View Show Notes and Transcript

Episode Description

What We Discuss with David O’Brien:

  • What is Identity & Access Management in Azure?
  • What is IAM from Hybrid vs in Cloud?
  • How does this compare to identity in AWS IAM/Organisations?
  • What kind of Human Users exist in Azure?
  • What kind of Robot Users exist in Azure?
  • How does Identity differ for Third Party in Azure?
  • How does Privilege Access Management work in Azure?
  • What kind of Deployment Types exist in a mature vs new built in Azure?
  • And much more…

THANKS, David O’Brien!

If you enjoyed this session with David O’Brien, let him know by clicking on the link below and sending him a quick shout out at Twitter:

Click here to thank David O’Brien on Twitter!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

Ashish Rajan: [00:00:00] Hello, and welcome to another episode of what’s a coffee with Ashish! Today. We are talking about identity access management in Azure privileged identity access management in Azure. And I have a, one of our local favorites, MVP of Azure David, or Brien here. And I’m going to bring him in. Hey, David How are you?.

David O’Brien: [00:00:20] Morning Ashish!

Ashish Rajan: [00:00:21] . . Thanks for coming in, man.

David O’Brien: [00:00:23] Absolutely. Thanks for having me.

Ashish Rajan: [00:00:25] No problem. I know that it’s a tradition, right? cheers.

David O’Brien: [00:00:28] Cheers

Ashish Rajan: [00:00:31] we’ll be willing to do a no. David has there bit a, a Rick done guest for us and for people who don’t know you, who is able to Ryan.

David O’Brien: [00:00:40] David O’Bryan is, sort of MVP on for seven years now, I think.

and the owner and founder of Xirus, a Australian, cloud consulting company and the founder of Argos a new startup in the cloud security space.

Ashish Rajan: [00:00:58] Ooh, we should definitely get [00:01:00] some of those interesting conversations going about the products that you’re building as well. And, Just taking a pause there for a second, because clearly Azure you’ve mentioned a couple of times.

What is Azure cloud security for you?

David O’Brien: [00:01:15] Cool. a very, very big topic. Yeah.

Ashish Rajan: [00:01:19] Oh, like, what’s your definition of it? When people say cloud security, national, what do you think of it?

David O’Brien: [00:01:24] I think of, A lot of conversations with people and cuts. One of the reasons probably why you asked this question is because everybody understands something it’s.

w when you say security and, it, it starts with the people. And, that’s when we usually also started talking about identity management. and at some point we then get into actually the applications and, the network security and app security. but especially around cloud, it usually [00:02:00] starts around the IAM.

Ashish Rajan: [00:02:02] I think that’s a good topic because you mentioned you also do. I am, by the way. hi, fall deaf, right? You don’t, you’re not late enough menu. You came at the right time. I just wanted to call out that if you guys have any questions, just keep posting them on the comment section, say hello to David, as well as a nice people.

Even though he may be drinking tea right now, him & I are friends with tea and coffee We are nice people in general. So feel free to, he doesn’t even like. Coffee For anyone else we are twinning with our beards, that’s pretty much where it is. You just have to, he just happens to have a shorter beard for the moment. thanks for coming again, Paul and anyone else who wants to, to drop in and chime in, feel free to leave your comments in the chat window on the side.

And Identity & Access Management. What is identity and access management?. , and I know you can go in like, it’s like very broad topic, but to simplify it for people who are coming in, let’s talk about it from a perspective of the whole hybrid and, Azure kind [00:03:00] of perspective as well.

David O’Brien: [00:03:01] Yeah.

It’s so on Azure, IAM, it’s always. Around Azure Active Directory. So you always talk when somebody says IAM. Okay. Always is Azure active directory. That’s that’s what, that’s your domain. That’s your tenant. and that’s sometimes also some terminology that people confuse. It’s the tenant. That’s where your identity lives.

Yep. Is there an active directory? And if you’re coming from a more Microsoft. Background then the on premises, active directory, it’s similar to it, even though underlying technology is very different, but the principles are very similar. your identity lives in that Azure Active directory store and that’s where you control your access to your Azure subscription.

another thing that people sometimes, in the Azure portal, when you sign [00:04:00] up to it, confuses people a bit, I think, cause you sign up to an, Azure subscription. but really what you sign up to as a tenant and underneath that you get your subscription. but the tenant creation is a bit abstracted

away for you.

