16/08/2023, 07:03 Access

Access

Table of Content

How to gain Access to an Azure subscription

Overview to Azure application enviroment access

How to order Access in IdM

Standard IdM roles

Manage access with functional Ids

Managed Identities and service principal request

General info and tips on setting up managed

Identities

Service principals (No longer offered by

Azure@ericsson see detalied info in link)

Fine Grain Access information

[Link] 1/20
16/08/2023, 07:03 Access

Introduction

How Fine grain access works

Summary
How does Functional ID works for access to an subscription.
What is an Managed identity
How do i order an Service principal
How does Fine grain access work

"Different Methods and ways to Access Azure Cloud"

How to gain Access to an Azure subscription

Overview to Azure Application Environment Access

Accesses to Azure Application Environment (Azure subscription) are based on
RBAC and are granted through roles in IdM. There are different roles that give
varying levels of access in the application environment.

As part of the onboarding process for your application an Azure Subscription has
been created to contain the application services, servers, and other objects. Also,
there are one or more roles create in the Ericsson Identity Manager (IDM) that
give access to this Azure Subscription. To get access to your application
environment, you'll have to order the role that corresponds to that environment.
(IdM application has url [Link] The IDM role name
itself will contain the application name, application environment, and the
corresponding Azure role that determines what level of access the user will get to
the resource group.

[Link] 2/20
16/08/2023, 07:03 Access

There is a special folder for Azure roles in the IdM folder structure. Each new
application will have its own folder containing all defined roles for that
application. Anyone with an valid Signum and EGAD account can request an
access role to an Enterprise IT application resource group. It is up to the
application owner or service manager to approve access. Note that some
accesses to production environment require specific typ of identities (e.g.
Functional IDs).

Our roles are mostly based on built-in Azure roles. See Microsoft documentation
for information​.​

Note! CBM does only set up Approvers in IdM. Approvers does not gain access to
a Subscription. In order to gain access you must apply for the actual role, e.g
contributor.

Back

How to order access in IdM

​ hen you get a new Subscription several IdM roles are created. As a Subscription
W
administrator you need to be a member in the Subscription contributor role.

Note! Even if you are the approver of this role you still have to request access to
it before you can access the Subscription.

The process of requesting access in IdM is the following:

1. Login to IdM: [Link]

2. When logged in (it should be automatic login as your current Ericsson user
(signum)
3. Select "Manage access" then Click on the radio button All IT Access Roles.
Let the content load (it can take a short time).

[Link] 3/20
16/08/2023, 07:03 Access

4. .When the list of content have loaded, select the Search for IT
Accesses Search box and enter
then name of your assigned IdM role.

5. Then klick on the role you want access to and klick on the blue icon
"Request access.

[Link] 4/20
16/08/2023, 07:03 Access

6. You will get a notification in your browser window that the request has
been sent. If you are the approver, the role will be automatically granted to
you. Please allow 4 hours for synchronization until your Azure Subscription
is visible. Now you should have access to your Subscription.
7. If you want to request for someone else or you want to request for an
Functional ID first choose the "Order for" in the left pane.

8. type in signum for person you want to order for, then follow the flow
outlined above.

Back

Standard IdM roles for an Azure subscription

[Link] 5/20
16/08/2023, 07:03 Access

I​n Azure you always get Contributor and Reader role as default. Depending if you
have requested an ECN Subscription you will get the VM-admin role as well.

IdM role: Azure Appy Test - Contributor​

This IdM role would be required to get the Azure role "Contributor" on the
"Appy-Test" Azure subscription.
The Contributor role grants you full access to create and manage all
resources but does not allow you to assign roles in Azure RBAC.​

IdM role: Azure Appy Test - Reader

This IdM role would be required to get the Azure role "Reader" on the
"Appy-Test" Azure subscription.
The Reader role lets you view all resources​but does not allow you to m
​ ake
any changes.

IdM role: Azure Appy Test - VM Admin

This IdM role would be required to get Admin authority on any VM's
created in the "Appy-Test" Azure subscription.
The VM Admin role follows with ECN Subscriptions. This role lets you view
Virtual Machines in the portal and login as administrator​. Note that for ECN
connected VMs there are some pre-requisites to get this to function
properly.​​

NOTE! Recertification and orderarbility of IdM groups mandatory

since End August 2021

Starting from 30/8 2021 access roles are classified as Privileged and non-
privileged. Privileged groups. This will affect recertification of IdM groups and the
orderability in different ways.

Production: Privileged groups (Contributor, VM Admin)

Recertification - Every 90 day all group members and the information approver(s)
will receive an e-mail when the membership is about to expire. The information
[Link] 6/20
16/08/2023, 07:03 Access

approver has 10 days to recertify the user access or the membership will be
removed.

Orderability - Functional ids only.

Production: Unprivileged groups (Reader)

Recertification - Every 365 day all group members and the information
approver(s) will receive an e-mail when the membership is about to expire. The
information approver have 10 days to recertify the user access or the
membership will be removed.

Orderability - Functional, Workforce and Partner.

Non-Production: For non-production environments all groups are classified as

unprivileged.

