White Paper

Securing applications on Azure using identity and management


Introduction

Azure IAM (Azure Identity and Access Management) is one of the Azure security and access control services for managing user identities. Using IAM, the global administrator of an Azure account can determine which user has what type of access, and what actions that user can perform with that access.

The aim of IAM is to identify, manage, and control users by granting them only the access they require.

Challenges

  1. Providing identity and access management that covers both cloud and hybrid environments is a challenge in its own right.
  2. Another major problem is consumer IAM in the cloud environment. For example, what if we want to join virtual machines in Azure to a domain without deploying domain controllers?
  3. Other issues include assigning licenses, provisioning identities to applications in Azure AD, troubleshooting, and remediating license assignment errors.

Solutions

  1. Azure IAM solutions make it easier to preserve access to services, and applications can be secured from their initial stages by using them.
  2. They provide protection from invalid login attempts and keep credentials safe. One can make use of identity protection tools, risk-based access controls, and stronger authentication options to secure credentials without disrupting productivity.

Description

1. Assigning roles using the Azure portal:

Azure role-based access control (Azure RBAC) is the authorization system used to manage access to Azure resources. Here, a role is essentially a collection of permissions.

In Azure RBAC, the user who wants to grant access to an Azure resource must have the required ‘write’ permission, and must know who needs access and what type of access they need.

Generally, roles can be assigned to users, groups, service principals, and managed identities. For a managed identity, the person granting access needs to check whether it is a user-assigned or a system-assigned managed identity.

The user also needs to determine the scope. Scopes have different levels (resources, resource groups, subscriptions, and management groups) structured as a parent-child hierarchy.

Roles can be assigned at any level of scope, and a role applies according to the level at which it is assigned. Child levels inherit roles assigned at the parent level: a role assigned at a management group applies to every level beneath it, i.e. subscriptions, resource groups, and resources. Roles can be assigned not only in the portal but also through the Azure CLI, Azure PowerShell, and REST APIs.

Each subscription allows up to 2000 role assignments, counting both custom and built-in roles.

Each scope level allows up to 500 roles. It is better to avoid assigning roles at higher levels of scope, since such assignments are inherited by every resource beneath them and widen the blast radius if the principal is compromised.
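The following is a small model of the scope hierarchy, inheritance rules, and per-subscription limit described above. It is an illustration added here, not code from the white paper or from Microsoft. The management group, subscription, resource group, virtual machine, principals, and assignments are all constructed sample data; the 2000-assignment figure is the one stated in the text and is used only as a sample threshold.

```python
"""Scope inheritance and role-assignment audit for Azure RBAC.

Added example, not code from the white paper: the hierarchy, principals,
assignments and limits below are constructed sample data. Scope strings
follow the Azure resource-ID format used by the portal, CLI and REST API.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample hierarchy: management group > subscription > resource group > resource
MG = "/providers/Microsoft.Management/managementGroups/mg-root"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web"

# A subscription's parent management group cannot be derived from its ID, so look it up.
SUBSCRIPTION_PARENT = {SUB: MG}


@dataclass(frozen=True)
class Assignment:
    principal: str  # user, group, service principal or managed identity
    role: str       # built-in or custom role definition name
    scope: str      # scope at which the assignment was created


# Constructed sample assignments; "alice" holds Owner at the management group,
# which is exactly the broad, high-level assignment the text advises against.
ASSIGNMENTS = [
    Assignment("alice", "Owner", MG),
    Assignment("bob", "Reader", SUB),
    Assignment("ci-sp", "Contributor", RG),                    # service principal
    Assignment("app-mi", "Virtual Machine Contributor", VM),   # managed identity
]


def is_subscription(scope):
    """True for a bare '/subscriptions/<id>' scope."""
    return scope.startswith("/subscriptions/") and scope.count("/") == 2


def parent_scope(scope):
    """Return the parent of a scope, or None at the top of the hierarchy."""
    if scope in SUBSCRIPTION_PARENT:
        return SUBSCRIPTION_PARENT[scope]
    if scope.startswith("/subscriptions/"):
        if "/providers/" in scope:          # resource -> its resource group
            return scope.rsplit("/providers/", 1)[0]
        if "/resourceGroups/" in scope:     # resource group -> its subscription
            return scope.rsplit("/resourceGroups/", 1)[0]
    return None                             # management group root


def ancestors(scope):
    """Yield the scope itself, then each parent up to the root."""
    while scope is not None:
        yield scope
        scope = parent_scope(scope)


def effective_roles(assignments, principal, scope):
    """Roles a principal holds at `scope`, including those inherited from parent scopes."""
    chain = set(ancestors(scope))
    return sorted({a.role for a in assignments
                   if a.principal == principal and a.scope in chain})


def assignments_per_subscription(assignments):
    """Count assignments made at or below each subscription (what the per-subscription limit covers)."""
    counts = Counter()
    for a in assignments:
        for s in ancestors(a.scope):
            if is_subscription(s):
                counts[s] += 1
    return counts


def audit(assignments, sub_limit=2000, warn_ratio=0.9):
    """Flag management-group-level assignments and subscriptions nearing the assignment limit."""
    findings = []
    for a in assignments:
        if a.scope.startswith("/providers/Microsoft.Management/"):
            findings.append(f"{a.principal}: '{a.role}' at management group scope {a.scope} "
                            "is inherited by every subscription, resource group and resource below it")
    for sub, n in assignments_per_subscription(assignments).items():
        if n >= warn_ratio * sub_limit:
            findings.append(f"{sub}: {n} of {sub_limit} role assignments used")
    return findings


if __name__ == "__main__":
    print("bob at VM:", effective_roles(ASSIGNMENTS, "bob", VM))        # inherited from subscription
    print("ci-sp at SUB:", effective_roles(ASSIGNMENTS, "ci-sp", SUB))  # nothing flows upward
    for f in audit(ASSIGNMENTS):
        print("FINDING:", f)
```

Against a real tenant the same questions are answered by the Azure CLI: `az role assignment create --assignee <principal> --role <role> --scope <scope>` creates an assignment at exactly one scope, and `az role assignment list --scope <scope> --include-inherited` shows what a principal effectively holds there, including assignments inherited from parent scopes, which is what the `effective_roles` walk above models.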
