Microsoft Broadens Azure Active Directory Role-Based Controls for IT Pros -- Redmondmag.com

Microsoft Broadens Azure Active Directory Role-Based Controls for IT Pros

By Kurt Mackie
06/29/2016

Microsoft has added greater flexibility to its role-based access controls for IT pros using the Azure Active Directory service.

The added flexibility is for the Azure AD Identity Protection service, which was released as a preview in March, and for the Azure AD Privileged Identity Management service, which was first released as a preview in May of 2015 but updated three months later. Azure AD Identity Protection uses Microsoft machine learning technology to check for potentially compromised user accounts. Azure AD Privileged Identity Management, on the other hand, is a tool for global administrators to set access permissions among IT staff and also check for improper security configurations.

Both tools are getting three new roles via an Azure AD service update. The new roles are "Privileged Role Administrator," "Security Administrator" and "Security Reader," according to Microsoft's announcement this week.

These new roles can be used to better address organizational needs, especially when there's a requirement to provide viewing access to security reports but the IT department doesn't want to create more "highly-privileged global administrators" to do so, according to Alex Simons, director of program management for the Microsoft Identity Division, in Microsoft's announcement.

For instance, IT pros previously needed to be a global administrator to have access to the Azure AD Identity Protection service, but "these new roles eliminate that requirement," Simons explained. Being a global administrator is still a requirement, though, to have control over the Azure AD Privileged Identity Management service, he added.

Here's how the new roles work for Azure AD Identity Protection, per Microsoft's announcement:

A Security Reader can "view reports and settings," but can't take actions
A Security Administrator can "view reports and manage settings," but can't reset user passwords

For those using Azure AD Privileged Identity Management, here's how the new roles work:

A Privileged Role Administrator can "manage settings and role assignments" and view the audit history
A Security Administrator or Security Reader can "view settings, role assignments," and the audit history

The new roles can be assigned using the Azure AD Privileged Identity Management service. The roles can be set for a specified time period or the assignments can be made permanent. Alternatively, PowerShell scripts can be used to check role status and assign users, as illustrated in Microsoft's announcement.

These new roles will be coming to other Microsoft products, too, according to Simons. They will "soon light up in other features and applications," he promised.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.