RBAC ROLE New

The document discusses implementing identity and access management for a client using Azure role-based access control and policies. It outlines challenges with user and group management and provides a solution using Azure AD, RBAC roles, multi-factor authentication and single sign-on to control access for internal and external users.

Uploaded by

gaikwadswapna5

CLOUD GOVERNANCE, IDENTITY MANAGEMENT AND RBAC ROLES

INDEX

SR NO.  TABLE OF CONTENT                       PAGE NO.
1       INTRODUCTION                           3
1.1     PROJECT OVERVIEW                       3
1.2     AZURE POLICIES                         3
1.3     AZURE AD CAPABILITIES DIAG             4
2       CHALLENGES                             4
2.1     USER AND GROUPS                        5
2.2     AZURE AD MANAGEMENT                    5
3       SOLUTION                               6
3.1     B2B COLLABORATION                      6
3.2     GUEST USER                             7
4       IMPLEMENTATION                         8
4.1     MFA (Multi-factor authentication)      9
4.2     SSO (Single sign-on)                   9
4.3     RBAC FLOWCHART                         9
4.4     RBAC ROLES                             10
5       CONCLUSION                             13

1. INTRODUCTION

EY Solution is a leading cloud solution provider for clients and business
communities throughout India. It manages multiple tenants and handles their
resources with great efficiency. AWT PVT LTD. is an industrial firm that handles
many different users and accounts. This case study explains how EY Solution
provides solutions to the client AWT through Azure access control and governance
policies. With identity and access management solutions, security personnel can
track and control user access for both on-premises and cloud-based systems as
part of the cloud governance effort. They can secure users by ensuring that the
right user accounts have the right access to the right systems, and detect and
prevent inappropriate access.

1.1 PROJECT OVERVIEW


AWT PVT LTD. wants to work with EY Solution for its identity and access
management and for assigning specific RBAC roles at subscription scope.

1.2 AZURE POLICIES


An efficient Azure governance strategy provides a framework for controlling and
managing Azure resources, policies and access control, and helps an organization
achieve cost efficiency. Azure Policy delivers a number of key features that
enable us to create, manage and enforce compliance and security policies in our
Azure environment. Some of its key features include:
- Policy definition – An organization can use built-in policies based on best
practices and real use cases. Microsoft maintains these definitions, and they
are available in any subscription.
- Policy enforcement – A policy gives us the ability to enforce rules across
the entire Azure environment and provides a centralized view of the current
compliance state of all resources and of the infrastructure as a whole.
- Compliance reporting – Once our policies are defined and enforced across the
environment, we can generate compliance reports on the state of our Azure
infrastructure.
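To make the three features concrete, here is an added example (not from the report, and not Azure's own engine) that walks a policy definition modelled on the built-in "Allowed locations" policy through enforcement and compliance reporting over a constructed inventory; the allowed regions, subscription id and resource names are assumed values.

```python
"""Mini-evaluator for an Azure Policy style rule (constructed example)."""

# Policy definition modelled on Azure's built-in "Allowed locations" policy; the
# allowed regions are assumed for this example.
POLICY = {
    "displayName": "Allowed locations",
    "parameters": {"allowedLocations": ["centralindia", "southindia"]},
    "policyRule": {
        "if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
        "then": {"effect": "deny"},
    },
}

def resolve(value, params):
    """Resolve the [parameters('name')] reference syntax used inside policy rules."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value

def matches(condition, resource, params):
    """Evaluate a condition: supports 'not', 'allOf', 'field ... in' and 'field ... equals'."""
    if "not" in condition:
        return not matches(condition["not"], resource, params)
    if "allOf" in condition:
        return all(matches(c, resource, params) for c in condition["allOf"])
    actual = resource.get(condition["field"])
    if "in" in condition:
        return actual in resolve(condition["in"], params)
    return actual == resolve(condition["equals"], params)

def evaluate(policy, resource):
    """Enforcement: the effect applied to a resource ('deny'), or None when it is compliant."""
    rule, params = policy["policyRule"], policy["parameters"]
    return rule["then"]["effect"] if matches(rule["if"], resource, params) else None

def compliance_report(policy, resources):
    """Compliance reporting over existing resources: resource id -> Compliant/NonCompliant."""
    return {r["id"]: "NonCompliant" if evaluate(policy, r) else "Compliant" for r in resources}

# Constructed inventory (subscription id and resource names are placeholders).
RESOURCES = [
    {"id": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-awt/providers/Microsoft.Compute/virtualMachines/vm-app-01",
     "type": "Microsoft.Compute/virtualMachines", "location": "centralindia"},
    {"id": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-awt/providers/Microsoft.Storage/storageAccounts/stawtlogs01",
     "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
]

if __name__ == "__main__":
    for rid, state in compliance_report(POLICY, RESOURCES).items():
        print(state, rid)
```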
1.3 AZURE AD NATIVE CAPABILITIES

2. CHALLENGES
Organizations around the world use an identity platform; some use Azure Active
Directory on its own and some use it in a hybrid mode. Without an identity, and
therefore an identity platform, it is quite hard to access applications and
resources. Therefore the identity platform must be seen as the control plane
within your organization. Most organizations struggle with the following issues.

- End user accounts of new employees are still created manually by the IT
department.
- Role based access control isn't implemented for end user accounts. Roles or
job titles within an organization aren't connected to RBAC, which would give
the end user the necessary access to do their daily job. When employees switch
job role within an organization they aren't removed from groups belonging to
their previous role.
- Guest users (external identities) have been provided access to information,
but access is never revoked.
- IT administrators have no idea what permissions users have, and this is not
traceable.

2.1 USER AND GROUPS


Managing user and group permissions is a complex task. However, it must be
accomplished correctly to ensure that the procedure is smooth for the company.
Using a practical approach, you can execute a seamless procedure that will
benefit the organization and help overcome identity and access management
difficulties. Identifying the users, resources, and services to which each user
needs access is crucial for cloud-native security. It lays the groundwork for
enforcing the principle of least privilege, which aims to reduce risk by
granting users the least amount of access they need to do their job well while
maintaining high productivity.

2.2 AZURE AD MANAGEMENT


The native Microsoft 365 portal allows administrators to perform all operations
relating to Azure AD management. However, the Microsoft 365 portal has
limitations that cannot be discounted, like when it comes to modifying the
attributes of multiple users or groups simultaneously. Many administrative actions
like restoring multiple deleted users or changing the manager attribute for multiple
users become a chore because bulk management is not an option. Administrators
need a tool that not only performs all Azure AD management tasks, but will also
perform bulk modifications. M365 Manager Plus makes Azure Active Directory
management effortless.

3. SOLUTION

Access management for cloud resources is critical for any organization that uses
the cloud. Azure role-based access control (Azure RBAC) is a system that provides
fine-grained access management of Azure resources.

- Azure identity management and access systems enable organizations to manage
employees without logging into each app as an administrator. Identity and
access management systems enable organizations to manage a range of identities
including people, software, and hardware. They manage user authorization,
single sign-on, data management, security, and users' role-based identities.
- Role-based access control covers, among other things, role permissions and
user roles, and can be used to address multiple needs of organizations, from
security and compliance to efficiency and cost control.
- With role-based access control, organizations reduce both the complexity of
assigning user access rights and the associated costs. It makes it possible to
review access rights to ensure compliance with various regulations, and to
optimize processes so that new employees can be up and running from day one,
because it is predefined which systems a new employee should have access to,
all based on his or her role in the organization.
- Thus Azure governance policies and RBAC roles give the cloud service provider
a complete solution for managing the resources of AWT (the client) efficiently.

3.1 B2B COLLABORATION

B2B collaboration is a feature that lets us invite guest users to collaborate
with our organization. With B2B collaboration, we can securely share the
company's applications and services with external users, while maintaining
control over our own corporate data. We can work safely and securely with
external partners, large or small, even if they don't have Microsoft Entra ID or
an IT department.

3.2 GUEST USER


With Microsoft Entra B2B collaboration, we can invite anyone to collaborate with
our organization. An Azure guest user is an individual who has been granted
limited access to a Microsoft Azure environment but is not a member of the
organization's tenant. This access is typically provided to external partners or
vendors who need to interact with resources within the organization's Azure
environment.
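The challenge listed earlier, that guest access is granted but never revoked, is something the dynamic guest group mentioned later in this report makes easy to review. Below is an added example (not part of the report) that applies the same guest-membership rule locally and flags guests whose invitation was never accepted or who have not signed in for a long time; the user records, domain names and thresholds are constructed, shaped like Microsoft Graph /users output.

```python
from datetime import datetime, timedelta, timezone

# Membership rule of the report's "Dynamic Group for all Guest Users"; this is the
# real Microsoft Entra dynamic-group rule syntax for the userType attribute.
GUEST_RULE = '(user.userType -eq "Guest")'

def is_guest(user):
    """Local stand-in for GUEST_RULE (Entra evaluates the rule itself, server-side)."""
    return user.get("userType") == "Guest"

def parse_ts(value):
    """Parse a Graph-style UTC timestamp such as 2024-05-20T08:15:00Z; None if absent."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def review_guests(users, now, max_idle_days=90, max_pending_days=30):
    """Return (userPrincipalName, finding) pairs for guests whose access needs review."""
    findings = []
    for user in filter(is_guest, users):
        created = parse_ts(user["createdDateTime"])
        last_sign_in = parse_ts(user.get("signInActivity", {}).get("lastSignInDateTime"))
        if user.get("externalUserState") == "PendingAcceptance":
            if now - created > timedelta(days=max_pending_days):
                findings.append((user["userPrincipalName"], "invitation never accepted; remove"))
            continue
        # A guest who accepted but never signed in is measured from the creation date.
        if now - (last_sign_in or created) > timedelta(days=max_idle_days):
            findings.append((user["userPrincipalName"], "inactive guest; review and revoke"))
    return findings

# Constructed sample records (all values invented; domains are placeholders).
SAMPLE_USERS = [
    {"userPrincipalName": "alice@ey.example", "userType": "Member",
     "createdDateTime": "2022-03-01T09:00:00Z"},
    {"userPrincipalName": "vendor1_partner.example#EXT#@ey.example", "userType": "Guest",
     "externalUserState": "Accepted", "createdDateTime": "2023-01-10T10:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-20T08:15:00Z"}},
    {"userPrincipalName": "vendor2_partner.example#EXT#@ey.example", "userType": "Guest",
     "externalUserState": "Accepted", "createdDateTime": "2023-01-10T10:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-11-01T12:00:00Z"}},
    {"userPrincipalName": "vendor3_partner.example#EXT#@ey.example", "userType": "Guest",
     "externalUserState": "PendingAcceptance", "createdDateTime": "2024-03-01T10:00:00Z"},
    {"userPrincipalName": "vendor4_partner.example#EXT#@ey.example", "userType": "Guest",
     "externalUserState": "PendingAcceptance", "createdDateTime": "2024-05-20T10:00:00Z"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "current" time for the sample

if __name__ == "__main__":
    for upn, finding in review_guests(SAMPLE_USERS, NOW):
        print(f"{upn}: {finding}")
```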

4. IMPLEMENTATION
The tools needed to implement IAM include password-management tools,
provisioning software, security-policy enforcement applications, reporting and
monitoring apps and identity repositories. IAM tools can include:

4.1 MFA
Multi-factor authentication means that your IAM provider requires more than one
type of proof. An example is requiring both a password and a fingerprint. Other
MFA choices include facial recognition, iris scans, and physical tokens.

4.2 SSO
SSO stands for single sign-on. If your IAM solution provides single sign-on,
your users can sign in only once and then treat the identity and access
management tool as a "portal" to the other software suites they have access to,
all without signing in to each one.

In Azure RBAC, role definitions, role assignments, and deny assignments are
stored globally to ensure that you have access to your resources regardless of
the region in which you created the resource. When a role assignment or any
other Azure RBAC data is deleted, the data is globally deleted. Principals that
had access to a resource via that Azure RBAC data will lose their access.

4.3 RBAC FLOWCHART

4.4 RBAC
Azure role-based access control (RBAC) has several Azure built-in roles that can
be assigned to users, groups, service principals, and managed identities. Role
assignments control access to Azure resources. If the built-in roles don't meet
the specific needs of the AWT organization, then EY Org. can also create custom
Azure roles.
There are seven different groups under EY. All the groups below are registered
under EY domains.

- CNR - Cloud Network Engineer (5 employees)
- CDO - Cloud DevOps Operator (5 employees)
- ADMIN (1 employee)
- CME - Cloud Monitoring Engineers (2 employees)
- CMT - Cloud Migration Team (5 employees)
- CTO - Cloud Technology Operation Manager (5 employees)
- Stakeholders (5 employees)

All the users under these groups need to work for AWT Org. The infrastructure
under AWT Org would be accessed by the above users.

EY architecture users are created under the on-premises Active Directory of EY.
They have to work for AWT Org using the global Azure Active Directory.

The EY and AWT Org domain, tenant and AD should be configured to achieve the
above requirements, and RBAC roles need to be assigned for all the above groups.

Microsoft Entra roles (Group | Role | Description)

AWT-EntraID | Account-Admin
  The Account Administrator is the person who signs up for the Azure account,
  manages billing for all subscriptions in the account, and creates new
  subscriptions.
AWT-EntraID | Global-Admin
  Can manage all aspects of AWT Entra ID and AWT services that use Microsoft
  Entra.
AWT-EntraID | Global Reader
  Can read everything that a Global Administrator can, but not update anything.

Dynamic Group for all Guest Users in Microsoft Entra.

Group Membership Types (Group | Membership type)

SG-EY-Architect-Team    | Dynamic Users
SG-EY-Devops-Team       | Dynamic Users
SG-EY-Monitor-Team      | Dynamic Users
SG-EY-Networking-Team   | Dynamic Users
SG-EY-Stakeholders-Team | Dynamic Users

Management Group Subscriptions Roles for Operational, Development, Testing and
Production Departments (Users | Role | Scope, then Description)

SG-EY-ManagmentGroup | Contributor | Subscriptions
  Grants full access to manage all resources, but does not allow you to assign
  roles in Azure RBAC, manage assignments in Azure Blueprints, or share image
  galleries.
SG-EY-ManagmentGroup | Reader | Subscriptions
  The Reader role allows viewing all resources within a subscription but does
  not permit making any changes. It's useful for auditing purposes or providing
  read-only access.
SG-EY-ManagmentGroup | User Access Administrator | Subscriptions
  This role lets you manage user access to Azure resources. If you need to
  control user permissions, this role is appropriate.

Group roles (Group | Role, then Description)

SG-EY-Architect-Team | Contributor
  Contributors can create and manage all types of Azure resources such as
  Virtual Machines, Storage Accounts, Virtual Networks, Web Apps and Databases,
  but cannot grant access to others. They have the power to perform various
  actions related to resource management.
SG-EY-Architect-Team | Reader
  Readers can view existing Azure resources and view security-related operations
  in Azure, such as security alerts and recommendations, but cannot make any
  changes.
SG-EY-Devops-Team | Contributor/Azure DevOps Administrator
  This role is suitable for managing CI/CD pipeline tools and the required
  infrastructure in Azure. This role can manage Azure DevOps policies,
  troubleshooting techniques, fixing code bugs and settings. In addition to this
SG-EY-Monitor-Team | Reader
  This role is responsible for monitoring the health, performance, and
  reliability of client apps and infrastructure continuously as it flows
  through development, production, and customers. It also involves monitoring
  the day-to-day usage of the system and spotting trends that might lead to
  problems if they're not addressed, and generating reports on the usage of the
  system and the performance of the applications and infrastructure.
SG-EY-Networking-Team | Network Contributor
  This role is responsible for designing and managing network solutions on the
  Azure platform. They can manage all virtual networks in Azure. Their
  responsibilities include:
  - Configuring and managing virtual networks in Azure.
  - Implementing network security and access controls in Azure.
  - Optimizing network performance and troubleshooting network issues.
SG-EY-Stakeholders-Team | Reader
  This role allows the user to view resources, but not make any changes to
  them. As stakeholders, their responsibilities include:
  - Providing information, estimates and feedback to the PM during project
    planning.
  - Providing business and/or technical expertise to execute project tasks
    (work).
  - Liaising with stakeholders to ensure the project meets business needs.
  - Analyzing and documenting current and future processes and systems
    (functional and technical).
  - Providing a framework for the project's activities.
  - Identifying needed resources.
  - Negotiating with higher authorities.
  - Recruiting effective participants.
  - Setting milestones.
  - Coordinating activities.
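The group-to-role tables above are the kind of plan a practitioner would lint for least privilege before assigning anything, so here is an added example (not code from the report or from EY) that encodes those assignments, checks that no group receives Owner, that only the management group holds User Access Administrator, and that Reader is not granted beside Contributor at the same scope, and then renders the matching Azure CLI commands; the subscription id and group object ids are placeholders.

```python
"""RBAC assignment plan for the report's groups, with least-privilege checks (constructed)."""

# Scope and object ids are placeholders; replace with the real subscription id and
# the Entra object ids of the groups.
SUB = "/subscriptions/SUB-ID-PLACEHOLDER"
# Transcribed from the report's role tables. "Azure DevOps Administrator" for the
# DevOps team is a Microsoft Entra directory role, not an Azure RBAC role, so only
# its Contributor assignment appears here.
PLAN = [
    ("SG-EY-ManagmentGroup", "Contributor", SUB),
    ("SG-EY-ManagmentGroup", "Reader", SUB),
    ("SG-EY-ManagmentGroup", "User Access Administrator", SUB),
    ("SG-EY-Architect-Team", "Contributor", SUB),
    ("SG-EY-Architect-Team", "Reader", SUB),
    ("SG-EY-Devops-Team", "Contributor", SUB),
    ("SG-EY-Monitor-Team", "Reader", SUB),
    ("SG-EY-Networking-Team", "Network Contributor", SUB),
    ("SG-EY-Stakeholders-Team", "Reader", SUB),
]
# Only the management group may hold the role that changes other principals' access.
UAA_ALLOWED = {"SG-EY-ManagmentGroup"}

def lint_plan(plan):
    """Return human-readable findings for assignments that violate least privilege."""
    findings, roles_at = [], {}
    for group, role, scope in plan:
        roles_at.setdefault((group, scope), set()).add(role)
        if role == "Owner":
            findings.append(f"{group}: Owner at {scope}; split into Contributor plus a scoped access-admin role")
        elif role == "User Access Administrator" and group not in UAA_ALLOWED:
            findings.append(f"{group}: User Access Administrator at {scope} is not an approved group")
    for (group, scope), roles in roles_at.items():
        # Contributor already includes every read action, so Reader adds nothing but noise.
        if "Reader" in roles and roles & {"Contributor", "Owner"}:
            findings.append(f"{group}: Reader is redundant beside Contributor at {scope}")
    return findings

def az_commands(plan, object_ids):
    """Render one Azure CLI command per assignment (object_ids: group name -> Entra object id)."""
    return [
        f'az role assignment create --assignee-object-id {object_ids[group]} '
        f'--assignee-principal-type Group --role "{role}" --scope {scope}'
        for group, role, scope in plan
    ]

if __name__ == "__main__":
    for finding in lint_plan(PLAN):
        print("finding:", finding)
    ids = {group: f"OBJECT-ID-PLACEHOLDER-{group}" for group, _, _ in PLAN}
    print("\n".join(az_commands(PLAN, ids)))
```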

5. CONCLUSION
Identity Governance and Administration (IGA) enables security administrators to
efficiently manage user identities and access across the enterprise. It improves
their visibility into identities and access privileges and helps them implement
the necessary controls to prevent inappropriate or risky access. An RBAC role
gives users access only within their assigned scope. IGA combines Identity
Governance and Identity Administration: Identity Governance is about visibility,
segregation of duties, role management, attestation, analytics and reporting,
while Identity Administration is related to account administration, credentials
administration, user and device provisioning and managing entitlements.
