<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Richard</title>
    <description>The latest articles on DEV Community by Richard (@richyy).</description>
    <link>https://dev.to/richyy</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3930987%2F158bec4f-0fcc-48ea-8522-29a5a6d2563e.png</url>
      <title>DEV Community: Richard</title>
      <link>https://dev.to/richyy</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/richyy"/>
    <language>en</language>
    <item>
      <title>Let's talk a bit about Azure Architecture and Identity Access Management</title>
      <dc:creator>Richard</dc:creator>
      <pubDate>Sun, 24 May 2026 12:32:32 +0000</pubDate>
      <link>https://dev.to/richyy/lets-talk-a-bit-about-azure-architecture-and-identity-access-management-445l</link>
      <guid>https://dev.to/richyy/lets-talk-a-bit-about-azure-architecture-and-identity-access-management-445l</guid>
      <description>&lt;p&gt;If you read my previous post, you might remember Richard Inc., our beloved (though make-believe) Nigerian food delivery startup that recently made it to the cloud. Well, status update: business is booming! Orders are now coming in from all over the country, the app is running smoothly, customers are happy, and Richard (the founder in this story) has hired 200 staff. This includes a few developers writing code, a few managers approving budgets, interns doing God-knows-what, and maybe automated robots handling food deliveries outside daylight hours. Now every single one of these people (except maybe the robots) needs access to the company's cloud resources on Azure.&lt;/p&gt;

&lt;p&gt;To provide access as quickly as possible, Richard provided a master login — one username, one password. Once logged in, he figured, all members could then navigate the platform. Big mistake! Just 3 days after this, an overexcited intern, thinking he was in the test environment, accidentally deleted the entire production database on a Friday at 4:55 p.m., just before the weekend rush! Richard nearly had a stroke! It is to prevent strokes for founders like Richard that Azure has an entire system built around who you are, what you are allowed to touch, and how far that permission reaches — kind of like a well-run company organizational chart.&lt;/p&gt;

&lt;p&gt;At the top are Management Groups, kinda like Richard Inc.'s business divisions — one division handling deliveries, another for acquiring groceries, another perhaps handling the logistics of expansion. Policies and permissions set at this level can be inherited by everything underneath.&lt;/p&gt;

&lt;p&gt;Below Management Groups are Subscriptions, almost like departments within the business divisions. Subscriptions in Microsoft Azure are essentially containers within which most cloud resources are created and managed. Also, because they tie resource usage to a billing account, when assigned to departments within the divisions of Richard Inc., each department gets its own invoice, providing cost visibility (a neat business trick very useful in planning).&lt;/p&gt;

&lt;p&gt;Next are Resource Groups, kinda like project folders within which the actual cloud tools live: logical containers that organize related cloud resources together — Virtual Machines (cloud computers running Richard Inc.'s software), Databases (storing every order, every customer, every delivery record), Storage Accounts (holding receipts, images, invoices), and Load Balancers (which distribute incoming traffic across multiple backend servers or computing resources so that no single server bears a disproportionate share of the workload — like traffic wardens making sure that when ten thousand people order "jollof rice" at the same time, no single server has a breakdown).&lt;/p&gt;

&lt;p&gt;Now, how do we solve the intern problem? Simple! Microsoft Entra ID (formerly called Azure Active Directory/Azure AD). Microsoft Entra ID is essentially like a smart staff register and assigns identities in four ways — User Identities, Groups, Service Principals, and Managed Identities. Identities assigned to real people such as Richard the founder, his developers, managers, and yes, the intern, are User Identities. If there are maybe 50 developers requiring permission, granting it to each user identity individually can be exhausting. One way around this is putting everyone involved in a Group and assigning permissions to the group; every member of that group then inherits those permissions automatically. Service Principals and Managed Identities are slightly more technical (we'll talk about these another time).&lt;/p&gt;

&lt;p&gt;All identities and access rules for Richard Inc. exist inside a dedicated private identity space in the Microsoft cloud called an Azure Entra Tenant, which is associated with one or more unique addresses/domains.&lt;/p&gt;

&lt;p&gt;Now, what happens when a User attempts to log in? First, Authentication — basically the bouncer at the door who checks if you are actually who you say you are. To prove your identity, you provide a username, password, and even multi-factor authentication (where you also have to confirm via your phone or a secondary device).&lt;/p&gt;

&lt;p&gt;Next is Authorisation, where Azure decides, "Okay, we know it's you — but what rooms are you allowed to enter?" This is the single most important safeguard, and it would have prevented the intern from deleting production files.&lt;/p&gt;

