WEBVTT 1 00:00:00.080 --> 00:00:03.799 Welcome back to the deep dive. So today we're we're 2 00:00:03.879 --> 00:00:07.679 kind of tearing down the walls literally literally. For decades, 3 00:00:08.160 --> 00:00:11.400 it security it was simple geometry, right, You had an office, 4 00:00:11.439 --> 00:00:14.160 you had a firewall, and you know, anyone sitting inside 5 00:00:14.199 --> 00:00:18.199 that perimeter was considered safe. But the cloud has just 6 00:00:18.239 --> 00:00:22.239 completely dissolved that and the source material we're exploring today 7 00:00:22.640 --> 00:00:25.719 it makes us claim that honestly feels like a rallying cry. 8 00:00:25.879 --> 00:00:28.679 It says identity is the new firewall. 9 00:00:28.800 --> 00:00:30.879 It's a massive shift, isn't it. I mean, if you 10 00:00:30.920 --> 00:00:32.759 can't control who the person is, it just doesn't matter 11 00:00:32.799 --> 00:00:34.640 how strong your encryption is or how locked down your 12 00:00:34.679 --> 00:00:37.200 servers are. If I have your identity, I am you, 13 00:00:37.479 --> 00:00:39.439 and once i'm you, the firewall doesn't care. 14 00:00:39.640 --> 00:00:41.679 That is a terrifying thought to kick things off with. 15 00:00:41.840 --> 00:00:44.240 To help us navigate this, we're looking at a very 16 00:00:45.240 --> 00:00:50.640 specific tactical guide Microsoft Ayured Administrator Exam Prep AZ one 17 00:00:50.640 --> 00:00:54.320 O four by Lullett Rawat. We're focusing on the first 18 00:00:54.359 --> 00:00:57.240 three chapters. Now, I know exam Prep can sound a 19 00:00:57.240 --> 00:00:57.679 bit dry. 20 00:00:57.880 --> 00:01:00.520 Oh yeah, flashbacks to late note cramming exactly. 21 00:01:00.640 --> 00:01:03.039 But what stood out to me about Rowlet's approach is 22 00:01:03.039 --> 00:01:07.560 that he treats the exam criteria as a a survival 23 00:01:07.560 --> 00:01:08.799 guide for the actual job. 24 00:01:08.920 --> 00:01:10.480 That's the best way to look at the AZ one 25 00:01:10.519 --> 00:01:13.359 O four. It's widely considered one of the harder associate 26 00:01:13.400 --> 00:01:16.840 exams because it's not just theory, it's asking which button 27 00:01:16.840 --> 00:01:19.200 do you click when the CEO can't get their email? 28 00:01:19.439 --> 00:01:21.799 Or how do you fix this sink error before the 29 00:01:21.879 --> 00:01:22.599 nine am meeting? 30 00:01:22.760 --> 00:01:26.400 Exactly. Rad does a great job balancing that necessary memorization 31 00:01:26.560 --> 00:01:29.120 with the the day to day reality of being an 32 00:01:29.159 --> 00:01:29.840 Azure admin. 33 00:01:30.159 --> 00:01:32.480 So our mission today is to build a mental model 34 00:01:32.519 --> 00:01:34.840 of this identity firewall. We're going to break this down 35 00:01:34.840 --> 00:01:39.439 into three big chunks. First, the population problem. How do 36 00:01:39.519 --> 00:01:42.040 we manage thousands of users without losing our minds? 37 00:01:42.120 --> 00:01:42.760 A classic? 38 00:01:43.079 --> 00:01:46.480 Second, the bridge? How do we connect our dusty old 39 00:01:46.519 --> 00:01:49.640 on prem servers to the shiny new cloud? And finally, 40 00:01:49.719 --> 00:01:52.000 the keys to the kingdom role based access control. 41 00:01:52.079 --> 00:01:53.480 Sounds like a solid roadmap. 42 00:01:53.560 --> 00:01:56.560 Okay, let's start with that population explosion managing users in 43 00:01:56.640 --> 00:01:59.840 groups chapter one. Now, creating a single user in Azure 44 00:01:59.879 --> 00:02:03.519 is is. It's trivial. You click new user, you tad 45 00:02:03.599 --> 00:02:07.680 Bob done. But Rod throws us into a scenario that 46 00:02:07.719 --> 00:02:12.520 I think gives most admin's heartburn bulk operations. 47 00:02:12.120 --> 00:02:15.400 Ah, the summer intern scenario. 