Mastering Azure Roles and Governance

Azure has five built-in roles: Owner, Contributor, Reader, User Access Administrator, and Global Administrator.

Each role has its own set of permissions, with Owner having the broadest access and Reader having the most restrictive.

The Owner role can manage all resources, including assigning roles to users, while the Reader role can only view resources but not make any changes.

Azure also allows you to create custom roles, which can be tailored to specific needs and permissions.

Azure roles are a crucial part of managing access and permissions in Azure. You can create a custom RBAC role by creating a role document and a custom role in Azure.

To create a custom role, you can use the `az role definition create` command or the `New-AzureRmRoleDefinition` cmdlet, specifying the path to the permissions file. Once created, the new role should appear in the Roles tab in Subscriptions > Access Control (IAM) in the Azure portal.

You can also assign Azure roles using the Azure portal, which involves reviewing the role assignment settings and clicking Review + assign to assign the role.

Azure Roles provide a way to manage access to resources in a controlled and secure manner. The Privileged Role Administrator is a built-in role that allows users to manage role assignments in Microsoft Entra ID and Privileged Identity Management.

This role grants the ability to manage assignments for all Microsoft Entra roles, including the Global Administrator role. It also allows management of all aspects of Privileged Identity Management and administrative units.

The Privileged Role Administrator role includes permissions such as creating and managing groups that can be assigned to Microsoft Entra roles, as well as managing all aspects of authorization policy and directory roles.

Here are some key actions associated with the Privileged Role Administrator role:

Compute is a crucial aspect of Azure Roles, and it's essential to understand the different compute options available. Azure Virtual Machines (VMs) provide a flexible and scalable way to deploy and manage virtual machines in the cloud.

You can choose from a range of Linux and Windows operating systems, including Ubuntu and CentOS. Azure VMs offer high-performance and cost-effective solutions for a variety of workloads.

The Azure Cloud Services model provides a platform for deploying and managing cloud-based applications. It includes a range of features such as load balancing, autoscaling, and monitoring.

Azure Functions is a serverless compute service that allows you to run small code snippets in response to events. It's perfect for handling tasks like image processing or data integration.

Azure Container Instances (ACI) provides a fast and easy way to run containers in the cloud. You can deploy and manage containers with a few clicks, making it a great option for development and testing environments.

Azure Batch is a cloud-based service that enables you to run large-scale parallel workloads. It's ideal for tasks like data processing, scientific simulations, and media encoding.

To delegate a condition, you need to select one of the following privileged roles: Owner, Role Based Access Control Administrator, or User Access Administrator.

If you've selected one of these roles, you'll need to follow some specific steps. First, on the Conditions tab, select the Allow user to only assign selected roles to selected principals (fewer privileges) option.

This option will open up a new window where you can select roles and principals to add a condition that constrains the roles and principals this user can assign roles to.

You can follow the steps in Delegate Azure role assignment management to others with conditions to complete the process.

Here are the privileged roles that require these specific steps:

The AI Administrator role is a crucial part of managing Microsoft 365 Copilot and AI-related enterprise services. Assigning this role to users allows them to manage all aspects of Microsoft 365 Copilot.

Users with the AI Administrator role can manage AI-related enterprise services, extensibility, and copilot agents from the Integrated apps page in the Microsoft 365 admin center. They can also approve and publish line-of-business copilot agents.

To understand the specific actions and permissions granted to AI Administrators, let's take a look at the actions listed in the article:

These actions demonstrate the comprehensive permissions granted to AI Administrators, allowing them to manage various aspects of Microsoft 365 Copilot and AI-related enterprise services.

As an Azure user, you'll likely encounter various roles and permissions. Let's dive into the Application aspect of Azure roles.

The Cloud Application Administrator role grants the ability to create and manage all aspects of enterprise applications and application registrations. This includes creating all types of applications, updating authentication on all types of applications, and updating exposed permissions and required permissions on all types of applications.

Users assigned to this role can also update the owner property of application policies, update the audience property for applications, and update the basic properties for applications.

