Azure AD includes several built-in roles that can be assigned to users, groups, service principals, and managed identities. These roles are broadly categorized into three types:
Some of the most commonly used built-in Azure AD roles include:
To assign a role to a user or group, you need to have either the Privileged Role Administrator or the Global Administrator role. The process of assigning roles in Azure AD consists of the following steps:
Imagine you want to assign the Security Administrator role to a user named Mia Wallace in your organization. Follow these steps:
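The same assignment carried out from Microsoft Graph PowerShell, as an added example that is not part of the original page. It assumes the Microsoft.Graph modules are installed, that the signed-in account holds Privileged Role Administrator or Global Administrator, and that the display name "Mia Wallace" is unique in the tenant.

```powershell
# Added example: assign the Security Administrator role to Mia Wallace.
# Assumed: Microsoft.Graph modules installed; caller is a Privileged Role
# Administrator or Global Administrator; the display name is unique.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$roleName = "Security Administrator"
$userName = "Mia Wallace"

# Resolve the role definition by display name rather than hard-coding its id.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role definition '$roleName' not found." }

# Resolve the user and refuse to continue if the name is ambiguous.
$user = @(Get-MgUser -Filter "displayName eq '$userName'" -Property Id,UserPrincipalName,DisplayName)
if ($user.Count -ne 1) { throw "Expected exactly one user named '$userName', found $($user.Count)." }
$user = $user[0]

# Make the script idempotent: do nothing if the assignment already exists.
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'"
if ($existing) {
    Write-Host "$($user.UserPrincipalName) already holds $roleName."
} else {
    # DirectoryScopeId "/" is the tenant-wide scope, matching a portal assignment.
    $assignment = New-MgRoleManagementDirectoryRoleAssignment `
        -PrincipalId $user.Id `
        -RoleDefinitionId $role.Id `
        -DirectoryScopeId "/"
    Write-Host "Assigned $roleName to $($user.UserPrincipalName) (assignment id $($assignment.Id))."
}
```

The assignment is permanent (active); the PIM section below covers time-bound eligibility, which is the preferable form for privileged roles.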
Effectively managing Azure AD role assignments is vital for maintaining a secure and efficient environment. Understanding the built-in roles and the process of assigning them to users or groups is fundamental for any Azure administrator. By following best practices, organizations can ensure that they minimize the risks associated with permissions while enabling their workforce to accomplish necessary tasks.
The Global Administrator role has access to all administrative features in Azure AD, including the ability to assign Azure AD roles, and is the only role that can assign other administrative roles.
Answer: B) Privileged Role Administrator
The Privileged Role Administrator can manage role assignments in Azure AD, manage access reviews, manage all aspects of Privileged Identity Management (PIM), and more.
The Security Administrator role in Azure AD is focused on security settings and can manage security policies, alerts, and recommendations, but cannot assign roles or manage licenses.
Answer: B) Application Administrator
The Application Administrator role is designed to allow users to manage app registrations and enterprise applications without granting broad administrative permissions.
The User Administrator role allows the user to manage users and groups, including password resets, but does not include broader administrative privileges over Azure AD or Office 365 services.
Answers: A) Reset passwords for non-administrators, D) Read user information and sign-in activity
A Helpdesk Administrator can reset passwords for non-admins and read basic directory information, but cannot manage user licenses or Azure AD PIM.
The Billing Administrator role enables users to perform tasks related to billing, such as making purchases, managing subscriptions, handling support tickets, and monitoring service health.
Answer: B) Security Reader
The Security Reader role allows a user to view security policies, logs, and reports but does not allow the user to change security settings or manage user identities.
The Exchange Administrator role in Azure AD is specifically targeted at managing Exchange Online features, including mailboxes and security policies for spam and malware protection.
Answer: B) Global Reader
The Global Reader role provides the ability to view all administrative settings and configurations across Azure AD and Azure services but does not allow any changes.
Azure AD Privileged Identity Management (PIM) is a service that allows organizations to manage, control, and monitor privileged access to Azure resources.
You can add a role to a user in PIM by navigating to the PIM portal, selecting the role you want to add the user to, and then selecting the user from the list of eligible users.
The steps to add a role to a user in PIM are:
1. Navigate to the PIM portal.
2. Select the role you want to add the user to.
3. Select the user from the list of eligible users.
4. Choose the assignment type and duration.
5. Review and confirm the request.
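The portal steps above, performed with Microsoft Graph PowerShell as an added example that is not from the original page. It creates an eligible (not active) assignment with an expiry, so the user must activate the role when needed and the need is re-reviewed when it lapses; the role name, user principal name, duration and justification are placeholders.

```powershell
# Added example: make a user eligible for a role through PIM.
# Assumed: Microsoft.Graph modules installed; the UPN, duration and
# justification below are placeholders to be replaced.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory", "User.Read.All"

$roleName = "Security Administrator"
$userUpn  = "mia.wallace@contoso.example"   # placeholder UPN

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
$user = Get-MgUser -UserId $userUpn
if (-not $role -or -not $user) { throw "Role or user not found." }

# Assignment type: eligible. Duration: 180 days, after which eligibility
# expires unless renewed, forcing a periodic review of whether it is still needed.
$request = @{
    action           = "adminAssign"
    justification    = "Security operations on-call duty; approved by IAM team"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                      # tenant-wide scope
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{
            type     = "afterDuration"
            duration = "P180D"                  # ISO 8601 duration
        }
    }
}

$result = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request
Write-Host "Eligibility request $($result.Id) status: $($result.Status)"

# Confirm the eligibility is now recorded for the user.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'" |
    Select-Object Id, Status, MemberType
```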
You can view the assignments for a role in Azure AD by navigating to the Azure AD portal, selecting the role you want to view assignments for, and then selecting the “Assigned” tab.
The steps to view the assignments for a role in Azure AD are:
1. Navigate to the Azure AD portal.
2. Select the role you want to view assignments for.
3. Select the “Assigned” tab.
A group in Azure AD is a collection of users, devices, or other groups that can be used to assign permissions to resources.
You can view the assignments for a group in Azure AD by navigating to the Azure AD portal, selecting the group you want to view assignments for, and then selecting the “Members” tab.
The steps to view the assignments for a group in Azure AD are:
1. Navigate to the Azure AD portal.
2. Select the group you want to view assignments for.
3. Select the “Members” tab.
An eligible role is a role that a user is eligible to request access to in PIM, while an active role is a role that a user is currently assigned to.
The benefits of using PIM include increased security, improved compliance, and better control over privileged access to Azure resources.
A built-in role is a pre-defined role that provides a set of permissions for a specific task, while a custom role is a role that you can define and customize to meet the specific needs of your organization.
You can create a custom role in Azure AD by using the Azure portal, PowerShell, or the Azure AD Graph API.
You can assign a role to a group in Azure AD by using the Azure portal or PowerShell.
The best practices for managing Azure AD roles include using role-based access control (RBAC), limiting the number of people who have access to privileged roles, and regularly reviewing and removing unnecessary role assignments.
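A review script for the last of those practices, added here as an example and not taken from the original page. It lists who holds a set of highly privileged roles, flags roles with an unusually large number of holders, and shows how a stale assignment is removed once the review decides it is unnecessary. It assumes the Microsoft.Graph modules are installed and the reviewer has directory read permissions (write permission only for the removal step); the review list and the threshold of five are assumed values.

```powershell
# Added example: enumerate and review privileged Azure AD role assignments.
# Assumed: Microsoft.Graph modules installed; review list and threshold are
# illustrative choices, not page-mandated values.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

$reviewRoles = @("Global Administrator", "Privileged Role Administrator",
                 "Security Administrator", "User Administrator")

$report = foreach ($roleName in $reviewRoles) {
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }

    # Expand the principal so the report shows a name and type, not only an object id.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty Principal -All
    foreach ($a in $assignments) {
        [pscustomobject]@{
            Role          = $roleName
            Principal     = $a.Principal.AdditionalProperties['displayName']
            PrincipalType = $a.Principal.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
            Scope         = $a.DirectoryScopeId       # "/" means tenant-wide
            AssignmentId  = $a.Id
        }
    }
}

$report | Sort-Object Role, Principal | Format-Table -AutoSize

# Flag roles with many permanent holders; a large Global Administrator
# population is a common audit finding and a candidate for PIM eligibility instead.
$report | Group-Object Role | Where-Object Count -gt 5 |
    ForEach-Object { Write-Warning "$($_.Name) has $($_.Count) assignments; review for least privilege." }

# After the review, remove an assignment by its id (uncomment and supply the id;
# -WhatIf previews the change and needs RoleManagement.ReadWrite.Directory to apply).
# Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId "<assignment id>" -WhatIf
```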