48 00:02:15.159 --> 00:02:19.360 Or the we just acquired a competitor scenario. HR sends 49 00:02:19.400 --> 00:02:21.919 you a spreadsheet with two hundred names on Monday morning 50 00:02:21.960 --> 00:02:23.639 and says these need to be live by. 51 00:02:23.599 --> 00:02:26.280 Lunch, right, and you are not clicking new user two 52 00:02:26.400 --> 00:02:29.039 hundred times railway and if you do, you're not only 53 00:02:29.080 --> 00:02:31.599 gonna make mistakes, you're gonna hate your job by noon. 54 00:02:32.520 --> 00:02:35.240 This is where the bulk create feature comes in. Okay, 55 00:02:35.479 --> 00:02:38.360 it sounds simple. You just upload a CSV file, but 56 00:02:38.560 --> 00:02:41.840 Rowat points out some very specific gotchas in that file 57 00:02:41.919 --> 00:02:43.159 that you really need to know. 58 00:02:43.520 --> 00:02:45.840 This is the kind of detail I love. You'd assume 59 00:02:45.840 --> 00:02:48.319 a CSV just needs what name and email. 60 00:02:48.439 --> 00:02:51.680 That's what you'd think, But there are mandatory fields that 61 00:02:51.759 --> 00:02:54.080 really catch people off guard. The one that always trips 62 00:02:54.120 --> 00:02:56.520 people up is the block sign in column. 63 00:02:56.280 --> 00:02:59.319 Block sign in. Why would that be mandatory? Wouldn't you 64 00:02:59.360 --> 00:03:00.879 just want them to sign in right away? 65 00:03:01.120 --> 00:03:04.919 Well, think about the workflow. You might be provisioning accounts 66 00:03:04.919 --> 00:03:07.960 for employees who don't start for another two weeks. You 67 00:03:07.960 --> 00:03:10.599 need the account to exist so you can assign a license, 68 00:03:10.879 --> 00:03:13.879 set up their mailbox, maybe grant them access to a 69 00:03:13.919 --> 00:03:16.199 SharePoint site. So it's already for day one. 70 00:03:16.120 --> 00:03:18.599 But you definitely don't want that account to be active yet. 71 00:03:18.719 --> 00:03:21.719 Exactly, you don't want someone guessing the temporary password before 72 00:03:21.759 --> 00:03:23.199 the employee even walks in the door. 73 00:03:23.360 --> 00:03:26.840 So the system forces you to make a security decision 74 00:03:27.280 --> 00:03:32.599 before the user even exists. I like that. So we've 75 00:03:32.599 --> 00:03:35.639 got our two hundred users, but we can't manage two 76 00:03:35.719 --> 00:03:37.560 hundred individuals. We need groups. 77 00:03:37.719 --> 00:03:41.439 And this is where azure AD or you know, Microsoft 78 00:03:41.680 --> 00:03:44.319 entra ID as it's often called, now gets a little 79 00:03:44.319 --> 00:03:46.800 more nuanced than the old active directory people might be 80 00:03:46.879 --> 00:03:50.919 used to. 'watt distinguishes heavily between security groups and Office 81 00:03:50.960 --> 00:03:52.199 three sixty five groups. 82 00:03:52.360 --> 00:03:54.360 I feel like this is a distinction that gets blurred 83 00:03:54.400 --> 00:03:56.759 a lot in practice, but for the exam it's black 84 00:03:56.759 --> 00:03:58.280 and white. How should we think about them? 85 00:03:58.360 --> 00:04:00.479 It really just comes down to intent. Are you trying 86 00:04:00.520 --> 00:04:02.960 to control access or are you trying to help people 87 00:04:03.000 --> 00:04:05.919 work together? Okay, if you need to lock down a firewall, 88 00:04:06.039 --> 00:04:08.360 roll or give permissions to a database, you use a 89 00:04:08.400 --> 00:04:11.280 security group. It's a boundary. Think of it like a 90 00:04:11.360 --> 00:04:13.639 key card to a specific floor of a building. 91 00:04:13.879 --> 00:04:16.920 Right, security equals boundaries and the other one. 92 00:04:17.079 --> 00:04:19.959 If the goal is, hey, we need a shared calendar, 93 00:04:20.079 --> 00:04:22.439 a shared inbox, and a place to dump files for 94 00:04:22.480 --> 00:04:25.319 the marketing team, that's an office three sixty five group. 