ABITBOLIlan-2056 asked, JamesTran-MSFT answered

Roles to be requested for a security assessment

I'm trying to figure out the exact privileges to ask for when a customer needs to create an account on their Azure AD tenant during a security audit.
I have identified the roles:

  • "Security Reader", which allows access to the CSA;

  • "Global Reader", which allows reading the administration information.

But this doesn't seem to be enough. If I want to access the user password policies, is a less privileged role than the "Authentication Policy Administrator" role usable?
Concerning access to the keys, secrets and certificates definitions of the Vault, in order to see for example whether expiration is in place, I have identified the roles "Key Vault Reader" and "Key Vault Secrets User".
Finally, for the storage accounts, which role allows reading everything without being able to modify or assign roles?
azure-rbac

1 Answer

JamesTran-MSFT answered

@ABITBOLIlan-2056
Thank you for your post and I apologize for the delayed response!

> If I want to access the user password policies, is a less privileged role than the "Authentication Policy Administrator" role usable?

- Based on our documentation, it looks like the Authentication Policy Administrator would be the least privileged role to manage auth method and password protection policies.

> For the storage accounts, which role allows reading everything without being able to modify or assign roles?

- Any type of reader role should allow you to read everything without being able to modify or assign roles.

Storage Roles

  • Storage Blob Data Reader

  • Storage File Data SMB Share Reader

  • Storage Queue Data Reader


If the built-in Azure AD and RBAC roles don't meet your specific needs, I'd also recommend looking into creating custom roles:

  • Create or update Azure custom roles using the Azure portal

  • Create and assign a custom role in Azure Active Directory



If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
