Microsoft recently launched a query tool, the AuthorizationResources table, to help IT departments manage their Azure role-based access control (RBAC) permissions more efficiently. The table is accessible through Azure Resource Graph (ARG). It lets organizations identify the number of roles assigned for administering Azure services and count the individuals granted a specific role.
Microsoft allows “up to 4,000 role assignments” per Azure subscription and “up to 5,000 custom roles in a directory,” according to the company's documentation. Consequently, one crucial use of AuthorizationResources ARG queries is to determine how many of the issued roles an organization actually uses. This data enables organizations to “act on the results to clean up unused role definitions, remove redundant role assignments, or optimize your existing role assignments using Azure AD [Entra ID] Groups,” according to Microsoft's announcement.
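As an added example (not from Microsoft's announcement), the following Azure Resource Graph query in KQL joins the role definitions in AuthorizationResources to the role assignments that reference them, producing the per-role assignment and distinct-principal counts the article describes; custom roles with zero assignments are the cleanup candidates. The `properties` fields are the ones Azure role assignment and role definition resources expose; the output column names are my own, and results are limited to the subscriptions the caller can read.

```kql
// Added example: run in Resource Graph Explorer or via `az graph query -q "<query>"`.
// Left side: every role definition visible to the caller, built-in and custom.
AuthorizationResources
| where type =~ 'microsoft.authorization/roledefinitions'
| extend roleName = tostring(properties.roleName),
         roleType = tostring(properties.type)      // 'BuiltInRole' or 'CustomRole'
| project roleDefinitionId = tolower(id), roleName, roleType
| join kind=leftouter (
    // Right side: role assignments, counted per role definition.
    AuthorizationResources
    | where type =~ 'microsoft.authorization/roleassignments'
    | extend roleDefinitionId = tolower(tostring(properties.roleDefinitionId)),
             principalId = tostring(properties.principalId)
    | summarize assignmentCount = count(),
                principalCount = dcount(principalId)
              by roleDefinitionId
  ) on roleDefinitionId
// Definitions with no matching assignment come back with null counts; make them 0.
| extend assignmentCount = coalesce(assignmentCount, 0),
         principalCount = coalesce(principalCount, 0)
// Rows with roleType == 'CustomRole' and assignmentCount == 0 are unused custom
// role definitions; rows with large assignmentCount but few principals are the
// ones to consider consolidating behind Entra ID groups.
| project roleName, roleType, assignmentCount, principalCount
| order by roleType asc, assignmentCount desc
```

To list only the unused custom roles, replace the final `project` with `| where roleType == 'CustomRole' and assignmentCount == 0`.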
RBAC Assignments Cleanup as Good Security Practice
Cleaning up RBAC assignments was also emphasized in the announcement as a good security practice. Microsoft has in the past also hinted at the deprecation of an older role assignment method associated with “Azure Cloud Services,” often referred to as “Classic.” The technology giant plans to deprecate Azure Cloud Services, together with its roles aspect, on August 31, 2024.
The company suggests that organizations use ARG to convert roles that were assigned using the older “Classic” approach: “With Classic Admins set to be deprecated in August 2024, you can leverage ARG to convert Classic Admins to Role Assignments.”
Transition to Azure Cloud Services (Extended Support)
A couple of years ago, Microsoft gave notice of its plan to “retire” Azure Cloud Services Classic on Aug. 31, 2024. RBAC is one of the capabilities particularly affected by this retirement, along with “deployment templates” and “regional resiliency.”
Microsoft emphasized that IT departments should switch to “Cloud Services (extended support)” rather than continuing with the Classic version. Directions on Microsoft analyst Rob Sanfilippo clarified that the “extended support” term is not connected to the terminology Microsoft uses for its server products. Sanfilippo explained that Azure Cloud Services is just the name of an early Azure service.
Microsoft is committed to its Azure Resource Manager (ARM)-based services. The Classic version of Azure services, while still available, is not encouraged for customers building new applications. Sanfilippo noted, “Aug. 31, 2024 will be the end date for these Classic services, including Classic virtual machines.”