Chapter Five

Security & Identity

Eight services that together form an Azure tenant's security posture, with Microsoft Entra ID at the center. On Azure, identity is the primary perimeter: the typical intrusion begins with a stolen credential, a sign-in that no policy forced through MFA, or an over-privileged identity, not with a breached network boundary.


Core Terminology

Azure security centers on Entra ID and a layered defense model. These terms recur across the chapter.

Tenant
An instance of Microsoft Entra ID — the directory of users, groups, and app registrations that backs an organization's identities.
RBAC
Role-based access control: permissions granted by assigning a role (Owner, Contributor, Reader, or a custom role) to a principal at a scope. Scopes nest from management group to subscription to resource group to a single resource, and an assignment is inherited by everything beneath its scope, so assign at the narrowest scope the task allows.
Conditional Access
Entra ID policies that gate sign-in on signals (user, device, location, risk), requiring MFA or a compliant device, or blocking access, when conditions are not met. When several policies apply to one sign-in, all of their controls must be satisfied, and any block policy takes precedence.
Managed Identity
An Entra identity that Azure creates and maintains for a workload, so the code never holds a credential. A system-assigned identity is created with one resource and deleted with it; a user-assigned identity is a standalone resource that can be attached to several workloads and outlives any of them.
Service Principal
The identity an application uses to authenticate to Entra ID: the non-human account behind app registrations and automation. A managed identity is a service principal whose credential Azure holds and rotates for you.
Key Vault
A managed store for secrets, keys, and certificates. Access is governed either by Azure RBAC or by vault access policies (RBAC is the recommended model), and every operation is written to the vault's audit log once a diagnostic setting forwards it to Log Analytics or storage.
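As an added example (not code from the page), the following Python models how Azure RBAC resolves a role assignment across the scope hierarchy described above: the scope-ID formats and the shape of the built-in roles are Azure's, while the subscriptions, management groups, principals and resources are constructed sample data, and the matching logic is a simplified model, not the Azure Resource Manager implementation.

```python
"""Added example (not code from the page): a model of how Azure RBAC resolves a
role assignment across the scope hierarchy.  Scope-ID formats and the shape of
the built-in roles are Azure's; the subscriptions, management groups, principals
and resources are constructed sample data."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

MG = "/providers/Microsoft.Management/managementGroups/{}"

# Constructed hierarchy: Contoso -> {Production, Development} -> subscriptions.
# A management-group scope is not a string prefix of the subscription IDs beneath
# it, so membership has to be looked up rather than inferred from the ID.
SUB_TO_MG = {"/subscriptions/1111-prod": MG.format("Production"),
             "/subscriptions/2222-dev": MG.format("Development")}
MG_PARENT = {MG.format("Production"): MG.format("Contoso"),
             MG.format("Development"): MG.format("Contoso")}

# Built-in roles reduced to their core shape (Actions, NotActions).  Contributor
# is "everything except managing access", expressed as NotActions.
ROLES = {
    "Owner": ({"*"}, set()),
    "Contributor": ({"*"}, {"Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/elevateAccess/Action"}),
    "Reader": ({"*/read"}, set()),
}

@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str  # resource, resource group, subscription or management group ID

def ancestor_scopes(resource_id: str) -> list:
    """Scope chain from the resource itself up to the root management group
    (lower-cased, because Azure compares scopes case-insensitively)."""
    rid = resource_id.lower()
    parts = rid.strip("/").split("/")
    if parts[0] != "subscriptions":
        raise ValueError("expected a subscription-rooted resource ID")
    chain = [rid]
    sub = "/" + "/".join(parts[:2])
    if len(parts) >= 4 and parts[2] == "resourcegroups":
        rg = "/" + "/".join(parts[:4])
        if rg != rid:
            chain.append(rg)
    if sub != rid:
        chain.append(sub)
    mg = SUB_TO_MG.get(sub)
    while mg:
        chain.append(mg.lower())
        mg = MG_PARENT.get(mg)
    return chain

def _matches(patterns, action: str) -> bool:
    # Action matching is case-insensitive and '*' spans '/' segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_authorized(principal: str, action: str, resource_id: str, assignments) -> bool:
    """True if some assignment at the resource's scope or above grants `action`.
    NotActions only subtract from the role definition that declares them."""
    chain = ancestor_scopes(resource_id)
    for a in assignments:
        if a.principal != principal or a.scope.lower() not in chain:
            continue
        actions, not_actions = ROLES[a.role]
        if _matches(actions, action) and not _matches(not_actions, action):
            return True
    return False

# Constructed assignments: Reader at the root, Contributor on one resource group,
# Owner on the dev subscription.
ASSIGNMENTS = [
    Assignment("alice", "Reader", MG.format("Contoso")),
    Assignment("bob", "Contributor", "/subscriptions/1111-prod/resourceGroups/rg-web"),
    Assignment("carol", "Owner", "/subscriptions/2222-dev"),
]
VM_WEB = "/subscriptions/1111-prod/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm1"
VM_DB = "/subscriptions/1111-prod/resourceGroups/rg-db/providers/Microsoft.Compute/virtualMachines/sql1"

if __name__ == "__main__":
    for who, act, res in [("alice", "Microsoft.Compute/virtualMachines/read", VM_WEB),
                          ("bob", "Microsoft.Compute/virtualMachines/write", VM_DB),
                          ("bob", "Microsoft.Authorization/roleAssignments/write", VM_WEB)]:
        print(who, act, "->", is_authorized(who, act, res, ASSIGNMENTS))
```

Two behaviours worth noticing: Reader granted at the root management group reaches every VM in every subscription beneath it, which is why a "harmless" read role at the top of the hierarchy is a large grant; and Contributor on a resource group can change every resource in it but cannot create role assignments there, because the built-in role's NotActions carve out Microsoft.Authorization writes.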
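As a second added example (again not from the page), the following Python applies the Conditional Access combination rules to one sign-in: an exclusion overrides any inclusion, every applicable policy's grant controls must be satisfied, and a block policy wins over everything else. The Policy and SignIn types are a simplified model rather than the Entra API, and the policies, accounts, groups, apps and named locations are constructed sample data.

```python
"""Added example (not from the page): Conditional Access evaluation rules
applied to one sign-in.  Policy shapes are simplified; accounts, groups,
apps and named locations below are constructed sample data."""
from dataclasses import dataclass, field

RISK = ["none", "low", "medium", "high"]
BREAK_GLASS = {"breakglass@contoso.example"}   # emergency account, excluded everywhere

@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    app: str
    location: str          # named location the request came from
    device_compliant: bool
    mfa_completed: bool    # strong-auth claim already present in the session
    risk: str              # sign-in risk level reported by Identity Protection

@dataclass
class Policy:
    name: str
    include_groups: set = field(default_factory=lambda: {"All"})
    exclude_users: set = field(default_factory=set)
    apps: set = field(default_factory=lambda: {"All"})
    skip_locations: set = field(default_factory=set)  # trusted locations the policy ignores
    min_risk: str = "none"                            # applies at or above this risk
    controls: set = field(default_factory=set)        # "mfa", "compliantDevice"
    block: bool = False

def applies(p: Policy, s: SignIn) -> bool:
    """Assignment rules: an exclusion beats any inclusion; every condition must match."""
    if s.user in p.exclude_users:
        return False
    if "All" not in p.include_groups and not (p.include_groups & s.groups):
        return False
    if "All" not in p.apps and s.app not in p.apps:
        return False
    if s.location in p.skip_locations:
        return False
    return RISK.index(s.risk) >= RISK.index(p.min_risk)

def evaluate(policies: list, s: SignIn) -> dict:
    """Combine every applicable policy: a block wins outright; otherwise the union
    of their grant controls must all be satisfied before the sign-in succeeds."""
    applicable = [p for p in policies if applies(p, s)]
    names = [p.name for p in applicable]
    if any(p.block for p in applicable):
        return {"decision": "block", "outstanding": [], "policies": names}
    required = set().union(*(p.controls for p in applicable))
    satisfied = set()
    if s.mfa_completed:
        satisfied.add("mfa")
    if s.device_compliant:
        satisfied.add("compliantDevice")
    outstanding = sorted(required - satisfied)
    return {"decision": "allow" if not outstanding else "challenge",
            "outstanding": outstanding, "policies": names}

# Constructed tenant policy set
POLICIES = [
    Policy("Require MFA for all users", exclude_users=BREAK_GLASS, controls={"mfa"}),
    Policy("Admins: compliant device for Azure management", exclude_users=BREAK_GLASS,
           include_groups={"cloud-admins"}, apps={"Azure Management"},
           controls={"compliantDevice"}),
    Policy("Block high-risk sign-ins", exclude_users=BREAK_GLASS, min_risk="high", block=True),
]

if __name__ == "__main__":
    s = SignIn("dana@contoso.example", frozenset({"staff"}), "Outlook", "home",
               device_compliant=False, mfa_completed=False, risk="none")
    print(evaluate(POLICIES, s))
```

The break-glass exclusion is deliberate and mirrors Microsoft's own guidance to exclude emergency accounts from every policy, including the risk-based block; the price is that those accounts need compensating controls (long random passwords, alerting on any use) because no Conditional Access policy will stop them.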

Services in This Chapter

Service 32
Microsoft Entra ID
The cloud identity and access service behind every Azure sign-in (formerly Azure AD). Users, groups, app registrations, MFA, and Conditional Access.
Identity
Service 33
Entra External ID
Customer and partner identity — sign-up, sign-in, and federation for external users (the successor to Azure AD B2C). Keeps customer identities out of your corporate tenant.
Identity
Service 34
Azure Key Vault
Managed storage for secrets, encryption keys, and certificates, with the option of HSM-protected keys and per-operation audit logging (turn on a diagnostic setting so the log is retained). The place application secrets belong.
Secrets
Service 35
Managed Identities
Entra identities Azure manages for your workloads, so they authenticate to other services with no secrets to store, rotate, or leak.
Identity
Service 36
Web Application Firewall
Managed rule sets based on the OWASP Core Rule Set, plus bot protection, attached to Application Gateway or Front Door. Filters malicious HTTP (injection, cross-site scripting, protocol anomalies) before it reaches the app.
Security, WAF
Service 37
DDoS Protection
Always-on detection and mitigation of volumetric and protocol attacks against public IPs. Basic infrastructure-level protection covers every Azure endpoint at no cost; the Network Protection tier adds mitigation policies tuned to your own traffic, attack telemetry, and logging.
Security
Service 38
Microsoft Defender for Cloud
Cloud security posture management and workload protection — misconfiguration findings, a secure score, and threat detection across Azure and hybrid resources.
Security
Service 39
Microsoft Sentinel
A cloud-native SIEM and SOAR built on Log Analytics. Collects signals across the estate, hunts for threats with KQL, and automates response.
Security, SIEM