News

Azure Roles Based Access Control Service Now Available

• By Kurt Mackie
• 10/13/2015

Microsoft this week has made its Roles Based Access Control (RBAC) Azure service generally available.

The service lets organizations set up access privileges to Azure resources based on the use of Microsoft's Azure Active Directory service. The overall idea is to permit groups within organizations to set up and manage their own storage accounts and virtual machines. At the same time, traditional IT controls aren't necessarily relinquished. To that end, the service comes with predefined built-in roles. However, Microsoft plans to provide a means for organizations to create their own custom roles "in the next few months," according to an Azure library article description.

The basic role privileges include "owner," "contributor" and "reader." Owners have full access to resources. Contributors have management privileges, but they can't grant others access to the resource. Readers can just view the Azure resources.

Microsoft's best-practices advice to organizations is to bestow the least privilege. They should prefer the "contributor role over the owner role," for instance. The service comes with some model configurations in the form of built-in roles, which further narrow access. Examples of built-in roles include "automation operator" or "SQL database contributor."

The RBAC service was at the preview stage for about one year before commercial release. It's been the No. 1 request of Microsoft's customers wanting to tap Azure, according to Alex Simons, director of program management at the Microsoft Identity Division.

Even though the RBAC service is commercially available today, organizations must use the Azure "management portal preview" to get access to some its finer grained controls. The current "classic management portal" (as Microsoft calls it) doesn't support those controls, according to the Azure library article. The article adds that there are a few restrictions on controlling "blobs or tables within the Storage Account" as well as "SQL tables within the DB" (database).

Additionally, carrying out some operations, such as designating access management for subnets, requires using the Azure command-line tool and PowerShell.

Organizations that currently use Active Directory on premises should connect it with Azure Active Directory when enabling group access, according to Microsoft. The idea is that access to Azure resources will automatically get changed when Active Directory accounts are modified. Deleting a user from Active Directory eliminates that person's access to Azure resources.

In addition to the RBAC service, Microsoft has a more specific Azure Active Directory Privileged Identity Management service that was introduced as a preview back in August. The Privileged Identity Management service is specifically designed for IT organizations, allowing access restrictions to be set for specific IT personnel.