Forum Discussion

fotine
Copper Contributor
Mar 15, 2021
Solved

Azure Active Directory Functions Vs Azure Functions (RBAC)

In the Azure Active Directory functions we have:

Global Administrator - is responsible for managing the active directory infrastructure

User Administrator - is responsible for managing User, Groups… etc

Invoice Administrator - this takes care of invoices, Billing… etc.

 

In Azure functions (RBAC) we have:

Owner: Has almost the same capabilities as the main user of the Azure portal, the owner can create users, give permissions, delete user ... etc

Contributor: It has almost the same capabilities as the owner, but he cannot give permissions to users.

Reader: has the momentary permission to read.

 

My doubt is as follows:

Does the Global Administrator have the ability to create resource groups?

Does the owner have the ability to create Users, more than these users? Are they active directory users?

I did a test, created a user and put him as an owner, but he was unable to create users in the Active Directory.

  • Hi, fotine 

     

    Azure AD (AAD) Global Administrators by default do not have privileges over Azure resources. Their role scope is only the AAD itself. However, a Global Administrator can elevate her/himself and become User Access Administrator at the Azure root Management Group - with this privilege, this user can then add her/himself other Azure roles, such as Owner, at any Azure scope. More details here. As you see, AAD Global Admin is the most powerful role in Azure and at least these identities should be very well protected (strong password, MFA, etc.). Answering your question: an AAD Global Administrator can't by default create Azure Resource Groups but has the means to do so by elevating access.

     

    Azure Owners (or other Azure roles) have privileges over the Azure scope only (management groups, subscriptions, resource groups, or resources). Their privileges are inherited down the hierarchy. Therefore, a Management Group Owner has privileges down to all the MGs, subscriptions, resource groups, etc. in the MG hierarchy. Having said that, an Azure Owner does not have privileges over Azure AD, unless this user is also granted an AAD privilege (Global Admin, User Admin, etc.).
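The two points in the reply above, inheritance of Azure roles down the management-group hierarchy and the root-scope User Access Administrator assignment a Global Administrator gains by elevating access, as a small added example (written for this thread, not Microsoft's code). The hierarchy, principals and activity-log entries are constructed sample data; only the `Microsoft.Authorization/elevateAccess/action` operation name is the real value Azure records.

```python
# Added example (not from the thread): models Azure RBAC inheritance down the
# management-group hierarchy and flags the root-scope User Access Administrator
# assignment that a Global Administrator gains via "elevate access".
# Scopes, principals and log entries are constructed sample data.
from collections import namedtuple

MG = "/providers/Microsoft.Management/managementGroups/"
# Constructed child -> parent scope map; "/" is the Azure root scope.
HIERARCHY = {
    MG + "tenant-root": "/",
    MG + "prod": MG + "tenant-root",
    "/subscriptions/sub-prod-1": MG + "prod",
    "/subscriptions/sub-prod-1/resourceGroups/rg-web": "/subscriptions/sub-prod-1",
}
Assignment = namedtuple("Assignment", "principal role scope")
ASSIGNMENTS = [
    Assignment("alice", "Owner", MG + "prod"),                   # management group Owner
    Assignment("bob", "Reader", "/subscriptions/sub-prod-1"),
    Assignment("ga-admin", "User Access Administrator", "/"),    # elevated Global Admin
]
# Constructed Azure Activity Log entries; the operationName is the real value
# Azure writes when a Global Administrator elevates access.
ACTIVITY_LOG = [
    {"caller": "ga-admin", "operationName": "Microsoft.Authorization/elevateAccess/action"},
    {"caller": "alice", "operationName": "Microsoft.Resources/subscriptions/resourceGroups/write"},
]

def effective_roles(principal, scope, assignments=ASSIGNMENTS):
    """Roles a principal holds at `scope`, including those inherited from every ancestor."""
    roles = set()
    while scope is not None:
        roles |= {a.role for a in assignments if a.principal == principal and a.scope == scope}
        scope = HIERARCHY.get(scope)  # None once we step above "/"
    return roles

def root_scope_admins(assignments=ASSIGNMENTS):
    """Principals holding User Access Administrator at "/": review, and remove once the task is done."""
    return sorted(a.principal for a in assignments
                  if a.scope == "/" and a.role == "User Access Administrator")

def elevate_access_callers(log=ACTIVITY_LOG):
    """Callers that invoked elevate access; each one should map to a known, approved change."""
    return sorted({e["caller"] for e in log
                   if e["operationName"] == "Microsoft.Authorization/elevateAccess/action"})

if __name__ == "__main__":
    print(effective_roles("alice", "/subscriptions/sub-prod-1/resourceGroups/rg-web"))
    print(root_scope_admins(), elevate_access_callers())
```

Alice's Owner assignment on the `prod` management group shows up at the resource group below it, while the root-scope assignment is the one worth alerting on.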
