Time
6 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
7

Video Transcription

00:00
Greetings, Cybrarians.
00:03
Welcome back to the Microsoft 365 Security Administration course.
00:07
I am pleased to be your instructor.
00:10
Setting the same, right? Can I say that was Highbury
00:13
one plus
00:14
Okay.
00:15
It's my pleasure to be your instructor,
00:17
Jim Daniels.
00:19
And today we're in Module 2, Identity and Access.
00:22
Lesson 3, Access Management, Part 3: Role-Based Access Control.
00:29
In this lesson, we're gonna go over
00:31
how to plan and configure role-based access control (RBAC) in Microsoft 365, the difference between Azure RBAC roles and Azure AD admin roles,
00:41
and monitoring RBAC usage.
00:45
Access management for cloud resources is a critical function.
00:49
Least privilege.
00:50
You can do the most damage when you have access to all of the management of those functions.
00:55
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. Azure RBAC makes life easier
01:07
to use the principle of least privileged access.
01:11
Charles Barkley.
01:11
He was famous for saying he is not a role model.
01:15
He didn't want kids to look up to him.
01:17
He's not a role model.
01:19
You know what is a role model?
01:22
Azure RBAC. Azure RBAC.
01:25
They have models of roles that you want your users to use.
01:29
So where Charles Barkley is not a role model, Azure RBAC? Yes, definitely. Role models.
01:34
Here are some things you can do
01:36
with Azure RBAC.
01:38
You can allow a user to manage virtual machines in a subscription, and another to manage virtual networks.
01:44
You can allow a DBA group to manage SQL databases in a certain subscription.
01:49
You can allow a user to manage all resources in a resource group.
01:52
You can allow an application to access all resources, and you can use Azure RBAC for users, for groups, as well as application access.
02:04
Azure RBAC role assignments.
02:06
Azure RBAC uses role assignments to control access.
02:08
A role assignment is made up of three key elements:
02:13
security principal, role definition, scope.
02:15
A security principal is an object that represents a user, group, service principal, or managed identity that's requesting access to resources in Azure.
02:25
User: an individual who has a profile in Azure AD.
02:30
You can also assign roles to users in other tenants.
02:34
Group: a set of users created in Azure AD.
02:38
Service principal:
02:38
a security identity used by applications or services to access specific
02:45
Azure resources. Think of it as a user identity for an application.
02:50
Managed identity:
02:52
an identity in Azure AD that's automatically managed by Azure.
02:55
Typically, managed identities are used when developing cloud applications to manage credentials for authenticating to services.
03:04
Role definition.
03:05
It's a collection of permissions.
03:07
Typically, this is called a role.
03:09
A role definition lists the operations that can be performed:
03:14
read, write, delete.
03:16
Roles can be high-level, like Owner, or very specific, like Virtual Machine Reader.
03:23
Azure includes several built-in roles that we can use.
03:29
Some of those roles:
03:30
Owner, Contributor, Reader, User Access Administrator.
03:34
Scope is the set of resources that the access applies to.
03:38
It's the "what."
03:40
What do you have a role to control?
03:44
When you assign a role, you can further limit the actions
03:47
by defining the scope.
03:50
In Azure, you can specify scope at multiple levels:
03:53
management group,
03:54
subscription, resource group, or resource.
03:59
Scopes are structured in a parent-child relationship.
04:03
Now, to exponentially confuse everyone,
04:06
let's look at Azure RBAC roles and classic Azure AD administrator roles.
04:14
If it's little stocking cost for it was confusing.
04:16
Yeah, kind of.
04:18
From the classic
04:19
subscription administrator roles:
04:21
Account Administrator, Service Administrator, and Co-Administrator. Those were the three classic subscription administrator roles in Azure.
04:29
The classic subscription admins have full access to our subscriptions.
04:33
Azure roles