Ashish Rajan: [00:04:17] Oh, interesting. and I think for people who probably don’t know the tenant definition, what tenants are, we did an episode on this. I think I’ll probably leave the link for it somewhere here, which was Azure one-on-one because it’s Azure two O one, we’re going one level up. And, from that perspective, does it change identity management from a perspective of, if I were to your point, AAD is different to the on prem active directory.

In AAD world, is the identity management still a localized user? Or like, what are you going to say? Like what are the different kinds of things?

Yeah. So, AAD has multiple types of users, [00:05:00] so you can, yeah. You create your local user, your locate, AAD user. That could be a cloud only user. and these identities usually have the, let’s say David O’Brien at, domain name.microsoft.com.

So, these are the cloud local users. And, as an alternative to that, Pretty much every enterprise on this planet, it’s most likely going to go and federate their local domains or their own domains onto Azure active directory. so that you can achieve single sign on with your on premises, David.

The domain name, the UPN, the user principal name into active directory. that’s how you also get your office365, email mailboxes on, so this Azure active directory identity spans a lot of [00:06:00] applications in the Microsoft space. but yeah, you have your local cloud users and your federated users.

All right. Okay. So, and federated by federated users, you mean single sign on? I guess you can have your domain. Okay. And is that I do want to dive deep into this a bit, but I think before we dive deep, it’s probably worthwhile calling out that, of these recommendations that are there for all. You can go federated or you can have other kinds of users.

Is there. A recommendation or a best practice for setting up identity in an Azure land considering it’s different from your on prem active directory and someone who’s listening in, it was probably like an on prem, a version of this, Right. How would they deal with, I guess, how should you, how should they go forward with them?

David O’Brien: [00:06:49] Yeah, look on there. There’s some big differences, even though it looks similar under the name is also similar with active directory. [00:07:00] underneath the authentication, it’s not covered offs. And it’s not ADAP, with which you get on prem, on active directory, it’s all modern authentication. so Sammy, rest cards, it’s fairly, very different, from the underlying tech you can achieve authentication, right?

And edit up, by deploying another Savage, which kind of hooks into AAD. but that, that could be a whole episode on its own.

Ashish Rajan: [00:07:32] Yeah.

David O’Brien: [00:07:33] The identity best practices really come down to the company that we’re talking about. So not every company needs to go and federate. if you, if you, if you’re g-mail user, our G suite company, G suite customer, then you might not have.

Office three 65 and exchange online. Yeah. [00:08:00] So they might not be need for you to federate your local identities into Azure. So local cloud users might be fine, but from, from an identity point of view, there’s then the whore. How do I secure my identities? How do I. On youth, actually human users, robot users versus guest users on cause that’s another type of identity.

you can invite, I could invite your identity, your external identity into my tenant as a guest user, and then give you access to certainly sources in my tenant. For example.

Ashish Rajan: [00:08:42] Wow. Maybe that’s why, that’s why I explained this topic, getting the most on the pole that I ran. Yeah. Just like, so there’s so many layers to it, right?

We’ve only, we haven’t even gone into the Azure land. We’re still like scratching the surface. Next is management. And just [00:09:00] within that point, we’ve kind of spoken about people who can be invited. Into my Azure tenant. And then there are people who are just part of the tenant, but then even within that, there’s almost like a, like self separate pockets of the different kinds of people you can have.

David O’Brien: [00:09:15] I think, you mentioned one very important thing. We’re not at this point talking about dessert.

Ashish Rajan: [00:09:23] Yeah, that’s right. You haven’t even gone into it yet.

David O’Brien: [00:09:26] So it’s called active directory, but, but you need to think of it as a separate thing. The active directory tenant really sits above all of these Microsoft applications of which is it’s one application that you can get access to from your tenant.

Ashish Rajan: [00:09:48] Yeah, and I think you’ve found it. This is the right way because people may. Make the mistake of comparing this to, I am just not exactly the same kind of the [00:10:00] same, but not the same. Isn’t that right?

David O’Brien: [00:10:02] Yeah. So you talking about AWS, right?

Ashish Rajan: [00:10:05] Yes. If you don’t want it every time. Yes.

