Merge pull request #256830 from rolyon/rolyon-rbac-role-assignments-card-tabs

[Azure RBAC] List or manage privileged administrator role assignments

Author: JamesJBarnett

articles/role-based-access-control/best-practices.md

@@ -7,7 +7,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 06/28/2022
+ms.date: 11/06/2023
 ms.author: rolyon
 
 #Customer intent: As a dev, devops, or it admin, I want to learn how to best use Azure RBAC.
@@ -33,6 +33,17 @@ For information about how to assign roles, see [Assign Azure roles using the Azu
 
 You should have a maximum of 3 subscription owners to reduce the potential for breach by a compromised owner. This recommendation can be monitored in Microsoft Defender for Cloud. For other identity and access recommendations in Defender for Cloud, see [Security recommendations - a reference guide](../security-center/recommendations-reference.md).
 
+## Limit privileged administrator role assignments
+
+Some roles are identified as [privileged administrator roles](./role-assignments-steps.md#privileged-administrator-roles). Consider taking the following actions to improve your security posture:
+
+- Remove unnecessary privileged role assignments.
+- Avoid assigning a privileged administrator role when a [job function role](./role-assignments-steps.md#job-function-roles) can be used instead.
+- If you must assign a privileged administrator role, use a narrow scope, such as resource group or resource, instead of a broader scope, such as management group or subscription.
+- If you are assigning a role with permission to create role assignments, consider adding a condition to constrain the role assignment. For more information, see [Delegate the Azure role assignment task to others with conditions (preview)](delegate-role-assignments-portal.md).
+
+For more information, see [List or manage privileged administrator role assignments](./role-assignments-list-portal.md#list-or-manage-privileged-administrator-role-assignments).
+
 <a name='use-azure-ad-privileged-identity-management'></a>
 
 ## Use Microsoft Entra Privileged Identity Management
@@ -58,7 +69,7 @@ For more information, see [Assign a role using the unique role ID and Azure Powe
 
 ## Avoid using a wildcard when creating custom roles
 
-When creating custom roles, you can use the wildcard (`*`) character to define permissions. It's recommended that you specify `Actions` and `DataActions` explicitly instead of using the wildcard (`*`) character. The additional access and permissions granted through future `Actions` or `DataActions` may be unwanted behavior using the wildcard. For more information, see [Azure custom roles](custom-roles.md#wildcard-permissions).
+When creating custom roles, you can use the wildcard (`*`) character to define permissions. It's recommended that you specify `Actions` and `DataActions` explicitly instead of using the wildcard (`*`) character. The additional access and permissions granted through future `Actions` or `DataActions` might be unwanted behavior using the wildcard. For more information, see [Azure custom roles](custom-roles.md#wildcard-permissions).
 
 ## Next steps
 

articles/role-based-access-control/media/role-assignments-list-portal/access-control-role-assignments-privileged-manage.png

@@ -7,7 +7,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: how-to
 ms.workload: identity
-ms.date: 09/13/2022
+ms.date: 11/06/2023
 ms.author: rolyon
 ---
 
@@ -52,6 +52,28 @@ Users that have been assigned the [Owner](built-in-roles.md#owner) role for a su
 
    ![Screenshot of subscription Access control and Role assignments tab.](./media/role-assignments-list-portal/sub-access-control-role-assignments-owners.png)
 
+## List or manage privileged administrator role assignments
+
+On the **Role assignments** tab, you can list and see the count of privileged administrator role assignments at the current scope. For more information, see [Privileged administrator roles](role-assignments-steps.md#privileged-administrator-roles).
+
+1. In the Azure portal, click **All services** and then select the scope. For example, you can select **Management groups**, **Subscriptions**, **Resource groups**, or a resource.
+
+1. Click the specific resource.
+
+1. Click **Access control (IAM)**.
+
+1. Click the **Role assignments** tab and then click the **Privileged** tab to list the privileged administrator role assignments at this scope.
+
+    :::image type="content" source="./media/role-assignments-list-portal/access-control-role-assignments-privileged.png" alt-text="Screenshot of Access control page, Role assignments tab, and Privileged tab showing privileged role assignments." lightbox="./media/role-assignments-list-portal/access-control-role-assignments-privileged.png":::
+
+1. To see the count of privileged administrator role assignments at this scope, see the **Privileged** card.
+
+1. To manage privileged administrator role assignments, see the **Privileged** card and click **View assignments**.
+
+    On the **Manage privileged role assignments** page, you can add a condition to constrain the privileged role assignment or remove the role assignment. For more information, see [Delegate the Azure role assignment task to others with conditions (preview)](delegate-role-assignments-portal.md).
+
+    :::image type="content" source="./media/role-assignments-list-portal/access-control-role-assignments-privileged-manage.png" alt-text="Screenshot of Manage privileged role assignments page showing how to add conditions or remove role assignments." lightbox="./media/role-assignments-list-portal/access-control-role-assignments-privileged-manage.png":::
+
 ## List role assignments at a scope
 
 1. In the Azure portal, click **All services** and then select the scope. For example, you can select **Management groups**, **Subscriptions**, **Resource groups**, or a resource.

articles/role-based-access-control/media/role-assignments-list-portal/access-control-role-assignments-privileged.png

@@ -7,7 +7,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: how-to
 ms.workload: identity
-ms.date: 09/20/2023
+ms.date: 11/06/2023
 ms.author: rolyon
 ms.custom: contperf-fy21q3-portal,subject-rbac-steps
 ---
@@ -68,9 +68,9 @@ If you need to assign administrator roles in Microsoft Entra ID, see [Assign Mic
 
 1. If you want to assign a privileged administrator role, select the **Privileged administrator roles** tab to select the role.
 