95 00:04:25.560 --> 00:04:28.000 It creates that whole collaboration workspace for you. 96 00:04:28.399 --> 00:04:31.199 Got it. So security groups are for the admins to 97 00:04:31.199 --> 00:04:33.920 manage control Both three sixty five groups are for the 98 00:04:34.000 --> 00:04:35.399 users to get work done. 99 00:04:35.720 --> 00:04:39.639 Broadly speaking, Yeah, but the real magic isn't the group type. 100 00:04:39.639 --> 00:04:42.720 It's how people get into the group. If you're manually 101 00:04:42.759 --> 00:04:45.800 adding Bob to the marketing group, you're probably doing it wrong. 102 00:04:45.920 --> 00:04:48.800 This has to be dynamic membership. I found this fascinating. 103 00:04:48.839 --> 00:04:50.879 You're basically writing a logic statement for your. 104 00:04:50.839 --> 00:04:54.720 User list exactly if department equals it add to the 105 00:04:54.759 --> 00:04:57.800 it security group. And it sounds great because it's set 106 00:04:57.839 --> 00:05:01.279 it and forget it. Yeah, but rewat hindset a risk here. 107 00:05:01.600 --> 00:05:03.560 This kind of automation relies on. 108 00:05:03.639 --> 00:05:05.680 Clean data, garbage in garbage. 109 00:05:05.319 --> 00:05:10.079 At Precisely, If HR spells information technology as it on 110 00:05:10.079 --> 00:05:12.800 one form and I don't know infotech on another, your 111 00:05:12.879 --> 00:05:14.480 dynamic rule breaks. 112 00:05:14.199 --> 00:05:15.319 And Bob can't do his job. 113 00:05:15.560 --> 00:05:18.519 He's calling you, right, so while dynamic groups are a 114 00:05:18.600 --> 00:05:21.720 huge time saver, they actually force you to be much 115 00:05:21.720 --> 00:05:24.279 more disciplined about your data entry standards. 116 00:05:24.399 --> 00:05:27.920 That's a great insight. Automation doesn't fix messiness, it just 117 00:05:28.120 --> 00:05:32.160 scales it. Okay, before we leave users, we have to 118 00:05:32.199 --> 00:05:35.680 talk about the people who don't work for you, the guests. 119 00:05:35.439 --> 00:05:37.319 B to B business to business. 120 00:05:37.480 --> 00:05:42.399 The modern workplace is so fluid, isn't it. You've got consultants, vendors, partners. 121 00:05:42.839 --> 00:05:44.480 In the older days, you just make them a fake 122 00:05:44.519 --> 00:05:45.800 employee account. 123 00:05:45.399 --> 00:05:47.519 With a complex password written on a post. 124 00:05:47.360 --> 00:05:50.879 It note exactly. But Azure handles this differently. 125 00:05:50.560 --> 00:05:54.560 Much differently. You're inviting their existing identity, if they have 126 00:05:54.600 --> 00:05:57.279 a Gmail account or a corporate Outlook account from their 127 00:05:57.279 --> 00:06:00.800 own company. You invite that. You're not managed their password. 128 00:06:00.839 --> 00:06:03.399 You're just managing their access to your stuff. 129 00:06:03.879 --> 00:06:06.680 But there is a gatekeeper the source mentions. Not just 130 00:06:06.759 --> 00:06:08.079 anyone can send these. 131 00:06:07.879 --> 00:06:11.839 Invites correct by default. You need the user administrator role, 132 00:06:12.000 --> 00:06:15.399 and this is important. Inviting a guest is essentially punching 133 00:06:15.480 --> 00:06:17.759 a hole in your perimeter. You're letting an outsider in. 134 00:06:17.800 --> 00:06:20.399 So you want someone with an administrative oversight making that call. 135 00:06:20.639 --> 00:06:23.079 You do not just a random user who wants to 136 00:06:23.079 --> 00:06:24.360 share a doc with their friend. 137 00:06:24.879 --> 00:06:28.120 Let's move on to our second bucket, quality of life, 138 00:06:28.480 --> 00:06:31.560 because let's be honest, and admin's life is mostly dealing 139 00:06:31.600 --> 00:06:34.920 with tickets, and the number one ticket is always I 140 00:06:34.959 --> 00:06:37.000 forgot my password every single time. 141 00:06:37.120 --> 00:06:40.759 It's the bane of every IT department. It just consumes 142 00:06:40.839 --> 00:06:44.040 so much time that could be spent on actual engineering. 