Azure admin roles are a crucial part of managing your Azure resources, and understanding how they work is essential for securing your environment. There are four main types of admin roles: Global Admin, Service Admin, Company Administrator, and User.
Each admin role has its own unique set of permissions, which determine what actions can be performed on Azure resources. For example, a Global Admin has full control over all Azure resources, including the ability to manage user accounts and permissions.
In Azure, permissions are managed through a concept called Role-Based Access Control (RBAC). This allows you to grant specific permissions to users or groups, rather than giving them full access to all resources. For instance, you can grant a user the "Contributor" role, which allows them to create and manage resources, but not delete them.
RBAC is a powerful tool for controlling access to your Azure resources, and it's essential to understand how it works when managing admin roles. By using RBAC, you can ensure that only authorized users have access to sensitive resources and data.
Azure Admin Roles
Azure Admin Roles are a crucial part of managing and deploying Azure solutions. Administrators in these roles deploy Azure solutions, troubleshoot and resolve issues with Azure services, and configure Azure services to meet the needs of the organization.
There are five fundamental Azure roles: Owner, Contributor, Reader, Role Based Access Control Administrator, and User Access Administrator. These roles apply to all resource types and are used to manage access to Azure resources.
Managing and deploying Azure solutions also includes designing and managing swap space in the cloud environment, maintaining Azure profiles and subscriptions, setting up private and public cloud environments, balancing and deploying workloads, and implementing and managing cost-effective cloud systems.
Azure administrators can manage identities and governance, maintain Azure resources, create file storage, implement and maintain storage, deploy compute resources, implement a load balancer, and manage virtual networking.
Here are some of the key skills covered in Azure Administrator roles:
- Manage identities and governance
- Maintain Azure resources
- Create file storage
- Implement and maintain storage
- Deploy compute resources
- Implement a load balancer
- Manage virtual networking
Azure administrators are also responsible for monitoring and backing up Azure resources, which is an important part of their job. They need to ensure that Azure resources are secure and running smoothly.
Azure administrators can choose from a variety of certifications, including the Azure Administrator certification, which covers skills such as managing identities and governance, maintaining Azure resources, creating file storage, implementing and maintaining storage, deploying compute resources, implementing a load balancer, and managing virtual networking.
Azure Identity and Access
Azure AD Domain Services can be managed by users with the Domain Services Contributor role, who have the ability to create, read, update, and delete user-assigned identities.
The Identity category in Azure has several built-in roles, including Domain Services Contributor, Domain Services Reader, Managed Identity Contributor, and Managed Identity Operator.
Conditional Access policies can be managed by users with the Conditional Access Administrator role, who have the ability to update basic properties, create, and delete policies.
Authentication
Authentication is a crucial aspect of Azure Identity and Access, ensuring that only authorized users can access your organization's resources.
Conditional Access policies can be created and managed by users with the Conditional Access Administrator role, allowing them to control access to resources based on conditions such as location, device, and user risk.
Hybrid Identity Administrators can manage hybrid authentication policy in Microsoft Entra ID, which enables seamless single sign-on (seamless SSO) and federation settings.
Azure Active Directory B2C organizations can add external identity providers, such as Facebook or Google, to enable single sign-on for users. However, this requires the External Identity Provider Administrator role and may impact end-user flows.
Conditional Access Administrators can update basic properties for Conditional Access policies, while Hybrid Identity Administrators can update hybrid authentication policy settings.
Identity Governance
Identity Governance is a crucial aspect of Azure Identity and Access. It ensures that users have the right level of access to resources and that access is approved and reviewed regularly.
In Azure, Identity Governance Administrators can manage access packages, access reviews, catalogs, and policies to maintain access control. They can create and delete access reviews, read and update all properties of access reviews, and manage access reviews of groups in Microsoft Entra ID.
Identity Governance Administrators can also update members of Security groups and Microsoft 365 groups, excluding role-assignable groups, by using the microsoft.directory/groups/members/update action. This ensures that access is up-to-date and accurate.
By managing access reviews and entitlements, Identity Governance Administrators can reduce the risk of unauthorized access and ensure that users have the right level of access to resources.
Assigned Identities
Azure Identity and Access is a powerful tool that allows you to manage who has access to your Azure resources. One important aspect of this is understanding assigned identities.
To list all assigned Azure Administrator Roles for all identities, you can use a script that formats the output with the "real" Role name instead of the Guid. This will give you a clear picture of who has what role.
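A defender's version of that script, added here as an example and not code from the article: it joins role assignments to role definitions so that GUIDs are replaced by display names, and flags holders of Global Administrator and other privileged roles for review. The Microsoft Graph endpoint names in the comments are real; the principal IDs and GUIDs are constructed placeholders.

```python
# Added example, not code from the original article: resolve role-assignment GUIDs
# to readable role names and flag holders of privileged roles for review. Input is
# shaped like Microsoft Graph's /roleManagement/directory/roleDefinitions and
# /roleManagement/directory/roleAssignments responses; records are constructed.
from collections import defaultdict

# Roles singled out for review (display names as used by Microsoft Entra ID).
PRIVILEGED_ROLES = {"Global Administrator", "Conditional Access Administrator",
                    "Privileged Role Administrator"}

# Constructed sample: definitions map the id Graph returns to a display name.
ROLE_DEFINITIONS = [
    {"id": "11111111-0000-0000-0000-000000000001", "displayName": "Global Administrator"},
    {"id": "11111111-0000-0000-0000-000000000002", "displayName": "Conditional Access Administrator"},
    {"id": "11111111-0000-0000-0000-000000000003", "displayName": "Directory Readers"},
]

# Constructed sample: assignments reference roles by GUID only (placeholder GUIDs).
ROLE_ASSIGNMENTS = [
    {"principalId": "user-alice", "roleDefinitionId": "11111111-0000-0000-0000-000000000001", "directoryScopeId": "/"},
    {"principalId": "user-bob",   "roleDefinitionId": "11111111-0000-0000-0000-000000000002", "directoryScopeId": "/"},
    {"principalId": "user-bob",   "roleDefinitionId": "11111111-0000-0000-0000-000000000003", "directoryScopeId": "/"},
    {"principalId": "spn-backup", "roleDefinitionId": "11111111-0000-0000-0000-000000000001", "directoryScopeId": "/"},
    {"principalId": "user-carol", "roleDefinitionId": "deadbeef-0000-0000-0000-000000000000", "directoryScopeId": "/"},
]


def resolve_assignments(assignments, definitions):
    """Return {principalId: sorted role display names}.

    An assignment whose roleDefinitionId has no definition is kept as
    'unknown:<guid>' rather than dropped, so it still shows up for review.
    """
    names = {d["id"]: d["displayName"] for d in definitions}
    by_principal = defaultdict(set)
    for a in assignments:
        by_principal[a["principalId"]].add(
            names.get(a["roleDefinitionId"], "unknown:" + a["roleDefinitionId"]))
    return {p: sorted(r) for p, r in by_principal.items()}


def privileged_holders(resolved, privileged=PRIVILEGED_ROLES):
    """Return {role name: sorted principals} restricted to the privileged list."""
    holders = defaultdict(list)
    for principal, roles in resolved.items():
        for role in roles:
            if role in privileged:
                holders[role].append(principal)
    return {r: sorted(p) for r, p in holders.items()}


def report(assignments=ROLE_ASSIGNMENTS, definitions=ROLE_DEFINITIONS):
    # One line per principal, then one REVIEW line per privileged role with holder count.
    resolved = resolve_assignments(assignments, definitions)
    lines = [f"{p}: {', '.join(r)}" for p, r in sorted(resolved.items())]
    for role, principals in sorted(privileged_holders(resolved).items()):
        lines.append(f"REVIEW {role} ({len(principals)} holders): {', '.join(principals)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Against a real tenant, the two lists would come from the Graph endpoints named in the comments; the join and the REVIEW summary stay the same.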
You can also view built-in roles and their descriptions in Azure AD. For example, the Domain Services Contributor role allows you to manage Azure AD Domain Services and related network configurations.
These roles are essential for managing Azure AD and related resources. By understanding what each role can do, you can better manage your Azure Identity and Access.
Azure Management and Governance
Azure management and governance is a critical aspect of an Azure administrator's role. They must manage storage to store application data, user data, and database files.
Azure administrators must configure long-term archival storage to ensure data is secure and compliant with corporate policies. This includes maintaining corporate compliance.
Securing data from unauthorized access is also a key responsibility, and administrators must know how to backup data in case of a disaster. The data should be backed up in a way that enables easy and quick restoration after a disaster.
Management and Governance
In Azure, identity governance is crucial for managing access to resources. Users with the Identity Governance Administrator role can manage Microsoft Entra ID Governance configuration, including access packages, access reviews, catalogs, and policies.
This role is essential for ensuring that access is approved and reviewed, and guest users who no longer need access are removed. You can create and delete access reviews, read and update all properties of access reviews, and manage access reviews of groups in Microsoft Entra ID.
To manage access reviews, you can use the following actions:
- microsoft.directory/accessReviews/definitions.applications/allProperties/allTasks: Manage access reviews of application role assignments in Microsoft Entra ID
- microsoft.directory/accessReviews/definitions.entitlementManagement/allProperties/allTasks: Manage access reviews for access package assignments in entitlement management
- microsoft.directory/accessReviews/definitions.groups/allProperties/read: Read all properties of access reviews for membership in Security and Microsoft 365 groups, including role-assignable groups
Additionally, you can create and delete resources, and read and update all properties in Microsoft Entra entitlement management. This is useful for setting up and managing access packages and resources in your organization.
With the Identity Governance Administrator role, you can also update members of Security groups and Microsoft 365 groups, excluding role-assignable groups. This ensures that access is properly managed and up-to-date.
Hybrid Multicloud
In a hybrid multicloud setup, you'll want to understand the various roles that come into play. Azure Resource Bridge Deployment Role is a built-in role that enables you to manage Azure Resource Bridge.
The Azure Stack HCI Administrator role grants full access to the cluster and its resources. This includes the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader.
Azure Stack HCI Device Management Role is another built-in role; it appears in the role list under the name Microsoft.AzureStackHCI Device Management Role.
You can also assign the Azure Stack HCI VM Contributor role to grant permissions to perform all VM actions. This is a crucial role for those who need to manage virtual machines.
On the other hand, the Azure Stack HCI VM Reader role grants permissions to view VMs only.
To manage Azure Stack registrations, you'll need the Azure Stack Registration Owner role, which is scoped to exactly that task.
Lastly, the Hybrid Server Resource Administrator role can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider.
Azure Security and Compliance
Azure administrators with the Compliance Administrator or Compliance Data Administrator role can manage Azure Service Health, including reading and configuring it.
These roles also have the ability to create and manage Azure support tickets, making it easier to get help when needed.
Users with these roles can view all Intune audit data and have read-only permissions in Microsoft Defender for Cloud Apps, allowing them to manage alerts and create file policies.
In addition, these roles can read and configure Service Health in the Microsoft 365 admin center, making it easier to stay on top of Azure security and compliance.
Compliance
Compliance is a critical aspect of Azure Security, and it's essential to understand the roles and permissions involved. The Compliance Administrator role has permissions to manage compliance-related features in the Microsoft Purview compliance portal, Microsoft 365 admin center, Azure, and Microsoft 365 Defender portal.
Users with this role can protect and manage their organization's data across Microsoft 365 services, manage compliance alerts, and track, assign, and verify regulatory compliance activities. They can also view all Intune audit data and have read-only permissions in Microsoft Defender for Cloud Apps.
The Compliance Data Administrator role has similar permissions, but with a focus on tracking data and compliance-related policies. They can monitor compliance-related policies across Microsoft 365 services, manage compliance alerts, and track regulatory compliance activities.
These roles and permissions are critical for maintaining compliance and security in Azure. By understanding the capabilities and limitations of each role, you can ensure that your organization is meeting its compliance requirements.
Information Protection
Information Protection is a crucial aspect of Azure Security and Compliance. Users with the Azure Information Protection Administrator role have all permissions in the Azure Information Protection service, allowing them to configure labels for the Azure Information Protection policy and manage protection templates.
This role enables administrators to manage all aspects of Azure Information Protection, including protection templates, labels, and activation. Specifically, administrators can perform actions such as "microsoft.azure.informationProtection/allEntities/allTasks".
Azure Information Protection Administrator role does not grant any permissions in Microsoft Entra ID Protection, Privileged Identity Management, Monitor Microsoft 365 Service Health, Microsoft 365 Defender portal, or Microsoft Purview compliance portal. This is an important consideration when assigning this role to users.
Conditional Access
Conditional Access is a crucial aspect of Azure Security and Compliance. It allows administrators to control user access to company resources based on conditions such as location, device, and user identity.
Conditional Access Administrator is a privileged role that enables users to manage Microsoft Entra Conditional Access settings. This includes creating, updating, and deleting Conditional Access policies.
Conditional Access also involves custom rules that define network locations, which can be managed by the Conditional Access Administrator role. These rules can be created, updated, or deleted as needed.
Azure Services and Features
Azure offers a vast array of services and features to support various administrative roles.
Azure Active Directory (Azure AD) is a cloud-based identity and access management solution that provides users with secure access to cloud and on-premises resources.
Azure AD B2C allows organizations to provide a seamless user experience across multiple applications and services, while also ensuring robust security and compliance.
Azure Functions is a serverless compute service that enables developers to build scalable and event-driven applications.
Azure Storage provides a highly available and durable object store for storing and serving large amounts of data.
Cloud Application
Cloud Application is a powerful feature in Azure that allows you to create, manage, and govern enterprise applications and application registrations.
Users with the Cloud Application Administrator role have full permissions to create and manage all aspects of enterprise applications and application registrations. They can create and delete all types of applications, update authentication, and manage application credentials.
This role also grants the ability to manage application proxy, which is not allowed in the Application Administrator role. Additionally, users assigned to this role are not added as owners when creating new application registrations or enterprise applications.
The Application Developer role is another important role that allows users to create application registrations when the "Users can register applications" setting is set to No. This role also grants permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No.
Users assigned to this role are added as owners when creating new application registrations. They can create all types of applications and are added as the first owner, create OAuth 2.0 permission grants with the creator as the first owner, and create service principals with the creator as the first owner.
In summary, the Cloud Application feature in Azure provides a robust way to manage enterprise applications and application registrations. With the right roles and permissions, users can create, manage, and govern their applications with ease.
Compute
Azure administrators are responsible for running virtual machines in the cloud, which requires a full working knowledge of popular hypervisor platforms such as Microsoft Hyper-V and VMware vSphere.
Deploying virtual machines into virtual networks, configuring them for optimal performance, and backing them up are all key responsibilities.
Azure administrators need to optimize virtual machines for optimum cost and security.
Having a recovery plan in place is crucial when a virtual machine fails, as it ensures minimal downtime and data loss.
Networking
Azure has several built-in roles for managing networking features, including Azure Front Door and CDN. These roles have specific permissions and responsibilities.
Azure Front Door Domain Contributor can manage Azure Front Door domains, but can't grant access to other users. They have a unique ID of 0ab34830-df19-4f8c-b84e-aa85b8afa6e8.
CDN Profile Contributor can manage CDN and Azure Front Door standard and premium profiles and their endpoints, but can't grant access to other users. They have an ID of ec156ff8-a8d1-4d15-830c-5b80698ca432.
Azure administrators have to manage public and private IP addresses, which is a crucial part of networking. Their responsibilities also include deploying and configuring virtual networks.
Storage
Storage is a critical aspect of Azure services, and administrators must take it seriously. They have to ensure that data is backed up at regular intervals to prevent losses.
Azure administrators are responsible for managing storage, which includes storing application data, user data, and database files. This requires expertise in configuring long-term archival storage.
To maintain corporate compliance, Azure administrators must secure data from unauthorized access. They should also backup data in a way that enables easy and quick restoration after a disaster.
Frequently Asked Questions
What is the highest admin in Azure?
The highest admin in Azure is the Global Administrator, which has unfettered access to the tenant and poses significant security risks if compromised. This privileged role requires careful management to protect the security of your Azure environment.
What is the difference between owner and user access administrator in Azure?
The owner role in Azure combines the permissions of the user access administrator and contributor roles, making it unnecessary to assign both roles separately. Use the user access administrator role instead for more granular control over user access.
What is Azure user access administrator?
The Azure User Access Administrator role grants users the ability to manage access to Azure resources, helping to regain access to subscriptions when needed. For more information on how to elevate access, see our article on managing all Azure subscriptions and management groups.
What is the difference between contributor and user access administrator in Azure?
In Azure, a Contributor can create and manage resources, but not grant access, whereas a User Access Administrator can manage user access to resources, but may not have the same level of resource management permissions. This distinction affects how users interact with and control Azure resources.
What is the difference between user access administrator and global administrator in Azure?
A Global Administrator manages all administrative features in Azure, while a User Administrator focuses on creating and managing users and groups. This distinction affects who can access and control various Azure settings.
Sources
- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
- https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
- https://www.easy365manager.com/azure-administrator-roles/
- https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
- https://www.koenig-solutions.com/blog/microsoft-azure-administrator-roles-and-responsibilities