Optimizing Role Assignments in Azure
We have 10 people in our department that have all sorts of administrator roles in Azure, such as Groups Administrator, Exchange Administrator, etc. It has never been clear exactly what groups our admins need to be a part of in order to access different things, as there is much overlap between roles.
Is there any sort of log or report that shows, for example, “Admin A was able to access resource B because Role Assignment C allowed them through”? I feel like we kind of added a bunch of role assignments to admins until we had enough for them to do their jobs, but it was a trial-and-error approach. We would like to see if there is a way we can cut down their roles to only what they need, and nothing more.
I would also like to do the following. Let us say that Role R has permissions a-e and role S has permissions a-g, but the admin assigned to those roles only needs permissions a-e and not f-g. Without having to go through group by group and look at each role’s permissions individually, would there be a way to determine that someone only needs to be in R and not S?
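
The R-versus-S comparison described above can be computed rather than checked role by role. The sketch below is an added example, not part of the original post and not a Microsoft tool. It assumes you have already exported each role's permission list and compiled the set of permissions the admin actually needs; the role `T`, the permission sets and the function name `least_privilege_roles` are constructed for illustration.

```python
from itertools import combinations

# Constructed sample data: R, S and permissions a-g follow the question's
# example; role T is added here to show a tighter fit being preferred.
ROLE_PERMISSIONS = {
    "R": set("abcde"),
    "S": set("abcdefg"),
    "T": set("ab"),
}


def least_privilege_roles(role_permissions, assigned, needed):
    """Pick the subset of `assigned` roles that covers `needed` with the
    fewest unneeded permissions, breaking ties by the fewest roles."""
    needed = set(needed)
    assigned = sorted(assigned)
    granted = set().union(*(role_permissions[r] for r in assigned))
    missing = needed - granted
    if missing:
        # The stated need is not met even by the current assignments, so the
        # need list (or the exported role definitions) is incomplete.
        raise ValueError(f"assigned roles do not grant: {sorted(missing)}")

    best = None
    # Exhaustive search is fine here: one admin rarely holds more than a
    # dozen or so roles, which is only a few thousand subsets.
    for size in range(len(assigned) + 1):
        for combo in combinations(assigned, size):
            perms = set().union(*(role_permissions[r] for r in combo))
            if not needed <= perms:
                continue
            score = (len(perms - needed), size)
            if best is None or score < best[0]:
                best = (score, combo, perms - needed)

    _, keep, excess = best
    return {
        "keep": list(keep),
        "remove": [r for r in assigned if r not in keep],
        "excess": sorted(excess),  # permissions still granted but not needed
    }


if __name__ == "__main__":
    # The question's case: the admin holds R and S but only needs a-e.
    print(least_privilege_roles(ROLE_PERMISSIONS, ["R", "S"], "abcde"))
```

A non-empty `excess` in the result means no combination of the currently assigned roles fits the need exactly, and the listed permissions are what remains over-granted.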