With Azure Roles-Based Access Control now available, customers can dole out access to Azure's cloud resources based on their roles within their organizations.
One of the most sought-after user management and security features for Microsoft Azure has officially launched, the company said today.
Azure Roles-Based Access Control (RBAC) is out of beta and is now generally available, said Alex Simons, director of program management at Microsoft's Identity Division, in an Oct. 12 announcement. RBAC is the top request from customers evaluating Azure as the foundation for their enterprise cloud environments, he noted.
As its name suggests, Azure Roles-Based Access Control allows administrators to selectively grant their users access to cloud services and production workloads. "Until now, to give people the ability to manage Azure you had to give them full control of an entire Azure subscription," explained Dushyant Gill, a Microsoft Azure Active Directory program manager, in a blog post.
"Now, using RBAC, you can grant people only the amount of access that they need to perform their jobs," continued Gill. RBAC interfaces with Azure Active Directory (AD), Microsoft's cloud-based identity management platform, to map users to their assigned Azure resources.
"Once you extend your Active Directory to the cloud, using Azure AD—your employees can purchase and manage Azure subscriptions using their existing work identity," said Gill. "These Azure subscriptions automatically connect to your Azure AD for single sign-on and access management."
If an AD account is disabled, access to all Azure subscriptions is automatically cut off, enhancing security. In addition, RBAC can provide teams and departments with a level of independence while remaining compliant with an organization's IT policies.
"Using Azure RBAC, you can enable self-service management of cloud resources for your project teams while retaining central control over security sensitive infrastructure," Gill noted. "For example, a common setup is to allow project teams to create and manage their own virtual machines and storage accounts, but only allow them to connect to networks managed by a central team."
RBAC is currently available with several preset roles, but Microsoft is getting ready to flip the switch on custom roles within the coming weeks. According to Microsoft's online documentation, the preset roles include API Management Service Contributor, SQL Security Manager and Virtual Machine Contributor, among several others.
"If none of the built-in RBAC roles addresses your specific access need, you will be able to create a custom RBAC role composing the exact operations to which you wish to grant access," teased Gill.
Administrators can configure RBAC via the command-line management tools for Azure PowerShell or via the Azure Management Portal, currently in preview. However, not all capabilities are supported across both toolsets. For instance, authorizing external users involves using Azure's management user interface (UI), said Microsoft.
"The Configure tab of a directory includes options to control access for external users. These options can be changed only in the UI (there is no Windows PowerShell or API method) in the full Azure portal by a directory global administrator," states RBAC's support documentation.