Azure Governance, Privacy, and Compliance include things like role-based access control, resource locks, tags, Azure Policy, Azure Blueprints, and more. In addition to these, we’ll look at the purpose of the Microsoft Privacy Statement, Online Services Terms, and Data Protection Amendment policies. Regarding privacy and compliance, Microsoft has the Azure Sovereign Regions, which include Government cloud services and Azure China cloud services. Protecting the data that’s entrusted to Microsoft by using strong encryption and access controls is a core tenet of Azure Governance, Privacy, and Compliance.
Azure Role-Based Access Control
Role-Based Access Control helps you manage who has access to Azure resources, what they can do with those resources, and which resources and areas they have access to. This is built on Azure Resource Manager which provides fine-grained access management of Azure resources. Administrative roles are used for granting access to privileged actions in Azure AD. We recommend using these built-in roles for delegating access to manage broad application configuration permissions without granting access to manage other parts of Azure AD not related to application configuration. Here is a list of Built-In Administrative Roles in Azure:
- Application administrator – Can create and manage all aspects of app registrations and enterprise apps.
- Application developer – Can create application registrations independent of the ‘Users can register applications’ setting.
- Attack payload author – Can create attack payloads that an administrator can initiate later.
- Attack simulation administrator – Can create and manage all aspects of attack simulation campaigns.
- Attribute assignment administrator – Can assign attribute keys and values to Azure AD objects.
- Attribute assignment reader – Reads attribute keys and values to Azure AD objects.
- Attribute definition administrator – Can define and manage the definition of security attributes for the tenant.
- Attribute definition reader – Read the definition of security attributes for the tenant.
- Authentication administrator – Has access to view, set, and reset authentication method information for any non-admin user.
- Authentication policy administrator – Can create and manage all aspects of authentication methods and password protection policies.
- Azure AD joined device local administrator – Users assigned to this role are added to the local administrators group on Azure AD-joined devices.
- Azure DevOps administrator – Can manage Azure DevOps organization policy and settings.
- Azure Information Protection administrator – Can manage all aspects of the Azure Information Protection product.
- B2C IEF Keyset administrator – Can manage secrets for federation and encryption in the Identity Experience Framework.
- B2C IEF Policy administrator – Can create and manage trust framework policies in the Identity Experience Framework.
- Billing administrator – Can perform common billing related tasks like updating payment information.
- Cloud App Security Administrator – Can manage all aspects of the Cloud App Security product.
- Cloud application administrator – Can create and manage all aspects of app registrations and enterprise apps except App Proxy.
- Cloud device administrator – Full access to manage devices in Azure AD.
- Compliance administrator – Can read and manage compliance configuration and reports in Azure AD and Office 365.
- Compliance data administrator – Can create and manage compliance content.
- Conditional Access administrator – Can manage Conditional Access capabilities.
- Customer LockBox access approver – Can approve Microsoft support requests to access customer organizational data.
- Desktop Analytics administrator – Can access and manage Desktop management tools and services.
- Directory readers – Can read basic directory information. Commonly used to grant directory read access to applications and guests.
- Directory writers – Can read and write basic directory information. For granting access to applications, not intended for users.
- Domain name administrator – Can manage domain names in cloud and on-premises.
- Dynamics 365 administrator – Can manage all aspects of the Dynamics 365 product.
- Edge administrator – Can create and manage Edge EMIE Site Lists.
- Exchange administrator – Can manage all aspects of the Exchange product.
- Exchange recipient administrator – Can create or update Exchange Online recipients within the Exchange Online organization.
- External ID user flow administrator – Can create and manage all aspects of user flows.
- External ID user flow attribute administrator – Can create and manage the attribute schema available to all user flows.
- External Identity Provider administrator – Can configure identity providers for use in direct federation.
- Global administrator – Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.
- Global reader – Can read everything that a global administrator can, but not update anything.
- Groups administrator – Can manage all aspects of groups and group settings like naming and expiration policies.
- Guest inviter – Can invite guest users independent of the ‘members can invite guests’ setting.
- Helpdesk administrator – Can reset passwords for non-administrators and Helpdesk administrators.
- Hybrid identity administrator – Can manage AD to Azure AD cloud sync and federation settings.
- Identity Governance Administrator – Manage access using Azure AD for identity governance scenarios.
- Insights administrator – Has administrative access in the Insights app.
- Insights business leader – Can view and share dashboards and insights via the M365 Insights app.
- Intune administrator – Can manage all aspects of the Intune product.
- Kaizala administrator – Can manage settings for Microsoft Kaizala.
- Knowledge administrator – Can configure knowledge, learning and other intelligent features.
- Knowledge manager – Has access to topic management dashboard and can manage content.
- License administrator – Ability to assign, remove and update license assignments.
- Message center privacy reader – Can read Message Center posts, data privacy messages, groups, domains and subscriptions.
- Message center reader – Can read messages and updates for their organization in Office 365 Message Center only.
- Network administrator – Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications.
- Office apps administrator – Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish “what’s new” feature content to end-user’s devices.
- Password administrator – Can reset passwords for non-administrators and Password administrators.
- Power BI administrator – Can manage all aspects of the Power BI product.
- Power platform administrator – Can create and manage all aspects of Microsoft Dynamics 365, PowerApps, and Microsoft Flows.
- Printer administrator – Can manage all aspects of printers and printer connectors.
- Printer technician – Can register and unregister printers and update printer status.
- Privileged authentication administrator – Allowed to view, set and reset authentication method information for any user (admin or non-admin).
- Privileged role administrator – Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management.
- Reports reader – Can read sign-in and audit reports.
- Search administrator – Can create and manage all aspects of Microsoft Search settings.
- Search editor – Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan.
- Security administrator – Can read security information and reports, and manage configuration in Azure AD and Office 365.
- Security operator – Can create and manage security events.
- Security reader – Can read security information and reports in Azure AD and Office 365.
- Service support administrator – Can read service health information and manage support tickets.
- SharePoint administrator – Can manage all aspects of the SharePoint service.
- Skype for Business administrator – Can manage all aspects of the Skype for Business product.
- Teams administrator – Can manage the Microsoft Teams service.
- Teams communications administrator – Can manage calling and meetings features within the Microsoft Teams service.
- Teams Communications Support Engineer – Can troubleshoot communications issues within Teams using advanced tools.
- Teams Communications Support Specialist – Can troubleshoot communications issues within Teams using basic tools.
- Teams devices administrator – Can perform management related tasks on Teams certified devices.
- Usage summary reports reader – Can see only tenant level aggregates in M365 Usage Analytics and Productivity Score.
- User administrator – Can manage all aspects of users and groups, including resetting passwords for limited admins.
- Windows 365 Administrator – Can provision and manage all aspects of Cloud PCs.
- Windows update deployment administrator – Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service.
Azure Resource Locks
Azure Resource Locks are a great safety mechanism in Azure. Resource Locks prevent other users in the company from accidentally deleting or modifying mission critical resources. The lock overrides any permissions the user might have. They are a good idea when it is better to be safe than sorry.
Azure Policy is the definition of the conditions which you want to control or govern. We use Azure Policy to help enforce our standards, such as ensuring virtual machines are only deployed in certain sizes or with strict naming conventions.
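As an added illustration (not from the original article), here is a custom Azure Policy definition that denies any virtual machine whose size is outside an allowed list or whose name does not match a required prefix. The parameter names, the default sizes and the `vm-*` pattern are assumptions chosen for the example.

```json
{
  "properties": {
    "displayName": "Example: allowed VM sizes and name prefix",
    "description": "Illustrative definition added to this article; parameter names and defaults are assumptions.",
    "mode": "Indexed",
    "parameters": {
      "allowedSizes": {
        "type": "Array",
        "defaultValue": ["Standard_B2s", "Standard_D2s_v3"]
      },
      "namePattern": {
        "type": "String",
        "defaultValue": "vm-*"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
          {
            "anyOf": [
              {
                "not": {
                  "field": "Microsoft.Compute/virtualMachines/sku.name",
                  "in": "[parameters('allowedSizes')]"
                }
              },
              { "field": "name", "notLike": "[parameters('namePattern')]" }
            ]
          }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Setting the effect to `audit` instead of `deny` reports non-compliant machines without blocking deployments, which is a common first step before enforcing.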
Azure Initiative is a collection of Azure policy definitions that are grouped together towards a specific goal. Management groups are a common boundary to enforce policy across multiple subscriptions at the same time. It’s how we can provide consistency at scale.
Azure Blueprints is a container for composing sets of standards, patterns, and requirements for implementation of Azure cloud services, security, and design. Blueprints are often used in the same sentence as the phrase “New Environments”.
Azure Tags can be the basis for applying business policies or tracking costs. Tagging rules can be enforced with Azure Policies. Tags applied to the resource group or subscription aren’t inherited by the resources.
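Because tags are not inherited, a policy with the `modify` effect can copy a tag from the resource group onto resources that lack it. The definition below is an added example, not from the original article; the `tagName` parameter is an assumption, and the role ID is the built-in Contributor role that the policy's managed identity needs in order to write the tag.

```json
{
  "properties": {
    "displayName": "Example: inherit a tag from the resource group if missing",
    "description": "Illustrative definition added to this article; the tagName parameter is an assumption.",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": { "description": "Name of the tag to copy, such as CostCenter" }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          },
          {
            "value": "[resourceGroup().tags[parameters('tagName')]]",
            "notEquals": ""
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[resourceGroup().tags[parameters('tagName')]]"
            }
          ]
        }
      }
    }
  }
}
```

New and updated resources are tagged at deployment time; resources that already exist are only changed when a remediation task is run for the assignment.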
Cloud Adoption Framework
The Cloud Adoption Framework is professional guidance from Microsoft designed to help organizations create and implement business and technology strategies to succeed in Azure. Any successful cloud operation will entail defining a strategy, having a plan, getting ready, adopting technology, having proper governance, and finally managing the final solution.
Security Privacy Compliance
Privacy is about making meaningful choices for how and why data is collected and used. In this modern age so much data is collected, it is paramount that big companies like Microsoft do a great job with transparency regarding data collection and use.
Security is protecting the data that is entrusted to Microsoft by using strong encryption and access controls. Compliance with regulation for any organization is critical, and Microsoft aims to ease this task as much as possible for customers. The Azure Compliance Documentation helps with finding relevant compliance standards and is grouped geographically and by industry. There are also template audit documents available that can be tailored to the needs of your organization. The Microsoft Privacy Statement explains what data Microsoft processes, how Microsoft processes it, and for what purpose data is utilized. This goes back to that commitment to transparency that Microsoft has adhered to. The Online Service Terms (OST) contains all the terms and conditions for software and online services through Microsoft Commercial Licensing Programs. OST is now known as the Product Terms Site. Data Protection Amendment (DPA) further defines the data processing and security terms for online services, including compliance, disclosure, security, transfer, and retention. This is also known as the Data Protection Addendum.
Azure Trust Center
The Azure Trust Center is where one can learn about the four pillars of trust in Microsoft Azure:
Azure Sovereign Regions
These are special regions that may be required for compliance or legal purposes. These include Government, China, and Germany.
Azure Governance, Privacy, And Compliance Summary
This aspect of the cloud is not the most exciting per se, but it is important to be aware of how the way services are deployed and consumed affects users. In particular, we saw how important data collection transparency, meeting regulatory compliance, and top-notch data security are.