Initial stage of bootstrap feature by soulemike · Pull Request #32 · Cloud-Architekt/EntraOps · GitHub

Initial stage of bootstrap feature #32

Open · wants to merge 4 commits into main

Conversation

@soulemike commented Jan 6, 2025

This PR stages a new feature to support bootstrapping groups in alignment with EAM and registering corresponding Access Packages and PIM. The groups can be further assigned to specific authorizations and monitored through the core EntraOps feature set.

  • Add cmdlets to module export
  • Create a Service Role object template for Azure Landing Zone architecture
  • Peer review that groups align with EAM
  • Add attribute to flag in reports
  • Documentation of EntraOps ServiceRoles


Overview of EntraOps ServiceRoles Object Structure

The EntraOps ServiceRoles are an array of objects each with three properties.

Properties

  • Name - The Name property for a service role defines the type of members the corresponding group object will contain. There are three currently supported Name values.
    • Members - The intent of the Members Name is to provide a default authorization that identifies individuals who monitor or manage the delivery of a service. This could be individual contributors of a specific project team, individuals of a specific job role, family, or department, or any other combination of members that would be involved with the service.
    • Users - The Users Name identifies authorizations providing non-privileged access to the application interfaces, either user or programmatic. These authorizations could be the primary means for authorizing any user access to the service or be a specific group for the team delivering the service to use for validation independent of the primary user authorization mechanism.
    • Admins - The Admins Name identifies authorizations providing privileged access to control, management, and workload planes of the service and infrastructure.
  • Type - The Type property for a service role defines the access plane the group should interface with. There are currently four supported values.
    • "" - An unset Type identifies that there are no implicit authorizations for this role. Commonly this is exclusive to the Members role, and multiple service roles could be used for different forms of information distribution or communication management regarding the service.
    • Workload - The Workload Type signifies authorizations to the workload, or data, plane of the service. The access can be through the application itself, such as for an access override, or through privileged intermediaries or interfaces, such as the Azure Portal.
    • Management - The Management Type signifies privileged authorizations to the management plane of the service. Typically this will be through privileged intermediaries or interfaces, such as the Azure Portal.
    • Entitlement - The Entitlement Type signifies privileged authorizations to the control plane of the service with the specific scope or entitlement or authorization administration.
  • GroupType - The GroupType property for a service role defines the Entra group object type to create. There are two currently supported GroupType values.
    • Unified - The Unified GroupType identifies that an Entra Unified Group object should be used for authorization management of the role.
    • "" - An unset GroupType identifies that an Entra Security Group object should be used for authorization management of the role.

Example ServiceRoles

The following is the default ServiceRoles object structure used by the bootstrap feature. The following are created from this:

  • 7 Entra Groups
    • Members - A Unified Group containing all ServiceMembers.
    • SG--Members-Management - A Security Group containing all ServiceMembers.
    • SG--Users-Workload - A Security Group to allow for user access to the workload, or data, plane of the service.
    • SG--Admins-Entitlement - A Security Group for administration of PIM and Entitlement Management control plane objects.
    • SG--Admins-Management - A Security Group for administration of service management plane objects.
    • SG--Admins-Workload - A Security Group for administrator access to the workload, or data, plane objects.
    • SG-PIM--Admins-Management - A Security Group for an eligible PIM elevation for administration of service management plane objects.
  • 1 Entra ID Governance Entitlement Management Catalog for all service authorizations.
    • Including the Resource registrations for each of the 7 groups.
    • Including the Resource Role registrations for the owner and member roles of group objects.
  • 5 Entra ID Governance Entitlement Management Access Packages for each of the groups, with the members groups being in one Access Package, and the PIM group being excluded from the Access Packages.
    • Including Resource registrations for the owner and member roles for each of the corresponding groups.
  • 2 Entra ID Governance Entitlement Management Access Package Policies. Initial members policy allowing for self-service to join the Members Access Package with manager and existing member approvals. Baseline policy for privileged access requiring peer approval.
    • Including assignment of the corresponding policy to the Access Packages.
    • Including assignment of the Access Packages to the ServiceMembers.
  • 1 Entra ID Privileged Identity Management Policy to require MFA.
    • Including assignment of the policy to the corresponding PIM group.
    • Including eligibility assignment to the groups for ServiceMembers.
  • 1 Azure Resource Group.
    • Including setting the Azure RBAC permissions with the corresponding groups.
name     type         groupType
Members  ""           Unified
Members  Management   ""
Users    Workload     ""
Admins   Workload     ""
Admins   Entitlement  ""
Admins   Management   ""
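The ServiceRoles definition above is data that the bootstrap turns into group objects, so it is worth checking before anything is created. The following is an added example, not code from this PR or from the EntraOps module: it validates a ServiceRoles array against the documented Name, Type and GroupType values, then expands it offline into the seven planned groups listed in the description. The helper names (Test-ServiceRoleDefinition, ConvertTo-GroupPlan, New-PlannedGroup), the idea that the empty segment in names such as SG--Members-Management is a service prefix, the rule that only Admins/Management gets a PIM-eligible twin, and the parameter layout shaped for New-MgGroup are all assumptions for illustration; the real cmdlets in this PR may work differently.

```powershell
# Added example, not EntraOps code: validate a ServiceRoles definition and expand it
# into the seven group objects the PR description lists, as an offline dry run.
# Helper names, the ServicePrefix idea, the PIM-twin rule and the New-MgGroup splat
# layout are assumptions, not the module's own implementation.

# The default ServiceRoles from the PR's table, one object per row.
$ServiceRoles = @(
    [pscustomobject]@{ Name = 'Members'; Type = '';            GroupType = 'Unified' }
    [pscustomobject]@{ Name = 'Members'; Type = 'Management';  GroupType = '' }
    [pscustomobject]@{ Name = 'Users';   Type = 'Workload';    GroupType = '' }
    [pscustomobject]@{ Name = 'Admins';  Type = 'Workload';    GroupType = '' }
    [pscustomobject]@{ Name = 'Admins';  Type = 'Entitlement'; GroupType = '' }
    [pscustomobject]@{ Name = 'Admins';  Type = 'Management';  GroupType = '' }
)

function Test-ServiceRoleDefinition {
    # Rejects values outside the documented sets and Name/Type pairs that would
    # map onto the same group name. Returns $true when the definition is usable.
    [CmdletBinding()]
    param([Parameter(Mandatory)][object[]]$ServiceRoles)

    $allowedName      = 'Members', 'Users', 'Admins'
    $allowedType      = '', 'Workload', 'Management', 'Entitlement'
    $allowedGroupType = '', 'Unified'
    $problems = [System.Collections.Generic.List[string]]::new()

    foreach ($r in $ServiceRoles) {
        if ($r.Name -cnotin $allowedName)           { $problems.Add("Unsupported Name '$($r.Name)'") }
        if ($r.Type -cnotin $allowedType)           { $problems.Add("Unsupported Type '$($r.Type)' on $($r.Name)") }
        if ($r.GroupType -cnotin $allowedGroupType) { $problems.Add("Unsupported GroupType '$($r.GroupType)' on $($r.Name)") }
        # An unset Type carries no implicit authorization; the PR describes that as
        # commonly a Members-only pattern, so anything else is flagged, not rejected.
        if ($r.Type -eq '' -and $r.Name -ne 'Members') { Write-Warning "Unset Type on non-Members role $($r.Name)" }
    }
    # Name + Type is the naming key below; a duplicate pair would yield two groups with one name.
    foreach ($d in ($ServiceRoles | Group-Object Name, Type | Where-Object Count -gt 1)) {
        $problems.Add("Duplicate role $($d.Name)")
    }
    foreach ($p in $problems) { Write-Error $p }
    return ($problems.Count -eq 0)
}

function New-PlannedGroup {
    # Builds one planned group record, including a parameter set shaped for splatting
    # to New-MgGroup (Microsoft Graph PowerShell SDK). Nothing is created here.
    param([string]$DisplayName, [object]$Role, [switch]$Unified, [switch]$PimEligible)
    [pscustomobject]@{
        DisplayName = $DisplayName
        Kind        = if ($Unified) { 'Unified' } else { 'Security' }
        Role        = $Role.Name
        Plane       = $Role.Type
        PimEligible = [bool]$PimEligible
        GraphParams = @{
            DisplayName     = $DisplayName
            MailNickname    = ($DisplayName -replace '[^A-Za-z0-9]', '')
            MailEnabled     = [bool]$Unified          # Unified (M365) groups are mail-enabled
            SecurityEnabled = -not $Unified           # security groups are not
            GroupTypes      = @(if ($Unified) { 'Unified' })
        }
    }
}

function ConvertTo-GroupPlan {
    # Naming mirrors the PR listing: the Unified Members group keeps its bare Name,
    # security groups are SG-<prefix>-<Name>-<Type>, and the PIM-eligible twin is
    # SG-PIM-<prefix>-<Name>-<Type>. With an empty prefix this reproduces the PR's
    # "SG--Members-Management"; treating that empty segment as a prefix is an assumption.
    [CmdletBinding()]
    param([Parameter(Mandatory)][object[]]$ServiceRoles, [string]$ServicePrefix = '')

    foreach ($r in $ServiceRoles) {
        $isUnified   = $r.GroupType -eq 'Unified'
        $displayName = if ($isUnified) { $r.Name } else { "SG-$ServicePrefix-$($r.Name)-$($r.Type)" }
        New-PlannedGroup -DisplayName $displayName -Role $r -Unified:$isUnified
        # Only the privileged management-plane role gets an eligible (PIM) twin in the PR's list.
        if ($r.Name -eq 'Admins' -and $r.Type -eq 'Management') {
            New-PlannedGroup -DisplayName "SG-PIM-$ServicePrefix-$($r.Name)-$($r.Type)" -Role $r -PimEligible
        }
    }
}

# Dry run: validate, expand, and compare against the seven groups the PR enumerates.
if (Test-ServiceRoleDefinition -ServiceRoles $ServiceRoles) {
    $plan = @(ConvertTo-GroupPlan -ServiceRoles $ServiceRoles)
    $plan | Format-Table DisplayName, Kind, Role, Plane, PimEligible
    if ($plan.Count -ne 7) { throw "Expected 7 planned groups for the default definition, got $($plan.Count)" }
}
```

Running this prints the planned Members, SG--Members-Management, SG--Users-Workload, SG--Admins-Workload, SG--Admins-Entitlement, SG--Admins-Management and SG-PIM--Admins-Management rows without touching the tenant; each GraphParams hashtable is the point at which a real bootstrap would splat into New-MgGroup, and the validation step is where a peer reviewer would expect a mistyped Type or a duplicated role to be caught before any Access Package or PIM policy references the group.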

@jadedcaveman-01

Nice job Mike!