&lt;p&gt;Still, this is a lot! How does Azure handle authorizations for, say, 10,000 employees? Yikes! The poor Cloud Engineer, huh? Lol, not quite.&lt;/p&gt;

&lt;p&gt;Using something called Role-Based Access Control, or RBAC, authorizations can be done at scale — not by writing a custom set of rules per individual, but by assigning roles to individuals, each role coming with a predefined set of powers.&lt;/p&gt;

&lt;p&gt;For this Role-Based Access Control model, there are four roles worth knowing: Owner, Contributor, Reader, and User Access Administrator. The Owner can do everything — create, delete, modify, and hand out permissions to others. This is Richard himself (the founder), or maybe his Chief Technology Officer. Contributors can build and manage resources but cannot grant permissions to anyone else, e.g., senior developers. The Reader can see everything and touch absolutely nothing. Perfect for an investor who wants visibility or a compliance auditor reviewing the system. And then there's the User Access Administrator, who can only manage permissions — can't create a single resource, just handles who has access to what. Great for an operations manager who onboards and offboards staff regularly.&lt;/p&gt;

&lt;p&gt;In all of these roles, however, one golden rule applies — Least Privilege, which essentially means: "Give every person and every system the minimum access needed to do the specific job, nothing more."&lt;/p&gt;

&lt;p&gt;Another important idea in Azure RBAC is Scope. Beyond the assigned Role, how widely does it apply? The wider the scope, the more powerful the role. A Contributor at Management Group level can touch everything in every department. A Contributor at Resource Group level can only touch one project folder. Same role, very different levels of power.&lt;/p&gt;

&lt;p&gt;Oh, by the way, the intern was reassigned to Reader access only. He's doing great!&lt;/p&gt;

</description>
      <category>learning</category>
      <category>azure</category>
      <category>cloud</category>
    </item>
    <item>
      <title>Today I finally understood what cloud computing actually means</title>
      <dc:creator>Richard</dc:creator>
      <pubDate>Mon, 18 May 2026 15:27:54 +0000</pubDate>
      <link>https://dev.to/richyy/today-i-finally-understood-what-cloud-computing-actually-means-4m03</link>
      <guid>https://dev.to/richyy/today-i-finally-understood-what-cloud-computing-actually-means-4m03</guid>
      <description>&lt;p&gt;The "Swapped" animated movie was such an interesting watch on Netflix. Lovely graphics, great humor, with a reminder of the powerful bonds of friendship and family. It had it all! All this was thanks to a series of powerful computers housed in data centers delivering computing services over thousands of miles. The power of the cloud moved Netflix from a DVD rental service by mail to a leading global platform offering a vast selection of movies, TV shows, documentaries, and even games through its streaming service.&lt;/p&gt;

&lt;p&gt;As far back as 2005, a Nigerian company trying to launch a website would spend millions buying expensive servers, renting server rooms, providing constant power, installing cooling systems, hiring a full IT team to babysit processes 24/7, and paying for security — all before writing a single line of code. Now, the same company can rent all these resources over the internet through a subscription, without the burden of infrastructure, space, or personnel, and have full freedom to specify computing needs (service models) and who has access to these platforms (deployment models)!&lt;/p&gt;

&lt;p&gt;Imagine the same Nigerian company — say Richard Inc. (lol) — against all odds, gets running and does very well in the market, providing, say, food delivery services online. A good business day also brings with it huge strains on limited internal servers and suddenly, crash! The server goes dark. For a new business, this could be catastrophic, and new customers, after just a few minutes of service timeout, may swivel into the waiting arms of the competition. With cloud computing, a good business day can stay a blessing, with servers scaled up to match rising demand and customers none the wiser.&lt;/p&gt;

&lt;p&gt;What if something happens to these computers? We know systems fail and natural disasters happen. Is Richard Inc. or Netflix just one catastrophe (flood, fire outbreak, etc.) away from going dark? While for traditional data centers this might be the end of operations, cloud services transcend these hurdles with the principle of redundancy. Data redundancy means copies of essential company data can be stored in multiple places locally within a data center, in multiple sites within a region (called availability zones), and even across regions in different geographical locations! This redundancy also cuts across power supply grids, with primary grid power giving way to instant battery backup, generator power, multiple grid connections, and even renewable energy backups in sequence to ensure no power outage — not even for a millisecond.&lt;/p&gt;

&lt;p&gt;The powerful system of the cloud suddenly opens up doors for small businesses to competitively thrive globally where this would otherwise not be possible. To soar in the global space, one must reach for the cloud! (Haha, see what I did there?)&lt;/p&gt;

</description>
    </item>
  </channel>
</rss>