Please note that CBM support cannot help with recertification. If you have any
questions, please raise an IT Support request with the IdM team.​
(Select SAP IdM as Affected service)

Back

Manage access with functional Ids

For Production environments Functional IDs are required to access to your
Subscription. This page describes how to order a new Functional ID and how to
request access for a Functional ID in IDM.​

Why do we have to use Functional IDs?

In Ericsson IT systems with more than one user, privileged access and non-
privileged access for the same individual shall not be allocated to the same user
account. The privileged access shall thus be assigned to a separate user account,
with logging enabled. Privileged access in this case is the functional ID.

For more information use this link.

[Link] 7/20
16/08/2023, 07:03 Access

How to setup Functional ID (Type M)?

See below instructions on how to order the Admin account. This is logically
separated from your normal account, but still tied to you personally. One good
feature is that it forces Multi-factor authentication in all cases.

Each person that needs access using Functional Admin accounts needs to request
Admin account:

Go to [Link]
Click “Functional Identity Management”
Click Create:

Administration ID (M) account

Fill in needed info

[Link] 8/20
16/08/2023, 07:03 Access

Submit request

Approval by Line manager who receives initial password. If no password is

received, log an IT support request for password reset on functional ID (10
letters).

How to change the temporary password there are multiple ways. Below we
describe two ways. Do either 1 or 2. Not both.

Option 1:
Go
to [Link] or [Link]
[Link]/SvcPwdReset/ <- (login with your own SIGNUM)
In Pre-Sign-In Notification click Proceed.
In primary authentication enter user ID and the initial password
When the web asks for old password and new password. The old password
is the initial password
​Click accept/next. Once the pop up appears say password successfully
changed you are done with this step.

Option 2:
(Requires MWP/VICS): Log into functional ID on MWP or VICS (will be
forced to change initial password, that is the point). Once password is
changed you can log out. You can even use a colleagues computer.

[Link] 9/20
16/08/2023, 07:03 Access

Depending ​on your device you might be blocked to log in, but since the
point is to reset the initial password, this doesn't matter.

Log into [Link] with Functional ID (M) (username = functional ID) and
setup Symantec VIP second factor o(mobile app). You can use the same app you
already have for your normal Signum account.

Instructions
here: [Link]

You now have a functional ID (Type M) with MFA.

​How to order access for Functional ID in IdM

To order access to a IDM group that only allows for Functional ID orderability
follow the steps below.
1. Login to IdM: [Link]
2. Click on Order for in the left hand menu
3. Enter the name of the Functional ID for which you want to assign access
4. Click All IT Access Roles and search the group name you are looking for
5. Select the group you want to request access to and click Requst access in
the menu on the right.

Logging in to Public Cloud Portal using Functional ID

How to login using Functional ID:

Username <functional id>@[Link]

Password: what you selected
MFA factor: use 6 digit code on mobile app. ​

Back

Managed Identities and service principal request

[Link] 10/20
16/08/2023, 07:03 Access

Important Note! Starting 2022-07-07 Azure@ericsson will no longer

provide any Service Principals. All request should be raised to

Ericssons AD WAM team directly. Order can be placed

here: [Link]

[Link]/dwp/app/#/itemprofile/27901

General info and tips on setting up Managed Identities

​Managed identities.
Note! Microsoft suggests using Managed Identities over Service principal.

Managed Identities are in essence 100% identical in functionality and use case
than Service Principals. In fact, they are actually Service Principals.

What makes them different though, is:

– They are always linked to an Azure Resource, not to an application or 3rd party
connector

– They are automatically created for you, including the credentials; big benefit
here is that no one knows the credentials

Managed Identities exist in 2 formats: –

System assigned; in this scenario, the identity is linked to a single Azure Resource,
e.g. a Virtual Machine, a Logic App, a Storage Account, Web App, Function App,…
so almost anything. Next, they also “live” with the Azure Resource, which means
they get deleted when the Azure Resource gets deleted.

User Assigned Managed Identity, which means that you first have to create it as a
stand-alone Azure resource by itself, after which it can be linked to multiple Azure
Resources. An example here could be out of an integration with Key Vault, where
different Workload services belonging to the same application stack, need to read
out information from Key Vault. In this case, one could create a “read KV”

[Link] 11/20
16/08/2023, 07:03 Access

Managed Identity, and link it to the web app, storage account, function, logic
app,… all belonging to the same application architecture.

Let’s walk through a quick demo scenario for both, using a Virtual Machine as
Azure Resource:

· From the Azure Portal, select the Virtual Machine; under settings, find Identity

· Set Status as On, and save the changes

Switching to Azure Key Vault / Access Policies, we can now define this System
Assigned Managed Identity having get and list permissions (or any other) for
keys, secrets or certificates. For example reading out an Azure Storage Account
Access key or similar.

Notice how Azure Key Vault is expecting a Service Principal object here (where in
reality we are using a Managed Identity).

