Design a role-based access control strategy

Role-Based Access Control (RBAC) allows access to resources to be managed at scale.

  • Groups allow access rights to be defined once for a set of users
  • Roles define a set of permissions that can be assigned to a user or group
  • RBAC and claims work well together: an identity provider issues role claims to relying parties, which use them to verify the user's role assignments
  • Multi-factor authentication, i.e. combining something you are, something you know and something you have

Azure supports 3 tiers of access rights assignment:

  • Subscription
  • Resource Group
  • Resource

There are 3 built-in roles that can be assigned, in addition to more complex role assignments:

  • Owner – full control (assigned to subscription admins and co-admins)
  • Contributor – all operations excluding access management
  • Reader – can view resources only

External users, e.g. a user in another Azure AD, can also be granted access rights to resources where required.
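The scope tiers and built-in roles above combine in one simple way: a role assigned at a scope applies to everything beneath it, and a principal's effective permissions are the union of every assignment that reaches the scope being checked, either directly or through group membership. The model below is an added illustration written for these notes, not Azure's own code: the role definitions are a simplified subset of the real action lists, the scope paths and principal names are constructed, and the subscription id is a placeholder.

```python
"""Toy model of Azure RBAC scope inheritance (added example, not Azure's implementation).

Scopes are path-like strings: subscription -> resource group -> resource.
An assignment at a scope applies to that scope and every scope beneath it.
"""
from dataclasses import dataclass

# Simplified action sets for the three built-in roles (assumption: not the real,
# much longer action lists). Contributor deliberately lacks access management.
ROLE_ACTIONS = {
    "Owner": {"read", "write", "delete", "roleAssignments/write"},
    "Contributor": {"read", "write", "delete"},
    "Reader": {"read"},
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user or group name (object id in a real tenant)
    role: str
    scope: str


def scope_contains(parent: str, child: str) -> bool:
    """True if child is the parent scope itself or lies beneath it."""
    return child == parent or child.startswith(parent.rstrip("/") + "/")


def effective_actions(principal, groups, assignments, scope):
    """Union of actions granted by every assignment that reaches `scope`,
    made to the principal directly or to one of its groups."""
    identities = {principal, *groups}
    actions = set()
    for a in assignments:
        if a.principal in identities and scope_contains(a.scope, scope):
            actions |= ROLE_ACTIONS.get(a.role, set())
    return actions


def is_allowed(principal, groups, assignments, scope, action):
    """Deny by default: allowed only if some reaching assignment grants the action."""
    return action in effective_actions(principal, groups, assignments, scope)


# Constructed sample hierarchy; the subscription id is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-web"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"

ASSIGNMENTS = [
    RoleAssignment("alice", "Owner", SUB),          # subscription tier
    RoleAssignment("ops-team", "Contributor", RG),  # resource group tier, via a group
    RoleAssignment("bob", "Reader", VM),            # resource tier
]

if __name__ == "__main__":
    for who, grp, scope, action in [
        ("alice", set(), VM, "roleAssignments/write"),
        ("carol", {"ops-team"}, VM, "write"),
        ("carol", {"ops-team"}, VM, "roleAssignments/write"),
        ("bob", set(), VM, "read"),
        ("bob", set(), RG, "read"),
    ]:
        print(f"{who:6} {action:22} at {scope.split('/')[-1]:8} -> "
              f"{is_allowed(who, grp, ASSIGNMENTS, scope, action)}")
```

Two points the output makes concrete: a Contributor at the resource group can change the VM but cannot grant anyone access to it, and a Reader assigned on a single resource sees nothing one level up, because inheritance only flows downward.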

Self-service password reset is available with Azure AD Basic and Premium and supports the following options.

  • Users Enabled For Password Reset
  • Restrict Access To Password Reset (only permitted for a group of users)
  • Authentication Methods Available To Users (challenges permitted for reset)
  • Number of Authentication Methods Required (1 or 2)

Self-service group management, available in Azure AD Premium, allows users to manage group membership and request to join groups.

The Azure AD Access Panel provides a web portal from which users reach the SaaS applications an AD administrator has configured. Federation and SSO simplify user access. Application login credentials can be stored by the administrator so that users sign in to an application without ever being given those credentials. Access rights can then be assigned and revoked easily, without the risk that a departing user leaves with a working credential.

Cloud App Discovery tracks usage of SaaS services by collecting data via an agent deployed to enterprise devices.

The Azure AD Registration Service allows personal devices to use Workplace Join to join an Azure AD domain and access resources.

Azure AD provides audit reports showing activity including user and group role assignment changes and password resets.
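The two activity classes these audit reports cover, role assignment changes and password resets, are exactly the events an operations team should be filtering for rather than reading in bulk. The script below is an added example written for these notes; the JSON-lines record shape and every value in it are constructed for illustration and are not the real report schema.

```python
"""Filter a constructed Azure AD-style audit export for role assignment changes
and password resets (added example; record shape is an assumption, not the
real report schema)."""
import json
from collections import Counter

# Constructed sample export: one JSON object per line, contoso.example is a placeholder tenant.
SAMPLE_AUDIT_JSONL = """\
{"time": "2016-05-01T08:12:00Z", "activity": "Add member to role", "actor": "admin@contoso.example", "target": "alice@contoso.example", "role": "Reader"}
{"time": "2016-05-01T08:15:00Z", "activity": "Reset password (self-service)", "actor": "bob@contoso.example", "target": "bob@contoso.example", "methods": 2}
{"time": "2016-05-01T23:40:00Z", "activity": "Add member to role", "actor": "svc-build@contoso.example", "target": "svc-build@contoso.example", "role": "Owner"}
{"time": "2016-05-02T09:05:00Z", "activity": "Remove member from role", "actor": "admin@contoso.example", "target": "carol@contoso.example", "role": "Contributor"}
{"time": "2016-05-02T09:30:00Z", "activity": "Reset password (admin)", "actor": "helpdesk@contoso.example", "target": "dave@contoso.example"}
"""

ROLE_CHANGE_ACTIVITIES = {"Add member to role", "Remove member from role"}
PRIVILEGED_ROLES = {"Owner"}  # the built-in role with full control, including access management


def parse_audit(text):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def role_changes(records):
    return [r for r in records if r["activity"] in ROLE_CHANGE_ACTIVITIES]


def password_resets(records):
    return [r for r in records if r["activity"].startswith("Reset password")]


def suspicious_role_grants(records):
    """Grants worth a second look: a privileged role being granted, or a
    principal granting a role to itself. Returns (time, target, role, reasons)."""
    findings = []
    for r in role_changes(records):
        if r["activity"] != "Add member to role":
            continue
        reasons = []
        if r.get("role") in PRIVILEGED_ROLES:
            reasons.append("privileged role granted")
        if r["actor"] == r["target"]:
            reasons.append("self-assignment")
        if reasons:
            findings.append((r["time"], r["target"], r["role"], reasons))
    return findings


def resets_per_actor(records):
    """How many resets each actor performed; a spike from one helpdesk account stands out."""
    return Counter(r["actor"] for r in password_resets(records))


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT_JSONL)
    print(f"{len(role_changes(recs))} role changes, {len(password_resets(recs))} password resets")
    for t, target, role, why in suspicious_role_grants(recs):
        print(f"{t} {target} granted {role}: {', '.join(why)}")
    print(dict(resets_per_actor(recs)))
```

Only the Owner grant that a service account made to itself is flagged; the routine Reader grant and the Contributor removal are kept in the role-change listing but raise nothing. On a real export the same two-stage approach applies: narrow to the activity class first, then apply the judgement rules.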
