
Let’s talk about Azure AD RBAC

Role-Based Access Control in Azure AD: Best Practices and Insights


Welcome to the next installment in our Azure AD series, where we explore the powerful capabilities of Azure AD. In this article, we will take a deep dive into one of the most essential aspects of Azure AD: Role-Based Access Control (RBAC). RBAC is a fundamental component of Azure AD that allows organizations to efficiently manage access to resources by assigning roles to users, groups, and applications. By leveraging RBAC, businesses can implement fine-grained access control and ensure that users have the appropriate permissions to perform their tasks while maintaining a secure and well-organized environment.

Cybersecurity is a critical focus in the age of cloud computing. Zero Trust and the principle of least privilege are essential concepts that organizations incorporate into their security frameworks. The principle of least privilege guides the configuration of RBAC: grant users only the minimum privileges necessary to fulfill their tasks. These principles are key components of modern security strategies, aiming to reduce the attack surface and limit the impact of a security breach.


Understanding RBAC

Azure AD offers two types of role definitions: built-in roles and custom roles. Built-in roles are pre-defined roles that have a predetermined set of permissions and cannot be modified. Examples of built-in roles in Azure AD include “Global Administrator,” which has full access to all Azure AD resources and settings, and “User Administrator,” which focuses on user management tasks such as password resets and user creation. These built-in roles provide a convenient starting point for access management. On the other hand, organizations can tailor their access requirements by creating custom roles to meet specific and intricate needs. Assigning permissions using custom Azure AD roles involves a two-step process: creating a custom role definition and then assigning it through a role assignment. This flexibility allows organizations to precisely configure access controls within their Azure AD environment.

A custom role definition is a collection of permissions selected from a predefined list. These permissions align with the permissions used in the built-in roles. Once you have defined your custom role, or even if you choose to use a built-in role, you can assign it to a user by creating a role assignment. A role assignment grants the user the permissions specified in the role definition, within a defined scope.

The two-step process of custom role creation and role assignment offers flexibility. It enables the use of a single role definition across various scopes. A scope determines the set of Azure AD resources accessible to the role member. The most common scope is organization-wide, where the custom role permissions are applicable to all resources within the organization. Additionally, a custom role can be assigned at an object scope, such as a specific application. This means that the same role can be assigned to one user for all applications in the organization, while another user may have the role with a scope limited to only a particular app.

By leveraging built-in roles and custom roles within Azure AD, organizations can effectively manage access permissions based on their specific requirements, granting users appropriate privileges within defined scopes.

The principle of least privilege is crucial when considering role assignments within Azure AD. Following this principle ensures that users are granted only the minimum privileges necessary to perform their tasks effectively. For instance, it would be inappropriate to assign a helpdesk user the Global Administrator role, which has broad administrative access to all Azure AD resources. Instead, the principle of least privilege dictates that the helpdesk user should be assigned a role that specifically grants permissions for password reset operations, such as the “Password Administrator” role. By adhering to the principle of least privilege, organizations can reduce the risk of accidental or intentional misuse of privileges and enhance overall security within their Azure AD environment.

In addition to RBAC, Azure AD offers an advanced access management feature called Privileged Identity Management (PIM). Let’s explore how PIM enhances access control and security within Azure AD.


Understanding PIM

PIM is a premium feature that comes with Azure AD Premium P2. It provides organizations with enhanced control over privileged access by enabling just-in-time access to administrators. This feature allows users to obtain temporary access to privileged roles for a specific duration, reducing the risks associated with long-term privileged access.

PIM offers several benefits for access management. First, it allows organizations to implement the principle of least privilege more effectively by granting temporary access only when necessary. This minimizes the exposure of privileged roles and reduces the potential impact of security breaches. Second, PIM provides detailed reporting and auditing capabilities, ensuring visibility into privileged role activations and enhancing overall governance and compliance.

With PIM, users can become eligible members of an Azure AD role and activate that role for a limited time when required. Once the predefined timeframe expires, privileged access is automatically revoked. This just-in-time activation process ensures that privileged access is only granted when needed, reducing the attack surface and enhancing overall security.

PIM allows organizations to configure approval workflows for role assignments, ensuring that access to highly privileged roles is properly authorized. This adds an additional layer of control and oversight to the activation process. Furthermore, PIM can be configured to send notification emails when a role assignment is activated. These notifications serve as alerts, providing administrators with visibility and awareness of any changes in privileged access.


Understanding scope

Scope refers to the specific set of resources to which access permissions apply. When assigning a role, it is crucial to consider the scope to ensure that the access granted aligns with what is truly necessary. By carefully defining the scope, you can limit the potential risk to resources if the access of a security principal is compromised. In other words, restricting the scope ensures that only the essential resources are accessible, reducing the potential impact of any security breaches or unauthorized access. This approach helps maintain a higher level of security by minimizing the potential exposure of sensitive resources in case of a compromise.

Scope level

Azure RBAC offers flexible access management by providing four distinct scope levels: management group, subscription, resource group, and resource. Each scope level allows you to assign roles and permissions to users, groups, or applications based on the desired level of granularity and control. These scope levels enable organizations to effectively manage access to Azure resources by defining access permissions at different hierarchical levels. Let’s explore each of these scope levels in more detail.

[Figure: Azure RBAC scope hierarchy (management group, subscription, resource group, resource). Image source: Azure]
  1. Management Group Scope: At the highest level, Azure RBAC supports role assignments at the management group scope. Management groups allow you to organize and manage resources across multiple Azure subscriptions. By assigning a role at the management group scope, you apply the permissions to all the subscriptions and resources within that management group. This enables centralized access management and consistent control across multiple subscriptions. Management groups also support more complex, nested hierarchies. You can read more about management groups here.
  2. Subscription Scope: The subscription scope focuses on individual Azure subscriptions. Roles assigned at the subscription scope apply to all resources within that specific subscription. This scope allows you to control access to resources within a single subscription, granting permissions to users, groups, or applications for managing resources at that level.
  3. Resource Group Scope: Within a subscription, resource groups serve as logical containers for organizing and managing related resources. RBAC roles assigned at the resource group scope apply to all resources within that particular resource group. This allows you to define access control for a set of resources within a specific resource group, providing permissions to manage and operate those resources collectively.
  4. Resource Scope: The resource scope offers the most granular level of RBAC assignments. Roles assigned at the resource scope apply to a specific resource within a subscription, such as a virtual machine, storage account, or an individual Azure service. This scope allows you to grant permissions to users or applications for managing and interacting with that specific resource only.
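To make the scope inheritance described in the four levels above concrete, and the just-in-time expiry from the PIM section, here is an added, offline model of how Azure RBAC evaluates a role assignment. It is example code written for this article, not Azure's own authorization engine: the scope tree, the principals and the assignment expiry are constructed, the three role names are real built-in roles but their action lists are abridged, and the Actions/NotActions wildcard semantics follow the documented behaviour ('*' spans '/', matching is case-insensitive).

```python
from fnmatch import fnmatchcase
from datetime import datetime, timedelta, timezone

# Constructed scope tree: management group -> subscription -> resource group -> resource.
MG = "/providers/Microsoft.Management/managementGroups/mg-root"
SUB = "/subscriptions/sub-prod"
RG_WEB = SUB + "/resourceGroups/rg-web"
RG_DB = SUB + "/resourceGroups/rg-db"
VM = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/web01"
PARENT = {MG: None, SUB: MG, RG_WEB: SUB, RG_DB: SUB, VM: RG_WEB}

# Abridged copies of three built-in Azure roles (real names, shortened action lists).
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Virtual Machine Contributor": {"Actions": ["Microsoft.Compute/virtualMachines/*"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
}

T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)          # constructed "now"
AFTER_WINDOW = T0 + timedelta(hours=3)                         # after carol's activation lapses
# (principal, role, scope, expiry). expiry=None is a permanent assignment; a datetime
# models a PIM activation that is revoked automatically once the window has passed.
ASSIGNMENTS = [
    ("alice", "Reader", MG, None),
    ("bob", "Virtual Machine Contributor", RG_WEB, None),
    ("carol", "Contributor", SUB, T0 + timedelta(hours=2)),   # just-in-time, 2 h window
]

def ancestors(scope):
    """Yield scope, then each parent up to the root management group."""
    while scope is not None:
        yield scope
        scope = PARENT[scope]

def role_allows(role, action):
    """Allowed by some Actions pattern and not excluded by any NotActions pattern."""
    act = action.lower()
    match = lambda pats: any(fnmatchcase(act, p.lower()) for p in pats)
    return match(ROLES[role]["Actions"]) and not match(ROLES[role]["NotActions"])

def grants(action, scope, now):
    """Every (principal, role, scope it was inherited from) allowing `action` on `scope` at `now`.
    Walking the ancestors is what lets a management-group assignment reach a single VM."""
    out = []
    for s in ancestors(scope):
        for principal, role, assigned_at, expiry in ASSIGNMENTS:
            if assigned_at == s and (expiry is None or now < expiry) and role_allows(role, action):
                out.append((principal, role, s))
    return out

def is_allowed(principal, action, scope, now=T0):
    return any(p == principal for p, _, _ in grants(action, scope, now))

if __name__ == "__main__":
    for p, r, s in grants("Microsoft.Compute/virtualMachines/start/action", VM, T0):
        print(f"{p} can start web01 via {r!r} assigned at {s}")
```

`grants()` doubles as a small access-review query: for a given resource it answers who can perform an action and which higher-level assignment the permission was inherited from.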

Role assignment options

In Azure AD, there are multiple ways to assign roles to users based on your access requirements. The default method is to assign roles directly to individual users. Both built-in and custom Azure AD roles can be assigned to users, providing the necessary permissions for their designated responsibilities.

With Azure AD Premium P1, you have the capability to create role-assignable groups and assign roles to these groups. Assigning roles to groups offers the advantage of easy addition or removal of users from a role, ensuring consistent permissions for all group members. 

For advanced access management, Azure AD Premium P2 offers Azure AD Privileged Identity Management (PIM). This feature enables just-in-time access to roles, allowing you to grant time-limited access to users who require it, rather than providing permanent access. Azure AD PIM also provides detailed reporting and auditing capabilities. 

*Keep in mind that utilizing built-in roles in Azure AD comes at no additional cost. However, utilizing custom roles requires an Azure AD Premium P1 license for each user with a custom role assignment.

On top of the different options for role assignment, there are also multiple ways to assign roles and scopes in Azure RBAC, providing flexibility and options to suit different needs. The Azure portal offers a user-friendly interface that allows you to navigate to the desired resource, and assign roles or scopes to users, groups, or applications. This graphical interface simplifies the process of managing access permissions. Additionally, Azure PowerShell and Azure CLI (Command-Line Interface) provide command-line tools that enable automation and scripting for role assignments. With PowerShell cmdlets or CLI commands, you can programmatically assign roles and scopes, allowing for more streamlined and repeatable processes. Lastly, the Microsoft Graph API provides a RESTful interface that allows developers to integrate RBAC role assignment functionality into their custom applications and workflows. This approach offers programmatic control and customization over the role assignment process. Whether using the Azure portal, PowerShell, CLI, or the Microsoft Graph API, these various methods provide flexibility in assigning roles and scopes based on individual preferences and automation requirements.


Best practices

Least privilege

One of the fundamental best practices in access control is adhering to the principle of least privilege. This means granting administrators only the precise permissions they require to fulfill their responsibilities. When assigning a role to administrators, consider three key aspects: a specific set of permissions, a defined scope, and a specific duration. It is advisable to avoid assigning broad roles with wide scopes, even if it may seem more convenient initially. By limiting the roles and scopes, you minimize the potential impact on resources in case of a security breach. Azure RBAC offers a comprehensive range of over 65 built-in roles, including roles for managing directory objects such as users, groups, and applications, as well as roles for managing Microsoft 365 services like Exchange, SharePoint, and Intune. You can read more about built-in roles and their permissions here. If a built-in role doesn’t meet your specific requirements, you have the option to create custom roles to tailor access permissions accordingly.

Just-in-time access (PIM)

An effective approach to implementing the principle of least privilege is to utilize Azure AD Privileged Identity Management (PIM) for granting just-in-time access to administrators. PIM allows you to provide temporary access to privileged roles for a specific duration. Microsoft strongly recommends enabling PIM in Azure AD to enhance security. With PIM, users can become eligible members of an Azure AD role and activate that role for a limited time when necessary. Once the timeframe expires, privileged access is automatically revoked. PIM settings can also be configured to require approval or trigger notification emails when a role assignment is activated. These notifications serve as alerts when new users are added to highly privileged roles, ensuring better control and oversight of access privileges. By leveraging Azure AD Privileged Identity Management, organizations can reduce the potential risks associated with long-term privileged access and enhance overall security posture.

MFA

Multi-Factor Authentication (MFA) adds an additional layer of protection by requiring users to provide multiple forms of authentication, such as a password and a verification code sent to a mobile device, before accessing Azure resources. This significantly enhances security by mitigating the risk of unauthorized access, even in the event of compromised credentials. Enforcing MFA for RBAC ensures that user identities are verified through multiple factors, making it significantly more difficult for attackers to gain unauthorized access to sensitive resources. By implementing MFA, organizations can greatly enhance their overall security posture, reducing the likelihood of successful authentication attacks and protecting valuable assets and data. It is essential to incorporate MFA as a fundamental security control when configuring Azure RBAC to strengthen access security and safeguard against emerging threats. 

Access review

Regularly auditing administrators’ access is crucial for organizations for several reasons. First, it helps mitigate the risk of a compromised account by promptly detecting any unauthorized access or suspicious activity. By identifying potential security breaches early, organizations can take immediate action to protect their systems and data. Second, auditing is essential when managing transitions within a company. As individuals move between teams or roles, auditing ensures that access privileges are adjusted accordingly, preventing the accumulation of unnecessary access rights over time. By conducting access reviews and regular audits, organizations can maintain a secure and controlled environment, ensuring that only authorized individuals have continued access to resources.

Limit the number of Global Administrators 

Microsoft strongly advises assigning the Global Administrator role to a limited number of individuals in your organization, preferably fewer than five. Global Administrators have significant administrative privileges and serve as gatekeepers to critical system settings. It is crucial to minimize the attack surface by restricting the number of Global Administrators. As mentioned earlier, it is essential to apply multi-factor authentication (MFA) to all Global Administrator accounts to enhance their security.

When a user signs up for a Microsoft cloud service, they are automatically assigned the Global Administrator role within the Azure AD tenant. Global Administrators possess extensive read and modify permissions for administrative settings within Azure AD, and with a few exceptions, they can also manage configuration settings within Microsoft 365. Additionally, Global Administrators can elevate their access to read data when necessary.

To ensure emergency access, Microsoft recommends maintaining two “break glass” accounts permanently assigned to the Global Administrator role. These “break glass” accounts should be excluded from phone-based MFA, and they should be closely monitored and validated regularly. In terms of storing the credentials, organizations employ various authentication methods based on their specific needs. For Windows Server AD, some customers utilize smartcards, while others opt for a FIDO2 security key for Azure AD. Additionally, passwords continue to be commonly used. In the case of an emergency access account, it is common practice to divide the password into two or three parts, each written on a separate piece of paper. These pieces of paper are stored in secure, fireproof safes located in separate secure locations. This approach enhances the security of emergency access and ensures that access to critical systems can be obtained securely when necessary.

Use groups instead

To simplify role assignment management, it is recommended to assign roles to groups rather than directly to individual users. By assigning roles to groups, the number of role assignments is minimized, making it easier to manage access permissions. It is important to note that Azure has limitations on the total number of role assignments per subscription.


Reference

https://learn.microsoft.com/en-us/azure/governance/management-groups/overview

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

https://learn.microsoft.com/en-us/azure/active-directory/roles/best-practices

https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access

https://learn.microsoft.com/en-us/azure/role-based-access-control/scope-overview

https://learn.microsoft.com/en-us/azure/active-directory/roles/assign-roles-different-scopes

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
