Course: Microsoft Security Essentials: Concepts, Solutions, and AI-Powered Protection

Microsoft Entra roles and role-based access control (RBAC) - Microsoft Security Copilot tutorial

Microsoft Entra roles and role-based access control (RBAC)

- [Instructor] Microsoft Entra uses roles and role-based access control, RBAC, to manage resource access. Before we look at them, let's revisit the concept of authorization. What is authorization? There are users and there are resources. The users want to access the resources. Authorization is the process of access control. There are different ways to implement access control. A popular method is role-based access control, or RBAC. To do that, you first need to define a role. A role is a collection of permissions. For example, in Microsoft Entra, the global administrator role can manage all aspects of Microsoft Entra ID and the Microsoft services that use Microsoft Entra ID. The global reader role can read everything that a global administrator can, but can't make any changes. Based on the role assignments, the access control will grant or deny the requested actions on the resources.

Now let's look at Microsoft Entra role-based access control. It has four components: security principal, role, scope, and role assignment. A security principal can be a user, group, or service principal. A role represents a set of permissions, such as user admin, application developer, or security admin. A scope defines the affected resources, such as the directory, devices, or applications, and a role assignment brings everything together. It assigns the role to the security principal for accessing the specified scope of resources.

Microsoft Entra has two types of roles: built-in roles, which have a fixed set of permissions, such as global administrator, user administrator, and billing administrator. You can also create custom roles by selecting permissions according to your specific needs.

Microsoft Entra roles can manage access to various Microsoft 365 services such as Microsoft Entra ID, Microsoft Defender, Exchange, Intune, and Teams. We can categorize Microsoft Entra roles based on the services they cover. Microsoft Entra-specific roles: these include roles like user admin, groups admin, or application admin, which manage Microsoft Entra resources only. Service-specific roles: these include roles like Exchange admin, Intune admin, or Teams admin, which are focused on managing specific Microsoft 365 services. And cross-service roles: these include roles like global admin, security admin, or compliance admin, which have permissions across multiple services.

While the concept of role-based access control is the same, there are different implementations of RBAC. For example, Microsoft Entra RBAC, which we discussed, controls access to Microsoft Entra resources. Azure RBAC manages access to resources on the Microsoft Azure cloud, such as virtual machines, databases, or storage.

Now let's look at roles in the Microsoft Entra admin center. There are many built-in roles, like application administrator, application developer, billing administrator, and more. Select a role, for example, application developer. You can view the current role assignments and check the role description to see the summary and the role permissions. You can also create a new custom role. Enter a role name, and add permissions for this custom role.
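The same four components (security principal, role, scope, role assignment) and the custom-role workflow described above, done from the command line instead of the admin center. This is an added example using the Microsoft Graph PowerShell SDK; it is not code from the course. It assumes the Microsoft.Graph module is installed and that you sign in with an account allowed to manage roles. The role name, group name, application name, and the choice of scope (the object ID of a single app registration, written as "/<object id>", which narrows an application-related custom role to one app) are placeholders for illustration.

```powershell
# Added example (not from the course): inspect a built-in role, create a
# least-privilege custom role, and assign it to a group at a narrow scope.
# Names and IDs below are placeholders; replace them for your tenant.

# Sign in with the delegated permissions needed to read apps/groups and
# manage role definitions and assignments.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.Read.All", "Application.Read.All"

# 1. Role (built-in): list the permissions behind "Application Developer",
#    the same information the admin center shows under "Role permissions".
$builtIn = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Application Developer'"
$builtIn.RolePermissions | ForEach-Object { $_.AllowedResourceActions }

# 2. Role (custom): pick only the resource actions the job needs. Here the
#    role can update basic properties and rotate credentials of app
#    registrations, but cannot create or delete them.
$roleBody = @{
    displayName     = "App Credential Rotator"      # placeholder role name
    description     = "Can update basic properties and credentials of app registrations."
    isEnabled       = $true
    rolePermissions = @(
        @{
            allowedResourceActions = @(
                "microsoft.directory/applications/basic/update",
                "microsoft.directory/applications/credentials/update"
            )
        }
    )
}
$customRole = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $roleBody

# 3. Security principal: a group, so that day-to-day changes happen in group
#    membership rather than in role assignments. (A user or service principal
#    object ID works the same way in the assignment below.)
$group = Get-MgGroup -Filter "displayName eq 'SG-App-Credential-Rotators'"   # placeholder group

# 4. Scope: "/" means the whole directory. For an app-registration custom role,
#    the object ID of one app registration (assumed here) limits the assignment
#    to that single application.
$app   = Get-MgApplication -Filter "displayName eq 'Payroll API'"           # placeholder app
$scope = "/$($app.Id)"   # use "/" instead for tenant-wide scope

# 5. Role assignment: binds principal + role + scope.
$assignBody = @{
    "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
    roleDefinitionId = $customRole.Id
    principalId      = $group.Id
    directoryScopeId = $scope
}
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $assignBody

# Verify what the group now holds and at which scope; a "/" here would mean
# the role applies across the whole directory rather than one application.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

Step 1 is worth running before step 2: comparing the built-in role's AllowedResourceActions with the two actions in the custom role shows exactly what you are leaving out, which is the point of a custom role. The verification query at the end is also the quickest way to audit an existing principal for over-broad assignments: anything assigned at directoryScopeId "/" applies to the entire directory.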