143 00:06:44.519 --> 00:06:48.800 So rollbot highlights self service Password Reset SSPR as the solution, 144 00:06:49.160 --> 00:06:51.439 but he knows it's not just to switch you flip. 145 00:06:51.639 --> 00:06:54.879 No, there's a configuration journey. First, you need global admin 146 00:06:54.959 --> 00:06:57.480 rights just to turn it on. But the real configuration 147 00:06:57.560 --> 00:07:01.000 is about the challenge when Bob forgets his word, how 148 00:07:01.000 --> 00:07:02.639 does he prove he's really bobbed right? 149 00:07:02.680 --> 00:07:08.560 The authentication methods the book lists things like the mobile app, email, SMS. 150 00:07:08.160 --> 00:07:11.800 The usual suspects, But the gotcha that always catches people 151 00:07:11.920 --> 00:07:13.439 is the registration requirement. 152 00:07:13.600 --> 00:07:16.519 This is where the human element fails. The technology isn't. 153 00:07:16.319 --> 00:07:19.279 It It is? You can enable SSPR today, but if 154 00:07:19.360 --> 00:07:21.639 your users haven't logged in and set up their security 155 00:07:21.720 --> 00:07:24.680 questions or linked their mobile phone, the feature is useless. 156 00:07:24.959 --> 00:07:27.319 They get locked out, They click reset and the system 157 00:07:27.319 --> 00:07:27.879 says sorry, I. 158 00:07:27.839 --> 00:07:30.199 Don't know who you are exactly, which is why SSPR 159 00:07:30.279 --> 00:07:32.839 isn't just a technical rollout, it's a communication rollout. You 160 00:07:32.879 --> 00:07:36.040 have to pester your users to register before they need it. 161 00:07:36.120 --> 00:07:38.040 You can enforce it right, which. 162 00:07:37.800 --> 00:07:40.399 Is what most smart admins do. You make it mandatory. 163 00:07:40.639 --> 00:07:42.759 You cannot check your email until you set up your 164 00:07:42.759 --> 00:07:43.759 recovery phone number. 165 00:07:44.040 --> 00:07:49.399 Smart. Now, alongside user identity, we have device identity. The 166 00:07:49.399 --> 00:07:53.319 book talks about as your ad join, why does the 167 00:07:53.399 --> 00:07:55.480 cloud care about my laptop? 168 00:07:55.839 --> 00:07:58.879 Well, it goes back to that identity is the firewall idea. 169 00:07:59.519 --> 00:08:02.439 Knowing who you are is step one. Knowing what device 170 00:08:02.480 --> 00:08:05.240 you are using is step two. If you're logging in 171 00:08:05.279 --> 00:08:08.560 from a managed corporate laptop with all the latest antivirus, 172 00:08:08.560 --> 00:08:10.480 maybe I let you in. If you're logging in from 173 00:08:10.480 --> 00:08:13.360 some unknown iPad at an airport, maybe I block you. 174 00:08:13.600 --> 00:08:16.600 So we join devices to azure ad so the cloud 175 00:08:16.600 --> 00:08:19.399 can trust the hardware precisely. And there was a specific 176 00:08:19.480 --> 00:08:23.360 note about licensing here that seemed like a classic exam trap, the. 177 00:08:23.279 --> 00:08:26.120 P two license. Yeah, if you want to do the 178 00:08:26.279 --> 00:08:29.480 advanced stuff like auto and rolling devices into Microsoft Intune 179 00:08:29.480 --> 00:08:32.200 for management as soon as they sign in. Rabot points 180 00:08:32.200 --> 00:08:34.679 out that you often need the Azure ad Premium P 181 00:08:34.799 --> 00:08:37.720 two license. The basic free tier just won't cut it. 182 00:08:38.200 --> 00:08:41.120 Always check the licensing. Okay, let's get into the heavyweight 183 00:08:41.159 --> 00:08:45.320 section of this deep dive segment three Hybrid. Most companies 184 00:08:45.320 --> 00:08:48.080 aren't born in the cloud. They've got servers in a basement. 