Azure AD - Directory Role Test

Azure AD roles allow you to grant granular permissions to your admins, abiding by the principle of least privilege.

Azure AD supports 2 types of roles definitions: Built-in roles and Custom roles.

Built-in roles are out-of-the-box roles that have a fixed set of permissions. These role definitions cannot be modified. To cover requirements that the built-in roles do not fit, Azure AD also supports custom roles. Granting permission using custom Azure AD roles is a two-step process that involves creating a custom role definition and then assigning it using a role assignment. A custom role definition is a collection of permissions that you add from a preset list. These permissions are the same permissions used in the built-in roles.

Azure AD built-in roles differ in where they can be used, and fall into the following three broad categories.

  • Azure AD-specific roles: These roles grant permissions to manage resources within Azure AD only. For example, User Administrator, Application Administrator, Groups Administrator all grant permissions to manage resources that live in Azure AD.

  • Service-specific roles: For major Microsoft 365 services (non-Azure AD), we have built service-specific roles that grant permissions to manage all features within the service. For example, Exchange Administrator, Intune Administrator, SharePoint Administrator, and Teams Administrator roles can manage features within their respective services.

  • Cross-service roles: There are some roles that span services. We have two global roles - Global Administrator and Global Reader. All Microsoft 365 services honor these two roles. Also, there are some security-related roles like Security Administrator and Security Reader that grant access across multiple security services within Microsoft 365. Similarly, in the Compliance Administrator role you can manage Compliance-related settings in Compliance portal, Exchange, and so on.

In large cloud deployments, it is good practice for administrators to periodically audit the role assignments, so they can spot inconsistencies early. Inadvertent or careless mistakes in role assignments can seriously harm the security and integrity of the Azure cloud organization. For instance, if the critical Security Administrator role is assigned to a user who is unaware of the security policies in place, that user can knowingly or unknowingly toggle security flags, which can put the entire cloud organization at risk. To avoid this, administrators are advised to run the Azure AD - Directory Role test at configured intervals.

This test reports the count of AD roles, and the number of roles that are assigned and yet to be assigned to users. Detailed diagnostics (if enabled) reveal what role has been assigned to which member, thus enabling administrators to verify the legitimacy and correctness of the assignments.
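As an added example (not eG Enterprise code), the following Python computes those three counts and the per-member assignment list from constructed Microsoft Graph-style role data. The mapping assumed here is: every role template counts towards the total, a role is "assigned" when at least one member holds it, and the rest are "unassigned"; whether the eG test derives its measures exactly this way is an assumption.

```python
"""Compute the three Azure AD - Directory Role measures from Graph-style data.

Added example, not eG Enterprise code. Assumes the Microsoft Graph shapes:
/directoryRoleTemplates (every role Azure AD defines), /directoryRoles
(roles activated in the tenant) and /directoryRoles/{id}/members.
"""
from collections import defaultdict

# Constructed sample data resembling Graph responses (not real tenant data).
ROLE_TEMPLATES = [
    {"id": "t-global", "displayName": "Global Administrator",
     "description": "Can manage all aspects of Azure AD and Microsoft services."},
    {"id": "t-secadmin", "displayName": "Security Administrator",
     "description": "Can read security information and manage security settings."},
    {"id": "t-useradmin", "displayName": "User Administrator",
     "description": "Can manage users and groups and reset passwords."},
    {"id": "t-globread", "displayName": "Global Reader",
     "description": "Can read everything a Global Administrator can, cannot update."},
]
ACTIVATED_ROLES = [  # only templates that have been activated appear here
    {"id": "r-1", "roleTemplateId": "t-global"},
    {"id": "r-2", "roleTemplateId": "t-secadmin"},
    {"id": "r-3", "roleTemplateId": "t-useradmin"},
]
MEMBERS_BY_ROLE = {  # /directoryRoles/{id}/members, keyed by activated role id
    "r-1": [{"userPrincipalName": "alice@contoso.example"}],
    "r-2": [{"userPrincipalName": "bob@contoso.example"},
            {"userPrincipalName": "carol@contoso.example"}],
    "r-3": [],  # activated but nobody assigned
}


def directory_role_measures(templates, activated, members_by_role):
    """Return the counts the test reports plus per-role membership (the DD)."""
    template_by_id = {t["id"]: t for t in templates}
    assignments = defaultdict(list)  # role displayName -> [UPN, ...]
    for role in activated:
        name = template_by_id[role["roleTemplateId"]]["displayName"]
        for member in members_by_role.get(role["id"], []):
            assignments[name].append(member["userPrincipalName"])
    all_names = [t["displayName"] for t in templates]
    assigned = [n for n in all_names if n in assignments]
    unassigned = [n for n in all_names if n not in assignments]
    return {"total": len(all_names), "assigned": len(assigned),
            "unassigned": len(unassigned), "unassigned_roles": unassigned,
            "assignments": dict(assignments)}
```

Calling `directory_role_measures(ROLE_TEMPLATES, ACTIVATED_ROLES, MEMBERS_BY_ROLE)` on the sample data gives 4 total, 2 assigned and 2 unassigned roles; the `assignments` entry is the "which user holds which role" view the detailed diagnosis provides.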

Target of the Test: A Microsoft Azure Active Directory

Agent deploying the test: A remote agent

Output of the test: One set of results for the Azure AD tenant being monitored

Configurable parameters for the test
Parameter / Description

Test Period

How often should the test be executed.

Host

The host for which the test is to be configured.

Tenant ID

Specify the Directory ID of the Azure AD tenant to which the target subscription belongs. To know how to determine the Directory ID, refer to Configuring the eG Agent to Monitor Microsoft Azure Active Directory Using Microsoft Graph API

Client ID, Client Password, and Confirm Password

To connect to Azure AD, the eG agent requires an access token, which it obtains using an Application ID and the corresponding client secret value. If a Microsoft Azure Subscription component is already monitored in your environment, then you would have already created an Application for monitoring purposes. You can provide the Application ID and Client Secret value of that application here. However, if no such application pre-exists, you will have to create one for monitoring Azure AD. To know how to create such an application and determine its Application ID and Client Secret, refer to Configuring the eG Agent to Monitor Microsoft Azure Active Directory Using Microsoft Graph API. Specify the Application ID of the Application in the Client ID text box and the client secret value in the Client Password text box. Confirm the Client Password by retyping it in the Confirm Password text box.

Proxy Host and Proxy Port

In some environments, all communication with the Azure cloud may be routed through a proxy server. In such environments, you should make sure that the eG agent connects to the cloud via the proxy server and collects metrics. To enable metrics collection via a proxy, specify the IP address of the proxy server and the port at which the server listens against the Proxy Host and Proxy Port parameters. By default, these parameters are set to none, indicating that the eG agent is not configured to communicate via a proxy.

Proxy Username, Proxy Password and Confirm Password

If the proxy server requires authentication, then, specify a valid proxy user name and password in the Proxy Username and Proxy Password parameters, respectively. Then, confirm the password by retyping it in the Confirm Password text box.

Show Assigned Directory DD

By default, this flag is set to false. This means that, by default, the test will not report detailed diagnostics for the Assigned directory role measure. This default setting ensures that the detailed metrics for the Assigned directory role measure do not hog space in the eG database in environments where roles are assigned to numerous Azure users.

If you have a well-tuned and well-sized eG database, then set this flag to true. In this case, the test will collect and store detailed metrics for the Assigned directory role measure.

DD Frequency

Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time this test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD frequency.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.

Measures made by the test:

Measurement / Description / Measurement Unit / Interpretation

Total directory role

Indicates the total number of roles available in Azure AD.

Number

Use the detailed diagnosis of this measure to know the ID and name of each role that is available, and a brief description of what every role will permit a user to do.

Assigned directory role

Indicates the number of roles that are currently assigned to users.

Number

Use the detailed diagnosis of this measure to know which user has been assigned which role.

This will help administrators identify users whose role assignments do not align with their organizational duties/responsibilities.

Note that detailed diagnostics will be reported for this measure only if the Show Assigned Directory DD flag of this test is set to true.

Unassigned directory role

Indicates the number of roles that are yet to be assigned to users.

Number

Use the detailed diagnosis of this measure to know which roles are still to be assigned to users.

Use the detailed diagnosis of the Total directory role measure to know the ID and name of each role that is available, and a brief description of what every role will permit a user to do.

Figure 1 : The detailed diagnosis of the Total directory role measure

Use the detailed diagnosis of the Unassigned directory role measure to know which roles are still to be assigned to users.

Figure 2 : The detailed diagnosis of the Unassigned directory role measure