Delegate role assignment management with conditions in Microsoft Azure

The Owner and User Access Administrator roles let you set up who can do what in your subscription. Basically, if you’re in one of these roles, you can decide who gets to change, see, or delete stuff. Want to hand over these powers to someone else? Just make them an Owner or User Access Administrator.

Either of those roles gives the delegate full control over access within its scope, which goes against the least-privilege rule. That increases your risk, because a compromised Owner or User Access Administrator account opens more ways for an attack to succeed.
A safer approach than handing out Owner or User Access Administrator is to limit which role assignments the delegate is able to create.

This is where the new Microsoft Azure feature called “Delegating role assignment management with conditions” comes in. Using this feature, you can:

  • limit the types of role assignments a delegate can make;
  • stop a delegate from giving another user the power to assign roles;
  • make sure your organization’s least-privilege policies are followed;
  • automate the handling of Azure resources without giving a service account complete permission.

For example, I can configure a service principal with a custom role that lets it delegate other custom roles to other accounts or groups, without the service principal itself holding Owner or User Access Administrator.

So how do I configure this? Let’s look at an example where I want to delegate to a co-worker the ability to grant Key Vault access to other users or groups.

Firstly, we need to assign the role “Role Based Access Control Administrator” at a scope, for instance a subscription or a resource group.

Next, select which user or service principal should receive the permission to delegate.

Then, under Conditions, we define which roles the user is allowed to delegate to others. This is done by selecting “Select roles and principals”.

As part of the feature, we can define not only the roles but also the principals the user will be allowed to delegate access to.

Here I use “Constrain role”, meaning that the account will be allowed to delegate the selected role to any user, group or service principal.

Once I assign this role, I can see it in Access Control under the subscription, listed under Role Based Access Control Administrator.

If you look at the JSON definition of the role, it looks pretty basic (the wildcards in the read and support actions are part of the built-in definition):

    {
      "properties": {
        "roleName": "Role Based Access Control Administrator",
        "description": "Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.",
        "assignableScopes": [
          "/"
        ],
        "permissions": [
          {
            "actions": [
              "Microsoft.Authorization/roleAssignments/write",
              "Microsoft.Authorization/roleAssignments/delete",
              "*/read",
              "Microsoft.Support/*"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ]
      }
    }

However, through the conditions you can define quite granularly what the user is allowed to delegate further.
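The same delegation walked through above, done with the Azure CLI instead of the portal, as an added example that is not from the original post. It assumes the Azure CLI is installed and signed in, that you supply SCOPE and ASSIGNEE yourself, and that the co-worker should only be able to hand out the built-in Key Vault Secrets User and Key Vault Reader roles; the condition text is the Azure ABAC syntax that sits behind the portal’s “Constrain role” choice.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: attach a condition to a
# "Role Based Access Control Administrator" assignment so the delegate can
# only add or remove assignments of the listed role definitions.
set -eu

# Emit the condition for one or more role definition GUIDs ($@). The write
# half constrains new assignments (@Request), the delete half constrains
# removals (@Resource); other actions such as */read are left unaffected.
build_condition() {
  local guids
  guids=$(printf '%s, ' "$@")
  guids=${guids%, }
  cat <<EOF
( (!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}))
  OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${guids}}) )
AND
( (!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'}))
  OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${guids}}) )
EOF
}

# Resolve a built-in role's GUID from its display name instead of hard-coding it.
lookup_role_id() {
  az role definition list --name "$1" --query '[0].name' -o tsv
}

main() {
  # SCOPE and ASSIGNEE are placeholders supplied by the caller.
  local scope="${SCOPE:?set to e.g. /subscriptions/<sub-id>/resourceGroups/<rg>}"
  local assignee="${ASSIGNEE:?set to the delegate object id or UPN}"
  local secrets_user reader
  secrets_user=$(lookup_role_id "Key Vault Secrets User")
  reader=$(lookup_role_id "Key Vault Reader")
  az role assignment create \
    --role "Role Based Access Control Administrator" \
    --assignee "$assignee" --scope "$scope" \
    --condition "$(build_condition "$secrets_user" "$reader")" \
    --condition-version "2.0"
}

# Without --apply the script only defines the functions, so the generated
# condition can be inspected first: build_condition <guid> [<guid>...]
if [ "${1:-}" = "--apply" ]; then main; fi
```

Because the delete half is included, the delegate also cannot remove assignments of roles outside the list, which closes the obvious gap of a write-only constraint.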
