Microsoft Offers New Tool for Cleaning Up Azure IT Role Permissions
The tool can also help organizations meet a service deprecation date in 2024.
Microsoft this week announced a new query tool for IT departments to clean up their Azure role-based access control (RBAC) permissions.
The tool is an "AuthorizationResources table" that's available via Azure Resource Graph, which Microsoft abbreviates as "ARG." It lets organizations determine the number of roles issued for overseeing Azure services, as well as the number of people assigned to a particular role.
Microsoft permits "up to 4,000 role assignments" per Azure subscription and "up to 5,000 custom roles in a directory." These limits, and more, are listed in this document.
Another use of AuthorizationResources ARG queries is to find how many issued roles are actually being used by organizations. With that information, organizations can "act on the results to clean up unused role definitions, remove redundant role assignments, or optimize your existing role assignments using AAD [Entra ID] Groups," the announcement explained.
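The kind of AuthorizationResources query the announcement describes, written here as an added example rather than one of Microsoft's published queries: it joins role definitions against role assignments to count how many assignments each custom role actually has, so roles with zero assignments stand out as candidates for cleanup. The table name and the two resource types are Azure Resource Graph's own; the property paths (`properties.roleName`, `properties.type`, `properties.roleDefinitionId`) are assumed from the Azure authorization resource schema.

```kql
// Added example, not from the article or from Microsoft's announcement.
// Lists custom role definitions with the number of role assignments that
// reference them; assignmentCount = 0 means the role is defined but unused.
// Property paths are assumptions based on the Azure authorization schema.
authorizationresources
| where type =~ "microsoft.authorization/roledefinitions"
| extend roleName = tostring(properties.roleName),
         roleType = tostring(properties.type)           // "BuiltInRole" or "CustomRole"
// Match on the trailing GUID so subscription-scoped and tenant-scoped ids compare equal
| extend roleGuid = tolower(tostring(split(id, "/")[-1]))
| project roleGuid, roleName, roleType, subscriptionId
| join kind=leftouter (
    authorizationresources
    | where type =~ "microsoft.authorization/roleassignments"
    | extend roleGuid = tolower(tostring(split(tostring(properties.roleDefinitionId), "/")[-1]))
    | summarize assignmentCount = count() by roleGuid
) on roleGuid
| extend assignmentCount = coalesce(assignmentCount, 0)
| where roleType =~ "CustomRole"
| project subscriptionId, roleName, assignmentCount
| order by assignmentCount asc
```

Run it in Resource Graph Explorer or with `Search-AzGraph` from Azure PowerShell; the results are scoped to the subscriptions the caller can read, so an empty assignment count only means no assignments are visible within that scope. Dropping the `where roleType =~ "CustomRole"` line gives the same count for built-in roles, which is useful for checking how close a subscription is to the 4,000-assignment limit the article mentions.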
Azure Cloud Services 2024 Retirement
The announcement also mentioned another rationale for cleaning up RBAC assignments, besides it being a good security practice. Namely, Microsoft has deprecation plans for "Azure Cloud Services" on Aug. 31, 2024 and suggested organizations would want to use ARG to "convert Classic Admins to Role Assignments":
With Classic Admins set to be deprecated in August 2024, you can leverage ARG to convert Classic Admins to Role Assignments. We've shared scenarios and queries below to get started! You can try these queries out in the Azure Portal via the Resource Graph Explorer (tutorial).
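An inventory query for the conversion step the announcement refers to, added here as an example and not one of the queries Microsoft shared: it lists the classic administrators recorded in each subscription so that each can be given an equivalent RBAC role assignment before the August 2024 retirement. The `microsoft.authorization/classicadministrators` type is a real Azure Resource Graph resource type; the `properties.emailAddress` and `properties.role` paths are assumptions based on the classic administrators API.

```kql
// Added example, not from the article or from Microsoft's announcement.
// Enumerates classic (ASM) administrators per subscription. Each row is a
// principal that still needs an ARM role assignment before classic admins retire.
// Property paths are assumptions based on the classic administrators API.
authorizationresources
| where type =~ "microsoft.authorization/classicadministrators"
| extend adminEmail  = tostring(properties.emailAddress),
         classicRole = tostring(properties.role)   // e.g. "ServiceAdministrator;CoAdministrator"
| project subscriptionId, adminEmail, classicRole
| order by subscriptionId asc, adminEmail asc
```

Co-administrators map most naturally to an Owner assignment at subscription scope, but the cleanup goal from the first part of the article applies here too: before recreating an Owner for every entry, confirm the person still needs that level of access and prefer a group-based assignment where several admins share the same scope.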
Microsoft's explanation about roles can be a bit confusing because Azure Cloud Services Classic uses compute roles, and not the security roles enabled with RBAC, according to Rob Sanfilippo, an analyst with Directions on Microsoft, a Kirkland, Wash.-based independent consultancy.
"Azure Cloud Services (classic) supports classic admin (no security roles, but yes compute roles), whereas Azure Cloud Services (extended support) supports RBAC (yes security roles, and yes compute roles)," Sanfilippo clarified.
Orgs Can Switch to Azure Cloud Services (Extended Support)
Microsoft gave notice a couple of years ago that it planned to "retire" Azure Cloud Services Classic on Aug. 31, 2024 in this announcement. IT departments should switch to "Cloud Services (extended support)" instead of continuing to use the Classic version, Microsoft advised:
To continue to use your cloud services that were deployed using Cloud Services (classic), migrate them to Cloud Services (extended support) in [Azure] Resource Manager before 31 August 2024.
The "extended support" term may sound like the kind of lifecycle terminology that Microsoft uses with its server products, but it's unrelated, according to Sanfilippo.
Even the Azure Cloud Services term is bound to be confusing. Sanfilippo explained via e-mail that Azure Cloud Services is just the name of an early Azure service.
Azure Cloud Services is one Azure service (that is, resource type), despite the confusing name that makes it sound like it refers to all of Azure. It's one of the original services offered in Azure since the platform's debut. It's a PaaS compute service that hosts worker and web roles that can be used to build Web applications.
Microsoft Commits to Azure Resource Manager
What Microsoft essentially means by its Azure Cloud Services (extended support) terminology is that the service is Azure Resource Manager (ARM) based, vs. an older management approach. Here's how Sanfilippo explained it:
The extended support version is ARM-based, unlike the original (now called classic) version, which is Azure Service Manager (ASM)-based. (ASM is the original Azure deployment model, the predecessor to ARM.)
Even though organizations currently can use the Classic Azure Cloud Services, "it's not a good choice for customers building new applications," he added. It has hung on mainly because "it underpins several other Azure services," but it "continues on with Cloud Services (extended support)."
Aug. 31, 2024 will be the end date for these Classic services, including Classic virtual machines. "At that time, all Azure services will be ARM-based only," Sanfilippo noted.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.