Multiple role assignments

  • Azure RBAC is an additive model: your effective permissions at a scope are the union of every role assignment that applies there, including assignments inherited from parent scopes (management group, subscription, resource group).
  • Ex: A user is granted the Contributor role at subscription scope and the Reader role on a resource group inside that subscription. Contributor is inherited by the resource group and already includes everything Reader grants, so the effective permission on the resource group is Contributor and the Reader assignment adds nothing. A narrower assignment can never reduce what a broader one grants.
  • Guiding principle: because permissions only ever add up, grant roles that carry write permissions at the narrowest scope that needs them (resource group or resource rather than subscription), and keep broad-scope assignments read-only where possible.
Deny Assignments

  • Azure RBAC was originally allow-only. Azure now supports deny assignments in a limited way: you cannot create them yourself; they are created and managed by Azure on behalf of Azure Blueprints to protect resources a blueprint deployed. A deny assignment takes precedence over any role assignment, so a principal can hold Owner and still be blocked from a denied action.

How Azure RBAC determines if user has access to a resource

  1. The user acquires a token for Azure Resource Manager (ARM).
  2. The user makes a REST API call to ARM with the token attached.
  3. ARM retrieves all the role assignments and deny assignments that apply to the resource, including those inherited from parent scopes.
  4. ARM narrows the role assignments down to those that apply to the user (directly or through group membership) and determines which roles the user holds for this resource.
  5. ARM checks whether the action in the API call is included in the Actions of any of those roles and not excluded by that role's NotActions.
  6. If no role grants the action, access is denied. If one does, ARM then checks the deny assignments: if one applies to this user, resource and action, access is blocked; otherwise the call is allowed.
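The following is an added worked example, not Azure's own code, that simulates the evaluation order above on the Contributor-plus-Reader scenario from the "Multiple role assignments" section and on a deny assignment like the ones Blueprints produce. The principal names, subscription ID, resource IDs, abbreviated role definitions and deny assignment are all constructed sample data; ARM semantics modelled are scope inheritance, additive roles, NotActions subtracting from Actions, and deny assignments checked last.

```python
"""Simulation of the Azure RBAC evaluation order in the notes above.

Added example, not Azure's own code. Principal IDs, resource IDs and the
abbreviated role definitions are constructed sample data. ARM semantics
modelled: assignments inherit down the scope hierarchy, roles are additive,
NotActions subtract from a role's Actions, deny assignments are checked last.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple            # permitted action patterns; '*' is the ARM wildcard
    not_actions: tuple = ()   # subtracted from actions (a restriction, not a deny)


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str
    role: RoleDefinition
    scope: str                # ARM ID of a subscription, resource group or resource


@dataclass(frozen=True)
class DenyAssignment:
    principal_ids: tuple
    scope: str
    actions: tuple
    not_actions: tuple = ()


def action_matches(pattern: str, action: str) -> bool:
    """Action strings are case-insensitive; '*' matches any run of characters."""
    return fnmatchcase(action.lower(), pattern.lower())


def scope_applies(assignment_scope: str, resource_id: str) -> bool:
    """An assignment at a scope covers that scope and everything beneath it."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def role_permits(role: RoleDefinition, action: str) -> bool:
    if any(action_matches(p, action) for p in role.not_actions):
        return False
    return any(action_matches(p, action) for p in role.actions)


def check_access(principal_id, action, resource_id, role_assignments, deny_assignments):
    """Return (allowed, reason) following steps 3-6 of the notes."""
    # Steps 3-4: assignments whose scope contains the resource, narrowed to the principal
    mine = [ra for ra in role_assignments
            if ra.principal_id == principal_id and scope_applies(ra.scope, resource_id)]
    # Step 5: additive model - any held role that grants the action is sufficient
    granting = [ra for ra in mine if role_permits(ra.role, action)]
    if not granting:
        return False, "no role assignment grants the action"
    # Step 6: deny assignments are evaluated last and override any role assignment
    for da in deny_assignments:
        if principal_id not in da.principal_ids or not scope_applies(da.scope, resource_id):
            continue
        if (any(action_matches(p, action) for p in da.actions)
                and not any(action_matches(p, action) for p in da.not_actions)):
            return False, f"blocked by deny assignment at {da.scope}"
    return True, "allowed by " + ", ".join(sorted({ra.role.name for ra in granting}))


# Constructed sample data. Contributor's NotActions are abbreviated; the real
# built-in definition lists more.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm01"
OTHER_VM = SUB + "/resourceGroups/rg-other/providers/Microsoft.Compute/virtualMachines/vm02"

CONTRIBUTOR = RoleDefinition("Contributor", actions=("*",), not_actions=(
    "Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/elevateAccess/Action"))
READER = RoleDefinition("Reader", actions=("*/read",))

ROLE_ASSIGNMENTS = (
    RoleAssignment("alice", CONTRIBUTOR, SUB),  # the scenario from the notes:
    RoleAssignment("alice", READER, RG),        # Contributor at subscription, Reader on RG
    RoleAssignment("bob", READER, RG),
)
# Stands in for the kind of deny assignment a Blueprint resource lock produces;
# it cannot be created by hand in a real tenant.
DENY_ASSIGNMENTS = (DenyAssignment(principal_ids=("alice",), scope=RG, actions=("*/delete",)),)


if __name__ == "__main__":
    for who, act, res in [("alice", "Microsoft.Compute/virtualMachines/write", VM),
                          ("alice", "Microsoft.Compute/virtualMachines/delete", VM),
                          ("alice", "Microsoft.Authorization/roleAssignments/write", VM),
                          ("bob", "Microsoft.Compute/virtualMachines/write", VM)]:
        print(who, act, check_access(who, act, res, ROLE_ASSIGNMENTS, DENY_ASSIGNMENTS))
```

Running it shows the three points the notes make: alice can write the VM through the subscription-level Contributor (the Reader assignment on the resource group changes nothing), her Contributor role still cannot write role assignments because of NotActions, and the deny assignment blocks her delete on rg-app even though Contributor would otherwise allow it, while the same delete on rg-other, outside the deny's scope, goes through.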

Azure Policy

  • Azure Policy is used to enforce organizational standards and assess compliance at scale.
  • Azure Policy evaluates Azure resources by comparing resource properties to business rules. These rules are written in JSON as Azure Policy definitions.
  • Azure ships with a large set of built-in policy definitions.
  • Custom Azure Policy definitions are created using the policy definition JSON structure documented here.
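To make the "compare resource properties to JSON rules" idea concrete, here is an added example, not Azure's policy engine, of a small evaluator for the policy definition structure. The two definitions are constructed and only shaped like the built-in "Allowed locations" and "Secure transfer to storage accounts should be enabled" policies (both simplified); the resources are constructed too. It supports the subset of the policyRule language those definitions use: field conditions (equals, notEquals, in, notIn, exists), the logical operators allOf, anyOf and not, and "[parameters('name')]" references. Alias resolution is an assumption: an alias written as "<resourceType>/<path>" is looked up under the resource's properties block.

```python
"""Mini evaluator for Azure Policy definition JSON (added example, not Azure's engine).

Covers the subset of the policyRule language used by the constructed definitions
below. Alias lookup is simplified: "<resourceType>/<path>" reads from "properties".
"""
import json
import re

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
_MISSING = object()  # sentinel: the field is absent on the resource

# Constructed definitions, shaped like (and simplified from) two built-in policies.
ALLOWED_LOCATIONS = json.loads("""{
  "properties": {
    "displayName": "Allowed locations", "mode": "Indexed",
    "parameters": {"allowedLocations": {"type": "Array", "defaultValue": ["westeurope", "northeurope"]}},
    "policyRule": {"if": {"field": "location", "notIn": "[parameters('allowedLocations')]"},
                   "then": {"effect": "deny"}}
  }
}""")

STORAGE_HTTPS_ONLY = json.loads("""{
  "properties": {
    "displayName": "Storage accounts must require secure transfer", "mode": "Indexed",
    "parameters": {},
    "policyRule": {
      "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"anyOf": [
          {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false"},
          {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false"}]}]},
      "then": {"effect": "audit"}}
  }
}""")


def _resolve(value, parameters):
    """Replace a "[parameters('x')]" string with the assigned parameter value."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    return parameters[m.group(1)] if m else value


def _norm(value):
    """String comparisons are case-insensitive; booleans compare as 'true'/'false'."""
    if isinstance(value, bool):
        return str(value).lower()
    return value.lower() if isinstance(value, str) else value


def _field_value(resource, field):
    if field in ("name", "type", "location", "kind"):
        return resource.get(field, _MISSING)
    prefix = resource.get("type", "") + "/"
    if not field.lower().startswith(prefix.lower()):
        return _MISSING  # alias for another resource type never matches
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("/"):  # simplified alias walk (assumption)
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def evaluate_condition(cond, resource, parameters):
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, parameters) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, parameters) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, parameters)
    actual = _field_value(resource, cond["field"])
    if "exists" in cond:
        want = str(_resolve(cond["exists"], parameters)).lower() == "true"
        return (actual is not _MISSING) == want
    a = _norm(None if actual is _MISSING else actual)
    if "equals" in cond:
        return a == _norm(_resolve(cond["equals"], parameters))
    if "notEquals" in cond:
        return a != _norm(_resolve(cond["notEquals"], parameters))
    if "in" in cond:
        return a in [_norm(v) for v in _resolve(cond["in"], parameters)]
    if "notIn" in cond:
        return a not in [_norm(v) for v in _resolve(cond["notIn"], parameters)]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, resource, parameter_values=None):
    """Return the effect that fires ('deny', 'audit', ...) or 'compliant'."""
    props = definition["properties"]
    params = {n: spec.get("defaultValue") for n, spec in props.get("parameters", {}).items()}
    params.update(parameter_values or {})  # values supplied at assignment time
    rule = props["policyRule"]
    return rule["then"]["effect"].lower() if evaluate_condition(rule["if"], resource, params) else "compliant"


# Constructed resources in the shape Azure Policy evaluates them.
RESOURCES = {
    "stlegacy01": {"name": "stlegacy01", "type": "Microsoft.Storage/storageAccounts",
                   "location": "westeurope", "properties": {"supportsHttpsTrafficOnly": False}},
    "stsecure01": {"name": "stsecure01", "type": "Microsoft.Storage/storageAccounts",
                   "location": "westeurope", "properties": {"supportsHttpsTrafficOnly": True}},
    "stunset01": {"name": "stunset01", "type": "Microsoft.Storage/storageAccounts",
                  "location": "northeurope", "properties": {}},
    "vm01": {"name": "vm01", "type": "Microsoft.Compute/virtualMachines", "location": "eastus", "properties": {}},
}

if __name__ == "__main__":
    for name, res in RESOURCES.items():
        print(name, evaluate(ALLOWED_LOCATIONS, res), evaluate(STORAGE_HTTPS_ONLY, res))
```

The two definitions illustrate the two effects you meet most: "deny" rejects the deployment of vm01 in eastus outright, while "audit" only flags stlegacy01 (secure transfer explicitly off) and stunset01 (property never set) as non-compliant. Passing a different allowedLocations value to evaluate() mirrors overriding the parameter when the policy is assigned.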

Azure Policy Assignment

  1. Launch Azure Policy from All services

Azure Management Groups

  • When an organization has many subscriptions, it needs an effective way to manage access, policies and compliance across all of them. Azure management groups provide a level of scope above subscriptions: role assignments and policy assignments made at a management group are inherited by every subscription beneath it.

Next Steps

  1. Azure AD & ADFS (next Saturday & Sunday)
  2. Azure Compute

