New Training: Manage Access Control
In this 8-video skill, CBT Nuggets trainer Daniel Sasse guides you through the minefield of ensuring appropriate Azure access for users, devices, and applications. Watch this new Azure training.
Watch the full course: Microsoft Certified: Azure Security Engineer Associate
This training includes:
8 videos
52 minutes of training
You’ll learn these topics in this skill:
Configure Custom RBAC Roles
Identify the Appropriate Role
Apply Principle of Least Privilege
Interpret Permissions
Create App Registrations
Configure App Registration Permission Scopes
Manage App Registration Permission Consent
Manage API Access to Azure Subscriptions and Resources
How to Apply the Principle of Least Privilege in Azure
The principle of least privilege (POLP) is an important means of preventing computer security attacks. By granting only the permissions necessary to complete a set of tasks, you limit the attack surface. Microsoft Azure allows you to apply POLP through its role-based access control (Azure RBAC), found in Azure Management Groups, Azure Active Directory (now known as Entra) Groups and Azure Privileged Identity Management.
At the heart of Azure RBAC lie three components: security principals, role definitions and scope.
A security principal is an entity requiring permissions, such as a user, a group, a Service Principal or a Managed Identity. You apply permissions to them using Azure Active Directory Groups.
A role definition is the set of permissions that you apply to a defined security principal. You can define this through Azure Resource Roles and Azure Active Directory Administrator Roles.
Finally, a scope defines which Azure resources a particular role definition applies to. You can define this through Azure Management Groups.
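The following added example (not part of the original article or the course material) models how the three components combine into one access decision, and how a least-privilege review can flag an assignment that pairs a wildcard role with a broad scope. The role names, principals and subscription placeholder are constructed, and the evaluation is a simplified model of control-plane `Actions`/`NotActions` and scope inheritance, not Azure's own implementation.

```python
from fnmatch import fnmatchcase

# Constructed role definitions (illustrative, not copied from Azure built-in roles).
ROLES = {
    "vm-operator": {
        "Actions": ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/restart/action"],
        "NotActions": [],
    },
    "broad-admin": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/write"],
    },
}

# Constructed assignments: (security principal, role definition, scope).
SUB = "/subscriptions/SUB-PLACEHOLDER"
ASSIGNMENTS = [
    ("alice", "vm-operator", SUB + "/resourceGroups/rg-app"),
    ("ci-pipeline", "broad-admin", SUB),
]

def _matches(patterns, action):
    # Action strings are compared case-insensitively; '*' is the wildcard.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_allows(role, action):
    # Effective permissions are Actions minus NotActions.
    return _matches(role["Actions"], action) and not _matches(role["NotActions"], action)

def scope_covers(assigned, resource):
    # An assignment at a parent scope is inherited by every child scope.
    a, r = assigned.rstrip("/").lower(), resource.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def is_allowed(principal, action, resource):
    # Access needs all three: matching principal, covering scope, permitting role.
    return any(p == principal and scope_covers(scope, resource)
               and role_allows(ROLES[role], action)
               for p, role, scope in ASSIGNMENTS)

def overbroad_assignments():
    # Least-privilege review: a bare wildcard action granted above resource-group level.
    return [(p, role, scope) for p, role, scope in ASSIGNMENTS
            if "*" in ROLES[role]["Actions"] and "/resourcegroups/" not in scope.lower()]
```
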