Midude2000
Newcomer II

Administrative access to Azure Cloud Infrastructure - how to prove

Our auditors are asking IT to show who has access to Azure Infrastructure. IT says that's a very broad ask. What they need to see is: everyone who has the ability to administer IT logical-access-related items on Azure Cloud Infrastructure. What specific screens and settings should we be asking for to review this kind of ability?

9 Replies
dcontesti
Community Champion

So that is a very broad ask.  I believe they are working from an audit "cheat" sheet on audits.

I personally would push back a little and ask them to clarify their ask.

 

If we look at some of the roles in Azure:  say

 

Contributor........the user is allowed to manage all resources, but does not allow you to assign roles

User access administrator ....allows one to manage user access to Azure resources. 

Disk backup reader ....permission to backup

etc.

 

I think I would go back and ask the following questions:

 

1. Do you want to know who can create accounts, etc.?

2. Do you want to see that users only have access to the resources that are essential to them (think RBAC here)?

3. Are you looking to see how inbound and outbound traffic is controlled?

 

MHOO

 

d

 

denbesten
Community Champion

To Diana-Lynn's point, the auditors need to be clear in their ask, lest they find the answer overwhelming with irrelevant detail.  

 

I would supply them the list of Azure built-in roles and ask them to identify those for which they would like you to retrieve membership. Or, perhaps, they could provide a PowerShell script that extracts the data they desire.

 

You might also take a look at Azure PIM.  It has reporting they may find useful, but do be aware that it is pricy ($6+ per M365 user per month).

 

And if you want to mess with the auditors (fun, but risky), feel free to point out that I have "Azure Cloud Infrastructure" access and if they want it, they can too. All one needs to do is sign up and give them a credit card number.

Early_Adopter
Community Champion

Internal audit or external audit..? Same questions but the stakes are different.

I guess as well as seeing what you have actually set it’s good to be ready to show them your access management process for requests and approvals and how that is governed.
tmekelburg1
Community Champion


@Midude2000 wrote:

What they need to see is: everyone who has the ability to administer IT logical-access-related items on Azure Cloud Infrastructure. What specific screens and settings should we be asking for to review this kind of ability?


First, ask for clarification, but I interpret this as requesting a comprehensive inventory of all individuals/entities with privileged access to Azure (Entra) resources. This includes users, groups, and systems with the ability to manage identities, access permissions, and privileged accounts. The reasoning is to see if anyone/any system has unauthorized access to the environment.

 

Microsoft Entra --> Identity --> Roles & Admins --> All Roles. You can download all administrative roles into a .CSV file for viewing.  

Midude2000
Newcomer II

Thank you!

Midude2000
Newcomer II

haha! points well taken! especially the last piece of advice. Mess with them just a little bit..
Midude2000
Newcomer II

external audit - SOX auditors
Midude2000
Newcomer II

very helpful thank you!

 

sergeling
Contributor I

It's a very broad ask. If someone is familiar with Azure and knows what to ask, they should ask for a list of specific roles, such as Global Administrator, User Administrator, etc.

 

Like the Microsoft article suggested, there are many built-in roles. Some are related to Microsoft Entra, some are related to Azure

 

You can access the default Azure roles from Subscription > Access control (IAM) to see the list of roles and assignments.

You can access the default Microsoft Entra roles on the Roles and administrators page and export the list.

 

https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
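The two inventories the replies point at (Entra directory role members from "Roles and administrators", and Azure RBAC role assignments from Subscription > Access control (IAM)) can be pulled with the PowerShell extract denbesten suggests. The script below is an added example written for this thread, not something any of the posters provided. It assumes the Az.Accounts, Az.Resources and Microsoft.Graph modules are installed and that the account running it can read directory roles and role assignments. The role names in the two "of interest" lists are the editor's own starting point for "can administer logical access" and should be replaced with whatever the auditors actually scope. Note that Get-MgDirectoryRole returns only active members; PIM eligible assignments are not included, so if PIM is in use, its own reporting is needed as well.

```powershell
# Added example for this thread (not code from any poster). Exports Entra admin-role
# membership and Azure RBAC role assignments to CSV as audit evidence.
# Assumptions: Az.Accounts, Az.Resources, Microsoft.Graph.Authentication and
# Microsoft.Graph.Identity.DirectoryManagement are installed; the caller can read
# directory roles and role assignments; the role lists below are illustrative.
#Requires -Modules Az.Accounts, Az.Resources, Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement

param(
    [string]$OutDir = '.\azure-access-evidence'   # assumed output folder
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# --- Part 1: Microsoft Entra directory roles (the "Roles and administrators" page) ---
# Editor's pick of roles that can manage identities and access; adjust to the audit scope.
$entraRolesOfInterest = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'User Administrator',
    'Privileged Authentication Administrator'
)

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Get-MgDirectoryRole lists roles that are active in the tenant; members are returned
# as generic directory objects, so the useful fields live in AdditionalProperties.
$entraRows = foreach ($role in Get-MgDirectoryRole -All) {
    if ($entraRolesOfInterest -notcontains $role.DisplayName) { continue }
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [pscustomobject]@{
            Role          = $role.DisplayName
            PrincipalType = $m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
            DisplayName   = $m.AdditionalProperties['displayName']
            UPN           = $m.AdditionalProperties['userPrincipalName']
            ObjectId      = $m.Id
        }
    }
}
$entraRows | Sort-Object Role, DisplayName |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "entra-admin-roles-$stamp.csv")

# --- Part 2: Azure RBAC role assignments (Subscription > Access control (IAM)) ---
# Owner and User Access Administrator can assign roles; Contributor can change resources.
$azureRolesOfInterest = @('Owner', 'User Access Administrator', 'Contributor')

Connect-AzAccount | Out-Null

$rbacRows = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    # Get-AzRoleAssignment at subscription context also returns assignments inherited
    # from management groups; the Scope column shows where each one was granted.
    foreach ($ra in Get-AzRoleAssignment) {
        if ($azureRolesOfInterest -notcontains $ra.RoleDefinitionName) { continue }
        [pscustomobject]@{
            Subscription  = $sub.Name
            Role          = $ra.RoleDefinitionName
            PrincipalType = $ra.ObjectType      # User, Group or ServicePrincipal
            DisplayName   = $ra.DisplayName
            SignInName    = $ra.SignInName
            ObjectId      = $ra.ObjectId
            Scope         = $ra.Scope
        }
    }
}
$rbacRows | Sort-Object Subscription, Role, DisplayName |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "azure-rbac-assignments-$stamp.csv")

# Group-based assignments hide the real people; auditors will want each group expanded.
$groupAssignments = @($rbacRows | Where-Object PrincipalType -eq 'Group')
Write-Host ("Entra admin-role members: {0}; Azure RBAC assignments: {1}; of which {2} granted via groups" -f `
    @($entraRows).Count, @($rbacRows).Count, $groupAssignments.Count)
```

Two follow-ups a practitioner would do before handing the CSVs over: expand every Group row into its members (the assignment to a group is not evidence of who holds it), and run the extract from a read-only identity so the evidence-gathering account does not itself appear in the privileged list.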