David O’Brien: [00:10:07] Yeah. AWS, I am lifts inside of the AWS account that you own.

and as well doesn’t necessarily have identities that live in a subscription. you do add back, so it will be access control it. you do do that inside of your subscription as well, but the identity in almost all cases is external to the business.

Ashish Rajan: [00:10:36] Interesting. And, so the easiest fear for anyone who’s probably listening when this goes in the podcast version, it’s a layer right on the top.

It basically across all subscription as a subscription, as an equal and of a Google product or an AWS account coming in, but this is the tenant. Does that layer right on the top. That’s where the identity is. But in an AWS context, it’s your individual account, which [00:11:00] has each of the identities in there.

And then you kind of do whatever you are back on that, right?

David O’Brien: [00:11:04] Yeah. So an AWS equivalent could be, you’ve got your AWS organization and you federate identity, external

Ashish Rajan: [00:11:15] identity,

David O’Brien: [00:11:17] and then jump into each of these AWS account with that same identity.

Ashish Rajan: [00:11:22] Yeah, perfect. And just to that a bit further, and the way I kind of described this to other people so that every normal day people can understand this as well.

And it doesn’t get too complicated. I described this than to choose set of boxes, one, that are human users. And then there is the robot users. So I think we’ve been scratching the surface on the human user so far. but in terms of. Covering up the human user client component. We kind of have to, if I’m just saying this correctly, you have a user defined in the tenant who may be a guest or an existing user.

was there any other user in that space that you want to call out [00:12:00] as a human user?

David O’Brien: [00:12:01] no, not really. No, you cannot eat it, but they’re located there

Ashish Rajan: [00:12:08] at that point, but it’s not like a different kind of user. Perfect. Okay. And what about the robot users then? That’s the other camp, which people don’t talk about?

David O’Brien: [00:12:16] Correct. if you come from an on premises, active directory, our words, then there’s this concept of a service account. Yeah. And, which would be a robot use thing is that, service accounts never really work any different to the David or Brian account. technically people just went and called a service account as underscore something.

and then that was his service account. technically it was just an active directory user. Microsoft did. At some point we lease a managed service account. however that had very limited support for [00:13:00] applications. so what people then go and do is they go to active directory and they sometimes also just create for robot scenarios, basically for application scenarios.

They sometimes go and apply that same. Mentality to active directory and just create another active directory user. which then needs to authentic authenticate against something. problem with that is that as a very, very, very, very, very lots of emphasis on that good practice. is that every Israel active directory user should have MFA and forced on them.

Right. It’s free. It’s out of the box. It’s literally one tick box that you take and your user has MSA and faults. Yeah. Obviously an application cannot respond on. Most [00:14:00] applications probably don’t respond to MFA claims out of the box. Right. And the, an application doesn’t own a phone, or can respond to any prompts.

So what people would then unfortunately do is they just don’t enforce MFA on these, on that user. Microsoft, however, went and fairly early on in the AED life. Basically they created something called an application and application registration. And if you go on Google or Bing or dr, go for it or whatever you want, you.

You probably search for the SPN service, principal name term, or just Apple registration. These are actual applicants identities that you can create. You get to the application ID, you create a secret, and then [00:15:00] the application. Can authenticate against any API that as well, and as a D and office three 65 exports with that application ID and application secret like a prop application.

Ashish Rajan: [00:15:17] Perfect. And I think that reminds me that she had third camp to this whole thing, which is the third party, which that has an identity into your Azure or AWS. And obviously. A lot of cloud providers have their own recommendation for a grade. This is how you do deal with human users. This is how you deal with robot users, but how do you deal with third party users?

What does that look like?

David O’Brien: [00:15:39] Yeah. So, yeah. Good question. Third party applications, with, without. But male thing, other companies there’s different levels of maturity or just like on AWS, they might ask for sometimes for an IAM user, [00:16:00] which isn’t necessarily the best. Sometimes they say, Hey, deploy this formation template and you get an am.

sometimes they say, Hey, we can assume a role is from our. You see two or whatever we have, same on a zoo. Sometimes they go and say, please create an AAD user for us and give us the username and password. Not necessarily. Great. the other ones, the thing is the application registration that adjusts mentioned.