-    Privileged administrator roles are roles that grant privileged administrator access, such as the ability to manage Azure resources or assign roles to other users. You should avoid assigning a privileged administrator role when a job function role can be assigned instead. If you must assign a privileged administrator role, use a narrow scope, such as resource group or resource. For more information, see [Privileged administrator roles](./role-assignments-steps.md#privileged-administrator-roles).
-
-   ![Screenshot of Add role assignment page with Privileged administrator roles tab selected.](./media/shared/privileged-administrator-roles.png)
+    For best practices when using privileged administrator role assignments, see [Best practices for Azure RBAC](best-practices.md#limit-privileged-administrator-role-assignments).
+    
+    ![Screenshot of Add role assignment page with Privileged administrator roles tab selected.](./media/shared/privileged-administrator-roles.png)
 
 1. In the **Details** column, click **View** to get more details about a role.
 

articles/role-based-access-control/media/role-assignments-list-portal/azure-role-assignments-user.png

@@ -7,7 +7,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: how-to
 ms.workload: identity
-ms.date: 08/09/2023
+ms.date: 11/06/2023
 ms.author: rolyon
 ---
 
@@ -56,9 +56,10 @@ Privileged administrator roles are roles that grant privileged administrator acc
 | --- | --- |
 | [Owner](built-in-roles.md#owner) | <ul><li>Grants full access to manage all resources</li><li>Assign roles in Azure RBAC</li></ul> |
 | [Contributor](built-in-roles.md#contributor) | <ul><li>Grants full access to manage all resources</li><li>Can't assign roles in Azure RBAC</li><li>Can't manage assignments in Azure Blueprints or share image galleries</li></ul> |
+| [Role Based Access Administrator (Preview)](built-in-roles.md#role-based-access-control-administrator-preview) | <ul><li>Manage user access to Azure resources</li><li>Assign roles in Azure RBAC</li><li>Assign themselves or others the Owner role</li><li>Can't manage access using other ways, such as Azure Policy</li></ul> |
 | [User Access Administrator](built-in-roles.md#user-access-administrator) | <ul><li>Manage user access to Azure resources</li><li>Assign roles in Azure RBAC</li><li>Assign themselves or others the Owner role</li></ul> |
 
-It's a best practice to grant users the least privilege to get their work done. You should avoid assigning a privileged administrator role when a job function role can be assigned instead. If you must assign a privileged administrator role, use a narrow scope, such as resource group or resource, instead of a broader scope, such as management group or subscription.
+For best practices when using privileged administrator role assignments, see [Best practices for Azure RBAC](best-practices.md#limit-privileged-administrator-role-assignments). For more information, see [Privileged administrator role definition](./role-definitions.md#privileged-administrator-role-definition).
 
 ## Step 3: Identify the needed scope
 

articles/role-based-access-control/media/role-assignments-list-portal/rg-access-control-role-assignments.png

@@ -8,7 +8,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 04/05/2023
+ms.date: 11/06/2023
 ms.author: rolyon
 ms.custom:
 ---
@@ -359,6 +359,23 @@ Although it's possible to create a custom role with a resource instance in `Assi
 
 For more information about `AssignableScopes` for custom roles, see [Azure custom roles](custom-roles.md).
 
+## Privileged administrator role definition
+
+Privileged administrator roles are roles that grant privileged administrator access, such as the ability to manage Azure resources or assign roles to other users. If a built-in or custom role includes any of the following actions, it is considered privileged. For more information, see [List or manage privileged administrator role assignments](./role-assignments-list-portal.md#list-or-manage-privileged-administrator-role-assignments).
+
+> [!div class="mx-tableFixed"]
+> | Action string | Description |
+> | --- | --- |
+> | `*` | Create and manage resources of all types. |
+> | `*/delete` | Delete resources of all types. |
+> | `*/write` | Write resources of all types. |
+> | `Microsoft.Authorization/denyAssignments/delete` | Delete a deny assignment at the specified scope. |
+> | `Microsoft.Authorization/denyAssignments/write` | Create a deny assignment at the specified scope. |
+> | `Microsoft.Authorization/roleAssignments/delete` | Delete a role assignment at the specified scope. |
+> | `Microsoft.Authorization/roleAssignments/write` | Create a role assignment at the specified scope. |
+> | `Microsoft.Authorization/roleDefinitions/delete` | Delete the specified custom role definition. |
+> | `Microsoft.Authorization/roleDefinitions/write` | Create or update a custom role definition with specified permissions and assignable scopes. |
+
 ## Next steps
 
 * [Understand role assignments](role-assignments.md)