SlideShare a Scribd company logo

Azure role based access control (rbac)

Download as PPTX, PDF
Srikanth Kappagantula, profile picture
Srikanth Kappagantula

The document discusses the structure and management of Azure roles and access through role-based access control (RBAC) within the context of a startup, S5 Enterprise, led by Sara. It explains different types of Azure roles, their scopes, how they relate to Azure accounts, subscriptions, and resource groups, as well as best practices for role assignments and management of permissions. Key highlights include the responsibilities of various roles such as administrators and the importance of least privilege access when allocating permissions to users.

Technology
1 of 41
Downloaded 67 times
1
2
3
4
5
6
Most read
7
Most read
8
Most read
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
S5 Cloud Education Role A Role B Management of Azure Roles & RBAC Role C
S5 Cloud Education S5-Cloud-Education-105146271333771 S5 Cloud Education @s5cloudedu srikanth-kappagantula.blogspot.com https://medium.com/@s5cloudeducation https://www.slideshare.net/krishnasrikanthk sites.google.com/view/s5cloudeducation
S5 Cloud Education Srikanth Kappagantula explains Sara the specifics of different types of Azure roles and access management through RBAC, Role Based Access Control  Sara is the owner of the start-up “S5 Enterprise  Sara launch 2 business applications “S5 Retail” and “S5 Pharma” on Azure partnering with SaanV and Gita  Sara hired different professionals to support her in building applications to support her  She is conversing with Srikanth K, an Azure Administrator to understand Azure specifics in terms of Accounts, Subscriptions, and Tenants  Srikanth defines roles, explains role specifics, their scope, access management, etc Context
S5 Cloud Education Sara Owner, S5 Ent Srikanth Azure Administrator SaanV Partner, S5 Retail Gita Partner, S5 Pharma Partner Management HR & Accounting Shaila Accounting, S5 Ent Srini User Admin, S5 Ent Nara Administrator JC User Access Administrator Lucky Internal Auditor Development Teams Development Partners Operations Team Managed Services Partners Sailesh Auditor, External
S5 Cloud Education Definition of Role(s) Collection of permissions on objects in a namespace Role Namehas Namespace/Scope Permissions Security Principals Assigned to C R U D S C E N A R I O Users/Identities are allocated to ROLES with LEAST PREVILEGE which allows them to perform or not perform certain Actions LEAST PREVILEGE defines ability to perform only specific Actions at mentioned S C O P E N o t M o r e N o t L e s s
S5 Cloud Education What is Scope? Azure Account  A Global Unique Entity  Can be an Individual Account or an Organization Account  Account contains multiple subscriptions & active directory tenants  Organization is Business Entity and identified by one/more public DNS domain names Azure Active Directory Tenant  Representation of an organization  Unique instance of Azure Active Directory  Tenant has its own identities, and app registrations  Azure Active Directory Tenant can have more than 1 subscription Management Groups  Management groups are containers to manage access, policy, and compliance for multiple subscriptions  subscriptions in a management group automatically inherit the conditions Subscription  Agreement with Microsoft to use Microsoft cloud platforms or services  Billing Relationship between Party and Azure  Can host resource groups (resource containers) & Resources  1 Subscription can be allocated to only 1 Active Directory Tenant Resource Group  Resource Group is logical container for Resources  Subscription can have 1 or more resource groups  1 Resource Group can be allocated only to one subscription  Resource Group stores its metadata in a location Resources  Resources are instances of azure services for e.g. virtual machines, storage, or SQL databases  A Resource can be assigned to only one resource group  Location of a resource can be different from location of a resource group Account Azure Active Directory Tenant Management Groups Subscription Resource Group Resource Scope
S5 Cloud Education Relationship between Accounts & other objects Subscription Account Azure Active Directory Tenant Subscription Subscription Resource Group Subscription Resources 1..n 1..n 1..n 1..n 1..n Management Groups 1..n
S5 Cloud Education Types of Roles in Azure, Scope and Relationship Role Types in Azure Classic Subscription Administrator Roles Azure Active Directory Roles Azure Roles (based on RBAC) Role Type Scope Classic Subscription Administrator Roles Azure Account & Subscriptions Azure Active Directory Roles Azure Active Directory Tenant Azure Roles Management Group, Azure Subscriptions. Resource Groups & Resources
S5 Cloud Education What are these different types of roles in Azure? Classic Subscription Administrator Roles  Have full access to the Azure subscription & Account  Can manage resources using Portal & ARM API’s  Created when Azure Account is created Azure Active Directory (Azure AD) roles  Used to manage Azure AD resources in a directory  Perform different functions  User management  License management  Manage domains Azure Roles  Based on Role based access control  Authorization system that provides fine grained access to azure resources  Has 4 fundamental roles and 70 built-in roles  Account Administrator  Service Administrator  Co-Administrator  Global Administrator  User Administrator  Billing Administrator  Owner  Contributor  Reader  User Access Administrator Account & Subscription(s) Management Identity Management Subscription & Resource(s) Management Users/Identities are allocated to roles with LEAST PREVILEGE which allows them to perform or not perform certain Actions
S5 Cloud Education Classic Subscription Administrator Roles  Have full access to the Azure subscription & Account  Can manage resources using Portal & ARM API’s  Created when Azure Account is created Purpose Manage Account & Subscriptions (new/existing). * Should not be used to manage azure resources Account Administrator Service Administrator Co-Administrator  Max 1 per Azure Account  Manage (create/cancel) all subscriptions in Account  Manage & Change billing for subscriptions  Can change Service Administrator  Max 1 per Azure Subscription  Manage services in Subscription  Cancel subscription  Assign users to Co-Administrator role  Can associate to a different Active directory tenant  Max 200 per Azure Subscription  Can assign users to Co-Administrator role  Cannot change Service Administrator role  Cannot associate to a different Active directory tenant  Same permissions as Service Administrator but cannot cancel subscription * No other Roles are available at Account level and custom roles cannot be created
S5 Cloud Education Srikanth cautioned Sara with usage of Subscription Administrators Classic Administrator Roles comes with unlimited access to accounts and subscriptions and suggested the following best practices  Assess the need for the role before you assign it to a user  Service Administrator role can  Can change the Active Directory domain or even add new  Can cancel subscriptions  Can order services on subscription  Co-Administrators  Count should not be more than 1 or 2  Limit the permissions on specific subscription resources through Deny Assignments on Subscriptions
S5 Cloud Education What happens when Sara creates an Azure Account Sara Azure Account Azure Active Directory Tenant 1 Azure Subscription 1 Account Administrator Service Administrator Owner Global Administrator User Administrator Roles Assigned Azure Account Classic Subscription Administrator Role(s) Account Administrator Service Administrator Azure Active Directory Tenant 1 Azure Active Directory Role(s) Global Administrator User Administrator Azure Subscription 1 Azure Roles Owner • Sara created an Azure account • Azure Active Directory (AAD) tenant 1 and a subscription 1 created post account creation • AAD is identity management solution. More than 1 AAD tenant instance can be created later • Subscription is the billing relationship between azure and Sara. • More than 1 subscription can be created if you want to segregate billing for different applications • 1 AAD tenant can be linked to many subscriptions • 1 subscription can be linked to only one tenant • An Account can have multiple Active Directory tenants and Subscriptions Account & Subscription(s) Management Subscription & Resource(s) Management AD Identity Management