Yeah. The might say, can you please create an app registration, give us the application ID and the application secrets. If they expose themselves already as a web application, then they might go and publish themselves into the enterprise application gallery. w which is another concept of applications where, for example, a let’s just take Facebook.

if you wanted to allow people [00:17:00] to log into Facebook from AAD, with your own identity. because he might be a workplace or user. Yeah. What place customer, and you want your, your employees to be able to log into Facebook workplace with their work identities. You can install this enterprise application out of the gallery for Facebook, and that would then Samit authenticate into Facebook.

Ashish Rajan: [00:17:28] Oh, right. Okay. And. So, okay. So I guess so summarizing that again. So we have a human users where the hour back is we have robot users all back as well. Yes. Perfect. And then there’s, isn’t this all back.

David O’Brien: [00:17:46] Yes.

Ashish Rajan: [00:17:48] Interesting. And where does the whole concept of, is it our back more in terms of say you’re defining a policy or a group policy in active directory or Ady in this context, I guess, [00:18:00] or is it more individual like of their objects called roles, WhatsApp thing?

Or how do I say it all back?

David O’Brien: [00:18:06] Yeah. So on we forgot about, we completely forget about group policy at this point. cause group policy doesn’t exist in a D. So we have built in roles and, and the thing, the important thing is we’re still not even talking about Zuora at this point.

Ashish Rajan: [00:18:25] yes. Go ahead.

David O’Brien: [00:18:27] We would stay talking about AAD, objects and resources. And, and in AED you can do our back, giving people, access of people and applications, access to groups. And, this would be your AED groups where we, where you just go and group identities together. And then you can add a group to a role turn, active directory role, which then give people.

[00:19:00] Specific permissions to AED. So in the AED, he can be a password administrator. You can be a security administrator. There’s dozens of bed enrollments. Now, if we want to talk about applying your identity and permissions to Azure going. Down into the application.

Ashish Rajan: [00:19:26] Maybe we should, we should probably get to the, the, the crux of it.

David O’Brien: [00:19:29] just, and, and, and S headfirst to think of as, as an application underneath. The AED tenant. So yeah, gifts. Some, you can give somebody access to AAD.

Ashish Rajan: [00:19:47] Yep.

David O’Brien: [00:19:49] Identity in AAD. You can give it access to a D thing to do things in there. Yeah. Create a user deleted user change. User’s password. Yeah. None of that. [00:20:00] It gives a user access to Israel.

Now the next step would be, if you needed access

Ashish Rajan: [00:20:09] is appointed to, we spoke about it for half an hour and we haven’t even reached Azure yet.

David O’Brien: [00:20:14] And I think that’s really the point that I’m trying to make. Right. You have your tenants layer on top of everything thing, but then you can give somebody access to office three 65 or Microsoft three 65.

You can give somebody access to the zoo, and other applications. From that AED tenant. Right. And once you’ve given somebody access to Azure, then we, again talk about other, add back aspects, like access to an Israel role, access to as a permission. So there’s a similar, but. Separate, add back Madu, not an identity [00:21:00] model, but add back module inside of the application called dessert.

Ashish Rajan: [00:21:04] And I think that is what’s really calling out as well to the fact that. Anyone who may be coming from another cloud provider, say Google cloud or AWS, they might find this concept quite weird. But I think coming from an a windows world, I think they’ve got the concept totally makes sense, because we’ve always had applications and you have, they’re almost like.

Your one active directory, which rules them all. Then you have a domain which is kind of, for lack of better. What am I’m going to compare it to tenant in this context, which is your domain. And that allows you to you kind of have access to different subscriptions applications and kind of so on.

David O’Brien: [00:21:41] Correct.

Ashish Rajan: [00:21:42] I know having, coming from an identity management background, myself, that we kind of have to talk about another company, which a lot of people and because we’re touching our back as well, which has normal user versus privileged user is that it’s our privileged user.

Now the whole concept is gel in a very different way [00:22:00] in AWS and Google cloud. That’s the whole concept of the jump in read only, and the new right by elevating your privileges. What does that look like in Azure land?

David O’Brien: [00:22:11] it by default. so we’re talking best practices here, right? So

Ashish Rajan: [00:22:19] ideal. Well, let’s go with little world first.

