Manage authorization by using Microsoft Entra ID Flashcards

1
Q

Azure Management Groups

A

Management groups provide a governance scope above subscriptions. You organize subscriptions into management groups; the governance conditions you apply cascade by inheritance to all associated subscriptions.

Management groups give you enterprise-grade management at scale, no matter what type of subscriptions you might have. However, all subscriptions within a single management group

2
Q

Facts about management groups

A

10,000 management groups can be supported in a single directory.

A management group tree can support up to six levels of depth. This limit doesn’t include the Root level or the subscription level.

Each management group and subscription can only support one parent.

Each management group can have many children.

All subscriptions and management groups are within a single hierarchy in each directory.

3
Q

Root Management Group?

A

Each directory is given a single top-level management group called the root management group. The root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level. The Microsoft Entra ID Global Administrator needs to elevate themselves to the User Access Administrator role of this root group initially. After elevating access, the administrator can assign any Azure role to other directory users or groups to manage the hierarchy. As an administrator, you can assign your account as the owner of the root management group.

4
Q

Facts about the Root Management Group

A

By default, the root management group’s display name is Tenant root group and it operates as a management group itself. Its ID is the same value as the Microsoft Entra tenant ID.

To change the display name, your account must be assigned the Owner or Contributor role on the root management group.

The root management group can’t be moved or deleted, unlike other management groups.

All subscriptions and management groups fold up into one root management group within the directory.

All resources in the directory fold up to the root management group for global management.

New subscriptions are automatically defaulted to the root management group when created.

All Azure customers can see the root management group, but not all customers have access to manage that root management group.

Everyone who has access to a subscription can see the context of where that subscription is in the hierarchy.

No one is given default access to the root management group. Microsoft Entra ID Global Administrators are the only users that can elevate themselves to gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it.

5
Q

Initial setup of management groups

A

When any user starts using management groups, there’s an initial setup process that happens. The first step is that the root management group is created in the directory. Once this group is created, all existing subscriptions in the directory are made children of the root management group. The reason for this process is to make sure there’s only one management group hierarchy within a directory. The single hierarchy within the directory allows administrative customers to apply global access and policies that other customers within the directory can’t bypass. Anything assigned on the root will apply to the entire hierarchy, which includes all management groups, subscriptions, resource groups, and resources within that Microsoft Entra ID tenant.

6
Q

Azure role-based access control

A

Access management for cloud resources is a critical function for any organization that is using the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources.

7
Q

Security principal

A

A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources. You can assign a role to any of these security principals.

8
Q

Scope

A

Scope is the set of resources that the access applies to. When you assign a role, you can further limit the actions allowed by defining a scope. This is helpful if you want to make someone a Website Contributor, but only for one resource group.

9
Q

Role assignments

A

A role assignment is the process of attaching a role definition to a user, group, service principal, or managed identity at a particular scope for the purpose of granting access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment.

10
Q

Groups - What happens if a user is in multiple groups?

A

Role assignments are transitive for groups, which means that if a user is a member of a group and that group is a member of another group that has a role assignment, the user will have the permissions in the role assignment.

So what happens if you have multiple overlapping role assignments? Azure RBAC is an additive model, so your effective permissions are the sum of your role assignments. Consider the following example where a user is granted the Contributor role at the subscription scope and the Reader role on a resource group. The sum of the Contributor permissions and the Reader permissions is effectively the Contributor role for the subscription. Therefore, in this case, the Reader role assignment has no impact.

11
Q

Deny Assignments RBAC

A

Previously, Azure RBAC was an allow-only model with no deny, but now Azure RBAC supports deny assignments in a limited way. Similar to a role assignment, a deny assignment attaches a set of deny actions to a user, group, service principal, or managed identity at a particular scope for the purpose of denying access. A role assignment defines a set of actions that are allowed, while a deny assignment defines a set of actions that are not allowed. In other words, deny assignments block users from performing specified actions even if a role assignment grants them access. Deny assignments take precedence over role assignments.