S5 Cloud Education Assignment/Transfer of Account Administration specific Roles to SaanV and Gita SaanV Partner, S5 Retail Gita Partner, S5 Pharma Partner ManagementSara partnered with SaanV and Gita to manage 2 Business Applications and created 1 subscriptions each  “S5 Retail” with SaanV  “S5 Pharma” with Gita Sara asked Srikanth to assign following roles  Make SaanV “Service Administrator” to subscription “S5 Retail”  Make Gita “Co-Administrator” to Subscription “S5 Pharma”  Make Srikanth a Co-Administrator to both Subscriptions, Temporarily (to manage subscriptions temporarily) Can you suggest why She assigned SaanV, a Service Administrator while Gita a Co-Administrator?
S5 Cloud Education Srikanth details Azure Active Directory Roles  Used to manage Azure AD resources in a directory. Different functions include  User management  License management  Manage domains Global Administrator • Person who signup for azure Account • Manage access to admin features in Active Directory • Assign admin roles to others • Reset password for any user User Administrator • Create & Manage users • Manage support tickets • Manage service health • Change password for users Billing Administrator • Make Purchases • Manage Subscriptions • Manage support tickets • Manage service health Azure Active Directory Roles are specifically related to management of Active Directory objects and support different functions that can be set at directory level
S5 Cloud Education Srikanth asserts the Power of Elevated Access of Azure AD Global Administrator  Azure AD and Azure resources are secured independently from each other  Global Administrator for AD may not have access to all management groups & subscriptions  There may be to elevate Global Administrator access to  Regain access / grant access to users or self on management groups & subscriptions  Allow apps to access the same  After access is elevated to Global Administrator, User access Administrator role is assigned  Toggle the elevated access once purpose is served  Elevation of access is mainly to allow Global Administrator act as User Access Administrator for management groups/subscriptions
S5 Cloud Education Do we have any other Azure Active Directory Roles? Yes, we do. Azure Active Directory is Microsoft’s cloud-based identity and access management service to manage  External Resources  Microsoft 365,  The Azure portal,  Other SaaS applications  Internal resources  Apps on your corporate network  Apps on intranet  Cloud apps developed by your own organization Different roles are available with Azure Active Directory to enable users to perform different functions on different objects Azure Active Directory roles are managed by Azure and custom roles for Azure Active Directory can be created only if you have Azure AD Premium P1 or P2 Azure AD Types Azure AD Free Azure AD Premium P1 Azure AD Premium P2 Pay As you Go
S5 Cloud Education Detailed list of other Azure Active Directory Administrator Roles List of Azure Active Directory Administrator Roles
S5 Cloud Education S5Ent Roles on Azure Active Directory AD Sara sees a need to • Manage Billing centrally • Create/Drop Users to a single AD domain • Administrator to manage AD end to end Sara asked Srikanth to assign following roles  Make Srini the User Administrator, Shaila, the Billing Administrator and Srikanth the Global Administrator What is the Rationale behind Sara’s thought process? Shaila Accounting, S5 Ent Srini User Admin, S5 Ent
S5 Cloud Education What are Azure Roles Owner • Full Access to Resources • Delegate Access to Others Contributor • Create & Manage Azure Resources • Create new tenant in Azure Active Directory • Cannot grant access to resources Reader • Can view all the resources for a scope User Access Administrator • Manage user access to resources Based on Role based access control (RBAC) mechanism Are these the only roles we can use to manage Azure Subscription resources? Obviously No. Some of the other built-in roles include We have other roles created by Azure to perform different functions on Azure Services/Resources. Virtual Machine Contributor Storage Account Reader Network Contributor Backup Operator App Configuration Data Owner Custom Roles can be created in only Azure Roles
S5 Cloud Education Detailed list of other Azure built-in roles (based on RBAC) Click The Button Below List of Azure Roles
S5 Cloud Education What is Azure Role based access control (RBAC) Azure Role based access control (RBAC) in Azure manages access control for cloud resources. 3 QUESTIONS TO ANSWER Azure Role based access control (RBAC) is an authorization system built on Azure Resource Manager (ARM) which provides fine grained access to azure resources Who has access to an azure resource? What can they do with those resources? What specific areas they have access to? EXAMPLES DBA Group to manage SQL and NOSQL databases Network administrator to manage Virtual Networks and Application Administrator to manage App Services Project Administrator to manage resources in a resource group Storage Admin to manage storage accounts
S5 Cloud Education How Access Management is controlled in Azure RBAC Role based access control is enabled through - Role Definition Role Assignment Deny Assignment Custom Roles role definition (typically a role) is a collection of permissions. Supports operations like create, view, update and delete Manage Access to different azure resources at a specific scope is enabled by role assignment. Deny Access to different azure resources at a specific scope is enabled by deny assignment. Custom Roles are created when built- in roles cannot fulfill the purpose
S5 Cloud Education What is Role Definition A role definition (typically a role) is a collection of permissions. A role definition lists the operations that can be performed, such as read, write, and delete 2 Types of Roles Built-in Roles (Defined by Azure) Custom Roles (defined by implementation team) High Level Resource Specific Type Custom Roles are user defined roles which define different access mechanisms to different Resource Specific Types * Segregation into high level and resource specific types is only for our understanding
S5 Cloud Education Revisit “Role Definition” aka Role Role Definition is collection of permissions has Name and Description. Besides, Role Definition/Permission has 5 Components Actions Management operations that the role allows to be performed NotActions Management operations that are excluded from the allowed Actions DataActions Data operations that the role allows to be performed to your data within that object NotDataActions Data operations that are excluded from the allowed DataActions AssignableScope Scope the role is available for assignment. Management Operations control access to resources for e.g. access storage account, create, update and delete blob container, delete resource group & its resources Data Operations control access to data underlying resources for e.g. read log files in blob container, delete a message in a queue, write data into text file in a container Storage Blob Data Reader role definition, which includes operations in both the Actions and DataActions properties. This role allows you to read the blob container and also the underlying blob data Storage Blob Reader role definition, which includes operations in the Actions properties. This role allows you to read the blob container. It is not allowed to read underlying data
