Authorization, Roles & PIM
Source: Azure Master Class v3 - Part 2 - Identity by John Savill
Timestamps: 01:13:40-01:35:00
Authorization Overview
📺 Video Reference: 01:13:40
Authentication proves who you are.
Authorization determines what you can do.
In the Entra ecosystem, authorization is handled through:
- Entra ID Roles (manage identity plane)
- Azure RBAC Roles (manage resource plane)
The Two Role Systems
📺 Video Reference: 01:14:24
Key Distinction
| Role System | Scope | What It Manages |
|---|---|---|
| Entra ID Roles | Tenant-wide | Users, groups, apps, policies |
| Azure RBAC Roles | Subscription hierarchy | VMs, storage, networking |
These Are DIFFERENT!
Global Administrator in Entra ID does NOT automatically have access to Azure subscriptions. These are separate role systems that must be explicitly connected.
Entra ID Roles Deep Dive
📺 Video Reference: 01:15:24
Global Administrator
The "god role" of Entra ID:
- Full access to all Entra features
- Can manage all aspects of the tenant
- Should be limited to 2-4 people maximum
Global Admin Risk
Global Admin can:
- Reset any password (including other admins)
- Manage conditional access (can exclude themselves)
- Delete the tenant
Protect this role with your life! 🛡️
Common Entra Roles
| Role | Purpose |
|---|---|
| Global Administrator | Full tenant access |
| Global Reader | Read everything, change nothing |
| User Administrator | Manage users and groups |
| Groups Administrator | Manage groups only |
| Application Administrator | Manage app registrations |
| Cloud Application Administrator | Manage enterprise apps |
| Authentication Administrator | Manage authentication methods |
| Privileged Authentication Administrator | Reset MFA for any user |
| Security Administrator | Security settings and policies |
| Conditional Access Administrator | Manage CA policies |
| Billing Administrator | Purchases and subscriptions |
| Helpdesk Administrator | Reset passwords, limited scope |
Role Comparison: Application Administrator vs Cloud Application Administrator
| Role | Difference |
|---|---|
| Application Administrator | Can manage app credentials (secrets/certs) |
| Cloud Application Administrator | Cannot manage app credentials |
Administrative Units
📺 Video Reference: 01:18:34
Administrative Units (AUs) provide scoped delegation of Entra roles.
What Can Be in an Administrative Unit?
| Object Type | Supported |
|---|---|
| Users | ✅ |
| Groups | ✅ |
| Devices | ✅ |
| Applications | ❌ |
| Service Principals | ❌ |
Restricted Management AUs
A more secure flavor:
| Type | Behavior |
|---|---|
| Standard AU | AU admins + Global Admins can manage |
| Restricted Management AU | ONLY AU admins can manage (even GA blocked) |
Use Case: Sensitive Accounts
Put executive accounts in a Restricted Management AU. Even if an attacker compromises a Global Admin, they cannot touch those accounts.
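Added example (not code from the video or these notes) showing the Restricted Management AU pattern above with the Microsoft Graph PowerShell SDK: create the AU as restricted, place the sensitive account in it, and delegate a single AU-scoped admin. The two UPNs are placeholders; the User Administrator template id is the well-known value.

```powershell
# Added example, not from the video or these notes. Assumes the Microsoft Graph PowerShell SDK;
# the executive UPN and the delegated admin UPN are placeholders.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

$ExecUpn             = "ceo@contoso.example"            # placeholder: account to protect
$AuAdminUpn          = "exec-helpdesk@contoso.example"  # placeholder: the only admin allowed to manage it
$UserAdminTemplateId = "fe930be7-5e62-47db-91af-98c3a49a38b1"   # well-known User Administrator template id

# 1. Create the AU as restricted. isMemberManagementRestricted can only be set at creation time;
#    an existing standard AU cannot be converted later.
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                  = "Executive Accounts (Restricted)"
    description                  = "Member management limited to admins scoped to this AU"
    isMemberManagementRestricted = $true
}

# 2. Put the sensitive account inside the AU.
$exec = Get-MgUser -UserId $ExecUpn
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($exec.Id)"
}

# 3. Delegate User Administrator scoped to this AU only. Scoped role membership needs the
#    directoryRole object id (not the template id), so the role must already be activated.
$role  = Get-MgDirectoryRole -Filter "roleTemplateId eq '$UserAdminTemplateId'"
$admin = Get-MgUser -UserId $AuAdminUpn
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -BodyParameter @{
    roleId         = $role.Id
    roleMemberInfo = @{ id = $admin.Id }
}

# 4. Verify: the AU reports itself restricted and lists exactly the scoped admin just added.
Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $au.Id |
    Select-Object DisplayName, IsMemberManagementRestricted
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id |
    Select-Object RoleId, @{ n = "Member"; e = { $_.RoleMemberInfo.Id } }
```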
Least Privilege Principle
📺 Video Reference: 01:20:06
The Problem
If I give you permanent Global Admin:
- The account is a standing high-value target, attackable at any time
- Token theft = full tenant compromise
- No audit trail of elevation, because the privilege is always on rather than activated
The Solution: Just-in-Time Access
Only have elevated permissions when you need them, for as long as you need them.
Privileged Identity Management (PIM)
📺 Video Reference: 01:20:51
PIM provides just-in-time privileged access with auditing and approval workflows.
PIM Concepts
| Term | Meaning |
|---|---|
| Eligible | User CAN activate the role |
| Active | User HAS the role right now |
| Activate | Transition from eligible to active |
PIM Workflow
PIM Settings
| Setting | Options |
|---|---|
| Activation duration | 30 min - 24 hours |
| Require justification | Yes/No |
| Require approval | Yes/No + Who approves |
| Require MFA | Yes/No |
| Require Conditional Access | Yes/No |
| Notifications | Email on activation |
Eligible vs Active Assignments
| Type | Use Case |
|---|---|
| Eligible | User must activate when needed (recommended) |
| Active | Always has the role (use sparingly) |
Best Practice
- Make most assignments eligible
- Set short activation windows
- Require justification
- Enable notifications
- Consider approval for critical roles
PIM for Azure RBAC
📺 Video Reference: 01:24:19
PIM also works for Azure resource roles:
| Scope | Example |
|---|---|
| Management Group | Eligible Owner at tenant root |
| Subscription | Eligible Contributor on Production |
| Resource Group | Eligible VM Contributor on specific RG |
| Resource | Eligible Key Vault Administrator |
Same workflow: Eligible → Activate → Time-limited → Reverts
Emergency Access (Break Glass)
📺 Video Reference: 01:25:41
What If Everything Breaks?
Scenarios where normal admin access fails:
- PIM is down
- Conditional Access misconfiguration locks everyone out
- MFA provider outage
- Last Global Admin leaves company
Break Glass Accounts
Dedicated emergency accounts excluded from normal security controls:
| Property | Configuration |
|---|---|
| Type | Cloud-only (no sync dependency) |
| MFA | Different from normal (hardware FIDO2 in safe) |
| Conditional Access | Excluded from all policies |
| Password | Very long, complex, stored securely |
| Monitoring | Alert on ANY use |
Never Use Normally
Break glass accounts should:
- Never be used for daily work
- Be tested quarterly (with documented process)
- Trigger immediate alerts when used
- Have password split between multiple people
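Added example (not code from the video or these notes) that turns two rows of the table above into a repeatable check with the Microsoft Graph PowerShell SDK: confirm every enabled Conditional Access policy still excludes the break glass accounts ("Excluded from all policies") and report any sign-in by them in a lookback window ("Alert on ANY use"). The UPNs are placeholders.

```powershell
# Added example, not from the video or these notes. Assumes the Microsoft Graph PowerShell SDK
# and placeholder UPNs for two break glass accounts.
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "User.Read.All"

$BreakGlassUpns = @("breakglass1@contoso.example", "breakglass2@contoso.example")  # placeholders
$LookbackDays   = 7

$bgUsers = $BreakGlassUpns | ForEach-Object { Get-MgUser -UserId $_ -Property Id, UserPrincipalName }

# 1. Drift check: every enabled CA policy must list every break glass account under ExcludeUsers.
#    Only direct user exclusions are checked here; exclusions via ExcludeGroups are not resolved.
$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq "enabled"
foreach ($p in $policies) {
    $excluded = @($p.Conditions.Users.ExcludeUsers)
    foreach ($u in $bgUsers) {
        if ($excluded -notcontains $u.Id) {
            Write-Warning "CA policy '$($p.DisplayName)' does NOT exclude $($u.UserPrincipalName)"
        }
    }
}

# 2. Usage check: any sign-in by a break glass account in the window should be treated as an incident.
$since = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString("yyyy-MM-ddTHH:mm:ssZ")
foreach ($u in $bgUsers) {
    $signIns = Get-MgAuditLogSignIn -All -Filter "userId eq '$($u.Id)' and createdDateTime ge $since"
    foreach ($s in $signIns) {
        # Status.ErrorCode 0 is a successful sign-in; anything else is a failed attempt, still worth knowing.
        Write-Warning ("BREAK GLASS USED: {0} at {1} from {2} (error code {3})" -f
            $u.UserPrincipalName, $s.CreatedDateTime, $s.IPAddress, $s.Status.ErrorCode)
    }
}
```

For continuous alerting the second check is normally expressed as a Log Analytics alert rule over SigninLogs; this script is the on-demand version suitable for the quarterly test and for auditing policy drift.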
Access Reviews
📺 Video Reference: 01:28:30
Automated review of access assignments.
What Can Be Reviewed?
| Target | Example |
|---|---|
| Group membership | "Do these users still need access to this group?" |
| App assignments | "Should these users still have this app?" |
| Entra roles | "Should John still be User Administrator?" |
| Azure roles | "Should this service principal still be Contributor?" |
Review Workflow
Reviewer Options
| Reviewer Type | Use Case |
|---|---|
| Manager | Review their direct reports |
| Self | Users justify their own access |
| Specific users | Designated administrators |
| Group owners | Review their own groups |
Auto-Actions
| Setting | Behavior |
|---|---|
| If reviewer doesn't respond | Remove access / Keep access / No change |
| Apply results automatically | Yes / No |
| Recurrence | One-time / Weekly / Monthly / Quarterly |
Entra Permissions Management
📺 Video Reference: 01:31:00
A multi-cloud permissions governance solution in the CIEM (Cloud Infrastructure Entitlement Management) category.
The Problem
Organizations have thousands of identities with permissions across:
- Azure
- AWS
- GCP
How do you know:
- What permissions do they have?
- What permissions do they actually USE?
- Are there overprivileged identities?
Permissions Creep Index (PCI)
High PCI = Identity has many permissions it doesn't use = Risk
Key Capabilities
| Feature | Description |
|---|---|
| Discovery | Find all identities and permissions |
| Analytics | Identify overprivileged identities |
| Right-sizing | Recommend minimal permissions |
| Monitoring | Alert on anomalous behavior |
| Remediation | Auto-adjust permissions |
Multi-Cloud Coverage
| Cloud | What's Analyzed |
|---|---|
| Azure | RBAC roles, Entra roles |
| AWS | IAM policies, roles |
| GCP | IAM bindings, service accounts |
Quick Reference
Role Assignment Decision Tree
PIM Best Practices Checklist
- [ ] Use eligible (not active) assignments
- [ ] Set maximum activation duration (4-8 hours)
- [ ] Require justification for all activations
- [ ] Enable notifications for role activations
- [ ] Require approval for Global Admin and Security Admin
- [ ] Conduct quarterly access reviews
- [ ] Configure break glass accounts
- [ ] Test break glass accounts quarterly
- [ ] Monitor for PCI creep
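Added example (not code from the video or these notes) applying the PIM Settings table, the Best Practice list and the first five checklist items to the Global Administrator role via the Microsoft Graph PowerShell SDK: 8-hour maximum activation, justification plus MFA on activation, group approval, and admin notifications. The approver group id is a placeholder; the Global Administrator template id is the well-known value.

```powershell
# Added example (not code from the video or these notes). Assumes the Microsoft Graph PowerShell
# SDK, a caller holding Privileged Role Administrator, and a placeholder approver group id.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory"

$GlobalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10"   # well-known Global Administrator template id
$ApproverGroupId       = "<APPROVER-GROUP-OBJECT-ID>"             # placeholder: group that approves GA activations

# 1. Locate the PIM policy bound to Global Administrator at tenant scope ("/").
$binding  = Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$GlobalAdminTemplateId'"
$policyId = $binding.PolicyId

# Every end-user activation rule carries this target: caller EndUser, level Assignment (= activation).
$target = @{ caller = "EndUser"; operations = @("all"); level = "Assignment"; inheritableSettings = @(); enforcedSettings = @() }

# 2. Activation window: always expires, at most 8 hours (checklist says 4-8 hours; ISO 8601 duration).
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"; id = "Expiration_EndUser_Assignment"
    isExpirationRequired = $true; maximumDuration = "PT8H"; target = $target
}

# 3. Justification and MFA are both required to activate.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"; id = "Enablement_EndUser_Assignment"
    enabledRules = @("Justification", "MultiFactorAuthentication"); target = $target
}

# 4. Approval by a designated group: single stage, one day to decide, approver must justify.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"; id = "Approval_EndUser_Assignment"; target = $target
    setting = @{
        isApprovalRequired = $true; isApprovalRequiredForExtension = $false
        isRequestorJustificationRequired = $true; approvalMode = "SingleStage"
        approvalStages = @(@{
            approvalStageTimeOutInDays = 1; isApproverJustificationRequired = $true
            escalationTimeInMinutes = 0; isEscalationEnabled = $false; escalationApprovers = @()
            primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.groupMembers"; groupId = $ApproverGroupId })
        })
    }
}

# 5. Email the default admin recipients on every activation.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId -UnifiedRoleManagementPolicyRuleId "Notification_Admin_EndUser_Assignment" -BodyParameter @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule"; id = "Notification_Admin_EndUser_Assignment"
    notificationType = "Email"; recipientType = "Admin"; notificationLevel = "All"
    isDefaultRecipientsEnabled = $true; notificationRecipients = @(); target = $target
}
```

Each rule is patched independently, so read the policy back with Get-MgPolicyRoleManagementPolicyRule afterwards to confirm all four took effect before relying on it for the role.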