azure:az-104_2024:identity_and_access_management

Differences

This shows you the differences between two versions of the page.

azure:az-104_2024:identity_and_access_management [2024/10/11 19:08] – [Azure Roles] mmuze
azure:az-104_2024:identity_and_access_management [2025/11/29 17:48] (current) mmuze
Line 11: Line 11:
       * Expiration policies are only supported for dynamic groups.       * Expiration policies are only supported for dynamic groups.
   * <color :#fff200>Entra ID Security groups do not support expiration policies.</color>   * <color :#fff200>Entra ID Security groups do not support expiration policies.</color>
 +  * <color :#fff200>There is an option for Groups that allows roles to be assigned to them. This setting can only be set when the group is created and cannot be changed later.</color>
 +    * Using this feature requires a Microsoft Entra ID P1/P2 license.
  
 ====== Azure Organization/Structure/Scoping ====== ====== Azure Organization/Structure/Scoping ======
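Review bot: the new role-assignable group bullet in this hunk records the "set only at creation" restriction and the P1/P2 license requirement but leaves out the consequence that matters for access review: once roles are assigned to such a group, anyone who can add members to it is effectively granting those roles, so the bullet should also state which group types can be created with this option and who is permitted to manage their membership. Minor style point: the license requirement is a sub-bullet of a color-highlighted item while the highlight closes before it; either keep both lines highlighted or neither, as done for the expiration-policy bullets just above.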
Line 56: Line 58:
   * Examples of Entra ID roles:   * Examples of Entra ID roles:
     * Global Admin     * Global Admin
 +      * When you create a new Microsoft Entra tenant, you are automatically assigned the Global Administrator role
     * Application Admin     * Application Admin
     * Application Developer     * Application Developer
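Review bot: the new sub-bullet under Global Admin is missing its terminal period, and it says "Global Administrator role" while the parent bullet and the rest of the examples list use "Global Admin"; pick one form so the list reads consistently. It would also help to add a clause that this automatically granted role is the one the elevated-access section later in this change builds on, since that is the reason the account that created the tenant deserves the closest review.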
Line 112: Line 115:
   * Devices: Attributes like device type, operating system, serial number, etc.   * Devices: Attributes like device type, operating system, serial number, etc.
   * Service Principals: Attributes like display name, description, application ID, etc.   * Service Principals: Attributes like display name, description, application ID, etc.
 +
 +====== Licensing ======
 +  * Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the Usage location for all members. You can set this value in Microsoft Entra by going to Identity > Users > All users > select a user > Properties.
 +  * When you assign licenses to a group or you make bulk updates, such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the tenant.
 +
 +====== Global Admin Elevated Access ======
 +  * [[https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin]]
 +  * As a Global Administrator in Microsoft Entra ID, you might not have access to all subscriptions and management groups in your directory.
 +   * There is a setting on the Entra Id tenant/directory that allows a Global Admin to <color :#fff200>"manage access to all Azure subscriptions and management groups in this tenant."</color> This allows the user to assign themselves and others roles to access resources.
 +   * This setting gives the user the User Access Administrator role for the root scope that is inherited by all management groups/subscriptions.
 +   * Although it's a per-user settings it is enabled from the tenant blade, not the user properties blade.
 +   * Also, it results in an Azure role being assigned to the user, not a Entra Id/Administrative role being assigned. <color :#fff200>So, it might seem a little counterintuitive for the role to get assigned from tenant blade, but this a special case of bootstrapping the ability to assign RBAC roles.</color>
 +
 +====== Multi-factor Authentication (MFA) ======
 +  * Conditional Access based MFA is also call Per-Authentication MFA in contrast to Per-User MFA.
 +
 +====== Conditional Access ======
 +  * [[https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview]]
 +
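Review bot: the Global Admin Elevated Access section states that the tenant toggle grants User Access Administrator at the root scope, inherited by every management group and subscription, but it does not say whether or how that grant is removed afterwards; since the last bullet describes it as a bootstrapping step, add a bullet that the setting is expected to be turned off again once the intended RBAC assignments are made, otherwise the root-scope role stays on the account. Wording fixes in the same hunk: "Entra Id" should be "Entra ID" to match the rest of the page; "Although it's a per-user settings" should read "Although it is a per-user setting"; "a Entra Id/Administrative role" should be "an Entra ID administrator role"; "but this a special case" is missing "is"; and under MFA, "is also call Per-Authentication MFA" should be "is also called Per-Authentication MFA".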
  • azure/az-104_2024/identity_and_access_management.1728673706.txt.gz
  • Last modified: 2024/10/11 19:08
  • by mmuze