S5 Cloud Education Role Definition (in terms of Syntax) { "Name": "", "Description": "", "Actions": [], "NotActions": [], "DataActions": [], "NotDataActions": [], "AssignableScopes": [] } { "Name": "Virtual Machine Operator", "Id": "88888888-8888-8888-8888-888888888888", "IsCustom": true, "Description": "Can monitor and restart virtual machines.", "Actions": [ "Microsoft.Storage/*/read", "Microsoft.Network/*/read", "Microsoft.Compute/*/read", "Microsoft.Compute/virtualMachines/start/action", "Microsoft.Compute/virtualMachines/restart/action", "Microsoft.Authorization/*/read", "Microsoft.ResourceHealth/availabilityStatuses/read", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Insights/alertRules/*", "Microsoft.Insights/diagnosticSettings/*", "Microsoft.Support/*" ], "NotActions": [], "DataActions": [], "NotDataActions": [], "AssignableScopes": [ "/subscriptions/{subscriptionId1}", "/subscriptions/{subscriptionId2}", "/providers/Microsoft.Management/managementGroups/{groupId1}" ] }
S5 Cloud Education What are Role Assignments? Control access to resources using Role based access control (RBAC) in Azure by creating ROLE ASSIGNMENTS Security Principal Role Definition Scope Identity that requests access to an azure resource collection of permissions set of resources that the access applies to ROLE ASSIGNMENT has 3 Elements
S5 Cloud Education 1. Who is Security Principal? A security principal is azure object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources User individual who has a profile in Azure Active Directory Group set of users created in Azure Active Directory Service Principal security identity used by applications/services to access specific Azure resources Managed Identity identity in Azure Active Directory that is automatically managed by Azure
S5 Cloud Education What is Role Definition A role definition (typically a role) is a collection of permissions. A role definition lists the operations that can be performed, such as read, write, and delete 2 Types of Roles Built-in Roles (Defined by Azure) Custom Roles (defined by implementation team) High Level Resource Specific Type Custom Roles are user defined roles which define different access mechanisms to different Resource Specific Types * Segregation into high level and resource specific types is only for our understanding
S5 Cloud Education 3. Define Scope Scope is the set of resources that the access applies to. Assign a role, and limit the actions allowed by defining a scope Scope is additive, for e.g. access granted at subscription flows down to resource group and thereby to resources Management Group Subscription (s) Resource Group (s) Resource(s) Each Management Group can have 1 or more subscriptions Each Subscription can have 1 or more resource groups Each Resource Group can have 1 or more resources and resource types Resource is smallest unit in the scope
S5 Cloud Education Definitions of objects in Scope Management Groups Management groups are containers to manage access, policy, and compliance across multiple subscriptions. Management Groups enable an effective and efficient hierarchy that can be used with Azure Policy and RBAC Controls. All subscriptions in a management group automatically inherit the conditions applied to the management group Subscriptions A subscription logically associates user accounts and the resources that were created by them. Organizations use subscriptions to manage costs and the resources that are created by users, teams, or projects. Resource Groups Resource group is a logical container into which Azure resources like Services, databases, web apps, and storage accounts are deployed and managed. Resources Resources are different services that we create in azure. For e.g. Containers, SQL Databases, Web Apps, Storage Accounts Inherit
S5 Cloud Education What are Deny Assignments? Set of Deny Actions to a Security Principal at a particular scope is DENY ASSIGNMENTS Security Principal Role Definition Scope Identity that requests access to an azure resource collection of permissions set of resources that the access applies to DENY ASSIGNMENT has 3 Elements Deny Assignments prevents security principals to prevent performing actions at a scope even Role assignments are defined at one level above * Azure Blueprints and Azure managed apps are the only way to create deny assignments
S5 Cloud Education Sara interrupted Srikanth with a question At a Specific Scope (Management Groups/Subscriptions/Resource Groups/Resources), what will take precedence when both Role Assignment and Deny Assignment are defined Srikanth advised that RBAC always works with a role with limited access to perform a function At a Scope, Deny Assignment always precedes over Role Assignment
S5 Cloud Education Sara and Srikanth are assigning roles  Srikanth to oversee and manage administration across both subscriptions  Nara need to be able to create and drop services  JC to handle User Access for services for both subscriptions and Storage Management  Lucky and Sailesh need to address Auditing  Implementation of Services outsourced to Development Partners  Operations outsourced to Manage Services partners  Srikanth is assigned owner role  Nara is assigned Contributor role  JC is assigned User Access Administrator, Storage Account Contributor  Lucky & Sailesh are give Reader role Nara Administrator JC User Access Administrator Lucky Internal Auditor Sailesh Auditor, External
S5 Cloud Education Srikanth re-iterated about using resource specific roles  When permissions need to be granted to specific resource types in any scope, use resource specific roles  For e.g. for Storage you have role to support Actions and Data Actions  Storage Account Types and specific roles defined in diagram –  Blob  File  Queue
S5 Cloud Education Sara and Srikanth are assigning roles Problem  Implementation Services Team will have to access multiple services like storage, Virtual Machines, administration, monitoring, management  Operations team need to monitor and manage different services and even need to perform fixes and other support activities Solution  Create Groups of Users and assign multiple roles which provides Data Actions and Actions at a specific scope  Create Groups and assign CUSTOM Roles which span across multiple services
S5 Cloud Education What are Custom Roles and Why?  Sometimes Azure Built-in roles does not serve the specific needs of your organization. Create custom roles to address the specific requirement  Custom Roles are user define roles with specific Actions, Data Actions, NotActions and Not Data Actions at a defined scope  Custom roles can be shared between subscriptions that trust the same Azure AD directory  Custom Roles can be created using Azure Powershell, Azure Portal, Azure CLI or Rest API It is easy to clone a role and edit the JSON document and assign permissions
S5 Cloud Education Custom Roles created to fulfil Sara azure RBAC requirements S5RetailAppDeveloper Subscription Retail Storage VM MySQL ELB Disk Disk Logs S5PharmaAppDeveloper S5EntLogViewer S5RetailStorageContributor S5EntDataAdmin S5EntSecretsManager S5RetailAppLogViewer S5PharmalStorageContributor Data
S5 Cloud Education Sara pointed one concern about subscription and Active Directory I understand that multiple subscriptions can be assigned to an Active Directory Tenant. • What happens when one subscription is moved from Active Directory Tenant 1 to Active Directory Tenant 2. • She raised the concern if there may be a need to separate one of the subscriptions under a new domain Azure Active Directory Tenant 1 Subscription 1 Azure Active Directory Tenant 2 Subscription 1 Impacted RBAC Services Role Assignments Custom Roles  Roles Assignments are permanently deleted  Map Security Principals to corresponding objects in new AD Tenant  Recreate Role Assignments  Custom Roles are permanently deleted  Recreate custom roles and role assignments
S5 Cloud Education Sara has concerns on tracking changes in Azure RBAC To track changes with respect to auditing, especially  Create role assignment  Delete role assignment  Create or update custom role definition  Delete custom role definition Activity Log logs all the activities to support auditing and troubleshooting purposes  Changes in role assignments, custom role definitions and activities are tracked  Hosts the log data for 90 days
S5 Cloud Education Let us Check our Understanding
S5 Cloud Education Happy RBACing

