Azure Identity Premier Fast Start

Azure Identity Premier Fast Start Optional Module

Azure Role-Based Access Control

Terminology list (abbreviations and acronyms used in this module):
- AD: Active Directory Domain Services
- SQL: Structured Query Language
- API: Application Programming Interface

What Is RBAC?

In computer systems security, role-based access control (RBAC) is an approach to restricting system access to authorized users.

Microsoft Azure RBAC
- The capability to control access to cloud resources between employees at the resource level, and which actions they can perform.
- The subscription is no longer the access management boundary.
- Access is granted to users and groups.
- Supported in the Azure Preview Portal only.
- To enforce RBAC, the user must not be granted co-administrator of the subscription in the current management portal: a co-administrator has full access to every resource in the subscription, which bypasses any finer-grained role assignment.

RBAC was a highly requested feature and was eventually added to Azure. Previously, employees got access to resources only at the subscription level. For many organizations that was not enough, because a single subscription can be a huge environment in which more granular access control is needed.

For more information, see: http://weblogs.asp.net/scottgu/azure-sql-databases-api-management-media-services-websites-role-based-access-control-and-more

Before RBAC

Basic Azure administrative roles (work on both the current and the preview portal):

- Account Administrator (one per Azure account): authorized to access the Account Center (create subscriptions, cancel subscriptions, change billing for a subscription, change the Service Administrator, etc.). For more information, see: https://account.windowsazure.com/Home/Index
- Service Administrator (one per Azure subscription): authorized to access the Azure Management Portal for all subscriptions in the account. By default, the same as the Account Administrator when a subscription is created. For more information, see: https://manage.windowsazure.com/
- Co-administrator (up to 200 per subscription, in addition to the Service Administrator): the same as the Service Administrator, but cannot change the association of subscriptions to Azure directories.

Crucial differences between the Service Administrator and co-administrators:
- Co-administrators cannot delete the Service Administrator from the Azure Management Portal. Only the Account Administrator can change this assignment, at the Account Center.
- The Service Administrator is the only user authorized to change a subscription's association with a directory in the Azure Management Portal.

For more information on managing accounts, subscriptions, and administrative roles, see: https://msdn.microsoft.com/en-us/library/azure/hh531793.aspx

RBAC and Azure Active Directory

RBAC depends on Azure Active Directory to provide authentication and authorization.

[Diagram: Users, Groups and Service Principals in Azure Active Directory authenticate and are authorized against a Subscription, its Resource Groups (RG) and Resources (R); Azure resources live inside resource groups.]

Every Azure subscription is associated with an Azure Active Directory. Users and services that access resources of the subscription through the Microsoft Azure Management Portal or the Azure Resource Manager API first need to authenticate with that Azure Active Directory.

Azure role-based access control (RBAC) allows you to grant appropriate access to Azure AD users, groups, and services by assigning roles to them at the subscription, resource group, or individual resource level. The assigned role defines the level of access that the users, groups, or services have on the Azure resource. Because RBAC depends on Azure Active Directory, you can create users or groups in Azure AD and grant them granular access to resource groups or individual resources.

External users with Microsoft accounts (formerly Live ID) can also be granted access, although we recommend creating those users in Azure AD and using those accounts instead of individual Microsoft accounts.

Basic Definitions

- Role: a collection of actions that can be performed on Azure resources. A user or a service is allowed to perform an action on an Azure resource if they have been assigned a role that contains that action. For a list of built-in roles and their Actions and NotActions properties, see: http://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/
- Role Assignment: the process of assigning a role to a security principal on an Azure resource. Access is granted to Azure AD users and services by assigning the appropriate role to them on an Azure resource. Roles can be assigned to a resource group or to an individual resource directly. The first option scales better, because the idea of resource groups is to gather resources that belong to a particular application or environment, and a group of individuals generally manages these resources. For more information on using the Azure Preview Portal to manage your Azure resources, see: http://azure.microsoft.com/en-us/documentation/articles/resource-group-portal
- Azure AD Security Principals: users (organizational and external), groups, and service principals.
- Resources: user-managed entities, such as virtual machines, websites, databases, etc.
- Resource Group: a lifecycle boundary for the resources contained in it.

Scope and Access Inheritance

[Diagram: a Subscription containing Resource Groups (RG) and Resources (R), with example resource groups for a Virtual Machine and a Cloud Service. Access granted at a higher level is inherited by the items below it.]

Roles can be assigned at three levels:
- Subscription
- Resource Groups
- Resources

If a role is assigned at a higher level, the assignment flows through inheritance to all child items. It is not mandatory to assign roles at the subscription level to get access to a specific resource; access can be granted where it is required. If a user, group, or service is granted access only to a resource group within a subscription, they will be able to access only that resource group and the resources within it, and not the other resource groups in the subscription. As another example, a security group can be added to the Reader role for a resource group and to the Contributor role for a database within that resource group: members can then read everything in the group but modify only that database.

Note that not every resource is yet available in the preview portal, and not every service supports RBAC. In those cases, the user will need to be granted co-administrator rights at the subscription level in the current management portal, which gives them full access to every resource in the subscription rather than only the one they need.

Basic Process for Adding Access

1. Create the user in Azure AD.
2. Grant the user read access at the subscription level.
3. Browse to the resource or resource group and add a role to it.
4. Add the user to the role.

For more information, see: http://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/#add-access

Built-in Roles

Basic built-in roles (created with the first preview). In total, there are 21 roles. For details, see the built-in roles section at: http://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/

- Owner: can perform all management operations for a resource and its child resources, including access management.
- Contributor: can perform all management operations for a resource, including creating and deleting resources. A Contributor cannot grant access to others.
- Reader: has read-only access to a resource and its child resources. A Reader cannot read secrets.

For more information, see: http://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/#api-management-service-contributor
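The three ideas in the preceding slides (a role as a set of Actions minus NotActions, inheritance of an assignment from subscription to resource group to resource, and the Owner/Contributor/Reader split) can be checked end to end with a small evaluator. The following is an added example written for this page, not code from the original deck or from Azure itself: the role definitions are simplified versions of the built-in roles (the real Contributor NotActions list is longer), the subscription ID, principals, group membership and resource IDs are constructed sample data, and the authorization logic is a toy model of how Azure Resource Manager evaluates a request (additive assignments, wildcard action matching, scope prefix inheritance), not the service's actual code.

```python
"""Toy evaluator for Azure RBAC role assignments and scope inheritance.

Added example, not from the original slides. ROLES are simplified
built-in definitions; every scope, principal and group below is
constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Simplified built-in role definitions: Actions grant, NotActions subtract.
ROLES: dict[str, dict[str, list[str]]] = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        # A Contributor manages resources but cannot grant access to others.
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete"],
    },
    # Reader matches only read operations; key-listing operations are POST
    # 'action's, which is why a Reader cannot read secrets.
    "Reader": {"actions": ["*/read"], "not_actions": []},
}


@dataclass(frozen=True)
class Assignment:
    principal: str  # user UPN or group name (constructed sample values)
    role: str       # key into ROLES
    scope: str      # subscription, resource group or resource ID


def action_matches(pattern: str, action: str) -> bool:
    """Azure-style wildcard match: '*' spans '/' and names are case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment at a parent scope is inherited by every child scope."""
    parent = assignment_scope.rstrip("/").lower()
    child = target_scope.rstrip("/").lower()
    return child == parent or child.startswith(parent + "/")


def role_permits(role: str, action: str) -> bool:
    """NotActions are subtracted within one role definition only."""
    definition = ROLES[role]
    if not any(action_matches(p, action) for p in definition["actions"]):
        return False
    return not any(action_matches(p, action) for p in definition["not_actions"])


def is_allowed(principal: str, groups: dict[str, set[str]],
               assignments: list[Assignment], action: str,
               target_scope: str) -> bool:
    """True if any assignment to the principal, or to a group it belongs to,
    covers the target scope (directly or by inheritance) with a role that
    permits the action. Assignments are purely additive: there is no deny."""
    identities = {principal, *groups.get(principal, set())}
    return any(
        a.principal in identities
        and scope_covers(a.scope, target_scope)
        and role_permits(a.role, action)
        for a in assignments
    )


# Constructed sample scopes (placeholder subscription ID).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
TESTDB_RG = SUB + "/resourceGroups/TestDB"
OTHER_RG = SUB + "/resourceGroups/OtherApp"
DB1 = TESTDB_RG + "/providers/Microsoft.Sql/servers/srv1/databases/db1"
VM1 = TESTDB_RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = OTHER_RG + "/providers/Microsoft.Compute/virtualMachines/vm2"
STORAGE = TESTDB_RG + "/providers/Microsoft.Storage/storageAccounts/st1"

# Constructed sample directory: one user in one security group.
GROUPS = {"alice@contoso.example": {"DB-Team"}}
ASSIGNMENTS = [
    Assignment("DB-Team", "Reader", TESTDB_RG),       # group reads the whole RG
    Assignment("DB-Team", "Contributor", DB1),        # ...and manages one database
    Assignment("bob@contoso.example", "Owner", SUB),  # subscription-wide owner
]


def alice_can(action: str, scope: str) -> bool:
    return is_allowed("alice@contoso.example", GROUPS, ASSIGNMENTS, action, scope)


if __name__ == "__main__":
    checks = [
        ("Microsoft.Compute/virtualMachines/read", VM1),         # inherited Reader
        ("Microsoft.Compute/virtualMachines/write", VM1),        # Reader only
        ("Microsoft.Sql/servers/databases/write", DB1),          # Contributor on db1
        ("Microsoft.Storage/storageAccounts/listKeys/action", STORAGE),  # a secret
        ("Microsoft.Authorization/roleAssignments/write", DB1),  # Contributor NotAction
        ("Microsoft.Compute/virtualMachines/read", VM2),         # other resource group
    ]
    for action, scope in checks:
        print(f"{alice_can(action, scope)!s:5}  {action} @ {scope.split('/')[-1]}")
```

Running the block prints one line per check for the sample user: reads on vm1 succeed through the Reader assignment inherited from the TestDB resource group, writes on db1 succeed through the Contributor assignment on that one database, and everything else (a write on vm1, listing storage keys, creating a role assignment, any access in OtherApp) is denied. The same evaluator shows why the slides insist on not making RBAC users co-administrators: an Owner at subscription scope, like bob here, is covered on every scope below it.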

Limiting External Users

Add or remove access for an external user. The Configure tab of a directory includes options to control access for external users. These options can be changed only in the UI (there is no Windows PowerShell or API method), in the full Azure portal, by a directory global administrator. To open the Configure tab in the Azure portal, click Active Directory, and then click the name of the directory.

By default, guests cannot enumerate the contents of the directory, so they do not see any users or groups in the Member List. They can search for a user by typing the user's full email address, and then grant access. The default restrictions for guests are:
- They cannot enumerate users and groups in the directory.
- They can see limited details of a user if they know the user's email address.
- They can see limited details of a group if they know the group name.

The ability for guests to see limited details of a user or group allows them to invite other people and see some details of the people they are collaborating with.

Let us step through the process of adding access for an external user. We will add an external user to the same Reader role on the TestDB resource group, so that the user can help debug an error: open the resource group blade, click Reader > Add > Invite, and type the email address of the user you want to add.

Full Scenario

In a full scenario, on-premises Active Directory is synchronized to Azure Active Directory, which can be shared between Microsoft Office 365 and Azure subscriptions. Within Azure AD, software as a service (SaaS) applications can be assigned to users, and from the Azure Preview Portal access roles can be added on specific subscriptions, resource groups, and resources.

For more information, see:
- Azure: SQL Databases, API Management, Media Services, Websites, Role-Based Access Control, etc.: http://weblogs.asp.net/scottgu/azure-sql-databases-api-management-media-services-websites-role-based-access-control-and-more
- Role-based access control in the Microsoft Azure portal: http://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/
- Using the Azure Preview Portal to manage your Azure resources: http://azure.microsoft.com/en-us/documentation/articles/resource-group-portal/
- Manage Accounts, Subscriptions, and Administrative Roles: https://msdn.microsoft.com/en-us/library/azure/hh531793.aspx