Published
Sep 06 2018 09:09 PM
12.5K
Views
First published on CloudBlogs on Jun, 28 2016
Howdy folks, One of the most frequent pieces of feedback we receive from customers is they love how Azure AD helps them gain visibility into risks impacting their organization's identities and assets. But to do that effectively, they need additional RBAC roles so they can provide access to their administrators and security analysts while maintaining separation of duties. This way they can ensure appropriate control over configuration and security policies. So I'm excited to share that we're adding three new administrative roles to Azure AD that enable finer-grained administration. These three new roles "Privileged Role Administrator", "Security Administrator" and "Security Reader" simplify managing and accessing reports in Azure AD Identity Protection and Azure AD Privileged Identity Management (PIM). Using these new roles, organizations can take advantage of these new security capabilities without having to add additional highly-privileged global administrators. You can try these new roles in your organization and give us feedback in the Azure AD Identity Protection and Azure AD Privileged Identity Management forums.
Howdy folks, One of the most frequent pieces of feedback we receive from customers is they love how Azure AD helps them gain visibility into risks impacting their organization's identities and assets. But to do that effectively, they need additional RBAC roles so they can provide access to their administrators and security analysts while maintaining separation of duties. This way they can ensure appropriate control over configuration and security policies. So I'm excited to share that we're adding three new administrative roles to Azure AD that enable finer-grained administration. These three new roles "Privileged Role Administrator", "Security Administrator" and "Security Reader" simplify managing and accessing reports in Azure AD Identity Protection and Azure AD Privileged Identity Management (PIM). Using these new roles, organizations can take advantage of these new security capabilities without having to add additional highly-privileged global administrators. You can try these new roles in your organization and give us feedback in the Azure AD Identity Protection and Azure AD Privileged Identity Management forums.
Security roles in Azure AD Identity Protection
Azure AD Identity Protection , currently in preview, provides a consolidated view into risk events and potential vulnerabilities affecting your organization's identities.
- A user in the new role Security Reader can view reports and settings in Azure AD Identity Protection. This role is ideal for a security analyst who investigates issues but doesn't necessarily take any action themselves.
- A user in the new role Security Administrator can view reports and manage settings in Azure AD Identity Protection. Unlike global administrators, a security administrator can't reset users' passwords in Azure AD Identity Protection.
Security roles in Privileged Identity Management
Azure AD Privileged Identity Management , also in preview, lets you manage, control, and monitor your privileged identities and access to resources in Azure AD as well as other Microsoft online services, including Office 365 or Microsoft Intune.
- A user in the new role Privileged Role Administrator can manage settings and role assignments in Azure AD PIM, and view the Azure AD PIM audit history.
- A user in the any of the Global Administrator , Security Administrator or Security Reader roles can view settings, role assignments, and the Azure AD PIM audit history.
Assigning users to these new roles
The best way to add someone to the Privileged Role Administrator, Security Administrator, or Security Reader roles is through Azure AD PIM. Select the role, click Add, select a user, and click OK. That user will be made eligible to activate the role. The user can then activate the role for a predefined time period, when they need to use Azure AD Identity Protection or Azure AD PIM.
Connect-MsolService
To see who (if anyone) is already permanently assigned to these three new roles in your directory, type:$pra = Get-MsolRole -RoleName "Privileged Role Administrator"
Write-Output "Privileged Role Administrator permanent members"
Get-MsolRoleMember -RoleObjectId $pra.ObjectID | ft EmailAddress,DisplayName
$sa = Get-MsolRole -RoleName "Security Administrator"
Write-Output "Security Administrator permanent members"
Get-MsolRoleMember -RoleObjectId $sa.ObjectID | ft EmailAddress,DisplayName
$sr = Get-MsolRole -RoleName "Security Reader"
Write-Output "Security Reader permanent members"
Get-MsolRoleMember -RoleObjectId $sr.ObjectID | ft EmailAddress,DisplayName
Then, to add a user to a role with a permanent assignment, use the Add-MsolRoleMember command. For instance, to make a user a security administrator, type:Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "user@example.com"
And more good news - these roles will soon light up in other features and applications as well. I'll blog about them when they do. And as always, we'd love to get any feedback suggestions you have. Just head on over to the Azure AD Identity Protection and Azure AD Privileged Identity Management forums and let us know what you think. Best Regards, Alex Simons (Twitter: @Alex_A_Simons ) Director of Program Management Microsoft Identity Division