More Related Content

PDF
Microsoft Defender and Azure Sentinel
David J Rosenthal
 
PPTX
Azure Networking (1).pptx
Razith2
 
PDF
Microsoft Azure Active Directory
David J Rosenthal
 
PDF
TechnicalTerraformLandingZones121120229238.pdf
MIlton788007
 
PPTX
Azure storage
Raju Kumar
 
PPTX
Microsoft Sentinel Deployment V1.pptx
saadatali65
 
PPTX
Azure vnet
zekeLabs Technologies
 
PDF
The Nonprofit Guide to Google Analytics - Tapp Network.pdf
TechSoup
 
Microsoft Defender and Azure Sentinel
David J Rosenthal
 
Azure Networking (1).pptx
Razith2
 
Microsoft Azure Active Directory
David J Rosenthal
 
TechnicalTerraformLandingZones121120229238.pdf
MIlton788007
 
Azure storage
Raju Kumar
 
Microsoft Sentinel Deployment V1.pptx
saadatali65
 
Azure vnet
zekeLabs Technologies
 
The Nonprofit Guide to Google Analytics - Tapp Network.pdf
TechSoup
 

What's hot (20)

PDF
[Azure Governance] Lesson 4 : Azure Policy
☁ Hicham KADIRI ☁
 
PDF
Microsoft Azure Security Overview
Alert Logic
 
PPTX
Introduction to Azure monitor
Praveen Nair
 
PPTX
Azure Security Overview
Allen Brokken
 
PPTX
Azure Cloud Governance
Jonathan Wade
 
PPTX
Azure Migrate
Mustafa
 
PPTX
Azure active directory
Raju Kumar
 
PDF
Azure Monitoring Overview
gjuljo
 
PPTX
Azure Sentinel.pptx
Mohit Chhabra
 
PPTX
Azure key vault
Rahul Nath
 
PPTX
Azure Identity and access management
Dinusha Kumarasiri
 
PPTX
Azure Cloud Adoption Framework + Governance - Sana Khan and Jay Kumar
Timothy McAliley
 
PDF
Azure Security Overview
David J Rosenthal
 
PPTX
Azure Migration Program Pitch Deck
Nicholas Vossburg
 
PPTX
Azure governance
girish goudar
 
PDF
AWS IAM -- Notes of 20130403 Doc Version
Ernest Chiang
 
PPTX
Introduction to Microsoft Azure
Guy Barrette
 
PPTX
Microsoft Azure Technical Overview
gjuljo
 
PDF
Azure governance v4.0
Marcos Oikawa
 
PDF
Microsoft Azure Overview | Cloud Computing Tutorial with Azure | Azure Traini...
Edureka!
 
[Azure Governance] Lesson 4 : Azure Policy
☁ Hicham KADIRI ☁
 
Microsoft Azure Security Overview
Alert Logic
 
Introduction to Azure monitor
Praveen Nair
 
Azure Security Overview
Allen Brokken
 
Azure Cloud Governance
Jonathan Wade
 
Azure Migrate
Mustafa
 
Azure active directory
Raju Kumar
 
Azure Monitoring Overview
gjuljo
 
Azure Sentinel.pptx
Mohit Chhabra
 
Azure key vault
Rahul Nath
 
Azure Identity and access management
Dinusha Kumarasiri
 
Azure Cloud Adoption Framework + Governance - Sana Khan and Jay Kumar
Timothy McAliley
 
Azure Security Overview
David J Rosenthal
 
Azure Migration Program Pitch Deck
Nicholas Vossburg
 
Azure governance
girish goudar
 
AWS IAM -- Notes of 20130403 Doc Version
Ernest Chiang
 
Introduction to Microsoft Azure
Guy Barrette
 
Microsoft Azure Technical Overview
gjuljo
 
Azure governance v4.0
Marcos Oikawa
 
Microsoft Azure Overview | Cloud Computing Tutorial with Azure | Azure Traini...
Edureka!
 
Ad

Similar to Azure role based access control (rbac) (20)

PDF
Global Azure Bootcamp 2018 - Oh no my organization went Azure
Karim Vaes
 
PPTX
Microsoft Azure Training - [3] Azure Accounts, Subscriptions and Admin Roles ...
Shawn Ismail
 
PPTX
Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019
Marius Zaharia
 
PPTX
Azure subscription management with EA and CSP
Daichi Isami
 
PPTX
826182700-AZ-500T00A-ENU-Powerpoint-01.pptx
wisdomrobertkonudze
 
PDF
AWS Organizations & Service Control Policy
Bhuvaneswari Subramani
 
PDF
Understanding Azure AD
New Horizons Ireland
 
PDF
AZ-104 Course Training Presentation_KoFi.pdf
OlivierLumeau1
 
PPTX
Azure Day 1.pptx
masbulosoke
 
PDF
1BT_Tech_Talk_AWS_Cross_Account_Access
Crishantha Nanayakkara
 
PDF
Microsoft azure infrastructure essentials course manual
michaeldejene4
 
PPTX
48. Azure Active Directory - Part 1
Shawn Ismail
 
PPTX
Module3ksjdfbsdkfkasjdfbjkendfksdmnfckajs.pptx
trainingdecorpo
 
PDF
Microsoft Azure Security Technologies (AZ-500) Exam Dumps 2023.pdf
SkillCertProExams
 
PPTX
Introduction to basic governance in Azure - #GABDK
Peter Selch Dahl
 
PPTX
Hitchhiker's Guide to Azure AD - SPSKC
Max Fritz
 
PDF
Azure Active Directory Interview Questions PDF By ScholarHat
Scholarhat
 
PPTX
03_DP_300T00A_Secure_Environment.pptx
KareemBullard1
 
PPTX
Leverage your application architecture with azure services
Sammani Palansuriya
 
PDF
TechDays Finland 2020: Azuren tietoturva haltuun!
Karl Ots
 
Global Azure Bootcamp 2018 - Oh no my organization went Azure
Karim Vaes
 
Microsoft Azure Training - [3] Azure Accounts, Subscriptions and Admin Roles ...
Shawn Ismail
 
Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019
Marius Zaharia
 
Azure subscription management with EA and CSP
Daichi Isami
 
826182700-AZ-500T00A-ENU-Powerpoint-01.pptx
wisdomrobertkonudze
 
AWS Organizations & Service Control Policy
Bhuvaneswari Subramani
 
Understanding Azure AD
New Horizons Ireland
 
AZ-104 Course Training Presentation_KoFi.pdf
OlivierLumeau1
 
Azure Day 1.pptx
masbulosoke
 
1BT_Tech_Talk_AWS_Cross_Account_Access
Crishantha Nanayakkara
 
Microsoft azure infrastructure essentials course manual
michaeldejene4
 
48. Azure Active Directory - Part 1
Shawn Ismail
 
Module3ksjdfbsdkfkasjdfbjkendfksdmnfckajs.pptx
trainingdecorpo
 
Microsoft Azure Security Technologies (AZ-500) Exam Dumps 2023.pdf
SkillCertProExams
 