[Link] 12/20
16/08/2023, 07:03 Access

Similarly, let’s remove the System Assigned MI of the VM and use a User
Assigned one in the next example (an Azure Resource can only be linked to one
or the other, not both…):

From the Azure Virtual Machine blade, navigate to Identity and switch the
“Status” toggle button to Off. This will prompt for your confirmation when
saving the settings
This will prompt for your confirmation when saving the settings

As you notice, the Managed Identity object gets immediately removed from
Azure AD. Yes, security is key here…

Wait for the deregistration of the object.

[Link] 13/20
16/08/2023, 07:03 Access

Remember that a User Assigned Managed Identity is a stand-alone Azure

Resource, which needs to be created first, after which you can assign it to another
Azure Resource (our VM in this scenario).

From the Azure Portal, create new Resource, and search for “User Assigned
Managed Identity”

click Create.
Specify the Resource Group, Azure Region and Name for this resource.

[Link] 14/20
16/08/2023, 07:03 Access

Confirm by clicking create and Wait for the resource creation to complete
successfully.
Once created, switch back to the Azure Virtual Machine, select Identity and
select User Assigned
Notice the Managed Identity you just created.

Select it and add it as a Virtual Machine User Assigned object.

Select another Azure Resource in your subscription, for example an Azure Web
App or Logic App and once more select Identity from the settings. Below
screenshot shows what it looks like for an Azure Web App Resource:

To complete the sample scenario, let’s go back to Azure Key Vault, and specify
another Access Policy for this User Assigned Managed Identity:
[Link] 15/20
16/08/2023, 07:03 Access

Select your Azure Key Vault resource, followed by selecting Access Policy
from the settings.
Specify the Key and/or Secret Permissions (for example get, list)
Click “Select Principal” and search for the User Assigned Managed Identity
you created earlier

After saving the changes, the result is that now both the Azure Virtual Machine as
well as the Web App – having the User Assigned Managed Identity assigned to
them – can read our keys and secrets from Azure Key Vault

Service principal consideration and how to order

(no longer applicable after 2022-07-07
Starting 2022-07-07 Azure@ericsson will no longer provide any Service
Principals. All request should be raised to Ericssons AD WAM team
directly. Order can be placed here: [Link]
[Link]/dwp/app/#/itemprofile/27901

Request flow and considerations

[Link] 16/20
16/08/2023, 07:03 Access

However, if you have a traditional setup which has been using Service principal,
you can still request it.

Bear in mind the Azure Service Principal Permissions:

The effective permissions of app will be the

Delegated Used by apps that have a
privileged . App can never have more privi
permissions: signed-in user present.
than the signed-in user

Used by apps that run

Application The effective permissions of app will be the
without a signed-in user
permissions : level of privileges.
present.

IMPORTANT! Azure@Ericsson only provides the delegated

permissions e.g. Sign-in and read user profile.

Service Principal with specific API permissions for User authentication

& authorization​with Ericsson credentials
If you need to allow users to authenticate and authorize with Ericsson credentials
you likely need: "Delegated permission: Sign-in and read user profile".​
Step 1: Submit a MySupport request "Public Cloud (Microsoft Azure) -
Change"​. Include the following information:
Name of Service Principal:
Owner(s) of Service Principals:
Redirect URIs
Permissions required by Service Principal:
Rationale behind request:
Step 2: A Service Principal will be created, assigned the permissions and
ownership will be assigned. Owner can then create access keys or
certificate. ​

Limits to ordering requiring AD admin approvals

For Service principals that require AD admin API permissions, request should be
raised to Ericssons AD WAM team. Order can be placed here: [Link]
[Link]/dwp/app/#/itemprofile/27901

[Link] 17/20
16/08/2023, 07:03 Access

Example of such request include: Permissions to read additional Azure AD

information or Microsoft Graph permissions that require admin consent.

Fine Grain Access information

Introduction​​
To meet customer requirements of self-controlling access to subscriptions and
particular resource groups Fine Grained Access Control (aka FGAC) has been
developed.

This new solution gives individuals possibility to manage access control

of owning resources by themselves and keep core resources like ECN
connectivity secured by CBM team at the same time.​​

How Fine Grain access works

Components​​
The solution consists of 2 components:
custom role "[CBM]Role Assigner"
the role can be assigned by onboarding team on subscription level
for new subscriptions it's part of provisioning process
for existing Subscriptions it can be assigned on demand
​the role can be assigned to either IdM group, Service Principal or
Managed identity
it gives individual or application permission
to view, add and delete role assignments on subscription and resource
group level. Because of that it's possible to remove own access or even
access for entire team so use it carefully.​

custom azure policy which validates access control changes (described

below on diagram)

Rules​

[Link] 18/20
16/08/2023, 07:03 Access

Below list of principles for FGAC

the solution differentiates behavior for subscription and resource group
level access change
on subscription level only roles from allowedRoles list are accepted
on resource group level all roles are allowed
resource group containing spoke vnet is protected from direct access
assignment
​it allows to assign permission for IdM groups, Service
Principals and Managed Identities

Diagram​​
Following diagram depicts validation flow for RBAC assignments:​​

[Link] 19/20
16/08/2023, 07:03 Access

[Link] 20/20