Access to Azure resources is granted to users by assigning the desired role to them at subscription, resource group, or individual resource scope. Access can also be granted to a set of users at once by assigning the role to an Azure AD security group.
Azure AD Premium now allows you to create groups with dynamic membership, populated from a rule over user attributes. It is now possible to create groups like
- all users in a department (department equals ‘Content Management Consulting’)
- all General Managers (jobTitle beginsWith ‘General Manager’)
- all users in Washington state (state equals ‘WA’), and so on
Azure RBAC roles can be granted to Azure AD groups with criteria-based membership, which effectively gives you user-attribute-based access control for Azure management: the role follows the attribute rather than the individual user.
Create a criteria-based membership group in Azure AD
Sign in to the Azure management portal as a global administrator or user account administrator of the directory. Navigate to the directory and create a new group under the ‘Groups’ tab. Open the newly created group, navigate to the ‘Configure’ tab, and enable automatic memberships. Select the attribute on which the group membership should be populated, and provide the attribute value.
As soon as you save the criteria, Azure AD starts populating the membership of the group with users that match the criteria. On an ongoing basis, users are added to and removed from the group as their attributes change and they come within the purview of the criteria or fall out of it. Membership of the group is rebuilt if the criteria change.
Grant access to the criteria-based membership group in Azure
Granting access to a criteria-based group in Azure is no different from granting access to any other security group in Azure AD: assign the desired RBAC role to it at the desired scope.
There you have it. In the example, any user who joins the ‘Engineering Operations’ department automatically becomes a Contributor on the Resource Group, and any user who leaves the department loses that access to the Resource Group in Azure. Keep in mind that the attribute now carries the privilege: anyone who can write a user’s department (a user administrator, or the HR system that feeds the attribute) can indirectly grant Contributor on that Resource Group, so the source of those attributes deserves the same care as the role assignment itself.
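The same two steps (create the criteria-based group, then assign the role at resource-group scope) can be scripted instead of clicked through. The block below is an added example, not code from the original post; it uses the Microsoft Graph PowerShell SDK for the group and the Az module for the role assignment, and the department value, group name, mail nickname and resource-group name are placeholders I chose. The rule strings use the dynamic-membership rule syntax (`user.<attribute> -eq "<value>"`, `-startsWith` for the “begins with” criterion in the list above).

```powershell
# Added example (not from the original post). Creates a dynamic-membership security group
# whose rule follows the user's department, then assigns it Contributor on a resource group.
# Assumptions: Microsoft.Graph and Az modules are installed, the signed-in account may create
# groups and role assignments, the tenant has Azure AD Premium, and the values below are placeholders.

$Department    = 'Engineering Operations'   # attribute value the rule matches (placeholder)
$ResourceGroup = 'rg-engops-prod'           # scope of the role assignment (placeholder)

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'GroupMember.Read.All'
Connect-AzAccount

# Membership rule: user.<attribute> <operator> "<value>". Other rules matching the list above:
#   (user.jobTitle -startsWith "General Manager")
#   (user.state -eq "WA")
$rule = "(user.department -eq `"$Department`")"

$group = New-MgGroup -DisplayName "Dept - $Department" `
    -MailEnabled:$false -MailNickname 'dept-engops' -SecurityEnabled `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Rule processing is asynchronous; membership fills in after the rule is saved.
# A fixed wait is enough for a demonstration; a real script would poll until members appear.
Start-Sleep -Seconds 60
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

# Grant the role at resource-group scope: the same call you would make for any security group.
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Contributor' -ResourceGroupName $ResourceGroup

# Verify that the assignment sits on the group, not on individual users.
Get-AzRoleAssignment -ResourceGroupName $ResourceGroup |
    Where-Object { $_.ObjectId -eq $group.Id } |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

The `Get-MgGroupMember` call is worth keeping in any automation around this: it lists the effective membership the rule has produced, which is what you audit when reviewing who actually holds Contributor through the group.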