Azure Role Based Access Control with a use case and an explanation of concepts such as Global Administrators, Role Assignments, Account Administrators, Azure Roles and Custom Roles, for both Azure AD and Azure Subscriptions
3. S5 Cloud
Education
Context
Srikanth Kappagantula explains to Sara the specifics of the different types of Azure roles and access management through RBAC (Role Based Access Control).
Sara is the owner of the start-up “S5 Enterprise”.
Sara launches 2 business applications, “S5 Retail” and “S5 Pharma”, on Azure, partnering with SaanV and Gita.
Sara hired different professionals to support her in building the applications.
She is conversing with Srikanth K, an Azure Administrator, to understand Azure specifics in terms of Accounts, Subscriptions, and Tenants.
Srikanth defines roles and explains role specifics, their scope, access management, etc.
The Team includes
Sara: Owner, S5 Ent
Srikanth: Azure Administrator
Partner Management: SaanV, Partner, S5 Retail; Gita, Partner, S5 Pharma
HR & Accounting: Shaila, Accounting, S5 Ent; Srini, User Admin, S5 Ent
Nara: Administrator
JC: User Access Administrator
Lucky: Internal Auditor
Development Teams: Development Partners
Operations Team: Managed Services Partners
Sailesh: Auditor, External
Definition of Role(s)
A role is a collection of permissions on objects in a namespace.
A Role has a Name, a Namespace/Scope and Permissions (Create, Read, Update, Delete) and is assigned to Security Principals.
Scenario
Users/Identities are allocated to ROLES with LEAST PRIVILEGE, which allows them to perform or not perform certain Actions.
LEAST PRIVILEGE defines the ability to perform only specific Actions at the mentioned SCOPE: Not More, Not Less.
What is Scope?
Azure Account
A globally unique entity
Can be an Individual Account or an Organization Account
An Account contains multiple subscriptions & Active Directory tenants
An Organization is a business entity identified by one or more public DNS domain names
Azure Active Directory Tenant
Representation of an organization
A unique instance of Azure Active Directory
A tenant has its own identities and app registrations
An Azure Active Directory Tenant can have more than 1 subscription
Management Groups
Management groups are containers to manage access, policy, and compliance for multiple subscriptions
Subscriptions in a management group automatically inherit the conditions
Subscription
An agreement with Microsoft to use Microsoft cloud platforms or services
The billing relationship between the party and Azure
Can host resource groups (resource containers) & resources
1 Subscription can be allocated to only 1 Active Directory Tenant
Resource Group
A Resource Group is a logical container for resources
A Subscription can have 1 or more resource groups
1 Resource Group can be allocated to only one subscription
A Resource Group stores its metadata in a location
Resources
Resources are instances of Azure services, e.g. virtual machines, storage, or SQL databases
A Resource can be assigned to only one resource group
The location of a resource can be different from the location of its resource group
Scope hierarchy (slide diagram): Account > Azure Active Directory Tenant > Management Groups > Subscription > Resource Group > Resource
Relationship between Accounts & other objects (slide diagram)
Account 1..n Azure Active Directory Tenant
Account 1..n Subscription
Azure Active Directory Tenant 1..n Subscription
Management Groups 1..n Subscription
Subscription 1..n Resource Group
Resource Group 1..n Resources
Types of Roles in Azure, Scope and Relationship
Role Types in Azure: Classic Subscription Administrator Roles; Azure Active Directory Roles; Azure Roles (based on RBAC)
Role Type and Scope
Classic Subscription Administrator Roles: Azure Account & Subscriptions
Azure Active Directory Roles: Azure Active Directory Tenant
Azure Roles: Management Groups, Azure Subscriptions, Resource Groups & Resources
What are these different types of roles in Azure?
Classic Subscription Administrator Roles
Have full access to the Azure subscription & Account
Can manage resources using the Portal & ARM APIs
Created when the Azure Account is created
Roles: Account Administrator, Service Administrator, Co-Administrator (Account & Subscription(s) Management)
Azure Active Directory (Azure AD) roles
Used to manage Azure AD resources in a directory
Perform different functions: user management, license management, managing domains
Roles: Global Administrator, User Administrator, Billing Administrator (Identity Management)
Azure Roles
Based on Role Based Access Control
An authorization system that provides fine-grained access to Azure resources
Has 4 fundamental roles and 70 built-in roles
Roles: Owner, Contributor, Reader, User Access Administrator (Subscription & Resource(s) Management)
Users/Identities are allocated to roles with LEAST PRIVILEGE, which allows them to perform or not perform certain Actions
Classic Subscription Administrator Roles
Have full access to the Azure subscription & Account
Can manage resources using the Portal & ARM APIs
Created when the Azure Account is created
Purpose: Manage Account & Subscriptions (new/existing). * Should not be used to manage Azure resources
Account Administrator
Max 1 per Azure Account
Manage (create/cancel) all subscriptions in the Account
Manage & change billing for subscriptions
Can change the Service Administrator
Service Administrator
Max 1 per Azure Subscription
Manage services in the Subscription
Cancel the subscription
Assign users to the Co-Administrator role
Can associate the subscription to a different Active Directory tenant
Co-Administrator
Max 200 per Azure Subscription
Can assign users to the Co-Administrator role
Cannot change the Service Administrator role
Cannot associate the subscription to a different Active Directory tenant
Same permissions as Service Administrator, but cannot cancel the subscription
* No other Roles are available at Account level and custom roles cannot be created
Srikanth cautioned Sara about the usage of Subscription Administrators
Classic Administrator Roles come with unlimited access to accounts and subscriptions, so he suggested the following best practices
Assess the need for the role before you assign it to a user
The Service Administrator role can:
Change the Active Directory domain or even add a new one
Cancel subscriptions
Order services on the subscription
Co-Administrators
The count should not be more than 1 or 2
Limit the permissions on specific subscription resources through Deny Assignments on Subscriptions
What happens when Sara creates an Azure Account
Roles assigned to Sara after account creation:
Azure Account, Classic Subscription Administrator Role(s): Account Administrator, Service Administrator (Account & Subscription(s) Management)
Azure Active Directory Tenant 1, Azure Active Directory Role(s): Global Administrator, User Administrator (AD Identity Management)
Azure Subscription 1, Azure Roles: Owner (Subscription & Resource(s) Management)
• Sara created an Azure account
• Azure Active Directory (AAD) tenant 1 and subscription 1 were created after account creation
• AAD is the identity management solution. More than 1 AAD tenant instance can be created later
• The Subscription is the billing relationship between Azure and Sara.
• More than 1 subscription can be created if you want to segregate billing for different applications
• 1 AAD tenant can be linked to many subscriptions
• 1 subscription can be linked to only one tenant
• An Account can have multiple Active Directory tenants and Subscriptions
Assignment/Transfer of Account Administration specific Roles to SaanV and Gita
Partner Management: SaanV, Partner, S5 Retail; Gita, Partner, S5 Pharma
Sara partnered with SaanV and Gita to manage the 2 business applications and created one subscription each:
“S5 Retail” with SaanV
“S5 Pharma” with Gita
Sara asked Srikanth to assign the following roles
Make SaanV “Service Administrator” of subscription “S5 Retail”
Make Gita “Co-Administrator” of subscription “S5 Pharma”
Make Srikanth a Co-Administrator of both subscriptions, temporarily (to manage the subscriptions for the time being)
Can you suggest why she made SaanV a Service Administrator while Gita a Co-Administrator?
Srikanth details Azure Active Directory Roles
Used to manage Azure AD resources in a directory. Different functions include user management, license management and managing domains.
Global Administrator
• The person who signs up for the Azure Account
• Manage access to admin features in Active Directory
• Assign admin roles to others
• Reset the password for any user
User Administrator
• Create & manage users
• Manage support tickets
• Manage service health
• Change passwords for users
Billing Administrator
• Make purchases
• Manage subscriptions
• Manage support tickets
• Manage service health
Azure Active Directory Roles are specifically related to the management of Active Directory objects and support different functions that can be set at directory level
Srikanth asserts the power of elevated access of the Azure AD Global Administrator
Azure AD and Azure resources are secured independently from each other
A Global Administrator for AD may not have access to all management groups & subscriptions
There may be a need to elevate Global Administrator access to:
Regain access / grant access to users or self on management groups & subscriptions
Allow apps to access the same
After access is elevated, the Global Administrator is assigned the User Access Administrator role
Toggle the elevated access off once the purpose is served
Elevation of access is mainly to allow the Global Administrator to act as User Access Administrator for management groups/subscriptions
Do we have any other Azure Active Directory Roles?
Yes, we do. Azure Active Directory is Microsoft’s cloud-based identity and access management service to manage
External resources: Microsoft 365, the Azure portal, other SaaS applications
Internal resources: apps on your corporate network, apps on the intranet, cloud apps developed by your own organization
Different roles are available with Azure Active Directory to enable users to perform different functions on different objects
Azure Active Directory roles are managed by Azure, and custom roles for Azure Active Directory can be created only if you have Azure AD Premium P1 or P2
Azure AD Types: Azure AD Free, Azure AD Premium P1, Azure AD Premium P2, Pay As You Go
Detailed list of other Azure Active Directory Administrator Roles
(The slide shows the list of Azure Active Directory Administrator Roles as an image)
S5Ent Roles on Azure Active Directory
Sara sees a need to
• Manage billing centrally
• Create/drop users in a single AD domain
• Have an administrator to manage AD end to end
Sara asked Srikanth to assign the following roles
Make Srini the User Administrator, Shaila the Billing Administrator and Srikanth the Global Administrator
What is the rationale behind Sara’s thought process?
Shaila: Accounting, S5 Ent; Srini: User Admin, S5 Ent
What are Azure Roles
Based on the Role Based Access Control (RBAC) mechanism
Owner
• Full access to resources
• Delegate access to others
Contributor
• Create & manage Azure resources
• Create a new tenant in Azure Active Directory
• Cannot grant access to resources
Reader
• Can view all the resources for a scope
User Access Administrator
• Manage user access to resources
Are these the only roles we can use to manage Azure Subscription resources?
Obviously no. We have other roles created by Azure to perform different functions on Azure services/resources. Some of the other built-in roles include: Virtual Machine Contributor, Storage Account Reader, Network Contributor, Backup Operator, App Configuration Data Owner
Custom Roles can be created only for Azure Roles
What is Azure Role Based Access Control (RBAC)
Azure Role Based Access Control (RBAC) manages access control for cloud resources.
Azure RBAC is an authorization system built on Azure Resource Manager (ARM) which provides fine-grained access to Azure resources
3 QUESTIONS TO ANSWER
Who has access to an Azure resource?
What can they do with those resources?
What specific areas do they have access to?
EXAMPLES
A DBA group to manage SQL and NoSQL databases
A Network Administrator to manage Virtual Networks and an Application Administrator to manage App Services
A Project Administrator to manage resources in a resource group
A Storage Admin to manage storage accounts
How Access Management is controlled in Azure RBAC
Role based access control is enabled through Role Definitions, Role Assignments, Deny Assignments and Custom Roles
Role Definition: a role definition (typically a role) is a collection of permissions. It supports operations like create, view, update and delete
Role Assignment: managing access to different Azure resources at a specific scope is enabled by a role assignment
Deny Assignment: denying access to different Azure resources at a specific scope is enabled by a deny assignment
Custom Roles: custom roles are created when built-in roles cannot fulfil the purpose
What is Role Definition
A role definition (typically a role) is a collection of permissions.
A role definition lists the operations that can be performed, such as read, write, and delete
2 Types of Roles
Built-in Roles (defined by Azure): of High Level or Resource Specific type
Custom Roles (defined by the implementation team): user-defined roles which define different access mechanisms to different resource-specific types
* Segregation into high level and resource specific types is only for our understanding
Revisit “Role Definition” aka Role
A Role Definition is a collection of permissions and has a Name and Description. Besides, a Role Definition/Permission has 5 Components:
Actions: management operations that the role allows to be performed
NotActions: management operations that are excluded from the allowed Actions
DataActions: data operations that the role allows to be performed on your data within that object
NotDataActions: data operations that are excluded from the allowed DataActions
AssignableScopes: the scopes at which the role is available for assignment
Management operations control access to resources, e.g. access a storage account; create, update and delete a blob container; delete a resource group & its resources
Data operations control access to the data underlying resources, e.g. read log files in a blob container, delete a message in a queue, write data into a text file in a container
The Storage Blob Data Reader role definition includes operations in both the Actions and DataActions properties. This role allows you to read the blob container and also the underlying blob data
The Storage Blob Reader role definition includes operations only in the Actions property. This role allows you to read the blob container. It is not allowed to read the underlying data
What are Role Assignments?
Control access to resources using Role Based Access Control (RBAC) in Azure by creating ROLE ASSIGNMENTS
A ROLE ASSIGNMENT has 3 elements:
Security Principal: the identity that requests access to an Azure resource
Role Definition: a collection of permissions
Scope: the set of resources that the access applies to
1. Who is a Security Principal?
A security principal is an Azure object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources
User: an individual who has a profile in Azure Active Directory
Group: a set of users created in Azure Active Directory
Service Principal: a security identity used by applications/services to access specific Azure resources
Managed Identity: an identity in Azure Active Directory that is automatically managed by Azure
2. What is a Role Definition?
A role definition (typically a role) is a collection of permissions. It lists the operations that can be performed, such as read, write, and delete, and comes in 2 types: Built-in Roles (defined by Azure) and Custom Roles (defined by the implementation team), as described under “What is Role Definition” above.
3. Define Scope
Scope is the set of resources that the access applies to.
Assign a role, and limit the actions allowed by defining a scope
Scope is additive, e.g. access granted at subscription level flows down to the resource groups and thereby to the resources
Hierarchy: Management Group > Subscription(s) > Resource Group(s) > Resource(s)
Each Management Group can have 1 or more subscriptions
Each Subscription can have 1 or more resource groups
Each Resource Group can have 1 or more resources and resource types
A Resource is the smallest unit in the scope
Definitions of objects in Scope (access inherits from parent scope to child scope)
Management Groups
Management groups are containers to manage access, policy, and compliance across multiple subscriptions. Management Groups enable an effective and efficient hierarchy that can be used with Azure Policy and RBAC controls. All subscriptions in a management group automatically inherit the conditions applied to the management group
Subscriptions
A subscription logically associates user accounts and the resources that were created by them. Organizations use subscriptions to manage costs and the resources that are created by users, teams, or projects.
Resource Groups
A resource group is a logical container into which Azure resources like services, databases, web apps, and storage accounts are deployed and managed.
Resources
Resources are the different services that we create in Azure, e.g. Containers, SQL Databases, Web Apps, Storage Accounts
What are Deny Assignments?
A set of deny actions applied to a Security Principal at a particular scope is a DENY ASSIGNMENT
A DENY ASSIGNMENT has 3 elements:
Security Principal: the identity that requests access to an Azure resource
Role Definition: the collection of permissions being denied
Scope: the set of resources that the deny applies to
Deny assignments prevent security principals from performing actions at a scope even when role assignments are defined at a level above
* Azure Blueprints and Azure managed apps are the only way to create deny assignments
Sara interrupted Srikanth with a question
At a specific scope (Management Groups/Subscriptions/Resource Groups/Resources), what takes precedence when both a Role Assignment and a Deny Assignment are defined?
Srikanth advised that RBAC always works with a role with limited access to perform a function
At a scope, a Deny Assignment always takes precedence over a Role Assignment
Sara and Srikanth are assigning roles
Srikanth is to oversee and manage administration across both subscriptions
Nara needs to be able to create and drop services
JC is to handle user access for services in both subscriptions and storage management
Lucky and Sailesh need to address auditing
Implementation of services is outsourced to Development Partners
Operations are outsourced to Managed Services partners
Srikanth is assigned the Owner role
Nara is assigned the Contributor role
JC is assigned User Access Administrator and Storage Account Contributor
Lucky & Sailesh are given the Reader role
Nara: Administrator; JC: User Access Administrator; Lucky: Internal Auditor; Sailesh: Auditor, External
Srikanth re-iterated about using resource specific roles
When permissions need to be granted to specific resource types in any scope, use resource specific roles
For e.g. for Storage you have roles to support Actions and Data Actions
Storage Account types and their specific roles (shown in the slide diagram): Blob, File, Queue
Sara and Srikanth are assigning roles
Problem
The Implementation Services team will have to access multiple services like storage, virtual machines, administration, monitoring and management
The Operations team needs to monitor and manage different services and even needs to perform fixes and other support activities
Solution
Create groups of users and assign multiple roles which provide Data Actions and Actions at a specific scope
Create groups and assign CUSTOM roles which span across multiple services
What are Custom Roles and Why?
Sometimes the Azure built-in roles do not serve the specific needs of your organization. Create custom roles to address the specific requirement
Custom Roles are user-defined roles with specific Actions, DataActions, NotActions and NotDataActions at a defined scope
Custom roles can be shared between subscriptions that trust the same Azure AD directory
Custom Roles can be created using Azure PowerShell, the Azure Portal, the Azure CLI or the REST API
It is easy to clone a role, edit the JSON document and assign permissions
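The following is an added example, not code from the slides or from Microsoft: a small Python model of how a custom role's five components, scope inheritance and deny assignments combine when Azure RBAC decides an access check (the material on role definitions, role assignments, scope and deny assignments above). The role name S5RetailAppLogViewer, the principals and the subscription id are assumed for illustration; the operation strings are real Azure operation names.

```python
"""Model of the Azure RBAC evaluation the slides describe (added example).

Not code from the slides or from Microsoft: a role definition carries the five
components (Actions, NotActions, DataActions, NotDataActions, AssignableScopes),
a role assignment covers its scope and every child scope, and a deny assignment
wins over any role assignment. Role, principal and scope names are assumed.
"""
from fnmatch import fnmatchcase

# Assumed scopes in the "S5 Retail" subscription.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/s5-retail-rg"
LOGS = RG + "/providers/Microsoft.Storage/storageAccounts/s5retaillogs"
DATA = RG + "/providers/Microsoft.Storage/storageAccounts/s5retaildata"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/s5-retail-web01"

ROLES = {
    # Management plane only: container metadata, never blob contents (like Storage Blob Reader).
    "Storage Blob Reader (modelled)": {
        "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "NotActions": [], "DataActions": [], "NotDataActions": [],
        "AssignableScopes": [SUB],
    },
    # Custom role from the S5 story: manage storage accounts and read VMs; NotActions
    # withhold deleting accounts and listing their keys; DataActions add reading blob data.
    "S5RetailAppLogViewer": {
        "Actions": ["Microsoft.Storage/storageAccounts/*",
                    "Microsoft.Compute/virtualMachines/read"],
        "NotActions": ["Microsoft.Storage/storageAccounts/delete",
                       "Microsoft.Storage/storageAccounts/listKeys/action"],
        "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
        "NotDataActions": [],
        "AssignableScopes": [SUB],
    },
}

# The three elements of a role assignment: security principal, role definition, scope.
ASSIGNMENTS = [
    {"Principal": "lucky@s5ent.example", "Role": "Storage Blob Reader (modelled)", "Scope": SUB},
    {"Principal": "dev-partner-group", "Role": "S5RetailAppLogViewer", "Scope": RG},
]

# In real Azure deny assignments come from Blueprints or managed apps; modelled directly here.
DENIES = [
    {"Principals": ["dev-partner-group"], "Scope": LOGS, "Actions": [],
     "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]},
]


def in_scope(assignment_scope: str, target: str) -> bool:
    """Scope is additive: an assignment covers its own scope and all child scopes."""
    a, t = assignment_scope.lower().rstrip("/"), target.lower()
    return t == a or t.startswith(a + "/")


def matches(patterns, operation: str) -> bool:
    """Azure's '*' wildcard spans '/' segments, which fnmatch's '*' also does."""
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)


def role_permits(role: dict, operation: str, is_data: bool) -> bool:
    """NotActions/NotDataActions only subtract from the allowed set; they never grant."""
    allow = role["DataActions"] if is_data else role["Actions"]
    exclude = role["NotDataActions"] if is_data else role["NotActions"]
    return matches(allow, operation) and not matches(exclude, operation)


def is_allowed(principal: str, operation: str, scope: str, is_data: bool = False) -> bool:
    # 1. Deny assignments are checked first and take precedence at the scope.
    for d in DENIES:
        if (principal in d["Principals"] and in_scope(d["Scope"], scope)
                and matches(d["DataActions"] if is_data else d["Actions"], operation)):
            return False
    # 2. Otherwise any covering role assignment whose definition permits the operation grants it.
    return any(in_scope(a["Scope"], scope) and role_permits(ROLES[a["Role"]], operation, is_data)
               for a in ASSIGNMENTS if a["Principal"] == principal)


if __name__ == "__main__":
    op = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    print("deny wins in s5retaillogs:", is_allowed("dev-partner-group", op, LOGS, is_data=True))
    print("allowed in s5retaildata:", is_allowed("dev-partner-group", op, DATA, is_data=True))
```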
Custom Roles created to fulfil Sara's Azure RBAC requirements (slide diagram)
Custom roles: S5RetailAppDeveloper, S5PharmaAppDeveloper, S5EntLogViewer, S5RetailStorageContributor, S5PharmaStorageContributor, S5EntDataAdmin, S5EntSecretsManager, S5RetailAppLogViewer
Resources in the Retail subscription covered by the roles: Storage, VM, MySQL, ELB, Disk, Logs, Data
Sara pointed out one concern about subscriptions and Active Directory
I understand that multiple subscriptions can be assigned to an Active Directory Tenant.
• What happens when one subscription is moved from Active Directory Tenant 1 to Active Directory Tenant 2?
• She raised the concern because there may be a need to separate one of the subscriptions under a new domain
Subscription 1 moves from Azure Active Directory Tenant 1 to Azure Active Directory Tenant 2
Impacted RBAC services
Role Assignments: role assignments are permanently deleted. Map the security principals to the corresponding objects in the new AD tenant and recreate the role assignments
Custom Roles: custom roles are permanently deleted. Recreate the custom roles and the role assignments
Sara has concerns about tracking changes in Azure RBAC
To track changes with respect to auditing, especially:
Create role assignment
Delete role assignment
Create or update custom role definition
Delete custom role definition
The Activity Log logs all the activities to support auditing and troubleshooting purposes
Changes in role assignments, custom role definitions and activities are tracked
It hosts the log data for 90 days
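As an added example (not from the slides), the following Python picks the four RBAC change operations listed above out of exported Activity Log records, keeps only the successful ones and works out the scope level of each change; the sample events, callers and ids are constructed for illustration.

```python
"""Pick RBAC changes out of exported Azure Activity Log records (added example).

Not code from the slides: it filters Activity Log events for the four RBAC change
operations the slides list, keeps only successful ones, and works out the scope
level each change was made at. SAMPLE_EVENTS is a constructed sample in the shape
of exported Activity Log JSON (operationName.value, caller, resourceId,
eventTimestamp, status.value); the names and ids in it are made up.
"""
import json
from collections import Counter

RBAC_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write": "role assignment created",
    "Microsoft.Authorization/roleAssignments/delete": "role assignment deleted",
    "Microsoft.Authorization/roleDefinitions/write": "custom role created/updated",
    "Microsoft.Authorization/roleDefinitions/delete": "custom role deleted",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # assumed subscription id
AUTHZ = "/providers/Microsoft.Authorization/"

SAMPLE_EVENTS = json.dumps([  # constructed sample records
    {"eventTimestamp": "2021-03-01T09:00:00Z", "caller": "srikanth@s5ent.example",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "resourceId": SUB + AUTHZ + "roleAssignments/11111111-1111-1111-1111-111111111111",
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2021-03-01T09:05:00Z", "caller": "srikanth@s5ent.example",
     "operationName": {"value": "Microsoft.Authorization/roleDefinitions/write"},
     "resourceId": SUB + AUTHZ + "roleDefinitions/22222222-2222-2222-2222-222222222222",
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2021-03-02T14:30:00Z", "caller": "jc@s5ent.example",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "resourceId": SUB + "/resourceGroups/s5-retail-rg" + AUTHZ
                   + "roleAssignments/33333333-3333-3333-3333-333333333333",
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2021-03-02T14:31:00Z", "caller": "nara@s5ent.example",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "resourceId": SUB + AUTHZ + "roleAssignments/44444444-4444-4444-4444-444444444444",
     "status": {"value": "Failed"}},  # Nara is a Contributor: cannot grant access
    {"eventTimestamp": "2021-03-02T15:00:00Z", "caller": "nara@s5ent.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
     "resourceId": SUB + "/resourceGroups/s5-retail-rg/providers/Microsoft.Compute/virtualMachines/web01",
     "status": {"value": "Succeeded"}},
])


def scope_of(resource_id: str) -> str:
    """The scope of an authorization object is everything before its Microsoft.Authorization segment."""
    head, sep, _ = resource_id.partition(AUTHZ)
    return head if sep else resource_id


def scope_level(scope: str) -> str:
    s = scope.lower()
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "management group"
    if "/resourcegroups/" not in s:
        return "subscription"
    return "resource" if "/providers/" in s else "resource group"


def rbac_changes(events_json: str) -> list:
    """Return the successful RBAC changes, oldest first, as small dicts."""
    changes = []
    for ev in json.loads(events_json):
        op = ev["operationName"]["value"]
        if op not in RBAC_OPERATIONS or ev["status"]["value"] != "Succeeded":
            continue
        scope = scope_of(ev["resourceId"])
        changes.append({"when": ev["eventTimestamp"], "caller": ev["caller"],
                        "change": RBAC_OPERATIONS[op], "scope": scope,
                        "level": scope_level(scope)})
    return sorted(changes, key=lambda c: c["when"])


def changes_by_caller(changes: list) -> Counter:
    """Who is making access changes: a quick way to spot unexpected callers."""
    return Counter(c["caller"] for c in changes)


if __name__ == "__main__":
    for c in rbac_changes(SAMPLE_EVENTS):
        print(f'{c["when"]} {c["caller"]:<26} {c["change"]:<28} at {c["level"]}')
```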
Sara is a young entrepreneur running “S5 Enterprise”. Sara is planning to launch 2 business applications, “S5 Retail” and “S5 Pharma”, partnering with SaanV and Gita respectively.
With the cloud revolution in place, Sara is planning to host the applications on Azure. Sara hired different professionals to support her in building the applications.
Sara believes in understanding things before she applies them. Besides, Sara had gone through the fundamentals of Azure before she decided to launch the applications. Sara understands that users need to be given least privilege to perform their functions. She wants to implement best practices while building her solution on Azure.
Sara converses with Srikanth Kappagantula, an Azure Administrator, to understand Azure specifics in terms of Accounts, Subscriptions, and Tenants while setting up the Azure Account.
The Team includes
Business Partners
SaanV, Partner “S5 Retail”
Gita, Partner “S5 Pharma”
Internal Team
Srikanth Kappagantula, Azure Administrator
Srini, User Admin
Shaila, Accounting
Nara, Administrator
JC, User Access Administrator
Lucky, Internal Auditor
External Teams
Sailesh, External Auditor
Development Team, Development Partners
Operations Team, Managed Services Partners
A Role is a collection of permissions on objects in a namespace.
Generally a Role has a unique name and a description with a collection of permissions.
Roles are assigned to Security Principals (Users, Groups, Service Principals, and Managed Identities), allowing them to perform operations such as read, write, and delete on objects in a namespace.
Every security principal is allocated to ROLES with LEAST PRIVILEGE, which allows them to perform or not perform certain Actions.
Besides, LEAST PRIVILEGE defines the ability to perform/not perform specific Actions at the mentioned SCOPE. Not More, Not Less.
Scope is the set of resources that the access applies to and, when a role is assigned, we can further limit the actions allowed by defining a scope. To understand scope, let us define some common terms we use across the solution.
Azure Account
A globally unique entity
Can be an Individual Account or an Organization Account
An Account contains multiple subscriptions & Active Directory tenants
An Organization is a business entity identified by one or more public DNS domain names
Azure Active Directory Tenant
Representation of an organization
A unique instance of Azure Active Directory
A tenant has its own identities and app registrations
An Azure Active Directory Tenant can have more than 1 subscription
Management Groups
Management groups are containers to manage access, policy, and compliance for multiple subscriptions
Subscriptions in a management group automatically inherit the conditions
Subscription
An agreement with Microsoft to use Microsoft cloud platforms or services
The billing relationship between the party and Azure
Can host resource groups (resource containers) & resources
1 Subscription can be allocated to only 1 Active Directory Tenant
Resource Group
A Resource Group is a logical container for resources
A Subscription can have 1 or more resource groups
1 Resource Group can be allocated to only one subscription
A Resource Group stores its metadata in a location
Resource
Resources are instances of Azure services, e.g. virtual machines, storage, or SQL databases
A Resource can be assigned to only one resource group
The location of a resource can be different from the location of its resource group
Roles are defined for a pre-defined scope, and roles are allocated at a specific scope
Each Account can have 1 or more Azure Active Directory Tenants and subscriptions
Each Azure Active Directory Tenant can be linked to more than 1 subscription, while the converse is not true
Every Organization can have multiple Management Groups
Every Management Group can have more than 1 subscription
Every subscription can have more than 1 resource group
Every resource group can have more than 1 resource
Types of Roles in Azure
There are 3 types of roles in Azure that can be assigned at a scope
Classic Subscription Administrator roles
Classic Subscription roles are applied at Azure account level. These roles deal with management of the Account and configuration of its Active Directory Tenant(s) and Subscription(s). Mostly these roles are managed by the user/organization who creates the account. They nominate other users to manage the account to handle specific functions. These roles come with unlimited access. Be very cautious when you assign this role to a user
These roles are built and managed only by Microsoft. We cannot create custom role(s) at this level.
Azure Active Directory Tenant roles
Azure Active Directory Tenant roles, as the name suggests, are related to the Azure Active Directory Tenant. These roles have full/unlimited access to the AD objects and properties tagged to the identified role. Mostly 2-3 roles are used if we are dealing only with Azure. In case we are also opting for Microsoft 365, then a greater number of roles need to be used to manage functions.
At Active Directory Tenant level, you can create custom roles that span across multiple objects. Only Azure AD Premium P1 and P2 support creating custom roles
Azure roles
These roles are based on Role Based Access Control (RBAC). They can be applied to Management Group(s) -> Subscription(s) -> Resource Group(s) -> Resource(s). The roles exhibit inheritance in relation to scope: when applied at a scope, the role access automatically applies to the child scopes. The role at a scope is additive to the child scope(s).
Custom roles can be created to address specific needs at this level
Classic subscription administrators have full access to the Azure subscription
The Service Administrator & Co-Administrator roles are assigned to the account that signs up for the subscription with Azure
The Service Administrator & Co-Administrator roles are equivalent to the Azure Role “Owner” at Subscription scope
A Role/Role Definition is a collection of permissions on objects in a namespace.
Generally a Role has a unique name and a description with a collection of permissions. A role definition is assigned to Security Principals (Users, Groups, Service Principals, and Managed Identities), allowing them to perform operations such as read, write, and delete on objects in a namespace.
Every security principal is allocated to ROLES with LEAST PRIVILEGE, which allows them to perform or not perform certain Actions.
Besides, LEAST PRIVILEGE defines the ability to perform/not perform specific Actions at the mentioned SCOPE. Not More, Not Less.