Imagine a user is granted Reader role on a resource group in Azure. Seems safe? No write/delete permissions, right? Now here's the twist: The same user also has Contributor rights on an Azure Automation Account in a different subscription. Using a runbook, they trigger a script that calls a REST API - targeting resources in the first subscription using a Managed Identity with elevated rights. Result? They indirectly modify or even delete production resources they supposedly had only read access to. Lesson: IAM isn't just about what a user can do directly. It’s also about what they can control indirectly - through automation, identities, and chained access. In Azure, permissions + pathways = power. Always audit the full graph - not just roles, but context.
Managing User Permissions in Azure Workflows
Summary
Managing user permissions in Azure workflows means controlling who can access, modify, or delete resources in a cloud environment by assigning specific roles and permissions across different systems. Understanding these permissions is essential for maintaining security and preventing unintended actions that could impact production environments.
- Map responsibilities: Review and assign user roles separately for identity management, resource access, and billing to avoid confusion and prevent unwanted actions.
- Audit permissions: Regularly check not just direct user access, but also pathways like automation scripts and managed identities that could give users more control than intended.
- Enforce separation: Set up clear boundaries between identity, resource, and billing governance so that each team or individual only has access to what they need.
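The chained-access scenario in the opening post and the "Audit permissions" point above, as an added example that is not from any of the posts: a small Python audit that walks role assignments (constructed sample data in the field shape of `az role assignment list` output) from a user, through the automation accounts that user can control, to the managed identities those accounts run as, and flags scopes where the indirect reach is write-capable but the user holds no direct write role. The set of "control" roles, the automation-account-to-identity map and every ID are assumptions.

```python
"""Indirect reach through Automation Account managed identities (added example)."""

# Roles that let a principal edit or run runbooks, i.e. execute code as the account's identity (assumed set).
CONTROL_ROLES = {"Owner", "Contributor", "Automation Contributor"}

SUB_A = "/subscriptions/00000000-0000-0000-0000-00000000000a"
SUB_B = "/subscriptions/00000000-0000-0000-0000-00000000000b"
AUTO_ACCT = SUB_B + "/resourceGroups/rg-ops/providers/Microsoft.Automation/automationAccounts/aa-ops"

# Constructed sample in the field shape of `az role assignment list`: alice is Reader in sub A
# but Contributor on an automation account in sub B whose identity is Contributor on all of sub A.
ASSIGNMENTS = [
    {"principalId": "alice", "principalType": "User", "roleDefinitionName": "Reader",
     "scope": SUB_A + "/resourceGroups/rg-prod"},
    {"principalId": "alice", "principalType": "User", "roleDefinitionName": "Contributor", "scope": AUTO_ACCT},
    {"principalId": "mi-aa-ops", "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor",
     "scope": SUB_A},
    {"principalId": "bob", "principalType": "User", "roleDefinitionName": "Reader", "scope": SUB_A},
]
# Constructed map of automation account resource ID -> its managed identity's principalId.
AUTOMATION_IDENTITIES = {AUTO_ACCT: "mi-aa-ops"}

def scope_covers(scope, resource_id):
    """True if a role assigned at `scope` applies to `resource_id` (ARM scopes inherit downward)."""
    s, r = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")

def indirect_reach(principal_id, assignments=ASSIGNMENTS, identities=AUTOMATION_IDENTITIES):
    """Map each managed identity the principal can act as to that identity's (role, scope) grants."""
    reach = {}
    for account_id, identity in identities.items():
        if any(a["principalId"] == principal_id and a["roleDefinitionName"] in CONTROL_ROLES
               and scope_covers(a["scope"], account_id) for a in assignments):
            reach[identity] = [(a["roleDefinitionName"], a["scope"])
                               for a in assignments if a["principalId"] == identity]
    return reach

def escalations(principal_id, assignments=ASSIGNMENTS, identities=AUTOMATION_IDENTITIES):
    """Indirect write-capable grants at scopes where the principal holds no direct write role."""
    direct_write = [a["scope"] for a in assignments
                    if a["principalId"] == principal_id and a["roleDefinitionName"] in CONTROL_ROLES]
    return [(identity, role, scope)
            for identity, grants in indirect_reach(principal_id, assignments, identities).items()
            for role, scope in grants
            if role in CONTROL_ROLES and not any(scope_covers(d, scope) for d in direct_write)]

if __name__ == "__main__":
    for user in ("alice", "bob"):
        for identity, role, scope in escalations(user):
            print(f"{user} -> acts as {identity}: {role} at {scope}, with no direct write role there")
```

On real data, feed it the JSON from `az role assignment list --all` plus each automation account's `identity.principalId`; the same walk applies to any resource whose identity a user can drive (Logic Apps, Functions, VMs).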
Understanding the flow of identity and access management in Azure Kubernetes Service (AKS) is crucial for ensuring secure and efficient operations. Here’s a step-by-step breakdown of the process:

1. **Terraform → Azure Active Directory (AAD)**
   Terraform provisions Azure resources by:
   - Creating the AKS cluster
   - Connecting AKS with Azure AD
   - Setting up Azure RBAC and Kubernetes RBAC mappings
   Terraform acts as the automation engine that builds everything.

2. **Azure Active Directory (AAD) → AKS**
   Azure AD manages authentication by:
   - Allowing users to sign in using AAD credentials (AAD Login)
   - Enabling AKS to validate identities through AAD
   This setup ensures there are no local Kubernetes users; all identities are sourced from AAD.

3. **AKS → Azure CLI**
   Once authenticated, AKS provides role-based access:
   - The Azure CLI (using `az aks get-credentials`) utilizes Azure RBAC to determine user permissions at the cluster level.

4. **Admin → RBAC**
   An administrator is responsible for managing permissions:
   - Admin assigns roles such as ClusterAdmin, DevOps, Developer, etc.
   - Permissions adhere to the principle of least privilege.

5. **RBAC → Pod/Node Access**
   After roles are assigned:
   - Kubernetes RBAC defines user capabilities within the cluster, including access to pods, listing deployments, and managing workloads.

6. **Pod/Node Access → Azure CLI**
   Users interact with the cluster (pods, nodes, resources) through:
   - `kubectl` (via Azure CLI authentication)
   - Identity validation is conducted by AAD and authorization is handled by RBAC.

**End Result**
This flow guarantees:
- Centralized identity management through AAD
- Secure cluster access via Azure RBAC and Kubernetes RBAC
- Automated provisioning with Terraform
- Proper governance and audit capabilities
🔘 Microsoft Entra ID (Azure AD) – Built-in Roles & Their Uses
▪️ Global Administrator: Full control over all Azure AD & Microsoft services (highest privilege). Can manage roles, users, groups, licenses, billing, security.
▪️ Privileged Role Administrator: Manages role assignments, activates/deactivates PIM, controls who can elevate roles.
▪️ User Administrator: Creates, manages, and deletes users. Resets passwords, manages groups, limited to user lifecycle tasks.
▪️ Groups Administrator: Creates, updates, and deletes security and M365 groups. Cannot manage roles.
▪️ Security Administrator: Manages security-related features (Identity Protection, Conditional Access, MFA). Reads security reports.
▪️ Security Reader: Read-only access to security-related features and reports.
▪️ Compliance Administrator: Manages compliance settings, policies, DLP, retention, and eDiscovery.
▪️ Compliance Data Administrator: Manages audit logs, reports, and monitoring data.
▪️ Authentication Administrator: Manages authentication methods (MFA, FIDO keys, password reset). Cannot assign roles.
▪️ Password Administrator: Resets passwords for non-admins and some limited admin accounts.
▪️ Cloud Application Administrator: Manages app registrations, enterprise apps, consent, and SSO.
▪️ Application Administrator: Full control over app registrations and service principals.
▪️ Exchange Administrator: Manages mailboxes, distribution groups, mail flow in Exchange Online.
▪️ SharePoint Administrator: Manages SharePoint sites, sharing settings, site collections.
▪️ Teams Administrator: Manages Teams policies, meetings, calling, and chat settings.
▪️ Intune Administrator (Endpoint Admin): Manages device compliance, mobile app management, and endpoint security policies.
▪️ Power Platform Admins (Power BI / Power Apps / Power Automate): Manage respective environments, workspaces, and apps.
▪️ Billing Administrator: Manages subscriptions, licenses, billing details.
▪️ License Administrator: Assigns and removes licenses for users.
▪️ Reports Reader: Can view usage, audit, and security reports.
▪️ Helpdesk Administrator (Service Support Admin): Basic support tasks like password reset, limited user management.

✅ Quick Notes:
▪️ Global Admin = “God mode” → should be limited to very few users.
▪️ PIM (Privileged Identity Management) is recommended to assign roles Just-in-Time (JIT) instead of permanently.
▪️ Always apply least privilege (e.g., don’t give Global Admin if only license assignment is needed → use License Administrator).

#AzureAD #AD #IAM #MFA #SSO #IdentityProtection #EntraID #RBAC #IdentityGovernance #SAML #OIDC #OAuth #M365 #Security #Admin #CloudIdentity #CAP #DLP #FIDOkeys #Password #Sharepoint #Roles #PIM #Intune
Most “Azure access issues” are not actually security problems. They are model confusion problems. If your teams struggle with permissions, the root cause is often that we keep assuming there is one permission system in Azure. There are actually three, and mixing them creates silent governance failures.

Azure has three distinct authorization planes:
1) First, Microsoft Entra ID roles for identity and directory level control.
2) Second, Azure RBAC for managing access to Azure resources.
3) Third, Azure Billing and Commerce roles for cost, subscriptions, and financial governance.

They are intentionally separate, and that separation is where most enterprise designs break down. In real environments, I repeatedly see incidents where engineers have “Contributor” access but still cannot perform actions due to Entra conditional access, or where finance teams can see costs but cannot trace them back to resource ownership. Even more common, platform teams accidentally over-permission users because they assume RBAC also covers billing or identity boundaries.

The practical takeaway is simple. You need to design access as a layered system, not a flat role assignment model. Start by mapping responsibilities across identity, resource control, and financial governance. Then enforce separation of duties explicitly across those planes instead of trying to solve everything with RBAC alone.

How are you handling separation of identity, resource, and billing governance in your Azure environments today? https://lnkd.in/eQT9CS5z
#Azure #CloudGovernance #AzureRBAC #EntraID #CloudArchitecture