SOLVED

AAD Conditional Access policies vs Control Access RBAC


Hi community.

Could someone explain to me the difference between Conditional Access and Control Access RBAC policies?

If I understood correctly, with Conditional Access I configure how a user (internal/external) can log in to the Azure environment and/or apps, for example by enabling MFA or geographical location, and so on.

Instead, with Conditional Access (RBAC) policies I could specify what users/groups (internal/external) can do: for example, I can enable read-only privileges for a group for Azure vNet access, or admin privileges for Azure Sentinel.

Is this correct?

Thank you all

best response confirmed by f0cus_13 (Occasional Visitor)
Solution

Hi @f0cus_13,

You are right. Azure and Azure AD are mixed up with each other every now and then. Azure AD is a directory with users, groups, devices, applications, etc. It has, for example, capabilities to manage user access to different applications such as Azure Management or Office 365 applications with Conditional Access policies. If we think of access control overall, this affects the authentication part of the access process.

Azure RBAC is Azure's capability to provide more granular access control to resources, resource groups, subscriptions, etc. Azure RBAC connects Azure AD users (who has access) to roles (what access they have) at a scope (where they have access). If we think of access control overall, this affects the authorization part of the access process.

For your case you can give access to a VNET or Sentinel with Azure RBAC, not with Conditional Access. You can require MFA or a managed device or whatever from the user to access the Azure Management application with Conditional Access.

/Markus
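To make the two stages Markus describes concrete, here is an added, simplified model (not code from this thread and not Azure's own policy engine): Conditional Access gates the sign-in to an app, and only then does an RBAC assignment of principal + role + scope decide whether an action on a resource is authorized. The scope strings, role definitions and policy shape are assumptions chosen to mirror Azure's resource hierarchy.

```python
from dataclasses import dataclass
# Actions each role grants; "*" and "*/read" imitate Azure's wildcard style (assumed).
ROLE_ACTIONS = {"Reader": {"*/read"}, "Contributor": {"*"}}

@dataclass
class Assignment:          # who (principal) + what (role) + where (scope)
    principal: str
    role: str
    scope: str             # e.g. /subscriptions/S1/resourceGroups/RG1
@dataclass
class CAPolicy:            # Conditional Access: conditions on signing in to an app
    app: str
    require_mfa: bool = True
    require_managed_device: bool = False
@dataclass
class SignIn:              # what the sign-in attempt actually presents
    principal: str
    app: str
    mfa_done: bool = False
    managed_device: bool = False

def conditional_access_ok(sign_in, policies):
    """Stage 1 (authentication): every policy targeting the app must be met."""
    for p in (p for p in policies if p.app == sign_in.app):
        if p.require_mfa and not sign_in.mfa_done:
            return False
        if p.require_managed_device and not sign_in.managed_device:
            return False
    return True

def action_matches(pattern, action):
    return pattern == "*" or pattern == action or (
        pattern.startswith("*/") and action.endswith(pattern[1:]))

def rbac_allows(principal, action, resource, assignments):
    """Stage 2 (authorization): assignments at the resource or an ancestor scope apply.
    The '/' after the scope keeps RG1 from matching RG10."""
    return any(
        a.principal == principal
        and (resource == a.scope or resource.startswith(a.scope + "/"))
        and any(action_matches(p, action) for p in ROLE_ACTIONS[a.role])
        for a in assignments)

def access_decision(sign_in, action, resource, policies, assignments):
    """Conditional Access is evaluated first; RBAC only matters once signed in."""
    if not conditional_access_ok(sign_in, policies):
        return "denied: conditional access"
    if not rbac_allows(sign_in.principal, action, resource, assignments):
        return "denied: rbac"
    return "allowed"
```

Note that a Reader assignment on the resource group never turns into write access, and a sign-in without MFA is stopped before any role is consulted.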