12
Q

How Azure RBAC determines if a user has access to a resource

A

A user (or service principal) acquires a token for Azure Resource Manager. The token includes the user’s group memberships (including transitive group memberships).
The user makes a REST API call to Azure Resource Manager with the token attached.
Azure Resource Manager retrieves all the role assignments and deny assignments that apply to the resource upon which the action is being taken.
If a deny assignment applies, access is blocked. Otherwise, evaluation continues.
Azure Resource Manager narrows the role assignments that apply to this user or their group and determines what roles the user has for this resource.
Azure Resource Manager determines if the action in the API call is included in the roles the user has for this resource. If the roles include Actions that have a wildcard (*), the effective permissions are computed by subtracting the NotActions from the allowed Actions. Similarly, the same subtraction is done for any data actions.

13
Q

Where is Azure RBAC data stored?

A

Role definitions, role assignments, and deny assignments are stored globally to ensure that you have access to your resources regardless of the region in which you created the resource.

When a role assignment or any other Azure RBAC data is deleted, the data is globally deleted. Principals that had access to a resource via Azure RBAC data will lose their access.

14
Q

Why is Azure RBAC data global?

A

Azure RBAC data is global to ensure that customers can access resources in a timely way regardless of where they are accessing them from. Azure RBAC is enforced by Azure Resource Manager, which has a global endpoint, and requests are routed to the nearest region for speed and resilience. Therefore, Azure RBAC must be enforced in all regions and the data is replicated to all regions.

15
Q

What is Azure RBAC?

A

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope.

16
Q

Entra roles

A

In Microsoft Entra ID, if another administrator or non-administrator needs to manage Microsoft Entra resources, you assign them a Microsoft Entra role that provides the permissions they need. For example, you can assign roles to allow adding or changing users, resetting user passwords, managing user licenses, or managing domain names.

17
Q

What does the Application Administrator role do?

A

This is a privileged role. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

This role also grants the ability to consent for delegated permissions and application permissions, with the exception of application permissions for Microsoft Graph.

18
Q

Entra vs. Azure?

A

Every Azure subscription has a trust relationship with an Entra ID tenant. This means the subscription relies on the tenant to authenticate and authorize users and devices that access Azure resources.

A subscription can only trust one tenant at a time, but a tenant can be trusted by multiple subscriptions. This allows an organization to manage access to different Azure resources using a single Entra ID.

The primary difference between Azure roles and Microsoft Entra ID roles lies in the resources they manage.

Azure roles primarily govern access to resources deployed inside the cloud, including virtual networks, machines, and resource groups, with role assignments possible at various scopes.

On the other hand, Microsoft Entra ID roles operate on identity objects at the tenant level and impact users’ abilities within that specific tenant. Although Microsoft Entra ID roles are typically set at a tenant level, you can make scope adjustments using administrative units. These are used as logical containers that give you more refined control over access permissions.

19
Q

Entra role-based access controls

A

Microsoft Entra roles allow you to grant granular permissions to your admins, abiding by the principle of least privilege. Microsoft Entra built-in and custom roles operate on concepts similar to those you find in the role-based access control system for Azure resources (Azure roles). The difference between these two role-based access control systems is:

Microsoft Entra roles control access to Microsoft Entra resources such as users, groups, and applications using the Microsoft Graph API
Azure roles control access to Azure resources such as virtual machines or storage using Azure Resource Management

20
Q

Role assignment in Entra

A

Role assignment
A role assignment is a Microsoft Entra resource that attaches a role definition to a security principal at a particular scope to grant access to Microsoft Entra resources. Access is granted by creating a role assignment, and access is revoked by removing a role assignment. At its core, a role assignment consists of three elements:

Security principal - An identity that gets the permissions. It could be a user, group, or a service principal.
Role definition - A collection of permissions.
Scope - A way to constrain where those permissions are applicable.

21
Q

How Microsoft Entra ID determines if a user has access to a resource

A

A user (or service principal) acquires a token to the Microsoft Graph endpoint.

The user makes an API call to Microsoft Entra ID via Microsoft Graph using the issued token.

