Identity and Access Management (IAM) Flashcards

1
Q

Azure Role-Based Access Control (RBAC)

A

Azure Role-Based Access Control (RBAC)

Azure RBAC is a cloud-based access management system provided by Microsoft Azure. Its purpose is to regulate and control access to Azure resources.

Implementation:

Security Principal: Who/what is being assigned access?
- Supports: Users, Security Groups, Apps, and Managed Identities.

Role Definition: What are the permissions?
- The permissions being granted, as defined by built-in or custom roles.
- Owner, Contributor, Reader, and Data

Scope: Where will the permissions apply?
- Management Group, Subscription, Resource Group, or Resource.

2
Q

Entra ID Roles

A

Access control for the Entra ID tenant itself, rather than for Azure resources: an identity within the tenant managing and working with the objects that live in the tenant.

Implementation:

Security Principal: Who/what is being assigned access?
- Supports: Users, Security Groups (requires P1 license), and Apps

Role Definition: The permissions being granted, as defined by built-in or custom roles.
- Custom Entra ID roles require Premium P1 licenses.
- Role-assignable groups require premium licensing.

Scope: Tenant (Directory), Administrative Units, or app.

3
Q

Azure RBAC Custom Roles

A

There may be scenarios where the predefined roles do not meet your specific requirements, and this is where Custom Roles come into play. A Custom Role is configured by creating it with a Role Definition.

Role Definition:
- Metadata: Name, description, ID, etc.

- Permissions: For management/data operations
  – Actions: Allowed control plane actions (not data operations); you do not have to deny the rest
  – NotActions: Control plane actions subtracted from Actions (a subtraction, not a deny)
  – DataActions: Allowed data plane actions
  – NotDataActions: Data plane actions subtracted from DataActions

- Scope: Defines where the role can be used (AssignableScopes)
  – Root: “/*”, available to all scopes. Only usable by built-in roles
  – Management Groups: “/providers/Microsoft.Management/managementGroups/ID” (for custom roles)
  – Subscriptions: “/subscriptions/ID” (one or more) (for custom roles)
  – Resource Groups: “/subscriptions/ID/resourcegroups/name” (one or more) (for custom roles)

Considerations:

- Custom Roles are available without any special licensing requirements.
- Azure RBAC is not Azure Policy. RBAC is for permissions; Policy is for standards.
- To configure Custom Roles you require Owner or User Access Administrator permissions.

4
Q

Entra ID Custom Roles

A

There are scenarios where we might need to provide specific permissions that aren’t covered by built-in roles.

- Permission names always start with “microsoft.directory/”.

Considerations:
- Entra ID Custom Roles require Entra ID Premium P1 licensing at least.
- Using PowerShell or the MS Graph API provides more control over the role definition.
- To create a custom role you must have “Global Admin” or “Privileged Role Admin” permissions.
