Authorization in Azure

Azure roles are used to authorize users, groups, applications, and resources to access the resources in Azure like storage accounts and databases. These roles differ from Microsoft Entra roles because Microsoft Entra roles are used to manage authorization in Microsoft Entra ID resources, like providing permissions for creating or editing users, assigning administrative roles to others, resetting user passwords, etc. However, Azure roles are used to manage authorization to Azure resources. Azure provides robust authorization capabilities, including role-based access control (RBAC) and policy enforcement mechanisms, to ensure the security of resources within Azure. Typically, authorization can be divided into role-based authorization and attribute-based authorization.

• Role-based access control (RBAC): Azure’s RBAC allows organizations to define granular access controls by assigning roles to users, groups, or applications. By using RBAC, organizations can control access to critical resources and restrict unauthorized actions.

• Attribute-based access control (ABAC): Azure‘s ABAC is a form of access control methodology wherein the authorization decisions are based on the various attributes associated with an entity, such as its identity or location. This approach provides more granular resource control than traditional role-based access control. It can be used to develop fine-grained access control that can be applied across multiple systems and services.

Best practices for security

It is essential to implement security best practices when configuring your Azure subscription and resource groups:

• To start, Azure should be configured with the principle of least privilege in mind. This means that every user should only have access to the resources they need and no more.

• Additionally, administrators should consider using role-based access control (RBAC), which allows us to assign different roles to users that dictate what type of access they are permitted for specific resources within a subscription or resource group.

• Next, any sensitive data stored in Azure must be encrypted at rest and in transit. Data can also be backed up regularly to be restored quickly if needed due to an attack or other unforeseen incident.

• Finally, organizations should stay up-to-date on all security patches by regularly deploying them across their Azure environment; this includes patching OS and system images used for virtual machines and other services such as databases or storage accounts. Following these best practices will help ensure the safety of your cloud infrastructure from potential threats and breaches.

Before discussing Azure roles in detail, we must understand the different levels of access control to which roles can be assigned.

Scope

Now, the access control of RBAC roles can be applied to a certain scope in Azure. A scope is a hierarchy of access levels encompassing a set of resources that access applies to. It can be specified at four levels:

• Resource: A resource is an object in Azure that we can create, update, and delete. Azure offers resources like storage accounts, databases, virtual machines, etc.

• Resource group: A resource group is a collection of resources that we want to manage as a group.

• Subscription: It is a collection of resource groups. It also serves as a legal agreement. Each subscription is associated with an Azure offer, like a free trial or pay-as-you-go. Each offer provides a specific rate plan, benefits, and associated terms and conditions

• Management group: It is a collection of subscriptions, the highest level in the scope hierarchy.