Cloud Identity
Cloud identity is the simplest identity model. It’s the same form of identity you typically use when you sign up for other consumer cloud services or access retail and personal banking sites.
Microsoft Entra ID (formerly Azure Active Directory, generally shortened to Azure AD or AAD), the cloud-based directory service equivalent of on-premises Active Directory Domain Services, is the foundation of security in the Microsoft 365 ecosystem. With regard to Microsoft 365 and cloud identity, the identity is stored and completely managed inside Entra ID and Microsoft 365. You can manage this identity through the Microsoft 365 admin center (https://admin.microsoft.com), the Azure portal (https://aad.portal.azure.com), or by scripting with PowerShell or Microsoft Graph.
When a user authenticates to the service, the user is providing an identity that has been created in the service. This user identity is separate from any other identity they may have (such as the username and password they use to log in to their computer or other services).
Unlike on-premises Active Directory, which is organized in a hierarchy, Entra ID is flat. Delegation and policy application for users and objects is relational—that is to say, it is assigned via a combination of group memberships and administrative roles as opposed to inheriting rights, roles, or permissions based on being placed in a certain organizational unit container.
Hybrid Identity
Hybrid identity (or synchronized identity) refers to the integration of an on-premises identity provider (IdP) with a cloud IdP. Changes made in one environment (typically, the on-premises environment) are synchronized with and made available in the cloud environment.
To use a hybrid or synchronized identity in your Microsoft 365 deployment, you install and configure a directory synchronization service that copies your identity data from an on-premises directory to Azure AD. Microsoft provides a free software appliance, Azure AD Connect (AAD Connect), that performs this function.
There are also third-party vendors that provide similar solutions, though they are outside the scope of the MS-900 exam and may not support all the identity provisioning and protection features of the Microsoft 365 platform.
The concept of synchronized identity has three core sub-configuration concepts:
- Synchronized identity with cloud authentication
- Synchronized identity with pass-through authentication
- Federated identity
All these configurations include the optional ability to synchronize user password data.
Linking On-Premises and Cloud Identities
Objects synchronized with Azure AD are linked to their on-premises account by way of a property called ImmutableID. The ImmutableID value in Azure AD is a base64 conversion of the object’s on-premises Active Directory objectGuid value. You can obtain the ImmutableID value for any on-premises directory object with the following PowerShell command, where sAMAccountName is the pre-Windows-2000 account name of the identity whose ImmutableID value you wish to compute:
$ImmutableID = [system.convert]::ToBase64String((Get-AdUser sAMAccountName).objectGuid.ToByteArray())
Let’s say you have a user object whose GUID value is c0587102-28af-4546-983b-cd9f59fcc4d2. After running that value through the conversion, the resulting value to be stored in $ImmutableID is the base64 string value AnFYwK8oRkWYO82fWfzE0g==.
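The subtle part of this conversion is byte order: .NET's Guid.ToByteArray() (which the PowerShell command above calls) writes the first three GUID fields little-endian and the last two big-endian, so encoding the GUID in the order it is printed gives a different, wrong ImmutableID. The following Python is an added example, not code from the book or from Microsoft, that reproduces the conversion, reverses it, and checks that a synchronized object's ImmutableID really points at the expected on-premises objectGuid (a useful sanity check when auditing hybrid accounts). The function names are this example's own; the sample GUID is the one quoted in the text.

```python
import base64
import uuid

# Sample value taken from the text above; the expected ImmutableID is constructed
# here so the example runs offline without an Active Directory connection.
SAMPLE_OBJECT_GUID = "c0587102-28af-4546-983b-cd9f59fcc4d2"
SAMPLE_IMMUTABLE_ID = "AnFYwK8oRkWYO82fWfzE0g=="


def immutable_id_from_guid(object_guid: str) -> str:
    """Compute the Azure AD ImmutableID for an on-premises objectGuid.

    uuid.UUID(...).bytes_le reproduces the mixed-endian layout that .NET's
    Guid.ToByteArray() produces, which is what the PowerShell one-liner encodes.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse the conversion so a cloud ImmutableID can be traced back to its GUID."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID must decode to exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def naive_immutable_id(object_guid: str) -> str:
    """Encode the GUID in its printed (big-endian) order.

    Included only to show that ignoring the .NET byte order yields a value that
    will never match the ImmutableID Azure AD Connect writes.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes).decode("ascii")


def immutable_id_matches(object_guid: str, immutable_id: str) -> bool:
    """Return True when the cloud object's ImmutableID links to the given on-prem GUID.

    Malformed or non-16-byte values are treated as a mismatch rather than an error,
    so the check can be run over a whole export without aborting.
    """
    try:
        return guid_from_immutable_id(immutable_id) == str(uuid.UUID(object_guid))
    except ValueError:
        return False


if __name__ == "__main__":
    computed = immutable_id_from_guid(SAMPLE_OBJECT_GUID)
    print("ImmutableID:", computed)
    print("Round trip :", guid_from_immutable_id(computed))
    print("Naive order:", naive_immutable_id(SAMPLE_OBJECT_GUID), "(does not match)")
    print("Linked OK  :", immutable_id_matches(SAMPLE_OBJECT_GUID, SAMPLE_IMMUTABLE_ID))
```

Running the script prints AnFYwK8oRkWYO82fWfzE0g== for the sample GUID, matching the value in the text, and shows that the big-endian encoding of the same GUID does not. In practice you would feed immutable_id_matches the objectGuid exported from on-premises AD and the ImmutableID read from Azure AD for the same user.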
To get a better understanding of what each identity model does, let’s dig into them deeper.