David O’Brien: [00:22:21] Yeah. best practice would be you log into zoom with David. O’Brien use that account. And, all I have is either no permission at all. Or an a can’t see anything, or on get this lead only. Yeah, because, that’s my base permission and then there’s a feature, a service. that’s part of it’s an active directory, which is called privileged identity management.

Unfortunately, I want to say it does cost a bit of money, not much. I think [00:23:00] it’s $5 per user per month. Oh my gosh. So expensive. and it’s part of a license that almost every company has anyways.

Ashish Rajan: [00:23:12] You mean enterprise company would have, or.

David O’Brien: [00:23:15] most so pretty much every enterprise company will have it.

Yeah. And if you’re in an office to be 65 customer, for example, you were also already in most half that. so for most companies, it shouldn’t be an extra expenditure.

Ashish Rajan: [00:23:34] Yeah,

David O’Brien: [00:23:34] but it could be. So I’m just calling out it’s part of the license, flinched identity management or PIM. That would be where you go and then say, Hey, I want to request access to a different role to a higher privileged role.

And the nice thing about there’s actually. [00:24:00] You can actually configure a bit of a workflow around that, depending on the role. If I, for example said, I want access to the global administrative role and the global administrator role is essentially like your root account, for actual human users, right?

And, I could go and as a global administrator, I can delete whole as a subscription. Yeah. That’s a very high privileged Roy. And since I want to access that I can not request the access and then people have to approve that access. So there’s an actual approval workflow that can be put behind PIM. plus the access you get it’s time box.

So it’s also configurable with a maximum time of eight hours. So you don’t have standing permissions forever. that would be the ideal way to do privileged identity management on Azula. sometimes [00:25:00] people go and do it a bit different. the. Kind of apply the principles from on prem active directory, where you have your regular user, your non admin user that you use to log into your laptop fight sound that has here made a box and all of that configured.

And if you need to do admin work, you then have your, I dunno, underscore admin user and, on AAD, people do do that. Sometimes a sweat. They have a normal user that they log in with and they do higher privileged role or actions. They log out again and log in to AAD with the admin account, which might have higher control it’s on it’s shorter session talk and I’m fully aware and things like that.

[00:26:00] Ashish Rajan: [00:26:00] Yeah. Okay. And to your point, Well, and because of that, we are not going with Microsoft at the moment. You can probably talk about this. How many people are actually following this?

David O’Brien: [00:26:11] enterprise is quite a bit, I see. the smaller the company gets. and I think that’s just at some point also a startup thing where companies sometimes just need to ship something.

Right. And, the curiosity then come second. it. It does depend, the privileged to management. It’s a more advanced concept when it comes, when it comes to this. and as I said, there are ways to get around that I’m paying that extra license by just having second user, for example. which you have to go and log in with.

but then thank user always has these permissions. That’s not audit trace, [00:27:00] right. And if people have that user and have access to that user PP at some point, cause we are all lazy and, instead of logging in with one user. And then, and then realizing actually I need to do this other thing. At some point, we will always go and just log in with the admin user.

Ashish Rajan: [00:27:21] Wait, what are you? I don’t log in with my admin user. I have MFA exactly. Yeah, I was going to ask, we’ve kind of covered a few things and I just was going to, I note we didn’t cover manage identity as an, as a concept. What is that?

David O’Brien: [00:27:40] manage the identities or then the identities that you can give. To a newer resource.

So on are the equivalent on AWS could be the AWS, easy to instance fraud, for example. So, that an easy to instance [00:28:00] assumes. So let’s see we’re running an application. let us take our algos application. So our application runs on its functions and, so several lists and, I want application a.net core application needs to do something, on is the cosmos DB.

Our backend is a cosmos DB. no secret offering by Microsoft and, the application needs to authentic. She keyed against this other as a saboteur. We could obviously go and just hard cord on the access key or the connection string into our application. Right. We could do that. and, then David, the security auditor comes along and looks at the code and says, Oh, That don’t do that.

Ashish Rajan: [00:28:55] As you were saying that I was like, I was just keeping my ears flag Lala.

[00:29:00] David O’Brien: [00:29:02] So we’re obviously not doing that cause that’s a terrible practice.

Ashish Rajan: [00:29:08] kids do North forest is at home.

