Microsoft announced that 16 new Azure Active Directory (Azure AD) lower-privileged roles are available today in preview to help admins improve security by decreasing the number of Global administrators, and to enhance Azure and Microsoft 365 granular delegation capabilities.
“Performing your daily administrative tasks in Azure Active Directory (Azure AD) shouldn’t require you to be a Global administrator,” says the Microsoft 365 team in a blog post published today.
“We introduced 16 new roles in Azure AD designed to help you reduce the number of Global administrators by delegating administration tasks and assigning lower-privileged roles.”
New built-in Azure AD roles in preview
Microsoft advises assigning Global administrator roles to as few people as possible to reduce business security risks stemming from this role’s capability of reading and changing all administrative settings in an Azure AD organization.
If more than five users in an organization hold the Global Administrator role, you should look for roles that better match those users’ needs; the Type filter in Azure AD Roles and administrators returns a subset of the roles based on role type.
“To support this, our strategy is to provide built-in roles for 90 percent of your scenarios, and to provide the capability for you to build custom roles for requirements that are specific to your organization,” says Microsoft Identity Division Corporate Vice President Alex Simons.
The list of new roles includes the Global reader role, supported across Microsoft 365 services, which lets its holder view all settings and administrative information without changing anything; it is intended for planning, audit, and investigation tasks.
Microsoft also added new Authentication administrator and Privileged authentication administrator credential management roles that come with granular permissions.
These roles are available globally for all subscriptions, according to Simons, and are highlighted in the Azure portal with green flags, as shown in the screenshot above.
The full list of new built-in Azure AD roles, including their permissions, is listed below:
• Authentication administrator: View, set, and reset authentication method information and passwords for any non-admin user.
• Azure DevOps administrator: Manage Azure DevOps organization policy and settings.
• B2C user flow administrator: Create and manage all aspects of user flows.
• B2C user flow attribute administrator: Create and manage the attribute schema available to all user flows.
• B2C IEF Keyset administrator: Manage secrets for federation and encryption in the Identity Experience Framework.
• B2C IEF Policy administrator: Create and manage trust framework policies in the Identity Experience Framework.
• Compliance data administrator: Create and manage compliance data and alerts.
• External Identity Provider administrator: Configure identity providers for use in direct federation.
• Global reader: View everything a Global administrator can view without the ability to edit or change.
• Kaizala administrator: Manage settings for Microsoft Kaizala.
• Message center privacy reader: Read Message center posts, data privacy messages, groups, domains and subscriptions.
• Password administrator: Reset passwords for non-administrators and Password administrators.
• Privileged authentication administrator: View, set, and reset authentication method information for any user (admin or non-admin).
• Security operator: Creates and manages security events.
• Search administrator: Create and manage all aspects of Microsoft Search settings.
• Search editor: Create and manage editorial content such as bookmarks, Q&As, locations, and floor plans.
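The following script is an added example, not code from the article or from Microsoft: it audits the Global Administrator count against the “more than five” guidance above and shows who currently holds the new lower-privileged roles, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in account can read directory roles, and that the role display names match those shown in your tenant (roles never activated in the tenant simply report zero members).

```powershell
# Added example (not from the article or Microsoft): audit Global Administrator
# membership against the "more than five" guidance and report who holds the new
# lower-privileged roles. Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes 'Directory.Read.All'

# Get-MgDirectoryRole returns only roles activated in this tenant;
# Global Administrator is always activated.
$roles = Get-MgDirectoryRole -All

function Get-RoleMemberUpns {
    param([string]$DisplayName)
    $role = $roles | Where-Object DisplayName -eq $DisplayName
    if (-not $role) { return @() }   # role template never activated in this tenant
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        ForEach-Object {
            # Members may be users, groups or service principals; only users carry a UPN.
            $upn = $_.AdditionalProperties.userPrincipalName
            if ($upn) { $upn } else { "$($_.AdditionalProperties.'@odata.type') $($_.Id)" }
        }
}

$globalAdmins = @(Get-RoleMemberUpns 'Global Administrator')
"Global Administrators: $($globalAdmins.Count)"
$globalAdmins | ForEach-Object { "  $_" }
if ($globalAdmins.Count -gt 5) {
    Write-Warning 'More than five Global Administrators; move routine tasks to a lower-privileged role.'
}

# Preview roles named in the article, as directory role display names (assumed to
# match the tenant; the B2C roles are omitted because their names vary by tenant type).
$newRoles = @(
    'Authentication Administrator', 'Privileged Authentication Administrator',
    'Password Administrator', 'Global Reader', 'Security Operator',
    'Compliance Data Administrator', 'Azure DevOps Administrator',
    'External Identity Provider Administrator', 'Kaizala Administrator',
    'Message Center Privacy Reader', 'Search Administrator', 'Search Editor'
)
foreach ($name in $newRoles) {
    $members = @(Get-RoleMemberUpns $name)
    '{0,-45} {1,3} member(s)' -f $name, $members.Count
}
```

Run it periodically and compare the Global Administrator list against an approved set; any account that only needs the permissions of one of the listed roles is a candidate for downgrading.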
More Azure AD security enhancements
Microsoft also announced in August that its Azure AD Identity Protection detection algorithms’ accuracy has been increased by 100%, while the false-positive rate decreased by roughly 30%.
“Together, these improvements improved our ability to detect compromised sign-ins by over 100 percent,” said Simons at the time.
“We also reduced our false positive rate by 30 percent—which means a more seamless sign-in experience for legitimate users and fewer investigations for your security operations personnel.”
In April, Redmond also made the Azure AD Password Protection feature generally available, making it possible to block compromised and commonly used passwords and thereby dramatically reduce the risk of password spray attacks.
To get started with Azure AD Password Protection, sign in to the Azure portal with a global administrator account, go to Azure Active Directory, and then open the Authentication methods blade, which displays the Password protection dialog.
Azure AD now also supports FIDO2 security keys, giving users passwordless authentication capabilities, as well as passwords of up to 256 characters just