185 00:08:47.720 --> 00:08:51.120 Somewhere, racks and racks of them running old school active directory, 186 00:08:51.279 --> 00:08:53.919 and they will for a long long time. The bridge 187 00:08:53.919 --> 00:08:58.200 between those two worlds is a tool called Azure ad Connect. 188 00:08:57.759 --> 00:09:00.039 And the goal here is single sign on, right. I 189 00:09:00.039 --> 00:09:02.120 don't want a password for the basement and a different 190 00:09:02.120 --> 00:09:03.039 password for the cloud. 191 00:09:03.159 --> 00:09:07.360 That's the holy grail. But getting there is surprisingly technical. 192 00:09:07.799 --> 00:09:11.080 Rawa outlines three distinct architectures for this, and it's really 193 00:09:11.080 --> 00:09:13.559 crucial we separate them. The exam loves to try and 194 00:09:13.559 --> 00:09:14.399 confuse you on these. 195 00:09:14.519 --> 00:09:19.279 Let's walk through them. First up, Password hash synchronization PHS. 196 00:09:19.480 --> 00:09:22.440 This is the most common and probably the most robust. 197 00:09:23.159 --> 00:09:25.799 You take the user's password on your local server, you 198 00:09:25.919 --> 00:09:29.440 hash it, which basically means putting it through a mathematical blender, 199 00:09:29.480 --> 00:09:31.919 so it's just gibberish, okay, and you send that string 200 00:09:31.919 --> 00:09:35.840 of gibberish up to Azure. When the user logs into 201 00:09:36.000 --> 00:09:40.279 Office three sixty five, Azure checks their password against that 202 00:09:40.440 --> 00:09:41.440 stored hash. 203 00:09:41.519 --> 00:09:44.480 So, in this case, the authentication actually happens in the cloud. 204 00:09:45.000 --> 00:09:46.240 Azure has a copy of the. 205 00:09:46.200 --> 00:09:48.919 Answer key, a mathematical copy yes, correct. 206 00:09:48.720 --> 00:09:52.399 Yeah, okay, next pass through authentication. How's that different? 207 00:09:52.720 --> 00:09:55.480 This is for the paranoid or the highly regulated. Some 208 00:09:55.679 --> 00:09:59.440 organizations have policies that say password data, even hashed, can 209 00:09:59.480 --> 00:10:00.879 never leave physical building. 210 00:10:01.000 --> 00:10:01.919 Okay, so what do they do? 211 00:10:02.279 --> 00:10:04.679 Well? When the user types their password into the cloud 212 00:10:04.720 --> 00:10:07.840 login page, Azure puts it in a secure envelope and 213 00:10:07.919 --> 00:10:10.120 sends it down to a little software agent running on 214 00:10:10.159 --> 00:10:12.879 your local server. Your local server checks the password and 215 00:10:12.879 --> 00:10:14.840 just sends back a simple yes or no. 216 00:10:15.159 --> 00:10:17.279 So the cloud never sees the key. It just asks 217 00:10:17.320 --> 00:10:19.159 the local server to unlock the door for it. 218 00:10:19.440 --> 00:10:23.279 Exactly. But think about the risk there. If your internet 219 00:10:23.279 --> 00:10:24.720 connection to the office goes. 220 00:10:24.559 --> 00:10:27.320 Down, nobody can log into the cloud bingo. 221 00:10:27.200 --> 00:10:30.600 With password hash sync. If your office loses power, people 222 00:10:30.639 --> 00:10:33.440 can still get their email from Starbucks because the cloud 223 00:10:33.519 --> 00:10:37.000 has the hash with pass through. If the office goes dark, 224 00:10:37.159 --> 00:10:38.399 the cloud goes dark. 225 00:10:38.519 --> 00:10:43.120 That is a critical distinction for disaster recovery okay. And 226 00:10:43.159 --> 00:10:45.480 the third one federation. 227 00:10:45.240 --> 00:10:50.039 That's the big iron ADFS Active Directory Federation Services. That's 228 00:10:50.080 --> 00:10:52.879 for when you have really complex needs, like using smart 229 00:10:52.879 --> 00:10:56.480 cards or integrating with other identity providers. It requires you 230 00:10:56.559 --> 00:10:59.360 to build and manage a whole farm of servers. 