We recently made Azure Roles-Based Access Control generally available. Over the past year we’ve worked with many large enterprise customers of Azure in designing their IaaS/PaaS access model. Using this overview post and the linked drill downs I shall capture best practices for access management for Azure that we have gathered from these customer deployments.
1. Extend your identity system to the cloud using Azure AD and use work accounts to sign-up and manage Azure. Do not use Microsoft Accounts (formerly known as LiveId): once your company extends their identity system to the cloud using Azure AD, employees can use their work accounts (existing corporate identities) to sign-up for Azure subscriptions. These subscriptions automatically connect with your company’s Azure AD for single sign-on and access management. Then, when employees leave your company and their work account gets disabled – they automatically lose access to all Azure subscriptions.
When you sign-up for Azure subscription using a Microsoft Account (formerly LiveId), the subscription is connected with a lightweight Azure AD created for your Microsoft Account. This setup might suffice for a small startup company, but shouldn’t be used by medium/large enterprises. If your company’s Azure AD gets setup after you have signed-up for Azure subscriptions using Microsoft Accounts, you should transfer your company’s Azure subscriptions to your company’s Azure AD.
2. Connect your Azure AD with your on-premises Active Directory: and enable single-sign on, and provisioning and de-provisioning of users and groups for Azure management: If your company is already using Active Directory on-premises you should leverage on-premises users and groups identities for access management for Azure. This way when AD accounts get disabled they automatically lose access to Azure. And when group membership changes in AD, the user automatically gains/loses access to the Azure resources.
3. Enable Strong Authentication for Azure Management: enable Azure AD multi-factor authentication for users that manage Azure. You can also use on-premises strong authentication solutions that integrate with ADFS.
4. Manage Access using AD Groups: and integrate access management for Azure with existing access control processes in your organization. Users gain and lose access to Azure resources automatically when they’re added and removed from AD groups.
Enable Self-Service Access Management: assign Azure RBAC access to groups in combination with self-service group management in Azure AD Premium. This allows delegated admins to manage access to only specific type of Azure resources and within only specific resource groups. It also enables other users in your organization to request access to those resources
Enable Attribute-Based Access Control: assign Azure RBAC access to groups in combination with dynamic membership of groups in Azure AD premium. This controls access to Azure resources per users’ directory attributes like manager, department, jobTitle etc. Users automatically get access to the Azure resources they need to manage.
5. Use Azure Resource Groups for Access Control: to segregate workloads and environments that require different access settings. You no longer need to use Azure subscriptions as access control boundaries. Further, some Azure resources like VMs are composites of multiple individual resources (Virtual Machines, Storage Disks, Domain Names, etc.). Users often need access to the linked resources also, to meaningfully manage such composite resources. So, instead of assigning access to individual resources, assign access at resource group level, to grant the right access on linked resources too.
Using tags on Azure resource groups, you can group billing and usage data in Azure per workloads running in those resource groups.
6. Monitor Access Change History: Azure Resource Manager writes all changes to RBAC settings (including changes to the classic service admins and co-admins) in Azure Events Log. Review these events regularly to keep a tab on access changes in your Azure subscriptions.
7. Least Privilege: pick the right role for the job. Prefer using contributor role over the owner role. Model your organizational roles like server admins, network admins, DBAs and web masters, using resource-specific RBAC roles like Virtual Machine Contributor, Virtual Network Contributor, SQL Server Contributor, Websites Contributor etc.