AZ-305 - Design Authorization
1. Authorization Concepts
Authorization determines what an authenticated identity is allowed to do. In Azure, authorization is typically implemented through Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and resource-level access policies. A well-designed authorization strategy follows the principle of least privilege.
Principles of Authorization Design
Least Privilege Principle
Grant users only the minimum permissions they need to perform their tasks. Avoid assigning broad roles like Owner or Contributor at high scopes (subscription or management group) unless absolutely necessary. Start with Reader access and escalate only as needed. Use time-bound access via PIM for elevated permissions.
Defense in Depth
Layer multiple authorization mechanisms to protect resources. Combine Azure RBAC for Azure resource access, Microsoft Entra roles for identity management, resource-specific access controls (e.g., Azure Storage ACLs, Key Vault access policies), and network-level restrictions. No single layer should be the sole line of defense.
Authorization Models in Azure
| Model | How It Works | Use Case |
|---|---|---|
| RBAC (Role-Based) | Roles assigned to identities at specific scopes | Managing Azure resources (VMs, storage, networks) |
| ABAC (Attribute-Based) | Conditions based on resource attributes and principal attributes | Fine-grained storage blob access based on tags |
| ACL (Access Control Lists) | Per-object permissions on data | Azure Data Lake Storage Gen2 file/folder permissions |
| Access Policies | Resource-level policy configurations | Key Vault access policies, Azure SQL firewall rules |
2. Approach to Authorization
When designing authorization for an Azure solution, follow a structured approach that considers the scope of access, the identities involved, and the sensitivity of the resources being protected.
Step-by-Step Authorization Design
1. Identify Users and Workloads
Map out all identities that require access: human users (employees, partners, customers), application identities (service principals, managed identities), and automated processes (CI/CD pipelines, scheduled tasks). Each category may require different authorization approaches.
2. Define Access Requirements
Document what each identity needs to do: which resources they access, what operations they perform (read, write, delete), whether access is temporary or permanent, and whether access should be conditional (location, device, time). Map these requirements to specific Azure RBAC roles.
3. Choose the Right Scope
Assign roles at the narrowest scope possible. Prefer resource-level over resource group-level, and resource group-level over subscription-level. Use management groups only for policies that must span multiple subscriptions. Broader scopes mean broader exposure if a role assignment is compromised.
Azure ABAC (Attribute-Based Access Control)
Azure ABAC builds on RBAC by adding role assignment conditions based on attributes. For example, you can grant a user access to read blobs in a storage account only where the blob index tag matches a specific value. ABAC conditions are added to role assignments and evaluated alongside the role definition. This is currently supported for Azure Blob Storage and Azure Queue Storage operations.
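As an added example (not from the original page), the following Azure CLI script builds the documented ABAC condition expression for blob index tags and attaches it to a Storage Blob Data Reader assignment, which is also the design asked for in Practice Question 3. Angle-bracket values are placeholders; the helper names are assumptions of this example, and the assignment only runs when APPLY_ASSIGNMENT=1 is set.

```shell
# Added example: Storage Blob Data Reader limited to blobs tagged <key>=<value> via ABAC.
# Assumes: az login has been done; placeholders in angle brackets are replaced.
set -eu

# Build the condition expression: every action in the role passes through except the
# blob read action, which is allowed only when the blob index tag <key> equals <value>.
# (Helper written for this example; the expression format is the documented one.)
build_blob_tag_condition() {
  key="$1"; value="$2"
  printf "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:%s<\$key_case_sensitive\$>] StringEquals '%s'))" "$key" "$value"
}

# Create the role assignment with the condition attached (condition language version 2.0).
assign_reader_with_condition() {
  principal_id="$1"; scope="$2"; condition="$3"
  az role assignment create \
    --role "Storage Blob Data Reader" \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type User \
    --scope "$scope" \
    --condition "$condition" \
    --condition-version "2.0"
}

# Guarded so the helper above can be inspected without touching a subscription.
if [ "${APPLY_ASSIGNMENT:-0}" = "1" ]; then
  assign_reader_with_condition "<ANALYST_OBJECT_ID>" \
    "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG>/providers/Microsoft.Storage/storageAccounts/<ACCOUNT>" \
    "$(build_blob_tag_condition department finance)"
fi
```

The assignment is still a standard Storage Blob Data Reader role; the condition is what narrows the read action, so a later edit to the condition (not the role) is what an auditor has to watch for.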
3. Azure AD Groups and Roles
Groups are the recommended way to manage access at scale. Rather than assigning roles to individual users, assign roles to groups and manage group membership. This simplifies administration and ensures consistent access patterns.
Group Types
| Group Type | Membership | Use Case |
|---|---|---|
| Security Group (Assigned) | Manually assigned members | Small teams, specific access grants |
| Security Group (Dynamic) | Auto-populated by rules based on user attributes | Department-based access (e.g., all users where department = "Engineering") |
| Microsoft 365 Group | Collaboration-focused (includes mailbox, SharePoint, Teams) | Team collaboration, not typically for RBAC |
Dynamic Group Membership
Dynamic groups automatically add and remove members based on attribute rules. For example, a rule can include all users where the department attribute equals "Finance" and the country attribute equals "US". Dynamic groups require Azure AD P1 or higher. They ensure access is automatically updated as user attributes change (e.g., department transfer).
Azure AD Roles vs Azure RBAC Roles
Two Separate Role Systems
Azure AD roles manage access to Azure AD resources: users, groups, applications, directory settings. Examples include Global Administrator, User Administrator, Application Administrator. Azure RBAC roles manage access to Azure resources: VMs, storage, networking. Examples include Owner, Contributor, Reader, custom roles. These are separate systems that work at different levels.
| Aspect | Azure AD Roles | Azure RBAC Roles |
|---|---|---|
| Scope | Azure AD tenant level | Management group, subscription, resource group, resource |
| Manages | Identity objects (users, groups, apps) | Azure resources (VMs, storage, networks) |
| Custom Roles | Supported (P1 required) | Supported |
| API | Microsoft Graph API | Azure Resource Manager API |
| Assignment | Azure AD portal, Microsoft Graph | Azure portal, CLI, PowerShell, ARM templates |
4. Just In Time (JIT) Access
JIT access ensures that elevated permissions are granted only when needed and only for a defined period. This reduces the attack surface by minimizing the time window during which privileged access is active.
PIM for JIT Role Activation
Eligible vs Active Assignments
Active assignments give the user permanent access to the role with no activation required. Eligible assignments mean the user can activate the role when needed. Activation can require MFA, justification, approval from designated approvers, and is limited to a configurable time window (e.g., 1-8 hours). After the time expires, access is automatically revoked.
JIT VM Access
Microsoft Defender for Cloud - JIT VM Access
JIT VM access is a separate feature from PIM that locks down inbound traffic to Azure VMs by modifying Network Security Group (NSG) rules. When a user requests access, Defender for Cloud validates their permissions and automatically opens the required ports for a specified time period. When the time expires, the ports are closed again. This protects VMs from brute-force and port scanning attacks.
JIT Design Considerations
When designing JIT access, consider the following: which roles require JIT (start with highest privilege), maximum activation duration (shorter is more secure), who approves activation requests (separate from the requesters), notification settings for activations and approvals, audit and compliance requirements for privileged operations, and emergency access (break-glass) accounts that bypass JIT for disaster recovery.
5. Azure Resource Graph
Azure Resource Graph is a service that enables efficient exploration and querying of your Azure resources across subscriptions. It uses KQL (Kusto Query Language) to query resources at scale with complex filtering, grouping, and sorting.
Resource Graph Capabilities
Azure Resource Graph Overview
Resource Graph provides fast, indexed access to resource properties across all subscriptions without requiring individual calls to each resource provider. It supports querying across subscriptions and management groups, making it ideal for governance, compliance reporting, and resource inventory at scale. Queries return results in near real-time as they work against an indexed cache.
Resource Graph for Authorization Auditing
Use Resource Graph to audit your authorization posture: query for role assignments across subscriptions, find orphaned role assignments (for deleted users/groups), identify resources without proper tagging, detect overly permissive access patterns, and report on compliance across your environment. Resource Graph queries can be saved, shared, and pinned to Azure dashboards.
Resource Graph Query Examples
```kql
// List every role assignment visible to the caller, across all subscriptions
authorizationresources
| where type == "microsoft.authorization/roleassignments"
// Pull the interesting fields out of the dynamic properties bag
| extend principalId = properties.principalId
| extend roleDefinitionId = properties.roleDefinitionId
| extend scope = properties.scope
| project principalId, roleDefinitionId, scope
```
Resource Graph integrates with Azure Policy, Azure portal dashboards, Azure CLI, PowerShell, and SDKs. It supports change tracking to show how resources changed over the last 14 days, which is useful for investigating unauthorized changes to access configurations.
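As an added example (not from the original page), the script below wraps a Resource Graph query that flags Owner, Contributor and User Access Administrator assignments sitting at subscription or management-group scope, which is the "overly permissive access at broad scope" check the auditing section and Practice Question 2 describe. It assumes az login has been done and the Azure CLI resource-graph extension is installed; the function names are assumptions of this example.

```shell
# Added example: Resource Graph audit of privileged roles at broad scope.
# Assumes: az login done; `az extension add --name resource-graph` installed.
set -eu

# Role assignments only carry a roleDefinitionId, so the query joins them to
# role definitions on the trailing GUID (the assignment id carries the full ARM path)
# and keeps only high-privilege roles not scoped down to a resource group or resource.
privileged_broad_scope_query() {
  cat <<'EOF'
authorizationresources
| where type =~ "microsoft.authorization/roleassignments"
| extend principalId = tostring(properties.principalId),
         principalType = tostring(properties.principalType),
         scope = tostring(properties.scope),
         roleDefGuid = tolower(extract("[^/]+$", 0, tostring(properties.roleDefinitionId)))
| join kind=leftouter (
    authorizationresources
    | where type =~ "microsoft.authorization/roledefinitions"
    | project roleDefGuid = tolower(extract("[^/]+$", 0, id)),
              roleName = tostring(properties.roleName)
  ) on roleDefGuid
| where roleName in~ ("Owner", "Contributor", "User Access Administrator")
| where scope !contains "/resourceGroups/"
| distinct principalId, principalType, roleName, scope
| order by roleName asc
EOF
}

# Run the query across every subscription the caller can see (max page size 1000).
run_audit() {
  az graph query -q "$(privileged_broad_scope_query)" --first 1000 -o table
}

if [ "${RUN_AUDIT:-0}" = "1" ]; then
  run_audit
fi
```

Rows with a principalType of ServicePrincipal or an empty roleName (a deleted custom role) are the first ones to review, since neither shows up in a per-subscription IAM blade walk-through at this scale.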
Key Terms
| Term | Definition |
|---|---|
| RBAC | Role-Based Access Control - assigns permissions based on predefined roles at specific scopes. |
| ABAC | Attribute-Based Access Control - adds conditions based on attributes to RBAC role assignments. |
| Least Privilege | Principle of granting only the minimum permissions needed for a task. |
| Dynamic Group | An Azure AD group whose membership is automatically managed by attribute-based rules. |
| JIT Access | Just In Time access that grants elevated permissions only when needed and for a limited duration. |
| Resource Graph | Azure service for fast, cross-subscription querying and exploration of resource properties. |
| Eligible Assignment | A PIM role assignment that requires activation before use, supporting time-bound and approval-based access. |
Exam Tips
- Assign roles to groups, not individuals: Always prefer group-based role assignments for manageability and consistency. Use dynamic groups to automate membership based on user attributes.
- Know the difference between Azure AD roles and Azure RBAC roles: Azure AD roles manage identity objects (users, groups, apps). Azure RBAC roles manage Azure resources (VMs, storage, networks). They are separate systems.
- ABAC is for fine-grained data access: Currently supported for Blob Storage and Queue Storage. It adds conditions to role assignments based on resource tags or other attributes.
- JIT VM access is different from PIM: JIT VM access (Defender for Cloud) manages NSG port rules. PIM JIT manages role activations. Both reduce the attack surface but at different levels.
- Resource Graph queries are fast because they use an indexed cache: They do not query resource providers directly. Results are near real-time but may have slight delays for recently changed resources.
- Break-glass accounts should bypass JIT: Always maintain emergency access accounts with permanent active assignments that bypass PIM, MFA, and Conditional Access for disaster recovery scenarios.
Practice Questions
Question 1
Your organization has 500 engineers who need Contributor access to resources in the "Engineering" resource group. New engineers should automatically receive access when they join the engineering department. What should you implement?
A. Assign Contributor role to each engineer individually at the resource group scope
B. Create a dynamic security group based on the department attribute and assign Contributor role to the group
C. Create a Microsoft 365 group for engineering and assign Contributor role
D. Use Azure Policy to automatically grant Contributor access
Answer: B
A dynamic security group with a rule based on the department attribute (e.g., department equals "Engineering") automatically adds/removes users. Assigning the Contributor role to this group ensures all current and future engineering staff receive access without manual management.
Question 2
A security auditor needs to quickly identify all role assignments across 50 Azure subscriptions and report on any overly permissive access. What should you recommend?
A. Review the Access Control (IAM) blade for each subscription individually
B. Use Azure Resource Graph to query authorization resources across all subscriptions
C. Export Azure AD audit logs and filter for role assignment events
D. Run an Azure Policy compliance scan with a custom policy definition
Answer: B
Azure Resource Graph supports cross-subscription queries against indexed resource data including authorization resources (role assignments). It can query all 50 subscriptions in a single query and return results quickly, making it ideal for large-scale auditing.
Question 3
You need to grant a data analyst read access to blobs in an Azure Storage account, but only to blobs tagged with "department=finance". Standard RBAC roles grant access to all blobs. What should you use?
A. Create a custom RBAC role that filters by tag
B. Use ABAC by adding a role assignment condition based on blob index tags
C. Use Azure Storage ACLs to restrict access by folder
D. Create separate storage accounts per department
Answer: B
Azure ABAC allows adding conditions to role assignments based on attributes such as blob index tags. You can assign the Storage Blob Data Reader role with a condition that the blob index tag "department" equals "finance", providing fine-grained access without custom roles or separate storage accounts.
Question 4
Your security policy requires that VMs can only be accessed via SSH when explicitly requested and approved. SSH access should expire after 3 hours. What should you implement?
A. Azure Bastion with session time limits
B. Conditional Access policy for SSH access
C. Microsoft Defender for Cloud JIT VM access
D. Azure Firewall with time-based rules
Answer: C
JIT VM access in Microsoft Defender for Cloud locks down inbound ports (including SSH) by configuring NSG rules. Users request access, and after validation, the port is opened for the specified duration (up to 3 hours). When the time expires, the port is automatically closed again.
Question 5
You need to ensure that the Global Administrator role in your Entra ID tenant is only active when an admin explicitly activates it, requires MFA and a justification, and automatically expires after 2 hours. What should you configure?
A. Conditional Access policy requiring MFA for the Azure portal
B. PIM eligible assignment for Global Administrator with activation requirements
C. Custom Azure AD role with time-limited permissions
D. Access reviews for the Global Administrator role
Answer: B
PIM eligible assignments require admins to activate the role when needed. PIM settings can enforce MFA, require justification text, limit activation duration (2 hours), and optionally require approval. After the activation period expires, the role is automatically deactivated.