231 00:10:59.200 --> 00:11:01.320 So unless you have a very specific reason. 232 00:11:01.279 --> 00:11:03.200 You usually try to avoid that complexity. 233 00:11:03.240 --> 00:11:06.159 Now, Rawat gives a really specific warning about setting up 234 00:11:06.200 --> 00:11:09.200 Azure ad connect. He talks about the upn suffix. It 235 00:11:09.279 --> 00:11:11.759 sounds super technical, but he says it breaks everything if 236 00:11:11.759 --> 00:11:12.399 you ignore it. 237 00:11:12.399 --> 00:11:16.039 It's the classic dot local problem. So many older internal 238 00:11:16.080 --> 00:11:19.519 networks were named something like company dot local, but dot 239 00:11:19.559 --> 00:11:22.080 local isn't a valid domain on the public Internet. You 240 00:11:22.120 --> 00:11:23.679 can't route email to it. 241 00:11:23.879 --> 00:11:26.559 So if my username is Bob at company dot local 242 00:11:26.720 --> 00:11:27.639 and I sink that to. 243 00:11:27.600 --> 00:11:29.799 The cloud, Azure just looks at it and says I 244 00:11:29.799 --> 00:11:32.399 can't use this, so it renames you to something like 245 00:11:32.720 --> 00:11:37.679 Bob at company dot on Microsoft dot com. It works technically, 246 00:11:37.960 --> 00:11:40.559 but it's ugly and Bob is confused because his login 247 00:11:40.679 --> 00:11:41.519 name just changed. 248 00:11:41.919 --> 00:11:45.200 So the fix is to add your real public domain 249 00:11:45.519 --> 00:11:48.519 DASH like company dot com dash to your local server 250 00:11:48.759 --> 00:11:49.799 before you sink. 251 00:11:49.759 --> 00:11:52.799 Exactly align the names before you build the bridge. 252 00:11:52.840 --> 00:11:55.519 Speaking of the bridge, there's a feature called password right back. 253 00:11:56.159 --> 00:11:57.720 It sounds like it reverses the flow. 254 00:11:57.960 --> 00:12:02.799 It closes the loop, rememberspr if Bob resets his password 255 00:12:02.799 --> 00:12:05.320 in the cloud on Sunday night, his computer in the 256 00:12:05.360 --> 00:12:08.120 office needs to know about that new password on Monday morning. 257 00:12:08.240 --> 00:12:11.159 Right right back pushes that change from Azure down to 258 00:12:11.200 --> 00:12:11.879 the local server. 259 00:12:12.480 --> 00:12:15.679 And the source mentioned a really specific security benefit with 260 00:12:15.759 --> 00:12:19.399 firewalls here. Usually security teams hate letting the cloud push 261 00:12:19.519 --> 00:12:20.639 things into their network. 262 00:12:20.720 --> 00:12:23.679 They do because that usually means opening an inbound port 263 00:12:23.720 --> 00:12:25.879 on the firewall, which is a security risk. It's like 264 00:12:25.960 --> 00:12:27.000 leaving a window open. 265 00:12:27.639 --> 00:12:28.840 But right back is different. 266 00:12:29.200 --> 00:12:32.159 Right Rowatt points out that password right back uses an 267 00:12:32.159 --> 00:12:35.759 outbound connection on port four four three. The local server 268 00:12:35.879 --> 00:12:39.159 reaches out to the cloud every few seconds and just asks, hey, any. 269 00:12:39.039 --> 00:12:42.000 Updates for me some no open holes in the firewall. 270 00:12:42.080 --> 00:12:45.960 Correct, it's firewall friendly. It pulls the changes down. Nothing 271 00:12:46.039 --> 00:12:47.440 is pushed in without permission. 272 00:12:47.480 --> 00:12:51.000 That's a really elegant solution. Okay, populated or users, we've 273 00:12:51.039 --> 00:12:55.039 synced our hybrid identity. Now the final piece who gets 274 00:12:55.039 --> 00:12:59.919 to do what? Second four role based access control or RBA. 275 00:13:00.559 --> 00:13:02.559 This is the keys to the Kingdom part and the 276 00:13:02.600 --> 00:13:06.919 golden rule here which route really hammers home is least privilege, 277 00:13:07.039 --> 00:13:09.759 which means give people exactly enough permission to do their 278 00:13:09.879 --> 00:13:12.480 job and not one inch more. You do not make 279 00:13:12.480 --> 00:13:15.000 everyone a global admin just because it's easier. That is 280 00:13:15.080 --> 00:13:16.399 just asking for a disaster. 