What are RBAC Roles in Azure and How to Use Them

Captions
In this video we review what role-based access control roles are and how to use them.

Hello everyone, I'm Travis and welcome to my channel. In this video we review what role-based access control, or RBAC, roles are and how they're used in Entra ID and Azure. This is going to be a high-level video with the goal of helping you understand this fundamental concept of Microsoft cloud services, and be sure to stick around to the end where I go over one of the most common mistakes people make with RBAC roles in Microsoft Entra and Azure. Before we get started, please like, subscribe and share with your friends; it helps support this channel and is greatly appreciated. Check out my courses on Azure Virtual Desktop, Windows 365, and hybrid identities with Windows AD and Entra ID, and thank you channel members, your support is appreciated. Back to it.

Before we talk about RBAC roles, let's start with the difference between authentication and authorization. Authentication is the process of proving an identity. People, devices and other security principals can be authenticated. When we sign into Entra ID or Azure we supply an identity, a username for example, along with multiple factors like passwords and tokens that prove we are who we say we are. Authorization grants an authenticated identity permission to do something. Once we prove who we are, we can be authorized to create resources in Azure, manage Exchange Online, or other cloud tasks. When we talk about authorization with Entra ID, we're talking about RBAC roles.

Entra ID, previously known as Azure AD, is the identity platform used by Azure and Microsoft 365 online products like Exchange and SharePoint Online and Intune. Each Entra ID instance is called a tenant or a directory. A tenant represents an organization in the Microsoft cloud services. An organization can have multiple tenants but only requires one. Once we have our identities in place, we can give them rights to do things with RBAC roles. There are two types of RBAC roles: Microsoft Entra roles and Azure roles.

A Microsoft Entra role consists of custom and built-in roles that apply to Entra ID and Microsoft 365 products. Some of these roles include the Global Admin, with rights to do everything in Entra ID and Microsoft 365; Exchange Administrator, for Exchange Online administration; and the License Administrator, with the ability to manage product licensing on users and groups. Microsoft Entra roles apply at the tenant level. They control access to Microsoft Entra resources using the Graph API. Roles can be applied to users, groups and other security principals. For example, we can assign a role in Entra ID by going to Roles and administrators. From there we can see our roles, all the built-in roles with descriptions for each. Find the role we're looking for; we'll select Billing Administrator for this example. From there we can add assignments. Our role is selected, as well as the scope; Microsoft Entra roles are scoped at the directory, or the tenant. Select a member, AADS User One for this example. There's also the option to select a group. Go next to assignment type. I'm using Privileged Identity Management, so there's an extra step: the user can be eligible for a role, meaning they have to perform some action to use the role, or we can set it to active so the role is always available. Once we press assign, the user has the role assignment.

Let's talk about Azure roles next. Azure roles are custom and built-in roles that apply at an Azure resource. An Azure role may be a subscription Owner, with rights to do anything on an Azure subscription including manage access; Backup Operators, with rights to manage backups; or Virtual Machine Contributors, with rights to manage virtual machines. There are many additional built-in roles available with Azure RBAC. We apply roles to a security principal at a scope. A security principal is a user, group, service principal or managed identity, something that requires access. For example, we could use a managed identity to allow Azure Automation to shut down VMs by giving it the Virtual Machine Contributor role.

We can get very granular with the scopes when it comes to Azure RBAC roles. Every instance of Azure starts with a root management group. We can have other management groups, but there's always at least one root management group. Then we have one or more subscriptions; in those subscriptions are resource groups, and in those resource groups we have resources. These are all scopes we can apply RBAC roles to. If we give our Azure Automation managed identity the Virtual Machine Contributor role at a single VM, the rights are limited to that VM. If we provide the same authorization to a resource group, the RBAC role applies to all VMs in that resource group. We can assign the role at the subscription scope; now the managed identity has the VM Contributor role for all the VMs in the subscription, and it works the same for management groups. The RBAC role applies to a security principal (a user, group, service principal or managed identity) at a scope and is inherited to all resources under that scope.

To assign a role, we go into Azure and find the scope we want to apply the role to. If we search for management groups, we can go into the management group and assign an RBAC role at that scope. We can also scope to subscriptions, resource groups and individual resources. Let's go to a subscription next. We'll open Access control (IAM). From here we have a few options for access management: we can view our access and check access, and we can also view existing role assignments. To add a role assignment, go to Add and select Add role assignment. Select the role; we'll search for and select Virtual Machine Contributor. Next, add the user, group, service principal or managed identity; I'll select the same user. Go next to review and assign, and assign. That assigns the Virtual Machine Contributor role to the user at the subscription scope. There's an option for a deny assignment so we can block RBAC role inheritance along the way. A deny assignment attaches a set of deny actions to a security principal at the resource scope.

As promised, I'm going to give you one of the most common RBAC role problems I've seen, and it's something we've already covered, so I'll use it to recap what we just went over. In the Microsoft Entra scope, that's Entra ID and all the Microsoft SaaS services like Exchange Online, Teams and Power Platform, the role with the highest level of access, including rights to modify permissions in Entra ID, is the Global Admin. That's the RBAC role with unlimited rights in Microsoft Entra, but not Azure. Azure is a different scope. The account with the highest level of access in Azure is the subscription Owner. The subscription Owner has rights to do everything, including modify access. The mistake I see people make is providing Global Admin rights to grant access into Azure subscriptions. If a consultant needs access to an Azure subscription and they get Global Admin rights, they may not have access to the subscription but will get a lot of access to Entra ID that they don't need, and that could become a security risk. One reason for this confusion is that if we spin up a new Azure subscription and a new Entra ID tenant, the default is to give the account that created the subscription both Global Admin in Entra ID and subscription Owner in the Azure subscription. That can make it seem like the Global Admin has elevated rights to the Azure subscription. There's a little bit more to this. An account with the Global Admin RBAC role does have the ability to give itself subscription Owner rights. From Entra ID, if the Global Admin goes to Properties and sets Access management for Azure resources to Yes, the account that's Global Admin can now go into a scope in Azure, the root management group or subscription for example, and give themselves the Owner role. This is a good example of why the Global Admin account should be tightly controlled. In any case, both Microsoft Entra and Azure use similar role definitions, but Microsoft Entra RBAC roles can't be used with Azure and Azure RBAC roles can't be used with Microsoft Entra.

That's an overview of RBAC roles. I hope this helps you better manage your Microsoft Entra and Azure environment. Thanks for watching.
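As an added illustration (not from the video or its transcript), here is a small Python model of the three points above: role assignments inherit down the management group, subscription, resource group and resource scopes; a deny assignment at a resource blocks that inheritance; and an Entra ID role such as Global Administrator is simply not an input to the Azure-side check. The role definitions, scope names, principals and assignments are constructed for the example.

```python
from fnmatch import fnmatchcase

# Simplified built-in Azure role definitions (constructed; real definitions list many more actions).
ROLE_ACTIONS = {
    "Owner": {"*"},
    "Virtual Machine Contributor": {"Microsoft.Compute/virtualMachines/*"},
}

# Scopes as tuples running from the root management group downward (constructed hierarchy).
ROOT = ("mg:root",)
SUB = ROOT + ("sub:prod",)
RG = SUB + ("rg:web",)
VM1 = RG + ("vm:web01",)
VM2 = RG + ("vm:web02",)

def in_scope(assignment_scope, target_scope):
    """An assignment applies to every scope at or below the one it was made at (inheritance)."""
    return target_scope[:len(assignment_scope)] == assignment_scope

def is_allowed(principal, action, target, role_assignments, deny_assignments=()):
    """Azure-side check: a matching deny assignment wins, otherwise any inherited role that
    covers the action allows it. Entra ID roles are deliberately not an input here, because
    a tenant-level role such as Global Administrator grants nothing inside Azure scopes."""
    for p, denied, scope in deny_assignments:
        if p == principal and in_scope(scope, target) and any(fnmatchcase(action, d) for d in denied):
            return False
    return any(
        p == principal and in_scope(scope, target)
        and any(fnmatchcase(action, a) for a in ROLE_ACTIONS[role])
        for p, role, scope in role_assignments
    )

# Constructed sample assignments: the automation managed identity from the video at subscription
# scope, plus a deny assignment attached at a single VM to block inheritance there.
ROLE_ASSIGNMENTS = [("automation-mi", "Virtual Machine Contributor", SUB)]
DENY_ASSIGNMENTS = [("automation-mi", {"Microsoft.Compute/virtualMachines/deallocate/action"}, VM2)]
ENTRA_ROLES = {"consultant": {"Global Administrator"}}  # tenant role only; never consulted above

def demo():
    stop = "Microsoft.Compute/virtualMachines/deallocate/action"
    read = "Microsoft.Compute/virtualMachines/read"
    return {
        "mi_stops_vm1": is_allowed("automation-mi", stop, VM1, ROLE_ASSIGNMENTS, DENY_ASSIGNMENTS),
        "mi_stops_vm2": is_allowed("automation-mi", stop, VM2, ROLE_ASSIGNMENTS, DENY_ASSIGNMENTS),
        "mi_writes_storage": is_allowed("automation-mi", "Microsoft.Storage/storageAccounts/write", RG, ROLE_ASSIGNMENTS),
        "global_admin_reads_vm": is_allowed("consultant", read, VM1, ROLE_ASSIGNMENTS),
        # Only an explicit Azure assignment (Owner at the subscription here) lets the consultant in.
        "owner_reads_vm": is_allowed("consultant", read, VM1, ROLE_ASSIGNMENTS + [("consultant", "Owner", SUB)]),
    }
print(demo())
```

The consultant's Global Administrator entry in ENTRA_ROLES never changes the result; only the Owner assignment at SUB does, which is the separation the video's closing point describes.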
Info
Channel: Travis Roberts
Views: 1,375
Keywords: RBAC, Role Based Access Control, Access Control, IAM, Entra ID, Entra, Entra Domain Services, Entra Connect Sync, Azure, Azure AD, Azure Management, free tutorial, Azure Free, sysadmin, cloud computing, cloud, Azure Active Directory, Microsoft Entra ID, Microsoft
Id: qLRFjLsNl7s
Length: 8min 44sec (524 seconds)
Published: Sun Dec 24 2023