azure:azure_iam

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
azure:azure_iam [2025/06/26 20:27] – [RBAC/Roles] mmuzeazure:azure_iam [2025/10/02 20:52] (current) – [Working With Roles] mmuze
Line 1: Line 1:
 ====== Azure IAM ====== ====== Azure IAM ======
 +
 +  * [[Microsoft Entra]]
 +  * [[microsoft:Privileged Access Management]]
 +
   * //AzureAD// vs. //AzureRM// roles   * //AzureAD// vs. //AzureRM// roles
  
Line 36: Line 40:
   * Example of a control plane action is, ''Microsoft.Storage/storageAccounts/listKeys/action''.   * Example of a control plane action is, ''Microsoft.Storage/storageAccounts/listKeys/action''.
   * Example of a data plane action is, ''Microsoft.KeyVault/vaults/keys/get/action''   * Example of a data plane action is, ''Microsoft.KeyVault/vaults/keys/get/action''
 +
 +====== Service Accounts ======
 +Microsoft’s guidance is to avoid using regular user accounts as service accounts when possible. Instead:
 +  * Use App Registrations + Service Principals with client secret or certificate auth.
 +  * Use Managed Identities if the service runs in Azure, so you don’t manage credentials at all.
  
 ====== Security Principles ====== ====== Security Principles ======
Line 63: Line 72:
   * [[https://www.azadvertizer.net/]]   * [[https://www.azadvertizer.net/]]
   * [[https://idpowertoys.merill.net/]], Conditional Access Policy Visualizer   * [[https://idpowertoys.merill.net/]], Conditional Access Policy Visualizer
- 
-====== Related ====== 
-  * [[azure:service_principles|Service Principles]] 
-  * [[azure:Authentication and Authorization Examples]] 
  
 ====== Roles ====== ====== Roles ======
Line 74: Line 79:
  
 >The User Access Administrator role grants the ability to view all resources and manage access assignments at any subscription or management group level within the tenant. Due to its high privilege level, this role assignment should be removed immediately after completing the necessary changes at the root scope to minimize security risks. >The User Access Administrator role grants the ability to view all resources and manage access assignments at any subscription or management group level within the tenant. Due to its high privilege level, this role assignment should be removed immediately after completing the necessary changes at the root scope to minimize security risks.
 +
 +====== Working With Roles ======
 +
 +Get the Azure Roles assigned to a user.
 +<code>
 +Get-AzRoleAssignment -SigninName "Michael.Gupton@xyz.org" | select RoleDefinitionName, Scope
 +</code>
 +
 +<code>
 +az role assignment list --assignee "Michael.Gupton@xyz.org"
 +</code>
 +
 +=== Get Roles that have a permission ===
 +
 +<code>
 +Get-AzRoleDefinition | Where-Object {
 +    $_.Actions -match "Microsoft.Authorization/policyAssignments"
 +}
 +</code>
 +====== Related ======
 +  * [[azure:service_principles|Service Principles]]
 +  * [[azure:Authentication and Authorization Examples]]
  
  • azure/azure_iam.1750969634.txt.gz
  • Last modified: 2025/06/26 20:27
  • by mmuze