Software Engineering Life

Nov 05, 20244 min read

Up:: Microsoft Azure Developer Associate AZ-204 2023

Azure Roles

Azure Roles

  • 06:56:11 Azure Roles
    • 3 Types of Roles in Azure
      • Classic Subscription administrator roles - original system
      • Azure Roles - auth system known as RBAC built on top of Azure Resource Manager
      • Azure Active Directory (Azure AD) roles - AD roles used to manage resources in a directory
    • IAM Access Controls
      • Azure Roles (RBAC system)
        • BuiltInRole - Managed by Microsoft - read only - pre-created for you to use
        • CustomRole - Created by you with own custom logic
      • Role Assignment
        • When you apply a role to a
          • Service principle
          • user group
          • user
      • Deny Assignments
        • Block users from performing actions even if role assignments grant them access.
        • Only to way apply Deny assignments is through Azure BluePrints
    • Classic Administrator
      • original role system
      • 3 types of roles
        • Account Administrator - Billing Owner of subscription. No access to Azure Portal
        • Service Administrator - Same access of a user assigned the Owner role at subscription scope - Full access to Azure Portal
        • Co-Administrator - same access of a user who is assigned the Owner role at the subscription scope
      • Should be using RBAC
    • Role-based Access Control
      • Helps manage who has access to Azure resources, what they can do with those resources and what areas they have access to.
      • Role Assignments - the way you control access to resources
        • Three elements
          • security principal
          • role definition
          • scope
      • There are four (4) fundamental Azure Roles
      • Azure RBAC includes over 70 built-in roles
      • Security Principal represents the identities requesting access to an Azure resource
        • User - Individual who has a profile in Azure AD
        • Group - Set of users in Azure AD
        • Service Principal - security identity used by applications or services to access specific Azure resources
        • Managed Identity - Identity in Azure ID managed by Azure
      • Scope is a set of resources that access for the Role Assignment applies to
        • Scope Access Controls at the Management, Subscription or Resource Group level
      • Role Definition is a collection of permissions
        • lists the operations that can be performed, such as read, write and delete
        • Roles can be high-level, like owner, or specific, like virtual machine reader.
      • Built In Fundamental Azure Roles
        • Owner - Read, Grant, Create, Update, Delete
        • Contributor - Read, Create, Update, Delete
        • Reader - Read
        • User Access Administrator - Grant
    • Azure AD Roles
      • Used to manage Azure AD resources in a directory
        • create or edit users
        • assign administrative roles to others
        • reset user password
        • manage user licenses
        • manage domains
      • Important Built-In Azure AD Roles
        • Global Administrator - Full access to everything
        • User Administrator - Full access to create and manage users
        • Billing Administrator - Make purchases, manage subscriptions and support tickets
      • Can create custom roles but you need to purchase either
        • Azure AD Premium P1 or P2
    • Azure Roles
      • Anatomy of an Azure Role
        • 07:05:04 Azure Roles Anatomy
        • * Wildcard permissions - matches all actions
    • Policies vs RBAC
      • Azure Policies
        • Used to ensure compliance of resource
        • Evaluates state by examining properties on resources that are represented in Resource Management and properties of some Resource Provider
        • doesn’t restrict actions (aka operations)
        • ensures resource state is compliant to your business rules without concern for who made the change or who has permission to make the change
        • Even if individual has permission to perform an action, policy will block the creation of resource if it is non-compliant.
      • Azure Roles
        • Used to control access to Azure Resource
    • Azure AD Roles vs RBAC
      • Azure AD Roles
        • Controls access to AD resources
      • Azure Roles
        • Controls access to Azure resources
      • Azure Roles and Azure AD Roles do not span Azure and Azure AD
      • By default, the Global Administrator does not have access to Azure Resources
        • Can gain access if granted the User Access Administrator role (Azure Role)

Additional Metadata

Graph View

Backlinks