Merge pull request #111884 from rolyon/rolyon-rbac-best-practices

[Azure RBAC] Best practices

Author: PMEds28

.openpublishing.redirection.json

@@ -33548,8 +33548,13 @@
     },
     {
       "source_path": "articles/active-directory/pim-azure-resource.md",
-      "redirect_url": "/azure/role-based-access-control/pim-azure-resource",
-      "redirect_document_id": true
+      "redirect_url": "/azure/role-based-access-control/best-practices",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/role-based-access-control/pim-azure-resource.md",
+      "redirect_url": "/azure/role-based-access-control/best-practices",
+      "redirect_document_id": false
     },
     {
       "source_path": "articles/active-directory/role-based-access-control-resource-provider-operations.md",

articles/databox/data-box-logs.md

@@ -43,7 +43,7 @@ To restrict access to an order, you can:
 - Assign a role at an order level. The user only has those permissions as defined by the roles to interact with that specific Data Box order only and nothing else.
 - Assign a role at the resource group level, the user has access to all the Data Box orders within a resource group.
 
-For more information on suggested RBAC use, see [Best practices for RBAC](../role-based-access-control/overview.md#best-practice-for-using-rbac).
+For more information on suggested RBAC use, see [Best practices for Azure RBAC](../role-based-access-control/best-practices.md).
 
 ## Track the order
 

articles/role-based-access-control/TOC.yml

@@ -28,8 +28,8 @@
     href: tutorial-custom-role-cli.md
 - name: Concepts
   items:
-  - name: PIM for Azure resources
-    href: pim-azure-resource.md
+  - name: Best practices
+    href: best-practices.md
   - name: Conditional Access for Azure management
     href: conditional-access-azure-management.md
 - name: How-to guides

articles/role-based-access-control/best-practices.md

@@ -0,0 +1,46 @@
+---
+title: Best practices for Azure RBAC
+description: Best practices for using Azure role-based access control (Azure RBAC).
+services: active-directory
+documentationcenter: ''
+author: rolyon
+manager: mtillman
+ms.service: role-based-access-control
+ms.devlang: na
+ms.topic: conceptual
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.date: 04/17/2020
+ms.author: rolyon
+ms.reviewer: bagovind
+
+#Customer intent: As a dev, devops, or it admin, I want to learn how to best use Azure RBAC.
+---
+
+# Best practices for Azure RBAC
+
+This article describes some best practices for using Azure role-based access control (Azure RBAC). These best practices are derived from our experience with Azure RBAC and the experiences of customers like yourself.
+
+## Only grant the access users need
+
+Using Azure RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, you can allow only certain actions at a particular scope.
+
+When planning your access control strategy, it's a best practice to grant users the least privilege to get their work done. The following diagram shows a suggested pattern for using RBAC.
+
+![RBAC and least privilege](./media/best-practices/rbac-least-privilege.png)
+
+For information about how to add role assignments, see [Add or remove role assignments](role-assignments-portal.md).
+
+## Limit the number of subscription owners
+
+You should have a maximum of 3 subscription owners to reduce the potential for breach by a compromised owner. This recommendation can be monitored in Azure Security Center. For other identity and access recommendations in Security Center, see [Security recommendations - a reference guide](../security-center/recommendations-reference.md).
+
+## Use Azure AD Privileged Identity Management
+
+To protect privileged accounts from malicious cyber-attacks, you can use Azure Active Directory Privileged Identity Management (PIM) to lower the exposure time of privileges and increase your visibility into their use through reports and alerts. PIM helps protect privileged accounts by providing just-in-time privileged access to Azure AD and Azure resources. Access can be time bound after which privileges are revoked automatically. 
+
+For more information, see [What is Azure AD Privileged Identity Management?](../active-directory/privileged-identity-management/pim-configure.md).
+
+## Next steps
+
+- [Troubleshoot Azure RBAC](troubleshooting.md)

articles/role-based-access-control/media/overview/rbac-least-privilege.png renamed to articles/role-based-access-control/media/best-practices/rbac-least-privilege.png

@@ -12,7 +12,7 @@ ms.devlang: na
 ms.topic: overview
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 03/19/2020
+ms.date: 04/17/2020
 ms.author: rolyon
 ms.reviewer: bagovind
 
@@ -34,14 +34,6 @@ Here are some examples of what you can do with RBAC:
 - Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets
 - Allow an application to access all resources in a resource group
 
-## Best practice for using RBAC
-
-Using RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, you can allow only certain actions at a particular scope.
-
-When planning your access control strategy, it's a best practice to grant users the least privilege to get their work done. The following diagram shows a suggested pattern for using RBAC.
-
-![RBAC and least privilege](./media/overview/rbac-least-privilege.png)
-
 ## How RBAC works
 
 The way you control access to resources using RBAC is to create role assignments. This is a key concept to understand – it's how permissions are enforced. A role assignment consists of three elements: security principal, role definition, and scope.