In Microsoft Azure, Azure Active Directory (Azure AD) is the identity and access management layer used to control access to resources such as virtual machines, databases, applications, APIs and websites. Because every administrative and data-plane request is authenticated and authorized through this layer, it is the control plane that protects your resources: an attacker who compromises a privileged Azure AD identity can reach everything that identity is allowed to manage, which is why the scope of administrative privilege, not only its strength, is a design decision.
In this paper, we describe the architectures and best practices for implementing identity and access management across separate Azure environments. Not all organizations need to run separate environments. This document will help you decide whether this configuration is appropriate for your organization.
We begin with an introduction to delegated administration and isolated environments. In this introduction we describe the deployment scenarios and the critical considerations for deciding whether separate environments are appropriate for your organization. Ultimately, we help you choose the right architecture for your organization from three options: delegated administration in a single tenant, resource isolation in multiple tenants, or resource and identity isolation in multiple tenants. We then provide a comprehensive list of design considerations and best practices.