4/15/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Role-Based Access Control for Azure (CDP-B213)
Speaker: Dushyant Gill
Question: Do you consider finer-grained access management for Azure a critical requirement?
Question: Have you used the Azure preview portal?
Question: Do you know what Azure Active Directory is?
Adoption of IaaS/PaaS in Organizations
[Diagram: cloud subscriptions owned by consumer, non-IT-managed identities (Owner = ellen@outlook.com, Owner = aaron@hotmail.com, Owner = xyz@gmail.com, Owner = xyz@yahoo.com) and shared with external accounts such as partner@yahoo.com and prospectivecustomer@live.com, while the organization's IT-managed identities (ellen@company.com, aaron@company.com) live in on-premises Active Directory.]
Access to Azure and the rest of the cloud: powered by Azure AD
[Diagram: users and groups sync from on-premises Active Directory (ellen@company.com, aaron@company.com) into Azure Active Directory, which holds roles and role assignments. Subscription owners are now IT-managed identities (Owner = ellen@company.com, Owner = aaron@company.com, replacing the ellen@outlook.com and aaron@hotmail.com owners of the previous slide); external users such as joe@partner.com and prospectivecustomer@live.com are granted access through the directory. Azure AD fronts Microsoft Azure IaaS/PaaS, Microsoft Online Services, 2000+ pre-integrated SaaS apps, and the company's in-house developed cloud apps.]
Demo: Azure RBAC in action (Dushyant Gill)
Azure RBAC: First Preview Release
- 3 built-in roles (Owner, Contributor and Reader), assignable to users, groups and services at Azure scopes: subscription, resource group and resource.
- Access management using the Azure preview portal, command line tools, and the REST API for bulk operations.
- In the new RBAC model the existing subscription administrators and co-admins become 'Owners' of the subscription.
Roles and Role Assignments
A role is a collection of actions. A role assignment binds a role to a subject (users, groups or a service identity) at a scope (directory, subscription, resource group or resource). NotActions are subtracted from a role's Actions.

Role             Actions                                       NotActions
Owner            *
Contributor      *                                             Microsoft.Authorization/*
Reader           */Read
SQL Contributor  Microsoft.SQL/*
Tier 1 Operator  */Read + Microsoft.Compute/VirtualMachine/*
Access Inheritance and Resource Hierarchy
[Diagram: resource hierarchy Subscription (S) > Resource Group (RG) > Resource (R), with three role assignments: Role = 'Reader', Subject = AAD Group, Scope = Subscription; Role = 'Contributor', Scope = Resource Group; Role = 'Owner', Subject = AAD User, Scope = Resource. Access inherits down the hierarchy: an assignment at a parent scope applies at every child scope beneath it.]
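The three slides above (built-in roles, Actions/NotActions, and scope inheritance) describe an access-check evaluation that is easy to get subtly wrong, so here is an added Python model of it. This is example code written for this page, not the Azure Access Check SDK or any Microsoft code; the role definitions follow the slide, while the subscription, resource group, VM ids, user and group ids and the action strings are constructed placeholders in the shape Azure uses.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    """A role is a collection of actions; NotActions are subtracted from Actions."""
    name: str
    actions: tuple
    not_actions: tuple = ()


@dataclass(frozen=True)
class RoleAssignment:
    """Binds a role to a subject (user, group or service identity) at a scope."""
    role: Role
    subject: str   # object id of the user, group or service principal
    scope: str     # resource id path of a subscription, resource group or resource


# Roles as listed on the slide; action strings follow Azure's
# "Provider/resourceType/operation" shape (constructed examples).
OWNER = Role("Owner", ("*",))
CONTRIBUTOR = Role("Contributor", ("*",), ("Microsoft.Authorization/*",))
READER = Role("Reader", ("*/read",))
SQL_CONTRIBUTOR = Role("SQL Contributor", ("Microsoft.SQL/*",))
TIER1_OPERATOR = Role("Tier 1 Operator", ("*/read", "Microsoft.Compute/virtualMachines/*"))


def action_matches(pattern: str, action: str) -> bool:
    """Case-insensitive wildcard match; '*' spans '/' segments, as in Azure actions."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_permits(role: Role, action: str) -> bool:
    """Granted only if some Actions pattern matches AND no NotActions pattern matches."""
    granted = any(action_matches(p, action) for p in role.actions)
    excluded = any(action_matches(p, action) for p in role.not_actions)
    return granted and not excluded


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """Access inherits downward: an assignment covers its own scope and every child scope.

    The trailing '/' keeps '/resourceGroups/app-rg' from covering '/resourceGroups/app-rg2'.
    """
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def check_access(assignments, principal_ids, action, target_scope):
    """Return the name of the first role granting `action` at `target_scope`, else None.

    `principal_ids` is the caller's own object id plus every group id in its token,
    so an assignment made to a group applies to each of its members.
    """
    for ra in assignments:
        if (ra.subject in principal_ids
                and scope_covers(ra.scope, target_scope)
                and role_permits(ra.role, action)):
            return ra.role.name
    return None


# Constructed scenario mirroring the inheritance slide: Reader for a group at the
# subscription, Contributor for the same group at one resource group, Owner for a
# single user at one VM. All ids are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
APP_RG = SUB + "/resourceGroups/app-rg"
WEB_VM = APP_RG + "/providers/Microsoft.Compute/virtualMachines/web01"
OTHER_VM = SUB + "/resourceGroups/other-rg/providers/Microsoft.Compute/virtualMachines/db01"

ELLENS_TEAM = "group-0001"
JOE = "user-0042"
ASSIGNMENTS = (
    RoleAssignment(READER, ELLENS_TEAM, SUB),
    RoleAssignment(CONTRIBUTOR, ELLENS_TEAM, APP_RG),
    RoleAssignment(OWNER, JOE, WEB_VM),
)
JOE_PRINCIPALS = {JOE, ELLENS_TEAM}   # Joe's token would carry his oid plus his group ids

if __name__ == "__main__":
    for action, scope in (
        ("Microsoft.Compute/virtualMachines/read", OTHER_VM),
        ("Microsoft.Compute/virtualMachines/start/action", OTHER_VM),
        ("Microsoft.Compute/virtualMachines/start/action", WEB_VM),
        ("Microsoft.Authorization/roleAssignments/write", APP_RG),
        ("Microsoft.Authorization/roleAssignments/write", WEB_VM),
    ):
        print(action, "@", scope.rsplit("/", 1)[-1], "->",
              check_access(ASSIGNMENTS, JOE_PRINCIPALS, action, scope))
```

The run shows why Contributor's single NotActions entry matters: Joe can start the VM in app-rg through the group's Contributor assignment, but cannot write role assignments there, and only gains that at the one VM where he is Owner. The same evaluation also shows that a Reader assignment at the subscription reaches a VM in a resource group that has no assignment of its own.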
Azure AD Authorization Platform
[Diagram: users and groups sync from Active Directory into Azure Active Directory, which stores roles and role assignments and syncs them to the closest geo location. The Azure preview portal and APIs (Azure Resource Manager) receive a token with group membership claims and call the Access Check SDK, which reasons over Policy and Audit data.]
Demo: Access Management (Dushyant Gill)
RBAC & Azure Resource Manager
[Diagram: Azure Active Directory holds roles & role assignments; Azure Resource Manager exposes them through the RBAC resource provider (RBAC RP) and publishes access changes as Azure Events through the Events resource provider (Events RP).]
Demo: Access Change History - RBAC and Events RP (Dushyant Gill)
Integrate your app's access with AAD groups

Using AAD Groups Directly
1. Ellen (resource owner) grants access to an AAD group 'Ellen's Team'. The app renders a "people picker" using the AAD Graph API and persists the group objectId in its "permissions table".
2. Joe (member of 'Ellen's Team') accesses the resource. The token contains a groups claim; the app checks access by comparing the groups claim values with the persisted objectIds.
3. Sam (member of 'Ellen's Team') accesses the resource. The token contains an overage claim; the app queries the AAD Graph API for the user's groups and checks access by comparing them with the persisted objectIds.

Using AAD App Roles
1. App developer publishes App Roles in AAD: App Roles = "Publisher", "Subscriber".
2. Customer admin assigns App Roles to users, groups and client applications: Kim -> "Publisher", Ellen's Team -> "Subscriber".
3. Kim accesses the resource. The token contains a roles claim (roles="Publisher"); the app checks access using "IsInRole".
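The two flows on this slide, including the overage case that a groups-based check must handle, written out as an added Python example (not code from the session, from Azure AD, or from any Microsoft library). The claim names `groups`, `roles`, `oid`, `_claim_names` and `_claim_sources` are the ones Azure AD JWTs carry; the permissions table, the objectIds, the Graph stand-in, the endpoint string and the token contents are constructed placeholders. It assumes the token's signature, issuer and audience have already been validated before any claim is trusted.

```python
# Constructed permissions table: resource id -> set of group objectIds granted access.
# Group objectIds are persisted rather than display names, as the slide describes.
ELLENS_TEAM_ID = "a1b2c3d4-0000-0000-0000-000000000001"   # placeholder objectId
PERMISSIONS_TABLE = {"doc-42": {ELLENS_TEAM_ID}}


class FakeGraph:
    """Stand-in for the AAD Graph API getMemberObjects call used in the overage case."""

    def __init__(self, memberships):
        self.memberships = memberships   # oid -> list of group objectIds (constructed)
        self.calls = 0

    def member_groups(self, oid):
        self.calls += 1
        return list(self.memberships.get(oid, []))


def resolve_groups(claims: dict, graph) -> set:
    """Group objectIds of the signed-in user.

    Normal case: the token carries a 'groups' claim. Overage case: the user is in
    too many groups to list in the token, so AAD omits 'groups' and emits
    '_claim_names'/'_claim_sources' pointing at the Graph; the app must then ask
    the Graph for memberships using the 'oid' taken from the validated token.
    """
    if "groups" in claims:
        return set(claims["groups"])
    if "groups" in claims.get("_claim_names", {}):
        return set(graph.member_groups(claims["oid"]))
    return set()


def can_access_by_group(claims: dict, resource_id: str, graph) -> bool:
    """'Using AAD Groups Directly': intersect the caller's groups with the persisted objectIds."""
    allowed = PERMISSIONS_TABLE.get(resource_id, set())
    return bool(resolve_groups(claims, graph) & allowed)


def is_in_role(claims: dict, role_name: str) -> bool:
    """'Using AAD App Roles': the roles claim already reflects the admin's app role assignments."""
    return role_name in claims.get("roles", [])


# Constructed claim sets for the users on the slide (as they would look after validation).
JOE_CLAIMS = {"oid": "joe-oid", "groups": [ELLENS_TEAM_ID, "some-other-group-id"]}
SAM_CLAIMS = {
    "oid": "sam-oid",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        "src1": {"endpoint": "https://graph.windows.net/<tenant>/users/sam-oid/getMemberObjects"}
    },
}
KIM_CLAIMS = {"oid": "kim-oid", "roles": ["Publisher"]}
OUTSIDER_CLAIMS = {"oid": "x-oid", "groups": ["unrelated-group-id"]}

if __name__ == "__main__":
    graph = FakeGraph({"sam-oid": [ELLENS_TEAM_ID, "another-group-id"]})
    for name, claims in (("Joe", JOE_CLAIMS), ("Sam", SAM_CLAIMS), ("Outsider", OUTSIDER_CLAIMS)):
        print(name, "doc-42 via groups:", can_access_by_group(claims, "doc-42", graph))
    print("Graph calls made:", graph.calls)   # only Sam's overage token needs a lookup
    print("Kim is Publisher:", is_in_role(KIM_CLAIMS, "Publisher"),
          "| Kim is Subscriber:", is_in_role(KIM_CLAIMS, "Subscriber"))
```

Two design points carried by this shape: the overage lookup is keyed on the `oid` from the validated token, never on a group list supplied by the client, and the table stores objectIds so that a renamed or re-created group cannot silently inherit access. The app-roles path needs no Graph call at all, which is the operational reason the slide offers it as the alternative.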
What's ahead
- Custom Roles
- Access Change History
- Reporting over Policy and Audit
- Just-in-Time Access
- Conditional Access
- Resource tag based Access Control
- User attribute based Access Control
- Available to 3rd Party Applications
- Separation of Duties
For more information
- Windows Server Technical Preview: http://technet.microsoft.com/library/dn765472.aspx
- System Center Technical Preview: http://technet.microsoft.com/en-us/library/hh546785.aspx
- Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack
- Microsoft Azure: http://azure.microsoft.com/en-us/
Come visit us in the Microsoft Solutions Experience (MSE)! Look for the Cloud and Datacenter Platform area, TechExpo Hall 7.
Resources
- Sessions on Demand: http://channel9.msdn.com/Events/TechEd
- Learning (Microsoft Certification & Training Resources): www.microsoft.com/learning
- TechNet (Resources for IT Professionals): http://microsoft.com/technet
- Developer Network: http://developer.microsoft.com
Azure Exams
- Exam 532: Developing Microsoft Azure Solutions
- Exam 533: Implementing Microsoft Azure Infrastructure Solutions
- Exam 534 (coming soon): Architecting Microsoft Azure Solutions
http://bit.ly/Azure-Cert
Classroom training
- MOC 10979 (coming soon): Microsoft Azure Fundamentals
- MOC 20532: Developing Microsoft Azure Solutions
- MOC 20533: Implementing Microsoft Azure Infrastructure Solutions
http://bit.ly/Azure-Train
Online training
- Microsoft Azure Fundamentals (MVA, coming soon)
- Architecting Microsoft Azure Solutions (MVA, coming soon)
http://bit.ly/Azure-MVA
Get certified for 1/2 the price at TechEd Europe 2014! http://bit.ly/TechEd-CertDeal
Please Complete An Evaluation Form
Your input is important!
- TechEd Mobile app (phone or tablet)
- QR code
- TechEd Schedule Builder (CommNet station or PC)
Evaluate this session