Azure Active Directory Data Security Considerations ~ via Microsoft

Azure Active Directory (AD) is composed of the following high-level components:

Directory Data: The data stored for your directory system. The directory data is created from the identity and access data your organization provides to populate the service. It includes the following entities and their attributes: users, groups and group memberships, devices, applications, and roles. Directory Data also includes the metadata needed to represent the relationships between these objects; some of it is provided by the customer and some is created by Azure AD services in response to user actions such as registering applications or joining devices.

Core Store: The complete set of an organization’s Directory Data, stored in a logical container (a "tenant") in a specific scale unit of the Azure AD distributed data store. Azure AD storage is divided into scale units, and each scale unit holds multiple tenants. The Azure AD core store also provides the directory data access interfaces used by other services.

Authentication Services: Processes user input, validates credentials, and implements the authentication flows, endpoints, and security tokens required by the different industry standards supported by the system. The industry standards define the format and exchange patterns for issuing, renewing, canceling, and validating security tokens provided by the authentication services as a security token service (STS).
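The checks a relying party performs before trusting a security token issued by an STS such as Azure AD, as an added example that is not part of the Microsoft document. Real Azure AD tokens are RS256-signed JWTs verified against the public keys published at the tenant's JWKS endpoint; to stay offline, this example mints a constructed HS256 token with a shared demo key and validates it the same way a relying party would validate issuer, audience, tenant, signature and validity window. The issuer URL, audience, tenant id and key are placeholder values, not real identifiers.

```python
"""
Added example (not from the Microsoft document): relying-party validation of an
STS-issued security token. All identifiers below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

# Placeholder values a relying party would configure from its app registration.
EXPECTED_ISSUER = "https://login.example.invalid/00000000-0000-0000-0000-000000000000/v2.0"
EXPECTED_AUDIENCE = "api://example-relying-party"
EXPECTED_TENANT = "00000000-0000-0000-0000-000000000000"
# Constructed demo key; a real STS signs with an asymmetric key (RS256), not HMAC.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY, alg: str = "HS256") -> str:
    """Stand-in for the STS: build a compact JWT from a claims dict."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError.

    Order matters: the signature is checked before any claim is trusted, and the
    algorithm is pinned so an 'alg: none' header is rejected outright.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("audience mismatch")
    if claims.get("tid") != EXPECTED_TENANT:
        raise ValueError("tenant mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or missing exp")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


def verdict(token: str, now=None) -> str:
    """Convenience wrapper: 'ok' or the reason the token was rejected."""
    try:
        validate_token(token, now=now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    good = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                       "tid": EXPECTED_TENANT, "sub": "user1",
                       "nbf": 1000, "exp": 2000})
    print(verdict(good, now=1500))   # ok
    print(verdict(good, now=2500))   # token expired or missing exp
```

The audience and tenant checks are the ones most often skipped in practice: a token that is validly signed by the STS but issued for a different application or tenant must still be rejected, otherwise any application trusted by the same issuer can replay its tokens against this one.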

Identity Security and Protection Services: Provides identity-driven protection to users when interacting with the system such as Azure Multi-factor Authentication (MFA), Azure AD Identity Protection, and Conditional Access.

Identity and Access Management (IAM) Services: Provides advanced identity management features such as self-service password reset, self-service group management, dynamic group membership, automated app assignment, provisioning for third-party services, management interfaces, and reporting capabilities.

Azure AD Services: Provides customers the infrastructure necessary to integrate existing on-premises infrastructure to Azure AD.

  • Azure AD Connect provides synchronization of on-premises directory users to the cloud.

  • Azure AD Connect Health provides monitoring and analytics for synchronization, federation, and domain services.

  • Azure AD Application Proxy enables secure publishing of on-premises web applications for remote access.

  • Azure AD Domain Services provides managed domain services, such as domain join, group policy, LDAP, Kerberos, and NTLM authentication. These services are fully compatible with Windows Server Active Directory.

Azure AD Identity Governance: Provides customers governance capabilities such as Azure AD Privileged Identity Management (PIM) just-in-time (JIT) access to privileged roles, access certification, attestation campaigns, alerting, and reporting.

Azure AD External Identities: Provides authentication services for external identities, such as users in partner organizations or consumers.


Microsoft, June 2020. Internet link to document.