Share via

Creating a resource guard and enabling multiuser authentication

Stewart-7072 0 Reputation points
2024-06-14T02:08:27.0833333+00:00

Hey all, I need to improve the security on our vaults and was planning on working my through creating the guard and then enabling multiuser authentication, my problem is our permissions are not that granular. So im wondering what the impact would be if the users assigned to the guard are all Global Admins, meaning if someone was trying to change a policy for example would that prompt others to approve it before it could be completed or would their rights exclude them from needing approval?
Thanks

Azure Backup
Azure Backup
An Azure backup service that provides built-in management at scale.
1,169 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Stanislav Zhelyazkov 21,851 Reputation points MVP
    2024-06-14T07:06:39.38+00:00

    Hi,

    Global Admins is not Azure RBAC role. Global Admins is Microsoft Entra role. By Default Global Admins do not have access to Azure subscriptions but they can elevate themselves and gain access to any subscription. But keep in mind that resource guard only works if the users that should not have the permissions do not have permissions on the resource guard resource. That is why the resource guard resource is usually in another subscription to prevent users who have access to the vault does not have access to the resource guard resource.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments