Microsoft Entra ID / Azure Active Directory Roles

Microsoft Entra ID / Azure Active Directory Roles

Table of contents

In this article we will be working on the following project bellow;

Project 1: Explain the difference between Azure AD Roles and Azure Roles

Project 2: Create Admin Department and add two users to it

Project 3: Assign Global Administrator Role to User A

Project 4: Show all the steps it took the Global Admin to Log in into the Azure Portal with his new credentials

Project 5:Let the Global Administrator create/onboard a new member to the Admin Department

Project 1: Explain the difference between Azure AD Roles and Azure Roles

Sometimes, we may confuse Azure AD roles and Azure roles for each other, that’s role-based access control in Azure. In this article, I will explain some of the core differentiation between these two terms;

Azure AD Roles:

Azure AD is an identity store in Azure or cloud. which can define users, groups, applications, and service principles. These users can authenticate onto Azure and they can access resources that are part of Azure subscription. We can assign Azure AD roles to a user and these permissions are normally given to manage the various aspects of Azure AD. Example; Let’s say we want to give a user the ability to register applications in Azure, then we can assign the user as application administrator role or let's say we want to give the ability for a user to manage groups, then we can assign the user group's administrator role.

The Azure AD roles include the following:

Global administrator – the highest level of access, including the ability to grant administrator access to other users and to reset other administrator’s passwords.
User administrator – can create and manage users and groups, and can reset passwords for users, Helpdesk administrators and User administrators.
Helpdesk administrator – can change the password for users who don’t have an administrator role and they can invalidate refresh tokens, which forces users to sign back in again.
Billing Administrator – can make purchases and manage subscriptions.

Azure Roles:

This involves access and utilization of azure resources base on assigned role, A role is made up of a name and a set of permissions. Each resource contains an Access Control ( that’s Identity and Access Management) which lists who ( that’s user or group, service principal or managed identity) has been assigned to, which role for that resource. Resources can also inherit these role-based access control settings from their parent resource group, subscription, management group, Azure policy or blueprint.

The four fundamental roles are:
Owner – Full rights to change the resource and to change the access control to grant permissions to other users.
Contributor – Full rights to change the resource, but not able to change the access control.
Reader – Read-only access to the resource
User Access Administrator – No access to the resource except the ability to change the access control.

For more information visit;

https://techcommunity.microsoft.com/t5/itops-talk-blog/what-s-the-difference-between-azure-roles-and-azure-ad-roles/ba-p/2363647

https://learn.microsoft.com/en-gb/entra/identity/role-based-access-control/permissions-reference?WT.mc_id=modinfra-28824-socuff

https://learn.microsoft.com/en-gb/azure/role-based-access-control/built-in-roles?WT.mc_id=modinfra-28824

Project 2: Create Admin Department and add two users to it

for us to create an Admin Department and add two users we need to sing in to Azure and click on the search bar, search for “Microsoft Entra ID” and click on it, first we be creating users and proceed to create a group that will represent the admin department:

Creating users;

Step 1: click on user as displayed below;

Step 2: select create new user as seen on the image below;

Step 3: Basic; under basic proceed to identity and give your user “User principal name”

Step 4: Proceed to display name and password; input your preferred name, it can be same as your user principal name or different, however for this article I will be using the same name I chose as my user name and next is password you can use the auto-generated password in as much you can remember it or save it adequately for reference purposes or you can crate a personalized password.

Step 5: let other settings be at there default state and click on “review+create” and create

Creating group;

In order to create the admin department we need to create a group that’s assigned the admin department role, follow the steps below to create a group:

Step 1: sign in to Azure and search for “Microsoft Entra ID” proceed by clicking on Group as seen on the image below;

Step 2: click on New Group

Step 3: Group Type should be at its default setting “security”

Step 4: Group Name; assigned group name

Step 5: Group Description this can be left empty or assigned

Step 6: Membership Type is defaultly assigned

Step 7: Members add member by clicking on "No members selected" and click on users to select the user you prefer to add to the group/department for this project/article we will be adding user A and User B as seen in the image below;

Step 8: click on Create to complete the process

Project 3: Assign the Global Administrator Role to User A

assigning "User A" Global Administrator Role;

Step 1: from the default directory or “Microsoft Entra ID” click on “user”

Step 2: click on the preferred user in this case is “User A”

Step 3: click on assigned roles as seen in the image below

Step 4: click on add assignments

Step 5: search for Global Administrator Role and select the role and add it.

Project 4: Show all the steps it took the Global Admin to Log in into the Azure Portal with his new credentials

the Global Administrator can access is recourse by log in to azure portal using the credentials (that’s the user-email and password that was selected when the user was created) that was used during the creation process.

Step 1: go to azure portal or website at https://portal.azure.com/ and sign in with the user-email and password that was used to create the Global Admin

Step 2: update your password to gain access

the image below show that User A has successful gain access with the credentials that was used to create it;

Project 5:Let the Global Administrator create/onboard a new member to the Admin Department

creating users;

Step 1: click on user as displayed below

Step 2: select create new user as seen

Step 3:Basic; under basic proceed to identity and give your user “User principal name”

Step 4:Proceed to display name and password; input your preferred name, it can be same as your user principal name or different, however for this article I will be using the same name I chose as my user name and next is password you can use the autogenerated password in as much you can remember it or save it adequately for reference purposes or you can crate a personalized password.

Step 5: Move to "Assignments" and click on "add group"

Step 7: click on add group and select your preference, for the purpose of this article we will selected admin department.

Step 8: click on "review+create" and create.

the image below show the new user as been added to the member list and under the admin department;

thanks for your time and i hope you find this article useful......................