Introduction to basic governance in Azure - #GABDK
Peter Selch Dahl
 
Hitchhiker's Guide to Azure AD - SPSKC
Max Fritz
 
Azure Active Directory Interview Questions PDF By ScholarHat
Scholarhat
 
03_DP_300T00A_Secure_Environment.pptx
KareemBullard1
 
Leverage your application architecture with azure services
Sammani Palansuriya
 
TechDays Finland 2020: Azuren tietoturva haltuun!
Karl Ots
 
Ad

Recently uploaded (20)

PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
[발표본] 너의 과제는 클라우드에 있어_KTDS_김동현_20250524.pdf
ssuserf8b8bd1
 
PDF
Advanced IT Governance
University of Hertfordshire
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
solutions_manual_-_materials___processing_in_manufacturing__demargo_.pdf
AbdullahSani29
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
athlonica
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
[발표본] 너의 과제는 클라우드에 있어_KTDS_김동현_20250524.pdf
ssuserf8b8bd1
 
Advanced IT Governance
University of Hertfordshire
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
solutions_manual_-_materials___processing_in_manufacturing__demargo_.pdf
AbdullahSani29
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
athlonica
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Teaching material agriculture food technology
LiaRayya
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Cloud computing and distributed systems.
kkkkkhan
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 

Azure role based access control (rbac)

