Identity and Access Management (IAM) Flashcards
Azure Role-Based Access Control (RBAC)
Azure RBAC is a cloud-based access management system provided by Microsoft Azure. Its purpose is to regulate and control access to Azure resources.
Implementation
Security Principal: Who/what is being assigned access?
-Supports: Users, Security Groups, Apps, and Managed Identities.
Role Definition: What are the permissions?
-The permissions being granted, as defined by built-in or custom roles.
- Owner, Contributor, Reader, and Data
Scope: Where will the permissions apply?
-Management Group, Subscription, Resource Group, or Resource.
Entra ID Roles
Access control for the Entra ID Tenant itself, rather than for Azure resources: an identity within the Tenant managing and working with the objects within the Tenant itself.
Implementation
Security Principal: Who/what is being assigned access?
-Supports: Users, Security Groups (requires P1 license), and Apps
Role Definition: The permissions being granted, as defined by built-in or custom roles.
-Custom Entra ID roles require Premium P1 licenses.
-Role-assignable groups require premium licensing.
Scope: Tenant (Directory), Administrative Units, or App.
Azure RBAC Custom Roles
There may be scenarios where the predefined roles do not meet your specific requirements, and this is where Custom Roles come into play. The way we configure a Custom Role is by creating it with a Role Definition.
Role Definition:
-Metadata: Name, description, ID, etc.
-Permissions: For management/data operations
–Actions: Allowed control plane actions (not data operations); nothing has to be explicitly denied
–NotActions: Control plane actions subtracted from Actions (a subtraction, not a deny)
–DataActions: Allowed data plane actions
–NotDataActions: Subtracted data plane actions
-Scope: Defines where the role can be used (AssignableScopes)
–Root: “/*”, available to all scopes; only usable by built-in roles
–Management Groups: “/providers/Microsoft.Management/managementGroups/ID” (For custom)
–Subscriptions: “/subscriptions/ID” (one or more) (For custom)
–Resource Groups: “/subscriptions/ID/resourcegroups/name” (one or more) (For custom)
Considerations:
-Custom Roles are available without any special licensing requirements
-Azure RBAC is not Azure Policy: RBAC grants permissions, Policy enforces standards.
-To configure Custom Roles you require Owner or User Access Administrator permissions.
Entra ID Custom Roles
There are scenarios where we might need to provide specific permissions that aren’t covered by built-in roles.
-Permissions always start with “microsoft.directory/”
Considerations
-Entra ID Custom Roles require Entra ID Premium P1 licensing at least.
-Using PowerShell or the MS Graph API provides more control over the role definition.
-To create a custom role you must have “Global Admin” or “Privileged Role Admin” permissions.