In terms of permissions, Cloud Application Administrators have the ability to read and configure Azure Service Health, create and manage Azure support tickets, and read all properties on audit logs, excluding custom security attributes audit logs.

Here's a summary of the key actions associated with the Cloud Application Administrator role:

In addition to the Cloud Application Administrator role, there's also the Cloud App Security Administrator role. This role has full permissions in Defender for Cloud Apps and can add administrators, add Microsoft Defender for Cloud Apps policies and settings, upload logs, and perform governance actions.

The Application Developer role is a privileged one, granting users the ability to create application registrations even when the "Users can register applications" setting is set to No.

This role also allows users to consent on their own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No. Users assigned to this role are added as owners when creating new application registrations.

With the Application Developer role, users have the ability to create all types of applications, and the creator is added as the first owner. This is thanks to the "microsoft.directory/applications/createAsOwner" action.

Here are the specific actions that users with the Application Developer role can perform:

By having the Application Developer role, users can create and manage various applications, including those that require OAuth 2.0 permission grants and service principals.

As you navigate the world of Azure Roles, you'll eventually come to a point where you need to return to a specific state or allow users to perform certain actions. In the context of Attribute Assignment Readers, this means being able to read custom security attribute keys and values for supported Microsoft Entra objects.

One key aspect of returning to a specific state is the ability to read all properties of attribute sets, which is granted by the microsoft.directory/attributeSets/allProperties/read permission.

You can also return to a state where you can read custom security attribute values for devices, which is allowed by the microsoft.directory/devices/customSecurityAttributes/read permission.

Here's a quick rundown of the permissions that allow Attribute Assignment Readers to return to a specific state:

These permissions give Attribute Assignment Readers the ability to read custom security attribute values for various Microsoft Entra objects, including devices, users, and more.

In Azure, knowledge management is a crucial aspect of maintaining a well-structured and up-to-date knowledge base. Users with the Knowledge Manager role can create and manage content, like topics, acronyms, and learning content.

This role is primarily responsible for the quality and structure of knowledge. Users in this role have full rights to topic management actions, including confirming a topic, approving edits, or deleting a topic. They can also manage taxonomies as part of the term store management tool and create content centers.

To give you a better idea of the responsibilities associated with this role, here are some of the actions that users with the Knowledge Manager role can perform:

These actions demonstrate the breadth of responsibilities associated with the Knowledge Manager role, from managing security groups to creating and managing content in Microsoft 365.

As you explore Azure roles, you'll come across Cloud Device Administrator, a role that allows users to manage devices in Microsoft Entra ID.

This role grants users the ability to enable, disable, and delete devices, as well as read Windows 10 BitLocker keys in the Azure portal. But that's not all - they can also read and configure Azure Service Health.

With this role, users can read all properties on audit logs, excluding custom security attributes audit logs. They can also read standard properties of authorization policy, and read bitlocker metadata and key on devices.

Here's a breakdown of the actions this role allows:

This role also allows users to read all properties on sign-in reports, including privileged properties. They can even read and configure Service Health in the Microsoft 365 admin center.

The Lockbox Access Approver role is a crucial part in managing Microsoft Purview Customer Lockbox requests.

They receive email notifications for these requests and can approve or deny them from the Microsoft 365 admin center.

They can also turn the Customer Lockbox feature on or off, giving them fine-grained control over access.

Only Global Administrators can reset the passwords of people assigned to this role, highlighting the importance of their position.

The Lockbox Access Approver has two key actions: managing all aspects of Customer Lockbox and reading basic properties on all resources in the Microsoft 365 admin center.

Here are the specific actions and their descriptions:

Dynamics 365 is a powerful tool that allows administrators to manage all aspects of the service.

Users with the Dynamics 365 Administrator role have global permissions within Microsoft Dynamics 365 Online, and can manage support tickets and monitor service health.

This role is also known as Dynamics 365 Service Administrator in the Microsoft Graph API and Microsoft Graph PowerShell, and Dynamics 365 Administrator in the Azure portal.

With this role, administrators can read and configure Azure Service Health, create and manage Azure support tickets, and manage all aspects of Dynamics 365.

