Azure Basic Chapter 1: Azure Active Directory

Table of Contents

  1. Purpose of document
  2. Pre-requisites
  3. Azure AD
  4. Azure AD Versions
  5. Azure Roles/ Permissions
  6. Azure Active Directory (Roles)
    6.1. Azure AD Snapshot
    6.2. Azure AD Roles list
  7. Access Control (IAM) Roles/ RBAC
    7.1. Access Control Snapshot
    7.2. Access Control Roles list (RBAC list)
  8. Subscription
  9. Azure AD and Subscription relationship
  10. End of Document

Azure Active Directory / Tenant

1. Introduction

The purpose of this document is to explain the very first component in Azure, i.e. Azure Active Directory (Azure AD). An Azure AD instance is also called a directory or a tenant.

2. Pre-requisites

An email address is required to create an Azure AD tenant.

3. Azure AD

Azure portal: https://portal.azure.com

Azure Active Directory (AAD) / Tenant

Azure AD is an identity and access management service. A few of the capabilities it provides are listed here.

  • Users and groups: add, delete and modify users and groups, and manage them.
  • Invite users from other organizations: invite users from outside the organization via email (they become guest users in the tenant).
  • Roles and administrators: Azure AD roles.
  • Enterprise application management: add enterprise applications and manage them. There are more than 3000 applications available in the Azure AD application gallery.
  • Device management: see the devices that are registered, check device compliance, etc.
  • Azure AD Connect and federation, custom domain names, license management.
  • And many more features.

4. Azure AD Versions

The following editions of Azure AD are available. You can compare them at https://azure.microsoft.com/en-in/pricing/details/active-directory/ and choose according to your requirements.

  1. Free
  2. Office 365 apps
  3. Premium P1
  4. Premium P2
  5. Azure AD B2C

5. Azure Roles/ Permissions

In Azure, permissions can be granted at two different levels:

  1. Azure Active Directory (roles), which govern the directory itself
  2. Access Control (IAM) at the object (resource) level, also called RBAC (role-based access control)

6. Azure Active Directory (Roles)

There are around 50 Azure AD roles. A common misconception is that holding the Global Administrator role means you can do anything in Azure. That is wrong: Azure AD roles govern the directory, not Azure resources. Until you are granted an RBAC role on the subscription, resource group or resource, you cannot see a single object in that subscription. The one bridge between the two levels is the "Access management for Azure resources" switch under Azure AD > Properties: a Global Administrator who turns it on is granted the User Access Administrator role at the root scope "/", which covers every subscription in the tenant. Treat that switch as a privileged action and review any assignment at root scope. Subscriptions and resource groups are covered later in this chapter.

6.1. Azure AD Snapshot

6.2. Azure AD Roles list

Role | Description | Type
Application administrator | Can create and manage all aspects of app registrations and enterprise apps. | Built-in
Application developer | Can create application registrations independent of the 'Users can register applications' setting. | Built-in
Authentication administrator | Has access to view, set, and reset authentication method information for any non-admin user. | Built-in
Azure DevOps administrator | Can manage Azure DevOps organization policy and settings. | Built-in
Azure Information Protection administrator | Can manage all aspects of the Azure Information Protection product. | Built-in
B2C IEF Keyset administrator | Can manage secrets for federation and encryption in the Identity Experience Framework. | Built-in
B2C IEF Policy administrator | Can create and manage trust framework policies in the Identity Experience Framework. | Built-in
B2C user flow administrator | Can create and manage all aspects of user flows. | Built-in
B2C user flow attribute administrator | Can create and manage the attribute schema available to all user flows. | Built-in
Billing administrator | Can perform common billing related tasks like updating payment information. | Built-in
Cloud application administrator | Can create and manage all aspects of app registrations and enterprise apps except App Proxy. | Built-in
Cloud device administrator | Full access to manage devices in Azure AD. | Built-in
Compliance administrator | Can read and manage compliance configuration and reports in Azure AD and Office 365. | Built-in
Compliance data administrator | Can create and manage compliance content. | Built-in
Conditional Access administrator | Can manage conditional access capabilities. | Built-in
Customer LockBox access approver | Can approve Microsoft support requests to access customer organizational data. | Built-in
Desktop Analytics administrator | Can access and manage Desktop management tools and services. | Built-in
Directory readers | Can read basic directory information. Commonly used to grant directory read access to applications and guests. | Built-in
Dynamics 365 administrator | Can manage all aspects of the Dynamics 365 product. | Built-in
Exchange administrator | Can manage all aspects of the Exchange product. | Built-in
External Identity Provider administrator | Can configure identity providers for use in direct federation. | Built-in
Global administrator | Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. | Built-in
Global reader | Can read everything that a global administrator can, but not update anything. | Built-in
Groups administrator | Can manage all aspects of groups and group settings like naming and expiration policies. | Built-in
Guest inviter | Can invite guest users independent of the 'members can invite guests' setting. | Built-in
Helpdesk administrator | Can reset passwords for non-administrators and Helpdesk administrators. | Built-in
Intune administrator | Can manage all aspects of the Intune product. | Built-in
Kaizala administrator | Can manage settings for Microsoft Kaizala. | Built-in
License administrator | Ability to assign, remove and update license assignments. | Built-in
Message center privacy reader | Can read Message Center posts, data privacy messages, groups, domains and subscriptions. | Built-in
Message center reader | Can read messages and updates for their organization in Office 365 Message Center only. | Built-in
Office apps administrator | Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish "what's new" feature content to end-user's devices. | Built-in
Password administrator | Can reset passwords for non-administrators and Password administrators. | Built-in
Power BI administrator | Can manage all aspects of the Power BI product. | Built-in
Power platform administrator | Can create and manage all aspects of Microsoft Dynamics 365, PowerApps, and Microsoft Flows. | Built-in
Privileged authentication administrator | Allowed to view, set and reset authentication method information for any user (admin or non-admin). | Built-in
Privileged role administrator | Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management. | Built-in
Reports reader | Can read sign-in and audit reports. | Built-in
Search administrator | Can create and manage all aspects of Microsoft Search settings. | Built-in
Search editor | Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan. | Built-in
Security administrator | Can read security information and reports, and manage configuration in Azure AD and Office 365. | Built-in
Security operator | Can create and manage security events. | Built-in
Security reader | Can read security information and reports in Azure AD and Office 365. | Built-in
Service administrator | Can read service health information and manage support tickets. | Built-in
SharePoint administrator | Can manage all aspects of the SharePoint service. | Built-in
Skype for Business administrator | Can manage all aspects of the Skype for Business product. | Built-in
Teams Communications Administrator | Can manage calling and meetings features within the Microsoft Teams service. | Built-in
Teams Communications Support Engineer | Can troubleshoot communications issues within Teams using advanced tools. | Built-in
Teams Communications Support Specialist | Can troubleshoot communications issues within Teams using basic tools. | Built-in
Teams Service Administrator | Can manage the Microsoft Teams service. | Built-in
User administrator | Can manage all aspects of users and groups, including resetting passwords for limited admins. | Built-in

7. Access Control (IAM) Roles/ RBAC

There are around 150 built-in roles for Access Control (IAM) at the object level, also called role-based access control (RBAC); Azure adds to and updates these built-in roles from time to time. A role is assigned at a scope, and the scope can be any Azure object: a subscription, a resource group, a virtual machine, a storage account, a virtual network and so on. An assignment is inherited by everything beneath its scope, so Owner on a subscription is Owner on every resource group and resource inside it, while Reader on one resource group grants nothing on the subscription above it. These objects are explained later in this chapter.
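The following script is an added example, not code from the original article, and it ties together sections 5 to 7: Azure AD roles and RBAC are separate, RBAC assignments are inherited down the ARM scope tree, and a Global Administrator with no RBAC assignment sees no resources. It runs offline on two constructed JSON samples whose field names follow what `az role assignment list --all -o json` and a Microsoft Graph `GET /directoryRoles/{id}/members` call return; every principal name, subscription ID and resource ID in it is made up for illustration, and in practice you would load the real command output in `load_samples()`.

```python
"""Reconcile Azure AD directory roles with Azure RBAC assignments.

Added example, not code from the original article. The samples below are
constructed: their shape follows `az role assignment list --all -o json`
(principalName, principalType, roleDefinitionName, scope) and the Graph
directory-role members response (userPrincipalName); the names and IDs
are made up.
"""
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"   # made-up subscription
RG = SUB + "/resourceGroups/NSIT-RG01"                        # resource group scope
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm01"  # made-up VM resource ID

# Constructed sample of RBAC assignments.
ROLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": RG},
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Virtual Machine Contributor", "scope": VM},
    {"principalName": "ci-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "User Access Administrator", "scope": "/"},
])

# Constructed sample of Global Administrator directory-role members.
GLOBAL_ADMINS_JSON = json.dumps([
    {"userPrincipalName": "alice@contoso.example"},
    {"userPrincipalName": "dave@contoso.example"},
])

# RBAC roles that grant full control or the right to hand out permissions.
PRIVILEGED_RBAC = {"Owner", "Contributor", "User Access Administrator"}


def load_samples():
    """Parse the embedded samples (replace with real az / Graph output)."""
    return json.loads(ROLE_ASSIGNMENTS_JSON), json.loads(GLOBAL_ADMINS_JSON)


def scope_covers(assignment_scope, resource_id):
    """ARM scopes form a tree and assignments are inherited downwards: the
    root scope "/" covers everything, otherwise the resource ID must equal
    the assignment scope or lie beneath it (path-segment match, so a sibling
    with a longer name is not matched). ARM IDs are case-insensitive."""
    a, r = assignment_scope.lower(), resource_id.lower()
    return a == "/" or r == a or r.startswith(a + "/")


def effective_roles(assignments, principal, resource_id):
    """RBAC roles `principal` holds on `resource_id` after inheritance."""
    return {a["roleDefinitionName"] for a in assignments
            if a["principalName"].lower() == principal.lower()
            and scope_covers(a["scope"], resource_id)}


def global_admins_without_rbac(assignments, global_admins):
    """Global Administrators with no RBAC assignment anywhere: they run the
    directory but cannot see any Azure resource until someone assigns them a
    role (or they use the elevate-access switch, which appears here as a
    User Access Administrator assignment at scope "/")."""
    with_rbac = {a["principalName"].lower() for a in assignments}
    return sorted(g["userPrincipalName"] for g in global_admins
                  if g["userPrincipalName"].lower() not in with_rbac)


def is_broad_scope(scope):
    """True for root, management-group or subscription scope, i.e. anything
    not narrowed to a resource group or a single resource."""
    parts = scope.strip("/").split("/")
    return (scope == "/"
            or scope.lower().startswith("/providers/microsoft.management/")
            or (parts[0].lower() == "subscriptions" and len(parts) == 2))


def broad_privileged_assignments(assignments):
    """Privileged roles at broad scope: the least-privilege review list."""
    return [(a["principalName"], a["roleDefinitionName"], a["scope"])
            for a in assignments
            if a["roleDefinitionName"] in PRIVILEGED_RBAC
            and is_broad_scope(a["scope"])]


if __name__ == "__main__":
    assignments, global_admins = load_samples()
    print("Global Admins with no RBAC at all:",
          global_admins_without_rbac(assignments, global_admins))
    print("alice on vm01 (inherited from subscription):",
          effective_roles(assignments, "alice@contoso.example", VM))
    print("bob on the subscription (nothing flows upward):",
          effective_roles(assignments, "bob@contoso.example", SUB))
    for who, role, scope in broad_privileged_assignments(assignments):
        print(f"REVIEW: {who} holds {role} at scope {scope}")
```

Run it as-is to see dave listed as a Global Administrator with no resource access, alice's subscription-level Owner flowing down to the VM, and the service principal's root-scope User Access Administrator flagged for review; to use it against a tenant, replace the two JSON constants with the real command output.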

7.1. Access Control Snapshot

Snapshot of Access Control (IAM) / RBAC on an object (e.g. NSIT-RG01, which is a Resource Group object)

7.2. Access Control Roles list (RBAC list)

Name Type
Owner BuiltInRole
Contributor BuiltInRole
Reader BuiltInRole
AcrDelete BuiltInRole
AcrImageSigner BuiltInRole
AcrPull BuiltInRole
AcrPush BuiltInRole
AcrQuarantineReader BuiltInRole
AcrQuarantineWriter BuiltInRole
API Management Service Contributor BuiltInRole
API Management Service Operator Role BuiltInRole
API Management Service Reader Role BuiltInRole
App Configuration Data Owner BuiltInRole
App Configuration Data Reader BuiltInRole
Application Insights Component Contributor BuiltInRole
Application Insights Snapshot Debugger BuiltInRole
Attestation Contributor BuiltInRole
Attestation Reader BuiltInRole
Automation Job Operator BuiltInRole
Automation Operator BuiltInRole
Automation Runbook Operator BuiltInRole
Avere Contributor BuiltInRole
Avere Operator BuiltInRole
Azure Connected Machine Onboarding BuiltInRole
Azure Connected Machine Resource Administrator BuiltInRole
Azure Event Hubs Data Owner BuiltInRole
Azure Event Hubs Data Receiver BuiltInRole
Azure Event Hubs Data Sender BuiltInRole
Azure Kubernetes Service Cluster Admin Role BuiltInRole
Azure Kubernetes Service Cluster User Role BuiltInRole
Azure Maps Data Reader (Preview) BuiltInRole
Azure Sentinel Contributor BuiltInRole
Azure Sentinel Reader BuiltInRole
Azure Sentinel Responder BuiltInRole
Azure Service Bus Data Owner BuiltInRole
Azure Service Bus Data Receiver BuiltInRole
Azure Service Bus Data Sender BuiltInRole
Azure Stack Registration Owner BuiltInRole
Backup Contributor BuiltInRole
Backup Operator BuiltInRole
Backup Reader BuiltInRole
Billing Reader BuiltInRole
BizTalk Contributor BuiltInRole
Blockchain Member Node Access (Preview) BuiltInRole
Blueprint Contributor BuiltInRole
Blueprint Operator BuiltInRole
CDN Endpoint Contributor BuiltInRole
CDN Endpoint Reader BuiltInRole
CDN Profile Contributor BuiltInRole
CDN Profile Reader BuiltInRole
Classic Network Contributor BuiltInRole
Classic Storage Account Contributor BuiltInRole
Classic Storage Account Key Operator Service Role BuiltInRole
Classic Virtual Machine Contributor BuiltInRole
ClearDB MySQL DB Contributor BuiltInRole
Cognitive Services Contributor BuiltInRole
Cognitive Services Data Reader (Preview) BuiltInRole
Cognitive Services User BuiltInRole
Cosmos DB Account Reader Role BuiltInRole
Cosmos DB Operator BuiltInRole
CosmosBackupOperator BuiltInRole
Cost Management Contributor BuiltInRole
Cost Management Reader BuiltInRole
Data Box Contributor BuiltInRole
Data Box Reader BuiltInRole
Data Factory Contributor BuiltInRole
Data Lake Analytics Developer BuiltInRole
Data Purger BuiltInRole
Desktop Virtualization User BuiltInRole
DevTest Labs User BuiltInRole
DNS Zone Contributor BuiltInRole
DocumentDB Account Contributor BuiltInRole
EventGrid EventSubscription Contributor BuiltInRole
EventGrid EventSubscription Reader BuiltInRole
Experimentation Administrator BuiltInRole
Experimentation Contributor BuiltInRole
Graph Owner BuiltInRole
HDInsight Cluster Operator BuiltInRole
HDInsight Domain Services Contributor BuiltInRole
Hybrid Server Onboarding BuiltInRole
Hybrid Server Resource Administrator BuiltInRole
Intelligent Systems Account Contributor BuiltInRole
Key Vault Contributor BuiltInRole
Knowledge Consumer BuiltInRole
Kubernetes Cluster - Azure Arc Onboarding BuiltInRole
Lab Creator BuiltInRole
Log Analytics Contributor BuiltInRole
Log Analytics Reader BuiltInRole
Logic App Contributor BuiltInRole
Logic App Operator BuiltInRole
Managed Application Operator Role BuiltInRole
Managed Applications Reader BuiltInRole
Managed Identity Contributor BuiltInRole
Managed Identity Operator BuiltInRole
Managed Services Registration assignment Delete Role BuiltInRole
Management Group Contributor BuiltInRole
Management Group Reader BuiltInRole
MLC Service Role BuiltInRole
Monitoring Contributor BuiltInRole
Monitoring Metrics Publisher BuiltInRole
Monitoring Reader BuiltInRole
Network Contributor BuiltInRole
New Relic APM Account Contributor BuiltInRole
Policy Insights Data Writer (Preview) BuiltInRole
Private DNS Zone Contributor BuiltInRole
QnA Maker Editor BuiltInRole
QnA Maker Reader BuiltInRole
Reader and Data Access BuiltInRole
Redis Cache Contributor BuiltInRole
Resource Policy Contributor BuiltInRole
Scheduler Job Collections Contributor BuiltInRole
Search Service Contributor BuiltInRole
Security Admin BuiltInRole
Security Manager (Legacy) BuiltInRole
Security Reader BuiltInRole
SignalR AccessKey Reader BuiltInRole
SignalR Contributor BuiltInRole
Site Recovery Contributor BuiltInRole
Site Recovery Operator BuiltInRole
Site Recovery Reader BuiltInRole
Spatial Anchors Account Contributor BuiltInRole
Spatial Anchors Account Owner BuiltInRole
Spatial Anchors Account Reader BuiltInRole
SQL DB Contributor BuiltInRole
SQL Managed Instance Contributor BuiltInRole
SQL Security Manager BuiltInRole
SQL Server Contributor BuiltInRole
Storage Account Contributor BuiltInRole
Storage Account Key Operator Service Role BuiltInRole
Storage Blob Data Contributor BuiltInRole
Storage Blob Data Owner BuiltInRole
Storage Blob Data Reader BuiltInRole
Storage Blob Delegator BuiltInRole
Storage File Data SMB Share Contributor BuiltInRole
Storage File Data SMB Share Elevated Contributor BuiltInRole
Storage File Data SMB Share Reader BuiltInRole
Storage Queue Data Contributor BuiltInRole
Storage Queue Data Message Processor BuiltInRole
Storage Queue Data Message Sender BuiltInRole
Storage Queue Data Reader BuiltInRole
Support Request Contributor BuiltInRole
Traffic Manager Contributor BuiltInRole
User Access Administrator BuiltInRole
Virtual Machine Administrator Login BuiltInRole
Virtual Machine Contributor BuiltInRole
Virtual Machine User Login BuiltInRole
Web Plan Contributor BuiltInRole
Website Contributor BuiltInRole
Workbook Contributor BuiltInRole
Workbook Reader BuiltInRole

8. Subscription

Now the second component is the subscription.

Top Level Subscription

9. Azure AD and Subscription relationship

One Azure AD tenant can have multiple subscriptions, but each subscription trusts exactly one tenant for authentication of its users and service principals.

Tenant (Azure AD) and subscription relationship

See the post Azure Basic Chapter 2: Create custom Azure Active Directory.

See the post Azure Basic Chapter 3: Azure Subscription.

10. End of Document
