II. Azure Resource & Resource Groups
Account Administrator
The billing owner of the subscription Has NO access to the Azure Portal.
Dynamic User
Uses dynamic membership rules to automatically add and remove members according to rule requirements.
What is an Azure Policy?
A governance mechanism which allows you to create policies that enforce and control the properties of resource groups and subscriptions. Policies enforce different rules and effects over your resources, so those resources stay compliant with your IT governance standards and SLAs. Azure Policy evaluates state by examining properties on resources that are represented in Resource Manager and properties of some Resource Providers.
* Doesn't restrict actions/operations.
* Even if an individual has access to perform an action, IF the result is a non-compliant resource, Azure Policy still blocks the CREATE/UPDATE.
What is an Azure Resource Group?
a way of organizing resources in a subscription.
Azure Resource Lock flavors
a. read-only - authorized users will not be able to modify the resource.
b. delete - authorized users will be able to read and modify, but NOT delete.
guest user
Able to invite users of other tenants, which is a much simpler concept than using a Federation Service. Federation Services being the act of joining Active Directories together.
External Identities
Allow people outside your org to access internal apps and resources, while letting them sign in using whatever identity they prefer, i.e., partners, distributors, suppliers, vendors, and other guests can "bring their own identities". Supports logins from Google and Facebook.
* Share apps with external users (B2B collaboration).
* Develop apps intended for other AAD tenants (single/multi-tenant).
* Develop white-labeled apps for consumers and customers (AAD B2C).
User
an individual who has a profile in Azure Active Directory
security principal
an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources.
Azure Resource Group Policies
can be assigned to different groups
Role Assignments
Consists of three elements:
- security principal
- role definition
- scope
SSPR (Self Service Password Reset)
gives users in Azure Active Directory (Azure AD) the ability to change or reset their password, with no administrator or help desk involvement.
Access Controls (IAM)
Identity and Access Management (IAM) allows you to create and assign roles to users.
Azure Roles (RBAC system): roles restrict access to resource actions (also known as operations). There are two types of roles:
1. BuiltInRole -- Managed MS roles; read-only, pre-created roles for you to use.
2. CustomRole -- A role created by you with your own custom logic.
Role Assignment - is when you apply a role to a service principal, group, or user.
Deny Assignments - block users from performing specific actions even if a role assignment grants them access. The only way to apply Deny Assignments is through Azure Blueprints.
administrative units
An Azure AD resource that can be a container for other Azure AD resources. An administrative unit can contain only users, groups, or devices. Administrative units restrict the permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support.
Classic Administrators
The original role system. **You should use the new RBAC system when possible.** Has three types of roles:
1. Account Administrator
2. Service Administrator
3. Co-Administrator
Azure Resource Group Lock
Provides a way for administrators to lock down Azure resources to prevent deletion or changing of a resource. These locks sit outside of the Role Based Access Control (RBAC) hierarchy and, when applied, place the restriction on the resource for all users.
Azure RBAC
Role-based access control is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. It helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
Service Administrator
Same access as a user assigned the Owner role at subscription scope. Full access to the Azure portal.
Co-Administrator
Same access as a user who is assigned the Owner role at the subscription scope.
Azure Resource Manager
the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. You use management features, like access control, locks, and tags, to secure and organize your resources after deployment.
Azure Resource Types
*Primary:
1. VMs or virtual machines
2. Web Apps
3. Storage Accounts
**Secondary:
4. Public IP addresses
5. NICs
6. NSGs
Azure Resource Group Characteristics
- a folder structure
- all resources must ONLY belong to ONE resource group
- a way of separating out projects
- resource groups can be deleted (which will delete ALL resources in that group)
What is an Azure Resource?
- a resource is any entity managed by MS Azure
scope
- is the set of resources that the access applies to
In Azure, you can specify a scope at four levels:
- management group
- subscription
- resource group
- resource
role definition
- typically just called a role
- a collection of permissions
- lists the actions that can be performed, such as read, write, and delete
Roles can be high-level, like Owner, or specific, like Virtual Machine Reader.
Assigning resource access rights
4 ways:
- direct assignment: resource owner directly assigns the user to the resource.
- group assignment: resource owner assigns a group to the resource, which automatically gives all group members access to the resource.
- rule-based assignment: resource owner creates a group and uses a rule to define which users are assigned to a specific resource.
- external authority assignment: access comes from an external source, such as an on-prem directory or a SaaS app.
Role assignments
A role assignment is the process of attaching a role definition to a user, group, service principal, or managed identity at a particular scope for the purpose of granting access.
AZ AD Roles vs. AZ Roles (RBAC)
Azure AD Roles: used to control access to AD resources. Examples of AD resources: Users, Groups, Billing, Licensing, App Registration.
Azure Roles: used to control access to AZ resources. Examples: VMs, Databases, Cloud Storage, Cloud Networking.
* By default, AZ Roles DO NOT span Azure and AAD.
* By default, the Global Administrator DOESN'T have access to AZ resources.
Multiple Role Assignments
Azure RBAC is an additive model, so your effective permissions are the sum of your role assignments. Example: a user is granted the Contributor role at the subscription scope and the Reader role on a resource group. The sum of the Contributor permissions and the Reader permissions is effectively the Contributor role for the subscription. Therefore, in this case, the Reader role assignment has no impact.
Azure AD Roles
Built-in Azure AD Roles:
a. Global Administrator -- full access to everything
b. User Administrator -- full access to create and manage users
c. Billing Administrator -- make purchases, manage subscriptions and support tickets
Azure Resource Manager Templates
JSON files that define the infrastructure and configuration of the resources in Azure you want to provision and the services you want to configure.
IaC (Infrastructure as Code): the process of managing and provisioning computer data centers through machine-readable definition files rather than physical hardware configuration or interactive configuration tools. IaC can be either:
- Declarative -- You define exactly what you want.
- Imperative -- You define what you generally want and the service will guess what you want.
You can:
- define exactly what you want
- stand up, tear down, or share entire architectures in minutes
- reduce configuration mistakes
- know exactly what you have defined for a stack to establish an architecture baseline for compliance
Features:
- Modularity: break up your architecture into multiple files and reuse them.
- Testing: you can use the ARM template toolkit (arm-ttk).
- Preview Changes: before you create infrastructure via a template, see what it will create.
- Built-in Validation: will only deploy your template if it passes validation.
- Tracked Deployments: keep track of changes to the architecture over time.
- Policy as Code: apply AZ policies to ensure you remain compliant.
- MS Blueprints: establish relationships between resources and the template.
- CI/CD integration.
- Exportable Code.
- Authoring Tools: VS Code has advanced features for authoring ARM templates.
MFA
Multi-Factor Authentication works by requiring two or more of the following authentication methods (the three "somethings"):
- something you know, typically a password.
- something you have, such as a trusted device that's not easily duplicated, like a phone or hardware key.
- something you are, i.e., biometrics like a fingerprint or face scan.
RBAC
Previously, Azure RBAC was an allow-only model with no deny, but now Azure RBAC supports deny assignments in a limited way. RBAC helps you manage who has access to Azure resources, what they can do with those resources, and what they have access to.
Role Assignments consist of 3 elements:
a. security principal
b. role definition
c. scope
* There are 4 fundamental Azure roles. Attributable permissions: Read (r), Grant (g), Create/Update/Delete (c,u,d):
a. Owner                     r / g / c,u,d
b. Contributor               r /   / c,u,d
c. Reader                    r /   /
d. User Access Administrator   / g /
Groups
Role assignments are transitive for groups which means that if a user is a member of a group and that group is a member of another group that has a role assignment, the user will have the permissions in the role assignment.