This is a continuation of a series of articles on hosting solutions and services on the Azure public cloud; the most recent discussion, on multitenancy, is here. This article discusses resilient identity and access management with Azure AD.
Identity and Access Management (IAM) is the process, policy and technology framework that covers the management of identities and what they can access. It includes the components that support authentication and authorization of user and other accounts in the system.
Any component of an IAM system can cause disruption. IAM resilience is the ability to endure disruption and recover with minimal impact to the business. It is promoted by planning for disruptions on the assumption that they will occur, reducing dependencies, complexity and single points of failure, and ensuring comprehensive error handling.
Recognizing and planning for contingencies is important, but adding more identity systems, each with its own dependencies and complexity, can reduce resilience. Azure AD managed identities provide such resilience. Instead of relying on certificate-based authentication alone, using Azure AD managed identities to improve the resilience of the application is recommended.
There are other elements involved in managing resilience. These include the applications that rely on the IAM system; the public infrastructure that your authentication calls depend on, including telecom companies, internet service providers and public key providers; cloud and on-premises identity providers; other services that rely on the IAM system and the APIs that connect those services; and the on-premises components in your system.
Dependencies can be managed and authentication calls can be reduced so that the application is less chatty. Reducing the number of authentication calls, and the number of dependencies involved in those calls, increases resilience.
Long-lived revocable tokens can be issued to overcome the short validity period of the tokens with which an application or another resource is accessed. When the validity period is long, the token can be presented multiple times to gain access. Acquiring a new token reduces resilience, because the acquisition can be interrupted or can require user involvement. This might, however, need to be weighed against the policy evaluations.
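The two ideas above, fewer authentication calls and a long-lived but revocable token, as an added Python example that is not from the original post and uses no Azure SDK: a hypothetical token cache that reuses a token until it nears expiry, keeps serving a still-valid unrevoked token while the identity provider is unreachable, and fails closed once the token is revoked. The Token, IdpUnavailable and ResilientTokenCache names and the simulate() scenario are constructed for this illustration.

```python
from typing import Callable, Optional

class Token:
    def __init__(self, value: str, expires_at: float):  # expires_at in epoch seconds
        self.value, self.expires_at, self.revoked = value, expires_at, False

class IdpUnavailable(Exception):
    pass  # the identity provider could not be reached (a disruption)

class ResilientTokenCache:
    def __init__(self, acquire: Callable[[], Token], refresh_margin: float, now: Callable[[], float]):
        self._acquire, self._margin, self._now = acquire, refresh_margin, now
        self._cached: Optional[Token] = None
        self.idp_calls = 0  # how chatty the application is toward the identity provider

    def get_token(self) -> Token:
        now, tok = self._now(), self._cached
        if tok and not tok.revoked and tok.expires_at - now > self._margin:
            return tok  # fresh enough: no authentication call at all
        self.idp_calls += 1
        try:
            self._cached = self._acquire()
        except IdpUnavailable:
            if tok and not tok.revoked and tok.expires_at > now:
                return tok  # IdP outage: keep serving the still-valid token
            raise
        return self._cached

    def revoke(self) -> None:
        if self._cached:
            self._cached.revoked = True  # a revoked token is never served, outage or not

def simulate() -> dict:
    clock, idp = {"t": 1000.0}, {"up": True, "issued": 0}  # constructed fake clock and fake IdP
    def acquire() -> Token:
        if not idp["up"]:
            raise IdpUnavailable("identity provider unreachable")
        idp["issued"] += 1
        return Token(f"tok-{idp['issued']}", clock["t"] + 3600)  # one-hour token
    cache = ResilientTokenCache(acquire, refresh_margin=300, now=lambda: clock["t"])
    for _ in range(50):  # 50 requests spread over ten minutes: one acquisition, 49 cache hits
        cache.get_token()
        clock["t"] += 12
    clock["t"], idp["up"] = 4400.0, False  # 200 s before expiry (inside the margin) and the IdP is down
    served = cache.get_token().value  # still served from the cache
    cache.revoke()
    try:
        cache.get_token()
        denied = False
    except IdpUnavailable:
        denied = True  # revoked and IdP down: the request fails closed
    idp["up"] = True
    return {"served_in_outage": served, "denied_after_revoke": denied,
            "after_recovery": cache.get_token().value, "idp_calls": cache.idp_calls, "issued": idp["issued"]}
```

Across 53 requests the identity provider is called only four times, and the one request made with a revoked token during the outage is refused rather than served from the cache.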
Hybrid and on-premises resilience can be improved by introducing an application proxy.
A multitenant application does not control how many tenants there are or which tenant directly owns a resource. The customer has the complete say in this and may want to reassign a resource to another tenant. For example, if they decide to join a machine to a different tenant, they need to disconnect it from the first tenant and then register it again with the new tenant. The single sign-on (SSO) option for password hash synchronization and pass-through authentication can be used with only one Azure AD tenant.