Give out subscription level permissions for only a specific set of users.
Microsoft recently released the new administrative units feature for Azure Active Directory (AD). The good folks over at Microsoft were so excited about the new feature that they instantly added it as a section in the AZ-500 cloud security exam. However, we at CyberMSI believe that this feature needs a better explanation.
In this blog, we discuss what administrative units are and what they are used for. We will also use an example scenario to demonstrate a situation where administrative units are useful to an organization.
What an Administrative Unit is
An administrative unit is a way of giving subscription-level permissions to an admin so that they apply only to the users and groups that are members of that administrative unit. Subscription-level permissions are the permissions one level above the RBAC roles used in Azure; examples include the security administrator and user administrator roles.
Administrative Unit Requirements
To set up an administrative unit, a user with either the privileged role administrator or global administrator role is required. Once such a user is identified, they can create administrative units based on the permissions the organization believes the admins in each administrative unit need.
Administrative Unit Example Scenario
If Admin-A only needs subscription-level permissions over marketing team members, the marketing group is added to an administrative unit, and Admin-A is then assigned the subscription-level role within that administrative unit, so that their permissions apply only inside the administrative unit they were assigned to.
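The scenario above carried out with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. The user principal name, group name and administrative unit name are placeholders, and the caller is assumed to hold the privileged role administrator or global administrator role. The final step goes one step beyond the scenario: it lists every role assignment Admin-A holds and flags any whose scope is the whole tenant rather than the administrative unit.

```powershell
# Added example (not from the original post): scope Admin-A's User Administrator role
# to the Marketing group through an administrative unit, then audit the result.
# Assumptions: Microsoft Graph PowerShell SDK is installed; the caller holds the
# Privileged Role Administrator or Global Administrator role; the UPN, group and
# AU display names below are placeholders for your own tenant.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Group.Read.All", "User.Read.All"

$adminUpn  = "admin-a@contoso.com"   # placeholder
$groupName = "Marketing"             # placeholder
$auName    = "Marketing AU"          # placeholder
$roleName  = "User Administrator"    # one of the roles the post lists as subscription-level

# 1. Create the administrative unit.
$au = New-MgDirectoryAdministrativeUnit -DisplayName $auName -Description "Marketing-scoped admin boundary"

# 2. Add the Marketing group as a member of the AU.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/groups/$($group.Id)" }

# 3. Assign the role to Admin-A, scoped to the AU instead of the whole tenant ("/").
$adminA = Get-MgUser -UserId $adminUpn
$role   = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id `
    -PrincipalId $adminA.Id -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 4. Audit: an assignment for Admin-A with scope "/" is tenant-wide and defeats
# the purpose of the AU, so list every assignment and flag those for review.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($adminA.Id)'"
foreach ($a in $assignments) {
    $def  = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    $flag = if ($a.DirectoryScopeId -eq "/") { "TENANT-WIDE - review" } else { "scoped" }
    "{0,-30} {1,-60} {2}" -f $def.DisplayName, $a.DirectoryScopeId, $flag
}
```

Step 4 is the check worth repeating in an access review: a scoped assignment only reduces exposure if the same admin does not also keep a tenant-wide copy of the role.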
When to Use AUs in Your Organization
Administrative units are designed to help enforce the principle of least privilege. An organization should use administrative units if it wants to reduce its attack surface by limiting admins to administering only what they need to perform their job functions, nothing more.
Administrative Unit Limitations
At the time of writing, only 6 administrative roles are available for use with administrative units. The other 30-40 administrative roles will likely be added over time, but for now only a limited set of roles is available.
We will continue to share best practices and lessons learned in future posts on administering identity in Azure. New technologies in Azure like administrative units will help security administrators continue to make cloud environments more secure.
In closing, consider these three questions when using administrative units in your organization:
- Do our subscription-level admins have administrative privileges in areas where they do not need them to do their job?
- How should we design and set up our administrative units?
- Are we going to add administrative unit access to our existing access reviews?