In this Project, Hagital Consulting Ltd has decided to streamline its identity management process by utilizing Microsoft Azure Active Directory (Microsoft Entra ID) to manage its cloud-based identities. As part of this initiative, they want to create a group called the Administrative department and add two new staff members and appoint one as Head of Admin. Additionally, they want to assign a Global Administrator role to the head of the Administrative department to add new users to the Company.
Before going into the creation of users and assigning role, let me explain the differences between Azure AD Roles and Azure Roles.
AZURE ACTIVE DIRECTORY (ENTRA ID) ROLES AND AZURE ROLES (RBAC)
Microsoft Entra ID (formerly known as Microsoft Azure Active Directory or Azure AD) is a cloud-based identity and access management (IAM) solution. It is a directory and identity management service that operates in the cloud and offers authentication and authorization services to various Microsoft services such as Microsoft 365, Dynamics 365, and Microsoft Azure. Entra ID provides users with single sign-on experience, regardless of whether their applications are cloud-based or on-premises. Entra ID offers many authentication methods, including password-based, multi-factor, smart card, and certificate-based authentication. It also includes several security features, such as Conditional Access policies, risk-based authentication, and identity protection. On July 11, 2023, Microsoft announced the renaming of Azure AD to Microsoft Entra ID to improve consistency with other Microsoft cloud products. The name change took place on July 15, 2023.
When Azure was initially released, access to resources was managed with just three administrator roles: Account Administrator, Service Administrator, and Co-Administrator. Later, Azure role-based access control (Azure RBAC) was added. Azure RBAC is a newer authorization system that provides fine-grained access management to Azure resources. Azure RBAC includes many built-in roles, can be assigned at different scopes, and allows you to create your own custom roles. To manage resources in Microsoft Entra ID, such as users, groups, and domains, there are several Microsoft Entra roles.
Azure AD (ENTRA ID) Roles
Azure AD roles now Microsoft Entra roles are used to manage Microsoft Entra resources in a directory such as create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and manage domains. Examples of Azure AD roles include Global Administrator, User Administrator, Application Administrator, and many others.The Azure AD roles include;
Global administrator: The highest level of access, including the ability to grant administrator access to other users and to reset other administrator’s passwords.
User administrator: Can create and manage users and groups, and can reset passwords for users, Helpdesk administrators and User administrators.
Helpdesk administrator: Can change the password for users who don’t have an administrator role and they can invalidate refresh tokens, which forces users to sign back in again.
Billing Administrator: Can make purchases and manage subscriptions.
Azure AD roles are primarily focused on managing access to Azure AD itself and its associated resources.
Azure Roles
Access Management for cloud resources is a critical function for any organization that is using the cloud. Azure role-based access control (Azure RBAC) helps you to manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.. They are used to control what users, groups, or applications can do within specific Azure resources such as virtual machines, storage accounts, databases, etc. Azure roles are applied at the subscription, resource group, or resource level. Examples of Azure roles include Owner, Contributor, Reader, and Custom roles that you can define based on specific resource access requirements.The fundamental Azure roles are;
Owner: Full rights to change the resource and to change the access control to grant permissions to other users.
Contributor: Full rights to change the resource, but not able to change the access control.
Reader: Read-only access to the resource
User Access Administrator: No access to the resource except the ability to change the access control.
Difference Between Azure Roles and Microsoft Entra ID Roles
The primary difference between Azure roles and Microsoft Entra ID roles lies in the resources they manage.
Azure roles primarily govern access to resources deployed inside the cloud, including virtual networks, machines, and resource groups, with role assignments possible at various scopes and are applied at the subscription, resource group, or resource level
On the other hand, Microsoft Entra ID roles operate on identity objects at the tenant level and impact users’ abilities within that specific tenant. Although Microsoft Entra ID roles are typically set at a tenant level, you can make scope adjustments using administrative units. These are used as logical containers that give you more refined control over access permissions.
Now, let us create create a group called the Administrative department and add two new staff members and appoint one as Head of Admin. Additionally, I will assign a global administrator role to the Head of Admin to add new users.
Sign in to Microsoft Azure
Sign in to Azure Portal: To create a group, users and assign roles on Microsoft Entra ID, you will go to the Azure portal (https://portal.azure.com) and sign in with your Azure account (Assuming you already have an account and a subscription, if not you have to create one). After signing in, your screen will display as shown below. You will then click on Microsft Entra ID or search for it in the search bar if not already displayed.
Create a New Group: Click on the Add dropdown to add a group and select Add a new group.
Group type: Select Security as group type.
Group Name: Enter the group name as Administrative Department. You may fill the group description, then “Create”. Then, the Administrative Department Group has been created. Next is to create users.
After creating the group, I will create new user accounts for two newly employed staff who will be assigned groupand roles.
Create new users: Click on the Add dropdown to add a User and select “Create new user”.
Then, fill in the column for User principal name, Mail nickname, Display name, and password. The Mail nickname and password could be auto filledand generated if the ‘tick” column is selected.
Then click “Next: Properties”
Fill the identity and job information of the new user. As we can see I have given the user Head of Department. Then click “Next: Assignment”
Here, I will assign a group to the new user by clicking “Add group”
Then, list of groups already created will appear. Here, I have only the Administrative Department earlier created. Then, Select the “Administrative Department”, and click “Select”
We can see here, that the first user created has been assigned a group.
Next, I will assign the user a role
The role directory will drop down to select appropriate role. Since the Head of Admin is to be assigned the role of Global Administrator, I will scroll until I see the Global Adminstrator. However, if the desired role is not listed, you can add roles by creating “custom role”. This requires premium subscription.
Select the “Global Administrator” then click select
And, click “Create”
Now, we have our first user by name Abimbola, who was assigned a group called “Administrative department” and assigned the “Global Administrator” role.
Next is to create our second user who is also a new staff member. Our second user is Ayoola. We will follow the same step we used in creating the first user to create the second user by filling in the Identity and job information.
Also, add the second staff to the Administrative Department group.
Then, assign role. Here I assigned the second user the role of Service Support Administrator.
Now I have created user accounts for the two newly employed staff, where the fisrt staff has a Global Administrator role, and therefore have access to add new user.
To confirm that the account was successfully created, I will use the first newly created staff member user's account with Global Administrator role to sign into Azure Portal and also add a new user.
First User signing into Azure using the account name and password generated during the account creation as seen below:
New users are prompted to change their password to a preferred choice.
Then click Next to sign in.
Now, the new Head of Department by name “Abimbola”, who is also the Global Adminstrator has successfully sign in to Azure.
The Head of Department, can now access and add new user to the Administrative Department and also assigning a role to the new staff member following the same steps earlier shown.
The name of the new user being created and added to the Adminstrative Department group by the Head of Department is “Chukwuka”
The new staff being added to the Admistrative Department group is being assigned “Security Reader” role.
Back to my account, I can see that a new staff member by name Chukwuka (Chuks) has been added to the company.
To access who added the new user and any other activities. I opened my Audit Logs, where I could see that a new user Chuwuka@ayohassan71gmail.omnicrosoft.com was added by Abimbola@ayohassan71gmail.omnicrosoft.com. Also, I could see that Abimbola@ayohassan71gmail.omnicrosoft.com changed password. Detailed information of these activities could further be explored when clicked.
Top comments (0)