Managing directory roles

There are two different sets of roles in Azure – one reflects permissions defined by different services, while the other is designed to operate on the Azure AD directory and lets you decide who can perform a specific management task (such as accessing audit logs or registering an application).

In this section, you will learn how to use that functionality and assign different users to different directory roles.

To get started, you will have to access your Azure AD tenant in the Azure portal. To do so, search for Azure Active Directory in the search box located at the top of the portal:

Figure 4.28 – Searching for the Azure Active Directory blade

Now, you will have to find the Roles and administrators blade:

Figure 4.29 – Roles and administrators blade

On the next screen, you should be able to see all the available roles and your current role. From here, you will be able to check who has a particular role assigned and its description.

When browsing the available roles, you will see that there are plenty of them available to you (including some that, initially, may not be self-explanatory). In fact, they cover Azure and other services (such as Office 365 or Power BI) as well:

Figure 4.30 – Available directory roles

A role that has a little ribbon next to its name is a recently introduced or updated role that you may want to check out in order to understand it better.

Note that these particular roles reflect your Azure AD directory – you cannot use them for better control over your provisioned resources, but you can use them for easy assignment of permissions when it comes to performing tasks such as application registrations, auditing, or user management. To check what permissions are assigned to the role, click on it and go to the Description blade:

Figure 4.31 – The description of the Global administrator role

When we know what a specific role grants to a user, we can learn how to assign it to a directory entity.

Remember that assigning a directory role to a specific user often means that the user has been granted extended permissions. Always take into consideration the possible damage that can be done via this particular set of functionalities and ensure that the user’s credentials cannot be stolen.

Let’s assume that we want to assign a user to a role named Application developer so that they can register applications even if a global administrator turns off that possibility globally. To do so, we need to go to the specific role and click on the + Add member button:

Figure 4.32 – The + Add member button

Now, you only need to search for a specific user and click on the Select button to finish the setup process:

Figure 4.33 – Selecting a member

Once a user has been added, you should be able to see them on the list of members of this particular role. Once this role is assigned to the user, you will be able to see it when you access the user’s Directory role blade.
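
The same assignment can be scripted and then verified. The following is an added example, not code from the original text; it assumes the Microsoft.Graph PowerShell module is installed, and the user principal name is a constructed placeholder:

```powershell
# Added example, not from the original text. Requires the Microsoft.Graph PowerShell module.
$userUpn  = 'dev.user@contoso.example'   # constructed placeholder; use a real UPN from your tenant
$roleName = 'Application Developer'      # built-in role shown in the portal as "Application developer"

# Sign in with permissions to read directory objects and to write directory role assignments.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Directory.Read.All'

# Resolve the role definition and the user to their object IDs.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Directory role '$roleName' was not found." }
$user = Get-MgUser -UserId $userUpn -ErrorAction Stop

# Check whether the user already holds the role, so that re-running the script is harmless.
$existing = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -All |
    Where-Object { $_.RoleDefinitionId -eq $role.Id }

if ($existing) {
    Write-Output "$userUpn already holds '$roleName'."
}
else {
    # DirectoryScopeId '/' scopes the assignment to the whole directory (tenant).
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId '/' | Out-Null
    Write-Output "Assigned '$roleName' to $userUpn."
}

# Verify: list everyone who now holds the role, like the members list in the portal.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" -All |
    ForEach-Object {
        $member = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
        [pscustomobject]@{
            PrincipalId = $_.PrincipalId
            DisplayName = $member.AdditionalProperties['displayName']
            Scope       = $_.DirectoryScopeId
        }
    }
```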

Directory roles are one of the most useful features when you want to quickly set up proper roles within your Azure tenant. Thanks to them, you can easily assign different users to different sets of permissions and allow them to perform proper management tasks.

The important thing here is to always make sure that you have implemented proper security policies when it comes to passwords and user credentials. If you assign an important role (such as the global administrator role) to a person who then loses their account, you may lose access to the whole directory.

Depending on the characteristics of your company, you may or may not need custom roles in your directory. For many scenarios, the extensive list of available roles in Azure is everything an administrator needs, but you still may face a situation where it is not enough. Whatever your case, remember that directory roles cover a different set of permissions than resource roles and do not affect the effective permissions a user has when accessing a resource. The next section will help you understand the actual behavior of users by helping you learn how to monitor their actions.
