Azure Role-Based Access Control, with a use case and an explanation of concepts such as Global Administrators, Role Assignments, Account Administrators, Azure Roles, and Custom Roles for both Azure AD and Azure Subscriptions
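The following Python is an added worked example, not code from the deck summarised on this page. It models the two rules a practitioner has to keep straight when designing role assignments and custom roles: a role grants an operation only when the operation matches a pattern in its Actions and matches nothing in its NotActions, and a principal's effective permissions are the union over every role assignment whose scope contains the target resource. NotActions therefore only narrows the role it sits in; it is not a deny rule and cannot cancel a grant coming from a second assignment. The same holds for Azure AD administrators: a Global Administrator has no Azure resource permissions until access is elevated to User Access Administrator at the root scope. The role-definition keys follow the JSON accepted by `az role definition create`; the built-in roles are abbreviated, and the subscription ID, principal IDs and resource names are constructed placeholders.

```python
"""Azure RBAC evaluation and custom-role lint over constructed data (added example)."""
import re

# Constructed scopes: a subscription, two resource groups, one VM in each.
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG_PROD = SUB + "/resourceGroups/rg-prod"
RG_DEV = SUB + "/resourceGroups/rg-dev"
VM_PROD = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm-prod-01"
VM_DEV = RG_DEV + "/providers/Microsoft.Compute/virtualMachines/vm-dev-01"

ROLES = {
    "Owner": {"IsCustom": False, "Actions": ["*"], "NotActions": []},
    "Reader": {"IsCustom": False, "Actions": ["*/read"], "NotActions": []},
    # Contributor: everything except managing access (NotActions abbreviated).
    "Contributor": {
        "IsCustom": False, "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
    # Least-privilege custom role: enumerate the operations, never '*'.
    "VM Operator": {
        "IsCustom": True,
        "Actions": ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/restart/action",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "NotActions": [], "AssignableScopes": [RG_PROD],
    },
    # Over-broad custom role: the Authorization wildcard lets the holder assign
    # themselves Owner, so restricting the rest to Storage is meaningless.
    "Storage Admin (bad)": {
        "IsCustom": True,
        "Actions": ["Microsoft.Storage/*", "Microsoft.Authorization/*"],
        "NotActions": [], "AssignableScopes": [SUB],
    },
}

# Trimmed shape of `az role assignment list` output; principal IDs are constructed.
ASSIGNMENTS = [
    {"principalId": "ops-user", "roleDefinitionName": "VM Operator", "scope": RG_PROD},
    {"principalId": "ops-user", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalId": "dev-user", "roleDefinitionName": "Contributor", "scope": RG_DEV},
]

ESCALATION_OPS = (
    "Microsoft.Authorization/roleAssignments/write",  # grant yourself Owner
    "Microsoft.Authorization/roleDefinitions/write",  # widen your own role
)


def matches(pattern: str, operation: str) -> bool:
    """Operation strings are case-insensitive and '*' spans '/' segments."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_permits(role: dict, operation: str) -> bool:
    """Granted by Actions and not carved out by NotActions, within one role."""
    granted = any(matches(p, operation) for p in role.get("Actions", []))
    excluded = any(matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded


def scope_contains(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies to its scope and to every child resource of it."""
    parent = assignment_scope.rstrip("/").lower()
    child = resource_id.rstrip("/").lower()
    return child == parent or child.startswith(parent + "/")


def is_permitted(principal_id, operation, resource_id, assignments=ASSIGNMENTS, roles=ROLES):
    """Union over assignments: one permitting role anywhere up the scope chain wins."""
    return any(
        a["principalId"] == principal_id
        and scope_contains(a["scope"], resource_id)
        and role_permits(roles[a["roleDefinitionName"]], operation)
        for a in assignments
    )


def lint_custom_role(role: dict) -> list:
    """Findings a reviewer should block before the custom role is created."""
    findings = []
    if any(p.strip() == "*" for p in role.get("Actions", [])):
        findings.append("Actions contains '*': grants every control-plane operation")
    for op in ESCALATION_OPS:
        if role_permits(role, op):
            findings.append(f"permits {op}: holder can escalate to Owner")
    if not role.get("AssignableScopes"):
        findings.append("AssignableScopes is empty: list only the scopes that need the role")
    return findings


if __name__ == "__main__":
    start = "Microsoft.Compute/virtualMachines/start/action"
    print("ops-user may start prod VM:", is_permitted("ops-user", start, VM_PROD))
    print("ops-user may start dev VM: ", is_permitted("ops-user", start, VM_DEV))
    for name, role in ROLES.items():
        if role.get("IsCustom"):
            print(name, "->", lint_custom_role(role) or "ok")
```

Two things to check in a real tenant with this model in mind: run the lint over `az role definition list --custom-role-only true` output before approving a new definition, and remember that a Contributor's NotActions carve-out is silently undone the moment the same principal receives any other assignment that grants `Microsoft.Authorization/roleAssignments/write`, which is why the assignment list, not the role definition, is the thing to review.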
This document provides an overview of Microsoft Azure security features, including:
- Shared responsibility model where Microsoft secures the platform and customers secure their data and applications
- Identity and access management, encryption of data at rest and in transit, network security controls, and logging/monitoring capabilities
- Security Center provides visibility into threats and advanced analytics to detect attacks
- Operations Management Suite allows collecting logs from Azure, on-premises, and other clouds to analyze security events
- Microsoft works with partners to provide additional virtual network appliances and security solutions to customers
- Azure provides a unified platform for modern business with compute, data, storage, networking and application services across global Azure regions and a consistent hybrid cloud.
- Azure focuses on security and privacy with an emphasis on detection, response, and protection across infrastructure, platforms and applications.
- Security is a shared responsibility between Microsoft and customers, with Microsoft providing security controls and capabilities to help protect customer data and applications.
Azure Active Directory (AAD) is a multi-tenant cloud-based identity and access management service. It provides features like multi-factor authentication, device registration, self-service password management, role-based access control, and application usage monitoring. AAD is better suited than on-premises Active Directory for managing users across multiple platforms and cloud applications/servers. It maintains a central directory for users and applications in Microsoft cloud services like Office 365. AAD supports two types of user accounts - Microsoft personal accounts for private use and work accounts managed by an AAD administrator for organizational access.
This document outlines an agenda for a presentation on Microsoft Azure in the enterprise. The agenda includes discussions of Microsoft's cloud strategy, an overview of Azure IaaS and PaaS offerings, Azure storage basics, Azure portals and APIs, Azure resource manager, Azure networking, security mechanisms, traffic management, cloud adoption methodology, Azure security center, and operational analytics. It also lists appendices on Azure stack, service fabric, DevOps, and how Azure is described by Gartner. The presentation aims to provide both a high-level overview and deeper dives into specific Azure services and capabilities.
This document discusses Azure networking features such as virtual networks, subnets, private and public IP addresses, load balancing, network security groups, routing, virtual network peering, and secure network designs. It provides an overview of these concepts with examples and considerations for using Azure networking components to design secure network architectures in Azure.
This document provides an overview of Mustafa Kara's background and expertise in datacenter transformation. It discusses his 10 years of experience in roles such as senior consultant, Azure MVP, technical manager, and technical trainer. It then outlines his work as a speaker and writer for Microsoft events, Virtual Academy, universities, and personal websites. The rest of the document discusses strategies for transforming the datacenter, including moving from on-premises physical servers and VMs to a hybrid cloud model using public cloud off-premises and cloud on-premises. It highlights tools like Azure Migrate and database migration services that can help analyze costs and migrate applications, VMs, and data.
The document provides an overview of the Windows Azure Platform. It describes the client, integration, and application layers that make up the platform. It also outlines the data services available, including storage, databases, computing resources, and networking capabilities. Finally, it discusses high availability and deployment options for ensuring reliability and uptime of applications and services built on the Azure platform.
Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It has performed over 1 trillion authentications since release and manages identity data for over 5 million organizations, including 86% of Fortune 500 companies that use Microsoft Cloud services. Azure AD provides single sign-on, multi-factor authentication, and application access management across devices and platforms.
This is Lesson 4 of the "Azure Governance - Free training" series.
This document presents Azure Policy in depth and lists the key items you should know when designing your Azure Policy model.
Finally, the document describes the methods and tools (GUI and CLI) you can use to create, manage and assign policies (policy definitions and initiative definitions) in your Azure environment.
Creating and using custom policies is also detailed in this document.
On-board services quickly, drive compliance against internal and external policies, and unlock developer agility with Azure's built-in governance services. Azure Policy will help you govern your Azure resources with simplicity, enforce policies and audit compliance, and monitor compliance continuously. Join Joseph Chan, principal group PM, who is behind all things Azure Policy.
This document provides an overview of a training module on Microsoft Azure Active Directory. The training will cover configuring access to SaaS applications, multi-factor authentication, premium features of Azure AD, and running Windows Server AD workloads in Azure Virtual Machines. It consists of 7 modules that introduce Azure, cover Azure Virtual Machines, networking, Azure AD, cloud services/websites, and SQL Server/SharePoint. The instructor is introduced as well.
The document discusses how IT is transforming to play a more strategic role through increased cloud adoption. This is driving the need to better organize and govern resources as well as modernize applications to improve ROI. It provides an overview of key Azure services for security, monitoring, automation, governance, and resiliency to securely manage hybrid cloud environments at scale.
This is Part 1 of the Azure Active Directory topic. In this session I introduce Azure AD and talk about what it is and how it differs from on-premises Active Directory Domain Services (AD DS). Further, in this session I provide demos on how to create Azure AD users from the Azure Portal, associate custom domains with the Azure AD tenant, and use the Azure AD PowerShell module. As a bonus, I also talk about and demo how to create an additional Azure AD directory within the subscription.
An Azure virtual network (VNet) provides connectivity and security for virtual machines and allows access to the public internet and other VMs. Network security groups contain rules that allow or deny network traffic, and Azure load balancers distribute incoming internet traffic across VMs. Availability sets distribute VMs across update and fault domains for redundancy and high availability. Virtual network gateways connect Azure VNets and on-premises networks, while Traffic Manager controls traffic distribution across endpoints in different datacenters.
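As an added worked example (not code from the presentation summarised above), the following Python evaluates a network security group's inbound rules the way Azure does: rules are processed by priority (100 to 4096, lowest number first), the first rule whose protocol, source, destination and ports all match decides the flow and evaluation stops, and if no custom rule matches the default rules apply (traffic from the virtual network and from the Azure load balancer is allowed, everything else inbound is denied). The rule set, VNet address space and sample flows are constructed; only the VirtualNetwork and AzureLoadBalancer service tags are modelled, and the rest of the tag catalogue is out of scope.

```python
"""First-match evaluation of Azure NSG inbound rules over constructed flows (added example)."""
import ipaddress

AZURE_LB = "168.63.129.16/32"      # platform address behind the AzureLoadBalancer tag
VNET_PREFIXES = ["10.0.0.0/16"]    # constructed VNet address space

# Azure's default inbound rules, which sit below every custom rule.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "source": "VirtualNetwork", "sourcePorts": "*", "destination": "VirtualNetwork", "destPorts": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow", "protocol": "*",
     "source": "AzureLoadBalancer", "sourcePorts": "*", "destination": "*", "destPorts": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "source": "*", "sourcePorts": "*", "destination": "*", "destPorts": "*"},
]

# Constructed custom rules: SSH only from a bastion subnet, web from anywhere.
CUSTOM_INBOUND = [
    {"name": "allow-ssh-from-bastion", "priority": 100, "access": "Allow", "protocol": "Tcp",
     "source": "10.0.1.0/24", "sourcePorts": "*", "destination": "*", "destPorts": "22"},
    {"name": "deny-ssh-everywhere-else", "priority": 200, "access": "Deny", "protocol": "Tcp",
     "source": "*", "sourcePorts": "*", "destination": "*", "destPorts": "22"},
    {"name": "allow-web", "priority": 300, "access": "Allow", "protocol": "Tcp",
     "source": "*", "sourcePorts": "*", "destination": "*", "destPorts": "80,443"},
]


def _addr_matches(field, ip, vnet):
    """'*', a service tag, or a comma-separated list of CIDRs / single addresses."""
    if field == "*":
        return True
    if field == "VirtualNetwork":
        nets = vnet
    elif field == "AzureLoadBalancer":
        nets = [AZURE_LB]
    else:
        nets = field.split(",")
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n.strip(), strict=False) for n in nets)


def _port_matches(field, port):
    """'*', a single port, a range 'lo-hi', or a comma-separated list of those."""
    if field == "*":
        return True
    for item in field.split(","):
        lo, _, hi = item.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _proto_matches(field, proto):
    return field == "*" or field.lower() == proto.lower()


def evaluate(rules, flow, vnet=VNET_PREFIXES):
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (_proto_matches(rule["protocol"], flow["protocol"])
                and _addr_matches(rule["source"], flow["src"], vnet)
                and _port_matches(rule["sourcePorts"], flow["sport"])
                and _addr_matches(rule["destination"], flow["dst"], vnet)
                and _port_matches(rule["destPorts"], flow["dport"])):
            return rule["access"], rule["name"]
    raise RuntimeError("DenyAllInBound should have matched")


if __name__ == "__main__":
    for src, dport in (("10.0.1.5", 22), ("203.0.113.7", 22), ("203.0.113.7", 443),
                       ("203.0.113.7", 3389), ("168.63.129.16", 22)):
        flow = {"protocol": "Tcp", "src": src, "sport": 51000, "dst": "10.0.5.10", "dport": dport}
        print(f"{src:>14} -> :{dport:<5} {evaluate(CUSTOM_INBOUND, flow)}")
```

The last sample flow is the one worth noticing: a load-balancer health probe to port 22 is denied by the custom rule at priority 200, because that rule outranks the default AllowAzureLoadBalancerInBound at 65001. A broad deny that is meant to override the defaults must either exclude the AzureLoadBalancer tag or sit behind an explicit allow for it. Also remember that Azure evaluates a subnet-level NSG and a NIC-level NSG separately for the same flow, and inbound traffic must be allowed by both.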
The document provides information about Azure fundamentals and cloud computing concepts. It includes:
- A summary of an Azure fundamentals learning path on Microsoft Learn.
- Descriptions of cloud computing concepts like cloud deployment models (public, private, hybrid cloud), types of cloud services (IaaS, PaaS, SaaS), and compute approaches (containers, serverless computing).
- Details about Azure services across different categories like networking, compute, databases, and more.
Here's where Microsoft has invested across these areas: identity and access management, apps and data security, network security, threat protection, and security management.
We've put a tremendous amount of investment into these areas, and it shows up across a broad array of product areas and features.
Our Identity and Access Management tools enable you to take an identity-based approach to security and establish truly conditional access policies.
Our App and Data Security tools help you protect your apps and your data as it moves around, both inside and outside your organization.
Azure includes a robust networking infrastructure with built-in security controls for your application and service connectivity.
Our Threat Protection capabilities are built in and fully integrated, so you can strengthen both pre-breach protection, with deep capabilities across e-mail, collaboration services and endpoints, including hardware-based protection, and post-breach detection, which includes memory- and kernel-based protection and automated response.
And our Security Management tools give you the visibility and, more importantly, the guidance to manage policy centrally.
This document provides an overview of Microsoft Azure training content including Azure Fundamentals, Storage, Webapps, Cloud Services, Virtual Machines, Media Services, and Active Directory. It describes key cloud computing concepts like IAAS, PAAS, and SAAS and compares traditional computing to cloud computing. It also summarizes several Azure services like Webapps, Storage, Cloud Services, Virtual Machines, Media Services, Azure Search, and Active Directory.
The document discusses various Azure networking services including Azure Load Balancer, Application Gateway, Traffic Manager, and Azure DNS. It provides an overview of each service, how they work, their key components and capabilities. It also includes some example questions to test understanding. The session agenda is to demo creating and configuring instances of each of these Azure services.
Azure Active Directory | Microsoft Azure Tutorial for Beginners | Azure 70-53... (Edureka!)
** Microsoft Azure Certification Training: https://www.edureka.co/microsoft-azure-training**
This Edureka "Azure Active Directory” tutorial will give you a thorough and insightful overview of Microsoft Azure Active Directory and help you understand other related terms like Tenants, Domain services etc. Following are the offerings of this tutorial:
1. What is Azure Active Directory?
2. Azure AD vs Windows AD
3. Azure AD Audience
4. Azure AD Editions
5. Azure AD Tenants
6. Demo-Creating and using Active Directory
Check out our Playlists: https://goo.gl/A1CJjM
This is Lesson 3 of the "Azure Governance - Free training" series.
This document presents Azure Tags in depth and lists the key items you should know when designing your Azure tagging model.
Finally, the document describes the methods and tools (GUI and CLI) you can use to create and apply Azure Tags in your Azure environment.
This document provides an overview of Azure Active Directory and its capabilities for identity and access management. It discusses key use cases such as providing secure access to applications, protecting access to resources from threats, automating user lifecycle management, and complying with regulations. It describes Azure AD features for conditional access, multi-factor authentication, application management, user provisioning, privileged identity management, and more. The document also compares Azure AD and Azure AD B2C and their suitability for business and consumer-facing applications respectively.
Protect your business with a universal identity platform
The Azure Active Directory (Azure AD) enterprise identity service provides single sign-on and multi-factor authentication to help protect your users from 99.9 percent of cybersecurity attacks.
Gartner named Microsoft a leader in Magic Quadrant 2020 for Access Management
Single sign-on simplifies access to your apps from anywhere
Conditional Access and multi-factor authentication help protect and govern access
A single identity platform lets you engage with internal and external users more securely
Developer tools make it easy to integrate identity into your apps and services
Connect your workforce
Whether people are on-site or remote, give them seamless access to all their apps so they can stay productive from anywhere. Automate workflows for user lifecycle and provisioning. Save time and resources with self-service management.
Choose from thousands of SaaS apps
Simplify single sign-on. Azure AD supports thousands of pre-integrated software as a service (SaaS) applications.
Protect and govern access
Safeguard user credentials by enforcing strong authentication and conditional access policies. Efficiently manage your identities by ensuring that the right people have the right access to the right resources.
Engage with your customers and partners
Secure and manage customers and partners beyond your organizational boundaries, with one identity solution. Customize user journeys and simplify authentication with social identity and more.
Integrate identity into your apps
Accelerate adoption of your application in the enterprise by supporting single sign-on and user provisioning. Reduce sign-in friction and automate the creation, removal, and maintenance of user accounts.
Identity and Access Management from Microsoft and Razor Technology, by David J Rosenthal
Azure Active Directory provides identity and access management capabilities that enable enterprises to securely manage access to thousands of cloud, mobile, and on-premises applications using a single identity for each user. The document discusses features of Azure Active Directory including single sign-on, user lifecycle management, integration with on-premises directories, security capabilities like multifactor authentication and conditional access, and tools for IT administration and end user self-service. Case studies are presented that highlight how various large companies leverage Azure Active Directory.
David J. Rosenthal gave a presentation about Microsoft's Azure cloud platform. He discussed how Azure can help companies with digital transformation by engaging customers, empowering employees, and optimizing operations. He provided examples of how companies are using Azure services like AI, IoT, analytics and more to modernize applications, gain insights from data, and improve productivity. Rosenthal emphasized that Azure offers a secure, flexible cloud platform that businesses can use to innovate, grow and transform both today and in the future.
Microsoft Azure Training - [3] Azure Accounts, Subscriptions and Admin Roles ..., by Shawn Ismail
In this session I go over what Azure accounts and subscriptions are. Further details are provided about the various admin roles in Microsoft Azure, both at account and subscription level. This session ends with a demo of everything discussed in this session and signing up for a trial Azure subscription. Please subscribe to the channel to stay updated about the training. Also please comment on the training videos. Thank you!
http://www.cloudranger.net
YouTube: https://www.youtube.com/c/CloudrangerNetwork
Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019, by Marius Zaharia
Today's complex enterprise environments involve the existence of multiple identity structures, especially in the case of cloud resource management. The management and governance of Azure Active Directory tenants, cloud & federated identities, and authorizations and roles on Azure subscriptions and resources, is the purpose of this session.
Azure subscription management with EA and CSP, by Daichi Isami
This document discusses Azure subscription management for Enterprise Agreements (EA) and Cloud Solution Provider (CSP) programs. It provides an overview of EA and CSP models, how to collaborate between the two, and best practices for subscription structure. Key points covered include using the correct EA or CSP contract, finding administrators, designing subscription architecture across Azure Active Directory tenants, and using tools like the Global Subscription Filter. The document also provides examples of how subscriptions can be structured for customers and partners working with both EA and CSP subscriptions.
This presentation focuses on the evolution of AWS accounts and the need for multiple accounts. It covers what AWS Organizations is, how to set it up and use it effectively, and how to efficiently create and manage multiple AWS accounts with consolidated billing, centralized logging, security, and controlled policy. It also looks at service control policies, a sample multi-account strategy, and best practices for working with multiple accounts.
This document provides an overview of Microsoft Cloud OS and Azure services related to identity, governance, and storage. It discusses Microsoft certifications and learning paths for Azure. It covers Azure identity services like Active Directory, multi-factor authentication, and Azure AD Connect. It also summarizes Azure governance tools including policies, tags, and role-based access control. Finally, it outlines the various Azure storage services like Blob, File, Queue, and Disk storage.
This document discusses various AWS IAM concepts like cross-account access, AWS Organizations, service control policies, and role switching. It provides an overview of AWS credentials and policies. It also describes how to set up an AWS Organization with a master and member account and use service control policies to manage permissions across accounts. Demo sections show how to switch roles between accounts and create a read-only IAM role in a member account for cross-account access.
Microsoft azure infrastructure essentials course manualmichaeldejene4
This document provides an overview of a 3-day Microsoft Azure Infrastructure Essentials training course. The course covers Azure network services, compute, storage, backup, and Active Directory. It includes demonstrations and hands-on labs to develop skills in implementing Azure solutions. The course modules cover Azure management tools, virtual networks, virtual machines, storage, disaster recovery, and Active Directory. Upon completing the course, students will be able to manage Azure subscriptions using various tools and deploy and configure infrastructure components in Azure.
Microsoft Azure Security Technologies (AZ-500) Exam Dumps 2023.pdfSkillCertProExams
• For a full set of 700+ questions. Go to
https://skillcertpro.com/product/microsoft-azure-security-technologies-az-500-practice-exam-set/
• SkillCertPro offers detailed explanations to each question which helps to understand the concepts better.
• It is recommended to score above 85% in SkillCertPro exams before attempting a real exam.
• SkillCertPro updates exam questions every 2 weeks.
• You will get life time access and life time free updates
• SkillCertPro assures 100% pass guarantee in first attempt.
Introduction to basic governance in Azure - #GABDKPeter Selch Dahl
This document discusses basic governance in Azure, including Azure AD PIM, Azure Locks, and Azure AD Access Review. It provides an overview of Azure Sentinel for security information and event management. It also discusses managing secrets with Azure Key Vault and using managed identities for Azure resources.
This document provides an overview of Azure Active Directory (Azure AD) presented by Max Fritz. It defines Azure AD as Microsoft's cloud-based identity and access management service. It describes key Azure AD features like single sign-on, multi-factor authentication, self-service password reset, and conditional access. It also explains how to connect Azure AD to an on-premises Active Directory using Azure AD Connect and how to access Azure AD using the Azure portal or PowerShell.
This document provides an overview of implementing a secure environment for an Azure SQL database. It discusses authentication options like Azure Active Directory authentication and SQL authentication. It also covers encrypting data at rest using Transparent Data Encryption (TDE) and encrypting data in transit. Additionally, it describes configuring firewall rules and private endpoints for network security. The document demonstrates configuring an Active Directory admin, permission chaining, and Always Encrypted for encrypting column values. It also discusses using Azure Key Vault for securely storing encryption keys.
Leverage your application architecture with azure servicesSammani Palansuriya
Microsoft Azure is an ever-expanding set of cloud services to help your organization meet the business challengers. Choosing the optimal service to solve the problem is the challenging part. Let’s take a common business problem and design an Application Architecture using azure services discussing some azure service and their usage considering basic architectural design aspects.
TechDays Finland 2020: Azuren tietoturva haltuun!Karl Ots
Azure-ratkaisujen suunnittelu, rakentaminen ja operointi tietoturvallisesti ei ole lainkaan suoraviivaista. Sekä käytettävissä olevista tietoturvakontrolleista että ohjeistuksesta on niin laaja ylitarjonta, että alkuun on hankala päästä, parhaiden käytäntöjen käytöstä puhumattakaan.
Tätä haastetta ei lainkaan helpota se, että organisaatioiden olemassa oleva tietoturvaosaaminen on harvoin siellä, missä ketterien digitaalisten sovellusten rakentaminen on. Miten voimme saada Azuren palveluista hyödyt irti, jos digisovellusten ja tietoturvavaatimusten maailmat eivät kohtaa?
Tässä esityksessä Karl käy käytännönläheisesti läpi työkalut ja prosessit, joilla suojataan Azure-sovellukset ja -infrastruktuuri, suunnittelupöydältä tuotantoon vientiin asti. Esityksen jälkeen kuulija tuntee Azuressa käytössä olevat tietoturvakontrollit sekä niiden vaikutuksen tietoturvaan, sovelluskehitystehokkuuteen ja kustannuksiin. Kuulijalla osaa myös soveltaa oppimaansa päivittääkseen oman organisaationsa tietoturvavaatimukset Azure-aikaan.
Azure Networking, Azure Storage, Enterprise Azure Active Directory, Daemon or Server application authentication workflow, Worker processes, Daemon, Daemon application to Web API, Azure Active Directory in old azure portal, ASM, Azure active directory and Mutl-tenant applications, Sharding, Federation, Shared singe, RBAC, Differences between AAD and AD DS, Azure AD Subscription models, Azure Domain Names, Manage Users, Groups,Co-Admin Role, Default Azure Active Directory, Adding access to another azure subscription. Contributor, Owner , Roles in Azure Subscriptions, Roles, MFA, Multi-Factor Authentication, How does MFA works, Scenarios for Azure MFA, Setting up MFA in Azure AD, Setting MFA, Azure Authenticator, Hybrid AD solutions, AD DS, Federated Trust, Domain Controller, AD, AAD Connecter, AD FS, AAD, Active Directory Password synchronization, Benefits of Active Directory, Active Directory Replication, vulnerabilities with multiple Domain Controller, Azure AD features, Synchronization with AD Connect, Write-back policies, Azure AD Health COnnect, Installing Azure AD COnnect Health,Integrating Azure AD and SaaS Applications, Benefits of using SaaS Solutions with your products, Benefits of SaaS Solutions, Azure Marketplace, DropBox Integrations with AAD, New Relic Integrations, New Relic, Dropbox, Azure AD Enterprise Application, VSTS integration for Automated Builds, Federation Overview, Claims, Single Sign On, Federated Trusts, Claim based authentications, Federated trusts, Claims Processing, Web Application Proxy, ADFS Proxy, ADFS 2.0 Proxy, How does ADFS proxy works for internal users, How does ADFS proxy works for internal users,Azure AD B2C Directory, B2C applications, Business 2 Customers application, 3rd Party Authentication, Bearer Token, OAuth, 3rd Party Identity Provider, OAuth server, Azure AD B2C Authentication & Authorization, Implementing Azure AD B2C Directory, Setting up Single Sign On with Facebook, Google, Microsoft. 
Linkedin, SignUP Policies, SignIN Policies, Email SignUp, SignUpSignIN PolicyID, Configuring Application with Azure Application ID,Modern Applications, Requirements for Modern Apps, API, Logic Applications, Mobile App, Web App, Function App, Go To Market, Microsoft Application Platform, App Service Plan, App Service Environment - Private Infrastructure, Why use App Service, App service Features & Capabilities, Azure App Service, Virtual Machine, Service Fabric & Cloud Services Comparison, Creating a Mobile App, Swagger UI, API Apps, API management, API APPS & API Management, Implementing API APP via Visual Studio,
This whitepaper describes how, by exploiting the capabilities of Active Directory Federation Services (ADFS) you can deliver both secure and efficient authentication to Office 365 and other cloud services.
DEF CON 27 - DIRK JAN MOLLEMA - im in your cloud pwning your azure environmentFelipe Prado
The document discusses various ways to compromise an Azure Active Directory (Azure AD) environment. It describes how Azure AD roles, applications, and service principals work and how their complex permission systems can be leveraged. It also explains how linking an on-premise Active Directory to Azure AD via Azure AD Connect, as well as other Azure integrations like Azure DevOps, can be exploited to escalate privileges and access cloud resources. The document emphasizes that while cloud services provide benefits, they also require users to securely configure and manage access themselves to protect their data and environments.
Similar to Azure role based access control (rbac) (20)
Coordinate Systems in FME 101 - Webinar SlidesSafe Software
If you’ve ever had to analyze a map or GPS data, chances are you’ve encountered and even worked with coordinate systems. As historical data continually updates through GPS, understanding coordinate systems is increasingly crucial. However, not everyone knows why they exist or how to effectively use them for data-driven insights.
During this webinar, you’ll learn exactly what coordinate systems are and how you can use FME to maintain and transform your data’s coordinate systems in an easy-to-digest way, accurately representing the geographical space that it exists within. During this webinar, you will have the chance to:
- Enhance Your Understanding: Gain a clear overview of what coordinate systems are and their value
- Learn Practical Applications: Why we need datams and projections, plus units between coordinate systems
- Maximize with FME: Understand how FME handles coordinate systems, including a brief summary of the 3 main reprojectors
- Custom Coordinate Systems: Learn how to work with FME and coordinate systems beyond what is natively supported
- Look Ahead: Gain insights into where FME is headed with coordinate systems in the future
Don’t miss the opportunity to improve the value you receive from your coordinate system data, ultimately allowing you to streamline your data analysis and maximize your time. See you there!
MYIR Product Brochure - A Global Provider of Embedded SOMs & SolutionsLinda Zhang
This brochure gives introduction of MYIR Electronics company and MYIR's products and services.
MYIR Electronics Limited (MYIR for short), established in 2011, is a global provider of embedded System-On-Modules (SOMs) and
comprehensive solutions based on various architectures such as ARM, FPGA, RISC-V, and AI. We cater to customers' needs for large-scale production, offering customized design, industry-specific application solutions, and one-stop OEM services.
MYIR, recognized as a national high-tech enterprise, is also listed among the "Specialized
and Special new" Enterprises in Shenzhen, China. Our core belief is that "Our success stems from our customers' success" and embraces the philosophy
of "Make Your Idea Real, then My Idea Realizing!"
How Netflix Builds High Performance Applications at Global ScaleScyllaDB
We all want to build applications that are blazingly fast. We also want to scale them to users all over the world. Can the two happen together? Can users in the slowest of environments also get a fast experience? Learn how we do this at Netflix: how we understand every user's needs and preferences and build high performance applications that work for every user, every time.
Implementations of Fused Deposition Modeling in real worldEmerging Tech
The presentation showcases the diverse real-world applications of Fused Deposition Modeling (FDM) across multiple industries:
1. **Manufacturing**: FDM is utilized in manufacturing for rapid prototyping, creating custom tools and fixtures, and producing functional end-use parts. Companies leverage its cost-effectiveness and flexibility to streamline production processes.
2. **Medical**: In the medical field, FDM is used to create patient-specific anatomical models, surgical guides, and prosthetics. Its ability to produce precise and biocompatible parts supports advancements in personalized healthcare solutions.
3. **Education**: FDM plays a crucial role in education by enabling students to learn about design and engineering through hands-on 3D printing projects. It promotes innovation and practical skill development in STEM disciplines.
4. **Science**: Researchers use FDM to prototype equipment for scientific experiments, build custom laboratory tools, and create models for visualization and testing purposes. It facilitates rapid iteration and customization in scientific endeavors.
5. **Automotive**: Automotive manufacturers employ FDM for prototyping vehicle components, tooling for assembly lines, and customized parts. It speeds up the design validation process and enhances efficiency in automotive engineering.
6. **Consumer Electronics**: FDM is utilized in consumer electronics for designing and prototyping product enclosures, casings, and internal components. It enables rapid iteration and customization to meet evolving consumer demands.
7. **Robotics**: Robotics engineers leverage FDM to prototype robot parts, create lightweight and durable components, and customize robot designs for specific applications. It supports innovation and optimization in robotic systems.
8. **Aerospace**: In aerospace, FDM is used to manufacture lightweight parts, complex geometries, and prototypes of aircraft components. It contributes to cost reduction, faster production cycles, and weight savings in aerospace engineering.
9. **Architecture**: Architects utilize FDM for creating detailed architectural models, prototypes of building components, and intricate designs. It aids in visualizing concepts, testing structural integrity, and communicating design ideas effectively.
Each industry example demonstrates how FDM enhances innovation, accelerates product development, and addresses specific challenges through advanced manufacturing capabilities.
How RPA Help in the Transportation and Logistics Industry.pptxSynapseIndia
Revolutionize your transportation processes with our cutting-edge RPA software. Automate repetitive tasks, reduce costs, and enhance efficiency in the logistics sector with our advanced solutions.
this resume for sadika shaikh bca studentSadikaShaikh7
I am a dedicated BCA student with a strong foundation in web technologies, including PHP and MySQL. I have hands-on experience in Java and Python, and a solid understanding of data structures. My technical skills are complemented by my ability to learn quickly and adapt to new challenges in the ever-evolving field of computer science.
Details of description part II: Describing images in practice - Tech Forum 2024BookNet Canada
This presentation explores the practical application of image description techniques. Familiar guidelines will be demonstrated in practice, and descriptions will be developed “live”! If you have learned a lot about the theory of image description techniques but want to feel more confident putting them into practice, this is the presentation for you. There will be useful, actionable information for everyone, whether you are working with authors, colleagues, alone, or leveraging AI as a collaborator.
Link to presentation recording and transcript: https://bnctechforum.ca/sessions/details-of-description-part-ii-describing-images-in-practice/
Presented by BookNet Canada on June 25, 2024, with support from the Department of Canadian Heritage.
What's Next Web Development Trends to Watch.pdfSeasiaInfotech2
Explore the latest advancements and upcoming innovations in web development with our guide to the trends shaping the future of digital experiences. Read our article today for more information.
How to Avoid Learning the Linux-Kernel Memory ModelScyllaDB
The Linux-kernel memory model (LKMM) is a powerful tool for developing highly concurrent Linux-kernel code, but it also has a steep learning curve. Wouldn't it be great to get most of LKMM's benefits without the learning curve?
This talk will describe how to do exactly that by using the standard Linux-kernel APIs (locking, reference counting, RCU) along with a simple rules of thumb, thus gaining most of LKMM's power with less learning. And the full LKMM is always there when you need it!
Are you interested in learning about creating an attractive website? Here it is! Take part in the challenge that will broaden your knowledge about creating cool websites! Don't miss this opportunity, only in "Redesign Challenge"!
Data Protection in a Connected World: Sovereignty and Cyber Securityanupriti
Delve into the critical intersection of data sovereignty and cyber security in this presentation. Explore unconventional cyber threat vectors and strategies to safeguard data integrity and sovereignty in an increasingly interconnected world. Gain insights into emerging threats and proactive defense measures essential for modern digital ecosystems.
Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Em...Erasmo Purificato
Slide of the tutorial entitled "Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Emerging Trends" held at UMAP'24: 32nd ACM Conference on User Modeling, Adaptation and Personalization (July 1, 2024 | Cagliari, Italy)
Interaction Latency: Square's User-Centric Mobile Performance MetricScyllaDB
Mobile performance metrics often take inspiration from the backend world and measure resource usage (CPU usage, memory usage, etc) and workload durations (how long a piece of code takes to run).
However, mobile apps are used by humans and the app performance directly impacts their experience, so we should primarily track user-centric mobile performance metrics. Following the lead of tech giants, the mobile industry at large is now adopting the tracking of app launch time and smoothness (jank during motion).
At Square, our customers spend most of their time in the app long after it's launched, and they don't scroll much, so app launch time and smoothness aren't critical metrics. What should we track instead?
This talk will introduce you to Interaction Latency, a user-centric mobile performance metric inspired from the Web Vital metric Interaction to Next Paint"" (web.dev/inp). We'll go over why apps need to track this, how to properly implement its tracking (it's tricky!), how to aggregate this metric and what thresholds you should target.
Sustainability requires ingenuity and stewardship. Did you know Pigging Solutions pigging systems help you achieve your sustainable manufacturing goals AND provide rapid return on investment.
How? Our systems recover over 99% of product in transfer piping. Recovering trapped product from transfer lines that would otherwise become flush-waste, means you can increase batch yields and eliminate flush waste. From raw materials to finished product, if you can pump it, we can pig it.
Hire a private investigator to get cell phone recordsHackersList
Learn what private investigators can legally do to obtain cell phone records and track phones, plus ethical considerations and alternatives for addressing privacy concerns.
3. S5 Cloud Education
Context
Srikanth Kappagantula explains to Sara the specifics of the different types of Azure roles and access management through RBAC (Role Based Access Control).
• Sara is the owner of the start-up "S5 Enterprise".
• Sara launched two business applications, "S5 Retail" and "S5 Pharma", on Azure, partnering with SaanV and Gita.
• Sara hired different professionals to support her in building the applications.
• She is conversing with Srikanth K, an Azure Administrator, to understand Azure specifics in terms of Accounts, Subscriptions and Tenants.
• Srikanth defines roles and explains role specifics, their scope, access management, etc.
4. People in the scenario
• Sara: Owner, S5 Enterprise
• Srikanth: Azure Administrator
• SaanV: Partner, S5 Retail (Partner Management)
• Gita: Partner, S5 Pharma (Partner Management)
• Shaila: Accounting, S5 Enterprise (HR & Accounting)
• Srini: User Admin, S5 Enterprise (HR & Accounting)
• Nara: Administrator
• JC: User Access Administrator
• Lucky: Internal Auditor
• Sailesh: Auditor, External
• Development Teams and Development Partners
• Operations Team and Managed Services Partners
5. Definition of Role(s)
A role is a collection of permissions on objects in a namespace.
• A role has a name, a namespace (scope) and permissions (create, read, update, delete).
• A role is assigned to security principals.
Scenario: users/identities are allocated to roles with LEAST PRIVILEGE, which allows them to perform, or not perform, certain actions. Least privilege means the ability to perform only the specific actions required, at the stated scope: not more, not less.
6. What is Scope?
Azure Account
• A globally unique entity
• Can be an individual account or an organization account
• The account contains multiple subscriptions and Active Directory tenants
• An organization is a business entity, identified by one or more public DNS domain names
Azure Active Directory Tenant
• Representation of an organization
• A unique instance of Azure Active Directory
• A tenant has its own identities and app registrations
• An Azure Active Directory tenant can have more than one subscription
Management Groups
• Management groups are containers to manage access, policy and compliance for multiple subscriptions
• Subscriptions in a management group automatically inherit the role assignments and policies applied to the group
Subscription
• Agreement with Microsoft to use Microsoft cloud platforms or services
• Billing relationship between the party and Azure
• Can host resource groups (resource containers) and resources
• One subscription trusts exactly one Active Directory tenant at a time
Resource Group
• A resource group is a logical container for resources
• A subscription can have one or more resource groups
• One resource group belongs to only one subscription
• A resource group stores its metadata in a location
Resources
• Resources are instances of Azure services, e.g. virtual machines, storage or SQL databases
• A resource can be assigned to only one resource group
• The location of a resource can be different from the location of its resource group
Scope hierarchy: Account > Azure Active Directory Tenant > Management Groups > Subscription > Resource Group > Resource
Of these, only management group, subscription, resource group and resource are scopes at which an Azure role assignment can be made, and an assignment at a parent scope is inherited by every child scope below it. The account and the tenant are governed by the classic administrator roles and the Azure AD roles respectively (see slide 8).
7. Relationship between Accounts & other objects
• An Account has 1..n Azure Active Directory tenants
• An Azure Active Directory tenant has 1..n subscriptions
• Management groups contain 1..n subscriptions (and management groups can themselves be nested)
• A subscription has 1..n resource groups
• A resource group has 1..n resources
8. Types of Roles in Azure, Scope and Relationship
Role types in Azure: Classic Subscription Administrator Roles, Azure Active Directory Roles, Azure Roles (based on RBAC)
Role type and its scope
• Classic Subscription Administrator Roles: Azure Account & Subscriptions
• Azure Active Directory Roles: Azure Active Directory Tenant
• Azure Roles: Management Group, Azure Subscriptions, Resource Groups & Resources
9. What are these different types of roles in Azure?
Classic Subscription Administrator Roles (Account & Subscription(s) Management)
• Have full access to the Azure subscription & account
• Can manage resources using the Portal & ARM APIs
• Created when the Azure account is created
• Roles: Account Administrator, Service Administrator, Co-Administrator
Azure Active Directory (Azure AD) roles (Identity Management)
• Used to manage Azure AD resources in a directory
• Perform different functions: user management, license management, managing domains
• Examples: Global Administrator, User Administrator, Billing Administrator
Azure Roles (Subscription & Resource(s) Management)
• Based on role based access control (RBAC)
• An authorization system that provides fine grained access to Azure resources
• Has 4 fundamental roles (Owner, Contributor, Reader, User Access Administrator) and roughly 70 built-in roles at the time of this deck; the built-in list has since grown to several hundred
Users/identities are allocated to roles with LEAST PRIVILEGE, which allows them to perform or not perform certain actions.
10. Classic Subscription Administrator Roles
• Have full access to the Azure subscription & account
• Can manage resources using the Portal & ARM APIs
• Created when the Azure account is created
Purpose: manage the account & subscriptions (new/existing). * Should not be used to manage Azure resources.
Account Administrator
• Max 1 per Azure account
• Manage (create/cancel) all subscriptions in the account
• Manage & change billing for subscriptions
• Can change the Service Administrator
Service Administrator
• Max 1 per Azure subscription
• Manage services in the subscription
• Cancel the subscription
• Assign users to the Co-Administrator role
• Can associate the subscription with a different Active Directory tenant
Co-Administrator
• Max 200 per Azure subscription
• Can assign users to the Co-Administrator role
• Cannot change the Service Administrator
• Cannot associate the subscription with a different Active Directory tenant
• Same permissions as the Service Administrator, but cannot cancel the subscription
* No other roles are available at account level and custom roles cannot be created.
Practitioner note: in Azure RBAC the Service Administrator and every Co-Administrator appear as the equivalent of Owner at subscription scope, so each of them is a full subscription owner. Microsoft has since retired these two classic roles (retirement date 31 August 2024); subscriptions are now administered through Azure role assignments (Owner, or a narrower role) instead. The Account Administrator (billing) role is not affected by that retirement.
11. Srikanth cautioned Sara about the usage of Subscription Administrators
Classic Administrator roles come with unlimited access to accounts and subscriptions, and he suggested the following best practices:
• Assess the need for the role before you assign it to a user
• Remember what the Service Administrator role can do:
  - change the Active Directory domain, or even add a new one
  - cancel subscriptions
  - order services on the subscription
• Co-Administrators: the count should not be more than 1 or 2
• Limit the permissions on specific subscription resources: prefer an Azure role (slide 19) assigned at resource-group or resource scope over a classic administrator role
The deck proposes deny assignments on subscriptions for that last point. Note that deny assignments cannot be created directly by a user; Azure creates them on your behalf (for example when an Azure Blueprint is assigned with resource locking), so the practical control is a narrower Azure role at a narrower scope.
12. What happens when Sara creates an Azure Account
Sara's Azure account contains Azure Active Directory Tenant 1 and Azure Subscription 1.
Roles assigned to Sara
• Azure Account, classic subscription administrator roles: Account Administrator, Service Administrator (account & subscription management)
• Azure Active Directory Tenant 1, Azure Active Directory roles: Global Administrator, User Administrator (AD identity management)
• Azure Subscription 1, Azure role: Owner (subscription & resource management)
• Sara created an Azure account
• Azure Active Directory (AAD) tenant 1 and subscription 1 were created after account creation
• AAD is the identity management solution. More than one AAD tenant instance can be created later
• A subscription is the billing relationship between Azure and Sara
• More than one subscription can be created if you want to segregate billing for different applications
• One AAD tenant can be linked to many subscriptions
• One subscription can be linked to only one tenant
• An account can have multiple Active Directory tenants and subscriptions
13. Assignment/Transfer of Account Administration specific Roles to SaanV and Gita
Partner management: Sara partnered with SaanV (Partner, S5 Retail) and Gita (Partner, S5 Pharma) to manage the two business applications and created one subscription each:
• "S5 Retail" with SaanV
• "S5 Pharma" with Gita
Sara asked Srikanth to assign the following roles:
• Make SaanV "Service Administrator" of subscription "S5 Retail"
• Make Gita "Co-Administrator" of subscription "S5 Pharma"
• Make Srikanth a Co-Administrator of both subscriptions, temporarily (to manage the subscriptions for now)
Can you suggest why she made SaanV a Service Administrator but Gita a Co-Administrator?
14. Srikanth details Azure Active Directory Roles
Used to manage Azure AD resources in a directory. Functions include user management, license management and managing domains.
Global Administrator
• Assigned automatically to the person who signs up for the Azure account (the creator of the tenant)
• Manages access to all administrative features in Azure Active Directory
• Assigns admin roles to others
• Can reset the password of any user
User Administrator
• Creates & manages users
• Manages support tickets
• Monitors service health
• Can change passwords for users (but not for Global Administrators)
Billing Administrator
• Makes purchases
• Manages subscriptions
• Manages support tickets
• Monitors service health
Azure Active Directory roles are specifically related to the management of Active Directory objects and support different functions that are set at directory level, not on Azure subscriptions or resources.
15. Srikanth asserts the Power of Elevated Access of Azure AD Global Administrator
• Azure AD and Azure resources are secured independently from each other
• A Global Administrator of the directory does not automatically have access to all management groups & subscriptions
• There may be a need to elevate Global Administrator access to
  - regain access / grant access to users or self on management groups & subscriptions
  - allow apps to access the same
• After access is elevated, the Global Administrator is assigned the User Access Administrator role at the root scope ("/"), which sits above every management group and subscription in the tenant
• Toggle the elevated access off once the purpose is served; while it is on, that one identity can grant itself any role anywhere in the tenant, so treat it as a break-glass operation and review who holds it
Elevation of access exists mainly to let a Global Administrator act as User Access Administrator for management groups/subscriptions.
16. Do we have any other Azure Active Directory Roles?
Yes, we do. Azure Active Directory is Microsoft's cloud-based identity and access management service, used to manage
• External resources: Microsoft 365, the Azure portal, other SaaS applications
• Internal resources: apps on your corporate network, apps on the intranet, cloud apps developed by your own organization
Different roles are available in Azure Active Directory to enable users to perform different functions on different objects. The built-in Azure Active Directory roles are managed by Microsoft; custom roles for Azure Active Directory can be created only if you have Azure AD Premium P1 or P2.
Azure AD types: Azure AD Free, Azure AD Premium P1, Azure AD Premium P2, Pay As You Go
17. Detailed list of other Azure Active Directory Administrator Roles
(List of Azure Active Directory administrator roles; the list itself is not reproduced in the text.)
18. S5 Ent Roles on Azure Active Directory
Sara sees a need to
• Manage billing centrally
• Create/drop users in a single AD domain
• Have an administrator manage AD end to end
Sara asked Srikanth to assign the following roles: make Srini (User Admin, S5 Ent) the User Administrator, Shaila (Accounting, S5 Ent) the Billing Administrator and Srikanth the Global Administrator.
What is the rationale behind Sara's thought process?
19. What are Azure Roles
Based on the role based access control (RBAC) mechanism. The four fundamental roles:
Owner
• Full access to resources
• Can delegate access to others
Contributor
• Create & manage Azure resources
• Cannot grant access to resources (cannot create role assignments)
Reader
• Can view all the resources in a scope
User Access Administrator
• Manage user access to resources
Are these the only roles we can use to manage Azure subscription resources?
Obviously not. Azure provides other built-in roles to perform different functions on specific Azure services/resources; some of them are:
• Virtual Machine Contributor
• Storage Account Reader
• Network Contributor
• Backup Operator
• App Configuration Data Owner
Custom roles can be created for Azure roles (and, with Azure AD Premium P1/P2, for Azure AD roles, see slide 16), but not for the classic administrator roles.
21. What is Azure Role based access control (RBAC)
Azure role based access control (RBAC) manages access control for cloud resources. It is an authorization system built on Azure Resource Manager (ARM) that provides fine grained access to Azure resources.
3 questions to answer
• Who has access to an Azure resource?
• What can they do with those resources?
• What specific areas do they have access to?
Examples
• A DBA group to manage SQL and NoSQL databases
• A network administrator to manage virtual networks, and an application administrator to manage App Services
• A project administrator to manage the resources in a resource group
• A storage admin to manage storage accounts
22. How Access Management is controlled in Azure RBAC
Role based access control is enabled through:
• Role definition: a role definition (typically just called a role) is a collection of permissions. It supports operations like create, view, update and delete.
• Role assignment: access to different Azure resources at a specific scope is granted by a role assignment.
• Deny assignment: access to different Azure resources at a specific scope is blocked by a deny assignment.
• Custom roles: custom roles are created when the built-in roles cannot fulfil the purpose.
23. What is Role Definition
A role definition (typically called a role) is a collection of permissions. It lists the operations that can be performed, such as read, write and delete.
2 types of roles
• Built-in roles (defined by Azure): high level (Owner, Contributor, Reader, User Access Administrator) and resource specific (e.g. Virtual Machine Contributor)
• Custom roles (defined by the implementation team): user defined roles which define different access mechanisms for specific resource types
* Segregation into high level and resource specific types is only for our understanding.
24. Revisit "Role Definition" aka Role
A role definition is a collection of permissions and has a Name and a Description. Besides that, a role definition/permission has 5 components:
• Actions: management operations that the role allows to be performed
• NotActions: management operations that are excluded from the allowed Actions
• DataActions: data operations that the role allows to be performed on your data within that object
• NotDataActions: data operations that are excluded from the allowed DataActions
• AssignableScope: the scope the role is available for assignment at
Management operations control access to resources, e.g. access a storage account; create, update and delete a blob container; delete a resource group and its resources.
Data operations control access to the data underlying resources, e.g. read log files in a blob container, delete a message in a queue, write data into a text file in a container.
Storage Blob Data Reader role definition includes operations in both the Actions and DataActions properties. This role allows you to read the blob container and also the underlying blob data.
Storage Blob Reader role definition includes operations in the Actions property only. This role allows you to read the blob container; it is not allowed to read the underlying data.
26. What are Role Assignments?
Control access to resources using Role based access control (RBAC) in Azure by creating ROLE ASSIGNMENTS.
A ROLE ASSIGNMENT has 3 elements:
• Security Principal: identity that requests access to an Azure resource
• Role Definition: collection of permissions
• Scope: set of resources that the access applies to
27. 1. Who is Security Principal?
A security principal is an Azure object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources.
• User: individual who has a profile in Azure Active Directory
• Group: set of users created in Azure Active Directory
• Service Principal: security identity used by applications/services to access specific Azure resources
• Managed Identity: identity in Azure Active Directory that is automatically managed by Azure
28. What is Role Definition
A role definition (typically a role) is a collection of permissions.
A role definition lists the operations that can be performed, such as read, write, and delete.
2 Types of Roles
• Built-in Roles (defined by Azure): high level and resource-specific types
• Custom Roles (defined by the implementation team): user-defined roles which define different access mechanisms for different resource-specific types
* Segregation into high level and resource-specific types is only for our understanding
29. 3. Define Scope
Scope is the set of resources that the access applies to.
Assign a role, and limit the actions allowed by defining a scope.
Scope is additive, e.g. access granted at a subscription flows down to its resource groups and thereby to their resources.
Scope hierarchy:
• Management Group: each management group can have 1 or more subscriptions
• Subscription(s): each subscription can have 1 or more resource groups
• Resource Group(s): each resource group can have 1 or more resources and resource types
• Resource(s): a resource is the smallest unit in the scope
30. Definitions of objects in Scope
• Management Groups: management groups are containers to manage access, policy, and compliance across multiple subscriptions. Management groups enable an effective and efficient hierarchy that can be used with Azure Policy and RBAC controls. All subscriptions in a management group automatically inherit the conditions applied to the management group.
• Subscriptions: a subscription logically associates user accounts and the resources that were created by them. Organizations use subscriptions to manage costs and the resources that are created by users, teams, or projects.
• Resource Groups: a resource group is a logical container into which Azure resources like services, databases, web apps, and storage accounts are deployed and managed.
• Resources: resources are the different services that we create in Azure, e.g. containers, SQL databases, web apps, storage accounts.
Diagram label "Inherit": settings applied at a higher level flow down to the levels below it.
31. What are Deny Assignments?
A set of deny actions applied to a security principal at a particular scope is a DENY ASSIGNMENT.
A DENY ASSIGNMENT has 3 elements:
• Security Principal: identity that requests access to an Azure resource
• Role Definition: collection of permissions
• Scope: set of resources that the access applies to
Deny assignments prevent security principals from performing actions at a scope even when role assignments are defined at a level above.
* Azure Blueprints and Azure managed apps are the only way to create deny assignments
32. Sara interrupted Srikanth with a question
At a specific scope (management groups/subscriptions/resource groups/resources), what takes precedence when both a role assignment and a deny assignment are defined?
Srikanth advised that RBAC always works with a role with limited access to perform a function.
At a scope, a deny assignment always takes precedence over a role assignment.
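The precedence rule just stated, the scope inheritance of slide 29, the NotActions subtraction of slide 24 and the Actions/DataActions split behind the two storage roles can all be checked end to end with a small model of the decision Azure makes. This is an added example, not Azure's own evaluation code and not part of the deck: the built-in role contents are simplified subsets of the real definitions, the subscription ids, resource names, group membership and the deny assignment are constructed for the S5 scenario (in real Azure a deny assignment comes only from Blueprints or managed applications, as the deck notes).

```python
"""Added example (not Azure's code): a small model of how Azure RBAC decides an
access request, using the deck's S5 scenario. Built-in role contents are
simplified stand-ins; subscription ids and resource names are placeholders."""
import re
from dataclasses import dataclass, field

def _matches(pattern: str, action: str) -> bool:
    """Operation strings compare case-insensitively and '*' may span '/' segments."""
    return re.match("^" + re.escape(pattern).replace(r"\*", ".*") + "$", action, re.I) is not None

def _in_scope(assigned: str, target: str) -> bool:
    """An assignment covers its own scope and every child scope beneath it."""
    a, t = assigned.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

@dataclass
class RoleDefinition:
    name: str
    actions: list = field(default_factory=list)
    not_actions: list = field(default_factory=list)
    data_actions: list = field(default_factory=list)
    not_data_actions: list = field(default_factory=list)

    def permits(self, action: str, data: bool) -> bool:
        """Effective permission is Actions minus NotActions (or the DataActions pair)."""
        allow = self.data_actions if data else self.actions
        exclude = self.not_data_actions if data else self.not_actions
        return any(_matches(p, action) for p in allow) and not any(_matches(p, action) for p in exclude)

@dataclass
class Assignment:            # role assignment = security principal + role definition + scope
    principal: str
    role: RoleDefinition
    scope: str

@dataclass
class DenyAssignment:        # deny assignment = principals + denied operations + scope
    principals: frozenset
    scope: str
    actions: list = field(default_factory=list)
    data_actions: list = field(default_factory=list)

class RbacEvaluator:
    def __init__(self, groups: dict):
        self.groups = groups             # group name -> set of member users
        self.assignments: list = []
        self.denies: list = []

    def _identities(self, user: str) -> set:
        return {user} | {g for g, members in self.groups.items() if user in members}

    def is_allowed(self, user: str, action: str, scope: str, data: bool = False) -> bool:
        ids = self._identities(user)
        # 1. A matching deny assignment wins, even when a role assignment exists at a higher scope
        for d in self.denies:
            pats = d.data_actions if data else d.actions
            if ids & d.principals and _in_scope(d.scope, scope) and any(_matches(p, action) for p in pats):
                return False
        # 2. Role assignments are additive: one assignment covering the scope and the action suffices
        return any(a.principal in ids and _in_scope(a.scope, scope) and a.role.permits(action, data)
                   for a in self.assignments)

# Simplified built-in roles (illustrative subsets of the real definitions)
OWNER = RoleDefinition("Owner", actions=["*"])                      # no DataActions: cannot read blob data
CONTRIBUTOR = RoleDefinition("Contributor", actions=["*"],
                             not_actions=["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete",
                                          "Microsoft.Authorization/elevateAccess/Action"])
READER = RoleDefinition("Reader", actions=["*/read"])
USER_ACCESS_ADMIN = RoleDefinition("User Access Administrator",
                                   actions=["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"])
BLOB_DATA_READER = RoleDefinition("Storage Blob Data Reader",
    actions=["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
    data_actions=["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"])

SUB_RETAIL = "/subscriptions/sub-retail-placeholder"   # constructed placeholder ids
SUB_PHARMA = "/subscriptions/sub-pharma-placeholder"
RETAIL_STORE = SUB_RETAIL + "/resourceGroups/rg-retail/providers/Microsoft.Storage/storageAccounts/s5retailstore"
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"

def build_s5() -> RbacEvaluator:
    """Role assignments from slide 33, a dev-partner group (slide 35) and one constructed deny assignment."""
    ev = RbacEvaluator(groups={"S5RetailAppDeveloper": {"devpartner1"}})
    for sub in (SUB_RETAIL, SUB_PHARMA):
        ev.assignments += [Assignment("srikanth", OWNER, sub), Assignment("nara", CONTRIBUTOR, sub),
                           Assignment("jc", USER_ACCESS_ADMIN, sub),
                           Assignment("lucky", READER, sub), Assignment("sailesh", READER, sub)]
    ev.assignments.append(Assignment("S5RetailAppDeveloper", BLOB_DATA_READER, RETAIL_STORE))
    ev.denies.append(DenyAssignment(frozenset({"nara"}), RETAIL_STORE,
                                    actions=["Microsoft.Storage/storageAccounts/delete"]))
    return ev

if __name__ == "__main__":
    ev = build_s5()
    print("Nara can create VMs in rg-retail:", ev.is_allowed("nara", "Microsoft.Compute/virtualMachines/write",
                                                               SUB_RETAIL + "/resourceGroups/rg-retail"))
    print("Nara can delete the denied storage account:",
          ev.is_allowed("nara", "Microsoft.Storage/storageAccounts/delete", RETAIL_STORE))
    print("Srikanth (Owner) can read blob data:", ev.is_allowed("srikanth", BLOB_READ, RETAIL_STORE, data=True))
```

Two results are worth pausing on: the Owner assignment cannot read blob contents because Owner carries no DataActions, which is exactly why the deck pairs storage with resource-specific data roles, and Nara's Contributor assignment at subscription scope loses to the deny assignment one level down.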
33. Sara and Srikanth are assigning roles
Requirements:
• Srikanth to oversee and manage administration across both subscriptions
• Nara needs to be able to create and drop services
• JC to handle user access for services and storage management for both subscriptions
• Lucky and Sailesh need to address auditing
• Implementation of services is outsourced to development partners
• Operations are outsourced to managed services partners
Assignments:
• Srikanth is assigned the Owner role
• Nara (Administrator) is assigned the Contributor role
• JC (User Access Administrator) is assigned User Access Administrator and Storage Account Contributor
• Lucky (Internal Auditor) and Sailesh (External Auditor) are given the Reader role
34. Srikanth re-iterated about using resource-specific roles
When permissions need to be granted to specific resource types in any scope, use resource-specific roles.
For example, for Storage you have roles to support Actions and Data Actions.
Storage account types and their specific roles are defined in the diagram: Blob, File, Queue.
35. Sara and Srikanth are assigning roles
Problem
• The implementation services team will have to access multiple services like storage, virtual machines, administration, monitoring and management
• The operations team needs to monitor and manage different services and even needs to perform fixes and other support activities
Solution
• Create groups of users and assign multiple roles which provide Data Actions and Actions at a specific scope
• Create groups and assign CUSTOM roles which span across multiple services
36. What are Custom Roles and Why?
Sometimes Azure built-in roles do not serve the specific needs of your organization. Create custom roles to address the specific requirement.
Custom roles are user-defined roles with specific Actions, DataActions, NotActions and NotDataActions at a defined scope.
Custom roles can be shared between subscriptions that trust the same Azure AD directory.
Custom roles can be created using Azure PowerShell, Azure Portal, Azure CLI or the REST API.
It is easy to clone a role, edit the JSON document and assign permissions.
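The clone-and-edit workflow described above is easiest to get right when the edited JSON is checked before it is submitted. The following is an added example, not the deck's or Azure's code: it clones a simplified Reader-like stand-in (not the real built-in definition) into the deck's S5EntLogViewer idea, then lints the document for the mistakes that most often slip through when a role is hand-edited. The subscription ids are placeholders; the output document has the shape expected by `az role definition create --role-definition role.json`.

```python
"""Added example (not Azure's code): clone a built-in-style role into a custom
role JSON document and lint it before it goes to the CLI or PowerShell.
The built-in role content and the subscription ids are constructed stand-ins."""
import copy
import json
import re

# Simplified stand-in for the Reader built-in role (illustration, not the real definition)
READER_LIKE = {
    "Name": "Reader", "IsCustom": False, "Description": "View all resources, but do not make changes",
    "Actions": ["*/read"], "NotActions": [], "DataActions": [], "NotDataActions": [],
    "AssignableScopes": ["/"],
}
SUB_RETAIL = "/subscriptions/sub-retail-placeholder"      # constructed placeholders
SUB_PHARMA = "/subscriptions/sub-pharma-placeholder"
GRANT_ACTION = "Microsoft.Authorization/roleAssignments/write"

def _matches(pattern: str, action: str) -> bool:
    """Azure operation matching: case-insensitive, '*' may span '/' segments."""
    return re.match("^" + re.escape(pattern).replace(r"\*", ".*") + "$", action, re.I) is not None

def clone_as_custom_role(base: dict, name: str, description: str, assignable_scopes,
                         add_actions=(), add_not_actions=(), add_data_actions=()) -> dict:
    """Deep-copy `base`, mark it custom, and layer on the extra entries; returns a new document."""
    role = copy.deepcopy(base)
    role.update({"Name": name, "IsCustom": True, "Description": description,
                 "AssignableScopes": list(assignable_scopes)})
    role["Actions"] = sorted(set(role["Actions"]) | set(add_actions))
    role["NotActions"] = sorted(set(role["NotActions"]) | set(add_not_actions))
    role["DataActions"] = sorted(set(role["DataActions"]) | set(add_data_actions))
    return role

def lint_custom_role(role: dict) -> list:
    """Return findings as strings; an empty list means the document passed."""
    findings = []
    if role.get("IsCustom") is not True:
        findings.append("IsCustom must be true for a custom role")
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("AssignableScopes must list at least one scope")
    for s in scopes:
        # root "/" is reserved for built-in roles; custom roles need a management group,
        # subscription or resource group scope
        if not s.lower().startswith(("/subscriptions/", "/providers/microsoft.management/managementgroups/")):
            findings.append(f"AssignableScopes entry {s!r} is not a management group, subscription or resource group")
    # NotActions only subtract from Actions; an entry nothing in Actions covers does nothing
    for na in role.get("NotActions", []):
        if not any(_matches(a, na.replace("*", "x")) for a in role.get("Actions", [])):
            findings.append(f"NotActions entry {na!r} is not covered by any Actions entry")
    # Least privilege: a role that can write role assignments can grant itself anything else
    if any(_matches(a, GRANT_ACTION) for a in role.get("Actions", [])) and \
            not any(_matches(n, GRANT_ACTION) for n in role.get("NotActions", [])):
        findings.append("role can create role assignments; leave that to Owner / User Access Administrator")
    return findings

def s5_ent_log_viewer() -> dict:
    """The deck's S5EntLogViewer as a custom role: Reader plus blob data read, shared by both subscriptions."""
    return clone_as_custom_role(
        READER_LIKE, "S5EntLogViewer", "Read resources and log blobs in Retail and Pharma",
        [SUB_RETAIL, SUB_PHARMA],
        add_data_actions=["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"])

def too_broad_role() -> dict:
    """A tempting shortcut that the lint should reject (constructed)."""
    return {"Name": "S5DoEverything", "IsCustom": True, "Description": "", "Actions": ["*"],
            "NotActions": ["Microsoft.Compute/*/delete"], "DataActions": [], "NotDataActions": [],
            "AssignableScopes": ["/"]}

def to_json(role: dict) -> str:
    """Document text to save as role.json for `az role definition create --role-definition role.json`."""
    return json.dumps(role, indent=2)

if __name__ == "__main__":
    print(to_json(s5_ent_log_viewer()))
    print("findings:", lint_custom_role(too_broad_role()))
```

The two lint checks that matter most for least privilege are the last ones: a NotActions entry never denies anything on its own, it only narrows Actions, and any custom role whose Actions cover `Microsoft.Authorization/roleAssignments/write` is effectively an administrator role whatever its name says.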
37. Custom Roles created to fulfil Sara's Azure RBAC requirements
Custom roles shown in the diagram: S5RetailAppDeveloper, S5PharmaAppDeveloper, S5EntLogViewer, S5RetailStorageContributor, S5EntDataAdmin, S5EntSecretsManager, S5RetailAppLogViewer, S5PharmalStorageContributor
Resources in the Retail subscription shown in the diagram: Storage, VM, MySQL, ELB, Disk, Logs, Data
38. Sara pointed out one concern about subscriptions and Active Directory
I understand that multiple subscriptions can be assigned to an Active Directory tenant.
• What happens when one subscription is moved from Active Directory Tenant 1 to Active Directory Tenant 2?
• She raised the concern that there may be a need to separate one of the subscriptions under a new domain.
Diagram: Subscription 1 moves from Azure Active Directory Tenant 1 to Azure Active Directory Tenant 2.
Impacted RBAC services:
• Role Assignments: role assignments are permanently deleted. Map security principals to the corresponding objects in the new AD tenant, then recreate the role assignments.
• Custom Roles: custom roles are permanently deleted. Recreate the custom roles and their role assignments.
39. Sara has concerns on tracking changes in Azure RBAC
To track changes with respect to auditing, especially:
• Create role assignment
• Delete role assignment
• Create or update custom role definition
• Delete custom role definition
The Activity Log records all these activities to support auditing and troubleshooting.
Changes in role assignments, custom role definitions and related activities are tracked.
The Activity Log hosts the log data for 90 days.
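Picking those four changes out of the Activity Log is the core of an RBAC change review. The following is an added example, not the deck's or Azure's code: the records are constructed samples that use the Activity Log field names operationName, caller, eventTimestamp, resourceId and status (flattened here; the exported JSON nests some of them), the subscription id and principals are placeholders, and the operation names are the ones Azure writes for role assignment and role definition changes.

```python
"""Added example (not Azure's code): select the four RBAC change operations the deck
lists out of Activity Log records and apply simple review checks to them.
The records are constructed samples; the subscription id and principals are placeholders."""
from datetime import datetime, timedelta, timezone

RBAC_CHANGE_OPERATIONS = {   # operationName values Azure writes for these changes
    "Microsoft.Authorization/roleAssignments/write": "Create role assignment",
    "Microsoft.Authorization/roleAssignments/delete": "Delete role assignment",
    "Microsoft.Authorization/roleDefinitions/write": "Create or update custom role definition",
    "Microsoft.Authorization/roleDefinitions/delete": "Delete custom role definition",
}
ACTIVITY_LOG_RETENTION = timedelta(days=90)
SUB = "/subscriptions/sub-retail-placeholder"

SAMPLE_EVENTS = [  # constructed records, not real log data
    {"eventTimestamp": "2024-03-01T09:15:00Z", "caller": "jc@s5.example", "status": "Succeeded",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleAssignments/ra-0001"},
    {"eventTimestamp": "2024-03-01T09:20:00Z", "caller": "nara@s5.example", "status": "Succeeded",
     "operationName": "Microsoft.Compute/virtualMachines/write",
     "resourceId": SUB + "/resourceGroups/rg-retail/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"eventTimestamp": "2023-11-15T16:02:00Z", "caller": "srikanth@s5.example", "status": "Succeeded",
     "operationName": "Microsoft.Authorization/roleDefinitions/write",
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleDefinitions/rd-0001"},
    {"eventTimestamp": "2024-03-02T11:40:00Z", "caller": "nara@s5.example", "status": "Failed",
     "operationName": "Microsoft.Authorization/roleAssignments/write",   # Contributor is refused this
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleAssignments/ra-0002"},
    {"eventTimestamp": "2024-03-03T08:05:00Z", "caller": "jc@s5.example", "status": "Succeeded",
     "operationName": "Microsoft.Authorization/roleAssignments/delete",
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleAssignments/ra-0001"},
]

def parse_ts(value: str) -> datetime:
    """Activity Log timestamps are UTC in ISO 8601 form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def rbac_changes(events, succeeded_only=True):
    """Normalise the RBAC change events into (when, who, what, target) rows."""
    rows = []
    for e in events:
        label = RBAC_CHANGE_OPERATIONS.get(e["operationName"])
        if label is None or (succeeded_only and e["status"] != "Succeeded"):
            continue
        rows.append({"when": e["eventTimestamp"], "who": e["caller"], "what": label, "target": e["resourceId"]})
    return rows

def changes_by_caller(events):
    """Count successful RBAC changes per principal."""
    counts = {}
    for row in rbac_changes(events):
        counts[row["who"]] = counts.get(row["who"], 0) + 1
    return counts

def unexpected_callers(events, allowed):
    """RBAC changes (attempted or done) by principals outside the approved set; a refused
    attempt by a Contributor is still worth a look even though Azure denied it."""
    return [r for r in rbac_changes(events, succeeded_only=False) if r["who"] not in allowed]

def beyond_retention(events, now):
    """Events older than the 90-day Activity Log window: they remain available only if the
    log was exported, for example to a Log Analytics workspace or a storage account."""
    return [e for e in events if now - parse_ts(e["eventTimestamp"]) > ACTIVITY_LOG_RETENTION]

if __name__ == "__main__":
    for row in rbac_changes(SAMPLE_EVENTS):
        print(row["when"], row["who"], row["what"], row["target"])
    print("outside approved set:", unexpected_callers(SAMPLE_EVENTS, {"jc@s5.example", "srikanth@s5.example"}))
```

On the deck's assignments only JC (User Access Administrator) and Srikanth (Owner) should ever appear as callers for these operations, so a set of approved principals is a cheap first filter; the retention check is a reminder that anything to be audited later than 90 days needs an export configured in advance.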
Sara is a young entrepreneur running "S5 Enterprise". Sara is planning to launch 2 business applications, "S5 Retail" and "S5 Pharma", partnering with SaanV and Gita respectively.
With the cloud revolution in place, Sara is planning to host the applications on Azure. Sara hired different professionals to support her in building the applications.
Sara believes in understanding things before she applies them. Besides, Sara had gone through the fundamentals of Azure before she decided to launch the applications. Sara understands that users need to be given least privilege to perform their functions. She wants to implement best practices while building the solution on Azure.
Sara converses with Srikanth Kappagantula, an Azure Administrator, to understand Azure specifics in terms of Accounts, Subscriptions, and Tenants while setting up the Azure account.
The Team includes
Business Partners
• SaanV, Partner "S5 Retail"
• Gita, Partner "S5 Pharma"
Internal Team
• Srikanth Kappagantula, Azure Administrator
• Srini, User Admin
• Shaila, Accounting
• Nara, Administrator
• JC, User Access Administrator
• Lucky, Internal Auditor
External Teams
• Sailesh, External Auditor
• Development Team, Development Partners
• Operations Team, Managed Services Partners
A role is a collection of permissions on objects in a namespace.
Generally a role has a unique name and a description with a collection of permissions.
Roles are assigned to security principals (users, groups, service principals, and managed identities), allowing them to perform operations such as read, write, and delete on objects in a namespace.
Every security principal is allocated ROLES with LEAST PRIVILEGE, which allows them to perform or not perform certain Actions.
Besides, LEAST PRIVILEGE defines the ability to perform/not perform specific Actions at the mentioned SCOPE. Not more, not less.
Scope is the set of resources that the access applies to, and when a role is assigned we can further limit the actions allowed by defining a scope. To understand scope, let us define some common terms we use across the solution.
Azure Account
• A globally unique entity
• Can be an individual account or an organization account
• An account contains multiple subscriptions and Active Directory tenants
• An organization is a business entity identified by one or more public DNS domain names
Azure Active Directory Tenant
• Representation of an organization
• Unique instance of Azure Active Directory
• A tenant has its own identities and app registrations
• An Azure Active Directory tenant can have more than 1 subscription
Management Groups
• Management groups are containers to manage access, policy, and compliance for multiple subscriptions
• Subscriptions in a management group automatically inherit the conditions
Subscription
• Agreement with Microsoft to use Microsoft cloud platforms or services
• Billing relationship between the party and Azure
• Can host resource groups (resource containers) and resources
• 1 subscription can be allocated to only 1 Active Directory tenant
Resource Group
• A resource group is a logical container for resources
• A subscription can have 1 or more resource groups
• 1 resource group can be allocated to only one subscription
• A resource group stores its metadata in a location
Resource
• Resources are instances of Azure services, e.g. virtual machines, storage, or SQL databases
• A resource can be assigned to only one resource group
• The location of a resource can be different from the location of its resource group
Roles are defined at a pre-defined scope, or roles are allocated at a specific scope.
• Each account can have 1 or more Azure Active Directory tenants and subscriptions
• Each Azure Active Directory tenant can be linked to more than 1 subscription, while the converse is not true
• Every organization can have multiple management groups
• Every management group can have more than 1 subscription
• Every subscription can have more than 1 resource group
• Every resource group can have more than 1 resource
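One way to make the hierarchy above concrete is to classify a scope string and compute the chain of ancestors from which an assignment could be inherited, which is what "scope is additive" means in practice. This is an added example, not Azure's code and not part of the deck: the subscription ids and management group names are placeholders, and because a resource ID does not encode which management group its subscription sits in, that link (and the management-group parent link) is passed in as a mapping that in Azure would come from the tenant's management group tree.

```python
"""Added example (not Azure's code): classify an Azure scope string into the deck's
hierarchy (management group > subscription > resource group > resource) and list
the ancestor scopes an assignment could be inherited from. Ids are placeholders."""
import re

_MG = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)
_SUB = re.compile(r"^/subscriptions/[^/]+$", re.I)
_RG = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)
_RES = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/[^/]+/.+$", re.I)
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed tenant layout: which management group each subscription sits in, and MG parents
MG_OF_SUBSCRIPTION = {"sub-retail-placeholder": "mg-s5-apps", "sub-pharma-placeholder": "mg-s5-apps"}
MG_PARENT = {"mg-s5-apps": "mg-s5-root"}          # mg-s5-root has no parent

def scope_level(scope: str) -> str:
    """Return 'managementGroup', 'subscription', 'resourceGroup' or 'resource'; raise on malformed input."""
    for level, rx in (("managementGroup", _MG), ("subscription", _SUB),
                      ("resourceGroup", _RG), ("resource", _RES)):
        if rx.match(scope):
            return level
    raise ValueError(f"not a recognised Azure scope: {scope!r}")

def ancestors(scope: str, mg_of_subscription: dict, mg_parent: dict) -> list:
    """Scopes above `scope`, root first. A resource's ID carries its resource group and
    subscription, but the management group chain has to come from the supplied mappings."""
    level = scope_level(scope)
    parts = scope.split("/")            # ['', 'subscriptions', <id>, 'resourceGroups', <rg>, 'providers', ...]
    chain = []
    if level == "managementGroup":
        mg = mg_parent.get(parts[-1])
    else:
        sub = "/subscriptions/" + parts[2]
        if level == "resource":
            chain.append(sub + "/resourceGroups/" + parts[4])
        if level in ("resource", "resourceGroup"):
            chain.append(sub)
        mg = mg_of_subscription.get(parts[2])
    while mg is not None:               # walk up the management group tree to the root
        chain.append(MG_PREFIX + mg)
        mg = mg_parent.get(mg)
    chain.reverse()
    return chain

def covers(assignment_scope: str, target_scope: str, mg_of_subscription: dict, mg_parent: dict) -> bool:
    """True if an assignment at `assignment_scope` is inherited by `target_scope` (or equals it)."""
    lower = assignment_scope.lower()
    return lower == target_scope.lower() or \
        any(lower == a.lower() for a in ancestors(target_scope, mg_of_subscription, mg_parent))

RETAIL_STORE = ("/subscriptions/sub-retail-placeholder/resourceGroups/rg-retail"
                "/providers/Microsoft.Storage/storageAccounts/s5retailstore")   # constructed

if __name__ == "__main__":
    print(scope_level(RETAIL_STORE))
    for s in ancestors(RETAIL_STORE, MG_OF_SUBSCRIPTION, MG_PARENT):
        print("  inherits from", s)
```

The root management group is the widest scope a role can be assigned at, so a Reader assignment for the auditors at `mg-s5-root` would reach both subscriptions in this layout, while an assignment on the Pharma subscription never covers a Retail resource because it is not in the Retail resource's ancestor chain.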
Types of Roles in Azure
There are 3 types of roles in Azure that can be assigned at a scope.
Classic Subscription Administrator roles
Classic subscription roles are applied at the Azure account level. These roles deal with management of the account and configuration of its Active Directory tenant(s) and subscription(s). Mostly these roles are managed by the user/organization who creates the account; they nominate other users to manage the account for specific functions. These roles come with unlimited access, so be very cautious when you assign such a role to a user.
These roles are built and managed only by Microsoft. We can create custom role(s) at this level.
Azure Active Directory Tenant roles
Azure Active Directory tenant roles, as the name suggests, are related to the Azure Active Directory tenant. These roles have full/unlimited access to the AD objects and properties tagged to the identified role. Mostly 2-3 roles are used if we are dealing only with Azure. If we also opt for Microsoft 365, more roles need to be used to manage functions.
At the Active Directory tenant level, you can create custom roles that span multiple objects. Only Active Directory P1 and Active Directory P2 support creating custom roles.
Azure roles
These roles are based on Role based access control (RBAC). They can be applied to Management Group(s) -> Subscription(s) -> Resource Group(s) -> Resource(s). The roles exhibit inheritance in relation to scope: when a role is applied at a scope, the same access automatically applies to the child scopes. The role at a scope is additive to its child scope(s).
Custom roles can be created to address specific needs at this level.
Classic subscription administrators have full access to the Azure subscription.
The Service Administrator and Co-Administrator roles are assigned to the account that signs up for the subscription with Azure.
The Service Administrator and Co-Administrator roles are equivalent to the Azure role "Owner" at subscription scope.
A role (role definition) is a collection of permissions on objects in a namespace.
Generally a role has a unique name and a description with a collection of permissions. A role definition is assigned to security principals (users, groups, service principals, and managed identities), allowing them to perform operations such as read, write, and delete on objects in a namespace.