Understanding User Access Risk Management Within Azure Portal
By Alex Meyer
09/17/2024
4 min read
Microsoft Azure functions as both the infrastructure and platform that lets companies operate their business-critical application servers, backups, websites, and other hardware and software business applications virtually.
Microsoft Azure Portal is a web-based application that allows users to create, manage, monitor, and delete resources on the Azure platform. Security in the Azure portal is role-based, meaning that access to subscriptions, accounts, applications, and data is granted as a function of the role assigned to that user (also known as Role-Based Access Control or RBAC).
The Azure Security Model
Role Permissions
Roles are granted permissions based on Actions and DataActions:
- Actions – determine what the role can do to securable objects in the system.
- DataActions – determine what the role can do to the data stored within those securable objects.
Figure 1 – Example Azure role definition showing Actions and DataActions
Role Assignment
Roles can be assigned to:
- Users – refer to Azure Active Directory (AAD) Users
- Groups – refer to AAD Groups which in turn can contain AAD groups and AAD Users
- Service Principals / Managed Identities – refer to applications or other non-users that can still be assigned security in Azure (for example, automated services)
Figure 2 – Role assignments: User, Group, Service Principal/Managed Identity
Assignment Scope
Role assignments and role definitions can be further restricted so that they apply only at a particular scope. This allows for a cleaner role setup, because you do not need duplicate roles that grant the same object access to different areas of your Azure environment. Instead, you can have one role and assign it at different scopes.
In Azure, you can specify a scope at four levels: management group, subscription, resource group, and resource. Scopes are structured in a parent-child relationship. Each level of hierarchy makes the scope more specific. You can assign roles at any of these levels of scope and the level you select determines how widely the role is applied.
For example, if Alice has been assigned the Reader role at the subscription scope (e.g., for the ABC Subscription), she will also have Reader role access to the underlying resource groups and resources within the ABC Subscription, but she would not have access to other Subscriptions in the tenant.
Figure 3 – Assignment scope: management group, subscription, resource group, and resource
Challenges of Understanding User Access Risk Management on Azure Portal
Role-based access is a powerful technique that helps maintain the security of your Microsoft Azure environment. It helps prevent unauthorized access to your business-critical applications, an important element for audit compliance. RBAC also helps maintain the principle of least privilege, where access is only granted to the individuals required to have it, to reduce unauthorized access and data manipulation.
However, as your enterprise needs grow, your Azure administration becomes much more complicated: the number of roles and permissions grows each time departments, accounts, subscriptions, apps, and resource groups are added.
Eventually, it becomes difficult to identify which users should be assigned the proper roles and permissions. Administrators get overwhelmed reviewing page after page of user permissions to specific securable objects for each application. To make matters worse, it is typically the business process owner of the business application, not the system administrator, who truly knows which users should have access and the level of access that should be granted to those users.
Ultimately, the challenge of Azure Portal security is whether those responsible for enterprise information security (CIOs, CTOs, CSOs, CISOs, system administrators, DevOps, etc.) can answer these questions:
- Who has critical access to your Azure accounts?
- Are there security gaps in your user provisioning for Azure applications?
- Can you audit the users and the security objects they can access?
How Fastpath Can Help with User Access Management on Microsoft Azure
Users who can create and change Azure resources and provisioning affect not only the security of your Azure environment; their changes can also significantly increase the financial cost of your Azure deployment.
Fastpath offers native integration with Microsoft Azure Portal. This integration allows you to capture the security data within Azure Portal and analyze the results for user and role access, giving you a better understanding of who has access, how they are getting access, and what critical access exists within your organization.
Now your system administrators can conveniently consolidate the data from Azure Portal and get a broad view of your company's entire security profile.
Fastpath lets you:
- Understand who has critical access to all securable objects across all your Azure-based business applications (including administrator access, access to the key vault, authority to make changes to or create new subscriptions, and more).
- Create auditable workflows to automate user access reviews and access certifications.
- Maintain sound management of your resources to help you and your administrators save money and increase security.
- Capture data security privileges to the permission and securable object level.
- Define rulesets and enforce separation of duties for critical applications and secure your financial, operational, and technical assets.
- Augment Azure Portal reporting to improve user access management and security.
- Generate SOC reports to audit and validate internal controls.
Schedule a demonstration and see how Fastpath can help you manage your Azure security, compliance, and risk management needs.