You're reading from Exam Ref AZ-304 Microsoft Azure Architect Design Certification and Beyond

Product typeBook

Published inJul 2021

PublisherPackt

ISBN-139781800566934

Edition1st Edition

Tools

Azure Azure

Concepts

Cloud Computing

Author (1)

Brett Hargreaves

Chapter 4: Managing User Authorization

In the previous chapter, we covered how users are authenticated in solutions; this is the act of proving who you are. Once they have access, you must continually ensure that authenticated users can only access what they should – this is known as authorization.

At its simplest, some users may need administrative access to do everything within the Azure portal. In contrast, some users may only want to be able to read or view a specific resource.

In reality, you will have a vast mix of requirements everywhere between those two extremes – and of course, it's not just access to the Azure portal you will want to control, but all the apps and services you created in it.

In this chapter, we will examine how access control is performed using Active Directory (AD) roles and Azure roles.

Then, we'll look at how to manage the flow of access, using AD groups, management groups, subscriptions, and resource groups.

We'll...

Technical requirements

This chapter requires internet access to the Azure portal and an Azure subscription:

https://portal.azure.com

Understanding Azure roles

There are three distinct ways of managing user access in Azure, classic roles, Azure roles, and Azure AD roles. Each controls a different aspect of the platform and is used in different ways. We will examine the three types, how they are different, and how you use them.

Classic roles

When Azure was first introduced, access to resources was controlled using just three roles, which are discussed in the following sections.

Account Administrator

Only one per Azure account. This role grants access to the Azure Account Center for managing all subscriptions within an account. When you sign up for your Azure account, you are granted this role, and it enables you to create, cancel, and manage billing for subscriptions. It also allows you to change the Service Administrator role.

Service Administrator

Only one per subscription. This role allows you to manage the services in your Azure subscription, including canceling it. It is also the only role that will...

Managing users with hierarchies

A core principle for any system should be Least Privileged Access – that is, only allow access to something if it is required. Or, to put it another way, don't just give every user full owner access to everything! If a user only needs to manage storage accounts, only provide access to storage accounts.

To help manage access, a strategy of how these roles can be applied must be considered and designed.

After all, if you have thousands of users, granting access to each user on a per resource type basis would be unmanageable!

Management groups, subscriptions, and resource groups

We can assign user access to the resources they need at different scopes – management groups, subscriptions, resource groups, or individual resources. As we can see in the following figure, the relationships between these scopes are hierarchical, and permissions or roles set at the highest management group scope flow down to the child levels:

Figure...

Controlling access with PIM

The traditional security model defines policies such as least privileged access, meaning you should always assign the least amount of rights to any one user. However, you still need to assign administrator rights to some users.

With PIM, you can control when and for how long those rights are granted. In other words, users have to request elevated access as they need it explicitly, and this access can then be time-boxed to be automatically removed after a defined period.

This way, even if an individual account were compromised, an attacker would still not have high levels of access.

Specifically, PIM can help you by doing the following:

Providing just-in-time elevated access to Azure AD and resources
Assigning accounts with time-boxed start and end dates/times
Requiring an additional approval step for elevated access
Enforcing MFA
Requesting justification for why access is required
You getting notified when privileged roles are granted...

Managing risk with Identity Protection

To further support security for users, Microsoft employs an AI-based system for monitoring risky sign-ins. Known as Identity Protection, it continually monitors your users for known and new vulnerabilities and patterns that might indicate a compromised account.

Identity Protection monitors for two specific types of risk – User risk and Sign-in risk.

User risk

User risk is the probability that a user's account has been compromised. A risk score is calculated based on Microsoft's internal and external threat intelligence systems, such as security researchers, Microsoft's security teams, and other trusted services.

These types of risks are calculated offline – that is, they are based on information obtained from the above sources.

An example of the kind of threat it looks for are leaked credentials – when cybercriminals compromise a user's details, they are often shared on the dark web and traded...

Summary

In this chapter, we have covered authorization in Azure and how to manage user access, and introduced tools that will help you scale your user base without it becoming unmanageable.

We have covered the different types of roles available – Classic, Azure, and Azure AD, what the differences are, and how to create custom roles. We then looked at how to use management groups, subscriptions, and resource groups to manage the assignment of roles and, in particular, how rights flow down through hierarchies.

Using PIM, we saw how you can manage and grant time-boxed access to roles and run regular reports to ensure that the least privileged principle is adhered to.

