Global Admin privileges in Active Directory on the Azure cloud
Microsoft are continuing to break out the roles in Azure Active Directory to help isolate “roles” and grant least privilege access. Although they aren’t quite there yet, it should be rare that you would need to grant global admin rights to an account.
Microsoft recommend that you limit GAs as much as you can and instead look to use designated roles. This excludes the two emergency accounts, which should be set up in case AAD fails.
Recently, I’ve seen an increase in posts and tweets about some misconceptions around Global Admins and Azure RBAC. The two main topics are:
- Thinking that Azure Active Directory Roles are the same as Azure RBAC (Infra).
- Comparing Global Admins to Domain Admins.
Thinking that Azure Active Directory Roles are the same as Azure RBAC…
Let’s start with the two role-based access controls.
- Azure AD Roles: Manage your entire O365 suite and Azure AD-integrated applications/services. Think SharePoint…