Here are some specific actions that Dynamics 365 Administrators can perform:

Dynamics 365 Administrators can also read and configure Service Health in the Microsoft 365 admin center, and create and manage Microsoft 365 service requests.

Fabric is a powerful tool within Azure that allows users to manage and monitor their services. Users with the Fabric Administrator role have global permissions within Microsoft Fabric and Power BI.

This role grants them the ability to manage support tickets and monitor service health. They can also configure Azure Service Health and create and manage Azure support tickets.

With the Fabric Administrator role, users can read and configure Service Health in the Microsoft 365 admin center. They can also create and manage Microsoft 365 service requests.

Here are some specific actions that users with the Fabric Administrator role can perform:

Users can also read basic properties on all resources in the Microsoft 365 admin center with the Fabric Administrator role.

The Global Administrator role is a privileged position that grants access to all administrative features in Microsoft Entra ID. This includes services that use Microsoft Entra identities like the Microsoft 365 Defender portal and the Microsoft Purview compliance portal.

One of the key benefits of being a Global Administrator is the ability to elevate access to manage all Azure subscriptions and management groups. This allows Global Administrators to get full access to all Azure resources using the respective Microsoft Entra tenant.

As a Global Administrator, you can reset the password for any user and all other administrators. However, you cannot remove your own Global Administrator assignment, which is a security measure to prevent an organization from having zero Global Administrators.

Microsoft recommends assigning the Global Administrator role to fewer than five people in your organization. This is a best practice to ensure that sensitive administrative tasks are not delegated to too many individuals.

Here are some key actions that Global Administrators can perform:

* ActionDescriptionmicrosoft.azure.supportTickets/allEntities/allTasksCreate and manage Azure support ticketsmicrosoft.office365.serviceHealth/allEntities/allTasksRead and configure Service Health in the Microsoft 365 admin centermicrosoft.office365.supportTickets/allEntities/allTasksCreate and manage Microsoft 365 service requestsmicrosoft.powerApps.powerBI/allEntities/allTasksManage all aspects of Fabric and Power BI

Note that Global Administrators cannot access the Purchase Services area in the Microsoft 365 admin center.

The Helpdesk role is a privileged one, allowing users to change passwords, invalidate refresh tokens, and manage support requests for Azure and Microsoft 365 services.

Helpdesk Administrators can reset passwords for users who have access to sensitive or private information, such as Application Registration and Enterprise Application owners, Azure subscription owners, and Security Group and Microsoft 365 group owners.

This role is crucial for managing access to sensitive information, and it's essential to understand its limitations. Helpdesk Administrators cannot change the credentials or reset MFA for members and owners of a role-assignable group.

To give you a better idea of the actions a Helpdesk Administrator can perform, here are some examples:

This role is not just about resetting passwords; it's also about managing access to sensitive information and ensuring that users can't assume the identity of others.

As you delve into the world of Azure Roles, you'll come across the Insights Administrator role, which grants users access to the full set of administrative capabilities in the Microsoft Viva Insights app.

This role allows users to read directory information, monitor service health, file support tickets, and access the Insights Administrator settings aspects.

With the Insights Administrator role, users can read and configure Azure Service Health, giving them visibility into the health of their Azure services.

To create and manage Azure support tickets, users can utilize the microsoft.azure.supportTickets/allEntities/allTasks capability.

The Insights Administrator role also enables users to manage all aspects of the Insights app, thanks to the microsoft.insights/allEntities/allProperties/allTasks capability.

Users can also read and configure Service Health in the Microsoft 365 admin center using the microsoft.office365.serviceHealth/allEntities/allTasks capability.

In addition, they can create and manage Microsoft 365 service requests using the microsoft.office365.supportTickets/allEntities/allTasks capability.

Here's a summary of the key actions and descriptions for the Insights Administrator role:

As a Teams Administrator, you can manage all aspects of the Microsoft Teams workload via the Microsoft Teams & Skype for Business admin center and the respective PowerShell modules.

You can read and configure Azure Service Health, create and manage Azure support tickets, and monitor service health.

