Azure Identity Platform Architecture
- Microsoft Entra ID: The cloud-native identity provider for Azure (formerly Azure Active Directory). Manages user and device identities, enforces MFA, applies Conditional Access policies, provides SSO to SaaS applications, and integrates with on-premises Active Directory via hybrid identity.
- Azure RBAC: Role-Based Access Control for Azure resources (VMs, storage, databases). Scopes flow from management group → subscription → resource group → resource. Built-in roles include Owner, Contributor, Reader. The principle of least privilege requires granting the minimum permissions at the narrowest scope.
- Managed Identity: An Azure-managed service principal (no password) used by Azure services to authenticate to other Azure services. System-assigned identities are tied to one resource's lifetime; user-assigned identities can be shared across multiple resources. Eliminates credential management in application code.
- Conditional Access: A risk-based policy engine (requires Entra ID Premium P1) that evaluates user, device, location, and application context to block access or require MFA. Conditional Access is the policy engine; MFA is one of the controls it can enforce.
- Azure Key Vault: A managed service for storing and accessing secrets (passwords, API keys, connection strings), certificates (TLS/SSL), and cryptographic keys. Supports Managed HSM for FIPS 140-3 Level 3 compliance. Soft-delete and purge protection prevent accidental or malicious deletion.
Authentication Methods Comparison
| Method | Security | Use Case |
|---|---|---|
| Username / Password | Low | Legacy, avoid for new designs |
| MFA (SMS, Authenticator) | Medium-High | Standard user authentication |
| Passwordless (FIDO2, Windows Hello) | Highest | Modern workforce, phishing resistance |
| Managed Identity | Highest | Azure service-to-service auth |
| Service Principal | Medium | Non-Azure services, CI/CD pipelines |
Identity Scenarios
Cloud-Only (Entra ID)
- No on-premises AD; all identities native to Entra ID
- Fastest to implement; no sync complexity
Hybrid Identity (AD + Entra ID via Azure AD Connect)
- On-premises AD synced to Entra ID
- Supports password hash sync, pass-through auth, or federation (ADFS)
- Users sign in with corporate credentials across on-premises and Azure
Legacy App Access (Entra Application Proxy)
- Expose on-premises apps securely without VPN
- Conditional Access applies to proxied apps
- Eliminates need for VPN for remote users
Authorization Design Patterns
Azure RBAC vs. Entra ID Roles
| Dimension | Azure RBAC | Entra ID Roles |
|---|---|---|
| Controls | Azure resource access (VMs, storage, SQL) | Tenant administration (users, groups, security) |
| Examples | Owner, Contributor, Reader | Global Admin, User Admin, Password Admin |
| Scope | MG → Subscription → RG → Resource | Tenant-wide |
| Assignable to | Users, groups, service principals, managed identities | Users, groups |
Critical Design Rule: "Owner" in Azure RBAC does NOT grant Global Admin in Entra ID. They are independent control planes.
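To make the scope chain and its inheritance concrete, here is an added example (not code from this page or from Microsoft) that models RBAC scope inheritance and finds the narrowest scope that still covers a set of resources; the subscription, resource group, resource IDs and the subscription-to-management-group map are constructed sample data.

```python
"""Azure RBAC scope inheritance, an added illustration (not from this page).
A role assigned at any ancestor scope (MG -> subscription -> RG -> resource)
cascades down, so assign at the narrowest scope covering the real workload."""
from typing import Dict, List, Set, Tuple

# Constructed sample hierarchy (assumption). Management-group IDs are not string
# prefixes of subscription IDs, so the subscription -> management group map is explicit.
SUB_TO_MG: Dict[str, str] = {
    "/subscriptions/1111-aaaa": "/providers/microsoft.management/managementgroups/corp",
}
Assignment = Tuple[str, str, str]  # (principal object ID, role name, scope)

def scope_chain(scope: str) -> List[str]:
    """Scope followed by its ancestors, narrowest first (ARM IDs are case-insensitive)."""
    scope = scope.lower()
    chain = [scope]
    parts = scope.split("/")  # ['', 'subscriptions', '<id>', 'resourcegroups', '<rg>', ...]
    if parts[1:2] == ["subscriptions"]:
        sub = "/".join(parts[:3])
        if len(parts) > 5 and parts[3] == "resourcegroups":
            chain.append("/".join(parts[:5]))  # the resource group above a resource
        if sub != scope:
            chain.append(sub)
        if sub in SUB_TO_MG:
            chain.append(SUB_TO_MG[sub])
    return chain

def effective_roles(principal: str, resource: str, assignments: List[Assignment]) -> Set[str]:
    """Roles the principal holds on resource, directly or inherited from an ancestor scope."""
    chain = set(scope_chain(resource))
    return {role for p, role, s in assignments if p == principal and s.lower() in chain}

def narrowest_common_scope(resources: List[str]) -> str:
    """Narrowest scope covering every resource: where a single role assignment belongs."""
    first, *rest = (scope_chain(r) for r in resources)
    for candidate in first:  # narrowest first
        if all(candidate in chain for chain in rest):
            return candidate
    raise ValueError("resources share no scope (different management groups)")

# Constructed sample data (assumption): one managed identity with two assignments.
SUB = "/subscriptions/1111-aaaa"
RG_APP = SUB + "/resourceGroups/rg-app"
VAULT = RG_APP + "/providers/Microsoft.KeyVault/vaults/kv-app"
STORAGE = RG_APP + "/providers/Microsoft.Storage/storageAccounts/stapp"
SQL = SUB + "/resourceGroups/rg-data/providers/Microsoft.Sql/servers/sql-app"
ASSIGNMENTS: List[Assignment] = [
    ("mi-webapp", "Key Vault Secrets User", VAULT),  # narrowest scope: good
    ("mi-webapp", "Contributor", SUB),               # subscription-wide: cascades to every resource
]
```

`effective_roles("mi-webapp", SQL, ASSIGNMENTS)` returns Contributor even though nothing was assigned on the SQL server, which is exactly the cascade the exam trap describes; `narrowest_common_scope([VAULT, STORAGE])` answers with the resource group, not the subscription.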
Managed Identity Architecture
- System-assigned: One identity per resource; auto-deleted when resource is deleted. Use for single-resource scenarios.
- User-assigned: Shared across multiple resources; independent lifecycle. Use when multiple services need the same permissions.
Key Vault Secret Rotation Design
Key Vault stores secrets securely but does NOT automatically rotate them. Rotation requires a separate implementation:
- Create new secret version in Key Vault (Logic App or Azure Function)
- Update the application to reference the latest secret version (or use @latest)
- Revoke the old version after confirming the application has migrated
Secret expiration: Setting an expiration date generates alerts but does NOT block access to the expired secret. Applications continue to function — rotation must be automated separately.
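The following added example (not Azure or Key Vault code) shows the decision logic a scheduled Function or Logic App would run to drive the three rotation steps above, including the caveat that an expired version is still readable while it is enabled; the version metadata is constructed sample data shaped like Key Vault's per-version attributes.

```python
"""Key Vault secret rotation planner, an added illustration (not Azure code).
Key Vault never rotates a secret itself, and an expired version stays readable
while it is enabled; a scheduled Function or Logic App would run this to decide
what the rotation steps must do next. Version metadata below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

@dataclass
class SecretVersion:  # shaped like Key Vault's per-version attributes (assumption)
    version: str
    created: datetime
    expires: Optional[datetime]
    enabled: bool = True

def rotation_plan(versions: List[SecretVersion], now: datetime,
                  lead: timedelta = timedelta(days=14)) -> Dict[str, List[str]]:
    """Actions for one secret: which version to replace, which expired ones are still
    readable, and which older versions to disable once the app has moved to the newest."""
    plan: Dict[str, List[str]] = {"create_new_version": [], "still_readable_expired": [],
                                  "disable_after_migration": []}
    live = sorted((v for v in versions if v.enabled), key=lambda v: v.created, reverse=True)
    if not live:
        return plan
    current, *older = live  # newest enabled version: the one the application should be on
    if current.expires is not None and current.expires <= now + lead:
        plan["create_new_version"].append(current.version)
    # Expiry alone blocks nothing: an enabled version past its date is still retrievable.
    plan["still_readable_expired"] = [v.version for v in live
                                      if v.expires is not None and v.expires <= now]
    plan["disable_after_migration"] = [v.version for v in older]
    return plan

# Constructed sample history for one secret (assumption): v1 expired, v2 current.
UTC = timezone.utc
HISTORY = [
    SecretVersion("v1", datetime(2025, 1, 1, tzinfo=UTC), datetime(2025, 4, 1, tzinfo=UTC)),
    SecretVersion("v2", datetime(2025, 3, 20, tzinfo=UTC), datetime(2025, 6, 20, tzinfo=UTC)),
]
```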
Conditional Access Policy Patterns
| Scenario | Policy Configuration |
|---|---|
| Require MFA from untrusted networks | Users: All · Apps: Sensitive apps · Condition: Named Locations (exclude corporate) · Grant: Require MFA |
| Block legacy authentication | Users: All · Condition: Client apps = Legacy · Grant: Block |
| Compliant device required | Users: All · Condition: Device platforms · Grant: Require compliant device |
| Privileged admin MFA | Users: Global Admin, etc. · Grant: Require MFA + compliant device |
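As an added example (a toy model, not Microsoft's Conditional Access engine), the four patterns in the table encoded as policies evaluated against a sign-in record; the sign-in field names, the corporate named location and the sensitive-app list are assumptions. It shows the two rules practitioners most often get wrong: every matching policy contributes its controls, and a Block from any one policy wins over every grant.

```python
"""Toy Conditional Access evaluator, an added illustration (not Microsoft's engine).
Encodes the four policy patterns in the table above: every matching policy adds
its grant controls, and a Block from any matching policy wins over all grants."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Set, Tuple

CORPORATE_NETWORKS = {"203.0.113.0/24"}               # constructed Named Location (assumption)
SENSITIVE_APPS = {"Azure Portal", "Exchange Online"}  # constructed app list (assumption)
BLOCK = frozenset({"block"})
@dataclass
class SignIn:
    roles: Set[str]           # Entra directory roles held by the user
    app: str
    platform: str             # device platform, e.g. "Windows" or "iOS"
    client_app: str           # "browser", "mobile" or "legacy" (basic auth cannot do MFA)
    network: str              # network the sign-in IP resolved to
    mfa_done: bool = False
    device_compliant: bool = False

@dataclass
class Policy:
    name: str
    matches: Callable[[SignIn], bool]
    grant: FrozenSet[str]     # required controls, or BLOCK

POLICIES: List[Policy] = [
    Policy("Require MFA from untrusted networks", lambda s: s.app in SENSITIVE_APPS and s.network not in CORPORATE_NETWORKS,
           frozenset({"mfa"})),
    Policy("Block legacy authentication", lambda s: s.client_app == "legacy", BLOCK),
    Policy("Compliant device required", lambda s: s.platform in {"Windows", "macOS", "iOS", "Android"},
           frozenset({"compliant_device"})),
    Policy("Privileged admin MFA", lambda s: "Global Administrator" in s.roles,
           frozenset({"mfa", "compliant_device"})),
]

def required_controls(s: SignIn, policies: List[Policy] = POLICIES) -> Tuple[str, Set[str]]:
    """('block', {policy name}) if a matching policy blocks, else ('grant', union of controls)."""
    required: Set[str] = set()
    for p in policies:
        if p.matches(s):
            if p.grant == BLOCK:
                return "block", {p.name}
            required |= p.grant
    return "grant", required

def decide(s: SignIn) -> str:
    """Outcome after subtracting the controls this sign-in already satisfies."""
    verdict, needed = required_controls(s)
    satisfied = {c for c, ok in (("mfa", s.mfa_done), ("compliant_device", s.device_compliant)) if ok}
    missing = sorted(needed - satisfied)
    return "block" if verdict == "block" else ("challenge:" + ",".join(missing) if missing else "allow")
```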
Hands-On: Configure Managed Identity for App Service + Key Vault
Step 1: Enable System-Assigned Managed Identity on App Service
- Open App Service > Settings > Identity
- Toggle System assigned to On
- Click Save — Azure creates the identity in Entra ID
- Copy the Object ID for use in access assignments
Step 2: Grant Key Vault Access to the Identity
- Go to the Key Vault > Access Control (IAM)
- Click Add role assignment
- Select role: Key Vault Secrets User (read-only) or Key Vault Secrets Officer (read/write)
- Select the App Service by name (managed identity is listed)
- Save
Step 3: Create a Secret in Key Vault
- Open Key Vault > Secrets > Generate/Import
- Enter the secret name (e.g., ConnectionString) and value
- Set an optional expiration date
- Save
Step 4: Configure Conditional Access
- Open Entra ID > Security > Conditional Access
- Click New policy and name it (e.g., "Require MFA from untrusted networks")
- Select target users and cloud applications
- Set Conditions > Locations: Exclude named corporate IP ranges
- Set Grant: Require MFA
- Enable policy and test with a non-corporate IP
Step 5: Implement Hybrid Identity (Azure AD Connect)
- Download Azure AD Connect from Microsoft Download Center
- Install on-premises domain controller or identity server
- Run configuration wizard; connect to both on-premises AD and Entra ID
- Select sync scope: Choose specific OUs to synchronize
- Configure password hash sync
- Run initial sync; users appear in Entra ID within 30 minutes
AZ-305 Exam Focus
AZ-305 tests your ability to choose the right identity and authorization mechanism for design scenarios. Common question patterns involve: selecting the correct RBAC scope, choosing between managed identity vs. service principal, and recognizing when Conditional Access vs. MFA alone is the right answer.
Exam Trap
Azure RBAC vs. Entra ID Roles Confusion: These are separate control planes. Azure RBAC controls Azure resource access (VMs, databases, storage). Entra ID roles control tenant administration (user management, security settings). "Owner" in RBAC is not the same as "Global Admin" in Entra ID.
Exam Trap
Key Vault Stores but Doesn't Rotate: Storing a secret in Key Vault does NOT automatically rotate it. Rotation requires a Logic App, Azure Function, or custom automation. Secret expiration alerts but does not block access — applications still retrieve the expired secret until rotation is manually implemented.
Exam Trap
Managed Identities Can't Access Everything: Managed identities work for Azure resources that support Entra ID token authentication. They cannot authenticate to on-premises resources or services that don't support Entra ID. Use service principals for non-Azure resources.
Exam Trap
RBAC Inheritance Is a Double-Edged Sword: Permissions assigned at subscription scope cascade to all child resources. This is correct behavior — but the exam tests whether you assign roles at the narrowest appropriate scope (resource group or resource level) rather than subscription or management group level.
Exam Tip
Managed Identity over Service Principal: Always prefer managed identity for Azure service-to-service authentication. No credential management, no secret rotation, no hardcoded passwords. Only fall back to service principal when managed identity is not supported (e.g., CI/CD external to Azure, non-Azure services).
Must Memorize
Hybrid Identity Sync Options: Password Hash Sync (PHS) = most common, credentials sync to cloud. Pass-through Authentication (PTA) = credentials validated on-premises (no hash in cloud). Federation (ADFS) = redirect to on-premises IdP. Exam scenarios: PHS = simplest and resilient; PTA/Federation = stricter security, more complex.
Review Questions
- Q: What is the key difference between Azure RBAC and Microsoft Entra ID roles?
- Q: When should you use a user-assigned managed identity vs. system-assigned?
- Q: What happens when a secret in Azure Key Vault reaches its expiration date?
- Q: What is Conditional Access and how does it relate to MFA?
- Q: An App Service needs to read secrets from Key Vault without storing credentials in code. What is the recommended approach?
- Q: What is Azure AD Application Proxy used for?