Management of Azure Roles & RBAC
S5 Cloud Education
S5-Cloud-Education-105146271333771
@s5cloudedu
srikanth-kappagantula.blogspot.com
https://medium.com/@s5cloudeducation
https://www.slideshare.net/krishnasrikanthk
sites.google.com/view/s5cloudeducation
Srikanth Kappagantula explains to Sara the specifics of the different types of Azure roles and of access management through RBAC (Role Based Access Control).
Context
• Sara is the owner of the start-up “S5 Enterprise”.
• Sara launched two business applications, “S5 Retail” and “S5 Pharma”, on Azure, partnering with SaanV and Gita.
• Sara hired different professionals to support her in building the applications.
• She is conversing with Srikanth K, an Azure Administrator, to understand Azure specifics in terms of Accounts, Subscriptions and Tenants.
• Srikanth defines roles and explains role specifics, their scope, access management, etc.
People in the scenario
• Sara: Owner, S5 Ent
• Srikanth: Azure Administrator
• SaanV: Partner, S5 Retail
• Gita: Partner, S5 Pharma
• Partner Management, HR & Accounting: Shaila (Accounting, S5 Ent), Srini (User Admin, S5 Ent)
• Nara: Administrator
• JC: User Access Administrator
• Lucky: Internal Auditor
• Sailesh: Auditor, External
• Development Teams: Development Partners
• Operations Team: Managed Services Partners
Definition of Role(s)
A role is a collection of permissions on objects in a namespace. A role has a name, a namespace/scope and a set of permissions (Create, Read, Update, Delete), and it is assigned to security principals.
SCENARIO
Users/identities are allocated to ROLES with LEAST PRIVILEGE, which allows them to perform, or not perform, certain Actions.
LEAST PRIVILEGE means the ability to perform only the specific Actions needed, at the stated SCOPE: not more, not less.
What is Scope?
Azure Account
• A globally unique entity
• Can be an individual account or an organization account
• An account contains multiple subscriptions and Active Directory tenants
• An organization is a business entity, identified by one or more public DNS domain names
Azure Active Directory Tenant
• Representation of an organization
• A unique, dedicated instance of Azure Active Directory
• A tenant has its own identities and app registrations
• An Azure Active Directory tenant can have more than one subscription
Management Groups
• Management groups are containers to manage access, policy and compliance for multiple subscriptions
• Subscriptions in a management group automatically inherit the conditions applied to the group
Subscription
• An agreement with Microsoft to use Microsoft cloud platforms or services
• The billing relationship between a party and Azure
• Hosts resource groups (resource containers) and resources
• One subscription can be associated with (trust) only one Active Directory tenant
Resource Group
• A resource group is a logical container for resources
• A subscription can have one or more resource groups
• One resource group can belong to only one subscription
• A resource group stores its metadata in a location (region)
Resources
• Resources are instances of Azure services, e.g. virtual machines, storage accounts or SQL databases
• A resource can be assigned to only one resource group
• The location of a resource can differ from the location of its resource group
Scope hierarchy (as drawn on the slide): Account > Azure Active Directory Tenant > Management Groups > Subscription > Resource Group > Resource
Relationship between Accounts & other objects
(Diagram) An Account has 1..n Azure Active Directory Tenants; a Tenant has 1..n Subscriptions; a Subscription has 1..n Resource Groups; a Resource Group has 1..n Resources. Management Groups sit above Subscriptions and each contains 1..n of them.
Types of Roles in Azure, Scope and Relationship
Role types in Azure: Classic Subscription Administrator Roles, Azure Active Directory Roles, Azure Roles (based on RBAC)
Role type and its scope:
• Classic Subscription Administrator Roles: Azure Account & Subscriptions
• Azure Active Directory Roles: Azure Active Directory Tenant
• Azure Roles: Management Groups, Azure Subscriptions, Resource Groups & Resources
What are these different types of roles in Azure?
Classic Subscription Administrator Roles (Account & Subscription(s) Management)
• Have full access to the Azure subscription & account
• Can manage resources using the Portal & ARM APIs
• Created when the Azure account is created
• Roles: Account Administrator, Service Administrator, Co-Administrator
Azure Active Directory (Azure AD) roles (Identity Management)
• Used to manage Azure AD resources in a directory
• Perform different functions: user management, license management, managing domains
• Examples: Global Administrator, User Administrator, Billing Administrator
Azure Roles (Subscription & Resource(s) Management)
• Based on Role based access control (RBAC)
• An authorization system that provides fine-grained access to Azure resources
• Has 4 fundamental roles (Owner, Contributor, Reader, User Access Administrator) plus a large and growing set of built-in roles (around 70 when these slides were written, several hundred today)
Users/identities are allocated to roles with LEAST PRIVILEGE, which allows them to perform, or not perform, certain Actions.
Classic Subscription Administrator Roles
• Have full access to the Azure subscription & account
• Can manage resources using the Portal & ARM APIs
• Created when the Azure account is created
Purpose: manage the account & subscriptions (new/existing). * Should not be used to manage Azure resources.
Account Administrator
• Max 1 per Azure account
• Manages (creates/cancels) all subscriptions in the account
• Manages & changes billing for subscriptions
• Can change the Service Administrator
Service Administrator
• Max 1 per Azure subscription
• Manages services in the subscription
• Can cancel the subscription
• Assigns users to the Co-Administrator role
• Can associate the subscription with a different Active Directory tenant
Co-Administrator
• Max 200 per Azure subscription
• Can assign users to the Co-Administrator role
• Cannot change the Service Administrator role
• Cannot associate the subscription with a different Active Directory tenant
• Same permissions as Service Administrator, but cannot cancel the subscription
* No other roles are available at account level and custom roles cannot be created.
Caveat (current state, not on the original slides): Microsoft retired the classic Service Administrator and Co-Administrator roles on 31 August 2024. Treat this slide as history and express the same access with Azure RBAC role assignments (Owner at subscription scope, or a narrower role) instead.
Srikanth cautioned Sara about the usage of Subscription Administrators
Classic Administrator Roles come with unlimited access to accounts and subscriptions, so he suggested the following best practices:
• Assess the need for the role before you assign it to a user
• Remember what the Service Administrator role can do:
  • change the Active Directory tenant the subscription trusts, or even add a new one
  • cancel subscriptions
  • order services on the subscription
• Co-Administrators: the count should not be more than 1 or 2
• Limit the permissions on specific subscription resources through Deny Assignments on the subscription
What happens when Sara creates an Azure Account
Roles assigned (diagram):
• Azure Account (Account & Subscription(s) Management): Classic Subscription Administrator roles Account Administrator and Service Administrator
• Azure Active Directory Tenant 1 (AD Identity Management): Azure Active Directory roles Global Administrator and User Administrator
• Azure Subscription 1 (Subscription & Resource(s) Management): Azure role Owner
• Sara created an Azure account
• Azure Active Directory (AAD) tenant 1 and subscription 1 were created after the account was created
• AAD is the identity management solution. More than one AAD tenant instance can be created later
• A subscription is the billing relationship between Azure and Sara
• More than one subscription can be created if you want to segregate billing for different applications
• One AAD tenant can be linked to many subscriptions
• One subscription can be linked to only one tenant
• An account can have multiple Active Directory tenants and subscriptions
Assignment/Transfer of Account Administration specific roles to SaanV and Gita
Sara partnered with SaanV (Partner, S5 Retail) and Gita (Partner, S5 Pharma) to manage the two business applications and created one subscription for each:
• “S5 Retail” with SaanV
• “S5 Pharma” with Gita
Sara asked Srikanth to assign the following roles:
• Make SaanV “Service Administrator” of subscription “S5 Retail”
• Make Gita “Co-Administrator” of subscription “S5 Pharma”
• Make Srikanth a Co-Administrator of both subscriptions, temporarily (to manage the subscriptions during setup)
Can you suggest why she made SaanV a Service Administrator while Gita is only a Co-Administrator?
Srikanth details Azure Active Directory Roles
• Used to manage Azure AD resources in a directory. Functions include user management, license management and managing domains.
Global Administrator
• The person who signs up for the Azure account receives this role
• Manages access to admin features in Active Directory
• Assigns admin roles to others
• Can reset the password of any user
User Administrator
• Creates & manages users
• Manages support tickets
• Manages service health
• Can change passwords for non-admin users (and for a limited set of admin roles, not for other administrators)
Billing Administrator
• Makes purchases
• Manages subscriptions
• Manages support tickets
• Manages service health
Azure Active Directory roles are specifically related to the management of Active Directory objects and support different functions that are set at directory level.
Srikanth asserts the power of Elevated Access for an Azure AD Global Administrator
• Azure AD and Azure resources are secured independently from each other
• A Global Administrator of the directory may not have access to all management groups & subscriptions
• There may be a need to elevate Global Administrator access to
  • regain access, or grant access to users or self, on management groups & subscriptions
  • allow apps to access the same
• After access is elevated, the Global Administrator is assigned the User Access Administrator role at the root scope (“/”), which sits above every management group and subscription in the tenant
• Turn the elevated access off once the purpose is served: the switch is “Access management for Azure resources” on the Azure AD properties page, and every elevation is recorded in the directory activity log, so review those entries
• Elevation of access is mainly to allow a Global Administrator to act as User Access Administrator for management groups/subscriptions
Do we have any other Azure Active Directory Roles?
Yes, we do. Azure Active Directory is Microsoft's cloud-based identity and access management service, used to manage
• External resources: Microsoft 365, the Azure portal, other SaaS applications
• Internal resources: apps on your corporate network, apps on the intranet, cloud apps developed by your own organization
Different roles are available in Azure Active Directory to enable users to perform different functions on different objects.
Azure Active Directory roles are managed by Azure; custom roles for Azure Active Directory can be created only if you have Azure AD Premium P1 or P2.
Azure AD editions: Azure AD Free, Azure AD Premium P1, Azure AD Premium P2, Pay As You Go
Detailed list of other Azure Active Directory Administrator Roles
(Link on the slide: List of Azure Active Directory Administrator Roles)
S5Ent Roles on Azure Active Directory
Sara sees a need to
• Manage billing centrally
• Create/drop users in a single AD domain
• Have an administrator who manages AD end to end
Sara asked Srikanth to assign the following roles:
• Make Srini (User Admin, S5 Ent) the User Administrator, Shaila (Accounting, S5 Ent) the Billing Administrator and Srikanth the Global Administrator
What is the rationale behind Sara's thought process?
What are Azure Roles
Based on the Role based access control (RBAC) mechanism.
Owner
• Full access to resources
• Can delegate access to others
Contributor
• Creates & manages Azure resources
• Cannot grant access to resources
Reader
• Can view all the resources in a scope
User Access Administrator
• Manages user access to resources
Are these the only roles we can use to manage Azure subscription resources?
Obviously not. Azure provides many other built-in roles to perform different functions on specific Azure services/resources, for example: Virtual Machine Contributor, Storage Account Reader, Network Contributor, Backup Operator, App Configuration Data Owner.
Custom roles can be created for Azure roles (and, with Premium licensing, for Azure AD roles), but not for the classic administrator roles.
Detailed list of other Azure built-in roles (based on RBAC)
(Link on the slide: List of Azure Roles)
What is Azure Role based access control (RBAC)
Azure Role based access control (RBAC) manages access control for cloud resources. It is an authorization system built on Azure Resource Manager (ARM) which provides fine-grained access to Azure resources.
3 QUESTIONS TO ANSWER
• Who has access to an Azure resource?
• What can they do with those resources?
• What specific areas (scopes) do they have access to?
EXAMPLES
• A DBA group to manage SQL and NoSQL databases
• A network administrator to manage virtual networks, and an application administrator to manage App Services
• A project administrator to manage the resources in a resource group
• A storage admin to manage storage accounts
How Access Management is controlled in Azure RBAC
Role based access control is enabled through four building blocks:
• Role Definition: a role definition (typically called a role) is a collection of permissions. It supports operations like create, view, update and delete.
• Role Assignment: managing access to different Azure resources at a specific scope is enabled by a role assignment.
• Deny Assignment: denying access to different Azure resources at a specific scope is enabled by a deny assignment.
• Custom Roles: custom roles are created when the built-in roles cannot fulfil the purpose.
What is a Role Definition
A role definition (typically a role) is a collection of permissions. A role definition lists the operations that can be performed, such as read, write and delete.
2 types of roles:
• Built-in roles (defined by Azure): high-level (Owner, Contributor, Reader, User Access Administrator) and resource-specific
• Custom roles (defined by the implementation team): user-defined roles which define different access mechanisms to different resource-specific types
* Segregation into high-level and resource-specific types is only for our understanding
Revisit “Role Definition” aka Role
A role definition is a collection of permissions and has a Name and a Description. Besides these, a role definition/permission has 5 components:
• Actions: management operations that the role allows to be performed
• NotActions: management operations that are excluded from the allowed Actions
• DataActions: data operations that the role allows to be performed on your data within that object
• NotDataActions: data operations that are excluded from the allowed DataActions
• AssignableScopes: the scopes at which the role is available for assignment
Management (control-plane) operations control access to resources, e.g. accessing a storage account, creating, updating and deleting a blob container, deleting a resource group and its resources.
Data (data-plane) operations control access to the data underlying the resources, e.g. reading log files in a blob container, deleting a message in a queue, writing data into a text file in a container.
The Storage Blob Data Reader role definition includes operations in both the Actions and DataActions properties. This role allows you to read the blob container and also the underlying blob data.
A role definition that only has operations in the Actions property (for example the built-in Reader) allows you to read the blob container (its metadata and properties) but not the underlying blob data.
Note that NotActions is not a deny rule: it only subtracts from the Actions of the same role definition, so an operation excluded by NotActions in one role is still allowed if another role assignment grants it. Blocking an operation regardless of other assignments requires a deny assignment.
Role Definition (in terms of Syntax)
{
"Name": "",
"Description": "",
"Actions": [],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": []
}
{
"Name": "Virtual Machine Operator",
"Id": "88888888-8888-8888-8888-888888888888",
"IsCustom": true,
"Description": "Can monitor and restart virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId2}",
"/providers/Microsoft.Management/managementGroups/{groupId1}"
]
}
What are Role Assignments?
Control access to resources using Role based access control (RBAC) in Azure by creating ROLE ASSIGNMENTS.
A ROLE ASSIGNMENT has 3 elements:
• Security Principal: the identity that requests access to an Azure resource
• Role Definition: a collection of permissions
• Scope: the set of resources that the access applies to
1. Who is the Security Principal?
A security principal is an Azure object that represents a user, group, service principal or managed identity that is requesting access to Azure resources.
• User: an individual who has a profile in Azure Active Directory
• Group: a set of users created in Azure Active Directory
• Service Principal: a security identity used by applications/services to access specific Azure resources
• Managed Identity: an identity in Azure Active Directory that is automatically managed by Azure
2. What is the Role Definition?
A role definition (typically a role) is a collection of permissions listing the operations that can be performed, such as read, write and delete, as described above: either a built-in role (defined by Azure) or a custom role (defined by the implementation team).
3. Define Scope
Scope is the set of resources that the access applies to. Assign a role, and limit the actions allowed by defining a scope.
Role assignments are additive (a principal's effective permissions are the union of all its assignments) and they are inherited downwards: access granted at a subscription flows down to its resource groups and thereby to the resources in them, never upwards.
Scope levels:
• Management Group: each management group can contain one or more subscriptions (and child management groups)
• Subscription(s): each subscription can have one or more resource groups
• Resource Group(s): each resource group can have one or more resources and resource types
• Resource(s): the resource is the smallest unit in the scope
Definitions of objects in Scope
• Management Groups: containers to manage access, policy and compliance across multiple subscriptions. Management groups enable an effective and efficient hierarchy that can be used with Azure Policy and RBAC controls. All subscriptions in a management group automatically inherit the conditions applied to the management group.
• Subscriptions: a subscription logically associates user accounts and the resources that were created by them. Organizations use subscriptions to manage costs and the resources that are created by users, teams or projects.
• Resource Groups: a resource group is a logical container into which Azure resources like services, databases, web apps and storage accounts are deployed and managed.
• Resources: resources are the different services that we create in Azure, e.g. containers, SQL databases, web apps, storage accounts.
Inheritance flows from management group down to subscription, resource group and resource.
What are Deny Assignments?
A set of denied actions applied to a security principal at a particular scope is a DENY ASSIGNMENT.
A DENY ASSIGNMENT has 3 elements:
• Security Principal: the identity that requests access to an Azure resource
• Deny permissions (Actions/DataActions, with NotActions/NotDataActions as exclusions): the collection of operations that is blocked
• Scope: the set of resources that the deny applies to
Deny assignments block security principals from performing actions at a scope even when role assignments that grant those actions exist at that scope or at a level above it.
* Deny assignments cannot be authored directly through the RBAC APIs or the portal (which only list them); at the time of these slides Azure Blueprints and Azure managed applications were the only way to create them.
Sara interrupted Srikanth with a question
At a specific scope (management group/subscription/resource group/resource), what takes precedence when both a role assignment and a deny assignment are defined?
Srikanth advised that RBAC always starts from a role with only the access needed to perform a function, and that at a scope a deny assignment always takes precedence over a role assignment.
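The rules on the last few slides (Actions/NotActions/DataActions in a role definition, a role assignment being principal + role + scope, downward scope inheritance, and deny assignments winning over role assignments) can be checked end to end with a small evaluator. The block below is an added example written for this page, not code from the original deck or from Microsoft. The principals (nara, sailesh, jc), the subscription and resource group scopes, and the abbreviated Contributor, Reader and Storage Blob Data Reader definitions are constructed for illustration; the real built-in roles carry more entries than shown here.

```python
# Added example, not from the original slides: a minimal evaluator for the Azure
# RBAC semantics described above. Principals, scopes and the abbreviated role
# definitions are constructed for illustration, not copied from the built-ins.
import re
from dataclasses import dataclass, field


def op_matches(pattern: str, operation: str) -> bool:
    """'*' matches any characters, including '/'; Azure compares case-insensitively."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def scope_covers(assigned: str, target: str) -> bool:
    """An assignment applies at its own scope and every child scope,
    not at a sibling that merely shares a string prefix."""
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


@dataclass
class RoleDefinition:
    name: str
    actions: list = field(default_factory=list)
    not_actions: list = field(default_factory=list)
    data_actions: list = field(default_factory=list)
    not_data_actions: list = field(default_factory=list)

    def permits(self, operation: str, data_plane: bool = False) -> bool:
        allowed = self.data_actions if data_plane else self.actions
        excluded = self.not_data_actions if data_plane else self.not_actions
        # NotActions only subtract from this role's own Actions; they are not a deny.
        return (any(op_matches(p, operation) for p in allowed)
                and not any(op_matches(p, operation) for p in excluded))


@dataclass
class RoleAssignment:  # security principal + role definition + scope
    principal: str
    role: RoleDefinition
    scope: str


@dataclass
class DenyAssignment:
    principals: set
    scope: str
    actions: list = field(default_factory=list)
    data_actions: list = field(default_factory=list)


def is_allowed(principal, operation, scope, assignments, denies, data_plane=False):
    """Granted if any role assignment at this scope or above permits the operation,
    then removed again if any deny assignment at this scope or above matches it."""
    granted = any(a.principal == principal and scope_covers(a.scope, scope)
                  and a.role.permits(operation, data_plane) for a in assignments)
    if not granted:
        return False
    for d in denies:
        patterns = d.data_actions if data_plane else d.actions
        if (principal in d.principals and scope_covers(d.scope, scope)
                and any(op_matches(p, operation) for p in patterns)):
            return False  # deny assignment takes precedence
    return True


CONTRIBUTOR = RoleDefinition("Contributor", actions=["*"], not_actions=[
    "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action"])
READER = RoleDefinition("Reader", actions=["*/read"])
BLOB_DATA_READER = RoleDefinition(
    "Storage Blob Data Reader",
    actions=["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
    data_actions=["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"])

SUB = "/subscriptions/s5-retail"  # placeholder; real subscription IDs are GUIDs
RG_APP, RG_LOCKED = SUB + "/resourceGroups/rg-app", SUB + "/resourceGroups/rg-locked"
ASSIGNMENTS = [RoleAssignment("nara", CONTRIBUTOR, SUB),
               RoleAssignment("sailesh", READER, SUB),
               RoleAssignment("jc", BLOB_DATA_READER, RG_APP)]
DENIES = [DenyAssignment({"nara"}, RG_LOCKED, actions=["*/delete"])]
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
CONTAINER_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/read"


def scenario() -> dict:
    """Effective access for the S5 Retail cast, keyed by check name."""
    def can(who, op, at, data=False):
        return is_allowed(who, op, at, ASSIGNMENTS, DENIES, data)
    return {
        "nara_creates_vm_in_rg_app": can("nara", "Microsoft.Compute/virtualMachines/write", RG_APP),
        "nara_grants_access": can("nara", "Microsoft.Authorization/roleAssignments/write", SUB),
        "nara_deletes_in_rg_locked": can("nara", "Microsoft.Compute/virtualMachines/delete", RG_LOCKED),
        "nara_deletes_in_rg_app": can("nara", "Microsoft.Compute/virtualMachines/delete", RG_APP),
        "sailesh_reads_container": can("sailesh", CONTAINER_READ, RG_APP),
        "sailesh_reads_blob_data": can("sailesh", BLOB_READ, RG_APP, data=True),
        "jc_reads_blob_data_in_rg_app": can("jc", BLOB_READ, RG_APP, data=True),
        "jc_reads_blob_data_in_rg_locked": can("jc", BLOB_READ, RG_LOCKED, data=True),
    }


if __name__ == "__main__":
    for check, allowed in scenario().items():
        print(f"{check:34} {'ALLOWED' if allowed else 'DENIED'}")
```

Two details are worth noticing in the output. The NotActions in Contributor only remove role-assignment writes from Contributor itself, so a second assignment of User Access Administrator to Nara would add them back; that is why a real restriction needs the deny assignment, which blocks the delete in rg-locked even though Contributor is inherited from the subscription. Reader, whose only entry is the control-plane wildcard */read, can see the container but never the blob data, which is exactly the Actions versus DataActions split from the role definition slide.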
Sara and Srikanth are assigning roles
• Srikanth is to oversee and manage administration across both subscriptions
• Nara needs to be able to create and drop services
• JC is to handle user access for services in both subscriptions, and storage management
• Lucky and Sailesh need to address auditing
• Implementation of services is outsourced to development partners
• Operations are outsourced to managed services partners
Role assignments:
• Srikanth (Azure Administrator) is assigned the Owner role
• Nara (Administrator) is assigned the Contributor role
• JC (User Access Administrator) is assigned User Access Administrator and Storage Account Contributor
• Lucky (Internal Auditor) and Sailesh (Auditor, External) are given the Reader role
Srikanth re-iterated the use of resource-specific roles
• When permissions need to be granted to specific resource types at any scope, use resource-specific roles
• For example, for Storage there are roles that cover Actions (the storage account itself) and separate roles that cover Data Actions (the data in it)
• Storage services with their own data-plane roles (as shown in the diagram): Blob, File, Queue
Sara and Srikanth are assigning roles
Problem
• The implementation services team will have to access multiple services like storage, virtual machines, administration, monitoring and management
• The operations team needs to monitor and manage different services and even perform fixes and other support activities
Solution
• Create groups of users and assign multiple roles which provide Data Actions and Actions at a specific scope
• Create groups and assign CUSTOM roles which span across multiple services
What are Custom Roles and Why?
• Sometimes the Azure built-in roles do not serve the specific needs of your organization. Create custom roles to address the specific requirement.
• Custom roles are user-defined roles with specific Actions, DataActions, NotActions and NotDataActions at a defined scope.
• Custom roles can be shared between subscriptions that trust the same Azure AD directory.
• Custom roles can be created using Azure PowerShell, the Azure portal, Azure CLI or the REST API.
It is easy to clone a built-in role, edit the JSON document and adjust the permissions.
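To turn “clone a role and edit the JSON” into something reviewable, the added example below (written for this page, not code from the deck or from Microsoft) assembles a custom role in the JSON layout shown on the “Role Definition (in terms of Syntax)” slide and lints it for least privilege before it is created. The role name S5RetailStorageContributor comes from the slides; the operation strings are real Azure Storage operations, while the subscription ID, the description and the exact permission set are assumptions made for the scenario.

```python
# Added example, not from the original slides: build a least-privilege custom
# role as JSON and lint it before creating it. The name comes from the deck; the
# subscription ID, description and permission set are assumptions for the scenario.
import json
import re


def op_matches(pattern: str, operation: str) -> bool:
    """'*' matches any characters, including '/'; Azure compares case-insensitively."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


# Scope forms a custom role can be made assignable at: subscription, resource group,
# management group (the shapes used on the syntax slide).
ASSIGNABLE_SCOPE = re.compile(
    r"^/(subscriptions/[^/]+(/resourceGroups/[^/]+)?"
    r"|providers/Microsoft\.Management/managementGroups/[^/]+)$")


def lint_role(role: dict) -> list:
    """Return the structural and least-privilege problems found in a custom role."""
    problems = []
    if not role.get("IsCustom"):
        problems.append("IsCustom must be true for a custom role")
    if not role.get("AssignableScopes"):
        problems.append("AssignableScopes must contain at least one scope")
    for scope in role.get("AssignableScopes", []):
        if not ASSIGNABLE_SCOPE.match(scope):
            problems.append(f"unsupported assignable scope: {scope}")
    for key in ("Actions", "DataActions"):
        for pattern in role.get(key, []):
            # '*' or 'Provider/*' grants every operation of every (or that) provider
            if pattern == "*" or re.fullmatch(r"[^/]+/\*", pattern):
                problems.append(f"{key} entry '{pattern}' is too broad for least privilege")
    for key, base in (("NotActions", "Actions"), ("NotDataActions", "DataActions")):
        for excluded in role.get(key, []):
            # an exclusion that no allow pattern covers has no effect at all
            if not any(op_matches(allowed, excluded) for allowed in role.get(base, [])):
                problems.append(f"{key} entry '{excluded}' is not covered by any {base} pattern")
    return problems


def build_custom_role(name, description, actions, data_actions, assignable_scopes,
                      not_actions=(), not_data_actions=()):
    """Assemble the JSON document accepted by `az role definition create` and
    `New-AzRoleDefinition -InputFile`; refuse to emit a role the lint rejects."""
    role = {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": sorted(set(actions)),
        "NotActions": sorted(set(not_actions)),
        "DataActions": sorted(set(data_actions)),
        "NotDataActions": sorted(set(not_data_actions)),
        "AssignableScopes": list(assignable_scopes),
    }
    problems = lint_role(role)
    if problems:
        raise ValueError("; ".join(problems))
    return role


RETAIL_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID


def retail_storage_contributor() -> dict:
    """Constructed requirement: manage containers and blob data in S5 Retail storage
    accounts, but never delete blobs, and only be assignable inside that subscription."""
    return build_custom_role(
        "S5RetailStorageContributor",
        "Manage containers and blob data in S5 Retail storage accounts, without deleting blobs.",
        actions=[
            "Microsoft.Storage/storageAccounts/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/*",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
        ],
        data_actions=["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
        not_data_actions=["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"],
        assignable_scopes=[RETAIL_SUB],
    )


if __name__ == "__main__":
    print(json.dumps(retail_storage_contributor(), indent=2))
```

Save the printed JSON to a file and create the role with `az role definition create --role-definition @role.json` or `New-AzRoleDefinition -InputFile role.json`. The lint rejects provider-wide wildcards, an empty AssignableScopes list and NotActions entries that no Actions pattern covers; Azure accepts the last of these silently, but such an entry changes nothing, which is usually a sign the author misunderstood NotActions as a deny.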
Custom roles created to fulfil Sara's Azure RBAC requirements
(Diagram) Subscription Retail, with the resources Storage, VM, MySQL, ELB, Disk, Logs and Data. Custom roles: S5RetailAppDeveloper, S5PharmaAppDeveloper, S5EntLogViewer, S5RetailStorageContributor, S5EntDataAdmin, S5EntSecretsManager, S5RetailAppLogViewer, S5PharmaStorageContributor
Sara pointed out one concern about subscriptions and Active Directory
I understand that multiple subscriptions can be assigned to an Active Directory tenant.
• What happens when one subscription is moved from Active Directory Tenant 1 to Active Directory Tenant 2?
• She raised the concern that there may be a need to separate one of the subscriptions under a new domain.
(Diagram) Subscription 1 moved from Azure Active Directory Tenant 1 to Azure Active Directory Tenant 2.
Impacted RBAC services:
• Role Assignments: all role assignments are permanently deleted. Map the security principals to the corresponding objects in the new AD tenant and recreate the role assignments.
• Custom Roles: custom roles are permanently deleted. Recreate the custom roles and their role assignments.
Other identity-bound state, such as system-assigned managed identities and Key Vault access policies, is lost in the same way, so export the role assignments and custom role definitions before the transfer and plan to recreate them afterwards.
Sara has concerns about tracking changes in Azure RBAC
To track changes for auditing, especially
• Create role assignment
• Delete role assignment
• Create or update custom role definition
• Delete custom role definition
The Activity Log records all of these operations (under the Microsoft.Authorization resource provider) to support auditing and troubleshooting.
• Changes in role assignments, custom role definitions and related activities are tracked
• The Activity Log hosts the data for 90 days; to keep it longer, route it to a Log Analytics workspace or a storage account through a diagnostic setting
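The four auditing requirements above map to four operation names in the Activity Log. The added example below (written for this page, not code from the deck or from Microsoft) filters exported Activity Log records down to successful RBAC changes, derives the scope each one applies to, and flags the high-impact ones. The four records are constructed to mimic the JSON shape returned by the Activity Log REST API and by `az monitor activity-log list`; the subscription ID, the callers and the timestamps are placeholders.

```python
# Added example, not from the original slides: pick RBAC changes out of Activity
# Log records and flag the high-impact ones. SAMPLE_EVENTS is constructed to mimic
# the Activity Log JSON shape; IDs, callers and timestamps are placeholders.
import json

RBAC_OPERATIONS = {
    "microsoft.authorization/roleassignments/write": "role assignment created",
    "microsoft.authorization/roleassignments/delete": "role assignment deleted",
    "microsoft.authorization/roledefinitions/write": "custom role created or updated",
    "microsoft.authorization/roledefinitions/delete": "custom role deleted",
}

SAMPLE_EVENTS = json.loads("""[
 {"eventTimestamp": "2024-05-01T09:00:00Z", "caller": "srikanth@s5ent.example",
  "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
  "status": {"value": "Succeeded"},
  "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111"},
 {"eventTimestamp": "2024-05-01T09:05:00Z", "caller": "jc@s5ent.example",
  "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
  "status": {"value": "Succeeded"},
  "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222"},
 {"eventTimestamp": "2024-05-01T09:10:00Z", "caller": "nara@s5ent.example",
  "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
  "status": {"value": "Succeeded"},
  "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"},
 {"eventTimestamp": "2024-05-01T09:20:00Z", "caller": "srikanth@s5ent.example",
  "operationName": {"value": "Microsoft.Authorization/roleDefinitions/delete"},
  "status": {"value": "Succeeded"},
  "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/33333333-3333-3333-3333-333333333333"}
]""")


def _value(field):
    # REST/CLI output uses {"value": ..., "localizedValue": ...}; tolerate plain strings too
    return field.get("value", "") if isinstance(field, dict) else (field or "")


def assignment_scope(resource_id: str) -> str:
    """A role assignment or definition lives under <scope>/providers/Microsoft.Authorization/...;
    strip that suffix to recover the scope it applies to."""
    marker = "/providers/Microsoft.Authorization/"
    idx = resource_id.find(marker)
    return resource_id[:idx] if idx >= 0 else resource_id


def scope_level(scope: str) -> str:
    s = scope.lower()
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "managementGroup"
    if "/resourcegroups/" in s:
        return "resource" if "/providers/" in s.split("/resourcegroups/")[1] else "resourceGroup"
    return "subscription" if s.startswith("/subscriptions/") else "root"


def rbac_changes(events: list) -> list:
    """Keep only succeeded RBAC operations and describe each one; high_impact marks
    changes at subscription scope or above and every custom role deletion."""
    changes = []
    for e in events:
        op = _value(e.get("operationName")).lower()
        if op not in RBAC_OPERATIONS or _value(e.get("status")).lower() != "succeeded":
            continue
        scope = assignment_scope(e.get("resourceId", ""))
        level = scope_level(scope)
        changes.append({
            "time": e.get("eventTimestamp"),
            "caller": e.get("caller"),
            "change": RBAC_OPERATIONS[op],
            "scope": scope,
            "level": level,
            "high_impact": (level in ("root", "managementGroup", "subscription")
                            or op.endswith("/roledefinitions/delete")),
        })
    return changes


if __name__ == "__main__":
    for c in rbac_changes(SAMPLE_EVENTS):
        flag = "!!" if c["high_impact"] else "  "
        print(f"{flag} {c['time']} {c['caller']:<24} {c['change']:<32} {c['level']:<15} {c['scope']}")
```

Run it against a real export by replacing SAMPLE_EVENTS with the parsed output of `az monitor activity-log list`. Because the Activity Log itself only holds 90 days, the same filter is more useful as an alert rule over a Log Analytics workspace fed by a diagnostic setting, so that a subscription-scope assignment or a custom role deletion is seen when it happens rather than at the next audit.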
Let us Check our Understanding
Happy RBACing
 
Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019
Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019
Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019
 
Azure subscription management with EA and CSP
Azure subscription management with EA and CSPAzure subscription management with EA and CSP
Azure subscription management with EA and CSP
 
AWS Organizations & Service Control Policy
AWS Organizations & Service Control PolicyAWS Organizations & Service Control Policy
AWS Organizations & Service Control Policy
 
Understanding Azure AD
Understanding Azure ADUnderstanding Azure AD
Understanding Azure AD
 
Azure Day 1.pptx
Azure Day 1.pptxAzure Day 1.pptx
Azure Day 1.pptx
 
1BT_Tech_Talk_AWS_Cross_Account_Access
1BT_Tech_Talk_AWS_Cross_Account_Access1BT_Tech_Talk_AWS_Cross_Account_Access
1BT_Tech_Talk_AWS_Cross_Account_Access
 
Microsoft azure infrastructure essentials course manual
Microsoft azure infrastructure essentials   course manualMicrosoft azure infrastructure essentials   course manual
Microsoft azure infrastructure essentials course manual
 
48. Azure Active Directory - Part 1
48. Azure Active Directory - Part 148. Azure Active Directory - Part 1
48. Azure Active Directory - Part 1
 
Microsoft Azure Security Technologies (AZ-500) Exam Dumps 2023.pdf
Microsoft Azure Security Technologies (AZ-500) Exam Dumps 2023.pdfMicrosoft Azure Security Technologies (AZ-500) Exam Dumps 2023.pdf
Microsoft Azure Security Technologies (AZ-500) Exam Dumps 2023.pdf
 
Introduction to basic governance in Azure - #GABDK
Introduction to basic governance in Azure - #GABDKIntroduction to basic governance in Azure - #GABDK
Introduction to basic governance in Azure - #GABDK
 
Hitchhiker's Guide to Azure AD - SPSKC
Hitchhiker's Guide to Azure AD - SPSKCHitchhiker's Guide to Azure AD - SPSKC
Hitchhiker's Guide to Azure AD - SPSKC
 
03_DP_300T00A_Secure_Environment.pptx
03_DP_300T00A_Secure_Environment.pptx03_DP_300T00A_Secure_Environment.pptx
03_DP_300T00A_Secure_Environment.pptx
 
Leverage your application architecture with azure services
Leverage your application architecture with azure servicesLeverage your application architecture with azure services
Leverage your application architecture with azure services
 
TechDays Finland 2020: Azuren tietoturva haltuun!
TechDays Finland 2020: Azuren tietoturva haltuun!TechDays Finland 2020: Azuren tietoturva haltuun!
TechDays Finland 2020: Azuren tietoturva haltuun!
 
Azure from scratch part 2 By Girish Kalamati
Azure from scratch part 2 By Girish KalamatiAzure from scratch part 2 By Girish Kalamati
Azure from scratch part 2 By Girish Kalamati
 
Azure active directory
Azure active directoryAzure active directory
Azure active directory
 
AWS Cloud organizations presentation
AWS Cloud organizations presentationAWS Cloud organizations presentation
AWS Cloud organizations presentation
 
Swivel Secure, ADFS and Office 365
Swivel Secure, ADFS and Office 365Swivel Secure, ADFS and Office 365
Swivel Secure, ADFS and Office 365
 

Recently uploaded

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Recently uploaded (20)

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

Azure role based access control (rbac)

  • 1. Management of Azure Roles & RBAC (title slide; figure shows Role A, Role B, Role C)
  • 2. S5 Cloud Education contact links: S5-Cloud-Education-105146271333771, S5 Cloud Education, @s5cloudedu, srikanth-kappagantula.blogspot.com, https://medium.com/@s5cloudeducation, https://www.slideshare.net/krishnasrikanthk, sites.google.com/view/s5cloudeducation
  • 3. Context
    Srikanth Kappagantula explains to Sara the specifics of the different types of Azure roles and access management through RBAC (Role Based Access Control)
     Sara is the owner of the start-up “S5 Enterprise”
     Sara launched 2 business applications, “S5 Retail” and “S5 Pharma”, on Azure, partnering with SaanV and Gita
     Sara hired different professionals to support her in building the applications
     She is conversing with Srikanth K, an Azure Administrator, to understand Azure specifics in terms of Accounts, Subscriptions, and Tenants
     Srikanth defines roles and explains role specifics, their scope, access management, etc.
  • 4. People and teams in the scenario
    People: Sara (Owner, S5 Ent); Srikanth (Azure Administrator); SaanV (Partner, S5 Retail); Gita (Partner, S5 Pharma); Shaila (Accounting, S5 Ent); Srini (User Admin, S5 Ent); Nara (Administrator); JC (User Access Administrator); Lucky (Internal Auditor); Sailesh (Auditor, External)
    Groups shown on the slide: Partner Management; HR & Accounting; Development Teams; Development Partners; Operations Team; Managed Services Partners
  • 5. Definition of Role(s)
    A role is a collection of permissions on objects in a namespace.
    Figure: a Role has a Name, a Namespace/Scope and Permissions (C R U D), and is assigned to Security Principals
    SCENARIO: Users/Identities are allocated to ROLES with LEAST PRIVILEGE, which allows them to perform, or not perform, certain Actions. LEAST PRIVILEGE defines the ability to perform only specific Actions at the mentioned SCOPE: not more, not less.
  • 6. What is Scope?
    Azure Account
     A globally unique entity
     Can be an Individual Account or an Organization Account
     Account contains multiple subscriptions & Active Directory tenants
     Organization is a business entity, identified by one or more public DNS domain names
    Azure Active Directory Tenant
     Representation of an organization
     Unique instance of Azure Active Directory
     Tenant has its own identities and app registrations
     Azure Active Directory Tenant can have more than 1 subscription
    Management Groups
     Management groups are containers to manage access, policy, and compliance for multiple subscriptions
     Subscriptions in a management group automatically inherit the conditions
    Subscription
     Agreement with Microsoft to use Microsoft cloud platforms or services
     Billing relationship between the party and Azure
     Can host resource groups (resource containers) & Resources
     1 Subscription can be allocated to only 1 Active Directory Tenant
    Resource Group
     Resource Group is a logical container for Resources
     Subscription can have 1 or more resource groups
     1 Resource Group can be allocated to only one subscription
     Resource Group stores its metadata in a location
    Resources
     Resources are instances of Azure services, e.g. virtual machines, storage, or SQL databases
     A Resource can be assigned to only one resource group
     Location of a resource can be different from the location of its resource group
    Scope hierarchy (figure): Account → Azure Active Directory Tenant → Management Groups → Subscription → Resource Group → Resource
  • 7. Relationship between Accounts & other objects (figure)
    Account (1..n) Azure Active Directory Tenant (1..n) Subscription (1..n) Resource Group (1..n) Resources; Management Groups (1..n) Subscriptions
  • 8. Types of Roles in Azure, Scope and Relationship
    Role Types in Azure: Classic Subscription Administrator Roles; Azure Active Directory Roles; Azure Roles (based on RBAC)
    Role Type | Scope
    Classic Subscription Administrator Roles | Azure Account & Subscriptions
    Azure Active Directory Roles | Azure Active Directory Tenant
    Azure Roles | Management Group, Azure Subscriptions, Resource Groups & Resources
  • 9. What are these different types of roles in Azure?
    Classic Subscription Administrator Roles (Account & Subscription(s) Management)
     Have full access to the Azure subscription & Account
     Can manage resources using the Portal & ARM APIs
     Created when the Azure Account is created
     Roles: Account Administrator, Service Administrator, Co-Administrator
    Azure Active Directory (Azure AD) roles (Identity Management)
     Used to manage Azure AD resources in a directory
     Perform different functions: user management, license management, manage domains
     Roles: Global Administrator, User Administrator, Billing Administrator
    Azure Roles (Subscription & Resource(s) Management)
     Based on Role based access control
     Authorization system that provides fine grained access to Azure resources
     Has 4 fundamental roles and 70 built-in roles
     Fundamental roles: Owner, Contributor, Reader, User Access Administrator
    Users/Identities are allocated to roles with LEAST PRIVILEGE, which allows them to perform, or not perform, certain Actions
  • 10. Classic Subscription Administrator Roles
     Have full access to the Azure subscription & Account
     Can manage resources using the Portal & ARM APIs
     Created when the Azure Account is created
    Purpose: Manage Account & Subscriptions (new/existing). * Should not be used to manage Azure resources
    Account Administrator
     Max 1 per Azure Account
     Manage (create/cancel) all subscriptions in the Account
     Manage & change billing for subscriptions
     Can change the Service Administrator
    Service Administrator
     Max 1 per Azure Subscription
     Manage services in the Subscription
     Cancel the subscription
     Assign users to the Co-Administrator role
     Can associate the subscription to a different Active Directory tenant
    Co-Administrator
     Max 200 per Azure Subscription
     Can assign users to the Co-Administrator role
     Cannot change the Service Administrator role
     Cannot associate the subscription to a different Active Directory tenant
     Same permissions as Service Administrator, but cannot cancel the subscription
    * No other roles are available at Account level, and custom roles cannot be created
  • 11. Srikanth cautioned Sara on the usage of Subscription Administrators
    Classic Administrator Roles come with unlimited access to accounts and subscriptions; Srikanth suggested the following best practices
     Assess the need for the role before you assign it to a user
     The Service Administrator role can: change the Active Directory domain or even add a new one; cancel subscriptions; order services on the subscription
     Co-Administrators: the count should not be more than 1 or 2
     Limit the permissions on specific subscription resources through Deny Assignments on Subscriptions
  • 12. What happens when Sara creates an Azure Account
    Roles assigned (figure):
     Azure Account → Classic Subscription Administrator Role(s): Account Administrator, Service Administrator
     Azure Active Directory Tenant 1 → Azure Active Directory Role(s): Global Administrator, User Administrator
     Azure Subscription 1 → Azure Roles: Owner
    • Sara created an Azure account
    • Azure Active Directory (AAD) tenant 1 and subscription 1 were created after account creation
    • AAD is the identity management solution. More than 1 AAD tenant instance can be created later
    • The subscription is the billing relationship between Azure and Sara
    • More than 1 subscription can be created if you want to segregate billing for different applications
    • 1 AAD tenant can be linked to many subscriptions
    • 1 subscription can be linked to only one tenant
    • An Account can have multiple Active Directory tenants and Subscriptions
    Management areas: Account & Subscription(s) Management; Subscription & Resource(s) Management; AD Identity Management
  • 13. Assignment/Transfer of Account Administration specific Roles to SaanV and Gita
    Sara partnered with SaanV (Partner, S5 Retail) and Gita (Partner, S5 Pharma) to manage 2 business applications and created 1 subscription each
     “S5 Retail” with SaanV
     “S5 Pharma” with Gita
    Sara asked Srikanth to assign the following roles
     Make SaanV “Service Administrator” of subscription “S5 Retail”
     Make Gita “Co-Administrator” of subscription “S5 Pharma”
     Make Srikanth a Co-Administrator of both subscriptions, temporarily (to manage the subscriptions for a while)
    Can you suggest why she assigned SaanV a Service Administrator while Gita a Co-Administrator?
  • 14. Srikanth details Azure Active Directory Roles
     Used to manage Azure AD resources in a directory. Different functions include: user management; license management; manage domains
    Global Administrator
    • Person who signs up for the Azure Account
    • Manage access to admin features in Active Directory
    • Assign admin roles to others
    • Reset the password for any user
    User Administrator
    • Create & manage users
    • Manage support tickets
    • Manage service health
    • Change passwords for users
    Billing Administrator
    • Make purchases
    • Manage subscriptions
    • Manage support tickets
    • Manage service health
    Azure Active Directory Roles are specifically related to the management of Active Directory objects and support different functions that can be set at directory level
  • 15. Srikanth asserts the power of Elevated Access of the Azure AD Global Administrator
     Azure AD and Azure resources are secured independently from each other
     A Global Administrator for AD may not have access to all management groups & subscriptions
     There may be a need to elevate Global Administrator access to: regain access / grant access to users or self on management groups & subscriptions; allow apps to access the same
     After access is elevated, the Global Administrator is assigned the User Access Administrator role
     Toggle the elevated access off once the purpose is served
     Elevation of access is mainly to allow the Global Administrator to act as User Access Administrator for management groups/subscriptions
  • 16. Do we have any other Azure Active Directory Roles?
    Yes, we do. Azure Active Directory is Microsoft’s cloud-based identity and access management service to manage
     External resources: Microsoft 365, the Azure portal, other SaaS applications
     Internal resources: apps on your corporate network, apps on the intranet, cloud apps developed by your own organization
    Different roles are available with Azure Active Directory to enable users to perform different functions on different objects
    Azure Active Directory roles are managed by Azure, and custom roles for Azure Active Directory can be created only if you have Azure AD Premium P1 or P2
    Azure AD Types: Azure AD Free; Azure AD Premium P1; Azure AD Premium P2; Pay As You Go
  • 17. Detailed list of other Azure Active Directory Administrator Roles (link: List of Azure Active Directory Administrator Roles)
  • 18. S5Ent Roles on Azure Active Directory
    Sara sees a need to
    • Manage billing centrally
    • Create/drop users in a single AD domain
    • Have an administrator to manage AD end to end
    Sara asked Srikanth to assign the following roles
     Make Srini the User Administrator, Shaila the Billing Administrator and Srikanth the Global Administrator
    What is the rationale behind Sara’s thought process? (Shaila: Accounting, S5 Ent; Srini: User Admin, S5 Ent)
  • 19. What are Azure Roles
    Based on the Role based access control (RBAC) mechanism
    Owner
    • Full access to resources
    • Delegate access to others
    Contributor
    • Create & manage Azure resources
    • Create a new tenant in Azure Active Directory
    • Cannot grant access to resources
    Reader
    • Can view all the resources for a scope
    User Access Administrator
    • Manage user access to resources
    Are these the only roles we can use to manage Azure subscription resources? Obviously no. We have other roles created by Azure to perform different functions on Azure Services/Resources. Some of the other built-in roles include: Virtual Machine Contributor; Storage Account Reader; Network Contributor; Backup Operator; App Configuration Data Owner
    Custom roles can be created only as Azure roles
  • 20. Detailed list of other Azure built-in roles (based on RBAC) (link: List of Azure Roles)
  • 21. What is Azure Role based access control (RBAC)
    Azure Role based access control (RBAC) manages access control for cloud resources. It is an authorization system built on Azure Resource Manager (ARM) which provides fine grained access to Azure resources
    3 QUESTIONS TO ANSWER
     Who has access to an Azure resource?
     What can they do with those resources?
     What specific areas do they have access to?
    EXAMPLES
     DBA group to manage SQL and NoSQL databases
     Network administrator to manage Virtual Networks
     Application Administrator to manage App Services
     Project Administrator to manage resources in a resource group
     Storage Admin to manage storage accounts
  • 22. How Access Management is controlled in Azure RBAC
    Role based access control is enabled through
     Role Definition: a role definition (typically a role) is a collection of permissions. Supports operations like create, view, update and delete
     Role Assignment: access to different Azure resources at a specific scope is granted by a role assignment
     Deny Assignment: access to different Azure resources at a specific scope is denied by a deny assignment
     Custom Roles: custom roles are created when built-in roles cannot fulfil the purpose
  • 23. What is Role Definition
    A role definition (typically a role) is a collection of permissions. A role definition lists the operations that can be performed, such as read, write, and delete
    2 types of roles: Built-in Roles (defined by Azure); Custom Roles (defined by the implementation team)
    Types shown on the slide: High Level; Resource Specific Type
    Custom Roles are user defined roles which define different access mechanisms for different Resource Specific Types
    * Segregation into high level and resource specific types is only for our understanding
  • 24. Revisit “Role Definition” aka Role
    A Role Definition is a collection of permissions and has a Name and Description. Besides these, a Role Definition/Permission has 5 components
     Actions: management operations that the role allows to be performed
     NotActions: management operations that are excluded from the allowed Actions
     DataActions: data operations that the role allows to be performed on your data within that object
     NotDataActions: data operations that are excluded from the allowed DataActions
     AssignableScopes: scopes the role is available for assignment at
    Management operations control access to resources, e.g. access a storage account; create, update and delete a blob container; delete a resource group & its resources
    Data operations control access to the data underlying resources, e.g. read log files in a blob container; delete a message in a queue; write data into a text file in a container
    Example: the Storage Blob Data Reader role definition includes operations in both the Actions and DataActions properties. This role allows you to read the blob container and also the underlying blob data
    Example: the Storage Blob Reader role definition includes operations only in the Actions property. This role allows you to read the blob container; it is not allowed to read the underlying data
  • 25. Role Definition (in terms of Syntax)
    Skeleton:
    {
      "Name": "",
      "Description": "",
      "Actions": [],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": []
    }
    Example (custom role):
    {
      "Name": "Virtual Machine Operator",
      "Id": "88888888-8888-8888-8888-888888888888",
      "IsCustom": true,
      "Description": "Can monitor and restart virtual machines.",
      "Actions": [
        "Microsoft.Storage/*/read",
        "Microsoft.Network/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Support/*"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/{subscriptionId1}",
        "/subscriptions/{subscriptionId2}",
        "/providers/Microsoft.Management/managementGroups/{groupId1}"
      ]
    }
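The following is an added worked example, not code from the S5 Cloud Education deck. It applies the Actions / NotActions / DataActions / NotDataActions semantics from the “Revisit Role Definition” slide to the Virtual Machine Operator custom role shown on the syntax slide, and shows why a management-plane role cannot read blob data and why a Contributor-style NotActions list stops a principal from granting access to others. The `CONTRIBUTOR_LIKE` and `CONTAINER_LISTER` roles are constructed, trimmed stand-ins, not the real built-in definitions; `permits`, `assignable_at` and `_matches` are names chosen here.

```python
"""Evaluate an Azure RBAC role definition against a requested operation.

Added example, not code from the S5 Cloud Education deck.  Azure compares
operation strings case-insensitively and lets '*' span '/' segments;
fnmatchcase on lowercased strings reproduces that behaviour.
"""
from fnmatch import fnmatchcase

# Custom role definition as shown on the deck's syntax slide.
VM_OPERATOR = {
    "Name": "Virtual Machine Operator",
    "IsCustom": True,
    "Actions": [
        "Microsoft.Storage/*/read",
        "Microsoft.Network/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Support/*",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
        "/subscriptions/{subscriptionId1}",
        "/subscriptions/{subscriptionId2}",
        "/providers/Microsoft.Management/managementGroups/{groupId1}",
    ],
}

# Constructed: allow everything except role-assignment management, the
# NotActions pattern that keeps a Contributor from granting access to others.
CONTRIBUTOR_LIKE = {
    "Name": "Constructed Contributor-like",
    "IsCustom": True,
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/"],
}

# Constructed: a control-plane-only role.  It can list containers (Actions)
# but has no DataActions, so blob contents stay unreadable.
CONTAINER_LISTER = {
    "Name": "Constructed Container Lister",
    "IsCustom": True,
    "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/{subscriptionId1}"],
}


def _matches(patterns, operation):
    """Case-insensitive wildcard match; '*' may cover several '/' segments."""
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def permits(role, operation, data_action=False):
    """True if `role` grants `operation`.

    Management operations are checked against Actions minus NotActions,
    data operations against DataActions minus NotDataActions.  A NotActions
    entry never grants anything; it only subtracts from the allow list.
    """
    allow = role["DataActions"] if data_action else role["Actions"]
    deny = role["NotDataActions"] if data_action else role["NotActions"]
    return _matches(allow, operation) and not _matches(deny, operation)


def assignable_at(role, scope):
    """A role may be assigned only at, or beneath, one of its AssignableScopes."""
    s = scope.lower()
    return any(s == a.lower() or s.startswith(a.lower().rstrip("/") + "/")
               for a in role["AssignableScopes"])


if __name__ == "__main__":
    for op in ("Microsoft.Compute/virtualMachines/restart/action",
               "Microsoft.Compute/virtualMachines/delete",
               "Microsoft.Storage/storageAccounts/read"):
        print(f"{VM_OPERATOR['Name']}: {op} -> {permits(VM_OPERATOR, op)}")
    blob = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    print("container lister reads blob data ->",
          permits(CONTAINER_LISTER, blob, data_action=True))
```

The practical check this gives a reviewer: before approving a custom role, run the operations the team actually needs (and a few they must not have) through `permits`, and confirm the intended assignment scope passes `assignable_at`, since a role whose AssignableScopes omit the target subscription cannot be assigned there at all.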
  • 26. S5 Cloud Education What are Role Assignments? Control access to resources using Role based access control (RBAC) in Azure by creating ROLE ASSIGNMENTS Security Principal Role Definition Scope Identity that requests access to an azure resource collection of permissions set of resources that the access applies to ROLE ASSIGNMENT has 3 Elements
  • 27. S5 Cloud Education 1. Who is Security Principal? A security principal is azure object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources User individual who has a profile in Azure Active Directory Group set of users created in Azure Active Directory Service Principal security identity used by applications/services to access specific Azure resources Managed Identity identity in Azure Active Directory that is automatically managed by Azure
  • 28. S5 Cloud Education
2. What is a Role Definition?
A role definition (usually just called a role) is a collection of permissions. It lists the operations that can be performed, such as read, write and delete.
2 types of roles:
 Built-in roles (defined by Azure). For our purposes these come in two kinds: high-level roles that span all resource types, and resource-specific roles that cover one resource type
 Custom roles (defined by the implementation team): user-defined roles that describe different access mechanisms for specific resource types
* The segregation into high-level and resource-specific roles is only for our understanding; Azure itself makes no such distinction
  • 29. S5 Cloud Education
3. Define Scope
Scope is the set of resources that the access applies to. When you assign a role, you limit the actions allowed by choosing the scope at which the assignment is made.
Access is inherited downwards: a role assigned at a subscription flows down to its resource groups and from there to their resources. Role assignments are additive, so a principal's effective permissions are the union of all assignments at the scope and at its parent scopes.
The scope levels, from broadest to narrowest:
 Management Group(s): each management group can contain 1 or more subscriptions (and child management groups)
 Subscription(s): each subscription can contain 1 or more resource groups
 Resource Group(s): each resource group can contain 1 or more resources of 1 or more resource types
 Resource(s): the smallest unit in the scope
  • 30. S5 Cloud Education
Definitions of objects in Scope
 Management Groups: containers for managing access, policy and compliance across multiple subscriptions. They provide an effective hierarchy that Azure Policy and RBAC controls can be applied to; all subscriptions in a management group automatically inherit the conditions applied to the management group.
 Subscriptions: a subscription logically associates user accounts with the resources they create. Organizations use subscriptions to manage costs and the resources created by users, teams or projects.
 Resource Groups: a resource group is a logical container into which Azure resources such as services, databases, web apps and storage accounts are deployed and managed.
 Resources: the individual services we create in Azure, e.g. containers, SQL databases, web apps, storage accounts.
Inheritance flows from management group to subscription to resource group to resource.
  • 31. S5 Cloud Education
What are Deny Assignments?
A DENY ASSIGNMENT is a set of actions that a security principal is blocked from performing at a particular scope. Like a role assignment it has 3 elements:
 Security Principal: the identity that requests access to an Azure resource
 Deny actions: the set of operations being blocked (a deny assignment lists its own actions rather than referencing a role definition)
 Scope: the set of resources that the block applies to
A deny assignment blocks the security principal from performing those actions at the scope even when a role assignment at the same scope, or at a scope above it, grants them.
* Azure Blueprints and Azure managed applications are the only way to create deny assignments; they cannot be created directly.
  • 32. S5 Cloud Education
Sara interrupted Srikanth with a question
At a specific scope (management group, subscription, resource group or resource), what takes precedence when both a role assignment and a deny assignment are defined?
Srikanth advised that RBAC always works with a role granting limited access to perform a function. At a scope, a deny assignment always takes precedence over a role assignment: Azure checks deny assignments first, and if one matches the principal, the operation and the scope, access is blocked regardless of what the role assignments grant.
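The three rules on slides 29 to 32 (inheritance down the scope tree, additive assignments, deny-first evaluation) are easiest to check with a small resolver. This is an added example, not the deck's material and not Microsoft's evaluator; ROLES are trimmed stand-ins for the built-ins named on slide 33, the subscription GUID, resource names, group and deny assignment are placeholders, and real deny assignments also carry NotActions, ExcludePrincipals and DoNotApplyToChildScopes, which are left out.

```python
"""Resolve access at a scope: inheritance, additivity, deny precedence (added example)."""
import re


def op_matches(pattern, operation):
    """'*' matches any characters ('/' included); case-insensitive."""
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


MG = "/providers/Microsoft.Management/managementGroups/s5-enterprise"
SUB_RETAIL = "/subscriptions/11111111-1111-1111-1111-111111111111"   # placeholder
RG_RETAIL = SUB_RETAIL + "/resourceGroups/rg-s5retail"
STORAGE = RG_RETAIL + "/providers/Microsoft.Storage/storageAccounts/s5retailstore"

# Management groups sit above subscriptions but are not part of the resource
# ID path, so the hierarchy is kept in a map (lower-cased, child -> parent).
MG_PARENT = {SUB_RETAIL.lower(): MG.lower()}


def in_scope(assignment_scope, target_scope):
    """Access flows down, never up: the target is the assignment scope itself,
    a path underneath it, or a subscription whose management-group chain
    contains it."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    if t == a or t.startswith(a + "/"):
        return True
    node = "/".join(t.split("/")[:3]) if t.startswith("/subscriptions/") else t
    while node in MG_PARENT:
        node = MG_PARENT[node]
        if node == a:
            return True
    return False


ROLES = {  # constructed stand-ins, not the live built-in definitions
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"], "NotActions": [
        "Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
    "User Access Administrator": {"Actions": ["*/read", "Microsoft.Authorization/*"],
                                  "NotActions": []},
    "Storage Account Contributor": {"Actions": ["Microsoft.Storage/storageAccounts/*"],
                                    "NotActions": []},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}

GROUPS = {"grp-s5retail-devs": {"DevPartner1"}}   # group -> members (placeholder)

ROLE_ASSIGNMENTS = [  # (principal, role, scope), mirroring slide 33
    ("Srikanth", "Owner", MG),
    ("Nara", "Contributor", SUB_RETAIL),
    ("JC", "User Access Administrator", SUB_RETAIL),
    ("JC", "Storage Account Contributor", SUB_RETAIL),
    ("Lucky", "Reader", SUB_RETAIL),
    ("grp-s5retail-devs", "Contributor", RG_RETAIL),
]

DENY_ASSIGNMENTS = [  # (principal, actions, scope); constructed placeholder
    ("Nara", ["Microsoft.Storage/storageAccounts/delete"], RG_RETAIL),
]


def identities_of(principal):
    """The principal plus every group it belongs to."""
    return {principal} | {g for g, members in GROUPS.items() if principal in members}


def evaluate(principal, operation, scope,
             role_assignments=ROLE_ASSIGNMENTS, deny_assignments=DENY_ASSIGNMENTS):
    """Return (verdict, reason) with verdict 'deny', 'allow' or 'no-access'."""
    ids = identities_of(principal)
    # 1. Deny assignments are evaluated first and override any grant.
    for who, actions, dscope in deny_assignments:
        if (who in ids and in_scope(dscope, scope)
                and any(op_matches(p, operation) for p in actions)):
            return "deny", f"deny assignment at {dscope}"
    # 2. Assignments are additive: the first one (direct or via a group) whose
    #    role grants the operation at this scope or a parent scope is enough.
    for who, role_name, ascope in role_assignments:
        if who not in ids or not in_scope(ascope, scope):
            continue
        role = ROLES[role_name]
        if (any(op_matches(p, operation) for p in role["Actions"])
                and not any(op_matches(p, operation) for p in role["NotActions"])):
            return "allow", f"{role_name} for {who} at {ascope}"
    return "no-access", "no role assignment grants this operation at this scope"


if __name__ == "__main__":
    for who, op, scope in [
        ("Nara", "Microsoft.Compute/virtualMachines/write", RG_RETAIL),
        ("Nara", "Microsoft.Storage/storageAccounts/delete", STORAGE),
        ("JC", "Microsoft.Storage/storageAccounts/write", STORAGE),
        ("Srikanth", "Microsoft.Authorization/roleAssignments/write", STORAGE),
        ("DevPartner1", "Microsoft.Compute/virtualMachines/write", SUB_RETAIL),
    ]:
        print(f"{who:12} {op:55} -> {evaluate(who, op, scope)}")
```

Nara's storage-account delete is the slide-32 case: Contributor at the subscription would allow it, but the deny assignment one level down wins. JC's storage write shows additivity (the User Access Administrator assignment does not cover it, the Storage Account Contributor one does), and DevPartner1 shows that a group assignment at a resource group does not reach the subscription above it.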
  • 33. S5 Cloud Education
Sara and Srikanth are assigning roles
 Srikanth is to oversee and manage administration across both subscriptions
 Nara needs to be able to create and drop services
 JC is to handle user access for services in both subscriptions, plus storage management
 Lucky and Sailesh need to address auditing
 Implementation of services is outsourced to development partners
 Operations are outsourced to managed services partners
 Srikanth is assigned the Owner role
 Nara is assigned the Contributor role
 JC is assigned User Access Administrator and Storage Account Contributor
 Lucky and Sailesh are given the Reader role
Note that User Access Administrator lets JC grant any role, Owner included, to any principal at that scope, so it must be treated as a privileged role and its use audited.
  • 34. S5 Cloud Education
Srikanth reiterated the use of resource-specific roles
 When permissions need to be granted for specific resource types at any scope, use resource-specific roles
 For example, Storage has roles that cover both Actions and DataActions
 The diagram on the slide lists the storage account types and the roles specific to each:
 Blob
 File
 Queue
  • 35. S5 Cloud Education
Sara and Srikanth are assigning roles
Problem
 The implementation services team will have to access multiple services: storage, virtual machines, administration, monitoring and management
 The operations team needs to monitor and manage different services, and even perform fixes and other support activities
Solution
 Create groups of users and assign the groups multiple roles that provide the needed Actions and DataActions at a specific scope
 Create groups and assign CUSTOM roles that span multiple services
  • 36. S5 Cloud Education
What are Custom Roles and Why?
 Sometimes the Azure built-in roles do not serve the specific needs of your organization. Create custom roles to address the specific requirement
 Custom roles are user-defined roles with specific Actions, DataActions, NotActions and NotDataActions, assignable at the scopes you define
 Custom roles can be shared between subscriptions that trust the same Azure AD directory
 Custom roles can be created using Azure PowerShell, the Azure portal, the Azure CLI or the REST API
The quickest route is to clone an existing role, edit the JSON document, and adjust the permissions and AssignableScopes before creating it
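The clone-and-edit route on slide 36 is where over-broad custom roles usually come from, so it is worth linting the JSON before handing it to `az role definition create --role-definition role.json`. The following is an added example, not from the deck and not Microsoft's validation: the structural checks are the rules Azure enforces that the author is sure of (the seven properties present, IsCustom true, at least one AssignableScope in subscription, resource group or management group form, and no DataActions on a role assignable at management group scope); the rest is this example's own least-privilege lint. The base role is the slide-25 Virtual Machine Operator; the subscription and management group IDs are placeholders.

```python
"""Clone a role definition into a custom role and lint it (added example)."""
import copy
import json
import re

REQUIRED = ("Name", "Description", "Actions", "NotActions",
            "DataActions", "NotDataActions", "AssignableScopes")
SCOPE_FORMS = [  # the three scope shapes a custom role can be assignable at
    re.compile(r"^/subscriptions/[0-9a-f-]{36}$", re.I),
    re.compile(r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+$", re.I),
    re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I),
]
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"   # placeholder
MG = "/providers/Microsoft.Management/managementGroups/s5-enterprise"

BASE = {  # Virtual Machine Operator from slide 25
    "Name": "Virtual Machine Operator",
    "Id": "88888888-8888-8888-8888-888888888888",
    "IsCustom": True,
    "Description": "Can monitor and restart virtual machines.",
    "Actions": [
        "Microsoft.Storage/*/read", "Microsoft.Network/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*", "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Support/*",
    ],
    "NotActions": [], "DataActions": [], "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/{subscriptionId1}"],
}


def clone_role(base, name, description, assignable_scopes,
               add_actions=(), drop_actions=()):
    """Copy a definition, rename it, adjust Actions and set the scopes.
    The Id is dropped: Azure assigns one when the custom role is created."""
    role = copy.deepcopy(base)
    role.pop("Id", None)
    role.update(Name=name, Description=description, IsCustom=True,
                AssignableScopes=list(assignable_scopes))
    keep = [a for a in role["Actions"] if a not in set(drop_actions)]
    role["Actions"] = keep + [a for a in add_actions if a not in keep]
    for key in ("NotActions", "DataActions", "NotDataActions"):
        role.setdefault(key, [])
    return role


def lint_custom_role(role):
    """Return {'errors': [...], 'warnings': [...]}. Errors are definitions
    Azure rejects or that could never be assigned; warnings are this
    example's least-privilege lint."""
    errors, warnings = [], []
    for key in REQUIRED:
        if key not in role:
            errors.append(f"missing property {key}")
    if role.get("IsCustom") is not True:
        errors.append("IsCustom must be true for a custom role")
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        errors.append("AssignableScopes is empty; the role could never be assigned")
    for s in scopes:
        if not any(f.match(s) for f in SCOPE_FORMS):
            errors.append(f"unsupported AssignableScope format: {s}")
    if role.get("DataActions") and any("/managementGroups/" in s for s in scopes):
        errors.append("roles with DataActions cannot be assigned at management group scope")
    for a in role.get("Actions", []):
        if a == "*":
            warnings.append("Actions contains '*': full management-plane access, like Contributor or Owner")
        elif a.endswith("/*"):
            warnings.append(f"broad action {a}: list the specific operations instead")
        if a.lower().startswith("microsoft.authorization/") and not a.lower().endswith("/read"):
            warnings.append(f"{a} lets the role change RBAC itself; confirm this is intended")
    return {"errors": errors, "warnings": warnings}


def to_json(role):
    """The document to pass to `az role definition create --role-definition`."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    role = clone_role(BASE, "S5 VM Operator", "Start, restart and deallocate S5 Retail VMs",
                      [SUB], add_actions=["Microsoft.Compute/virtualMachines/deallocate/action"],
                      drop_actions=["Microsoft.Support/*"])
    print(to_json(role))
    print(lint_custom_role(role))
```

The warnings on the cloned role are the point: the slide-25 definition carries `Microsoft.Insights/alertRules/*` and `Microsoft.Insights/diagnosticSettings/*`, which are broader than "monitor and restart" needs, and a reviewer should decide whether to keep them.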
  • 37. S5 Cloud Education
Custom roles created to fulfil Sara's Azure RBAC requirements
The slide's diagram maps the custom roles onto the Retail subscription and its resources (Storage, VM, MySQL, ELB, Disk, Logs, Data). The custom roles are:
 S5RetailAppDeveloper
 S5PharmaAppDeveloper
 S5EntLogViewer
 S5RetailStorageContributor
 S5EntDataAdmin
 S5EntSecretsManager
 S5RetailAppLogViewer
 S5PharmalStorageContributor
  • 38. S5 Cloud Education
Sara raised a concern about subscriptions and Azure Active Directory
I understand that multiple subscriptions can be associated with one Azure Active Directory tenant.
• What happens when a subscription is moved from Azure Active Directory Tenant 1 to Azure Active Directory Tenant 2?
• She raised this because one of the subscriptions may need to be separated under a new domain.
Impacted RBAC services when Subscription 1 moves from Tenant 1 to Tenant 2:
Role Assignments
 Role assignments are permanently deleted
 Map the security principals to the corresponding objects in the new AD tenant
 Recreate the role assignments
Custom Roles
 Custom roles are permanently deleted
 Recreate the custom roles, then the role assignments that use them
Before the move, export the existing role assignments and custom role definitions so that they can be recreated in the new tenant.
  • 39. S5 Cloud Education
Sara has concerns about tracking changes in Azure RBAC
For auditing, she wants to track in particular:
 Create role assignment
 Delete role assignment
 Create or update custom role definition
 Delete custom role definition
The Activity Log records all of these activities for auditing and troubleshooting:
 Changes to role assignments and custom role definitions are tracked, together with who made them, when, and at what scope
 The Activity Log keeps the data for 90 days; export it to a Log Analytics workspace or a storage account if auditors need longer retention
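Reading slide 39 as a detection task, here is an added example (not from the deck) that picks the four RBAC change operations out of Activity Log records and ranks an Owner or User Access Administrator assignment at subscription or management group scope as high severity. SAMPLE_RECORDS are constructed and carry only a subset of the Activity Log event fields (operationName.value, caller, eventTimestamp, resourceId, status.value, properties); the assumption that the new assignment's roleDefinitionId and principalId arrive as a JSON string in properties["requestbody"] matches what the Activity Log records for roleAssignments/write, but confirm it against your own export. The GUIDs are the well-known built-in Owner, User Access Administrator and Reader role IDs; confirm them with `az role definition list`.

```python
"""Surface RBAC changes in Activity Log records (added example)."""
import json

RBAC_OPERATIONS = {
    "microsoft.authorization/roleassignments/write": "role assignment created",
    "microsoft.authorization/roleassignments/delete": "role assignment deleted",
    "microsoft.authorization/roledefinitions/write": "custom role created or updated",
    "microsoft.authorization/roledefinitions/delete": "custom role deleted",
}
PRIVILEGED_ROLES = {  # well-known built-in role definition IDs
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}
READER_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"   # placeholder
RG = SUB + "/resourceGroups/rg-s5retail"


def scope_of(resource_id):
    """A role assignment's scope is its resourceId without the
    '/providers/Microsoft.Authorization/...' tail."""
    idx = resource_id.lower().find("/providers/microsoft.authorization/")
    return resource_id[:idx] if idx >= 0 else resource_id


def scope_level(scope):
    s = scope.lower()
    if "/managementgroups/" in s:
        return "management group"
    if "/resourcegroups/" in s:
        return "resource" if "/providers/" in s else "resource group"
    return "subscription" if s.startswith("/subscriptions/") else "unknown"


def _lower_keys(obj):
    """requestbody keys are not consistently cased; normalise them."""
    if isinstance(obj, dict):
        return {k.lower(): _lower_keys(v) for k, v in obj.items()}
    return [_lower_keys(v) for v in obj] if isinstance(obj, list) else obj


def rbac_findings(records):
    """One finding per successful RBAC change; other operations are skipped."""
    findings = []
    for r in records:
        op = r["operationName"]["value"].lower()
        if op not in RBAC_OPERATIONS or r["status"]["value"] != "Succeeded":
            continue
        scope = scope_of(r["resourceId"])
        f = {"time": r["eventTimestamp"], "caller": r["caller"], "scope": scope,
             "change": RBAC_OPERATIONS[op], "level": scope_level(scope),
             "severity": "medium"}
        body = r.get("properties", {}).get("requestbody")
        if body:  # assumption: present on roleAssignments/write events
            props = _lower_keys(json.loads(body)).get("properties", {})
            role_id = props.get("roledefinitionid", "").rsplit("/", 1)[-1].lower()
            f["principalId"] = props.get("principalid")
            f["role"] = PRIVILEGED_ROLES.get(role_id, role_id)
            if role_id in PRIVILEGED_ROLES and f["level"] in ("management group", "subscription"):
                f["severity"] = "high"
        findings.append(f)
    return findings


def _record(ts, caller, op, resource_id, status="Succeeded", requestbody=None):
    """Build a constructed record in the (subset) Activity Log layout."""
    props = {"requestbody": json.dumps(requestbody)} if requestbody else {}
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "resourceId": resource_id, "status": {"value": status}, "properties": props}


def _assignment_body(role_id, principal, scope):
    return {"Properties": {"RoleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_id}",
                           "PrincipalId": principal, "Scope": scope}}


SAMPLE_RECORDS = [  # constructed
    _record("2021-03-01T09:00:00Z", "jc@s5ent.example", "Microsoft.Authorization/roleAssignments/write",
            SUB + "/providers/Microsoft.Authorization/roleAssignments/a1", requestbody=_assignment_body(READER_ID, "lucky-object-id", SUB)),
    _record("2021-03-01T09:05:00Z", "jc@s5ent.example", "Microsoft.Authorization/roleAssignments/write",
            SUB + "/providers/Microsoft.Authorization/roleAssignments/a2",
            requestbody=_assignment_body("8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "ci-service-principal-id", SUB)),
    _record("2021-03-01T09:10:00Z", "nara@s5ent.example", "Microsoft.Authorization/roleAssignments/write",
            RG + "/providers/Microsoft.Authorization/roleAssignments/a3", status="Failed"),
    _record("2021-03-01T10:00:00Z", "srikanth@s5ent.example", "Microsoft.Authorization/roleDefinitions/write",
            SUB + "/providers/Microsoft.Authorization/roleDefinitions/d1"),
    _record("2021-03-01T10:30:00Z", "nara@s5ent.example", "Microsoft.Compute/virtualMachines/write",
            RG + "/providers/Microsoft.Compute/virtualMachines/vm1"),
    _record("2021-03-01T11:00:00Z", "jc@s5ent.example", "Microsoft.Authorization/roleAssignments/delete",
            RG + "/providers/Microsoft.Authorization/roleAssignments/a4"),
]

if __name__ == "__main__":
    for f in rbac_findings(SAMPLE_RECORDS):
        print(f["severity"].upper(), f["time"], f["caller"], f["change"], f.get("role", ""), f["level"])
```

The failed attempt by Nara (a Contributor cannot write role assignments, as slide 24's NotActions explain) is deliberately dropped: a failed RBAC write is a separate signal and should be counted, not reported as a change. In practice the records come from `az monitor activity-log list` or a Log Analytics export rather than an inline list.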
  • 40. S5 Cloud Education Let us Check our Understanding

Editor's Notes

  1. Sara, a young entrepreneur, runs "S5 Enterprise". Sara is planning to launch 2 business applications, "S5 Retail" and "S5 Pharma", partnering with SaanV and Gita respectively. With the cloud revolution under way, Sara is planning to host the applications on Azure. Sara hired different professionals to support her in building the applications. Sara believes in understanding things before she applies them, and she went through the fundamentals of Azure before deciding to launch the applications. Sara understands that users need to be given least privilege to perform their functions, and she wants to implement best practices while building the solution on Azure. Sara converses with Srikanth Kappagantula, an Azure Administrator, to understand Azure specifics in terms of Accounts, Subscriptions and Tenants while setting up the Azure account.
  2. The Team includes
Business Partners: SaanV, Partner "S5 Retail"; Gita, Partner "S5 Pharma"
Internal Team: Srikanth Kappagantula, Azure Administrator; Srini, User Admin; Shaila, Accounting; Nara, Administrator; JC, User Access Administrator; Lucky, Internal Auditor
External Teams: Sailesh, External Auditor; Development Team, Development Partners; Operations Team, Managed Services Partners
  3. A role is a collection of permissions on objects in a namespace. Generally a role has a unique name and a description together with its collection of permissions. Roles are assigned to security principals (users, groups, service principals and managed identities), allowing them to perform operations such as read, write and delete on objects in a namespace. Every security principal is allocated to ROLES with LEAST PRIVILEGE, which allows them to perform or not perform certain actions. Besides, LEAST PRIVILEGE defines the ability to perform or not perform specific actions at the mentioned SCOPE. Not more, not less.
  4. Scope is the set of resources that the access applies to, and when a role is assigned we can further limit the actions allowed by defining a scope. To understand scope, let us define some common terms we use across the solution.
Azure Account: a globally unique entity. Can be an individual account or an organization account. An account contains multiple subscriptions and Active Directory tenants. An organization is a business entity identified by one or more public DNS domain names.
Azure Active Directory Tenant: a representation of an organization; a unique instance of Azure Active Directory. A tenant has its own identities and app registrations. An Azure Active Directory tenant can have more than 1 subscription.
Management Groups: containers to manage access, policy and compliance for multiple subscriptions. Subscriptions in a management group automatically inherit its conditions.
Subscription: an agreement with Microsoft to use Microsoft cloud platforms or services; the billing relationship between the party and Azure. Can host resource groups (resource containers) and resources. 1 subscription can be allocated to only 1 Active Directory tenant.
Resource Group: a logical container for resources. A subscription can have 1 or more resource groups; 1 resource group can be allocated to only one subscription. A resource group stores its metadata in a location.
Resource: an instance of an Azure service, e.g. a virtual machine, storage account or SQL database. A resource can be assigned to only one resource group. The location of a resource can differ from the location of its resource group.
Roles are defined with a set of assignable scopes, and a role is allocated to a security principal at a specific scope.
  5. Each account can have 1 or more Azure Active Directory tenants and subscriptions. Each Azure Active Directory tenant can be linked to more than 1 subscription, while the converse is not true: a subscription belongs to exactly one tenant. Every organization can have multiple management groups. Every management group can have more than 1 subscription. Every subscription can have more than 1 resource group. Every resource group can have more than 1 resource.
  6. Types of Roles in Azure
There are 3 types of roles in Azure that can be assigned at a scope.
Classic Subscription Administrator roles: these roles predate Azure RBAC and deal with management of the account and of its Active Directory tenant(s) and subscription(s). The Account Administrator is the billing owner of the account, and the Service Administrator and Co-Administrators have full access to the subscription. Mostly these roles are held by the user or organization who created the account, who nominates other users to handle specific functions. These roles come with full access, so be very cautious when assigning them to a user. They are built and managed only by Microsoft; custom roles cannot be created at this level.
Azure Active Directory Tenant roles: as the name suggests, these are related to the Azure Active Directory tenant. Each role grants access to the AD objects and properties that the role covers, and the administrator roles grant wide access to the directory. Mostly 2-3 roles are used if we are dealing only with Azure; if we also opt for Microsoft 365, more roles are needed to manage its functions. At the tenant level you can create custom roles that span multiple objects; only Azure AD Premium P1 and P2 support creating custom roles.
Azure roles: these roles are based on role-based access control (RBAC). They can be applied to Management Group(s) -> Subscription(s) -> Resource Group(s) -> Resource(s). The roles exhibit inheritance in relation to scope: when applied at a scope, the access automatically applies to every child scope, and assignments at different scopes add up. Custom roles can be created to address specific needs at this level.
  7. Classic subscription administrators have full access to the Azure subscription. The Service Administrator and Co-Administrator roles are tied to the account that signed up for the subscription with Azure; the account that signs up becomes the Service Administrator by default. Service Administrator and Co-Administrator are equivalent to the Azure role "Owner" at subscription scope.
  8. A role, or role definition, is a collection of permissions on objects in a namespace. Generally a role has a unique name and a description together with its collection of permissions. A role definition is assigned to security principals (users, groups, service principals and managed identities), allowing them to perform operations such as read, write and delete on objects in a namespace. Every security principal is allocated to ROLES with LEAST PRIVILEGE, which allows them to perform or not perform certain actions. Besides, LEAST PRIVILEGE defines the ability to perform or not perform specific actions at the mentioned SCOPE. Not more, not less.