azure:az-104_2024:identity_and_access_management

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
azure:az-104_2024:identity_and_access_management [2024/10/16 13:49] mmuzeazure:az-104_2024:identity_and_access_management [2025/11/29 17:48] (current) mmuze
Line 11: Line 11:
       * Expiration policies are only supported for dynamic groups.       * Expiration policies are only supported for dynamic groups.
   * <color :#fff200>Entra ID Security groups do not support expiration policies.</color>   * <color :#fff200>Entra ID Security groups do not support expiration policies.</color>
 +  * <color :#fff200>There is an option for Groups that allows roles to be assigned to them. This setting can only be set when the group is created and cannot be changed later.</color>
 +    * Using this feature requires a Microsoft Entra ID P1/P2 license.
  
 ====== Azure Organization/Structure/Scoping ====== ====== Azure Organization/Structure/Scoping ======
Line 117: Line 119:
   * Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the Usage location for all members. You can set this value in Microsoft Entra by going to Identity > Users > All users > select a user > Properties.   * Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the Usage location for all members. You can set this value in Microsoft Entra by going to Identity > Users > All users > select a user > Properties.
   * When you assign licenses to a group or you make bulk updates, such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the tenant.   * When you assign licenses to a group or you make bulk updates, such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the tenant.
 +
 +====== Global Admin Elevated Access ======
 +  * [[https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin]]
 +  * As a Global Administrator in Microsoft Entra ID, you might not have access to all subscriptions and management groups in your directory.
 +   * There is a setting on the Entra Id tenant/directory that allows a Global Admin to <color :#fff200>"manage access to all Azure subscriptions and management groups in this tenant."</color> This allows the user to assign themselves and others roles to access resources.
 +   * This setting gives the user the User Access Administrator role for the root scope that is inherited by all management groups/subscriptions.
 +   * Although it's a per-user settings it is enabled from the tenant blade, not the user properties blade.
 +   * Also, it results in an Azure role being assigned to the user, not a Entra Id/Administrative role being assigned. <color :#fff200>So, it might seem a little counterintuitive for the role to get assigned from tenant blade, but this a special case of bootstrapping the ability to assign RBAC roles.</color>
 +
 +====== Multi-factor Authentication (MFA) ======
 +  * Conditional Access based MFA is also call Per-Authentication MFA in contrast to Per-User MFA.
 +
 +====== Conditional Access ======
 +  * [[https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview]]
  
  • azure/az-104_2024/identity_and_access_management.1729086543.txt.gz
  • Last modified: 2024/10/16 13:49
  • by mmuze