The Teams Administrator role grants the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health.

You can also read and configure Service Health in the Microsoft 365 admin center, manage all aspects of Skype for Business Online, and create and manage Microsoft 365 service requests.

The Teams Telephony Administrator role allows users to manage voice and telephony, including calling policies, phone number management and assignment, and voice applications.

You can read all data in the Call Quality Dashboard (CQD) and manage voice including calling policies and phone number inventory and assignment.

Here are some of the actions you can perform as a Teams Administrator:

As a Teams Administrator, you can also read and configure Service Health in the Microsoft 365 admin center and manage all aspects of Skype for Business Online.

You can read Office 365 usage reports and read basic properties on all resources in the Microsoft 365 admin center.

The Teams Telephony Administrator role also allows users to access only Public Switched Telephone Network (PSTN) usage reports from Teams admin center and view user profile page.

Here are some of the actions you can perform as a Teams Telephony Administrator:

As a Teams Administrator, you can create and manage Microsoft 365 groups, manage support tickets, and monitor service health.

You can also read and configure Service Health in the Microsoft 365 admin center, manage all aspects of Skype for Business Online, and create and manage Microsoft 365 service requests.

As a Global Administrator, you may need to grant certain users the ability to create new tenants in Microsoft Entra ID. This is where the Tenant Creator role comes in.

The Tenant Creator role is assigned to users who need to create both Microsoft Entra and Azure Active Directory B2C tenants. This is particularly useful when the tenant creation toggle is turned off in the user settings.

These users will have the power to create new tenants, and as a result, they will be automatically assigned the Global Administrator role on those new tenants.

If you're wondering what specific actions a Tenant Creator can perform, here's the lowdown: they can create new tenants in Microsoft Entra ID, as indicated by the action "microsoft.directory/tenantManagement/tenants/create".

Azure offers a wide range of services that cater to different needs, from cloud computing to artificial intelligence.

Azure Storage is a key service that provides a highly available and durable storage solution for data.

Azure Active Directory (Azure AD) is a cloud-based identity and access management service that helps organizations manage user identities and access to resources.

Azure provides a scalable and secure platform for businesses to build and deploy applications, making it an ideal choice for modern enterprises.

Networking is a crucial aspect of Azure Services, allowing you to manage and configure various components of your network infrastructure.

Azure Front Door offers several built-in roles that grant specific permissions to users. These roles include Azure Front Door Domain Contributor, Azure Front Door Domain Reader, Azure Front Door Profile Reader, Azure Front Door Secret Contributor, and Azure Front Door Secret Reader.

These roles are designed for internal use within Azure and have distinct permissions. For instance, the Azure Front Door Domain Contributor role can manage Azure Front Door domains, but cannot grant access to other users.

Azure Front Door also offers a range of roles that grant read-only access to specific components of the service. These roles include Azure Front Door Profile Reader and Azure Front Door Secret Reader.

In addition to Azure Front Door, Azure Services also offer roles for managing Content Delivery Network (CDN) endpoints and profiles. These roles include CDN Endpoint Contributor, CDN Endpoint Reader, CDN Profile Contributor, and CDN Profile Reader.

Here are the Azure Front Door and CDN roles in a table for easy reference:

Storage in Azure Services is a robust and scalable solution that allows you to store and manage large amounts of data with ease.

Azure Blob Storage offers a highly available and durable storage solution for unstructured data such as images, videos, and documents.

You can store up to 5 TB of data in a single blob, making it ideal for large files.

Azure File Storage provides a file system that can be accessed from anywhere, making it easy to share files between applications and services.

Azure Disk Storage offers persistent storage for virtual machines, allowing you to store data even after a VM is shut down.

Azure Storage offers a range of data transfer options, including the Azure Data Factory, which can transfer up to 100 TB of data per day.

With Azure Storage, you can also set up data redundancy across multiple locations, ensuring that your data is always available.

Azure Services offers a range of roles for Web and Mobile applications, allowing for fine-grained control over access and permissions. These roles are essential for ensuring the security and scalability of your applications.