David O’Brien: [00:29:11] instead of what you can do is you can create a managed identity. That’s the application that the is a function in habits when it starts up.

So it’s can go and internally the there’s an endpoint on the internal function or the it’s over virtual machine. just like your instance, end point on AWS, where you can get your credentials from. So the application just codes that end point says, Hey, once on credentials. And, with those temporary credentials, I can then go and authenticate against other services and do something.

Ashish Rajan: [00:29:52] Interesting. And so. Am I right in putting this under the same campus or what uses as [00:30:00] well?


David O’Brien: [00:30:01] Yes and no. So the, Curt, obviously I was a go and, just create an app registration and give that app registration access, to cosmos DB and my function would get. from the environment failure bits, for example, to get the ID I’m secret, but then I have to go and rotate the secret every time.

Yeah. I have to go and manage that app registration and manage identity is managed. Okay.

Yeah. Sorry.

Ashish Rajan: [00:30:35] I could step back in bold Watson on of my using manager, identi and Watson are on my using app presentation. So. That’s maybe a better way to ask this question then what? So if I’m listening to this for the first time and I’m like, Oh shit, I’ve been hardcore in my connection strings, or I’ve been giving access to, I don’t know, name, application next Facebook, I guess, with a, by creating an Azure Ady [00:31:00] user.

but. What’s like, what are the use cases for using a managed identity versus app presentation?

David O’Brien: [00:31:09] Yeah, so I’m managed identities. I’m not supported by every resource. The, on the most important resources, that would need to managed identity do support it. So it’s a virtual machine support, managed identities, as a function support, managed identities, I think AKF on, so it’s community services.

they support managed identities now, logic app support, managed identities. so from the platform point of view, the most important services that would need it, do support it. Now, the question, however, is, does the application know how to get credentials from the managed identity endpoint? In our case flight sample, because [00:32:00] we are writing the application.

We know of how cloud works. We understand cloud. We know that we don’t go on hot code credentials. We don’t use an athletic trainer. We just create the managed identity and our code knows how to deal with that. If you’ve got, a legacy cots application running on the virtual machine, and your vendor says, by the way, we only support up to windows server 2008, which by the way, it’s end of life that don’t use it anymore.

but then there’s a very high chance that, that application, if it needs to go and. authentic kids to a storage account or a, as a secret data based flakes example, then there’s a very high chance that they don’t know how to use a managed identity and point. And they might ask you to either put in the app ID and app secret, or even a username and [00:33:00] password to, let’s say, take a disc snapshot and put it into a storage account.

Ashish Rajan: [00:33:06] Ah, right.

That’s a good segue into the question around, the fact that what is the difference in deployment between say a startup or how do you see that scale difference between tech startup versus a more mature organization and Azure?

David O’Brien: [00:33:22] I think that. So from a startup point of view. and I, it’s probably a really good example for that.

we absolutely care about providing business value, right? as a startup, I am never going to make money by managing a virtual machine and patching a Linux server or a windows server, or trying to figure out how to. I’ve run dispatch script on a Ubuntu server night. never unless I [00:34:00] have a startup that does that.

that’s not my business. My business is to create business value and provide business value. Which is why startups with usually tend to go, to more paths and managed offering. Right. so our guys, for example, we’re fully serverless. We have a static HTML app, on storage accounts, static website, connecting to as a function.

so your functions as a service with a no secret backend. And, there’s no need for us to worry about patching any information. Chuck, we need to worry about our code obviously and dependencies. but we don’t have to worry about to get every second time we do something. The other end. And I think the much more common deployment methods [00:35:00] is, and that’s true for us, but almost certainly also true for most other cloud providers is there’s a virtual machine that gets deployed, that on a good day is deployed into a scaling group and, Who knows how to scale up and down and in and out and in, and there’s a database backup.

So usually we, we do see a lot of virtual machines in the

Ashish Rajan: [00:35:28] tout. Oh, interesting. And to your point, I think this is kind of like towards the tail end as well, but I wanted to kind of clarify if I am it either one of those stages, right. At a startup level, or kind of like to your point about mature enough that I’m using serverless, is there.

I guess recommendation to the kind of identity should I have in a small team versus a large team, or like, I know it’s a very broad topic and it could be very specific to the use case, [00:36:00] but is there almost like a general pattern for, if you are a small firm, Arno, just use a user, that’s a soul, whatever.

