Create a role/policy in the Remediation dashboard
This article describes how you can use the Remediation dashboard in Microsoft Entra Permissions Management to create roles/policies for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems.
Note
To view the Remediation tab, you must have Viewer, Controller, or Administrator permissions. To make changes on this tab, you must have Controller or Administrator permissions. If you don't have these permissions, contact your system administrator.
Note
Microsoft Azure uses the term role for what other cloud providers call policy. Permissions Management automatically makes this terminology change when you select the authorization system type. In the user documentation, we use role/policy to refer to both.
Create a policy for AWS
Note
For information on AWS service quotas, and to request an AWS service quota increase, visit the AWS documentation.
On the Microsoft Entra home page, select the Remediation tab, and then select the Role/Policies tab.
Use the dropdown lists to select the Authorization System Type and Authorization System.
Select Create Policy.
On the Details page, the Authorization System Type and Authorization System are pre-populated from your previous settings.
- To change the settings, make a selection from the dropdown.
Under How Would You Like To Create The Policy, select the required option:
- Activity of User(s): Allows you to create a policy based on user activity.
- Activity of Group(s): Allows you to create a policy based on the aggregated activity of all the users belonging to the group(s).
- Activity of Resource(s): Allows you to create a policy based on the activity of a resource, for example, an EC2 instance.
- Activity of Role: Allows you to create a policy based on the aggregated activity of all the users that assumed the role.
- Activity of Tag(s): Allows you to create a policy based on the aggregated activity of all the tags.
- Activity of Lambda Function: Allows you to create a new policy based on the Lambda function.
- From Existing Policy: Allows you to create a new policy based on an existing policy.
- New Policy: Allows you to create a new policy from scratch.
In Tasks performed in last, select the duration: 90 days, 60 days, 30 days, 7 days, or 1 day.
Depending on your preference, select or deselect Include Access Advisor data.
In Settings, from the Available column, select the plus sign (+) to move the identity into the Selected column, and then select Next.
On the Tasks page, from the Available column, select the plus sign (+) to move the task into the Selected column.
- To add a whole category, select a category.
- To add individual items from a category, select the down arrow on the left of the category name, and then select individual items.
In Resources, select All Resources or Specific Resources.
If you select Specific Resources, a list of available resources appears. Find the resources you want to add, and then select Add.
In Request Conditions, select JSON .
In Effect, select Allow or Deny, and then select Next.
In Policy name:, enter a name for your policy.
To add another statement to your policy, select Add Statement, and then, from the list of Statements, select a statement.
Review your Task, Resources, Request Conditions, and Effect settings, and then select Next.
On the Preview page, review the script to confirm it's what you want.
If your controller isn't enabled, select Download JSON or Download Script to download the code and run it yourself.
If your controller is enabled, skip this step.
Select Split Policy, and then select Submit.
A message confirms that your policy has been submitted for creation
The Permissions Management Tasks pane appears on the right.
- The Active tab displays a list of the policies Permissions Management is currently processing.
- The Completed tab displays a list of the policies Permissions Management has completed.
Once data collection for the specified authorization system is complete, the newly created policy information is reflected.
Create a role for Azure
On the Permissions Management home page, select the Remediation tab, and then select the Role/Policies tab.
Use the dropdown lists to select the Authorization System Type and Authorization System.
Select Create Role.
On the Details page, the Authorization System Type and Authorization System are pre-populated from your previous settings.
- To change the settings, select the box and make a selection from the dropdown.
Under How Would You Like To Create The Role?, select the required option:
- Activity of User(s): Allows you to create a role based on user activity.
- Activity of Group(s): Allows you to create a role based on the aggregated activity of all the users belonging to the group(s).
- Activity of App(s): Allows you to create a role based on the aggregated activity of all apps.
- From Existing Role: Allows you to create a new role based on an existing role.
- New Role: Allows you to create a new role from scratch.
In Tasks performed in last, select the duration: 90 days, 60 days, 30 days, 7 days, or 1 day.
Depending on your preference:
- Select or deselect Ignore Non-Microsoft Read Actions.
- Select or deselect Include Read-Only Tasks.
In Settings, from the Available column, select the plus sign (+) to move the identity into the Selected column, and then select Next.
On the Tasks page, in Role name:, enter a name for your role.
From the Available column, select the plus sign (+) to move the task into the Selected column.
- To add a whole category, select a category.
- To add individual items from a category, select the down arrow on the left of the category name, and then select individual items.
Select Next.
(Optional) An Admin can copy the Resource Groups scope string to use as the scope. In Azure, select Resource group > Monitoring > Properties, then copy the Resource ID.
On the Preview page, review:
- The list of selected Actions and Not Actions.
- The JSON or Script to confirm it's what you want.
If your controller isn't enabled, select Download JSON or Download Script to download the code and run it yourself.
If your controller is enabled, skip this step.
Select Submit.
A message confirms that your role has been submitted for creation
The Permissions Management Tasks pane appears on the right.
- The Active tab displays a list of the policies Permissions Management is currently processing.
- The Completed tab displays a list of the policies Permissions Management has completed.
Once data collection for the specified authorization system is complete, the newly created role information is reflected.
Create a role for GCP
On the Permissions Management home page, select the Remediation tab, and then select the Role/Policies tab.
Use the dropdown lists to select the Authorization System Type and Authorization System.
Select Create Role.
On the Details page, the Authorization System Type and Authorization System are pre-populated from your previous settings.
- To change the settings, select the box and make a selection from the dropdown.
Under How Would You Like To Create The Role?, select the required option:
- Activity of User(s): Allows you to create a role based on user activity.
- Activity of Group(s): Allows you to create a role based on the aggregated activity of all the users belonging to the group(s).
- Activity of Service Account(s): Allows you to create a role based on the aggregated activity of all service accounts.
- From Existing Role: Allows you to create a new role based on an existing role.
- New Role: Allows you to create a new role from scratch.
In Tasks performed in last, select the duration: 90 days, 60 days, 30 days, 7 days, or 1 day.
If you selected Activity Of Service Account(s) in the previous step, select or deselect Collect activity across all GCP Authorization Systems.
From the Available column, select the plus sign (+) to move the identity into the Selected column, and then select Next.
On the Tasks page, in Role name:, enter a name for your role.
From the Available column, select the plus sign (+) to move the task into the Selected column.
- To add a whole category, select a category.
- To add individual items from a category, select the down arrow on the left of the category name, and then select individual items.
Select Next.
On the Preview page, review:
- The list of selected Actions.
- The YAML or Script to confirm it's what you want.
If your controller isn't enabled, select Download YAML or Download Script to download the code and run it yourself.
Select Submit. A message confirms that your role has been submitted for creation
The Permissions Management Tasks pane appears on the right.
- The Active tab displays a list of the policies Permissions Management is currently processing.
- The Completed tab displays a list of the policies Permissions Management has completed.
Once data collection for the specified authorization system is complete, the newly created role information is reflected.
Next steps
- For information on how to view existing roles/policies, requests, and permissions, see View roles/policies, requests, and permission in the Remediation dashboard.
- For information on how to modify a role/policy, see Modify a role/policy.