Azure Maps Data Contributor grants access to read, write, and delete access to map-related data from an Azure maps account. This role is ideal for developers who need to update and manage map data.

Azure Maps Data Reader, on the other hand, grants access to read map-related data from an Azure maps account. This role is suitable for applications that only need to retrieve map data.

Azure Maps Search and Render Data Reader grants access to a very limited set of data APIs for common visual web SDK scenarios. Specifically, render and search data APIs.

Azure Spring Apps Application Configuration Service Config File Pattern Reader Role allows you to read the content of config file patterns for Application Configuration Service in Azure Spring Apps.

Azure Spring Apps Application Configuration Service Log Reader Role enables you to read real-time logs for Application Configuration Service in Azure Spring Apps.

Azure Spring Apps Connect Role is a role that allows for Azure Spring Apps Connect functionality.

Azure Spring Apps Job Log Reader Role allows you to read real-time logs for jobs in Azure Spring Apps.

Azure Spring Apps Remote Debugging Role is a role that enables remote debugging in Azure Spring Apps.

Azure Spring Apps Spring Cloud Gateway Log Reader Role allows you to read real-time logs for Spring Cloud Gateway in Azure Spring Apps.

Azure Spring Cloud Config Server Contributor allows you to read, write, and delete access to Azure Spring Cloud Config Server.

Azure Spring Cloud Config Server Reader allows you to read access to Azure Spring Cloud Config Server.

Azure Spring Cloud Data Reader allows you to read access to Azure Spring Cloud Data.

Azure Spring Cloud Service Registry Contributor allows you to read, write, and delete access to Azure Spring Cloud Service Registry.

Azure Spring Cloud Service Registry Reader allows you to read access to Azure Spring Cloud Service Registry.

Here is a summary of the Web and Mobile roles in Azure Services:

Azure offers a range of database services, each with its own unique role and permissions.

The Azure Connected SQL Server Onboarding role allows for read and write access to Azure resources for SQL Server on Arc-enabled servers. This is useful for managing and integrating SQL Server databases with Azure services.

The Cosmos DB Account Reader Role can read Azure Cosmos DB account data, making it essential for monitoring and troubleshooting issues. This role is separate from the Cosmos DB Operator role, which lets you manage Azure Cosmos DB accounts but not access data in them.

Cosmos DB Operator is a critical role for managing Azure Cosmos DB accounts, but it prevents access to account keys and connection strings. This is a deliberate design choice to ensure security and prevent unauthorized access.

The CosmosBackupOperator role can submit restore requests for a Cosmos DB database or a container for an account. This is a key feature for disaster recovery and data backup.

Here's a list of some of the key database roles in Azure:

The DocumentDB Account Contributor role can manage Azure Cosmos DB accounts, including Azure Cosmos DB, which is formerly known as DocumentDB. This role is essential for setting up and managing Cosmos DB accounts.

The PostgreSQL Flexible Server Long Term Retention Backup Role allows backup vault to access PostgreSQL Flexible Server Resource APIs for Long Term Retention Backup. This is a critical feature for data backup and disaster recovery.

The SQL DB Contributor role lets you manage SQL databases, but not access to them. This is a deliberate design choice to ensure security and prevent unauthorized access.

The SQL Managed Instance Contributor role lets you manage SQL Managed Instances and required network configuration, but can't give access to others. This is a key feature for managing and integrating SQL databases with Azure services.

The SQL Security Manager role lets you manage the security-related policies of SQL servers and databases, but not access to them. This is essential for ensuring the security and compliance of SQL databases.

The SQL Server Contributor role lets you manage SQL servers and databases, but not access to them, and not their security-related policies. This is a key feature for managing and integrating SQL databases with Azure services.

As you explore Azure Services, you'll come across DevOps, a crucial component for managing and deploying applications. DevOps provides built-in roles that grant specific permissions to users.

One such role is the Deployment Environments Reader, which gives users read access to environment resources. Another role is the Deployment Environments User, which provides access to manage environment resources. These roles are essential for teams working together on projects.