Finally, we looked at advanced tooling for detecting and responding to common threats using Identity Protection.

With what you have learned in this chapter, you can now decide on the best authorization and security options for your own solutions.

In the next chapter, we will learn another complementary set...

Exam solution

The solutions to the exam scenarios can be found at the end of this book.

Mega Corp is a global company with a head office in the US and satellite offices in Europe. They have separate IT teams for the US and Europe, responsible for their regions in general, but ultimately the US IT Team has overall accountability.

Each region has a Sales, Marketing, and HR department, and each has its own IT Champions who support them by having the ability to create and manage resources and assign rights to other users.

The company is risk-averse and therefore demands that administrative roles be granted on the least privileged principle. They are also looking at automation options for responding to any external threats to their user accounts.

The rest of the chapter is locked

You have been reading a chapter from

Exam Ref AZ-304 Microsoft Azure Architect Design Certification and Beyond

Published in: Jul 2021Publisher: PacktISBN-13: 9781800566934

A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.

undefined

Unlock this book and the full library FREE for 7 days

Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of

Start free trial

Renews at $15.99/month. Cancel anytime

Author (1)

Brett Hargreaves

Brett Hargreaves is a principal Azure consultant for Iridium Consulting, who has worked with some of the world's biggest companies, helping them design and build cutting-edge solutions. With a career spanning infrastructure, development, consulting, and architecture, he's been involved in projects covering the entire solution stack using Microsoft technologies. He loves passing on his knowledge to others through books, blogging, and his online training courses.
Read more about Brett Hargreaves

Other recommended products

Related to this chapter

Implementing Microsoft Azure Architect Technologies: AZ-303 Exam Prep and Beyond

Microsoft Azure Architect - Exam Guide AZ-303 is a complete guide to mastering topics related to Azure Architect practices. With detailed coverage of concepts and techniques, you’ll gain the knowledge and skills required to take and pass the AZ-303 exam and become a Microsoft Azure Architect expert.

BookDec 2020548 pages

Microsoft Azure Architect Technologies: Exam Guide AZ-300

Microsoft Azure Architect Technologies: Exam Guide AZ-300 is a complete guide that will help you master topics related to Azure architect practices. Using this guide, you will have all the information required to take the AZ-300 exam and become a Microsoft Azure Architect expert.

BookJan 2020540 pages

Microsoft Azure Administrator ‚Äì Exam Guide AZ-103

Microsoft Azure Administrator- Exam Guide AZ-103 is a complete guide that will help you master topics related to Azure administrator practices. Using this guide, you will have all the information required to ace the AZ-103 exam and become a Microsoft Azure administrator expert.

BookMay 2019452 pages

Mastering Azure Security

Mastering Azure Security enables you to implement top-level security in your Azure tenant. With a focus on cloud security, this book will look at the architectural approach on how to design your Azure solutions to keep and enforce resources secure.

BookMay 2020262 pages

Implementing DevOps with Microsoft Azure

This book will walk you through all the concepts and tools that Microsoft Azure has to offer and how these can be used in the DevOps environment. You will be introduced to use and management of Visual Studio Team Services (VSTS), so that you can understand the structure of the application that we will use as a sample throughout the book. You will understand the nitty gritty of Continuous Integration and Continuous Development with Microsoft Azure Apps. You will not only learn how to create App Service Environment (ASE) but also how you can provide detailed comparison on Azure Web Apps and ASE to enhance security.

BookApr 2017422 pages

Microsoft 365 Security Administration: MS-500 Exam Guide

MS-500: Microsoft 365 Security Administration offers complete, up-to-date coverage of the MS-500 exam so you can take it with confidence, fully equipped to pass the first time.

BookJun 2020672 pages

Learning Microsoft Azure Storage

Microsoft Azure Storage is the bedrock of Microsoft's core storage solution offering in Azure. No matter what solution you are building for the cloud, you'll find a compelling use for Azure Storage. This book will help you get up-to-speed quickly on Microsoft Azure Storage by teaching you how to use the different storage services. You will be able to leverage secure design patterns based on real-world scenarios and develop a strong storage foundation for Azure virtual machines.

BookNov 2017276 pages

Learn Microsoft Azure

Microsoft Azure is a cloud computing platform that helps you build, deploy, and manage applications to overcome your business challenges. This book covers the commonly used Azure services and also explains how you effectively integrate and utilize them.

