A common point of confusion when learning about Azure and Azure AD is roles and permissions.
- Azure has over 200 services
- Azure AD is one of these services
- To administer Azure AD, we must hold an Azure AD role
- Other services like storage, VMs, etc. have their own roles
- Resource roles (not just Azure AD roles) must be assigned to allow access to resources
Before we begin, it’s important that we clarify the difference between Azure and Azure AD.
I currently live in Dubai – UAE. And the UAE government offers a myriad of online services for residents to facilitate things like paying utility bills, vehicle registration renewals, ID and visa renewals and so on.
Let us give this collection of government services a nickname, like Azure.
Of course, we still need to log in to these services. Luckily, we don’t have to create a separate account for each one: another service, called UAE PASS, lets us create a single user account that we can use to log in to the other services and do things like pay bills and renew documents.
Let’s give this UAE PASS a nickname as well, like Azure AD.
So, in essence, what we just nicknamed Azure is a collection of services. UAE PASS (nicknamed Azure AD) is one of these services, and it lets us create a user that can log in to some of the other government services.
So, what is Microsoft Azure?
Microsoft Azure (or Azure for short) is Microsoft’s cloud platform, with over 200 products and services, much like the UAE government’s collection of online services.
Some of the most widely known services are virtual machines and blob storage. Here is what it looks like when exploring Azure services.
You can think of Azure Active Directory as one of the 200 services that Azure provides (like the UAE PASS). What this service provides is an identity solution: it lets us create identities (such as usernames) that permit us to log in and use other resources and services, again just like the UAE PASS.
This is important to keep in mind for later.
Azure AD roles
We still need to administer this identity solution, though. For example, when someone creates a UAE PASS user, does that user get a low-privileged role, or an admin role that lets them view other users’ information? Can they reset other users’ passwords too, as a Helpdesk employee usually would?
This is what Azure AD roles define. For example, a user who can reset other users’ passwords would hold the Helpdesk Administrator role (which, note, can only reset the passwords of non-administrators; resetting an administrator’s password needs a higher role).
What about Azure services then? Let’s take an example.
Say you want to use the storage service to save some files online and share them with a few colleagues. From Azure Services you can setup your storage account.
But you’d also like to allow access to a few colleagues and keep that access restricted to your organization, which means your colleagues should be able to authenticate with a valid username and password, and then be authorized to use the storage service.
First step, create a user account. Let’s call ours Some User with email [email protected]
This user can now log in to the Azure portal but, as you can see, has no access to storage accounts. If we search for the storage service and click the link, we are redirected back to the welcome page.
I’m Global admin. Where’s the resource?!
Global Administrator is the most powerful Azure AD role: it can manage every aspect of Azure AD, and many people assume it therefore manages all Azure services as well.
So maybe if we assign a Global Admin role then the user will be able to see the storage accounts?
We log in as our user.role account and try to view the created resources, but it looks like we still can’t see any.
This is because our user has a Global Admin role, an Azure AD role. It is NOT an Azure resource role (RBAC).
In other words, the user has full access to the Azure AD service, one of the 200 Azure services, but still has no access to the Azure Storage service.
OK, that’s not 100% technically correct, but for now let’s pretend it is. See the last section for more details.
Going back to our analogy, this is like a user who has full access to the UAE PASS service but cannot access the utility payment or vehicle registration services.
Azure resource roles (RBAC)
To give our user access, we must grant them the appropriate permissions on the desired resource. Using Azure resource roles (RBAC), we are going to give the user full access to one of the storage accounts.
Notice that we have two storage accounts.
But we want to give the user access to only one. To do that, we assign the Storage Account Contributor role to our user at the scope of that single storage account. This is a resource role (RBAC), not an Azure AD role. One caveat worth knowing: Storage Account Contributor is a management-plane role. It lets the user manage the account and list its access keys, but it does not by itself grant data-plane RBAC on the blobs; for that, a data role such as Storage Blob Data Contributor is needed (or the user can simply use the listed keys).
Now if we go back to our user, we can see that the user has access to one of the storage accounts but that’s it.
The user cannot, for example, see the VMs in the subscription, even though a few are running.
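The same walkthrough, as an added example that is not part of the original post, done with the Az PowerShell module instead of the portal. It assumes a hypothetical tenant (contoso.onmicrosoft.com), user (some.user@contoso.onmicrosoft.com), resource group (rg-demo) and storage account (stdemoshared); the subscription ID is left as a placeholder. Step 1 is the check that matters: a user can hold the Global Administrator Azure AD role and still have zero Azure RBAC assignments.

```powershell
# Added example, not the original post's code. Assumes the Az module and the
# hypothetical names below; replace them with your own tenant, user and resources.
$Tenant = 'contoso.onmicrosoft.com'
$SubId  = '<subscription-guid>'              # placeholder
$Upn    = 'some.user@contoso.onmicrosoft.com'
$Rg     = 'rg-demo'
$SaName = 'stdemoshared'                     # the ONE account we will share

# 1. As the subscription Owner: list the user's Azure RBAC assignments.
#    Whatever Azure AD role they hold (even Global Administrator), this is empty
#    until a resource role is assigned, so they see no resources in the portal.
Connect-AzAccount -Tenant $Tenant
Set-AzContext -Subscription $SubId
Get-AzRoleAssignment -SignInName $Upn | Format-Table RoleDefinitionName, Scope

# 2. Grant Storage Account Contributor scoped to the single storage account.
#    The scope is the account's resource ID, not the resource group or subscription,
#    so nothing else in the subscription becomes visible.
$sa = Get-AzStorageAccount -ResourceGroupName $Rg -Name $SaName
New-AzRoleAssignment -SignInName $Upn `
                     -RoleDefinitionName 'Storage Account Contributor' `
                     -Scope $sa.Id

# 3. Verify the assignment and its scope (expect exactly one row, Scope = $sa.Id).
Get-AzRoleAssignment -SignInName $Upn | Format-Table RoleDefinitionName, Scope

# 4. As the user: sign in and confirm that only the granted account is visible
#    and that the subscription's VMs are not.
Connect-AzAccount -Tenant $Tenant       # authenticate as $Upn this time
Set-AzContext -Subscription $SubId
Get-AzStorageAccount | Select-Object StorageAccountName   # only stdemoshared
Get-AzVM                                                  # returns nothing
```

If step 1 already returns rows, the user inherited an assignment from the subscription or a management group; check the Scope column before assuming the storage-account grant is the only path to that resource.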
A question for you
You might be wondering: the Global Admin is the all-powerful admin, so surely they must be able to see all resources?
There is a way to “self-elevate” access to achieve this from the Azure AD properties page (the “Access management for Azure resources” toggle). Switching it on grants the Global Admin the User Access Administrator role at the root scope “/”, which every management group and subscription in the tenant inherits, and the action is logged. Try to find out more about this on your own.
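The elevation described above, as an added example that is not part of the original post, driven from Az PowerShell rather than the portal toggle, together with the two things a practitioner should pair with it: removing the root-scope assignment afterwards and auditing who elevated. It assumes the Az module, the same hypothetical tenant and user as before, and that the elevation is run by the Global Administrator themselves (the REST call elevates the caller).

```powershell
# Added example, not the original post's code. Run as the Global Administrator.
# Assumes the Az module and the hypothetical tenant/user below.
$Tenant = 'contoso.onmicrosoft.com'
$Upn    = 'some.user@contoso.onmicrosoft.com'
Connect-AzAccount -Tenant $Tenant

# 1. Elevate. This is the same operation the "Access management for Azure
#    resources" toggle performs: the caller receives User Access Administrator
#    at root scope "/", inherited by every management group and subscription.
Invoke-AzRestMethod -Method POST `
    -Path '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'

# 2. Verify: the new assignment sits at scope "/", above any subscription.
Get-AzRoleAssignment -Scope '/' |
    Where-Object { $_.RoleDefinitionName -eq 'User Access Administrator' -and $_.Scope -eq '/' } |
    Format-Table SignInName, RoleDefinitionName, Scope

# 3. With User Access Administrator everywhere, the Global Admin can now grant
#    themselves (or anyone) any RBAC role on any subscription, e.g.:
#    New-AzRoleAssignment -SignInName $Upn -RoleDefinitionName 'Owner' -Scope "/subscriptions/<guid>"

# 4. Remove the root-scope assignment once the break-glass task is done;
#    leaving it in place makes every Global Admin a tenant-wide resource admin.
Remove-AzRoleAssignment -SignInName $Upn `
                        -RoleDefinitionName 'User Access Administrator' `
                        -Scope '/'

# 5. Audit: elevateAccess is written to the tenant-level Directory Activity log,
#    exposed by the Insights management-events API at root scope. The backtick
#    keeps PowerShell from expanding "$filter" as a variable.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$path  = "/providers/Microsoft.Insights/eventtypes/management/values?api-version=2015-04-01" +
         "&`$filter=eventTimestamp ge '$since'"
$resp  = Invoke-AzRestMethod -Method GET -Path $path
($resp.Content | ConvertFrom-Json).value |
    Where-Object { $_.operationName.value -eq 'Microsoft.Authorization/elevateAccess/action' } |
    Select-Object eventTimestamp, caller, @{ n = 'status'; e = { $_.status.value } }
```

Step 5 is the query to schedule or wire into your SIEM: any row whose caller is not an expected break-glass identity is worth an alert, since elevation is the one step that turns an identity-only admin into an admin over every Azure resource in the tenant.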
References (I’m avoiding calling these resources too)
Thanks to @reprise_99 for sharing this post by @samilamppu: https://samilamppu.com/2020/06/18/monitor-elevated-global-admin-account-usage/