Measures reported by AzrADDrctryRlTest
Azure AD roles allow you to grant granular permissions to your admins, abiding by the principle of least privilege.
Azure AD supports two types of role definitions: built-in roles and custom roles.
Built-in roles are out-of-the-box roles with a fixed set of permissions; their definitions cannot be modified. For requirements the built-in roles do not cover, Azure AD also supports custom roles. Granting permission using a custom Azure AD role is a two-step process: first create the custom role definition, then assign it with a role assignment. A custom role definition is a collection of permissions selected from a preset list; these are the same permissions used by the built-in roles.
Azure AD built-in roles differ in where they can be used, and fall into three broad categories.
Azure AD-specific roles: These roles grant permissions to manage resources within Azure AD only. For example, User Administrator, Application Administrator, and Groups Administrator all grant permissions to manage resources that live in Azure AD.
Service-specific roles: For the major Microsoft 365 services outside Azure AD, Microsoft provides service-specific roles that grant permissions to manage all features within that service. For example, the Exchange Administrator, Intune Administrator, SharePoint Administrator, and Teams Administrator roles can manage features within their respective services.
Cross-service roles: Some roles span services. There are two global roles, Global Administrator and Global Reader, which all Microsoft 365 services honor. There are also security-related roles such as Security Administrator and Security Reader that grant access across multiple security services within Microsoft 365. Similarly, the Compliance Administrator role can manage compliance-related settings in the Compliance portal, Exchange, and so on.
In large cloud deployments, it is good practice for administrators to audit role assignments periodically so that inconsistencies are spotted early. Inadvertent or careless mistakes in role assignments can seriously harm the security and integrity of the Azure cloud organization. For instance, if the critical Security Administrator role is assigned to a user who is unfamiliar with the security policies in place, that user may, knowingly or unknowingly, change security settings and put the entire organization at risk. To catch such assignments early, administrators are advised to run the AzrADDrctryRlTest at configured intervals.
This test reports the count of AD roles, and the number of roles that are assigned and yet to be assigned to users. Detailed diagnostics (if enabled) reveal what role has been assigned to which member, thus enabling administrators to verify the legitimacy and correctness of the assignments.
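The following is an added worked example, not part of the original page or of the monitoring product, showing how the three counts described above can be derived from Azure AD role data and how the detailed diagnosis (role to members) supports an assignment audit. The two lists are constructed sample data shaped like the `value` arrays returned by Microsoft Graph's `GET /v1.0/roleManagement/directory/roleDefinitions` and `GET /v1.0/roleManagement/directory/roleAssignments`; the IDs, principal names, descriptions, the `PRIVILEGED_ROLES` set and the approved-holder list are placeholders chosen for illustration. It also covers two edge cases a real tenant produces: the same role assigned to the same principal at two scopes (counted once) and an assignment whose role definition no longer exists (reported, never counted as an assigned role).

```python
from collections import defaultdict

# Constructed sample data (placeholders, not real tenant data), shaped like the
# "value" arrays of GET /v1.0/roleManagement/directory/roleDefinitions and
# GET /v1.0/roleManagement/directory/roleAssignments on Microsoft Graph.
ROLE_DEFINITIONS = [
    {"id": "rd-0001", "displayName": "Global Administrator", "isBuiltIn": True,
     "description": "Manage all aspects of Azure AD and services that use Azure AD identities."},
    {"id": "rd-0002", "displayName": "Security Administrator", "isBuiltIn": True,
     "description": "Read security information and manage security configuration."},
    {"id": "rd-0003", "displayName": "User Administrator", "isBuiltIn": True,
     "description": "Manage users and groups, including password resets for limited admins."},
    {"id": "rd-0004", "displayName": "Global Reader", "isBuiltIn": True,
     "description": "Read everything a Global Administrator can, without updating anything."},
    {"id": "rd-0005", "displayName": "Helpdesk Password Reset (custom)", "isBuiltIn": False,
     "description": "Custom role: reset passwords for non-admin users only."},
]

ROLE_ASSIGNMENTS = [
    {"id": "ra-1", "roleDefinitionId": "rd-0001", "principalId": "u-alice", "directoryScopeId": "/"},
    {"id": "ra-2", "roleDefinitionId": "rd-0002", "principalId": "u-bob",   "directoryScopeId": "/"},
    {"id": "ra-3", "roleDefinitionId": "rd-0002", "principalId": "u-carol", "directoryScopeId": "/"},
    {"id": "ra-4", "roleDefinitionId": "rd-0003", "principalId": "u-carol", "directoryScopeId": "/"},
    # Same role and principal at an administrative-unit scope: must not be double counted.
    {"id": "ra-5", "roleDefinitionId": "rd-0003", "principalId": "u-carol",
     "directoryScopeId": "/administrativeUnits/au-1"},
    # Assignment whose role definition no longer exists: reported, never silently counted.
    {"id": "ra-6", "roleDefinitionId": "rd-9999", "principalId": "u-dave",  "directoryScopeId": "/"},
]

PRINCIPALS = {  # principalId -> userPrincipalName (constructed)
    "u-alice": "alice@contoso.example", "u-bob": "bob@contoso.example",
    "u-carol": "carol@contoso.example", "u-dave": "dave@contoso.example",
}

# Roles whose holders should always be reconciled against an approved list (assumed set).
PRIVILEGED_ROLES = {"Global Administrator", "Security Administrator"}


def compute_measures(role_defs, assignments):
    """Return the three counts the test reports, plus any dangling assignments."""
    known = {r["id"] for r in role_defs}
    # A role counts as assigned once, however many principals or scopes it has.
    assigned = {a["roleDefinitionId"] for a in assignments if a["roleDefinitionId"] in known}
    dangling = [a["id"] for a in assignments if a["roleDefinitionId"] not in known]
    return {
        "Total_drctry_role": len(known),
        "Assigned_role": len(assigned),
        "Unassigned_role": len(known) - len(assigned),
        "dangling_assignments": dangling,
    }


def detailed_diagnosis(role_defs, assignments, principals):
    """Map each role's displayName to the sorted, de-duplicated list of its members."""
    name_of = {r["id"]: r["displayName"] for r in role_defs}
    members = defaultdict(set)
    for a in assignments:
        if a["roleDefinitionId"] in name_of:
            members[name_of[a["roleDefinitionId"]]].add(
                principals.get(a["principalId"], a["principalId"]))
    # Unassigned roles appear with an empty member list so the reviewer sees them too.
    return {name: sorted(members.get(name, ())) for name in sorted(name_of.values())}


def unexpected_privileged_members(diagnosis, approved):
    """Privileged-role holders who are not on the approved list for that role."""
    findings = []
    for role in sorted(PRIVILEGED_ROLES):
        for member in diagnosis.get(role, []):
            if member not in approved.get(role, set()):
                findings.append((role, member))
    return findings


if __name__ == "__main__":
    measures = compute_measures(ROLE_DEFINITIONS, ROLE_ASSIGNMENTS)
    diag = detailed_diagnosis(ROLE_DEFINITIONS, ROLE_ASSIGNMENTS, PRINCIPALS)
    approved = {"Global Administrator": {"alice@contoso.example"},
                "Security Administrator": {"bob@contoso.example"}}
    print(measures)
    for role, who in diag.items():
        print(f"{role}: {', '.join(who) or '(unassigned)'}")
    for role, who in unexpected_privileged_members(diag, approved):
        print(f"REVIEW: {who} holds {role} but is not on the approved list")
```

Note that `Assigned_role` counts roles, not assignments: a role held by ten users still contributes one to the count, which is why the detailed diagnosis, not the bare number, is what an auditor reviews. The reconciliation against an approved list is the step the paragraph above motivates; in a real tenant the approved list would come from whatever system of record the organization uses for privileged access.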
Outputs of the test: One set of results for the Azure AD tenant being monitored
The measures made by this test are as follows:
| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| Total_drctry_role | Indicates the total number of roles available in Azure AD. | Number | Use the detailed diagnosis of this measure to know the ID and name of each role that is available, and a brief description of what each role permits a user to do. |
| Assigned_role | Indicates the number of roles that are currently assigned to users. | Number | Use the detailed diagnosis of this measure to know which user has been assigned which role. This will help administrators identify users whose role assignments do not align with their organizational duties/responsibilities. Note that detailed diagnostics will be reported for this measure only if the Show Assigned Directory DD flag of this test is set to true. |
| Unassigned_role | Indicates the number of roles that are yet to be assigned to users. | Number | Use the detailed diagnosis of this measure to know which roles are still to be assigned to users. |