BookDec 2018354 pages

Implementing Microsoft Azure Infrastructure Solutions: Exam Guide 70-533

This book focuses on skills and knowledge for provisioning and managing services in Microsoft Azure. This includes implementing infrastructure components such as virtual networks, virtual machines, containers, web and mobile apps, storage, planning and managing Azure AD and configuring Azure AD integration with on-premises Active Directory domains.

BookAug 2018516 pages

Implementing Hybrid Cloud with Azure Arc

Azure Arc helps in simplifying the governance and monitoring of your infrastructure and gives you a single pane view across hybrid architectures deployed over multiple clouds or on-premises. If you are new to multi-cloud or cloud with Edge infrastructure, this book will provide a comprehensive introduction and get you up-to-speed in no time.

BookJul 2021242 pages

Hands-On Networking with Azure

Customizing networks and controlling the traffic flow is becoming a must for all the modern solutions, even if these solutions exist on Azure, on-premises or a combination of both. In this book, you will learn all Azure networking solutions and spanning them across Azure and On-premises, and how to build a highly available environment by them.

BookMar 2018276 pages

Professional Azure SQL Managed Database Administration

Whether it is learning different techniques to monitor and tune an Azure SQL database or improving performance using in-memory technology, this book will enable you to make the most out of Azure SQL database features and functionality for data management solutions.

BookMar 2021724 pages

Personalised recommendations for you

Based on your interests and search pattern

Designing and Implementing Microsoft Azure Networking Solutions

Designing and Implementing Microsoft Azure Networking Solutions Exam Ref AZ-700 is an all-encompassing guide to the AZ-700 exam and contains all the information you need to succeed in the world of virtual networking with Azure. With this book, you will be fully prepared for the exam and the world of cloud networking.

BookAug 2023524 pages

Microsoft 365 Security, Compliance, and Identity Administration

The Microsoft 365 Security, Compliance, and Identity Administration is a comprehensive guide that helps you employ Microsoft 365's robust suite of features and empowers you to optimize your administrative tasks.

BookAug 2023630 pages

Zero Trust Overview and Playbook Introduction

Get started on Zero Trust with this step-by-step playbook and learn everything you need to know for a successful Zero Trust journey with tailored guidance for every role, covering strategy, operations, architecture, implementation, and measuring success. This book will become an indispensable reference for everyone in your organization.

BookOct 2023240 pages

The Self-Taught Cloud Computing Engineer

This self-study book helps you master multiple clouds, including AWS, Azure, and GCP, and serves as a roadmap to becoming a certified cloud computing expert. The book will guide you to develop a professional cloud career by helping you build a broad cloud knowledge base, developing hands-on cloud computing skills, and getting cloud certified.

BookSep 2023472 pages

Technology Operating Models for Cloud and Edge

This book will help you build and create ownership of a technology operating model, as well as connect your leadership with engineering and operations, keeping your internal and external customers in mind. It provides practical tips on why, where, and how to make the cloud and edge platform paradigm sing for you, your team, and your organization.

BookAug 2023228 pages

Azure Architecture Explained

Azure is the preferred platform to build mission-critical and secure apps. This book provides comprehensive coverage of essential Azure products, services, and solutions vital for every solution architect's success. Elevate your knowledge and master the critical components of Azure to excel in your role with Azure Architecture Explained.

BookSep 2023446 pages

Pentesting Active Directory and Windows-based Infrastructure

This practical guide helps you explore the pentesting of Microsoft infrastructure in detail, and enhances your offensive skillset by showing you the different ways to perform security assessment. This book will help blue teamers and IT engineers get up to speed with possible security issues they may encounter in their Windows environments.

BookNov 2023360 pages

Practical Ansible

In Practical Ansible, you'll work with the latest release of Ansible and learn to solve complex issues quickly with the help of task-oriented scenarios. You'll start by installing and configuring Ansible to automate monotonous and repetitive IT tasks and get to grips with concepts such as playbooks, inventories, plugins, collections, and network modules.

BookSep 2023420 pages

Windows 11 for Enterprise Administrators

Microsoft’s launch of Windows 11 is a step toward satisfying the enterprise administrator’s needs for better management and enhanced user experience customization. This book provides the enterprise administrator with the knowledge needed to fully utilize the advanced feature set of Windows 11 Enterprise.

BookOct 2023286 pages

The Linux DevOps Handbook

This book is for software and IT professionals seeking knowledge on Linux systems and DevOps practices. This book will provide you with guidance and tools to learn and gain proficiency in managing Linux-based infrastructures and knowledge of DevOps.

BookNov 2023428 pages2