Role-Based Access Control for Azure (CDP-B213)
Dushyant Gill

Audience questions:
Do you consider finer-grained access management for Azure a critical requirement?
Have you used the Azure preview portal?
Do you know what Azure Active Directory is?
Adoption of IaaS/PaaS in Organizations

[Diagram: cloud subscriptions created outside of IT, each owned by a personal consumer account (Owner = ellen@outlook.com, aaron@hotmail.com, xyz@yahoo.com, xyz@gmail.com), shown next to the IT-managed identities in on-premises Active Directory (ellen@company.com, aaron@company.com). External people such as partner@yahoo.com and prospectivecustomer@live.com also need access.]
Access to Azure and the rest of the cloud: Powered by Azure AD

[Diagram: on-premises Active Directory (IT-managed identities ellen@company.com, aaron@company.com) syncs users and groups to Azure Active Directory. Subscription ownership moves from consumer accounts (Owner = ellen@outlook.com, aaron@hotmail.com) to organizational accounts (Owner = ellen@company.com, aaron@company.com), expressed as roles and role assignments. External users (joe@partner.com, prospectivecustomer@live.com) are granted access through the same directory. Azure AD then fronts Microsoft Azure IaaS/PaaS, Microsoft Online Services, 2000+ pre-integrated SaaS apps and the company's in-house developed cloud apps.]
Demo: Azure RBAC in action (Dushyant Gill)
Azure RBAC: First Preview Release

- 3 built-in roles (Owner, Contributor and Reader), assignable to users, groups and services at the Azure scopes: subscription, resource group and resource.
- Access management using the Azure preview portal, command-line tools, and the REST API for bulk operations.
- In the new RBAC model, the existing subscription administrators and co-admins become 'Owners' of the subscription.
Roles and Role Assignments

A role is a collection of actions.
A role assignment = Role + Subject (users, groups or a service identity) + Scope (directory, subscription, resource group or resource).

Role definitions shown on the slide (Actions / NotActions; operation names written with Azure's forward-slash separators):

Role             | Actions                                     | NotActions
Owner            | *                                           | (none)
Contributor      | *                                           | Microsoft.Authorization/*
Reader           | */read                                      | (none)
SQL Contributor  | Microsoft.Sql/*                             | Microsoft.Authorization/*
Tier 1 Operator  | */read, Microsoft.Compute/virtualMachines/* | (none)

NotActions subtract from the same role's Actions (Contributor is "everything except managing access"); they are not a deny rule, so an action excluded here can still be granted to the same subject by a different role assignment.
Access Inheritance and Resource Hierarchy

[Diagram: a subscription (S) containing resource groups (RG), each containing resources (R). Three role assignments are shown:
- Role = 'Reader', Subject = AAD group, Scope = subscription
- Role = 'Contributor', Subject = AAD user, Scope = resource group
- Role = 'Owner', Subject = AAD user, Scope = resource
Access is inherited down the hierarchy: an assignment at the subscription applies to every resource group and resource beneath it, and an assignment at a resource group applies to every resource inside it.]
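The two slides above (the Actions/NotActions role table and the inheritance diagram) together define how an access check is decided. The following is an added example, not code from the deck or from Azure, that evaluates a request the same way: find an assignment whose subject is the user or one of the user's groups, whose scope is the target or an ancestor of it, and whose role's Actions match the operation without a NotActions match. The role names and operation strings are the slide's; the subscription/resource-group/VM identifiers, the group name `ops-readers`, the choice of `aaron@company.com` as both the Contributor and the Owner subject, and the `is_allowed` function are constructed for this example.

```python
import re

# Role definitions as on the slide's table. The operation strings are Azure's;
# the dictionary layout, identifiers and scopes below are this example's own.
ROLES = {
    "Owner":           {"actions": ["*"],
                        "not_actions": []},
    "Contributor":     {"actions": ["*"],
                        "not_actions": ["Microsoft.Authorization/*"]},
    "Reader":          {"actions": ["*/read"],
                        "not_actions": []},
    "SQL Contributor": {"actions": ["Microsoft.Sql/*"],
                        "not_actions": ["Microsoft.Authorization/*"]},
    "Tier 1 Operator": {"actions": ["*/read", "Microsoft.Compute/virtualMachines/*"],
                        "not_actions": []},
}

# Constructed resource hierarchy mirroring the slide: subscription -> resource group -> resource.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-web"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"

# Constructed role assignments mirroring the slide's three: Reader to a group at the
# subscription, Contributor to a user at a resource group, Owner to a user at one resource.
ASSIGNMENTS = [
    {"role": "Reader",      "subject": "ops-readers",       "scope": SUB},
    {"role": "Contributor", "subject": "aaron@company.com", "scope": RG},
    {"role": "Owner",       "subject": "aaron@company.com", "scope": VM},
]


def matches(pattern, action):
    """Azure-style wildcard: '*' spans any characters including '/', case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.lower().split("*")) + "$"
    return re.match(regex, action.lower()) is not None


def role_permits(role, action):
    """A role permits an action when some Actions pattern matches it and no
    NotActions pattern does. NotActions only narrow this role's own grant;
    they never deny what a different assignment grants."""
    definition = ROLES[role]
    allowed = any(matches(p, action) for p in definition["actions"])
    excluded = any(matches(p, action) for p in definition["not_actions"])
    return allowed and not excluded


def scope_covers(assignment_scope, target_scope):
    """Inheritance: an assignment applies at its own scope and at every child scope,
    i.e. when the assignment scope is a path prefix (on a '/' boundary) of the target."""
    parent = assignment_scope.lower().rstrip("/")
    child = target_scope.lower().rstrip("/")
    return child == parent or child.startswith(parent + "/")


def is_allowed(user, groups, action, scope, assignments=ASSIGNMENTS):
    """Access check: allowed if any assignment names the user or one of the user's
    groups, covers the target scope, and has a role that permits the action."""
    subjects = {user.lower()} | {g.lower() for g in groups}
    return any(
        a["subject"].lower() in subjects
        and scope_covers(a["scope"], scope)
        and role_permits(a["role"], action)
        for a in assignments
    )


if __name__ == "__main__":
    # Ellen is only a member of the reader group assigned at the subscription.
    print(is_allowed("ellen@company.com", ["ops-readers"],
                     "Microsoft.Compute/virtualMachines/read", VM))    # True (inherited from the subscription)
    print(is_allowed("ellen@company.com", ["ops-readers"],
                     "Microsoft.Compute/virtualMachines/write", VM))   # False
    # Aaron: Contributor at the resource group cannot manage access there ...
    print(is_allowed("aaron@company.com", [],
                     "Microsoft.Authorization/roleAssignments/write", RG))  # False
    # ... but his separate Owner assignment on the VM can; Contributor's NotActions do not deny it.
    print(is_allowed("aaron@company.com", [],
                     "Microsoft.Authorization/roleAssignments/write", VM))  # True
```

The last two calls are the check worth internalising: because NotActions is a subtraction inside one role rather than a deny, auditing "who can change role assignments" means looking at every assignment a subject holds at or above a scope, not just the one you expect.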
Azure AD Authorization Platform

[Diagram: on-premises Active Directory syncs users and groups to Azure Active Directory, which stores roles and role assignments (policy) and audit data, synced to the closest geo location. The Azure preview portal and APIs (Azure Resource Manager) perform the access check, via an SDK, using the token's group membership claims, and reason over policy and audit.]
Demo: Access Management (Dushyant Gill)
RBAC & Azure Resource Manager

[Diagram: Azure Resource Manager routes to resource providers, including the RBAC RP (roles and role assignments) and the Events RP (Azure events), both backed by Azure Active Directory.]
Demo: Access Change History - RBAC and Events RP (Dushyant Gill)
Integrate your app's access with AAD groups

Using AAD groups directly
1. Ellen (resource owner) grants access to an AAD group 'Ellen's Team'. The app renders a "people picker" using the AAD Graph API and persists the group objectId in its "permissions table".
2. Joe (member of 'Ellen's Team') accesses the resource. The token contains a groups claim; the app checks access by comparing the groups claim values with the persisted objectIds.
3. Sam (member of 'Ellen's Team') accesses the resource. The token contains an overage claim instead of the groups list; the app queries the AAD Graph API for the user's groups and compares them with the persisted objectIds.

Using AAD app roles
1. App developer publishes app roles in AAD: App Roles = "Publisher", "Subscriber".
2. Customer admin assigns app roles to users, groups and client applications: Kim -> "Publisher"; Ellen's Team -> "Subscriber".
3. Kim accesses the resource. The token contains a roles claim (roles="Publisher"); the app checks access using "IsInRole".
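Both flows above come down to a check on token claims, with one failure mode that is easy to miss: in the overage case the `groups` claim is absent and the app must go to the Graph API rather than treat the user as having no groups. The following is an added example, not code from the deck or any Microsoft SDK, that implements steps 2 and 3 of the groups flow and the IsInRole check of the app-roles flow. It assumes the token's signature, issuer, audience and expiry have already been validated by your token library and only the resulting claims dictionary is handled. The overage claim is represented with the `_claim_names` / `_claim_sources` shape Azure AD uses; the GUIDs, the resource id `doc-42`, the `PERMISSIONS_TABLE`, the endpoint URL and the `GRAPH_MEMBERSHIPS` dictionary standing in for the Graph API membership call are all constructed for this example.

```python
# The app's "permissions table": resource id -> group objectIds the resource owner
# granted (constructed GUIDs). Compare on objectId, never on a display name.
PERMISSIONS_TABLE = {
    "doc-42": {"8f3a0c2e-5b1d-4a6e-9c7f-0123456789ab"},   # 'Ellen's Team'
}

# Constructed claims for Joe: group memberships arrive inline in the "groups" claim.
JOE_CLAIMS = {
    "oid": "11111111-1111-1111-1111-111111111111",
    "groups": ["8F3A0C2E-5B1D-4A6E-9C7F-0123456789AB",
               "aaaaaaaa-0000-0000-0000-000000000002"],
}

# Constructed claims for Sam: too many groups, so Azure AD emits an overage claim
# (_claim_names/_claim_sources) instead of the list. The endpoint value is made up.
SAM_CLAIMS = {
    "oid": "22222222-2222-2222-2222-222222222222",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint":
        "https://graph.windows.net/contoso.example/users/22222222-2222-2222-2222-222222222222/getMemberObjects"}},
}

# Constructed claims for Kim: app roles arrive in the "roles" claim.
KIM_CLAIMS = {"oid": "33333333-3333-3333-3333-333333333333", "roles": ["Publisher"]}

# Stand-in for the AAD Graph API membership lookup the app performs on overage,
# keyed by user objectId (constructed data; a real app calls the Graph API here).
GRAPH_MEMBERSHIPS = {
    "22222222-2222-2222-2222-222222222222": ["8f3a0c2e-5b1d-4a6e-9c7f-0123456789ab"],
}


def fetch_groups_from_graph(user_oid):
    """Placeholder for the Graph API call; returns the user's group objectIds."""
    return GRAPH_MEMBERSHIPS.get(user_oid, [])


def user_groups(claims, fetch_groups=fetch_groups_from_graph):
    """Steps 2 and 3: use the groups claim when present; on an overage claim,
    resolve memberships through the Graph API. Only when neither is present
    does the user genuinely have no groups."""
    if "groups" in claims:
        return {g.lower() for g in claims["groups"]}
    if "groups" in claims.get("_claim_names", {}):
        return {g.lower() for g in fetch_groups(claims["oid"])}
    return set()


def has_group_access(claims, resource_id, fetch_groups=fetch_groups_from_graph):
    """Grant if any of the user's group objectIds is in the resource's permissions."""
    permitted = {g.lower() for g in PERMISSIONS_TABLE.get(resource_id, set())}
    return bool(user_groups(claims, fetch_groups) & permitted)


def is_in_role(claims, role):
    """App-roles flow: the equivalent of IsInRole, an exact match on the roles claim."""
    return role in claims.get("roles", [])


if __name__ == "__main__":
    print(has_group_access(JOE_CLAIMS, "doc-42"))    # True  (groups claim)
    print(has_group_access(SAM_CLAIMS, "doc-42"))    # True  (overage, resolved via Graph stand-in)
    print(has_group_access({"oid": "x"}, "doc-42"))  # False (no groups at all)
    print(is_in_role(KIM_CLAIMS, "Publisher"))       # True
    print(is_in_role(KIM_CLAIMS, "Subscriber"))      # False
```

Two points the slide's wording implies but a reviewer should verify in real code: the persisted value is the group objectId (display names can be renamed or duplicated), and the overage branch is exercised in tests, since a user in many groups will otherwise be silently denied, or, in apps that fall back to a name-based check, wrongly granted.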
What's ahead
- Custom roles
- Access change history
- Reporting over policy and audit
- Just-in-time access
- Conditional access
- Resource tag based access control
- User attribute based access control
- Available to 3rd party applications
- Separation of duties
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.