Differences

azure:azure_iam [2025/04/03 18:44] mmuzeazure:azure_iam [2025/10/02 20:52] (current) – [Working With Roles] mmuze
Line 1: Line 1:
 ====== Azure IAM ====== ====== Azure IAM ======
 +
 +  * [[Microsoft Entra]]
 +  * [[microsoft:Privileged Access Management]]
 +
   * //AzureAD// vs. //AzureRM// roles   * //AzureAD// vs. //AzureRM// roles
  
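Review bot: the two new links are not qualified the same way: `[[microsoft:Privileged Access Management]]` names its namespace, while `[[Microsoft Entra]]` has none and therefore resolves relative to the current `azure:` namespace, which is unlikely to be where a Microsoft Entra page lives; if it belongs beside the PAM page, write it as `[[microsoft:Microsoft Entra]]`. Minor: the unchanged bullet `//AzureAD// vs. //AzureRM// roles` still uses the old product name while the rest of this revision switches to Entra ID.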
Line 7: Line 11:
   * [[https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task|Least privileged role for certain tasks]]   * [[https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task|Least privileged role for certain tasks]]
   * [[azure:Lighthouse]]   * [[azure:Lighthouse]]
 +  * [[https://docs.azure.cn/en-us/entra/identity/role-based-access-control/best-practices|Entra Role Best Practices]]
  
-====== Azure Administrator Roles (Azure AD Roles) vs. Azure Roles (Azure RBAC Roles) ======+====== Azure Administrator Roles (Entra ID Roles) vs. Azure Roles (Azure RBAC Roles) ======
   * Entra roles/directory (scope) roles, administrator roles   * Entra roles/directory (scope) roles, administrator roles
-  * Azure roles, Azure RBAC roles, Azure resource manager roles+  * Azure roles, Azure RBAC roles, Azure resource roles 
 +  * There are some built-in roles for Entra ID and Azure that have the same name, for example, //Reader// and //Security Reader//.
  
 ====== Tenant/Root Managment Group Level Access ====== ====== Tenant/Root Managment Group Level Access ======
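Review bot: the new bullet about same-named built-in roles is the important caveat in this hunk and should say explicitly that they are separate role definitions with separate scopes: the Entra role acts on the directory and the Azure RBAC role on Azure resources (as the two bullets above it describe), so assigning one grants nothing in the other's scope, and a request for "the Reader role" has to say which one is meant. Minor: the added best-practices link points at the Azure China mirror (docs.azure.cn) while every other link on the page uses learn.microsoft.com, and the unchanged heading still reads "Managment".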
Line 31: Line 37:
   * To assign a user, group or service principle a role the scope is specified. The scope can be at the level of Management Group, Subscription, Resource Group, or Resource.   * To assign a user, group or service principle a role the scope is specified. The scope can be at the level of Management Group, Subscription, Resource Group, or Resource.
 {{:azure:scope-levels.png|}} {{:azure:scope-levels.png|}}
 +  * Control plane actions can have a Management Group scope, but data plane actions cannot. Data plan actions can be at the subscription level.
 +  * Example of a control plane action is, ''Microsoft.Storage/storageAccounts/listKeys/action''.
 +  * Example of a data plane action is, ''Microsoft.KeyVault/vaults/keys/get/action''
 +
 +====== Service Accounts ======
 +Microsoft’s guidance is to avoid using regular user accounts as service accounts when possible. Instead:
 +  * Use App Registrations + Service Principals with client secret or certificate auth.
 +  * Use Managed Identities if the service runs in Azure, so you don’t manage credentials at all.
  
 ====== Security Principles ====== ====== Security Principles ======
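Review bot: the control-plane example `Microsoft.Storage/storageAccounts/listKeys/action` needs a sentence of warning beside it: it is a control-plane action, yet what it returns is a data-plane credential (the storage account keys), so a role that holds it reaches the data plane even though it carries no DataActions. It would also help to say that the two planes appear in a role definition as `Actions` and `DataActions`, which is how a reader tells them apart. Typo: "Data plan actions" should be "Data plane actions". In the Service Accounts bullets, the trade-off behind "you don't manage credentials at all" is that client secrets and certificates expire and must be rotated while managed identities need neither; stating that makes the recommendation concrete.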
Line 54: Line 68:
 ====== Conditional Access ====== ====== Conditional Access ======
   * [[https://github.com/aollivierre/ConditionalAccess]], Baseline Conditional Access Policies   * [[https://github.com/aollivierre/ConditionalAccess]], Baseline Conditional Access Policies
- 
-====== App Registrations/Enterprise Applications ====== 
  
 ====== To Explore ====== ====== To Explore ======
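Review bot: removing the empty "App Registrations/Enterprise Applications" heading is fine since it had no body, but the topic now lives in the Service Accounts section added in this revision; linking the [[azure:service_principles|Service Principles]] page already listed under Related from that section's first bullet would replace what this heading used to promise.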
Line 61: Line 73:
   * [[https://idpowertoys.merill.net/]], Conditional Access Policy Visualizer   * [[https://idpowertoys.merill.net/]], Conditional Access Policy Visualizer
  
 +====== Roles ======
 +  * //User Access Administrator//
 +
 +From CIS Azure Foundations Benchmark:
 +
 +>The User Access Administrator role grants the ability to view all resources and manage access assignments at any subscription or management group level within the tenant. Due to its high privilege level, this role assignment should be removed immediately after completing the necessary changes at the root scope to minimize security risks.
 +
 +====== Working With Roles ======
 +
 +Get the Azure Roles assigned to a user.
 +<code>
 +Get-AzRoleAssignment -SigninName "Michael.Gupton@xyz.org" | select RoleDefinitionName, Scope
 +</code>
 +
 +<code>
 +az role assignment list --assignee "Michael.Gupton@xyz.org"
 +</code>
 +
 +=== Get Roles that have a permission ===
 +
 +<code>
 +Get-AzRoleDefinition | Where-Object {
 +    $_.Actions -match "Microsoft.Authorization/policyAssignments"
 +}
 +</code>
 ====== Related ====== ====== Related ======
   * [[azure:service_principles|Service Principles]]   * [[azure:service_principles|Service Principles]]
   * [[azure:Authentication and Authorization Examples]]   * [[azure:Authentication and Authorization Examples]]
  
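Review bot: the permission filter in the last block only returns roles whose `Actions` list the string literally, so roles that grant the permission through a wildcard (`*` in Owner and Contributor, or `Microsoft.Authorization/*`) are missed, and `NotActions` is never consulted (Contributor has `*` in Actions but excludes `Microsoft.Authorization/*/Write`), which means the result misreports which roles can read or change policy assignments; `-match` is also a regex, so the `.` characters match any character, harmless here but `-like "*Microsoft.Authorization/policyAssignments*"` says what is meant. The two assignment queries have a similar gap: `az role assignment list --assignee` on its own shows only assignments scoped to the current subscription and made directly to the user, so add `--all --include-groups --include-inherited` to see resource-level, group-derived and parent-scope assignments, and `Get-AzRoleAssignment -SigninName` needs `-ExpandPrincipalGroups` for the group case. Style: `=== Get Roles that have a permission ===` jumps from a six-equals heading straight to a three-equals one, the `<code>` blocks would highlight if tagged `<code powershell>` / `<code bash>`, and a blank line is missing before `====== Related ======`.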
  • azure/azure_iam.1743705878.txt.gz
  • Last modified: 2025/04/03 18:44
  • by mmuze