Get started with identity architecture design

Identity and access management (IAM) is a foundational element of cloud architecture. In on-premises systems, internal networks establish security boundaries. In cloud environments, perimeter networks and firewalls alone aren't sufficient for managing access to apps and data. Instead, public cloud systems rely on identity solutions for boundary security.

An identity solution controls access to an organization's apps and data. Users, devices, and applications have identities. IAM components support the authentication and authorization of these identities. Authentication controls who or what uses an account. Authorization controls what a user can do in applications.

Azure services for identity

Azure provides a range of services for identity:

Architecture

Diagram of a hybrid cloud identity architecture that uses Microsoft Entra ID.

Download a Visio file of this architecture.

The previous diagram demonstrates a typical basic or baseline identity implementation. For real-world solutions that you can build in Azure, see Identity architectures.

Explore identity guides, architectures, and solution ideas

The articles in this section include guides and fully developed architectures that you can deploy in Azure and expand to production-grade solutions. Solution ideas demonstrate implementation patterns and possibilities to consider as you plan your identity proof-of-concept (POC) development. These articles can help you decide how to use identity technologies in Azure.

Identity guides

Technology choices. The following articles help you evaluate and select the best identity technologies for your workload requirements:

Multitenant identity

Identity architectures

The following production-ready architectures demonstrate end-to-end identity solutions that you can deploy and customize.

Hybrid identity

Cross-cloud identity

Identity solution ideas

The following identity solution ideas demonstrate implementation patterns and possibilities to explore:

Organizational readiness

Organizations at the beginning of the cloud adoption process can use the Cloud Adoption Framework for Azure to access proven guidance that accelerates cloud adoption.

  • Identity and access management design area: Evaluate options for your identity and access foundation, including authentication, authorization, separation of duties, and hybrid identity synchronization with Microsoft Entra ID.

  • Azure billing offers and Microsoft Entra tenants: Understand how billing offers associate with Microsoft Entra tenants and how subscriptions relate to tenant structures.

  • Resource organization: Establish consistent patterns for naming, tagging, subscription design, and management group hierarchy to organize identity and other resources deployed to the cloud.

To help ensure the quality of your identity solution on Azure, follow the guidance in the Azure Well-Architected Framework. The Well-Architected Framework provides prescriptive guidance for organizations that seek architectural excellence and describes how to design, provision, and monitor cost-optimized Azure solutions. For identity-specific guidance, see Architecture strategies for identity and access management, which covers authentication, authorization, conditional access, and identity lifecycle management across all five Well-Architected Framework pillars.

Best practices

Follow these best practices to improve the security, reliability, performance, and operational quality of your identity workloads on Azure.

Stay current with identity

Azure identity services evolve to address modern data challenges. Stay informed about the latest updates and features.

To stay current with key identity services, see the following articles:

  • Microsoft Entra releases and announcements: Stay current with recent developments across the Microsoft Entra product family, including new features, plan-for-change announcements, and deprecations.

  • Azure updates: A roadmap showing new key features, updates, and announcements for Azure identity services.

Other resources

The following resources can help you discover more about Azure identity services.

Microsoft Entra ID in educational environments

These resources provide guidance for designing and deploying Microsoft Entra ID in educational institutions. They cover tenant architecture, identity governance, and credential management for students and faculty.

  • Introduction to Microsoft Entra tenants: Learn about Microsoft Entra tenants in educational environments, including tenant creation, identity security boundaries, directory objects, and administration.

  • Design a multitenant architecture for large institutions: Design principles and guidance for educational organizations that have more than 1 million users and need a multitenant Microsoft Entra architecture.

  • Design tenant configuration: Configure security and access policies across Microsoft Entra tenants, including external identities, Conditional Access, device management, and self-service options.

  • Design authentication and credential strategies: Authentication methods and credential management for educational organizations, including passwordless authentication, SSPR, and MFA for students and faculty.

  • Design an account strategy: Plan cloud-only and hybrid account creation strategies for large educational institutions, including provisioning with Microsoft Entra Connect and School Data Sync.

  • Design identity governance: Identity lifecycle management, entitlement management, access reviews, and Privileged Identity Management for educational organizations.

  • Microsoft Education Solution Guide: Deployment guidance for Microsoft 365 Education. It covers tenant setup, identity, applications, security, and device management across A1, A3, and A5 license tiers.

Amazon Web Services (AWS) or Google Cloud professionals

To help you get started quickly, the following articles compare Azure identity options to other cloud services and provide migration guidance:

Service comparison

Migration guidance

If you're migrating from another cloud platform, see the following articles: