Access control in Azure has undergone significant changes with the introduction of Entra ID, formerly known as Azure Active Directory (Azure AD) B2C.
Entra ID is designed to provide a more streamlined and user-friendly experience for managing access and identity across Azure services.
Entra ID offers a range of features that make it an attractive option for businesses, including support for multi-factor authentication and conditional access policies.
One of the key benefits of Entra ID is its ability to integrate with a wide range of Azure services, including Azure AD, Azure SQL Database, and Azure Storage.
Prerequisites
To assign Azure roles, you must have the Microsoft.Authorization/roleAssignments/write permission, which is included in roles such as Role Based Access Control Administrator or User Access Administrator.
To get started, sign in to the Azure portal. This will give you access to all the features and tools you need to manage your Azure resources.
You'll then need to search for the scope you want to grant access to in the Search box at the top. This could be a Management group, Subscription, Resource group, or a specific resource.
Once you've found the correct resource, click on it to access its settings. From there, you can navigate to the Access control (IAM) page, which is where you'll manage role assignments.
The Access control (IAM) page is where you'll find the Role assignments tab, which lists all the current role assignments at that scope.
Setting Up Access Control
To set up access control in Microsoft Entra ID, you'll first need to select who needs access. This involves choosing the users, groups, or service principals that will be assigned a specific role. You can search for users by display name or email address.
There are two types of role definitions in Microsoft Entra ID: built-in roles and custom roles. Built-in roles have a fixed set of permissions and cannot be modified, while custom roles let you create your own collection of permissions to assign to users.
To determine if a user has access to a resource, Microsoft Entra ID uses a two-step process. First, the user acquires a token for the Microsoft Graph endpoint. Then, the user makes an API call to Microsoft Entra ID via Microsoft Graph using the issued token. Microsoft Entra ID checks whether the action in the API call is included in the roles the user holds for this resource.
You can assign a custom role definition to a user by creating a role assignment. A role assignment grants the user the permissions in a role definition at a specified scope. The most common scope is organization-wide (org-wide) scope, but a custom role can also be assigned at an object scope, such as a single application.
Here's a summary of the steps to select who needs access:
- On the Members tab, select User, group, or service principal.
- Click Select members and find the users, groups, or service principals.
- Click Select to add the users, groups, or service principals to the Members list.
- Enter an optional description for this role assignment.
Add Condition (Optional)
If you selected a role that supports conditions, you'll have the option to add a condition to your role assignment for more fine-grained access control.
The Conditions tab looks different depending on the role you selected, so review the options it presents for that role.
You can add a condition to constrain the roles and principals this user can assign roles to, which is particularly useful if you're working with sensitive information.
To do this, select the Allow user to only assign selected roles to selected principals (fewer privileges) option on the Conditions tab under What user can do.
Click Select roles and principals to add the condition, and then follow the steps in Delegate Azure role assignment management to others with conditions.
If you're working with one of the privileged roles - Owner, Role Based Access Control Administrator, or User Access Administrator - you'll need to follow a slightly different process, which we'll cover next.
Next Steps
Now that you've set up access control, it's time to think about the next steps. Building a Conditional Access policy piece by piece will help you fine-tune your access control strategy.
To get started, you'll want to break down your policy into smaller, manageable chunks. This will make it easier to test and refine each component before moving on to the next one.
Plan your Conditional Access deployment carefully, considering factors such as user groups, locations, and devices. This will ensure a smooth rollout and minimize disruptions to your users.
Assigning Roles
Assigning roles is a crucial step in controlling access to Microsoft Entra resources. You can assign roles to users directly, which is the default way to assign roles, or create role-assignable groups and assign roles to these groups.
To assign roles to users, you can use the Microsoft Entra admin center, Microsoft Graph PowerShell, or Microsoft Graph API. Azure CLI is not supported for Microsoft Entra role assignments.
A role assignment is a Microsoft Entra resource that attaches a role definition to a security principal at a particular scope to grant access to Microsoft Entra resources. Access is granted by creating a role assignment, and access is revoked by removing a role assignment.
A role assignment consists of three elements: security principal, role definition, and scope. Security principal refers to an identity that gets the permissions, which can be a user, group, or service principal. Role definition is a collection of permissions, and scope is a way to constrain where those permissions are applicable.
Here are the different types of role assignments:
- Assign roles to users directly
- Create role-assignable groups and assign roles to these groups
- Use Microsoft Entra Privileged Identity Management (PIM) to provide just-in-time access to roles
Microsoft Entra ID supports two types of role definitions: built-in roles and custom roles. Built-in roles are out-of-the-box roles that have a fixed set of permissions and cannot be modified. Custom roles, on the other hand, allow you to create a collection of permissions that you add from a preset list.
A role definition lists the operations that can be performed on Microsoft Entra resources, such as create, read, update, and delete. There are many built-in roles that Microsoft Entra ID supports, and the list is growing.
Here's an example of a role assignment:
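The following is an added worked example, not code from the original article or from Microsoft: a small Python model of how a role assignment is evaluated. It models the three elements named above (security principal, role definition, scope), the Actions/NotActions lists of a role definition with `*` wildcards, and the inheritance of an assignment made at a parent scope by every child scope. Reader and Contributor are written to follow the pattern of the built-in roles; the VM Operator role, the subscription id and the principal ids are constructed placeholders.

```python
"""Simplified model of Azure RBAC role-assignment evaluation.

Added example, not Microsoft's implementation: it models the three elements
of a role assignment (security principal, role definition, scope) and the
way an assignment made at a parent scope is inherited by child scopes.
Subscription and object ids below are constructed placeholders.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple            # operations the role permits; '*' is a wildcard
    not_actions: tuple = ()   # operations subtracted from actions


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str         # object id of a user, group or service principal
    role: RoleDefinition
    scope: str                # management group, subscription, resource group or resource


def operation_matches(pattern: str, operation: str) -> bool:
    """Case-insensitive match where '*' stands for any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_permits(role: RoleDefinition, operation: str) -> bool:
    """Effective permissions are Actions minus NotActions."""
    allowed = any(operation_matches(a, operation) for a in role.actions)
    excluded = any(operation_matches(n, operation) for n in role.not_actions)
    return allowed and not excluded


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and at every scope nested beneath it."""
    parent = assignment_scope.rstrip("/").lower()
    child = target_scope.rstrip("/").lower()
    return child == parent or child.startswith(parent + "/")


def is_allowed(assignments, principal_id: str, operation: str, scope: str) -> bool:
    """Access is the union of every assignment for the principal that covers the scope."""
    return any(
        ra.principal_id == principal_id
        and scope_covers(ra.scope, scope)
        and role_permits(ra.role, operation)
        for ra in assignments
    )


# Reader and Contributor follow the pattern of the built-in roles (Contributor's
# NotActions keep it from changing role assignments); VM_OPERATOR is a constructed custom role.
READER = RoleDefinition("Reader", actions=("*/read",))
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    actions=("*",),
    not_actions=(
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ),
)
VM_OPERATOR = RoleDefinition(
    "VM Operator (custom)",
    actions=(
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/restart/action",
    ),
)

# Constructed scopes: a subscription, two resource groups in it, one VM in rg-prod
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm01"
OTHER_RG = SUB + "/resourceGroups/rg-dev"

SAMPLE_ASSIGNMENTS = (
    RoleAssignment("alice", CONTRIBUTOR, SUB),   # inherited by every RG and resource below
    RoleAssignment("bob", READER, RG),           # read-only, only within rg-prod
    RoleAssignment("ci-sp", VM_OPERATOR, VM),    # service principal limited to one VM
)

if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/write", VM),
        ("alice", "Microsoft.Authorization/roleAssignments/write", RG),
        ("bob", "Microsoft.Compute/virtualMachines/read", VM),
        ("bob", "Microsoft.Compute/virtualMachines/read", OTHER_RG),
        ("ci-sp", "Microsoft.Compute/virtualMachines/restart/action", VM),
        ("ci-sp", "Microsoft.Compute/virtualMachines/restart/action", RG),
    ]
    for principal, op, scope in checks:
        print(f"{principal:6} {op:52} -> {is_allowed(SAMPLE_ASSIGNMENTS, principal, op, scope)}")
```

Two points worth noticing when running it: Contributor at subscription scope reaches every resource group and VM beneath it, yet cannot write role assignments because of its NotActions, and the service principal's custom role assigned at a single VM does nothing one level up at the resource group, which is the least-privilege effect of choosing the narrowest scope.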
Policies and Governance
Conditional Access policies can help organizations address common access concerns by requiring multifactor authentication for users with administrative roles, blocking sign-ins for users attempting to use legacy authentication protocols, and more.
Administrators can create policies from scratch or start from a template policy in the portal or using the Microsoft Graph API.
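As an added illustration (not code from the original article or from Microsoft), the two policies named above, MFA for administrative roles and a block on legacy authentication, written as Python dictionaries that follow the shape of the Microsoft Graph conditionalAccessPolicy resource, together with a small evaluator run against constructed sign-ins. The evaluation rule used here (a matching "block" policy wins, otherwise the grant controls of every matching policy are combined) is a simplification of the service, and the role template id and emergency access account id are placeholders.

```python
"""Evaluate Conditional Access policies against sample sign-ins.

Added example, not Microsoft's code or real tenant policies. The policy
dicts follow the shape of the Graph conditionalAccessPolicy resource
(displayName, state, conditions, grantControls); the evaluation rule is a
simplification: a matching "block" wins, otherwise grant controls combine.
Ids are constructed placeholders.
"""

ADMIN_ROLE_TEMPLATE = "<admin-role-template-id>"        # placeholder directory role id
BREAK_GLASS_ACCOUNT = "<emergency-access-account-id>"   # placeholder user id

POLICIES = [
    {
        "displayName": "Require MFA for users with administrative roles",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": [],
                "includeRoles": [ADMIN_ROLE_TEMPLATE],
                "excludeUsers": [BREAK_GLASS_ACCOUNT],   # emergency access account stays reachable
            },
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication protocols",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "includeRoles": [], "excludeUsers": [BREAK_GLASS_ACCOUNT]},
            # client types that cannot perform modern authentication
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def user_in_scope(users: dict, signin: dict) -> bool:
    """Excluded users never match; otherwise match on 'All', an explicit id, or a held role."""
    if signin["user_id"] in users.get("excludeUsers", []):
        return False
    include_users = users.get("includeUsers", [])
    if "All" in include_users or signin["user_id"] in include_users:
        return True
    return bool(set(users.get("includeRoles", [])) & set(signin["roles"]))


def client_in_scope(client_app_types: list, signin: dict) -> bool:
    return "all" in client_app_types or signin["client_app_type"] in client_app_types


def evaluate(policies: list, signin: dict) -> tuple:
    """Return ("block", set()) or ("grant", controls the user must satisfy)."""
    required = set()
    for policy in policies:
        if policy["state"] != "enabled":
            continue
        cond = policy["conditions"]
        if not (user_in_scope(cond["users"], signin) and client_in_scope(cond["clientAppTypes"], signin)):
            continue
        controls = set(policy["grantControls"]["builtInControls"])
        if "block" in controls:
            return "block", set()
        required |= controls
    return "grant", required


# Constructed sign-ins
SIGNINS = {
    "admin_browser": {"user_id": "admin-1", "roles": [ADMIN_ROLE_TEMPLATE], "client_app_type": "browser"},
    "user_browser": {"user_id": "user-1", "roles": [], "client_app_type": "browser"},
    "user_legacy": {"user_id": "user-1", "roles": [], "client_app_type": "other"},
    "admin_legacy": {"user_id": "admin-1", "roles": [ADMIN_ROLE_TEMPLATE], "client_app_type": "exchangeActiveSync"},
    "break_glass": {"user_id": BREAK_GLASS_ACCOUNT, "roles": [ADMIN_ROLE_TEMPLATE], "client_app_type": "browser"},
}

if __name__ == "__main__":
    for name, signin in SIGNINS.items():
        print(name, evaluate(POLICIES, signin))
```

The excludeUsers entry is the part to keep an eye on: an emergency access account is excluded so that a misconfigured policy cannot lock every administrator out, which is exactly why the example builds the policy piece by piece and checks each sign-in case before enabling it.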
To monitor and control access to Azure resources and Entra ID services, organizations can use Identity Governance, which includes access reviews and Privileged Identity Management (PIM).
Access reviews can be performed for Azure resources and Entra ID roles, and can help ensure compliance, reduce risks, and improve security.
Delegate Condition
If you've selected one of the privileged roles, you can follow a specific set of steps to delegate a condition. These roles include Owner, Role Based Access Control Administrator, and User Access Administrator.
To delegate a condition, start by selecting the Allow user to only assign selected roles to selected principals (fewer privileges) option on the Conditions tab under What user can do.
Clicking Select roles and principals will open a new window where you can add a condition that constrains the roles and principals this user can assign roles to.
You can then follow the steps in Delegate Azure role assignment management to others with conditions to complete the process.
The privileged roles that can delegate a condition are listed below:
- Owner
- Role Based Access Control Administrator
- User Access Administrator
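To show what the "fewer privileges" condition changes, here is an added Python model (not code from the original article or from Microsoft) of a delegate who holds one of the privileged roles above with a condition that limits which roles they may assign and to which principals. The combination of a principal-id list and a principal-type list in one condition, and all ids and role names in the sample, are constructed simplifications of the portal's options.

```python
"""Model of a delegated role-assignment condition.

Added example, not Microsoft's code. It models the "allow user to only
assign selected roles to selected principals" condition: a delegate who
holds a privileged role may create a role assignment only when both the
role being assigned and the target principal fall inside the condition
attached to the delegate's own assignment. Ids are placeholders.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class DelegationCondition:
    allowed_roles: frozenset                            # roles the delegate may hand out
    allowed_principal_ids: frozenset = frozenset()      # specific principals
    allowed_principal_types: frozenset = frozenset()    # "User", "Group", "ServicePrincipal"

    def principal_ok(self, principal_id: str, principal_type: str) -> bool:
        # When neither list is configured only the role constraint applies
        if not self.allowed_principal_ids and not self.allowed_principal_types:
            return True
        return (principal_id in self.allowed_principal_ids
                or principal_type in self.allowed_principal_types)


@dataclass(frozen=True)
class AssignmentRequest:
    role: str
    principal_id: str
    principal_type: str


@dataclass(frozen=True)
class Delegate:
    principal_id: str
    privileged_role: str                                # one of PRIVILEGED_ROLES
    condition: Optional[DelegationCondition] = None     # None means unconstrained


PRIVILEGED_ROLES = {"Owner", "Role Based Access Control Administrator", "User Access Administrator"}


def may_assign(delegate: Delegate, request: AssignmentRequest) -> Tuple[bool, str]:
    """Decide whether the delegate may create the requested role assignment."""
    if delegate.privileged_role not in PRIVILEGED_ROLES:
        return False, "delegate holds no role that can write role assignments"
    if delegate.condition is None:
        return True, "no condition: delegate may assign any role to any principal"
    cond = delegate.condition
    if request.role not in cond.allowed_roles:
        return False, f"role {request.role!r} is outside the delegated set"
    if not cond.principal_ok(request.principal_id, request.principal_type):
        return False, f"principal {request.principal_id!r} is outside the delegated set"
    return True, "within delegated roles and principals"


# Constructed sample: a help-desk delegate who may assign only Reader or
# Contributor, and only to users or to one named group
HELPDESK = Delegate(
    "helpdesk-1",
    "Role Based Access Control Administrator",
    DelegationCondition(
        allowed_roles=frozenset({"Reader", "Contributor"}),
        allowed_principal_ids=frozenset({"grp-app-team"}),
        allowed_principal_types=frozenset({"User"}),
    ),
)
UNCONSTRAINED_OWNER = Delegate("admin-1", "Owner")

if __name__ == "__main__":
    for req in (AssignmentRequest("Reader", "user-42", "User"),
                AssignmentRequest("Owner", "user-42", "User"),
                AssignmentRequest("Reader", "sp-build", "ServicePrincipal")):
        print(req, may_assign(HELPDESK, req))
```

The second request in the sample is the reason the condition exists: without it, a delegate holding Role Based Access Control Administrator could assign Owner to anyone, including themselves; with it, the request is refused before the assignment is written.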
Identity Governance
Identity Governance is a crucial aspect of managing access to your Azure resources and Entra ID services. It's like having a set of tools to monitor and control who has access to what, ensuring that sensitive data is protected.
Access reviews are a key feature of Identity Governance, allowing you to periodically review and verify the access rights of users and groups. This can help you ensure compliance, reduce risks, and improve security.
You can create access reviews for specific resources or roles, such as a resource group containing sensitive data or a custom Entra ID role granting access to a specific service. For example, you can require the owners and members of a resource group to confirm their need for access every 90 days.
Privileged Identity Management (PIM) is another important feature of Identity Governance. It allows you to manage the activation and deactivation of privileged roles for users and groups, reducing the exposure of these roles and enforcing just-in-time access.
With PIM, you can require users who have a privileged role assigned to request activation before they can use it, and set an expiration time for the activation. You can also require approval from another user before a user can activate a privileged role.
Here are some examples of using Identity Governance with PIM:
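The following is an added worked example, not code from the original article or from Microsoft. It is a Python model of the PIM settings just described (activation on request, a maximum activation duration, approval by a different user before the activation takes effect) together with the 90-day access review from above, in which a reviewer's approve or deny decision, or the absence of one, decides whether an assignment survives. Role settings, scope and ids are constructed placeholders.

```python
"""Model of PIM just-in-time activation and a periodic access review.

Added example, not Microsoft's code. It models a privileged role that must
be activated before use, an upper bound on the activation duration,
approval by a different user, and an access review that removes any
assignment the reviewer did not confirm. Ids are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RoleSettings:
    max_duration: timedelta      # activations are clamped to this
    approval_required: bool      # someone other than the requester must approve


@dataclass
class Activation:
    principal_id: str
    role: str
    scope: str
    expires_at: datetime
    approved: bool


class Pim:
    def __init__(self, settings):
        self.settings = settings                 # role name -> RoleSettings
        self.eligible = set()                    # (principal_id, role, scope)
        self.activations = []

    def make_eligible(self, principal_id, role, scope):
        self.eligible.add((principal_id, role, scope))

    def request_activation(self, principal_id, role, scope, duration, now):
        """Eligible principals get a time-boxed activation; approval may still be pending."""
        if (principal_id, role, scope) not in self.eligible:
            raise PermissionError(f"{principal_id} is not eligible for {role} at {scope}")
        cfg = self.settings[role]
        duration = min(duration, cfg.max_duration)
        activation = Activation(principal_id, role, scope, now + duration,
                                approved=not cfg.approval_required)
        self.activations.append(activation)
        return activation

    def approve(self, activation, approver_id):
        if approver_id == activation.principal_id:
            raise PermissionError("a requester cannot approve their own activation")
        activation.approved = True

    def is_active(self, principal_id, role, scope, now):
        """Only approved, unexpired activations confer the role."""
        return any(a.principal_id == principal_id and a.role == role and a.scope == scope
                   and a.approved and now < a.expires_at
                   for a in self.activations)


def run_access_review(assignments, decisions, remove_unreviewed=True):
    """Keep approved assignments; drop denied ones and, by default, unreviewed ones."""
    kept = []
    for assignment in assignments:
        decision = decisions.get(assignment)
        if decision == "approve" or (decision is None and not remove_unreviewed):
            kept.append(assignment)
    return kept


# Constructed settings: Owner needs approval and lasts at most 8 hours
SETTINGS = {
    "Owner": RoleSettings(max_duration=timedelta(hours=8), approval_required=True),
    "Reader": RoleSettings(max_duration=timedelta(hours=1), approval_required=False),
}
RG = "/subscriptions/<sub-id>/resourceGroups/rg-prod"   # placeholder scope


def demo():
    """Walk through one activation and one review; returns the observations."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    pim = Pim(SETTINGS)
    pim.make_eligible("alice", "Owner", RG)
    act = pim.request_activation("alice", "Owner", RG, timedelta(hours=24), now)
    before = pim.is_active("alice", "Owner", RG, now)
    try:
        pim.approve(act, "alice")
        self_approval_rejected = False
    except PermissionError:
        self_approval_rejected = True
    pim.approve(act, "bob")
    after = pim.is_active("alice", "Owner", RG, now)
    expired = pim.is_active("alice", "Owner", RG, now + timedelta(hours=9))
    kept = run_access_review(
        [("alice", "Reader", RG), ("bob", "Reader", RG), ("carol", "Reader", RG)],
        {("alice", "Reader", RG): "approve", ("bob", "Reader", RG): "deny"})
    return {"hours_granted": (act.expires_at - now) / timedelta(hours=1),
            "before_approval": before, "self_approval_rejected": self_approval_rejected,
            "after_approval": after, "after_expiry": expired, "kept_after_review": kept}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Carol's assignment disappears in the review even though nobody denied it; that is the "remove access when reviewers don't respond" behaviour, and it is the setting that turns a review from a report into an actual reduction of standing access.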
Frequently Asked Questions
What is the difference between RBAC and Entra ID?
RBAC and Entra ID are two different access management systems: RBAC controls access to Azure resources, while Entra ID focuses on managing identity objects within the Entra ID tenant.
Is Entra the new name for Azure?
No, Microsoft Entra ID is the new name for Azure Active Directory, not for Azure itself. Learn more about the name change and its impact on Azure services.
What is access control IAM in Azure?
Access control IAM in Azure is a page that manages roles and access to Azure resources, also known as identity and access management. It's a crucial tool for granting and controlling access to Azure resources.