Learn some of the Azure Active Directory roles that can be used to manage user access to the directory, and then see the procedure demonstrated using the Azure portal.
- [Instructor] Azure Active Directory can also be secured by assigning specific roles to users. There are several roles that you can assign to users, but I'm only going to cover a few here. First we have the global or company Azure Active Directory administrator. This user can do everything and it will be assigned to the person who signed up for the Azure service, and this will also be the Azure account administrator. Next we have the Azure Active Directory billing administrator. This user can view company information, view user information, they can manage billing and purchasing for Office SKUs, and they can also manage support tickets, but that's it, they don't have any access to resources.
Next we have the password Azure Active Directory administrator. Just like the billing admin, they can view company info, they can view user info, they can manage support tickets, and they can reset user passwords. Next we have the service Azure Active Directory administrator. The user assigned to this role can view company information, view user info, and the service administrator can also manage the support tickets. Finally we have the user Azure Active Directory administrator.
This user can view company information, as well as view user information. They can manage the support tickets, but they cannot reset billing, or the global, or service administrator passwords. They can create, delete, and edit users and groups and they have limited management of licenses, meaning they cannot delete a global administrator and they cannot create a global administrator. Let's flip over to Azure and take a look at this in action. I've logged into Azure and we're going to go ahead and pop into Azure Active Directory.
You may be wondering right off the top, where are the roles? Well, they're kind of hidden. You'll have to click in Users and Groups and then click All Users, and then you'll pick a user. In this example, I'm going to select Lucy. Now I can click on the Directory Role. From here, I can assign Lucy a specific role. She can be a User, she can be a Global Administrator, or she can be a Limited Administrator.
From here, we can pick the specific roles for Lucy. We may want her to be a Password Administrator and maybe just a Billing Administrator. I can go ahead and click Save and Lucy now has the right to reset passwords, and to manage support tickets, and view user information. In order to keep Azure Active Directory secure, I would highly recommend you spend some time in the directory roles and assign the proper roles to the appropriate users.
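A review check for the recommendation that closes the transcript, added here as an example and not part of the course material: it takes (user, role) records and flags accounts that hold Global Administrator together with limited roles, which are redundant because that role can do everything, and directories with more Global Administrators than a chosen limit. The sample records, the function name `Get-DirectoryRoleReview` and the limit of 2 are assumptions.

```powershell
# Constructed sample assignments (user, role); not exported from a real tenant.
$sample = @(
    [pscustomobject]@{ User = 'lucy@contoso.example';  Role = 'Password Administrator' }
    [pscustomobject]@{ User = 'lucy@contoso.example';  Role = 'Billing Administrator' }
    [pscustomobject]@{ User = 'owner@contoso.example'; Role = 'Global Administrator' }
    [pscustomobject]@{ User = 'sam@contoso.example';   Role = 'Global Administrator' }
    [pscustomobject]@{ User = 'sam@contoso.example';   Role = 'User Administrator' }
    [pscustomobject]@{ User = 'ops@contoso.example';   Role = 'Global Administrator' }
)

function Get-DirectoryRoleReview {
    # Hypothetical helper: returns one finding object per issue found.
    param(
        [Parameter(Mandatory)] [object[]] $Assignments,
        [int] $MaxGlobalAdmins = 2   # assumed review limit, not from the course
    )
    $globalRole = 'Global Administrator'
    $findings = @()

    # Per user: limited roles add nothing once Global Administrator is held.
    foreach ($group in ($Assignments | Group-Object User)) {
        $roles = @($group.Group.Role | Sort-Object -Unique)
        if (($roles -contains $globalRole) -and ($roles.Count -gt 1)) {
            $extra = @($roles | Where-Object { $_ -ne $globalRole })
            $findings += [pscustomobject]@{
                User    = $group.Name
                Finding = 'RedundantLimitedRole'
                Detail  = $extra -join ', '
            }
        }
    }

    # Directory-wide: count distinct holders of the role that can do everything.
    $admins = @(($Assignments | Where-Object Role -eq $globalRole).User | Sort-Object -Unique)
    if ($admins.Count -gt $MaxGlobalAdmins) {
        $findings += [pscustomobject]@{
            User    = '(directory)'
            Finding = 'TooManyGlobalAdmins'
            Detail  = "$($admins.Count) holders: $($admins -join ', ')"
        }
    }
    return $findings
}

Get-DirectoryRoleReview -Assignments $sample | Format-Table -AutoSize
```

Lucy's two limited roles from the demo produce no finding; only the overlap with Global Administrator and the holder count do.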
- Implementing Azure Resource Manager templates
- Creating a template from a deployment
- Deploying a template using the portal
- Deploying a template using PowerShell
- Using Azure Quickstart Templates
- Using service principals
- Locking Azure resources
- Securing Azure subscriptions
- Azure Active Directory roles
- Designing custom RBAC roles