04:35
is the level above that. Azure roles, the authorization. Remember Azure RBAC? We just talked about it.
04:42
So it's a more refined,
04:45
more detailed and granular
04:46
control over the whole Azure environment.
04:49
Azure AD roles: that's a subset within Azure. Remember, Azure AD is only a small service within Azure as a whole.
04:59
So Azure AD roles, those are the ones that you're probably most familiar with as they relate to Microsoft 365: Global Admin, Billing Admin,
05:10
those are in the Azure AD tenant.
05:15
By default, Azure and Azure AD roles do not overlap.
05:19
An Azure AD Global Admin can elevate permissions to manage Azure as a User Access Administrator role.
05:27
Azure AD and Office 365 Global Admins do not have access to Azure resources.
05:34
Remember, Azure as a whole is much bigger than just Azure AD.
05:39
Azure AD is a subset
05:42
of the services that you find within Azure.
05:46
To configure Azure RBAC,
05:49
you need permission on Microsoft.Authorization/roleAssignments/write and
05:55
roleAssignments/delete.
05:57
The User Access Administrator and Owner Azure roles include those.
06:00
Use the
06:02
Access control (IAM) blade in your Azure subscription to configure RBAC roles.
06:09
Here we're actually in the access control blade within Azure, within a subscription.
06:14
We see where we have role assignments. We can do add a role assignment,
06:16
add a co-administrator, which is in the classic role assignments, or add a custom role that we define.
06:26
So we're gonna go to add role assignment.
06:28
And here we have the pre-defined roles,
06:30
the canned,
06:32
out-of-the-box Azure RBAC roles.
06:34
This one we're in, Reader,
06:38
we're gonna assign access to a user. We have the user down there we've selected,
06:44
and this will add that user to the Reader RBAC role.
06:47
We also can go in and look at the pre-defined or custom
06:54
RBAC roles.
06:56
In this example, we went into the Security Admin
06:59
and looked at the permissions. So this is a type.
07:02
So this is a list of the permissions
07:05
that make up
07:08
the Security Admin role.
07:11
Yeah, we'll get Log Analytics, virtual machine management,
07:14
on down to the
07:15
really fine-grained stuff.
07:18
RBAC usage is monitored and audited.
07:23
It's in the Azure Activity Log.
07:26
The actions monitored: role assignment create, role assignment delete, custom role definition
07:33
create, update, delete. All of those are logged.
07:36
Here we can see an example of an activity log where a role was created
07:42
and it was assigned.
07:45
When we click on the actual
07:47
event for more information, we can see additional details:
07:53
time stamps,
07:56
scope, role, everything.
08:01
Quiz: a role assignment is made up of which three elements?
08:07
A. Security principal, role policy, scope.
08:09
B. Security principal, role definition, scope.
08:13
C. RBAC principal, role definition,
08:15
parameter.
08:16
D. RBAC principal, role policy, scope.
08:20
This one kind of stumped me. I'll give you a little bit of time for it.
08:24
So A, B, C, or D. Which one is it?
08:31
If you said B, you're correct.
08:35
You win a virtual star
08:37
on the virtual board
08:39
that is next to your name as an outstanding student.
08:43
Security principal, role definition, and scope. Those are the three elements that make up a role assignment.
08:52
To recap today's lesson:
08:54
Azure RBAC is an authorization system
08:56
built on Azure Resource Manager that provides fine-grained access management of Azure resources.
09:03
Role assignments are comprised of security principal,
09:07
role definition, and scope.
09:09
The Azure Activity Log is used to monitor
09:13
and log Azure RBAC activities.
09:16
Thank you for joining me. I hope to see you for the next video.
09:18
Take care.


MS-500: Microsoft 365 Security Administration

The Microsoft 365 Security Administration course is designed to prepare students to take and pass the MS-500 certification exam. The course covers the four domains of the exam, providing students with the knowledge and skills they need to earn their credential.

Instructed By

Jim Daniels
IT Architect
Instructor