  • 1. S5 Cloud Education Role A Role B Management of Azure Roles & RBAC Role C
  • 2. S5 Cloud Education S5-Cloud-Education-105146271333771 S5 Cloud Education @s5cloudedu srikanth-kappagantula.blogspot.com https://medium.com/@s5cloudeducation https://www.slideshare.net/krishnasrikanthk sites.google.com/view/s5cloudeducation
  • 3. S5 Cloud Education Srikanth Kappagantula explains Sara the specifics of different types of Azure roles and access management through RBAC, Role Based Access Control  Sara is the owner of the start-up “S5 Enterprise  Sara launch 2 business applications “S5 Retail” and “S5 Pharma” on Azure partnering with SaanV and Gita  Sara hired different professionals to support her in building applications to support her  She is conversing with Srikanth K, an Azure Administrator to understand Azure specifics in terms of Accounts, Subscriptions, and Tenants  Srikanth defines roles, explains role specifics, their scope, access management, etc Context
  • 4. S5 Cloud Education Sara Owner, S5 Ent Srikanth Azure Administrator SaanV Partner, S5 Retail Gita Partner, S5 Pharma Partner Management HR & Accounting Shaila Accounting, S5 Ent Srini User Admin, S5 Ent Nara Administrator JC User Access Administrator Lucky Internal Auditor Development Teams Development Partners Operations Team Managed Services Partners Sailesh Auditor, External
  • 5. S5 Cloud Education Definition of Role(s) Collection of permissions on objects in a namespace Role Namehas Namespace/Scope Permissions Security Principals Assigned to C R U D S C E N A R I O Users/Identities are allocated to ROLES with LEAST PREVILEGE which allows them to perform or not perform certain Actions LEAST PREVILEGE defines ability to perform only specific Actions at mentioned S C O P E N o t M o r e N o t L e s s
  • 6. S5 Cloud Education What is Scope? Azure Account  A Global Unique Entity  Can be an Individual Account or an Organization Account  Account contains multiple subscriptions & active directory tenants  Organization is Business Entity and identified by one/more public DNS domain names Azure Active Directory Tenant  Representation of an organization  Unique instance of Azure Active Directory  Tenant has its own identities, and app registrations  Azure Active Directory Tenant can have more than 1 subscription Management Groups  Management groups are containers to manage access, policy, and compliance for multiple subscriptions  subscriptions in a management group automatically inherit the conditions Subscription  Agreement with Microsoft to use Microsoft cloud platforms or services  Billing Relationship between Party and Azure  Can host resource groups (resource containers) & Resources  1 Subscription can be allocated to only 1 Active Directory Tenant Resource Group  Resource Group is logical container for Resources  Subscription can have 1 or more resource groups  1 Resource Group can be allocated only to one subscription  Resource Group stores its metadata in a location Resources  Resources are instances of azure services for e.g. virtual machines, storage, or SQL databases  A Resource can be assigned to only one resource group  Location of a resource can be different from location of a resource group Account Azure Active Directory Tenant Management Groups Subscription Resource Group Resource Scope
  • 7. S5 Cloud Education Relationship between Accounts & other objects Subscription Account Azure Active Directory Tenant Subscription Subscription Resource Group Subscription Resources 1..n 1..n 1..n 1..n 1..n Management Groups 1..n
  • 8. S5 Cloud Education Types of Roles in Azure, Scope and Relationship Role Types in Azure Classic Subscription Administrator Roles Azure Active Directory Roles Azure Roles (based on RBAC) Role Type Scope Classic Subscription Administrator Roles Azure Account & Subscriptions Azure Active Directory Roles Azure Active Directory Tenant Azure Roles Management Group, Azure Subscriptions. Resource Groups & Resources
  • 9. S5 Cloud Education What are these different types of roles in Azure? Classic Subscription Administrator Roles  Have full access to the Azure subscription & Account  Can manage resources using Portal & ARM API’s  Created when Azure Account is created Azure Active Directory (Azure AD) roles  Used to manage Azure AD resources in a directory  Perform different functions  User management  License management  Manage domains Azure Roles  Based on Role based access control  Authorization system that provides fine grained access to azure resources  Has 4 fundamental roles and 70 built-in roles  Account Administrator  Service Administrator  Co-Administrator  Global Administrator  User Administrator  Billing Administrator  Owner  Contributor  Reader  User Access Administrator Account & Subscription(s) Management Identity Management Subscription & Resource(s) Management Users/Identities are allocated to roles with LEAST PREVILEGE which allows them to perform or not perform certain Actions
  • 10. S5 Cloud Education Classic Subscription Administrator Roles  Have full access to the Azure subscription & Account  Can manage resources using Portal & ARM API’s  Created when Azure Account is created Purpose Manage Account & Subscriptions (new/existing). * Should not be used to manage azure resources Account Administrator Service Administrator Co-Administrator  Max 1 per Azure Account  Manage (create/cancel) all subscriptions in Account  Manage & Change billing for subscriptions  Can change Service Administrator  Max 1 per Azure Subscription  Manage services in Subscription  Cancel subscription  Assign users to Co-Administrator role  Can associate to a different Active directory tenant  Max 200 per Azure Subscription  Can assign users to Co-Administrator role  Cannot change Service Administrator role  Cannot associate to a different Active directory tenant  Same permissions as Service Administrator but cannot cancel subscription * No other Roles are available at Account level and custom roles cannot be created
  • 11. S5 Cloud Education Srikanth cautioned Sara with usage of Subscription Administrators Classic Administrator Roles comes with unlimited access to accounts and subscriptions and suggested the following best practices  Assess the need for the role before you assign it to a user  Service Administrator role can  Can change the Active Directory domain or even add new  Can cancel subscriptions  Can order services on subscription  Co-Administrators  Count should not be more than 1 or 2  Limit the permissions on specific subscription resources through Deny Assignments on Subscriptions
  • 12. S5 Cloud Education What happens when Sara creates an Azure Account Sara Azure Account Azure Active Directory Tenant 1 Azure Subscription 1 Account Administrator Service Administrator Owner Global Administrator User Administrator Roles Assigned Azure Account Classic Subscription Administrator Role(s) Account Administrator Service Administrator Azure Active Directory Tenant 1 Azure Active Directory Role(s) Global Administrator User Administrator Azure Subscription 1 Azure Roles Owner • Sara created an Azure account • Azure Active Directory (AAD) tenant 1 and a subscription 1 created post account creation • AAD is identity management solution. More than 1 AAD tenant instance can be created later • Subscription is the billing relationship between azure and Sara. • More than 1 subscription can be created if you want to segregate billing for different applications • 1 AAD tenant can be linked to many subscriptions • 1 subscription can be linked to only one tenant • An Account can have multiple Active Directory tenants and Subscriptions Account & Subscription(s) Management Subscription & Resource(s) Management AD Identity Management
  • 13. S5 Cloud Education Assignment/Transfer of Account Administration specific Roles to SaanV and Gita SaanV Partner, S5 Retail Gita Partner, S5 Pharma Partner ManagementSara partnered with SaanV and Gita to manage 2 Business Applications and created 1 subscriptions each  “S5 Retail” with SaanV  “S5 Pharma” with Gita Sara asked Srikanth to assign following roles  Make SaanV “Service Administrator” to subscription “S5 Retail”  Make Gita “Co-Administrator” to Subscription “S5 Pharma”  Make Srikanth a Co-Administrator to both Subscriptions, Temporarily (to manage subscriptions temporarily) Can you suggest why She assigned SaanV, a Service Administrator while Gita a Co-Administrator?
  • 14. S5 Cloud Education Srikanth details Azure Active Directory Roles  Used to manage Azure AD resources in a directory. Different functions include  User management  License management  Manage domains Global Administrator • Person who signup for azure Account • Manage access to admin features in Active Directory • Assign admin roles to others • Reset password for any user User Administrator • Create & Manage users • Manage support tickets • Manage service health • Change password for users Billing Administrator • Make Purchases • Manage Subscriptions • Manage support tickets • Manage service health Azure Active Directory Roles are specifically related to management of Active Directory objects and support different functions that can be set at directory level
  • 15. S5 Cloud Education Srikanth asserts the Power of Elevated Access of Azure AD Global Administrator  Azure AD and Azure resources are secured independently from each other  Global Administrator for AD may not have access to all management groups & subscriptions  There may be to elevate Global Administrator access to  Regain access / grant access to users or self on management groups & subscriptions  Allow apps to access the same  After access is elevated to Global Administrator, User access Administrator role is assigned  Toggle the elevated access once purpose is served  Elevation of access is mainly to allow Global Administrator act as User Access Administrator for management groups/subscriptions
  • 16. S5 Cloud Education Do we have any other Azure Active Directory Roles? Yes, we do. Azure Active Directory is Microsoft’s cloud-based identity and access management service to manage  External Resources  Microsoft 365,  The Azure portal,  Other SaaS applications  Internal resources  Apps on your corporate network  Apps on intranet  Cloud apps developed by your own organization Different roles are available with Azure Active Directory to enable users to perform different functions on different objects Azure Active Directory roles are managed by Azure and custom roles for Azure Active Directory can be created only if you have Azure AD Premium P1 or P2 Azure AD Types Azure AD Free Azure AD Premium P1 Azure AD Premium P2 Pay As you Go
  • 17. S5 Cloud Education Detailed list of other Azure Active Directory Administrator Roles List of Azure Active Directory Administrator Roles
  • 18. S5 Cloud Education S5Ent Roles on Azure Active Directory AD Sara sees a need to • Manage Billing centrally • Create/Drop Users to a single AD domain • Administrator to manage AD end to end Sara asked Srikanth to assign following roles  Make Srini the User Administrator, Shaila, the Billing Administrator and Srikanth the Global Administrator What is the Rationale behind Sara’s thought process? Shaila Accounting, S5 Ent Srini User Admin, S5 Ent
  • 19. S5 Cloud Education What are Azure Roles Owner • Full Access to Resources • Delegate Access to Others Contributor • Create & Manage Azure Resources • Create new tenant in Azure Active Directory • Cannot grant access to resources Reader • Can view all the resources for a scope User Access Administrator • Manage user access to resources Based on Role based access control (RBAC) mechanism Are these the only roles we can use to manage Azure Subscription resources? Obviously No. Some of the other built-in roles include We have other roles created by Azure to perform different functions on Azure Services/Resources. Virtual Machine Contributor Storage Account Reader Network Contributor Backup Operator App Configuration Data Owner Custom Roles can be created in only Azure Roles
