Let's get to know about Azure Active Directory — II

Tharala Madhusanka · May 10 · 4 min read

When it comes to an organization, its employee hierarchy plays a vital role: it defines how the organization is structured, it predefines the role of each employee within the organization, and it sets the nature of the relationships employees share with each other. It defines the responsibilities and permissions of each employee, and what can and cannot be done in each role.

The same concept carries over to cloud services. In this article I discuss the different roles introduced in Azure Active Directory (AAD). Instead of jumping directly into AAD roles, I also briefly cover the other kinds of roles in Azure.

There are different services in Azure, and a service can be considered a collection of features, so there has to be a way to decide "what features for what users". That is where roles come into the picture. So let's dig into these roles.

Q1. What are the categories of roles in the Azure environment?

There are mainly 3 categories of roles in Azure:

* Classic subscription administrator roles
* Azure roles (RBAC roles)
* Azure Active Directory roles

In the early days of Azure, Microsoft introduced the classic subscription administrator roles. Later, Microsoft introduced the Role Based Access Control (RBAC) model, and with it the Azure roles. Both the classic subscription administrator roles and the Azure RBAC roles are related to Azure billing or subscriptions. Users holding them are authorized to manage the services in the Azure portal, so these administrators can be called "Subscription Administrators". Next, there is a separate set of administrators, the "Active Directory Administrators", who manage the services inside Azure Active Directory.

The following illustration shows the main categories and fundamental roles in Azure.
[Figure: Azure roles hierarchy]

Q2. Differentiate Azure Subscription Administrator and Active Directory Administrator.

* Azure Subscription Administrator: These users are authorized to manage the services in the Azure portal. These roles are tied to a particular subscription and are not related to Azure Active Directory. They can manage resources using the Azure portal, Azure Resource Manager APIs, and the classic deployment model APIs.
* Azure Active Directory Administrator: These roles exist inside Azure Active Directory and are authorized to manage the services inside the directory, such as managing users, groups, etc.

Q3. What are the roles in Azure Classic Subscription?

| Role | Limit | Permissions | Description |
| --- | --- | --- | --- |
| Account Administrator | 1 per Azure account | Access the Azure Account Center; manage all subscriptions in an account; create new subscriptions; cancel subscriptions; change the billing for a subscription; change the Service Administrator | Conceptually, the billing owner of the subscription. The Account Administrator has no access to the Azure portal. |
| Service Administrator | 1 per Azure subscription | Manage services in the Azure portal; cancel the subscription; assign users to the Co-Administrator role | By default, for a new subscription, the Account Administrator is also the Service Administrator. The Service Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope. The Service Administrator has full access to the Azure portal. |
| Co-Administrator | 200 per subscription | Same access privileges as the Service Administrator, but can't change the association of subscriptions to Azure directories; assign users to the Co-Administrator role, but cannot change the Service Administrator | The Co-Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope. |

Table: Classic Subscription Roles

Q4. What are the Azure (RBAC) roles?
| Role | Permission | Note |
| --- | --- | --- |
| Owner | Full access to all resources; delegate access to others | The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope. Applies to all resource types. |
| Contributor | Create and manage all types of Azure resources; create a new tenant in Azure Active Directory; cannot grant access to others | Applies to all resource types. |
| Reader | View Azure resources | Applies to all resource types. |
| User Access Administrator | Manage user access to Azure resources | |

Table: Azure Roles

Q5. What are the Azure Active Directory Roles (AAD Roles)?

| Role | Permission | Note |
| --- | --- | --- |
| Global Administrator | Manage access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory; assign administrator roles to others; reset the password for any user and all other administrators | The person who signs up for the Azure Active Directory tenant becomes a Global Administrator. |
| User Administrator | Create and manage all aspects of users and groups; manage support tickets; monitor service health; change passwords for users, Helpdesk administrators, and other User Administrators | |
| Billing Administrator | Make purchases; manage subscriptions; manage support tickets; monitor service health | |
| User Access Administrator | Manage user access to Azure resources | |

Table: AAD Roles

Q6. Compare Azure Roles & Azure Active Directory Roles.

| Azure roles | Azure AD roles |
| --- | --- |
| Manage access to Azure resources | Manage access to Azure Active Directory resources |
| Supports custom roles | Supports custom roles |
| Scope can be specified at multiple levels (management group, subscription, resource group, resource) | Scope is at the tenant level |
| Role information can be accessed in the Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API | Role information can be accessed in the Azure admin portal, Microsoft 365 admin center, Microsoft Graph, AzureAD PowerShell |

Source: Microsoft

Q7. Can "Global admin manage Azure Subscriptions and Management Groups"?
By default, the Global Administrator doesn't have access to Azure resources. However, if a Global Administrator elevates their access by choosing the "Global admin can manage Azure Subscriptions and Management Groups" switch in the Azure portal, the Global Administrator will be granted the User Access Administrator role (an Azure role) on all subscriptions for a particular tenant.

[Figure: Enable Global Subscription Access]

So guys, that's all regarding the AAD roles and Azure roles. The aim of this article was to discuss AAD roles and the concepts around them. As a note, I have to say: do NOT blend Azure roles and Azure Active Directory roles.

Readers, if you gained something, clap, comment and share. I really value your comments, so ask if you have any questions and correct me if I am wrong about something. In the next article I hope to discuss how to create an AAD in the Azure portal and the architecture behind it. So keep in touch. Until then, let's learn...

References

1. https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles?context=azure/active-directory/users-groups-roles/context/ugr-context
2. https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
3. https://blog.nillsf.com/index.php/2019/09/29/how-to-allow-users-to-create-service-principals-and-the-impact-on-managed-identity/
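The scope levels compared in Q6 and the elevation described in Q7 can be audited together. The following is an added example, not code from the original article: it classifies the scope of each Azure role assignment and flags the User Access Administrator assignment at the root scope `/`, which is where elevated access is recorded. It assumes records shaped like the JSON output of `az role assignment list --all`; every principal name, ID and resource name below is constructed.

```python
# Constructed sample: field names follow Azure CLI role-assignment output,
# all principals, IDs and resource names are made up for illustration.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE = [
    {"principalName": "alice@contoso.example",
     "roleDefinitionName": "User Access Administrator", "scope": "/"},
    {"principalName": "bob@contoso.example",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "ci-deployer",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "carol@contoso.example",
     "roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-root"},
    {"principalName": "dave@contoso.example",
     "roleDefinitionName": "User Access Administrator",
     "scope": SUB + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stlogs"},
]

CAN_GRANT = {"Owner", "User Access Administrator"}  # Azure roles that can delegate access
BROAD = {"root", "management group", "subscription"}

def scope_level(scope):
    """Map an Azure scope string to the level it names (case-insensitive)."""
    parts = [p.lower() for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[0] == "providers" and len(parts) >= 4 and parts[2] == "managementgroups":
        return "management group"
    if parts[0] == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2] == "resourcegroups":
            return "resource group"
        return "resource"
    return "unknown"

def audit(assignments):
    """Return (principal, role, level, finding) tuples for assignments to review."""
    findings = []
    for a in assignments:
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        if role == "User Access Administrator" and level == "root":
            findings.append((a["principalName"], role, level, "elevated access at root scope"))
        elif role in CAN_GRANT and level in BROAD:
            findings.append((a["principalName"], role, level, "can grant access at broad scope"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A root-scope finding means the elevation switch was used and the assignment has not been removed since; the narrowly scoped assignments (resource group, resource) are not reported.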
