, and when service principals are required in future, if there is any requirement, I'll definitely talk about that. In today's video let's see how to create this managed identity and how to use this managed identity.

So now we will go towards the demo part, where I will create a virtual machine, I will create a storage account, within it I'll create a container, and within the container I'll create a blob. What is a blob? Anything that you create within the container is a blob. So I'm going to create a file and I want my virtual machine to access this file. We will write a simple shell script; within the virtual machine we will deploy the shell script, and when you execute this shell script it should access the file and it should print the file details. Why this example, Abhishek, why this demo? Because we are going to, as DevOps engineers, use these kinds of examples a lot. Developers might come to us and ask to establish a connection between a pod and file storage, or a virtual machine and the storage account, where my virtual machine wants to write files to the storage account, there are some log files, there is any kind of configuration. Okay, now, so I'm on my Microsoft Azure console. Let's create a resource group, let's start with that. Why am I creating a resource group every day when I'm teaching you some examples? Because towards the end of the video I will delete the resource group, and you can also delete the resource group; just make a habit of it. Create the resource group, let's call it managed identity POC, review plus create, and create. So I have created a resource group called managed identity POC, and within this resource group I'm going to first create a virtual machine, or let's first create a storage account, that's fine. So let's search for storage account, and let's call this storage account... the resource group has to be managed identity POC and the storage account name has to be, let me call this abhishek, or let's give a generic name so that you people can also use that, something different; you cannot use the same storage account name, of course. So let me use something like managed POC storage account. Let's keep it East US, that's totally fine, but just make sure you have your storage account and you also have your virtual machine in the same region, otherwise we have to make some changes. Then let's proceed with advanced; I don't want to modify any of these things, let's keep them, I'm fine with the defaults. So let's click on the proceed button, review plus create. So now my storage account is getting created, and within the storage account I'm going to create a blob within the container. Container is the other word for blob storage, so don't get confused; I explained that during the storage account class as well. Let's wait for the deployment to be done, or meanwhile you can also go ahead and create the virtual machine, anything is fine, you can also do that in parallel, there is no restriction. Okay, deployment is done. Click on go to resource and click on containers, so we will create a container. Let's call this container a test container; you can give any name. Click on create, and within the test container what I will do is, you can upload any file; let me upload an HTML file, but you can upload a text file as well, doesn't matter. I think I have an HTML file handy, so that's the only reason: index.html. And what I'll do in the virtual machine, I'll run some shell script that should print the contents of this HTML file. Click on upload, right, so my index.html is uploaded on the container that is called test container.

Now what I'm going to do is I'll go back and search for virtual machine, because we are going to run a shell script in this video; better create a Linux virtual machine, otherwise you have to write a PowerShell script on your own. Azure virtual machine, and we will go with the defaults; the only thing is I'll just use an Ubuntu virtual machine. Someone has asked me in the last class, in the comment section, can we also create with username and password? Yes, we can definitely create virtual machines with username and password, but the more secure way is to use the SSH keys. Virtual machine name, let's call it managed demo VM, right, so this is managed demo VM, I have just given any random name. Region is East US, trusted launch, let's keep this default; this is a free-service-eligible one. See, just like SSH you can also give a password; let's try, it's very simple. Let's call the user azureuser and you can give any password; so I have given the password as azureuser XYZ, you can give any password. SSH is allowed, perfect. Review plus create; I'm not going to change any other details, and once this virtual machine is created then comes our concept of managed identity. So what we are going to do again: if I have to explain, to the virtual machine we are just going to grant some role, if we understand that in the users concept. So this is the virtual machine, and within the storage account we have a file in the container. So what I'm going to do is, to the virtual machine I'm going to grant a role; in this case this is called managed identity. Apart from managed identity you can do it in multiple other ways, but this is the better way to do it. Create virtual machine, my bad, I should have clicked on create, okay let's do it now. So now my virtual machine is getting created, great. So the virtual machine is also created; go to the resource, and now comes the interesting part.

So just like virtual machine, for most of the things... this is my managed demo VM; if you scroll down you will see the section called identity. Click on this section, and what you need to do to use this concept of managed identity: enable this and click on the save button, save. So now I have enabled system-assigned managed identity. There are two things: one is system-assigned managed identity, the other is user-assigned managed identity. So system-assigned managed identity is automatically created and assigned to this particular system, whereas I can also create a managed identity and I can assign that to multiple Azure resources. Let's restrict our understanding to system-assigned managed identity. So now this is created; as you can see, when you created the managed identity a principal is also created. Either you can copy this or you can also copy this, anything is fine. Now let me go back to the storage account, and what I am going to do in the storage account: I will go to the storage account, and within the storage account I will go to this section called access control, or IAM, and here I'm going to do a very simple thing, that is, click on add role assignment, and within the add role assignment I am going to assign the identity that I have created, right? And I'm literally doing the same thing even for the bank example that I have taken, or previously the users and role assignment that we have done; we were doing the same thing, right? Technically even for the user what we were doing is we are assigning a role to the user, that is, we are assigning an identity a role. Similarly, I have enabled the managed identity, and to the managed identity I'm going to assign the role. So here you can assign any particular role. Now let's say I want to assign the owner, where my virtual machine owns the complete storage, or the containers within the storage account. In future when we do more and more examples we can restrict; always start with a basic example and then you can fine-tune it. You know, even now I can give you an example where instead of owner we can just provide the data reader, right, but just to make sure, for beginners, it is easy to understand, right, so that's why I'm just going with the owner access. Click on next, search for managed identity, and in the managed identity click on the select members button, and here provide virtual machine, and this is my managed demo virtual machine; select, click on the review plus assign button. Adding role assignment. Now I assume everything is done; let's see if something is missing while doing the demo part, we will try to fix it, because most of the times even I do it directly on the Azure portal, because I don't get time to do the demo most of the times, so if there are any issues we will try to fix, that's not a problem, right? So we have created the identity and we have assigned the identity the role, and you can also verify that: if you go back to the virtual machine, again click on the identity section, Azure role assignments, so here you should see the role that is assigned to the virtual machine; see, Storage Blob Data Owner, perfect.

Now let's take a terminal. Let me pull up a terminal very quickly and let me increase the font size, and what we will do here is first connect to the virtual machine. So for that I need the virtual machine IP address; so my virtual machine, I have a public IP address for this virtual machine, copy this: ssh azureuser at the virtual machine's public IP. I did not use the SSH keys so I just have to provide the password that I have created; I hope you remember the password. So, azureuser, I've logged into this virtual machine, perfect. Now if you go to the GitHub repository I have a couple of commands. So the first command, what we will do in today's video is we will try to fetch the access token of the managed identity, right? For that this is the command, where for the managed identity that we have created we will fetch the keys, which are just like the password, or the access token, as you can understand it. It is saying, see what is it saying: you don't have jq. I just created this virtual machine, so let me say sudo apt update just to update the repositories, and I also have to install jq, because in the command I am using something called jq; if you scroll towards the right, so we have been using this jq. Now let's say sudo apt install jq, proceed, perfect, jq is also installed, in 5, 4, 3, 2, 1, perfect. Now let's enter the command back. You can echo this to see if the access token is copied or not; see, this is the access token for the managed identity that we have created. Now I just have one more command where I will try to... right, this is a command where in the command you have to replace, obviously, you have to replace this command with your storage account. Let me show it here: so there are three variables in the command, one is your storage account, one is your container name and one is your blob name. So what is my storage account? So let me copy this, let me copy this entire thing, and here access token, I got the access token and stored it in the variable, that's totally fine. What is my blob name? So blob name is nothing but the file name, so in my case the blob name is index.html. You can also store them in variables. Container name, that is the blob storage name that I have created, which is test, and the storage account name, what is my storage account name? I don't remember, let me go back and see. So search for storage accounts, and okay, this is the storage account; in your case this can be different, so please try to modify. And now let me try to enter and see if there is any issue, we will try to fix, but there is no issue, so this is my HTML file that got printed. So what did we do? In this virtual machine we accessed the storage account and we accessed the file inside the storage account. This is a very useful demonstration. You can also do this in Python, you can also do it in Java, probably take help of ChatGPT or some other source, but shell scripting is a very simple way of doing it. In future if someone asks you, let's say you are a DevOps engineer and someone asks you, you can show them that okay, I've created the managed identity, I have set up the connection between virtual machine and storage, my part is done; just for testing I used this shell script, you can get the shell script from the GitHub resource, I've used the shell script and I verified that it works fine, so my responsibility is done. Now within your application you can write Python code, you can write Node.js; you can tell that to the developer, right? So this is the video and this is the demonstration, I hope you thoroughly enjoyed it. See you all in the next video, take care, bye-bye.
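The two steps the demo ran on the VM, as an added shell example that is not the video's GitHub script: ask the VM's instance metadata service (IMDS) for a token for the storage resource, then read the blob over the Blob REST API with that token as a bearer token. The storage account, container and blob names, the RUN_DEMO switch and the constructed IMDS reply are assumptions; the IMDS address, query parameters and the Metadata header requirement are Azure's documented behaviour.

```shell
#!/bin/sh
# Added example (not the video's script): read one blob from an Azure Linux VM using
# the VM's system-assigned managed identity.
#   Step 1: fetch an access token from IMDS (only reachable from inside the VM).
#   Step 2: GET the blob with "Authorization: Bearer <token>".
# Assumed names: storage account "managedpocstorage", container "test", blob "index.html".

IMDS_TOKEN_ENDPOINT="http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION="2018-02-01"
STORAGE_RESOURCE="https://storage.azure.com/"   # audience the token is issued for
BLOB_API_VERSION="2020-10-02"                    # x-ms-version header for the Blob service

# Build the IMDS token URL. IMDS also requires the "Metadata: true" request header,
# which is a guard against requests forwarded to it by a proxy or redirect.
imds_token_url() {
  printf '%s?api-version=%s&resource=%s' \
    "$IMDS_TOKEN_ENDPOINT" "$IMDS_API_VERSION" "$STORAGE_RESOURCE"
}

# Build the URL of one blob: https://<account>.blob.core.windows.net/<container>/<blob>
blob_url() {
  printf 'https://%s.blob.core.windows.net/%s/%s' "$1" "$2" "$3"
}

# Pull access_token out of the IMDS JSON reply on stdin. Uses sed instead of jq so it
# works on a fresh VM before jq is installed (the demo had to apt install jq first).
extract_access_token() {
  sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Step 1: fetch a token for the storage resource from IMDS.
get_managed_identity_token() {
  curl -sf -H 'Metadata: true' "$(imds_token_url)" | extract_access_token
}

# Step 2: GET the blob with the bearer token; prints the blob body to stdout.
# A read-only call like this needs only the Storage Blob Data Reader role.
read_blob() {
  account="$1"; container="$2"; blob="$3"
  token="$(get_managed_identity_token)"
  if [ -z "$token" ]; then
    echo "no managed identity token (not on an Azure VM, or identity not enabled?)" >&2
    return 1
  fi
  curl -sf \
    -H "Authorization: Bearer $token" \
    -H "x-ms-version: $BLOB_API_VERSION" \
    "$(blob_url "$account" "$container" "$blob")"
}

# Constructed IMDS reply (fake token value) to show what extract_access_token parses.
SAMPLE_IMDS_REPLY='{"access_token":"eyJ0eXAi.FAKE.TOKEN","expires_in":"3599","token_type":"Bearer","resource":"https://storage.azure.com/"}'

parse_sample_reply() {
  printf '%s' "$SAMPLE_IMDS_REPLY" | extract_access_token
}

# The real fetch runs only when asked, so sourcing this file has no side effects:
#   RUN_DEMO=1 sh read_blob.sh
if [ "${RUN_DEMO:-}" = "1" ]; then
  read_blob "${STORAGE_ACCOUNT:-managedpocstorage}" "${CONTAINER:-test}" "${BLOB:-index.html}"
fi
```

Because the script only performs a GET, the Storage Blob Data Reader role mentioned in the video is sufficient; the Owner role the demo grants for simplicity lets the same token write and delete blobs as well.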