Like if you’re a bigger user. Then you have a complex layer of you have managed identities, app frustrations. You’ve got all these complex things to deal with. Hardest is scale really well. And if this is a startup, this thing to this waking this turn right now, or by setting the right foundation so that it allows, I also, it’s almost like.

If I were to call it out as, anyone listening to build the right foundations from an identity perspective, how should they be thinking about this now? So that tomorrow when they become the next Facebook and self worth a hundred million dollars, this is where they will still be ready.

David O’Brien: [00:36:42] Yeah. So the, the good thing is, if you get.

You most likely not going to get yourself into, into a dead end? no, almost no matter what you do, there’s always an out. And, as a startup, I would say [00:37:00] you have your tenant. you don’t have to federate because you most likely not going to have anything to federate from. Yeah. so there’s no federal aid, your active directory into AAD.

On because startups usually don’t have any on-prem active directory. so start with your tenant secure the tenant. people do like to see that, you know, what MFA is, people do like to see that you understand basic security principles like that. you don’t log in with your highest privilege user.

You. Login with a base role and half the way to escalate into or elevate your permissions into a higher role. And then you go and scale it on the. Inside of your subscription initially. So you create a subscription and then as a startup, you have a nonprofit resource group, a deaf resource group. and I [00:38:00] think in the one Oh one, podcast, the other week, you talked about resource groups a bit, So you scaled it inside of that one subscription at one subscription, it’s highly scalable already.

and then you start creating more subscriptions, the larger you get, you might have a subscription for at some point then nonprofit products, death. the nice thing is he can move, move resources across subscriptions quite easily, or really, I don’t

Ashish Rajan: [00:38:29] know that. So it’s not. That’s really interesting.

Cause I think like coming from AWS and I don’t know if it’s a Google land is the same as well, but you can’t really move that easily if you kind of have it as a whole, I dunno, architecture tobacco at that point. How am I going to migrate my data, but I can have an object in one subscription a and I can move that to subscription B

David O’Brien: [00:38:49] yeah.

Without downtime.

Ashish Rajan: [00:38:51] So got it. Let you go into the, I just thought that was like something like, yeah.

David O’Brien: [00:38:57] it’s actually quite nice. I think [00:39:00] it’s fair to say that ideally on the way to move something is to just point your pipeline at the other subscription and deploy on from infrastructure as code and automation, but on.

I think when we’re outside of this idea, world public, then there is still a lot of click ops happening and people are deploying it

Ashish Rajan: [00:39:24] LA LA LA LA,

David O’Brien: [00:39:27] so

Ashish Rajan: [00:39:28] cannot hear you, David.

David O’Brien: [00:39:32] so it’s absolutely possible to then move something to a different subscription. the larger you get at some point an enterprise might even go and say, actually, we do also need a non-party tenant.

Yeah. So not just, cause they might be things that they want to test inside of that non, prior to tenant or against the tenant. It might also be that they take the whole separation of information of consents [00:40:00] and the blast radius very, very seriously and say everything non prod needs to be in the nonprofit tenant and only nonprofit subscriptions live underneath the nonprofit tenant.

And there’s no connection from that tenant to on-prem it’s completely separate and isolated.

Ashish Rajan: [00:40:20] Right. So, but then okay, to, to your point to summarize starter plan one subscription, you still have enough resources to work with as you grow, add what subscriptions have some segregation, and then, then you go into the complex land of.

Administration, when you talk about third party opera station, and we’re talking about designing for, I guess, for the future. That’s when you kind of talk about manager identity for you’re using different kinds of functions that how you were say,

David O’Brien: [00:40:47] yeah, I think startups were probably, and if you already talk about.

Serverless as a startup, they would probably already start using managed identities [00:41:00] and app registrations, because it’s the easiest way to achieve your goal is if you’re writing the yes. Yeah. Yeah. And it’s the simplest way to just get to where you need to go.

Ashish Rajan: [00:41:16] Interesting kind of towards the tail end of our show as well.