Depending on the circumstance, Microsoft Entra ID takes one of the following actions:

Evaluates the user’s role memberships based on the wids claim in the user’s access token.
Retrieves all the role assignments that apply for the user, either directly or via group membership, to the resource on which the action is being taken.
Microsoft Entra ID determines if the action in the API call is included in the roles the user has for this resource.

If the user doesn’t have a role with the action at the requested scope, access is not granted. Otherwise access is granted.

22
Q

Azure built-in roles

A

Azure role-based access control (Azure RBAC) has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities. Role assignments are the way you control access to Azure resources. If the built-in roles don’t meet the specific needs of your organization, you can create your own Azure custom roles.

23
Q

List of built-in Azure roles

A

Built-in role - Description

Contributor - Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
Owner - Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
Reader - View all resources, but does not allow you to make any changes.
Role Based Access Control Administrator - Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.
User Access Administrator - Lets you manage user access to Azure resources.

24
Q

Microsoft Entra Permissions Management

A

Microsoft Entra Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities, for example over-privileged workload and user identities, actions, and resources across multicloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

Permissions Management detects, automatically right-sizes, and continuously monitors unused and excessive permissions.

Organizations have to consider permissions management as a central piece of their Zero Trust security to implement least privilege access across their entire infrastructure:
Organizations are increasingly adopting multicloud strategy and are struggling with the lack of visibility and the increasing complexity of managing access permissions.
With the growth of identities and cloud services, the number of high-risk cloud permissions is exploding, expanding the attack surface for organizations.
IT security teams are under increased pressure to ensure access to their expanding cloud estate is secure and compliant.
The inconsistency of cloud providers’ native access management models makes it even more complex for Security and Identity to manage permissions and enforce least privilege access policies across their entire environment.

25
Q

Key use cases of Permissions Management

A

Permissions Management allows customers to address three key use cases: discover, remediate, and monitor.

Permissions Management is designed in such a way that we recommend you step through each of these phases in order to gain insights into permissions across the organization. This is because you generally can’t take action on what hasn’t been discovered; likewise, you can’t continually evaluate what hasn’t been remediated.

26
Q

Implement and manage Microsoft Entra Permissions Management

A

Configure data collection settings
Use the Data Collectors dashboard in Permissions Management to configure data collection settings for your authorization system.

If the Data Collectors dashboard isn’t displayed when Permissions Management launches:

In the Permissions Management home page, select Settings (the gear icon), then select the Data Collectors subtab.
Select the authorization system you want: AWS, Azure, or GCP.

For information on how to onboard an AWS account, Azure subscription, or GCP project into Permissions Management, select one of the following articles and follow the instructions:

Onboard an AWS account
Onboard an Azure subscription
Onboard a GCP project

27
Q

Zero Trust

A

Zero Trust is a new security model that assumes breach and verifies each request as though it originated from an uncontrolled network. In this article, you’ll learn about the guiding principles of Zero Trust and find resources to help you implement Zero Trust.

Guiding principles of Zero Trust
Today, organizations need a new security model that effectively adapts to the complexity of the modern environment, embraces the mobile workforce, and protects people, devices, applications, and data wherever they are located.

To address this new world of computing, Microsoft highly recommends the Zero Trust security model, which is based on these guiding principles:

Verify explicitly - Always authenticate and authorize based on all available data points.
Use least privilege access - Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.
Assume breach - Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

28
Q

Microsoft Entra Privileged Identity Management

A

Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:

Provide just-in-time privileged access to Microsoft Entra ID and Azure resources
Assign time-bound access to resources using start and end dates
Require approval to activate privileged roles
Enforce multifactor authentication to activate any role
Use justification to understand why users activate
Get notifications when privileged roles are activated
Conduct access reviews to ensure users still need roles
Download audit history for internal or external audit
Prevents removal of the last active Global Administrator and Privileged Role Administrator role assignments

Once you set up Privileged Identity Management, you’ll see Tasks, Manage, and Activity options in the left navigation menu. As an administrator, you can choose between options such as managing Microsoft Entra roles, managing Azure resource roles, or PIM for Groups. When you choose what you want to manage, you see the appropriate set of options for that selection.