Tutorial / Cram Notes

Azure AD includes several built-in roles that can be assigned to users, groups, service principals, and managed identities. These roles are broadly categorized into three types:

  • Global Roles: These roles provide access across all Azure AD assets within a directory and are typically assigned to administrators who need broad access.
  • Application Roles: These are used to manage specific applications in Azure AD.
  • Directory Roles: These roles are scoped to administrative tasks within Azure AD itself.

Some of the most commonly used built-in Azure AD roles include:

  • Global Administrator: This role has access to all administrative features in Azure AD, as well as services that federate to Azure AD, such as Office 365.
  • User Administrator: This role can manage all aspects of users and groups, including support tickets, but cannot manage assignments in Azure AD roles or other administrative groups.
  • Security Administrator: This role can read all information in the Azure AD and Microsoft 365 security and compliance centers, and help manage security and compliance features.
  • Application Administrator: This role can manage all aspects of applications and application registrations.

Assigning Azure AD Roles

To assign a role to a user or group, you need to have either the Privileged Role Administrator or the Global Administrator role. The process of assigning roles in Azure AD consists of the following steps:

  1. Access Azure AD: Sign in to the Azure portal with an account that has the role required to assign roles.
  2. Select Azure AD: In the portal, navigate to Azure Active Directory from the list of services to manage the directory for your organization.
  3. Choose Roles and administrators: From Azure AD, click on “Roles and administrators” to list all the available roles.
  4. Pick the role: Select the role you wish to assign from the list.
  5. Assign the role: Click the “Add assignments” or “Add member” button to start the assignment process.
  6. Select user or group: Search for and select the user or group to whom the role will be assigned.
  7. Complete the assignment: Confirm the assignment by clicking the appropriate button, usually labeled ‘Assign’.

Example: Assigning a Security Administrator role

Imagine you want to assign the Security Administrator role to a user named Mia Wallace in your organization. Follow these steps:

  1. Sign into the Azure portal with an account that is a Privileged Role Administrator or Global Administrator.
  2. Navigate to Azure Active Directory > Roles and administrators.
  3. In the roles list, click on “Security Administrator.”
  4. Click “Add assignments.”
  5. Search for Mia Wallace and select her account.
  6. Click ‘Assign’ to add Mia as a Security Administrator.
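The same assignment done from the command line, as an added example that is not part of the original notes. It uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Get-MgUser`, `Get-MgRoleManagementDirectoryRoleDefinition`, `New-MgRoleManagementDirectoryRoleAssignment`) and assumes the `Microsoft.Graph` module is installed and the signed-in account holds Privileged Role Administrator or Global Administrator, exactly as the portal procedure requires. The user and role names are the tutorial's own; everything else is assumed.

```powershell
# Added example: assign the Security Administrator role to Mia Wallace with the
# Microsoft Graph PowerShell SDK, then list the role's assignments to verify.
# Assumes: Install-Module Microsoft.Graph has been run and the caller holds
# Privileged Role Administrator or Global Administrator.

$roleName = 'Security Administrator'
$userName = 'Mia Wallace'

# Read the role catalogue and write assignments; read users to resolve the principal.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# 1. Resolve the user. Display names are not unique, so stop on anything but one match.
$users = @(Get-MgUser -Filter "displayName eq '$userName'" -Property Id, DisplayName, UserPrincipalName)
if ($users.Count -ne 1) {
    throw "Expected exactly one user named '$userName', found $($users.Count). Filter on userPrincipalName instead."
}
$user = $users[0]

# 2. Resolve the built-in role definition by its display name.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' not found in this tenant." }

# 3. Make the script idempotent: an assignment that already exists is reported, not re-created.
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$($role.Id)' and principalId eq '$($user.Id)'"
if ($existing) {
    Write-Host "$($user.UserPrincipalName) already holds $roleName; nothing to do."
}
else {
    # 4. Create the assignment. DirectoryScopeId '/' is the tenant-wide scope.
    $assignment = New-MgRoleManagementDirectoryRoleAssignment `
        -RoleDefinitionId $role.Id `
        -PrincipalId $user.Id `
        -DirectoryScopeId '/'
    Write-Host "Created assignment $($assignment.Id) for $($user.UserPrincipalName)."
}

# 5. Verify: list every principal holding the role (the portal's "Assigned" tab).
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty Principal |
    ForEach-Object {
        $p = $_.Principal.AdditionalProperties
        # Users carry a UPN; groups and service principals only a display name.
        $name = if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
        [pscustomobject]@{ Principal = $name; Scope = $_.DirectoryScopeId; Role = $roleName }
    } | Format-Table -AutoSize
```

The existence check in step 3 matters when this runs from automation: Graph rejects a duplicate assignment with a conflict error, and a script that treats that as a failure will alarm on reruns that changed nothing.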

Best Practices in Role Assignment

  • Least Privilege: Assign roles that provide the minimum level of access required for users to perform their tasks.
  • Role Assignment Reviews: Regularly review role assignments to ensure that user permissions still align with their job functions.
  • Use Role-based Access Control (RBAC): Where applicable, use Azure RBAC to assign permissions more granularly at the Azure resource level.
  • Audit Role Assignments: Utilize Azure AD’s audit logs to monitor role assignments and ensure that changes are authorized.
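The "Audit Role Assignments" practice above, worked as an added example that is not part of the original notes. The function scans "Add member to role" audit events and flags additions to high-privilege roles that were not made by an approved account. The three events are constructed sample data shaped like Microsoft Graph `directoryAudit` records (the `Role.DisplayName` modified property is assumed to arrive JSON-quoted, as it does in real exports); the privileged-role list and the approved-initiator account are assumptions for your own environment.

```powershell
# Added example: flag privileged-role additions made outside the approved process.
# $events below is constructed sample data, not output from a real tenant.

# Roles whose membership changes always get a second look (assumed list; adjust to taste).
$privilegedRoles = @('Global Administrator', 'Privileged Role Administrator',
                     'Security Administrator', 'Application Administrator')
# Accounts expected to make role changes, e.g. a change-management automation (assumed).
$approvedInitiators = @('pim-automation@contoso.example')

function New-SampleEvent {
    param([string]$Initiator, [string]$Member, [string]$Role, [string]$When)
    # Mirrors the directoryAudit shape: InitiatedBy.User, TargetResources[].ModifiedProperties[].
    [pscustomobject]@{
        ActivityDisplayName = 'Add member to role'
        ActivityDateTime    = [datetime]$When
        InitiatedBy         = [pscustomobject]@{ User = [pscustomobject]@{ UserPrincipalName = $Initiator } }
        TargetResources     = @(
            [pscustomobject]@{
                Type               = 'User'
                UserPrincipalName  = $Member
                ModifiedProperties = @([pscustomobject]@{ DisplayName = 'Role.DisplayName'; NewValue = "`"$Role`"" })
            }
        )
    }
}

# Constructed events: one approved change, one unapproved privileged change, one low-privilege change.
$events = @(
    (New-SampleEvent 'pim-automation@contoso.example' 'mia.wallace@contoso.example'  'Security Administrator' '2024-03-01T09:12:00Z'),
    (New-SampleEvent 'jules@contoso.example'          'vincent@contoso.example'      'Global Administrator'   '2024-03-01T23:41:00Z'),
    (New-SampleEvent 'jules@contoso.example'          'marsellus@contoso.example'    'Helpdesk Administrator' '2024-03-02T08:05:00Z')
)

function Find-UnexpectedRoleAssignment {
    param([object[]]$AuditEvents, [string[]]$PrivilegedRoles, [string[]]$ApprovedInitiators)
    foreach ($e in $AuditEvents) {
        if ($e.ActivityDisplayName -ne 'Add member to role') { continue }
        $initiator = $e.InitiatedBy.User.UserPrincipalName
        foreach ($target in $e.TargetResources) {
            $roleProp = $target.ModifiedProperties | Where-Object DisplayName -eq 'Role.DisplayName'
            if (-not $roleProp) { continue }
            $role = $roleProp.NewValue.Trim('"')   # strip the JSON quoting
            if ($PrivilegedRoles -contains $role -and $ApprovedInitiators -notcontains $initiator) {
                [pscustomobject]@{ When = $e.ActivityDateTime; Role = $role; Member = $target.UserPrincipalName; By = $initiator }
            }
        }
    }
}

# Expected: only the Global Administrator addition by jules@contoso.example is reported.
Find-UnexpectedRoleAssignment -AuditEvents $events -PrivilegedRoles $privilegedRoles -ApprovedInitiators $approvedInitiators |
    Format-Table -AutoSize

# Against a live tenant (AuditLog.Read.All scope), replace $events with:
#   Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Add member to role' and activityDateTime ge 2024-03-01T00:00:00Z" -All
```

Run on a schedule, the function turns the "audit logs" bullet into a concrete control: anything it returns is a role grant that bypassed the expected path and should be checked against a change record before it is allowed to stand.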

Conclusion

Effectively managing Azure AD role assignments is vital for maintaining a secure and efficient environment. Understanding the built-in roles and the process of assigning them to users or groups is fundamental for any Azure administrator. By following best practices, organizations can ensure that they minimize the risks associated with permissions while enabling their workforce to accomplish necessary tasks.

Practice Test with Explanation

True or False: The “Global Administrator” role in Azure AD gives the user full access to all administrative features in Azure AD, as well as services that use Azure AD identities.

  • Answer: True

The Global Administrator role in Azure AD has access to all administrative features in Azure AD, including the ability to assign roles in Azure AD, and is the only role that can assign other administrative roles.

Which of the following roles is primarily responsible for managing identity governance in Azure AD?

  • A) Compliance Administrator
  • B) Privileged Role Administrator
  • C) User Administrator
  • D) Global Reader

Answer: B) Privileged Role Administrator

The Privileged Role Administrator can manage role assignments in Azure AD, manage access reviews, manage all aspects of Privileged Identity Management (PIM), and more.

True or False: Users assigned the “Security Administrator” role can manage security settings in Azure AD, but cannot assign roles or manage licenses.

  • Answer: True

The Security Administrator role in Azure AD is focused on security settings and can manage security policies, alerts, and recommendations, but cannot assign roles or manage licenses.

Which of the following Azure AD roles should you assign to a user who needs to manage app registrations and enterprise applications but should not have any other administrative permissions?

  • A) Cloud Application Administrator
  • B) Application Administrator
  • C) Global Administrator
  • D) Security Reader

Answer: B) Application Administrator

The Application Administrator role is designed to allow users to manage app registrations and enterprise applications without granting broad administrative permissions.

True or False: The “User Administrator” role also grants the ability to manage all aspects of Azure AD and Office 365 services.

  • Answer: False

The User Administrator role allows the user to manage users and groups, including password resets, but does not include broader administrative privileges over Azure AD or Office 365 services.

Multiple select: Which of the following tasks can a “Helpdesk Administrator” perform in Azure AD? (Select all that apply)

  • A) Reset passwords for non-administrators
  • B) Manage user licenses
  • C) Manage all aspects of Azure AD PIM
  • D) Read user information and sign-in activity

Answers: A) Reset passwords for non-administrators, D) Read user information and sign-in activity

A Helpdesk Administrator can reset passwords for non-admins and read basic directory information, but cannot manage user licenses or Azure AD PIM.

True or False: Users in the “Billing Administrator” role can make purchases, manage subscriptions, manage support tickets, and monitor service health.

  • Answer: True

The Billing Administrator role enables users to perform tasks related to billing, such as making purchases, managing subscriptions, handling support tickets, and monitoring service health.

Which of the following Azure AD roles is designed for users who need to manage security policies and view security data, but not manage user identities or assignments?

  • A) Security Administrator
  • B) Security Reader
  • C) Compliance Administrator
  • D) Global Administrator

Answer: B) Security Reader

The Security Reader role allows a user to view security policies, logs, and reports but does not allow the user to change security settings or manage user identities.

True or False: The “Exchange Administrator” role in Azure AD is sufficient for managing mailboxes, anti-spam and anti-malware policies in Exchange Online.

  • Answer: True

The Exchange Administrator role in Azure AD is specifically targeted at managing Exchange Online features, including mailboxes and security policies for spam and malware protection.

Which role should you assign to a user who needs to read all administrative settings in Azure AD without the ability to change them?

  • A) User Access Administrator
  • B) Global Reader
  • C) Privileged Role Administrator
  • D) Compliance Administrator

Answer: B) Global Reader

The Global Reader role provides the ability to view all administrative settings and configurations across Azure AD and Azure services but does not allow any changes.

Interview Questions

What is Azure AD Privileged Identity Management (PIM)?

Azure AD Privileged Identity Management (PIM) is a service that allows organizations to manage, control, and monitor privileged access to Azure resources.

How can you add a role to a user in PIM?

You can add a role to a user in PIM by navigating to the PIM portal, selecting the role you want to add the user to, and then selecting the user from the list of eligible users.

What are the steps to add a role to a user in PIM?

The steps to add a role to a user in PIM are:

  1. Navigate to the PIM portal.
  2. Select the role you want to add the user to.
  3. Select the user from the list of eligible users.
  4. Choose the assignment type and duration.
  5. Review and confirm the request.
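The PIM steps above, with the "assignment type and duration" choice made explicit, as an added example that is not part of the original notes. It creates an eligible (not active) assignment through Microsoft Graph PowerShell with `New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest`, then lists the user's eligible and active schedules side by side, which is the distinction the interview question on eligible versus active roles asks about. It assumes a PIM-licensed tenant, the `Microsoft.Graph` module, a caller holding Privileged Role Administrator, and a placeholder user object id.

```powershell
# Added example: make a user eligible for Security Administrator via PIM for 90 days.
# Assumes: PIM is licensed, Microsoft.Graph is installed, caller is Privileged Role Administrator.

Connect-MgGraph -Scopes 'RoleEligibilitySchedule.ReadWrite.Directory', 'RoleManagement.ReadWrite.Directory'

$userId = '00000000-0000-0000-0000-000000000000'   # placeholder: replace with the user's object id
$role   = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Administrator'"
if (-not $role) { throw 'Security Administrator role definition not found.' }

$params = @{
    action           = 'adminAssign'                      # an administrator granting eligibility
    justification    = 'Security on-call rotation, change ref CHG-0000 (placeholder)'
    roleDefinitionId = $role.Id
    directoryScopeId = '/'                                # tenant-wide scope
    principalId      = $userId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{
            type     = 'afterDuration'
            duration = 'P90D'                             # ISO 8601: eligibility lapses after 90 days
        }
    }
}

$request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
$request | Select-Object Id, Action, Status

# Eligible: the user may activate the role (subject to MFA/approval policy) but holds nothing yet.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$userId'" |
    Select-Object RoleDefinitionId, MemberType, Status

# Active: roles the user holds right now, whether permanently assigned or activated from eligibility.
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "principalId eq '$userId'" |
    Select-Object RoleDefinitionId, AssignmentType, Status
```

The `expiration` block is the part worth getting right: `afterDuration` with `P90D` forces the eligibility to lapse and be re-justified, whereas an `expiration.type` of `noExpiration` recreates the standing-privilege problem PIM exists to remove.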

How can you view the assignments for a role in Azure AD?

You can view the assignments for a role in Azure AD by navigating to the Azure AD portal, selecting the role you want to view assignments for, and then selecting the “Assigned” tab.

What are the steps to view the assignments for a role in Azure AD?

The steps to view the assignments for a role in Azure AD are:

  1. Navigate to the Azure AD portal.
  2. Select the role you want to view assignments for.
  3. Select the “Assigned” tab.

What is a group in Azure AD?

A group in Azure AD is a collection of users, devices, or other groups that can be used to assign permissions to resources.

How can you view the assignments for a group in Azure AD?

You can view the assignments for a group in Azure AD by navigating to the Azure AD portal, selecting the group you want to view assignments for, and then selecting the “Members” tab.

What are the steps to view the assignments for a group in Azure AD?

The steps to view the assignments for a group in Azure AD are:

  1. Navigate to the Azure AD portal.
  2. Select the group you want to view assignments for.
  3. Select the “Members” tab.

What is the difference between an eligible role and an active role in PIM?

An eligible role is a role that a user is eligible to request access to in PIM, while an active role is a role that a user is currently assigned to.

What are the benefits of using PIM?

The benefits of using PIM include increased security, improved compliance, and better control over privileged access to Azure resources.

What is the difference between a built-in role and a custom role in Azure AD?

A built-in role is a pre-defined role that provides a set of permissions for a specific task, while a custom role is a role that you can define and customize to meet the specific needs of your organization.

How can you create a custom role in Azure AD?

You can create a custom role in Azure AD by using the Azure portal, PowerShell, or the Azure AD Graph API.

How can you assign a role to a group in Azure AD?

You can assign a role to a group in Azure AD by using the Azure portal or PowerShell.
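The PowerShell route for assigning a role to a group, as an added example that is not part of the original notes; it also covers the earlier question on viewing a group's members. It uses `New-MgGroup`, `New-MgRoleManagementDirectoryRoleAssignment` and `Get-MgGroupMember` from the Microsoft Graph PowerShell SDK and assumes the module is installed and the caller holds Privileged Role Administrator. The group name and role are constructed for the example.

```powershell
# Added example: create a role-assignable group, give it the Security Reader role,
# and list who inherits that role through membership.
# Assumes: Microsoft.Graph installed; caller is Privileged Role Administrator
# (required both to create role-assignable groups and to assign directory roles).

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'GroupMember.Read.All'

# Only groups created with isAssignableToRole = true can hold Azure AD roles, and the
# flag cannot be switched on later, so it is set at creation. (Group name is constructed.)
$group = New-MgGroup -DisplayName 'SecOps Readers' `
    -MailNickname 'secops-readers' `
    -MailEnabled:$false `
    -SecurityEnabled `
    -IsAssignableToRole

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Reader'"
if (-not $role) { throw 'Security Reader role definition not found.' }

# The group, not an individual user, is the principal of the assignment.
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId $group.Id `
    -DirectoryScopeId '/' | Select-Object Id, PrincipalId, RoleDefinitionId

# Review who actually receives the role: the group's members (the portal's "Members" tab).
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
    $p = $_.AdditionalProperties
    if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
}
```

Because membership of a role-assignable group is itself a privileged operation, reviewing role assignments in this model means reviewing two lists: the roles held by the group and the members of the group.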

What are the best practices for managing Azure AD roles?

The best practices for managing Azure AD roles include using role-based access control (RBAC), limiting the number of people who have access to privileged roles, and regularly reviewing and removing unnecessary role assignments.

Gorana Anđelić
10 months ago

I found the process of assigning built-in Azure AD roles quite straightforward. The GUI in Azure makes it quite intuitive.

Clara Olsen
1 year ago

Does anyone know if we can automate the assignment of these roles using PowerShell?

Beverley Spencer
1 year ago

Is it possible to assign custom roles in Azure AD?

Aubrey Andersen
2 years ago

Thanks for the informative post!

Shylaja Kavser
2 years ago

Can someone explain the difference between Azure AD roles and Azure RBAC roles in a practical scenario?

Isabella Pedersen
1 year ago

Appreciate the detailed guide. Helped me a lot!

Emma Madsen
1 year ago

I think some steps were not clear enough. It would be great if you could add more screenshots to the post.

Ana Gil
1 year ago

Does anyone have any tips for managing role assignments for a large number of users?
