Let’s get to know about Azure Active Directory — II
Tharala Madhusanka
May 10 · 4 min read
When it comes to an organization, its employee hierarchy plays a vital role, as it defines how the organization is structured; it predefines the role of employees within the organization and also pre-sets the nature of the relationship that employees will share with each other. It defines the responsibilities and permissions of each employee, and also what can and cannot be done in each role. When it comes to cloud services, the same concept is introduced.
So in this article I expect to discuss the different roles introduced in Azure Active Directory (AAD). Instead of directly jumping into AAD roles, I thought to discuss the other roles in Azure too, in brief. There are different services in Azure, and a service can be considered as a collection of features, so there should be a way to decide ‘what features for what users’. Thus the ‘roles’ come into the picture.
So let’s start to dig more into these ‘roles’.
Q1. What are the categories of roles in Azure Environment?
There are mainly 3 categories of roles to be found in Azure:
* Classic subscription administrator roles
* Azure roles (RBAC roles)
* Azure Active Directory roles
In the early days of Azure, Microsoft introduced these classic subscription administrator roles. Later, Microsoft introduced the Role Based Access Control (RBAC) role model, and thus Azure roles. Both the classic subscription administrator roles and the Azure RBAC roles are related to Azure billing or subscriptions. These users are authorized to manage the services in the Azure portal, so these administrators can be called ‘Subscription Administrators’.
Next there is a separate, unique set of administrators, the ‘Active Directory Administrators’, who manage the services inside Azure Active Directory.
The following illustration shows the main categories and fundamental roles in Azure.
(Illustration: Azure roles hierarchy)
Q2. Differentiate Azure Subscription Administrator and Active Directory Administrator.
* Azure Subscription Administrator — These users are authorized to manage the services in the Azure portal. They are tied entirely to a particular subscription and are unrelated to Azure Active Directory. They can manage resources using the Azure portal, Azure Resource Manager APIs, and the classic deployment model APIs.
* Azure Active Directory Administrator — These roles exist inside Azure Active Directory and are fully authorized to manage the services inside the directory, such as managing users, groups, etc.
Q3. What are the roles in Azure Classic Subscription?

| Classic subscription administrator role | Limit | Permissions | Notes |
|---|---|---|---|
| Account Administrator | 1 per Azure account | Access the Azure Account Center; manage all subscriptions in an account; create new subscriptions; cancel subscriptions; change the billing for a subscription; change the Service Administrator | Conceptually, the billing owner of the subscription. The Account Administrator has no access to the Azure portal. |
| Service Administrator | 1 per Azure subscription | Manage services in the Azure portal; cancel the subscription; assign users to the Co-Administrator role | By default, for a new subscription, the Account Administrator is also the Service Administrator. The Service Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope. The Service Administrator has full access to the Azure portal. |
| Co-Administrator | 200 per subscription | Same access privileges as the Service Administrator, but can’t change the association of subscriptions to Azure directories; assign users to the Co-Administrator role, but cannot change the Service Administrator | The Co-Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope. |

(Table: Classic Subscription Roles)
Q4. What are the Azure (RBAC) roles?

| Role | Permissions | Notes |
|---|---|---|
| Owner | Full access to all resources; delegate access to others | The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope. Applies to all resource types. |
| Contributor | Create and manage all types of Azure resources; create a new tenant in Azure Active Directory; cannot grant access to others | Applies to all resource types |
| Reader | View Azure resources | Applies to all resource types |
| User Access Administrator | Manage user access to Azure resources | |

(Table: Azure Roles)
Q5. What are the Azure Active Directory Roles (AAD Roles)?

| Role | Permissions | Notes |
|---|---|---|
| Global Administrator | Manage access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory; assign administrator roles to others; reset the password for any user and all other administrators | The person who signs up for the Azure Active Directory tenant becomes a Global Administrator. |
| User Administrator | Create and manage all aspects of users and groups; manage support tickets; monitor service health; change passwords for users, Helpdesk administrators, and other User Administrators | |
| Billing Administrator | Make purchases; manage subscriptions; manage support tickets; monitor service health | |
| User Access Administrator | Manage user access to Azure resources | |

(Table: AAD Roles)
Q6. Compare Azure Roles & Azure Active Directory Roles.

| Azure roles | Azure AD roles |
|---|---|
| Manage access to Azure resources | Manage access to Azure Active Directory resources |
| Supports custom roles | Supports custom roles |
| Scope can be specified at multiple levels (management group, subscription, resource group, resource) | Scope is at the tenant level |
| Role information can be accessed in the Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API | Role information can be accessed in the Azure admin portal, Microsoft 365 admin center, Microsoft Graph, AzureAD PowerShell |

Source — Microsoft
Q7. Can ‘Global admin manage Azure Subscriptions and Management Groups’?
By default, the Global Administrator doesn’t have access to Azure resources. However, if a Global Administrator elevates their access by choosing the ‘Global admin can manage Azure Subscriptions and Management Groups’ switch in the Azure portal, the Global Administrator will be granted the User Access Administrator role (an Azure role) on all subscriptions for a particular tenant.
(Screenshot: Enable Global Subscription Access, the ‘Access management for Azure resources’ switch in the Azure portal)
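As an added example (not code from the original article), the following Python script shows the defender's side of Q6 and Q7: it classifies Azure RBAC role assignments by the scope levels listed in the comparison table, and it flags any principal holding User Access Administrator at the root scope "/", which is the assignment the elevation switch creates (Microsoft's documentation states the elevation is granted at root scope, so a leftover root-scope assignment is the thing to look for after a Global Administrator has finished their task). The records are constructed to mimic the fields returned by `az role assignment list --all` (principalName, principalType, roleDefinitionName, scope); the principal names and subscription IDs are made up.

```python
"""Audit Azure RBAC role assignments for root-scope elevation.

Added example, not code from the original article. It assumes records shaped
like the JSON that `az role assignment list --all` returns (fields
principalName, principalType, roleDefinitionName, scope). The sample records
below are constructed for the demonstration.
"""
import re

# Constructed sample, mimicking `az role assignment list --all` output.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "User Access Administrator", "scope": "/"},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalName": "ops-team", "principalType": "Group",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/prod-rg"},
    {"principalName": "build-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/prod-rg"
              "/providers/Microsoft.Storage/storageAccounts/prodlogs"},
    {"principalName": "platform-admins", "principalType": "Group",
     "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/corp-root"},
]

# Scope patterns for the levels named in the Q6 table.
_MG = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.IGNORECASE)
_SUB = re.compile(r"^/subscriptions/[^/]+$", re.IGNORECASE)
_RG = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.IGNORECASE)


def scope_level(scope):
    """Classify an Azure RBAC scope string into root / management group /
    subscription / resource group / resource."""
    if scope == "/":
        return "root"
    if _MG.match(scope):
        return "management group"
    if _SUB.match(scope):
        return "subscription"
    if _RG.match(scope):
        return "resource group"
    if scope.lower().startswith("/subscriptions/"):
        return "resource"
    return "unknown"


def find_root_elevations(assignments):
    """Return, sorted, the principals holding User Access Administrator at
    root scope ("/"). That is exactly what the Global admin elevation switch
    grants, so every entry here should match a deliberate, time-boxed
    elevation; anything else is an audit finding."""
    return sorted(
        a["principalName"] for a in assignments
        if a["scope"] == "/" and a["roleDefinitionName"] == "User Access Administrator"
    )


def summarize_by_level(assignments):
    """Count assignments per scope level, to see how widely rights are spread."""
    counts = {}
    for a in assignments:
        level = scope_level(a["scope"])
        counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    print("Root-scope User Access Administrators:",
          find_root_elevations(SAMPLE_ASSIGNMENTS))
    for level, n in sorted(summarize_by_level(SAMPLE_ASSIGNMENTS).items()):
        print(f"{level:>17}: {n}")
```

In practice you would feed the script the JSON from `az role assignment list --all` instead of the constructed list; the root-scope check is the one to schedule, because removing the elevation again is a separate manual step that is easy to forget.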
So guys, that’s all regarding the AAD roles and Azure roles. The expectation of this article was to discuss AAD roles and the concepts around them. As a note, I have to say:
Do NOT blend Azure roles & Azure Active Directory roles.
Readers, if you gained something, clap, comment & share. Not only that, I really value your comments; ask if you have any questions, and correct me if I am wrong on something. In the next article I hope to discuss how to create AAD in the Azure Portal and the architecture behind it. So keep in touch.
Until then,
Let’s Learn...
References
1. https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles?context=azure/active-directory/users-groups-roles/context/ugr-context
2. https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
3. https://blog.nillsf.com/index.php/2019/09/29/how-to-allow-users-to-create-service-principals-and-the-impact-on-managed-identity/