  • 20. S5 Cloud Education Detailed list of other Azure built-in roles (based on RBAC) Click The Button Below List of Azure Roles
  • 21. S5 Cloud Education What is Azure Role based access control (RBAC) Azure Role based access control (RBAC) in Azure manages access control for cloud resources. 3 QUESTIONS TO ANSWER Azure Role based access control (RBAC) is an authorization system built on Azure Resource Manager (ARM) which provides fine grained access to azure resources Who has access to an azure resource? What can they do with those resources? What specific areas they have access to? EXAMPLES DBA Group to manage SQL and NOSQL databases Network administrator to manage Virtual Networks and Application Administrator to manage App Services Project Administrator to manage resources in a resource group Storage Admin to manage storage accounts
  • 22. S5 Cloud Education How Access Management is controlled in Azure RBAC Role based access control is enabled through - Role Definition Role Assignment Deny Assignment Custom Roles role definition (typically a role) is a collection of permissions. Supports operations like create, view, update and delete Manage Access to different azure resources at a specific scope is enabled by role assignment. Deny Access to different azure resources at a specific scope is enabled by deny assignment. Custom Roles are created when built- in roles cannot fulfill the purpose
  • 23. S5 Cloud Education What is Role Definition A role definition (typically a role) is a collection of permissions. A role definition lists the operations that can be performed, such as read, write, and delete 2 Types of Roles Built-in Roles (Defined by Azure) Custom Roles (defined by implementation team) High Level Resource Specific Type Custom Roles are user defined roles which define different access mechanisms to different Resource Specific Types * Segregation into high level and resource specific types is only for our understanding
  • 24. S5 Cloud Education Revisit “Role Definition” aka Role Role Definition is collection of permissions has Name and Description. Besides, Role Definition/Permission has 5 Components Actions Management operations that the role allows to be performed NotActions Management operations that are excluded from the allowed Actions DataActions Data operations that the role allows to be performed to your data within that object NotDataActions Data operations that are excluded from the allowed DataActions AssignableScope Scope the role is available for assignment. Management Operations control access to resources for e.g. access storage account, create, update and delete blob container, delete resource group & its resources Data Operations control access to data underlying resources for e.g. read log files in blob container, delete a message in a queue, write data into text file in a container Storage Blob Data Reader role definition, which includes operations in both the Actions and DataActions properties. This role allows you to read the blob container and also the underlying blob data Storage Blob Reader role definition, which includes operations in the Actions properties. This role allows you to read the blob container. It is not allowed to read underlying data
  • 25. S5 Cloud Education Role Definition (in terms of Syntax) { "Name": "", "Description": "", "Actions": [], "NotActions": [], "DataActions": [], "NotDataActions": [], "AssignableScopes": [] } { "Name": "Virtual Machine Operator", "Id": "88888888-8888-8888-8888-888888888888", "IsCustom": true, "Description": "Can monitor and restart virtual machines.", "Actions": [ "Microsoft.Storage/*/read", "Microsoft.Network/*/read", "Microsoft.Compute/*/read", "Microsoft.Compute/virtualMachines/start/action", "Microsoft.Compute/virtualMachines/restart/action", "Microsoft.Authorization/*/read", "Microsoft.ResourceHealth/availabilityStatuses/read", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Insights/alertRules/*", "Microsoft.Insights/diagnosticSettings/*", "Microsoft.Support/*" ], "NotActions": [], "DataActions": [], "NotDataActions": [], "AssignableScopes": [ "/subscriptions/{subscriptionId1}", "/subscriptions/{subscriptionId2}", "/providers/Microsoft.Management/managementGroups/{groupId1}" ] }
  • 26. S5 Cloud Education What are Role Assignments? Control access to resources using Role based access control (RBAC) in Azure by creating ROLE ASSIGNMENTS Security Principal Role Definition Scope Identity that requests access to an azure resource collection of permissions set of resources that the access applies to ROLE ASSIGNMENT has 3 Elements
  • 27. S5 Cloud Education 1. Who is Security Principal? A security principal is azure object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources User individual who has a profile in Azure Active Directory Group set of users created in Azure Active Directory Service Principal security identity used by applications/services to access specific Azure resources Managed Identity identity in Azure Active Directory that is automatically managed by Azure
  • 28. S5 Cloud Education What is Role Definition A role definition (typically a role) is a collection of permissions. A role definition lists the operations that can be performed, such as read, write, and delete 2 Types of Roles Built-in Roles (Defined by Azure) Custom Roles (defined by implementation team) High Level Resource Specific Type Custom Roles are user defined roles which define different access mechanisms to different Resource Specific Types * Segregation into high level and resource specific types is only for our understanding
  • 29. S5 Cloud Education 3. Define Scope Scope is the set of resources that the access applies to. Assign a role, and limit the actions allowed by defining a scope Scope is additive, for e.g. access granted at subscription flows down to resource group and thereby to resources Management Group Subscription (s) Resource Group (s) Resource(s) Each Management Group can have 1 or more subscriptions Each Subscription can have 1 or more resource groups Each Resource Group can have 1 or more resources and resource types Resource is smallest unit in the scope
  • 30. S5 Cloud Education Definitions of objects in Scope Management Groups Management groups are containers to manage access, policy, and compliance across multiple subscriptions. Management Groups enable an effective and efficient hierarchy that can be used with Azure Policy and RBAC Controls. All subscriptions in a management group automatically inherit the conditions applied to the management group Subscriptions A subscription logically associates user accounts and the resources that were created by them. Organizations use subscriptions to manage costs and the resources that are created by users, teams, or projects. Resource Groups Resource group is a logical container into which Azure resources like Services, databases, web apps, and storage accounts are deployed and managed. Resources Resources are different services that we create in azure. For e.g. Containers, SQL Databases, Web Apps, Storage Accounts Inherit
  • 31. S5 Cloud Education What are Deny Assignments? Set of Deny Actions to a Security Principal at a particular scope is DENY ASSIGNMENTS Security Principal Role Definition Scope Identity that requests access to an azure resource collection of permissions set of resources that the access applies to DENY ASSIGNMENT has 3 Elements Deny Assignments prevents security principals to prevent performing actions at a scope even Role assignments are defined at one level above * Azure Blueprints and Azure managed apps are the only way to create deny assignments
  • 32. S5 Cloud Education Sara interrupted Srikanth with a question At a Specific Scope (Management Groups/Subscriptions/Resource Groups/Resources), what will take precedence when both Role Assignment and Deny Assignment are defined Srikanth advised that RBAC always works with a role with limited access to perform a function At a Scope, Deny Assignment always precedes over Role Assignment
  • 33. S5 Cloud Education Sara and Srikanth are assigning roles  Srikanth to oversee and manage administration across both subscriptions  Nara need to be able to create and drop services  JC to handle User Access for services for both subscriptions and Storage Management  Lucky and Sailesh need to address Auditing  Implementation of Services outsourced to Development Partners  Operations outsourced to Manage Services partners  Srikanth is assigned owner role  Nara is assigned Contributor role  JC is assigned User Access Administrator, Storage Account Contributor  Lucky & Sailesh are give Reader role Nara Administrator JC User Access Administrator Lucky Internal Auditor Sailesh Auditor, External
  • 34. S5 Cloud Education Srikanth re-iterated about using resource specific roles  When permissions need to be granted to specific resource types in any scope, use resource specific roles  For e.g. for Storage you have role to support Actions and Data Actions  Storage Account Types and specific roles defined in diagram –  Blob  File  Queue
  • 35. S5 Cloud Education Sara and Srikanth are assigning roles Problem  Implementation Services Team will have to access multiple services like storage, Virtual Machines, administration, monitoring, management  Operations team need to monitor and manage different services and even need to perform fixes and other support activities Solution  Create Groups of Users and assign multiple roles which provides Data Actions and Actions at a specific scope  Create Groups and assign CUSTOM Roles which span across multiple services
  • 36. S5 Cloud Education What are Custom Roles and Why?  Sometimes Azure Built-in roles does not serve the specific needs of your organization. Create custom roles to address the specific requirement  Custom Roles are user define roles with specific Actions, Data Actions, NotActions and Not Data Actions at a defined scope  Custom roles can be shared between subscriptions that trust the same Azure AD directory  Custom Roles can be created using Azure Powershell, Azure Portal, Azure CLI or Rest API It is easy to clone a role and edit the JSON document and assign permissions
  • 37. S5 Cloud Education Custom Roles created to fulfil Sara azure RBAC requirements S5RetailAppDeveloper Subscription Retail Storage VM MySQL ELB Disk Disk Logs S5PharmaAppDeveloper S5EntLogViewer S5RetailStorageContributor S5EntDataAdmin S5EntSecretsManager S5RetailAppLogViewer S5PharmalStorageContributor Data
  • 38. S5 Cloud Education Sara pointed one concern about subscription and Active Directory I understand that multiple subscriptions can be assigned to an Active Directory Tenant. • What happens when one subscription is moved from Active Directory Tenant 1 to Active Directory Tenant 2. • She raised the concern if there may be a need to separate one of the subscriptions under a new domain Azure Active Directory Tenant 1 Subscription 1 Azure Active Directory Tenant 2 Subscription 1 Impacted RBAC Services Role Assignments Custom Roles  Roles Assignments are permanently deleted  Map Security Principals to corresponding objects in new AD Tenant  Recreate Role Assignments  Custom Roles are permanently deleted  Recreate custom roles and role assignments
  • 39. S5 Cloud Education Sara has concerns on tracking changes in Azure RBAC To track changes with respect to auditing, especially  Create role assignment  Delete role assignment  Create or update custom role definition  Delete custom role definition Activity Log logs all the activities to support auditing and troubleshooting purposes  Changes in role assignments, custom role definitions and activities are tracked  Hosts the log data for 90 days
  • 40. S5 Cloud Education Let us Check our Understanding

