-
📝 Steps (through either PowerShell or Azure CLI)
- Determine the permissions you need
- Add in
ActionsandNotActionsfor data operations useDataActionsandNotDataActions. - You can see all operations through
az provider operation list.
- Add in
- Create the custom role
az role definition create- You need to have
Microsoft.Authorization/roleDefinitions/writepermissions on allAssignableScopessuch as Owner or User Access Administrator
- Determine the permissions you need
-
❗ Limitations
- Azure supports up to 2000 role assignments per subscription.
- When you transfer a subscription to a different tenant, all role assignments are permanently deleted. You must re-create your role assignments in the target tenant.
-
📝 Example:
{ "Name": "Virtual Machine Operator", "Id": "88888888-8888-8888-8888-888888888888", "IsCustom": true, "Description": "Can monitor and restart virtual machines.", "Actions": [ "Microsoft.Storage/*/read", "Microsoft.Network/*/read", "Microsoft.Compute/*/read", "Microsoft.Compute/virtualMachines/start/action", "Microsoft.Compute/virtualMachines/restart/action", "Microsoft.Authorization/*/read", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Insights/alertRules/*", "Microsoft.Insights/diagnosticSettings/*", "Microsoft.Support/*" ], "NotActions": [], "DataActions": [], "NotDataActions": [], "AssignableScopes": [ "/subscriptions/{subscriptionId1}", "/subscriptions/{subscriptionId2}", "/subscriptions/{subscriptionId3}" ] }
- Through a resource
- Modify in Access control (IAM) in any Azure object.
- In Check Access tab you can check access level of individual user, group, service principal or managed identity.
- Add a role assignment
- Access control (IAM) -> Add role assignment
- Select Role e.g. Virtual Machine Contributor.
- In the Select list, select a user, group, service principal, or managed identity.
- For built-in global roles such as Contributor:
- AD -> Users -> Select user -> Directory role -> +Add role
- Assign roles to licenses: Azure Active Directory > Licenses
- Assign roles to devices: Azure Active Directory -> Devices
- When this happens -> then do this
- You also set Users the users performing an access attempt (who).
- Cloud apps: The targets of an access attempt (what).
- Controls (when this happens)
- Grant controls
- Support AND and OR operators.
- Compliant device: Azure AD registered devices, Azure AD joined devices, Hybrid Azure AD joined devices
- Hybrid Azure AD joined devices: Windows desktops, laptops, and enterprise tablets that are joined to an on-premises Active Directory
- Approved client app through Intune app protection policies
- Enforce acceptance of Terms of Use
- Custom controls: Validation through custom APIs.
- Session controls
- Use app enforced restrictions: The device information enables the cloud apps to know whether a connection is initiated from a compliant or domain-joined device.
- Grant controls
- Provide just-in-time privileged access to Azure AD and Azure resources
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multi-factor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit
- Detecting vulnerabilities and risky accounts
- Providing custom recommendations to improve overall security posture by highlighting vulnerabilities
- Calculating sign-in risk levels
- Calculating user risk levels
- Investigating risk events
- Sending notifications for risk events
- Investigating risk events using relevant and contextual information
- Providing basic workflows to track investigations
- Providing easy access to remediation actions such as password reset
- Risk-based conditional access policies
- Policy to mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges
- Policy to block or secure risky user accounts
- Policy to require users to register for multi-factor authentication
- Securing privileged access requires changes to
- Processes, administrative practices, and knowledge management
- Technical components such as host defenses, account protections, and identity management
- Turn on Azure AD Privileged Identity Management that allows you to
- Identify and categorize accounts that are in highly privileged roles
- E.g. Global administrator, Privileged role administrator, Exchange administrator, SharePoint administrator
- Remove any accounts that are no longer needed in those roles.
- Define at least two emergency access accounts
- E.g. if on-prem AD DS goes down.
- Highly privileged and are not assigned to specific individuals.
- Turn on multi-factor authentication and register all other highly-privileged single-user non-federated admin accounts
- Conduct an inventory of services, owners, and admins
- Identify the users who have administrative roles and the services where they can manage.
- Use Azure AD PIM to find out which users in your organization have admin access to Azure AD, including additional roles beyond those listed in Stage 1.
- Ensure that your admin accounts have working email addresses attached to them and have registered for Azure MFA or use MFA on-premises.
- Identify Microsoft accounts in administrative roles that need to be switched to work or school accounts
- Ensure separate user accounts and mail forwarding for global administrator accounts
- Ensure the passwords of administrative accounts have recently changed
- Turn on password hash synchronization
- Require multi-factor authentication (MFA) for users in all privileged roles as well as exposed users
- Configure Identity Protection) (= ML to asses risks)
- Monitor Azure Activity Log
- Establish incident/emergency response plan owners
- Secure on-premises privileged administrative accounts, if not already done
- Additional steps
- Complete an inventory of subscriptions using Enterprise Portal
- Remove Microsoft accounts from admin roles
- Monitor Azure activity with Azure Activity Log and notifications
- If you have built apps on Azure with on-prem access: Configure Conditional Access policies
- Complete an access review of users in administrator roles
- Continue rollout of stronger authentication for all users
- E.g. enforce MFA and Windows Hello for high-level managers
- Use dedicated workstations for administration for Azure AD
- Privileged Access Workstations (PAWs)
- Provides a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors
- Privileged Access Workstations (PAWs)
- Establish integrated monitoring
- The Azure Security Center
- Provides integrated security monitoring and policy management
- Across subscriptions
- Helps detect threats that may otherwise go unnoticed
- Integrates with a broad ecosystem of security solutions.
- The Azure Security Center
- Review NIST standards and recommendations
- Inventory your privileged accounts within hosted Virtual Machines
- Grant only the amount of access to users who need to perform specific jobs
- Integrate information protection
- Microsoft Cloud App Security (MCAS) scans & classifies based on policies using Azure Information Protection classification labels.
- E.g. confidentiality levels
- Microsoft Cloud App Security (MCAS) scans & classifies based on policies using Azure Information Protection classification labels.
- Implement PIM for Azure AD administrator roles
- Use Azure log integrations to send relevant Azure logs
- To e.g. Azure Sentinel or other SIEM systems
- Review admin roles in Azure AD
- Review users who have administration of Azure AD joined devices
- Review members of built-in Microsoft 365 admin roles
- Validate incident response plan
- Additional steps for organizations managing access to Azure