Managing Microsoft Entra Roles Overview

Feb 5, 2025

Configure and Manage Microsoft Entra Roles

Introduction to Microsoft Entra ID

  • A cloud-based identity and access management service by Microsoft.
  • Helps employees sign in and access resources such as:
    • External resources (e.g., Microsoft 365, Azure portal, SaaS apps)
    • Internal resources (e.g., corporate network apps, cloud apps developed by your organization)

Users of Microsoft Entra ID

  • IT Admins
    • Control app access based on business requirements.
    • Automate user provisioning between Windows Server AD and cloud apps.
    • Use the built-in tools for protecting user identities and credentials.
  • App Developers
    • Use for adding single sign-on (SSO) to apps.
    • Use the available APIs to build personalized app experiences.
  • Subscribers of Microsoft 365, Office 365, Azure, Dynamics CRM Online
    • Already using Microsoft Entra ID, since the tenant behind each of these subscriptions is automatically a Microsoft Entra tenant.

Role Assignments in Microsoft Entra ID

  • Assign roles to users to manage Microsoft Entra resources.
  • Roles include Classic subscription administrator roles, Azure roles, and Microsoft Entra roles.

Microsoft Entra Roles

  • Used to manage resources in a directory.
  • Important roles include:
    • Global Administrator: Manage access to all features, assign roles, reset passwords.
    • User Administrator: Manage users and groups, support tickets, service health.
    • Billing Administrator: Manage purchases, subscriptions, support tickets.
  • Roles can be viewed in the Azure portal on the Roles and administrators screen.

Differences Between Azure Roles and Microsoft Entra Roles

  • Azure Roles: Control access to Azure resources.
  • Microsoft Entra Roles: Control access to Microsoft Entra resources.
  • Scope:
    • Azure roles can be specified at multiple levels (e.g., management group, resource group).
    • Microsoft Entra roles are at the tenant level or Administrative Unit.
  • Access methods differ between Azure and Microsoft Entra roles.

Overlapping Roles

  • By default, Azure roles and Microsoft Entra roles don’t overlap.
  • Global Administrator can elevate access to User Access Administrator (an Azure role).
  • Some Entra roles (e.g., Global Administrator, User Administrator) span Microsoft Entra ID and Microsoft 365.

Assigning Roles

  • Multiple methods for role assignment:
    • Assign to a user/group via Roles and administrators.
    • Use Access control (IAM) for broader scopes.
    • Use PowerShell or Microsoft Graph API.
    • Use Privileged Identity Management (PIM) for just-in-time elevation.
  • Proper identity governance is crucial.
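The PowerShell / Microsoft Graph method from the list above, as an added worked example (not code from the original notes): it resolves a user and a built-in role by name, creates a tenant-scoped assignment, and then lists the principal's resulting roles so the change can be reviewed. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in admin can consent to the RoleManagement.ReadWrite.Directory scope; the user principal name is a constructed placeholder.

```powershell
# Added example (not from the original notes): assign the built-in
# User Administrator role to one user with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; the signed-in admin can grant
# RoleManagement.ReadWrite.Directory; 'helpdesk.lead@contoso.example' is a
# constructed placeholder, not a real account.

# 1. Sign in requesting only the scopes this task needs.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

# 2. Resolve the principal and the role definition by display name rather than
#    pasting object IDs by hand.
$user = Get-MgUser -UserId "helpdesk.lead@contoso.example"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

if (-not $user -or -not $role) { throw "User or role definition not found; nothing assigned." }

# 3. Create the assignment. DirectoryScopeId "/" is tenant-wide; to restrict the
#    role to an administrative unit use "/administrativeUnits/<AU object id>".
$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId      $user.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/"

# Equivalent raw Graph request, for reference:
#   POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments
#   { "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
#     "principalId": "<user id>", "roleDefinitionId": "<role id>", "directoryScopeId": "/" }

# 4. Verify: list every directory role this principal now holds, with its scope,
#    so the result can be checked against what was intended.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -ExpandProperty RoleDefinition |
    Select-Object Id, DirectoryScopeId, @{ n = 'Role'; e = { $_.RoleDefinition.DisplayName } }
```

The verification step matters in practice: a direct assignment made this way is permanent and active immediately, so reviewing the principal's full set of roles right after the change is the cheapest control against over-assignment.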

Example: Using PIM

  • Configure user eligibility for just-in-time role elevation.
  • Limitations: one role assignment at a time; requires Entra ID Premium P2.
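The PIM flow described above, as an added example that is not part of the original notes: the administrator makes a user eligible for a role (no standing access), the user later activates it for a bounded window, and a final query shows what is active right now. It assumes the Microsoft.Graph module, Microsoft Entra ID P2 licensing, and RoleManagement.ReadWrite.Directory consent; the user, justification text and ticket reference are constructed placeholders.

```powershell
# Added example (not from the original notes): PIM eligibility plus time-boxed
# activation through Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module; Entra ID P2 licensing; the user and all
# justification strings below are constructed placeholders.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$user = Get-MgUser -UserId "oncall.engineer@contoso.example"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

# --- Administrator side: eligibility, not a standing assignment -------------
# The user holds nothing until they activate, and the eligibility itself expires.
$eligibility = @{
    action           = "adminAssign"
    justification    = "On-call rotation; eligible for just-in-time elevation"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P90D" }   # eligibility ends after 90 days
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# --- User side (run in the eligible user's own session): activation ---------
# The activation carries its own expiry, so the role falls away without anyone
# having to remember to remove it.
$activation = @{
    action           = "selfActivate"
    justification    = "INC-PLACEHOLDER: unlock and reset a user's password"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }   # active for at most 2 hours
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# --- Review: who currently holds this role, and whether it is permanent ------
# AssignmentType distinguishes a PIM activation from a standing assignment.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, AssignmentType, StartDateTime, EndDateTime
```

Depending on the PIM role settings in the tenant, the activation request may additionally require MFA or approval before it takes effect; the request object returned by the last New-Mg* call reports that status.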

Creating and Assigning Custom Roles

  • Custom roles can be created in the Roles and administrators tab in the Azure portal.
  • Steps to create a custom role:
    1. Basics: Provide name and description.
    2. Permissions: Select necessary permissions (e.g., credentials update, basic update).
    3. Review + Create: Finalize and create the role.
  • Newly created custom roles become available for assignment.
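The three portal steps above carried out with Microsoft Graph PowerShell, as an added example rather than code from the original notes: Basics (name and description), Permissions (only the two update actions the notes mention, on application objects), Review + Create, followed by an assignment of the new role and a check that it is indeed custom and carries nothing extra. It assumes the Microsoft.Graph module and RoleManagement.ReadWrite.Directory consent; the role name, description and user are constructed placeholders.

```powershell
# Added example (not from the original notes): create and assign a custom
# Microsoft Entra role with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module; RoleManagement.ReadWrite.Directory consent;
# the role name, description and 'app.support@contoso.example' are constructed.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Steps 1 + 2: Basics and Permissions. Grant only the basic-update and
# credentials-update actions, and only on application objects.
$definition = @{
    displayName     = "Application Support Administrator (custom)"
    description     = "Can update basic properties and credentials of app registrations; nothing else."
    isEnabled       = $true
    rolePermissions = @(
        @{
            allowedResourceActions = @(
                "microsoft.directory/applications/basic/update",
                "microsoft.directory/applications/credentials/update"
            )
        }
    )
}

# Step 3: Review + Create. Print the actions that are about to be granted,
# then create the definition.
$definition.rolePermissions[0].allowedResourceActions | ForEach-Object { "will grant: $_" }
$customRole = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $definition

# The new role is assignable exactly like a built-in one.
$user = Get-MgUser -UserId "app.support@contoso.example"
New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId      $user.Id `
    -RoleDefinitionId $customRole.Id `
    -DirectoryScopeId "/"    # or "/<app object id>" to limit the role to a single app registration

# Confirm the result: IsBuiltIn should be false and the action list should
# contain only the two actions chosen above.
Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $customRole.Id |
    Select-Object DisplayName, IsBuiltIn,
        @{ n = 'Actions'; e = { $_.RolePermissions.AllowedResourceActions -join ', ' } }
```

Keeping the permission list this short is the point of a custom role: a support team that only needs to rotate application credentials gets exactly that, instead of the far broader Application Administrator or Global Administrator built-in roles.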