1.2 Manage access to Azure Resources Flashcards
What are the different roles in Azure?
There are three types of roles available for access management:
1. Entra roles (resource type roles)
- Manage access to Azure resources
- Support custom roles
- Scope can be specified at multiple levels: management group, subscription, resource group, resource
2. Microsoft Entra admin roles (administrator type roles)
- Manage access to Microsoft Entra ID resources
- Support custom roles
- Scope can be specified at the tenant level (organization-wide), at an administrative unit, or on an individual object such as an application
Remember:
RBAC manages access to Azure resources and provides authorization. Azure AD roles (Global Admin, User Admin, Billing Admin) manage Azure identities instead and give access across the entire tenant.
What are Microsoft Entra admin roles?
- Microsoft Entra roles include built-in administrator roles that define permissions for managing Azure AD resources such as users, groups and applications. Examples include Global Administrator, User Administrator, and Application Administrator.
- They are used to manage Microsoft Entra resources in Microsoft Entra ID such as users, groups, and domains. These roles are defined for the Microsoft Entra tenant at the root level of the configuration.
The different Microsoft Entra roles are:
Global Admin
- Most powerful access
- Full access to all Azure AD and other service admin roles
User Admin
- Can manage user accounts and groups in Azure AD
- Can reset passwords, manage user roles, and create and manage user accounts
Application Admin
- Can manage application registrations, including creating and updating them
Billing Admin
- Make purchases
- Manage subscriptions
- Manage support tickets
- Monitor service health
What is Azure RBAC? (Azure roles)
1. RBAC allows you to determine what operations specific users can do on specific resources and control what areas of a resource each user can access.
2. Azure RBAC is an authorization system built on Azure Resource Manager (ARM) that provides fine-grained access management to Azure resources such as compute and storage.
Things to know about Azure RBAC:
1. You can allow an application to access all resources in a resource group.
2. You can allow a user to manage all VMs in a subscription and another user to manage virtual networks.
Manage built-in Azure roles
The built-in Azure roles are:
1. Owner
Has full access to all resources, including the ability to delegate access to others. Owners can manage everything, from resource creation to deletion, and can assign roles to others.
*Note: The service admin and co-admin are assigned the Owner role at the subscription level.
2. Contributor
Can create and manage all types of Azure resources but cannot grant access to others.
3. Reader
Can only view resources.
4. User Access Administrator
Can manage user access to Azure resources. User Access Administrators can assign roles to users, groups, and service principals but do not have the rights to modify resources directly.
5. Backup Operator
6. Security Reader
7. VM Contributor
*Make sure to know the difference between the Owner, Contributor and User Access Administrator roles.
Assign roles at different scopes (hierarchy)
RBAC controls access to resources by assigning Azure roles. A role assignment consists of three elements:
1. Security principal
2. Role definition
3. Scope
Permissions or policies set at a given scope are inherited by all child scopes, and this inheritance cannot be broken.
Security principal
An object that represents a user, group, service principal or managed identity that is requesting access to Azure resources. You can assign a role to any of these security principals.
Role definition
- A role definition is a collection of permissions. It lists the actions that can be performed, such as read, write and delete.
- A role definition consists of sets of permissions that are defined in a JSON file:
- Actions: identify what actions are allowed
- NotActions: specify what actions are not allowed
- DataActions: indicate how data can be changed or used
- AssignableScopes: list the scopes where the role definition can be assigned
Things to know about role definitions:
1. Azure provides built-in roles and permission sets. You can also create custom roles and permissions.
2. The Owner built-in role has the highest level of access privilege.
3. The system subtracts NotActions permissions from Actions permissions to determine the effective permissions for a role.
4. The AssignableScopes for a role can be management groups, subscriptions, resource groups or resources.
Example of a role definition
The role definition for the Contributor role is:
    {
      "actions": [ "*" ],
      "notActions": [
        "Authorization/*/Delete",
        "Authorization/*/Write",
        "Authorization/elevateAccess/Action"
      ],
      "dataActions": [],
      "notDataActions": [],
      "assignableScopes": [ "/" ]
    }
- "Authorization/*/Delete": not authorized to delete or remove any authorization object
- "Authorization/*/Write": not authorized to write or change any authorization object
- "Authorization/elevateAccess/Action": not authorized to increase the level or scope of access privileges
- notDataActions: no specific actions are listed, therefore no data actions are excluded
- assignableScopes: "/" means the role can be assigned at all scopes
Scope
The set of resources that the access applies to. When you assign a role you can further limit the actions allowed by defining a scope.
You can specify a scope at four levels:
1. Management group
2. Subscription
3. Resource group
4. Resource
Role assignment
The process of attaching a role definition to a user, group, service principal or managed identity at a particular scope for the purpose of granting access.
In the example diagram:
1. The security principal is the Marketing group.
2. The Marketing group has been assigned the Contributor role for the Pharma Sales resource group.
3. This means the Marketing group can create or manage all the Azure resources in the Pharma Sales resource group.
4. The scope has been set at the resource group level.
Interpret access assignments