PIM Assignment - Node4-Digital/ris-CloudInfra-ALZ-MS-Bicep GitHub Wiki
PIM Assignment with Azure AD Groups
RBAC roles are scoped at the correct level (Management Group, Subscription or Resource Group) in accordance with the principle of least privilege. Azure AD PIM security groups are used to assign users to the scoped resource. This ensures Azure resources are accessed by the necessary/appropriate individual(s) based on their roles and responsibilities.
Management Groups
Only reader roles are assigned at the management group scope. Following the principle of least privilege, roles such as Owner or Contributor are assigned at subscription level instead, which limits the blast radius of a compromised account to that one subscription and no others.
Subscriptions
Azure AD groups are created and assigned the built-in roles of Reader, Owner, Contributor and User Access Administrator at the subscription level. This simplifies security administration: user accounts are added to or removed from the group that carries the appropriate level of privilege.
Resource Groups
Reader, Owner, and Contributor groups are created at the resource group level to allow granular permissions to be applied as needed at the variety of different levels.
YAML Variables
The PIM YAML deployment has the below variables for the resource group assignment that will need to be updated:
- MgmtDiagstoreResourceGroupName
- IdeDiagResourceGroupName
- ConDiagResourceGroupName
- PlzDiagResourceGroupName
- MgmtLoggingResourceGroupName
- MgmtMonitoringResourceGroupName
- IdeKvResourceGroupName
- IdeNetworkingResourceGroupName
- IdeDiagstoreResourceGroupName
- IdeMonitoringResourceGroupName
- ConNetworkingResourceGroupName
- ConKeyVaultResourceGroupName
- ConDiagstoreResourceGroupName
- ConMonitoringResourceGroupName
- PlzMonitoringResourceGroupName
- PlzNetworkingResourceGroupName
- PlzDiagstoreResourceGroupName
YAML Matrix
The YAML pipeline uses a matrix (management subscription example below) to loop over the subscription and resource group deployments, so that multiple role assignments can be made against the same subscription or resource group from one job definition. The example below loops through the Owners, Contributors, Readers and User Access Administrator roles and requires far less code than a separate job per role.
```yaml
strategy:
  matrix:
    'Owners':
      roleDefinitionId: '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
      groupName: 'rbac_sub_mgmt_ownr'
    'Contributors':
      roleDefinitionId: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
      groupName: 'rbac_sub_mgmt_cont'
    'Readers':
      roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
      groupName: 'rbac_sub_mgmt_read'
    'UserAccessAdmin':
      roleDefinitionId: '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
      groupName: 'rbac_sub_mgmt_uaa'
```
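A pre-deployment lint for matrix entries like the one above, added here as an example and not part of the ris-CloudInfra-ALZ-MS-Bicep repo: it checks that every `roleDefinitionId` is one of the four built-in roles the wiki uses, that the group name follows the `rbac_sub_mgmt_*` pattern, and that nothing other than Reader is assigned at management group scope. The `mg`/`rg` scope tokens in the naming pattern and the `rbac_mg_platform_*` group names are assumptions for illustration.

```python
import re
# Built-in role definition IDs used by the pipeline matrix (values from the wiki).
ROLE_ID = {
    "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "User Access Administrator": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
}
ROLE_NAME = {guid: name for name, guid in ROLE_ID.items()}
# Group-name suffix per role, following the wiki's rbac_sub_mgmt_* names.
ROLE_SUFFIX = {"Owner": "ownr", "Contributor": "cont", "Reader": "read", "User Access Administrator": "uaa"}
# Assumed naming pattern rbac_<scope>_<name>_<role>; the "mg" and "rg" scope tokens are assumptions.
GROUP_RE = re.compile(r"^rbac_(mg|sub|rg)_[a-z0-9]+_(ownr|cont|read|uaa)$")

def check_entry(scope_type, role_id, group_name):
    """Return violations for one matrix leg; an empty list means it is clean."""
    role = ROLE_NAME.get(role_id)
    if role is None:
        return [f"{group_name}: unknown roleDefinitionId {role_id}"]
    problems = []
    # Wiki rule: only reader roles are assigned at management group scope.
    if scope_type == "mg" and role != "Reader":
        problems.append(f"{group_name}: {role} not allowed at management group scope")
    m = GROUP_RE.match(group_name)
    if m is None:
        problems.append(f"{group_name}: does not match rbac_<scope>_<name>_<role>")
    else:
        if m.group(1) != scope_type:
            problems.append(f"{group_name}: named for scope '{m.group(1)}' but deployed at '{scope_type}'")
        if m.group(2) != ROLE_SUFFIX[role]:
            problems.append(f"{group_name}: suffix '{m.group(2)}' does not match role {role}")
    return problems

def lint_matrix(scope_type, matrix):
    """Check every leg of a strategy.matrix mapping; returns all violations found."""
    violations = []
    for leg in matrix.values():
        violations += check_entry(scope_type, leg["roleDefinitionId"], leg["groupName"])
    return violations

# Constructed input: the wiki's management subscription matrix as a dict (clean).
MGMT_SUB_MATRIX = {
    "Owners": {"roleDefinitionId": ROLE_ID["Owner"], "groupName": "rbac_sub_mgmt_ownr"},
    "Contributors": {"roleDefinitionId": ROLE_ID["Contributor"], "groupName": "rbac_sub_mgmt_cont"},
    "Readers": {"roleDefinitionId": ROLE_ID["Reader"], "groupName": "rbac_sub_mgmt_read"},
    "UserAccessAdmin": {"roleDefinitionId": ROLE_ID["User Access Administrator"], "groupName": "rbac_sub_mgmt_uaa"},
}
# Constructed management-group matrix with a deliberate Contributor leg (hypothetical group names).
MG_MATRIX_BAD = {"Readers": {"roleDefinitionId": ROLE_ID["Reader"], "groupName": "rbac_mg_platform_read"},
                 "Contributors": {"roleDefinitionId": ROLE_ID["Contributor"], "groupName": "rbac_mg_platform_cont"}}
```

Running `lint_matrix("mg", MG_MATRIX_BAD)` flags the Contributor leg, while the management subscription matrix returns no violations.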
YAML Stages
The YAML pipeline has been broken up into stages to help with deployment and re-deployment. Each subscription and resource group assignment has its own stage, and when you run the pipeline you can choose which stages to run. If, for example, you have added an additional PIM assignment to the pipeline, you can choose to run only the new stage.