281 00:13:16.720 --> 00:13:20.519 The book highlights the big three built in roles, owner, contributor, 282 00:13:20.559 --> 00:13:24.000 and reader. Reader's obvious look but don't touch right. But 283 00:13:24.080 --> 00:13:26.840 the owner versus contributor battle is where the exam in 284 00:13:26.840 --> 00:13:28.480 real life gets tricky. 285 00:13:28.759 --> 00:13:31.679 It is the most common point of confusion. A contributor 286 00:13:31.720 --> 00:13:36.159 is extremely powerful. They can build virtual machines, delete databases, 287 00:13:36.279 --> 00:13:38.960 wipe storage accounts. I mean, they can do almost anything 288 00:13:39.039 --> 00:13:40.320 to the technology itself. 289 00:13:40.440 --> 00:13:41.679 But there's one thing they can't do. 290 00:13:42.440 --> 00:13:45.720 They cannot give anyone else access. They cannot hand out keys. 291 00:13:46.519 --> 00:13:47.759 Only the owner can do that. 292 00:13:48.200 --> 00:13:51.080 I like the analogy of a contractor renovating a house. 293 00:13:51.679 --> 00:13:55.440 The contractor the contributor can tear down the kitchen wall, 294 00:13:55.759 --> 00:13:57.919 install a new sink, paint the ceiling. 295 00:13:58.120 --> 00:14:00.559 Yeah, that's perfect. They can do all the work inside 296 00:14:00.559 --> 00:14:01.240 the house. 297 00:14:01.120 --> 00:14:03.039 But they can't just give a copy of the front 298 00:14:03.080 --> 00:14:03.720 door key. 299 00:14:03.600 --> 00:14:07.279 To their friend exactly, and that separation is vital. You 300 00:14:07.320 --> 00:14:09.360 want your developers to be able to build fast, but 301 00:14:09.399 --> 00:14:12.200 you don't want them bypassing your security governance, by just 302 00:14:12.279 --> 00:14:14.679 granting access to unauthorized people. 303 00:14:15.039 --> 00:14:17.840 And these roles don't just exist in a vacuum. Rawat 304 00:14:17.840 --> 00:14:20.639 talks about scope. It's not just what role you have, 305 00:14:20.759 --> 00:14:21.679 but where you have it. 306 00:14:22.159 --> 00:14:25.159 Think of scope like a set of nesting dolls. You 307 00:14:25.200 --> 00:14:27.559 have the subscription on the outside, that's the big container. 308 00:14:27.720 --> 00:14:30.960 Then you've got resource groups inside that, and then individual 309 00:14:31.000 --> 00:14:33.600 resources like a specific VM inside that. 310 00:14:34.039 --> 00:14:36.600 So if I'm an owner at the top, at the. 311 00:14:36.519 --> 00:14:40.200 Subscription level, you are the god of everything inside that subscription. Yeah, 312 00:14:40.240 --> 00:14:43.399 every resource group, every database. But if I only make 313 00:14:43.440 --> 00:14:46.559 you an owner of one specific resource group, you can't 314 00:14:46.600 --> 00:14:47.559 touch the one next to it. 315 00:14:47.639 --> 00:14:49.720 So permissions flow down, yes. 316 00:14:49.919 --> 00:14:52.919 Which is why you should always assign permissions as low 317 00:14:53.039 --> 00:14:57.039 down the hierarchy as possible. Don't give subscription level access 318 00:14:57.080 --> 00:14:59.840 if someone only needs to manage one database. 319 00:15:00.639 --> 00:15:04.159 Finally, what happens when the built in roles just aren't enough? 320 00:15:04.720 --> 00:15:06.720 The source mentions custom roles. 321 00:15:07.000 --> 00:15:09.720 Sometimes you have a weird requirement like I need a 322 00:15:09.799 --> 00:15:12.720 user who can restart a virtual machine, but cannot delete it. 323 00:15:12.879 --> 00:15:14.360 There's no built in role. 324 00:15:14.200 --> 00:15:15.559 For that, so you have to make your own. 325 00:15:15.720 --> 00:15:18.759 Exactly, you write a custom role using JSON. It lets 326 00:15:18.759 --> 00:15:21.919 you pick and choose specific actions from the Azure library. 