Let's take a look at some of the built-in DevOps roles:

These roles are designed to help teams work efficiently and securely. By assigning the right roles to users, you can control access to resources and ensure that projects are completed successfully.

As you navigate the vast world of Azure Services, you'll likely come across the term "Cloud Application." But what exactly does it entail? Simply put, a Cloud Application is a software application that's hosted on a cloud computing platform, such as Azure.

To create and manage all aspects of enterprise applications and application registrations, you'll need to assign users to the Cloud Application Administrator role. This role grants the ability to create and manage all types of applications, including their basic properties, authentication, and permissions.

Here are some key actions that Cloud Application Administrators can perform:

Cloud Application Administrators can also manage application policies, including their standard properties, owners, and permissions. They can update the appRoles property on all types of applications, as well as their audience and authentication properties. Additionally, they can create and manage application templates, instantiate gallery applications, and read all properties on audit logs.

In the event of a deleted application, Cloud Application Administrators can permanently delete it, which can no longer be restored. They can also restore soft deleted applications to their original state.

As a Service Support Administrator, you have the ability to create and manage support requests with Microsoft for Azure and Microsoft 365 services. You can view the service dashboard and message center in the Azure portal and Microsoft 365 admin center.

This role was previously named Service Administrator, but was renamed to Service Support Administrator to align with the existing name in the Microsoft Graph API and Microsoft Graph PowerShell.

You can perform various actions as a Service Support Administrator, including reading and configuring Azure Service Health, creating and managing Azure support tickets, and reading all network performance properties in the Microsoft 365 admin center.

Here are some specific actions you can take as a Service Support Administrator:

As a Service Support Administrator, you can also create and manage Microsoft 365 service requests, and read basic properties on all resources in the Microsoft 365 admin center.

SharePoint is a powerful tool for managing and collaborating on files and documents. It's an essential part of Microsoft 365, and as a SharePoint Administrator, you have global permissions within Microsoft SharePoint Online.

You can create and manage all Microsoft 365 groups, which is a crucial aspect of SharePoint. With this role, you also have the ability to manage support tickets and monitor service health.

One of the key features of SharePoint is its integration with other Microsoft tools, such as OneDrive. As a SharePoint Administrator, you can create and manage OneDrive protection policies in Microsoft 365 Backup, which helps protect user data.

You can also manage all restore points associated with selected SharePoint sites in M365 Backup, ensuring that your data is always up-to-date and secure.

Here are some specific actions you can perform as a SharePoint Administrator:

These actions demonstrate the level of control and flexibility you have as a SharePoint Administrator. With this role, you can manage various aspects of SharePoint, including service health, support tickets, and data protection.

Skype for Business is a powerful tool within Azure Services, allowing administrators to manage global permissions and user attributes. It's essential to have a licensed account for Teams to run Teams PowerShell cmdlets.

This role grants the ability to manage support tickets and monitor service health, which is crucial for maintaining a smooth user experience. You can read and configure Azure Service Health, as well as create and manage Azure support tickets.

In the Microsoft Graph API and Microsoft Graph PowerShell, this role is named Lync Service Administrator. In the Azure portal, it's named Skype for Business Administrator.

Here are some key actions that can be performed with the Skype for Business Administrator role:

You can also manage all aspects of Skype for Business Online, which includes monitoring service health and creating support tickets.

Teams Telephony is a crucial aspect of Azure Services, allowing administrators to manage voice and telephony features. This includes calling policies, phone number management and assignment, and voice applications.

The Teams Telephony Administrator role grants users access to manage these features. They can view user profile pages and create and manage support tickets in Azure and the Microsoft 365 admin center.

One of the key features of Teams Telephony is the ability to read all data in the Call Quality Dashboard (CQD). This provides administrators with valuable insights into call quality issues.

To manage voice features, Teams Telephony Administrators can use the Microsoft Teams API to manage voice, including calling policies and phone number inventory and assignment. This allows for streamlined management of voice services.

Here are some key actions that Teams Telephony Administrators can perform:

These actions demonstrate the breadth of control that Teams Telephony Administrators have over voice and telephony features in Azure Services.