Azure Active Directory Role-Based Controls Expanded
Microsoft outlined some increased flexibility IT pros will have when it comes to Azure Active Directory's role-based access.
The added flexibility is for the Azure AD Identity Protection service, which was released as a preview in March, and for the Azure AD Privileged Identity Management service, which was first released as a preview in May of 2015 but updated three months later. Azure AD Identity Protection uses Microsoft machine learning technology to check for potentially compromised user accounts. Azure AD Privileged Identity Management, on the other hand, is a tool for global administrators to set access permissions among IT staff and also check for improper security configurations.
Both tools are getting three new roles via an Azure AD service update. The new roles are "Privileged Role Administrator," "Security Administrator" and "Security Reader," according to Microsoft's announcement this week.
These new roles can be used to better address organizational needs, especially when there's a requirement to provide viewing access to security reports but the IT department doesn't want to create more "highly-privileged global administrators" to do so, according to Alex Simons, director of program management for the Microsoft Identity Division, in Microsoft's announcement.
For instance, IT pros previously needed to be a global administrator to have access to the Azure AD Identity Protection service, but "these new roles eliminate that requirement," Simons explained. Being a global administrator is still a requirement, though, to have control over the Azure AD Privileged Identity Management service, he added.
Here's how the new roles work for Azure AD Identity Protection, per Microsoft's announcement:
- A Security Reader can "view reports and settings," but can't take actions
- A Security Administrator can "view reports and manage settings," but can't reset user passwords
For those using Azure AD Privileged Identity Management, here's how the new roles work:
- A Privileged Role Administrator can "manage settings and role assignments" and view the audit history
- A Security Administrator or Security Reader can "view settings, role assignments," and the audit history
The new roles can be assigned using the Azure AD Privileged Identity Management service. The roles can be set for a specified time period or the assignments can be made permanent. Alternatively, PowerShell scripts can be used to check role status and assign users, as illustrated in Microsoft's announcement.
These new roles will be coming to other Microsoft products, too, according to Simons. They will "soon light up in other features and applications," he promised.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.