Attribute Based Access Control for Azure

Access to Azure resources can be granted to users by assigning the desired role to them on the subscription, on a resource group, or on individual resources. Access can also be granted to a group of users by assigning the role to an Azure AD security group.

Azure AD Premium now allows you to create groups with dynamic membership, based on user-attribute criteria. It is now possible to create groups like

  • all users in a department (department equals ‘Content Management Consulting’)
  • all General Managers (jobTitle beginsWith ‘General Manager’)
  • all users in Washington state (state equals ‘WA’), and so on

Azure RBAC roles can be granted to Azure AD groups with criteria-based membership – effectively achieving user attribute based access control for Azure management.

Create a criteria-based membership group in Azure AD

Sign-in to the Azure management portal as the global administrator or the user account administrator of the directory. Navigate to the directory and create a new group under the ‘Groups’ tab. Open the newly created group and navigate to the ‘Configure’ tab, and enable automatic memberships. Select the attribute on the basis of which you would like the group membership to be populated, and provide the attribute value.

Create Criteria-Based Membership Group in Azure AD Premium

As soon as you save the criteria, Azure AD starts populating the membership of the group with users that match the criteria. On an ongoing basis, users are added to and removed from the group as their attributes change and they come within the purview of the criteria or fall out of it. Membership of the group is rebuilt if the criteria change.

Criteria-Based Membership Group in Azure AD Premium

Grant access to the criteria-based membership group in Azure

Granting access to a criteria-based group in Azure is no different from granting access to any other Azure AD security group: assign the desired RBAC role to it on the desired scope.

Grant Access to Criteria-Based Membership Group in Azure

There you have it – in the example, any user who joins the ‘Engineering Operations’ department will automatically become a Contributor of the Resource Group, and any user who leaves the department will lose that access to the Resource Group in Azure.
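As an added illustration of the mechanism (not code from the post or from Azure AD itself), here is a small Python model of how a dynamic group's membership is recomputed from user attributes. It supports a simplified subset of the membership-rule syntax (user.&lt;attribute&gt; with -eq, -ne, -startsWith or -contains, joined by a single -and or -or) and uses a constructed sample directory; the rule strings mirror the post's examples.

```python
import re

# One clause of the (simplified) membership-rule syntax, e.g.
#   user.department -eq "Engineering Operations"
#   user.jobTitle -startsWith "General Manager"
CLAUSE = re.compile(r'user\.(\w+)\s+-(eq|ne|startsWith|contains)\s+"([^"]*)"')

def clause_matches(user, attr, op, value):
    """Evaluate a single clause against one user's attribute dictionary."""
    actual = (user.get(attr) or "").lower()   # string comparisons are case-insensitive
    value = value.lower()
    return {"eq": actual == value, "ne": actual != value,
            "startsWith": actual.startswith(value), "contains": value in actual}[op]

def rule_matches(rule, user):
    """Evaluate a flat rule: one or more clauses joined by a single -and / -or."""
    clauses = CLAUSE.findall(rule)
    if not clauses:
        raise ValueError(f"no clause recognised in rule: {rule!r}")
    results = [clause_matches(user, *c) for c in clauses]
    return all(results) if " -and " in rule else any(results)

def compute_membership(rule, directory):
    """Rebuild the group's membership from scratch, which is what happens
    whenever the criteria change or a user's attributes change."""
    return {upn for upn, attrs in directory.items() if rule_matches(rule, attrs)}

# Constructed sample directory (hypothetical accounts, not real data).
DIRECTORY = {
    "alice@contoso.example": {"department": "Engineering Operations", "jobTitle": "Engineer", "state": "WA"},
    "bob@contoso.example":   {"department": "Finance", "jobTitle": "General Manager, Finance", "state": "CA"},
    "carol@contoso.example": {"department": "Engineering Operations", "jobTitle": "General Manager", "state": "WA"},
}

ENG_OPS_RULE = '(user.department -eq "Engineering Operations")'

def membership_after_transfer(rule, directory, upn, new_department):
    """Show the effect described above: a user who leaves the department drops out
    of the group and so loses whatever RBAC role was assigned to that group."""
    before = compute_membership(rule, directory)
    updated = {k: dict(v) for k, v in directory.items()}   # do not mutate the input
    updated[upn]["department"] = new_department
    after = compute_membership(rule, updated)
    return before, after

if __name__ == "__main__":
    before, after = membership_after_transfer(ENG_OPS_RULE, DIRECTORY, "alice@contoso.example", "Finance")
    print("before:", sorted(before))
    print("after: ", sorted(after))
```

Any RBAC assignment made to the group, such as the Contributor role on the resource group, follows the computed membership, so the role check in Azure is only as reliable as the attribute values in the directory.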

5 thoughts on “Attribute Based Access Control for Azure”

    1. dushyantgill Post author

      Hi Arnold, the implementation (in this case “dynamic groups”) achieves the requirement of being able to authorize access in cloud apps per attributes of users (my understanding of ABAC) – I care little about other stuff :-)

      1. Arnold Villeneuve

        Thank you for the reply. I believe with a full ABAC solution you should also be able to base access on the object’s attributes and not just the user’s. For example, the ability to restrict access to a Document that has an attribute of Confidential and the user is not a member of a group called Confidential. The two attributes have to align in an “and/or” combination.

  1. Eric

    I can do this via the new attribute based groups by using criteria of (user.accountEnabled -eq “true”)
    Is this the best approach for something like this?
    P.S. LOVE attribute based groups. Awesome feature.

  2. Eric

    Hey, just found the “Dedicated Groups” feature. That should do the trick for me.
    Sorry for not finding this before posting to you, Dushyant.
    E.R.
