Authentication & Access
Authentication
Conditional access policies
- Along with MFA, require that additional conditions are met before access is granted, for example:
- Block sign-ins from suspicious IP addresses or locations
- Deny access from devices without malware protection (a device-compliance condition)
- Azure Active Directory conditional access policies support conditions based on group membership, sign-in location, and device state, combined with grant controls such as requiring MFA or a compliant device
Azure Application Proxy (for legacy apps)
- Composed of two components:
- A connector agent installed on a Windows server inside the corporate network; it only makes outbound connections to the Application Proxy service, so no inbound firewall ports need to be opened
- An external endpoint (public URL) published by the service
- When a user navigates to the endpoint they authenticate with Azure AD first (so MFA and conditional access apply), and the request is then routed to the on-premises application through the connector agent
Azure AD Privileged Identity Management (PIM)
- Additional paid-for offering (Azure AD Premium P2) that provides oversight of role assignments, self-service and just-in-time (JIT) role activation, and access reviews for both Azure AD roles and Azure resource roles
- With PIM you can manage, control, and monitor access to important resources in your organization
- Organizations can give users JIT privileged access to Azure resources and Azure AD instead of standing assignments; activation can be gated on MFA, a justification, and approval, and every activation is logged
RBAC
- Access management is scoped to the Azure Resource Manager hierarchy (management group, subscription, resource group, resource), not only to the subscription
- Identities are mapped to roles directly or through group membership
- Roles can be granted at the individual service instance (resource) level, but assignments also flow down the Azure Resource Manager hierarchy
- Roles assigned at a higher scope, such as an entire subscription, are inherited by child scopes, such as resource groups and individual service instances
(Diagram: how the classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles relate at a high level)
- The access granted by a role, its effective permissions, is computed by subtracting the NotActions operations from the Actions operations (and NotDataActions from DataActions for data-plane operations)
- NotActions only narrow the role they belong to; they are not a deny and do not remove permissions granted to the same principal by another role assignment
- Restrictions:
- A subscription is associated with only one Azure AD tenant
- A resource group is associated with only one subscription
- A resource can be bound to only one resource group
Components
Security principal (who)
- User, group, service principal, or managed identity
Role definition (what)
- A collection of permissions (Actions, NotActions, DataActions, NotDataActions). Built-in roles:
- Owner: has full access to all resources, including the right to delegate access to others
- Contributor: can create and manage all types of Azure resources, but can't grant access to others
- Reader: can view existing Azure resources
- User Access Administrator: lets you manage user access to Azure resources (and can therefore assign any role, including Owner, at its scope)
Scope (where)
- Where the access applies
- Scope can be specified at multiple levels: management group, subscription, resource group, or resource
- Structured in a parent-child relationship: when you grant access at a parent scope, those permissions are inherited by the child scopes
Role assignment
- A role assignment binds a role definition to a security principal at a particular scope, for the purpose of granting access
- To grant access, you create a role assignment; to revoke access, you remove the role assignment
- For a custom role, the scopes at which it may be assigned are listed in the role definition under AssignableScopes
Custom Roles
- Permissions needed to manage custom roles
- To manage custom roles, you need to be assigned a role whose Actions include the operations below at every scope listed in the custom role's AssignableScopes (Owner and User Access Administrator qualify; Contributor does not, because its NotActions exclude Microsoft.Authorization/*/Write)
Task: Action (Description)
- Create/Delete: Microsoft.Authorization/roleDefinitions/write (users can create or delete custom roles for use in scopes)
- Update: Microsoft.Authorization/roleDefinitions/write (users can update custom roles in scopes)
- View: Microsoft.Authorization/roleDefinitions/read (users can view the custom roles available for assignment at a scope; all built-in roles include this read permission, so custom roles are visible for assignment)
Role Structure
{
"Name": "",
"IsCustom": true,
"Description": "",
"Actions": [],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{subscriptionId1}"
]
}
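The rules in the RBAC section above (effective permissions as Actions minus NotActions, inheritance down the scope hierarchy), the AssignableScopes field of the role structure, and the custom-role permissions table are easy to get wrong when reasoning about who can do what, so here is a small evaluator that applies them. This is an added example for these notes, not Microsoft code and not Azure's real authorization engine; the subscription IDs, principal names and management-group layout are constructed, and the built-in role contents are simplified from the real definitions.

```python
"""Toy evaluator for the Azure RBAC rules in these notes (added illustration,
not Microsoft code).  Rules modelled: effective permissions = Actions minus
NotActions (wildcard '*', case-insensitive); assignments at a parent scope are
inherited down root "/" -> management group -> subscription -> resource group
-> resource; a custom role is only assignable inside its AssignableScopes.
IDs, principals and the management-group layout below are constructed."""
import re

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
MG_PARENT = {"mg-root": None, "mg-prod": "mg-root"}      # constructed hierarchy
SUB_TO_MG = {"11111111-1111-1111-1111-111111111111": "mg-prod"}
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
OTHER_SUB = "/subscriptions/22222222-2222-2222-2222-222222222222"  # in no MG
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm01"

def matches(pattern, operation):
    """Operation wildcard: '*' matches any run of characters, case-insensitively."""
    regex = "^" + ".*".join(map(re.escape, pattern.split("*"))) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def mg_name(scope):
    """Management-group name if `scope` is a management-group scope, else None."""
    m = re.match("^" + re.escape(MG_PREFIX) + r"([^/]+)$", scope, re.IGNORECASE)
    return m.group(1) if m else None

def scope_covers(assigned, target):
    """True when an assignment made at `assigned` is inherited by `target`."""
    if assigned == "/":                                   # root covers everything
        return True
    if mg_name(assigned):                                 # walk the MG chain upward
        sub = re.match(r"^/subscriptions/([^/]+)", target, re.IGNORECASE)
        node = mg_name(target) or (SUB_TO_MG.get(sub.group(1)) if sub else None)
        while node:
            if node.lower() == mg_name(assigned).lower():
                return True
            node = MG_PARENT.get(node)
        return False
    a, t = assigned.lower().rstrip("/"), target.lower()   # ARM scopes nest as path prefixes
    return t == a or t.startswith(a + "/")

ROLES = {  # simplified built-in roles plus one custom role in the structure shown above
    "Reader": {"Actions": ["*/read"], "NotActions": [], "AssignableScopes": ["/"]},
    "Contributor": {"Actions": ["*"], "AssignableScopes": ["/"],
                    "NotActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "User Access Administrator": {"Actions": ["*/read", "Microsoft.Authorization/*",
                                              "Microsoft.Support/*"],
                                  "NotActions": [], "AssignableScopes": ["/"]},
    "VM Operator": {"IsCustom": True, "NotActions": [], "AssignableScopes": [SUB],
                    "Actions": ["Microsoft.Compute/virtualMachines/read",
                                "Microsoft.Compute/virtualMachines/start/action",
                                "Microsoft.Compute/virtualMachines/restart/action"]},
}

def role_permits(role, operation):
    """Effective permissions of one role: Actions minus NotActions."""
    return (any(matches(p, operation) for p in role["Actions"])
            and not any(matches(p, operation) for p in role["NotActions"]))

def can_assign(role, scope):
    """A role may only be assigned at, or below, one of its AssignableScopes."""
    return any(scope_covers(s, scope) for s in role["AssignableScopes"])

def assign(assignments, principal, role_name, scope):
    if not can_assign(ROLES[role_name], scope):
        raise ValueError(f"{role_name!r} is not assignable at {scope}")
    assignments.append((principal, role_name, scope))

def is_allowed(assignments, principal, operation, scope):
    """Union over applicable assignments: a NotAction in one role never cancels
    what another role grants (NotActions subtract, they do not deny)."""
    return any(scope_covers(s, scope) and role_permits(ROLES[r], operation)
               for p, r, s in assignments if p == principal)

def demo():
    a = []
    assign(a, "alice", "Contributor", SUB)                    # flows down to RG and VM
    assign(a, "bob", "VM Operator", RG)                       # custom role at RG scope
    assign(a, "carol", "Reader", MG_PREFIX + "mg-prod")       # management-group scope
    assign(a, "ga-admin", "User Access Administrator", "/")   # result of 'elevate access'
    grant = "Microsoft.Authorization/roleAssignments/write"
    start = "Microsoft.Compute/virtualMachines/start/action"
    return {
        "alice_writes_vm": is_allowed(a, "alice", "Microsoft.Compute/virtualMachines/write", VM),
        "alice_grants_access": is_allowed(a, "alice", grant, VM),   # removed by NotActions
        "alice_edits_custom_roles": is_allowed(a, "alice", "Microsoft.Authorization/roleDefinitions/write", SUB),
        "bob_starts_vm01": is_allowed(a, "bob", start, VM),
        "bob_starts_vm_in_other_rg": is_allowed(a, "bob", start, SUB + "/resourceGroups/rg-other/providers/Microsoft.Compute/virtualMachines/vm02"),
        "carol_reads_vm": is_allowed(a, "carol", "Microsoft.Compute/virtualMachines/read", VM),
        "carol_reads_other_sub": is_allowed(a, "carol", "Microsoft.Compute/virtualMachines/read", OTHER_SUB),
        "ga_grants_in_any_sub": is_allowed(a, "ga-admin", grant, OTHER_SUB),
        "vm_operator_assignable_in_other_sub": can_assign(ROLES["VM Operator"], OTHER_SUB),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:38} {result}")
```

Running it shows Contributor at the subscription flowing down to the VM while its NotActions strip role-assignment and role-definition writes (so a Contributor cannot create the custom role), the custom role stopping at its resource group, a management-group Reader reaching only subscriptions under that group, and the root-scope User Access Administrator (what Global Administrator elevation produces) reaching every subscription. A real custom role written in the JSON structure above is created with `az role definition create --role-definition @role.json` or `New-AzRoleDefinition -InputFile role.json`.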
Azure RBAC Roles vs Azure AD Roles
Azure RBAC roles
- Used to manage access to Azure resources
- Multiple scope levels (management group, subscription, resource group, resource)
Azure AD roles
- Used to manage access to Azure AD resources (user accounts, passwords, domains)
- Scoped at the tenant level only
- Examples:
- Global Administrator:
- Can manage access to administrative features in Azure AD
- A person in this role can grant administrator roles to other users and can reset the password of any user or administrator
- By default, whoever signs up for the directory is automatically assigned this role
- User Administrator: can manage all aspects of users and groups, including support tickets, monitoring service health, and resetting passwords for certain types of users
- Billing Administrator: can make purchases, manage subscriptions and support tickets, and monitor service health. Azure has detailed billing permissions in addition to RBAC permissions
Overlap
- An Azure AD Global Administrator can elevate their access to manage all Azure subscriptions and management groups in the tenant
- Elevation grants them the Azure RBAC User Access Administrator role at the root scope (/), which is inherited by every management group and subscription in the directory
- Through the User Access Administrator role, the Global Administrator can then give other users (or themselves) access to Azure resources
- Caveat: treat elevation as a break-glass action; it is recorded in the directory activity log as Microsoft.Authorization/elevateAccess/action, and the root-scope assignment should be removed once the task is done