2.1. Identity Security Fundamentals
💡 First Principle: Every security decision in Azure starts with a single question: "Who are you, and what are you allowed to do?" Without a verified identity, there is no way to grant access, audit actions, or enforce policies—the entire security model collapses.
Think of identity like a building's access card system. The card itself proves who you are (authentication), while the card reader at each door checks which rooms you're allowed to enter (authorization). Without the card system, you'd have no way to control who enters which rooms: every door would either be locked to everyone or open to everyone.
What breaks without identity security? Everything. An attacker who compromises an identity doesn't need to find vulnerabilities in your applications or network—they simply walk through the front door with valid credentials. Over 80% of cloud breaches involve compromised identities, making this the most critical security domain to master.
Consider this scenario: Your organization is moving to Azure and needs to secure access for 5,000 employees, 200 applications, and numerous automated processes. Each requires a verified identity before accessing any Azure resource. How do you ensure the right entities have the right access to the right resources at the right time?