Session
Delegated and secured management of Azure environments with Azure AD
Most organizations have implemented (internal or customer) Azure workloads in the same Azure AD tenant environment as their corporate production environment for Office 365 and other SaaS solutions. Delegating access and managing separated Azure environments in a single-tenant environment can be challenging.
In this context, various other questions come to mind:
Which aspects should be considered when securing identities or access as part of a privileged DevOps pipeline and its assigned permissions to Azure resources? How can I delegate or separate objects such as service principals or test users within one Azure AD tenant? When should I start to isolate my resources in multiple tenants, and what are the disadvantages?
Microsoft recently implemented new features and published white papers that address this need. In my session, we will go into detail on the following subjects:
- Azure AD Tenant Boundary and multi-tenant scenarios
- Limitations and differences of Azure and Azure AD RBAC delegation
- Custom Azure RBAC roles and scopes (UX and RBAC-as-Code)
- Delegated permissions at the level of Azure AD Administrative Units
- Approval process to gain scoped access to Azure AD objects
- Azure PIM Privileged Access Groups for Azure DevOps roles
Level 300 session
including live demos

Thomas Naunheim
Microsoft MVP | Cloud Security Architect @glueckkanja-gab AG
Koblenz, Germany