Question

  • #4209983

    Optimizing Role Assignments in Azure

    by JesusIsLORD588 ·

    We have 10 people in our department that have all sorts of administrator roles in Azure, such as Groups Administrator, Exchange Administrator, etc. It has never been clear exactly what groups our admins need to be a part of in order to access different things, as there is much overlap between roles.

    Is there any sort of log or report that shows, for example, “Admin A was able to access resource B because Role Assignment C allowed them though”? I feel like we kind of added a bunch of role assignments to admin until we had enough for them to do their jobs, but it was a trial-and-error approach. We would like to see if there is a way to where we can cut down their roles to only what they need, and nothing more.

    I would also like to do the following. Let us say that Role R has permissions a-e and role S has permissions a-g, but the admin assigned to those roles only needs permissions a-e and not f-g. Without having to go through group by group and look at each role’s permissions individually, would there be a way to determine that someone only needs to be in R and not S?

All Answers

    • #4210011

      Never seen.

      by rproffitt ·

      In reply to Optimizing Role Assignments in Azure

      While it would be nice to see, what you are asking would be questions for your Azure admin. If they don’t know, send them to more training as well as hand them the company CC to call Microsoft Support.

    • #4228305

      Optimizing Role Assignments in Azure

      by cassharper030 ·

      In reply to Optimizing Role Assignments in Azure

      It sounds like you’re dealing with over-provisioned admin roles in Azure. This is a common challenge! There isn’t a single log showing specific user-to-resource access through roles, but there are ways to optimize.

      Firstly, leverage Azure Active Directory (AAD) reporting tools. These can help identify which groups your admins belong to and their assigned roles.
      Secondly, consider Azure Monitor for logging activity. While it won’t pinpoint exact role-based access, it can show admin actions on resources.

      Key takeaway: Focus on the principle of least privilege. We can help you review admin roles and permissions, ensuring each user has only the access they need. This simplifies management and enhances security.
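The two questions in the opening post (which assigned roles are fully covered by another role, and whether someone only needs R rather than S) and the suggestion in the reply above to use activity logging can be answered mechanically once role definitions and admin activity are available as data. The following Python script is an added example, not code from either poster or from Microsoft: the role definitions and audit records are constructed toy values (real ones would be exported from the tenant, for instance from the Microsoft Graph role management endpoints), and the "permissions" are single letters exactly as in the original question. It reports roles that are subsets of another assigned role, the permissions an admin holds but never used, and the smallest combination of roles that still covers what was actually used.

```python
"""Review an admin's role assignments against observed activity.

Added example for this thread. ROLE_DEFINITIONS and AUDIT_LOG are
constructed sample data, not real Entra ID / Azure exports.
"""
from itertools import combinations

# Constructed role catalogue: role name -> set of permissions it grants.
# Mirrors the question: R grants a-e, S grants a-g; T is an unrelated role.
ROLE_DEFINITIONS = {
    "R": {"a", "b", "c", "d", "e"},
    "S": {"a", "b", "c", "d", "e", "f", "g"},
    "T": {"h", "i"},
}

# Constructed audit records: which permission each admin actually exercised.
AUDIT_LOG = [
    {"user": "adminA", "action": "a"},
    {"user": "adminA", "action": "b"},
    {"user": "adminA", "action": "c"},
    {"user": "adminA", "action": "e"},
    {"user": "adminA", "action": "h"},
    {"user": "adminB", "action": "g"},
]


def observed_actions(log, user):
    """Permissions a user was seen using in the audit log."""
    return {rec["action"] for rec in log if rec["user"] == user}


def redundant_assignments(assigned, defs):
    """Assigned roles whose permissions are entirely contained in another
    assigned role. Returns (role, covering_role) pairs; two identical roles
    will each report the other."""
    redundant = []
    for role in assigned:
        for other in assigned:
            if other != role and defs[role] <= defs[other]:
                redundant.append((role, other))
                break
    return redundant


def minimal_cover(needed, defs, max_roles=3):
    """Smallest set of roles whose union covers `needed`. Among covers of
    the same size, prefer the one granting the fewest extra permissions.
    Exhaustive search, so max_roles keeps it bounded on large catalogues."""
    for k in range(1, max_roles + 1):
        best = None
        for combo in combinations(sorted(defs), k):
            granted = set().union(*(defs[r] for r in combo))
            if needed <= granted:
                excess = granted - needed
                if best is None or len(excess) < len(best[1]):
                    best = (combo, excess)
        if best is not None:
            return best
    return None  # nothing in the catalogue covers the needed set


def review(user, assigned, defs=ROLE_DEFINITIONS, log=AUDIT_LOG):
    """Summarise what the admin uses, what is unused, which assignments are
    redundant, and a least-privilege set of roles covering observed use."""
    used = observed_actions(log, user)
    granted = set().union(*(defs[r] for r in assigned))
    cover = minimal_cover(used, defs)
    return {
        "used": used,
        "unused_permissions": granted - used,
        "redundant": redundant_assignments(assigned, defs),
        "recommended": cover[0] if cover else None,
        "excess_after_change": cover[1] if cover else None,
    }


if __name__ == "__main__":
    # adminA holds R, S and T but only ever used a, b, c, e and h.
    print(review("adminA", ["R", "S", "T"]))
```

For adminA the script flags R as redundant next to S, yet recommends R plus T rather than S plus T, because that combination covers everything observed while granting fewer unused permissions. One caveat worth keeping in mind before acting on the output: an audit window only shows what an admin happened to do during that window, so rarely exercised but legitimate operations will appear as "unused" and should be confirmed with the admin before the role is removed.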

    • #4228385

      I Resolved This Using Just in Time Access

      by JesusIsLORD588 ·

      In reply to Optimizing Role Assignments in Azure

      So, while I did not find a report that told me which roles were being actively used to allow access to each item, I did find that you can set up users to be “Eligible” for a certain privileged role, and then you can give them just-in-time access for a short period of time upon request. This allows them to have temporary access to certain privileged roles without having them permanently assigned, thus resolving the security concerns. Here is a link to an article about Just In Time Access for Microsoft Intune, for example: https://techcommunity.microsoft.com/t5/intune-customer-success/configuring-microsoft-intune-just-in-time-admin-access-with/ba-p/3843972

      • #4228387

        Reply To: Optimizing Role Assignments in Azure

        by JesusIsLORD588 ·

        In reply to I Resolved This Using Just in Time Access

        I had completely forgotten about this thread LOL. Thanks for getting back to me! I was able to get this resolved using Just In Time access.