I think unbelievable 45 minutes went by so quickly. Yes. I’ve got, three fun questions for you because you’re a return guest. I wonder some of your answers. This is a change since the last time we spoke, that was like Brico written and now both go, well, not post COVID yet in COVID. Maybe we can have a bowl score, whatever the episode has come the whole circle, but.

just want to ask, what do you spend most time on many not working on cloud or technology

David O’Brien: [00:41:47] on me personally.

Oh, it’s not a, what are your hobbies question

Ashish Rajan: [00:41:54] more late. I was going to say you’ve got, you’ll probably include you’re flying or

David O’Brien: [00:41:58] so I’ve, [00:42:00] I’ve been a private pilot for 20 years now. and, I’m actually going flying right after the set. Podcasts

Ashish Rajan: [00:42:07] or just so that you’ve got the high from the podcast and now you’re literally going hi.

Hi. Hi.

David O’Brien: [00:42:14] so I think if I don’t talk about. Technology and cloud, you will catch me talking about planes. and sometimes at the same time.

Ashish Rajan: [00:42:26] Fair enough. Fair point. and yeah, I can vouch for, if you guys follow, David O’Bryan on his social, you’d probably see that picture of amazing shorts of Melbourne as well.

What is something that you’re proud of, which is not only on social media?

David O’Brien: [00:42:41] Not on, I think I share way too much on social media.

Ashish Rajan: [00:42:46] Yeah.

David O’Brien: [00:42:49] I, w w with Alex being too, I don’t know, too,

Ashish Rajan: [00:42:57] too, too personal to open. [00:43:00]

David O’Brien: [00:43:00] but I’m very proud of, what I’ve. Pete over the last 10 or 12 years in my career now. I’ve, I’m very proud about being, being able to move continents on six and a half years ago.

cause clearly I’m not Australian.

Ashish Rajan: [00:43:19] really?

David O’Brien: [00:43:20] Yeah. I wouldn’t think that pick up, but that’s not an Australian accent. So, I’m very proud of, of the fact that my wife and I, my wife, Sandra, and I almost been able to achieve this big, big move.

Ashish Rajan: [00:43:37] no. Well, I think moving countries is not easy, no matter what the age, so good on you guys as well.

The final question, what’s your favorite restaurant cuisine that you can share with?

Corbett. Cause I know you’re pretty recovered answer and probably the guests are the audience listening in as well. Knows it. So in COVID what’s been your favorite [00:44:00] GoTo, a dish or a restaurant, I guess considering taiko is still open in Melbourne.

David O’Brien: [00:44:04] Yeah. So, we, we live in Jalong, right? So we’re not. Yeah, we’re not technically in the very strict lockdown.

so we’re allowed to go further than five kilometers. the, we’ve been to a really, really nice, trusted farm up near Ballarat, where, where they had, a truffle dog, just like what we have a legato, Hunter trough. So we actually did. trust. so they let the dog loose on that fan and the dog.

Dug up the trophies and, we then had, yeah, and, and we, we then had, trusted pizza. So the traffic that we just hunted in the morning, they shaved them on onto the pizza. And that was sweet. So I think at, to answer the question, it’s the, the [00:45:00] cuisine with the nicest experience around it, I just like to eat.

and, if there’s a really nice, it’s experienced nice people around, then I think that’s. The cuisine that we did like,

Ashish Rajan: [00:45:14] Oh, nice. And we have a few, I have a few people who are extra long hair as well. It seems like we need to live in Geelong as well, but thanks so much for your time. And where can people find you if they have any followup questions on this Azure identity question?

David O’Brien: [00:45:27] Yeah. So, I’m obviously on LinkedIn. so you can find me there, David O’Brien, I’m on Twitter at David underscore. O’Brien. on, if you have any consulting questions, you can reach out on travelers that come to the X I R U S. and if you want to know more about, cloud security, posture management, that’s the startup that we are about to launch very, very soon, called Argos.

So you can go to argos-security.io, to [00:46:00] learn more about that.

Ashish Rajan: [00:46:02] Awesome. Thank you. And thanks so much for joining us this time, and I’ll add that in the show notes as also people can reach out, but thanks so much for your time again.

David O’Brien: [00:46:10] Thank you.

Ashish Rajan: [00:46:12] Thanks for coming. Can’t wait to have you again, man. Thanks so much again.

I’ll talk to you soon.

David O’Brien: [00:46:16] Absolutely. Thanks.

More Videos