Azure AD: RBAC
Akshay Kalra
DevSecOps Engineer | SRE | Automation | Azure | AWS | Kubernetes | Kafka | IAC | Java
In this article, we will take a deep dive into one of the most essential aspects of Azure AD: Role-Based Access Control
Understanding RBAC
Azure AD offers two types of role definitions: built-in roles and custom roles. Built-in roles are pre-defined roles that have a predetermined set of permissions and cannot be modified. Examples of built-in roles in Azure AD include “Global Administrator,” which has full access to all Azure AD resources and settings, and “User Administrator,” which focuses on user management tasks such as password resets and user creation. These built-in roles provide a convenient starting point for access management. On the other hand, organizations can tailor their access requirements by creating custom roles to meet specific and intricate needs. Assigning permissions using custom Azure AD roles involves a two-step process: creating a custom role definition and then assigning it through a role assignment. This flexibility allows organizations to precisely configure access controls within their Azure AD environment.
A custom role definition is a collection of permissions selected from a predefined list. These permissions align with the permissions used in the built-in roles. Once you have defined your custom role, or even if you choose to use a built-in role, you can assign it to a user by creating a role assignment. A role assignment grants the user the permissions specified in the role definition, within a defined scope.
The two-step process of custom role creation and role assignment offers flexibility. It enables the use of a single role definition across various scopes. A scope determines the set of Azure AD resources accessible to the role member. The most common scope is organization-wide, where the custom role permissions are applicable to all resources within the organization. Additionally, a custom role can be assigned at an object scope, such as a specific application. This means that the same role can be assigned to one user for all applications in the organization, while another user may have the role with a scope limited to only a particular app.
By leveraging built-in roles and custom roles within Azure AD, organizations can effectively manage access permissions based on their specific requirements, granting users appropriate privileges within defined scopes.
The principle of least privilege
In addition to RBAC, Azure AD offers an advanced access management feature called Privileged Identity Management
Understanding PIM
PIM is a premium feature that comes with Azure AD Premium P2. It provides organizations with enhanced control over privileged access by enabling just-in-time access to administrators. This feature allows users to obtain temporary access to privileged roles
PIM offers several benefits for access management. First, it allows organizations to implement the principle of least privilege more effectively by granting temporary access only when necessary. This minimizes the exposure of privileged roles and reduces the potential impact of security breaches. Second, PIM provides detailed reporting and auditing
With PIM, users can become eligible members of an Azure AD role and activate that role for a limited time when required. Once the predefined timeframe expires, privileged access is automatically revoked. This just-in-time activation process ensures that privileged access is only granted when needed, reducing the attack surface and enhancing overall security.
PIM allows organizations to configure approval workflows for role assignments, ensuring that access to highly privileged roles is properly authorized. This adds an additional layer of control and oversight to the activation process. Furthermore, PIM can be configured to send notification emails when a role assignment is activated. These notifications serve as alerts, providing administrators with visibility and awareness of any changes in privileged access.
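The two-step process described above (a custom role definition, then a role assignment at either organization-wide or object scope) and the time-bound PIM activation are easiest to see side by side. The following Python model is an added example, not code from the article or from Microsoft: it mirrors the field names of the Microsoft Graph unifiedRoleDefinition and unifiedRoleAssignment objects (displayName, rolePermissions[].allowedResourceActions, principalId, roleDefinitionId, directoryScopeId) but evaluates everything offline. The role ID, principal names, application object IDs, permission strings used as sample data and timestamps are constructed, and the activation window stands in for a real PIM activation.

```python
"""Azure AD custom role + scoped role assignment + PIM-style time-bound activation.

Added example (not from the article). Field names follow the Microsoft Graph
unifiedRoleDefinition / unifiedRoleAssignment objects; all IDs, principals,
application object IDs and timestamps are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TENANT_SCOPE = "/"  # directoryScopeId of an organization-wide assignment


@dataclass(frozen=True)
class RoleDefinition:
    id: str
    display_name: str
    allowed_resource_actions: frozenset

    def to_graph(self) -> dict:
        """Step 1: the body that would be POSTed to /roleManagement/directory/roleDefinitions."""
        return {
            "displayName": self.display_name,
            "isEnabled": True,
            "rolePermissions": [
                {"allowedResourceActions": sorted(self.allowed_resource_actions)}
            ],
        }


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str
    role_definition_id: str
    directory_scope_id: str = TENANT_SCOPE
    # Both None: permanent assignment. Otherwise a time-bound (PIM-style) activation.
    active_from: Optional[datetime] = None
    active_until: Optional[datetime] = None

    def to_graph(self) -> dict:
        """Step 2: the body that would be POSTed to /roleManagement/directory/roleAssignments."""
        return {
            "principalId": self.principal_id,
            "roleDefinitionId": self.role_definition_id,
            "directoryScopeId": self.directory_scope_id,
        }

    def is_active(self, at: datetime) -> bool:
        if self.active_from is None:
            return True
        return self.active_from <= at < self.active_until

    def covers(self, object_id: str) -> bool:
        """'/' covers every object; '/<objectId>' covers exactly that one object."""
        return self.directory_scope_id in (TENANT_SCOPE, f"/{object_id}")


def activate(principal_id, role_definition_id, at, duration, directory_scope_id=TENANT_SCOPE):
    """Model a PIM activation: the role is held only inside [at, at + duration)."""
    return RoleAssignment(principal_id, role_definition_id, directory_scope_id, at, at + duration)


def is_permitted(definitions, assignments, principal_id, action, object_id, at) -> bool:
    """True if an active assignment of the principal covers object_id and its role allows action."""
    return any(
        a.principal_id == principal_id
        and a.is_active(at)
        and a.covers(object_id)
        and action in definitions[a.role_definition_id].allowed_resource_actions
        for a in assignments
    )


# ---- constructed sample data (placeholder IDs, not real tenant values) ----
ROTATE_CREDS = "microsoft.directory/applications/credentials/update"
RESET_PASSWORD = "microsoft.directory/users/password/update"
ROTATOR = RoleDefinition("role-app-credential-rotator", "App Credential Rotator",
                         frozenset({ROTATE_CREDS}))
DEFINITIONS = {ROTATOR.id: ROTATOR}
APP_PAYROLL = "app-payroll-objectid"
APP_HR = "app-hr-objectid"
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
T_MID = T0 + timedelta(minutes=30)   # inside carol's activation window
T_LATE = T0 + timedelta(hours=2)     # after it expired
ASSIGNMENTS = [
    RoleAssignment("alice", ROTATOR.id),                    # organization-wide, permanent
    RoleAssignment("bob", ROTATOR.id, f"/{APP_PAYROLL}"),   # same role, one application only
    activate("carol", ROTATOR.id, T0, timedelta(hours=1)),  # organization-wide, 1-hour JIT
]


def can(principal_id, action, object_id, at=T0) -> bool:
    return is_permitted(DEFINITIONS, ASSIGNMENTS, principal_id, action, object_id, at)


if __name__ == "__main__":
    print(ROTATOR.to_graph())
    for who, app, when in [("alice", APP_HR, T0), ("bob", APP_HR, T0), ("bob", APP_PAYROLL, T0),
                           ("carol", APP_HR, T_MID), ("carol", APP_HR, T_LATE)]:
        print(who, app, when.isoformat(), can(who, ROTATE_CREDS, app, when))
```

Bob holds exactly the same role definition as Alice, but his assignment's directoryScopeId limits it to one application object, so the payroll app is in reach and the HR app is not; Carol's access disappears on its own once the activation window passes, which is the "automatically revoked" behaviour the PIM section describes.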
Understanding scope
Scope refers to the specific set of resources to which access permissions apply. When assigning a role, consider the scope carefully so that the access granted matches what is actually necessary. Restricting the scope limits the resources exposed if a security principal is compromised: only the essential resources are reachable, which reduces the impact of a breach or of unauthorized access.
Scope level
Azure RBAC offers flexible access management by providing four distinct scope levels: management group, subscription, resource group, and resource. Each scope level allows you to assign roles and permissions to users, groups, or applications based on the desired level of granularity and control. These scope levels enable organizations to effectively manage access to Azure resources by defining access permissions at different hierarchical levels. Let’s explore each of these scope levels in more detail.
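To make the four scope levels concrete, the following Python model is an added example, not code from the article or from Microsoft. It builds scope IDs in the formats Azure Resource Manager uses for a management group, a subscription, a resource group and a resource, and walks from a resource up to the root management group to compute which role assignments apply there (Azure RBAC assignments inherit downward). The management-group tree, subscription IDs, principals and assignments are constructed sample data.

```python
"""Azure RBAC scope levels and downward inheritance of role assignments.

Added example (not from the article). Scope ID formats are the ones Azure
Resource Manager uses; the hierarchy and assignments are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"


def management_group_scope(mg: str) -> str:
    return MG_PREFIX + mg


def subscription_scope(sub: str) -> str:
    return f"/subscriptions/{sub}"


def resource_group_scope(sub: str, rg: str) -> str:
    return f"{subscription_scope(sub)}/resourceGroups/{rg}"


def resource_scope(sub: str, rg: str, provider: str, res_type: str, name: str) -> str:
    return f"{resource_group_scope(sub, rg)}/providers/{provider}/{res_type}/{name}"


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str


@dataclass
class Hierarchy:
    subscription_parent: Dict[str, str]                # subscription id -> management group
    management_group_parent: Dict[str, Optional[str]]  # mg -> parent mg, None at the root

    def ancestors(self, scope: str) -> List[str]:
        """The scope itself followed by every enclosing scope, nearest first."""
        parts = scope.strip("/").split("/")
        chain = [scope]
        if parts[0].lower() == "subscriptions":
            sub = parts[1]
            # resource -> resource group -> subscription, by trimming the path
            if len(parts) > 4 and parts[2].lower() == "resourcegroups":
                chain.append(resource_group_scope(sub, parts[3]))
            if len(parts) > 2:
                chain.append(subscription_scope(sub))
            mg = self.subscription_parent.get(sub)
            if mg is None:
                return chain
            chain.append(management_group_scope(mg))
        else:
            mg = parts[-1]  # already a management group scope
        while (parent := self.management_group_parent.get(mg)) is not None:
            chain.append(management_group_scope(parent))
            mg = parent
        return chain


def effective_roles(assignments, principal, scope, hierarchy) -> Set[str]:
    """Roles the principal holds at `scope`: direct assignments plus inherited ones."""
    covering = {s.lower() for s in hierarchy.ancestors(scope)}  # scope IDs are case-insensitive
    return {a.role for a in assignments
            if a.principal == principal and a.scope.lower() in covering}


# ---- constructed sample data ----
HIERARCHY = Hierarchy(
    subscription_parent={"sub-prod-1111": "prod", "sub-dev-2222": "nonprod"},
    management_group_parent={"corp": None, "prod": "corp", "nonprod": "corp"},
)
LOGS_ACCOUNT = resource_scope("sub-prod-1111", "rg-logs",
                              "Microsoft.Storage", "storageAccounts", "stprodlogs")
ASSIGNMENTS = [
    Assignment("alice", "Reader", management_group_scope("corp")),   # widest scope
    Assignment("bob", "Contributor", subscription_scope("sub-prod-1111")),
    Assignment("carol", "Storage Blob Data Reader", LOGS_ACCOUNT),   # narrowest scope
]


def roles_at(principal: str, scope: str) -> Set[str]:
    return effective_roles(ASSIGNMENTS, principal, scope, HIERARCHY)


if __name__ == "__main__":
    for s in HIERARCHY.ancestors(LOGS_ACCOUNT):
        print(s)
    for who in ("alice", "bob", "carol"):
        print(who, roles_at(who, LOGS_ACCOUNT), roles_at(who, subscription_scope("sub-dev-2222")))
```

Alice's Reader assignment at the root management group reaches every subscription beneath it, Bob's Contributor assignment stops at the production subscription, and Carol's data-plane role exists only on the one storage account; choosing the narrowest level that still covers the work is the practical form of the least-privilege advice above.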
Role assignment options
In Azure AD, there are multiple ways to assign roles to users based on your access requirements. The default method is to assign roles directly to individual users. Both built-in and custom Azure AD roles can be assigned to users, providing the necessary permissions for their designated responsibilities.
On top of the different options for role assignment, there are also multiple ways to assign roles and scopes in Azure RBAC, providing flexibility to suit different needs. The Azure portal offers a user-friendly interface: navigate to the desired resource and assign roles or scopes to users, groups, or applications. This graphical interface simplifies the management of access permissions. Additionally, Azure PowerShell and Azure CLI (Command-Line Interface) provide command-line tools that enable automation and scripting for role assignments. With PowerShell cmdlets or CLI commands, you can assign roles and scopes programmatically, which makes the process more streamlined and repeatable. Lastly, the Microsoft Graph API provides a RESTful interface that allows developers to integrate RBAC role assignment functionality into their custom applications and workflows, giving programmatic control and customization over the role assignment process. Whether using the Azure portal, PowerShell, CLI, or the Microsoft Graph API, these methods provide flexibility in assigning roles and scopes based on individual preferences and automation requirements.