azure:qnd:azure_iam [2022/09/01 21:07] – [Azure IAM] mgupton | azure:qnd:azure_iam [2022/09/03 13:00] (current) – [Azure IAM] mgupton

====== Azure IAM ======
  * Azure has two separate/distinct scopes of access control — one for Azure AD and one for Azure resources.
  * A user with the //Global Administrator// role in AAD can elevate themselves to have the RBAC //User Administrator// role at the root (''/'') level over all subscriptions and management groups. This allows them to assign RBAC roles to themselves and others.

> **Azure AD roles** – Sometimes referred to as directory roles, Azure AD roles include built-in and custom roles to manage Azure AD and other Microsoft 365 online services.

> **Azure roles** – The role-based access control (RBAC) roles in Azure that grant access to management groups, subscriptions, resource groups, and resources.

[[https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan|reference]]
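The elevation described above leaves a visible footprint: a role assignment whose scope is the tenant root ''/''. The built-in Azure RBAC role that the elevate-access toggle assigns is named //User Access Administrator//. The following is an added audit example, not code from the wiki page; the records are constructed to mirror the field names (''principalName'', ''principalType'', ''roleDefinitionName'', ''scope'') that ''az role assignment list --scope / --include-inherited -o json'' emits, and are not output captured from any real tenant. The function ''find_root_scope_assignments'' and the role set ''ROOT_SENSITIVE_ROLES'' are this example's own names.

```python
"""Audit Azure RBAC assignments for sensitive grants at the tenant root scope ("/").

Added example, not from the wiki page. SAMPLE_ASSIGNMENTS_JSON is constructed
sample data shaped like `az role assignment list --scope / --include-inherited -o json`
output; it was not captured from a real tenant.
"""
import json
from dataclasses import dataclass

# Roles that, held at "/", let a principal grant themselves anything further down.
# (Constructed set; "User Access Administrator" is what the elevate-access toggle assigns.)
ROOT_SENSITIVE_ROLES = {"User Access Administrator", "Owner"}

SAMPLE_ASSIGNMENTS_JSON = """[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "User Access Administrator", "scope": "/"},
  {"principalName": "bob@contoso.example", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Owner",
   "scope": "/providers/Microsoft.Management/managementGroups/contoso-root"},
  {"principalName": "carol@contoso.example", "principalType": "User",
   "roleDefinitionName": "Owner", "scope": "/"}
]"""


@dataclass(frozen=True)
class Finding:
    principal: str
    principal_type: str
    role: str
    scope: str


def find_root_scope_assignments(assignments, sensitive_roles=ROOT_SENSITIVE_ROLES):
    """Return assignments whose scope is exactly "/" and whose role is in sensitive_roles.

    Root-scope assignments should be rare and short-lived: they are the trace left
    by a Global Administrator using elevate access, or by someone that person then
    granted root-level rights.
    """
    findings = []
    for a in assignments:
        if a.get("scope") == "/" and a.get("roleDefinitionName") in sensitive_roles:
            findings.append(Finding(
                principal=a.get("principalName", "<unknown>"),
                principal_type=a.get("principalType", "<unknown>"),
                role=a["roleDefinitionName"],
                scope=a["scope"],
            ))
    return findings


def audit(json_text):
    """Parse az CLI-style JSON and return the root-scope findings."""
    return find_root_scope_assignments(json.loads(json_text))


if __name__ == "__main__":
    for f in audit(SAMPLE_ASSIGNMENTS_JSON):
        print(f"ROOT-SCOPE {f.role!r} held by {f.principal} ({f.principal_type})")
```

Only the two ''/''-scoped entries are reported; the Owner grant on the management group is out of scope for this check because it is not the tenant root. Remediation is to delete the root-scope assignment once the task that needed it is done and to switch the elevate-access toggle off again in Azure AD.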
====== Misc Tools/Commands ======
  * The Windows command ''dsregcmd /status'' can be used to check whether a machine is AAD joined.
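''dsregcmd /status'' prints ''Key : Value'' lines under banner sections such as ''Device State'' and ''User State''; the join state follows from ''AzureAdJoined'', ''DomainJoined'' and ''WorkplaceJoined''. The following is an added example, not part of the wiki page: a small parser for that layout plus a classifier, run over a constructed excerpt (not output captured from a real machine). ''parse_dsregcmd'' and ''join_state'' are this example's own names.

```python
"""Classify a Windows device's Azure AD join state from `dsregcmd /status` output.

Added example, not from the wiki page. SAMPLE_DSREGCMD_OUTPUT is a constructed
excerpt in the layout dsregcmd prints; it was not captured from a real machine.
"""
import re

SAMPLE_DSREGCMD_OUTPUT = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : LAPTOP-01

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
"""

# One "Key : Value" line; keys may contain spaces (e.g. "Device Name").
_KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$")


def parse_dsregcmd(text):
    """Return a dict of the 'Key : Value' fields; banner lines (+---, | ...) are skipped."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(("+", "|")):
            continue
        m = _KV.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def join_state(fields):
    """Map the parsed fields to a join state.

    AzureAdJoined + DomainJoined  -> hybrid Azure AD joined
    AzureAdJoined only            -> Azure AD joined
    WorkplaceJoined (user state)  -> Azure AD registered
    DomainJoined only             -> on-premises AD joined only
    """
    aad = fields.get("AzureAdJoined") == "YES"
    dom = fields.get("DomainJoined") == "YES"
    wpj = fields.get("WorkplaceJoined") == "YES"
    if aad and dom:
        return "hybrid Azure AD joined"
    if aad:
        return "Azure AD joined"
    if wpj:
        return "Azure AD registered"
    if dom:
        return "on-premises AD joined only"
    return "not joined"


if __name__ == "__main__":
    fields = parse_dsregcmd(SAMPLE_DSREGCMD_OUTPUT)
    print(fields.get("Device Name"), "->", join_state(fields))
```

On a real host, feed the function the captured text of ''dsregcmd /status''; the constructed sample above classifies as Azure AD joined because ''AzureAdJoined'' is YES while ''DomainJoined'' is NO.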