AZ-305 Authentication and Authorization solutions

April 26, 2025 | 1817 words | 10 min read
certification
azure
AI summarised

AZ-305 Azure Solutions Architect Expert

Azure Recommendations for Authentication and Authorization Solutions

1. Recommend an Authentication Solution

Microsoft Entra ID is the cornerstone for secure authentication in Azure. Key recommendations include:

  • Modern Authentication: Implement passwordless methods (FIDO2, Microsoft Authenticator) and enforce Multi-Factor Authentication (MFA) to reduce credential theft risks [1][2].
  • Service Principals: Use these non-human identities to authenticate applications, scripts, or services without exposing user credentials. Service principals act as local representations of applications in each tenant, enabling secure access to resources [3][4].
    • Key Use Cases:
      • Automating CI/CD pipelines or DevOps workflows [5][4].
      • Cross-tenant access via Azure Lighthouse [3][6].

2. Recommend an Identity Management Solution

Microsoft Entra ID provides centralized identity management:

  • Hybrid Identity: Synchronize on-premises Active Directory with Entra ID using Entra Connect [1][6].
  • Managed Identities: Prefer these over service principals for Azure-native resources (e.g., VMs, App Services) to eliminate credential management. The platform rotates their credentials automatically and ties the identity to the resource lifecycle [4][7][8].
  • Service Principals: Use for non-Azure or external applications (e.g., third-party tools) where managed identities are unavailable. Assign least-privilege RBAC roles to limit access [9][4].

3. Recommend a Solution for Authorizing Access to Azure Resources

Azure RBAC is the standard for authorization, augmented by management groups:

  • Role Assignments: Assign roles (e.g., Contributor, Reader) at the management group level to enforce hierarchical inheritance. Policies and permissions cascade to all child subscriptions and resources [10][8].
    • Example: Assigning Reader at the root management group grants read access across all subscriptions [10].
  • Service Principals: Assign RBAC roles to service principals for automated workflows (e.g., granting Storage Blob Contributor to a DevOps pipeline's service principal) [5][4].
  • Best Practices:
    • Use groups instead of individual users for role assignments.
    • Limit management group hierarchy depth (max 6 levels) for simplicity [10].
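The management-group-scoped role assignment described above, as an added Bicep example that is not part of the original post: it grants a built-in role to an Entra ID security group (following the "groups, not users" practice) so every child subscription inherits it. The group object ID is a placeholder supplied at deploy time; the role definition GUIDs are the tenant-independent built-in IDs for Reader and Contributor.

```bicep
// Added example (not from the original post): assign a built-in role to an
// Entra ID security group at management group scope so that every child
// subscription and resource inherits it. Deploy with:
//   az deployment mg create --management-group-id <mg-id> --location <region> --template-file main.bicep
targetScope = 'managementGroup'

@description('Object ID of the Entra ID security group receiving the role (placeholder value supplied at deploy time).')
param groupObjectId string

@description('Built-in role to assign; Reader by default.')
@allowed([
  'Reader'
  'Contributor'
])
param roleName string = 'Reader'

// Built-in role definition IDs are the same in every tenant.
var builtInRoleIds = {
  Reader: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
  Contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24f'
}

var roleDefinitionId = tenantResourceId('Microsoft.Authorization/roleDefinitions', builtInRoleIds[roleName])

resource mgRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Deterministic name: redeploying updates this assignment instead of creating a duplicate.
  name: guid(managementGroup().id, groupObjectId, roleDefinitionId)
  properties: {
    principalId: groupObjectId
    principalType: 'Group' // groups, not individual users, per the best practice above
    roleDefinitionId: roleDefinitionId
  }
}

output roleAssignmentId string = mgRoleAssignment.id
```

Because the assignment is inherited by every subscription below the management group, review which group receives it and keep it to Reader unless the write permission is genuinely needed everywhere.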

4. Recommend a Solution for Authorizing Access to On-Premises Resources

  • Active Directory: Primary solution for local authorization.
  • Azure Arc-enabled Servers: Extend Azure RBAC to on-premises/multi-cloud servers. Use service principals for secure onboarding and management [11][6].
    • Assign the Azure Connected Machine Onboarding role to service principals for at-scale server registration [11][6].
  • Hybrid Applications: Use Entra ID service principals to authenticate on-premises apps accessing Azure resources (e.g., APIs, storage) [6][12].

5. Recommend a Solution to Manage Secrets, Certificates, and Keys

Azure Key Vault is the centralized solution for secrets management:

  • Access Control: Use Azure RBAC (preferred) or Key Vault access policies. Assign roles at management group scope to inherit permissions across multiple vaults [13][14][8].
  • Service Principals & Managed Identities:
    • Grant managed identities access to Key Vault for Azure resources (e.g., VMs, Functions) to retrieve secrets securely [15][2].
    • Use service principals for external applications requiring certificate/client secret authentication [4][8].
  • Best Practices:
    • Enable logging and monitoring via Azure Monitor for audit trails [15][16].
    • Rotate secrets automatically and enforce least-privilege access [15][16].
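The Key Vault pattern from this section, as an added Bicep example that is not part of the original post: a vault that uses Azure RBAC rather than access policies, a user-assigned managed identity granted only the built-in "Key Vault Secrets User" role on that single vault, and a diagnostic setting that ships the audit log category to Log Analytics. The vault name, identity name and workspace resource ID are placeholders.

```bicep
// Added example (not from the original post): Key Vault governed by Azure RBAC
// (no access policies), read by a user-assigned managed identity holding only the
// "Key Vault Secrets User" role, with audit logs sent to Log Analytics.
// The vault name, identity name and workspace resource ID are placeholders.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param keyVaultName string = 'kv-${uniqueString(resourceGroup().id)}'
@description('Resource ID of an existing Log Analytics workspace (placeholder).')
param logAnalyticsWorkspaceId string

// Built-in "Key Vault Secrets User": read secret values, nothing else.
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'
// Managed identity: no client secret to store or rotate; its lifecycle follows the resource.
resource appIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-app-placeholder'
  location: location
}

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true // Azure RBAC instead of vault access policies
    enableSoftDelete: true
    enablePurgeProtection: true // no early purge of deleted secrets, keys or certificates
  }
}
// Scope the assignment to this one vault, not the resource group or subscription.
resource secretsReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, appIdentity.id, keyVaultSecretsUserRoleId)
  scope: keyVault
  properties: {
    principalId: appIdentity.properties.principalId
    principalType: 'ServicePrincipal' // a managed identity is a service principal
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
  }
}
// Record every data-plane call (which principal read which secret) for audit and detection.
resource auditLogs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'kv-audit'
  scope: keyVault
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [ { categoryGroup: 'audit', enabled: true } ]
  }
}
```

Code running under the identity then obtains secrets with the standard managed-identity token flow and never holds a client secret; adding the identity to a VM, Function or App Service is done on that compute resource, not here.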

Summary Table

Requirement | Azure Recommendation | Key Tools & Concepts
--- | --- | ---
Authentication | Microsoft Entra ID with passwordless/MFA | Service principals for automation [3][4], managed identities [7][8]
Identity Management | Entra ID + Managed Identities | Hybrid identities via Entra Connect [1][6]
Authorization (Azure Resources) | Azure RBAC + Management Groups for hierarchical inheritance [10] | Assign roles at management group level, service principals for automation [5][4]
Authorization (On-Premises) | Active Directory + Azure Arc-enabled servers [11][6] | Service principals for onboarding, Azure RBAC via Arc [6]
Secrets/Certificates/Keys | Azure Key Vault with RBAC [13][14] | Managed identities for secure access, RBAC inheritance via management groups [14][8]

Key References

  • Service Principals: Enable secure application authentication and automation without user credentials [3][4][12].
  • Management Groups: Simplify RBAC and policy enforcement across subscriptions via hierarchical inheritance [10][8].
  • Azure Key Vault: Securely manage secrets with RBAC and automated rotation [13][15][16].

By integrating these solutions, you achieve a secure, scalable, and governance-aligned authentication and authorization framework in Azure.


Summarised with Perplexity.

Footnotes

  1. https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices
  2. https://learn.microsoft.com/en-us/azure/key-vault/general/authentication
  3. https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals
  4. https://www.techtarget.com/searchcloudcomputing/tip/Managed-identity-vs-service-principal-for-Azure-apps
  5. https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principal-managed-identity?view=azure-devops
  6. https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-identity-and-access-management
  7. https://www.atmosera.com/blog/azure-service-principal-vs-managed-identity/
  8. https://docs.azure.cn/en-us/key-vault/general/security-features
  9. https://learn.microsoft.com/en-us/entra/architecture/secure-service-accounts
  10. https://learn.microsoft.com/en-us/azure/governance/management-groups/overview
  11. https://learn.microsoft.com/en-us/azure/azure-arc/servers/security-identity-authorization
  12. https://endjin.com/blog/2019/01/managing-applications-using-azure-ad-service-principals-and-managed-identities?feed=comments-rss2
  13. https://learn.microsoft.com/en-us/azure/key-vault/general/overview
  14. https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration
  15. https://learn.microsoft.com/en-us/azure/security/fundamentals/secrets-best-practices
  16. https://blogs.technicax.com/2025/02/20/best-practices-for-azure-key-vault-security/


© 2025 Andrei Bodea