327 00:15:22.080 --> 00:15:24.159 And there was a piece of trivia here that felt important, 328 00:15:24.440 --> 00:15:26.200 a hard limit on how many of these you can make. 329 00:15:26.360 --> 00:15:30.200 Five thousand. You can create five thousand custom roles per tenant. 330 00:15:30.399 --> 00:15:31.480 That sounds like a lot. 331 00:15:31.639 --> 00:15:33.960 It is. If you need five thousand custom roles, you 332 00:15:33.960 --> 00:15:36.360 probably have a management problem, not a technical one. 333 00:15:36.559 --> 00:15:38.799 You're making things too complicated, right. 334 00:15:39.120 --> 00:15:43.720 But interestingly, Rowat notes that for sovereign clouds like Azure 335 00:15:43.799 --> 00:15:47.879 China or Azure Germany, that limit drops to two thousand. 336 00:15:48.200 --> 00:15:50.000 Just a little detail to keep in the back of 337 00:15:50.039 --> 00:15:51.960 your mind if you're working globally. 338 00:15:52.120 --> 00:15:55.519 It shows that even the cloud has physical limits and 339 00:15:55.639 --> 00:15:57.440 different rules based on the region. 340 00:15:57.919 --> 00:16:00.240 So let's bring this all together. We've gone from a 341 00:16:00.240 --> 00:16:04.039 blank CSV file, populated it with users, sink them across 342 00:16:04.080 --> 00:16:07.480 a hybrid bridge, and finally lock them down with RBAC policies. 343 00:16:07.559 --> 00:16:10.480 It's the full life cycle of identity. And what I 344 00:16:10.559 --> 00:16:13.200 like about this source material is that it really emphasizes 345 00:16:13.240 --> 00:16:15.879 these aren't just exam topics. This is the daily bread 346 00:16:15.919 --> 00:16:17.559 and butter of an admin. This is what keeps the 347 00:16:17.600 --> 00:16:18.080 lights on. 348 00:16:18.360 --> 00:16:21.519 It really reinforces that idea we started with in twenty 349 00:16:21.559 --> 00:16:24.519 twenty six. You aren't configuring ports and switches as much 350 00:16:24.519 --> 00:16:26.399 as you're configuring people and permissions. 351 00:16:26.399 --> 00:16:28.519 Absolutely, the identity is the perimeter. 352 00:16:28.759 --> 00:16:30.559 Now, before we sign off, I want to leave the 353 00:16:30.559 --> 00:16:33.320 listener with the thought. We talked a lot about automation today, 354 00:16:33.600 --> 00:16:36.360 dynamic roots, self service, password resets. 355 00:16:36.759 --> 00:16:39.279 It's all about speed, speed versus security. 356 00:16:39.639 --> 00:16:42.759 Exactly if you automate access, say you set up a 357 00:16:42.840 --> 00:16:46.720 dynamic rule where everyone in the engineering department automatically gets 358 00:16:46.879 --> 00:16:51.120 contributor access to your production environment. What happens when HR 359 00:16:51.279 --> 00:16:54.039 types the wrong department into a new hires file. 360 00:16:54.200 --> 00:16:57.679 You've just automated a security breach. You've given the keys 361 00:16:57.879 --> 00:17:00.960 to the kingdom to the wrong person instead without a 362 00:17:01.039 --> 00:17:02.159 human double checking it. 363 00:17:02.240 --> 00:17:05.519 Right. As we automate more, the blast radius of a 364 00:17:05.559 --> 00:17:08.559 simple typo just gets bigger and bigger. It's something to 365 00:17:08.640 --> 00:17:11.559 chew on as you build out your own policies. Trust, 366 00:17:11.880 --> 00:17:13.559 but you know, verify. 367 00:17:13.279 --> 00:17:15.079 Your automation couldn't a set a better myself. 368 00:17:15.400 --> 00:17:17.720 That's it for this deep dive into the gatekeepers of 369 00:17:17.759 --> 00:17:19.799 the cloud. Thanks for listening, and we'll catch you on 370 00:17:19.799 --> 00:17:20.279 the next one. 371 00:17:20.440 --> 00:17:21.200 Goodbye everyone,