Editor's Notes

  • #4: Sara, a young entrepreneur running “S5 Enterprise”. Sara is planning to launch 2 business applications “S5 Retail” and “S5 Pharma” partnering with SaanV and Gita respectively. With the cloud revolution in place, Sara is planning to host applications on Azure. Sara hired different professionals to support her in building applications to support her Sara believes in understanding things before she applies. Besides Sara had gone through fundamentals of Azure before she decided to launch application. Sara understand that users need to be given least privilege to perform their functions. She wants to implement Best practices while building their solution on Azure. Sara converses with Srikanth Kappagantula, an Azure Administrator to understand Azure specifics in terms of Accounts, Subscriptions, and Tenants while setting up Azure Account
  • #5: The Team includes Business Partners SaanV, Partner “S5 Retail” Gita, , Partner “S5 Pharma” Internal Team Srikanth Kappagantula, Azure Administrator Srini, User Admin Shaila, Accounting Nara, Administrator JC, User Access Administrator Lucky, Internal Auditor External Teams Sailesh, External Auditor Development Team, Development Partners Operations Team, Managed Services Partners
  • #6: Role is collection of permissions on objects in a namespace. Generally a Role has a unique name and a description with collection of permissions. Roles are assigned to Security Principals (Users, Groups, Service Principals, and Managed Identities) allowing them to perform the operations such as read, write, and delete on objects in a namespace. Every security principal is allocated to ROLES with LEAST PREVILEGE which allows them to perform or not perform certain Actions. Besides, LEAST PREVILEGE defines ability to perform/not perform specific Actions at mentioned SCOPE. Not More Not Less
  • #7: Scope is the set of resources that the access applies to and when a role is assigned, we can further limit the actions allowed by defining a scope. To understand scope, let us define some common terms we use across the solution. Azure Account A Global Unique Entity Can be an Individual Account or an Organization Account Account contains multiple subscriptions & active directory tenants Organization is Business Entity and identified by one/more public DNS domain names Azure Active Directory Tenant Representation of an organization Unique instance of Azure Active Directory Tenant has its own identities, and app registrations Azure Active Directory Tenant can have more than 1 subscription Management Groups Management groups are containers to manage access, policy, and compliance for multiple subscriptions Subscriptions in a management group automatically inherit the conditions Subscription Agreement with Microsoft to use Microsoft cloud platforms or services Billing Relationship between Party and Azure Can host resource groups (resource containers) & Resources 1 Subscription can be allocated to only 1 Active Directory Tenant Resource Group Resource Group is logical container for Resources Subscription can have 1 or more resource groups 1 Resource Group can be allocated only to one subscription Resource Group stores its metadata in a location Resource Resources are instances of azure services for e.g. virtual machines, storage, or SQL databases A Resource can be assigned to only one resource group Location of a resource can be different from location of a resource group Roles are defined at a pre-defined scope or roles will be allocated at a specific scope
  • #8: Each Account can have 1 or more Azure Active Directory Tenant and subscriptions Each Azure Active Directory Tenant can be linked to more than 1 subscription while converse is not true Every Organization can have multiple Management Groups Every Management Group can have more than 1 subscription Every subscription can have more than 1 resource group Every resource group can have more than 1 resource
  • #9: Types of Roles in Azure There are 3 types of roles in Azure that can be assigned at a scope Classic Subscription Administrator roles Classic Subscription roles are applied at Azure account level. These roles deal with management of Account and configuration of their Active Directory Tenant(s) and Subscription(s). Mostly these roles are managed by user/organization who creates the account. They nominate other users to manage the account to handle specific functions. These roles comes with unlimited access. Be very cautious when you assign this role to a user These roles are built and only managed by Microsoft. We can create custom role(s) at this level. Azure Active Directory Tenant roles Azure Active Directory Tenant roles as name suggests, are related to Azure Active Directory Tenant. These roles have full/unlimited access to AD objects and properties tagged to role identified. Mostly 2-3 roles are mostly used if we are dealing only with Azure. In case, we are even opting for Microsoft 365, then more number of roles need to be used to manage functions. At Active Directory Tenant level, you can create custom roles that span across multiple objects. Only Active Directory P1 and Active Directory P2 supports creating custom roles Azure roles These roles are based on Role based access control (RBAC). These can be applied to Management Group(s) -> Subscription(s) -> Resource Group(s) -> Resource(s). The roles exhibit inheritance in relation to scope and when applied at a scope, the role access automatically applies the same to child scope. The role at a scope carries additive nature to child scope(s). Custom roles can be created to address specific needs at this level
  • #11: Classic subscription administrators have full access to the Azure subscription Service Administrator & Co-Administrator roles are assigned to the Account who signup Subscription with Azure Service Administrator & Co-Administrator roles are equivalent to Azure Role “Owner” at Subscription scope
  • #29: Role/Role definition is collection of permissions on objects in a namespace. Generally a Role has a unique name and a description with collection of permissions. A role definition are assigned to Security Principals (Users, Groups, Service Principals, and Managed Identities) allowing them to perform the operations such as read, write, and delete on objects in a namespace. Every security principal is allocated to ROLES with LEAST PREVILEGE which allows them to perform or not perform certain Actions. Besides, LEAST PREVILEGE defines ability to perform/not perform specific Actions at mentioned SCOPE. Not More Not Less