gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-02-05 03:16:37 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Browse Source
This commit is contained in:
Translator
2024-12-31 20:24:43 +00:00
parent 10e2881a9b
commit 9ce07d92a3
245 changed files with 9883 additions and 12659 deletions
Download Patch File Download Diff File Expand all files Collapse all files

482
src/pentesting-cloud/azure-security/az-basic-information/README.md
View File

@@ -1,48 +1,48 @@
# Az - Basic Information
# Az - Osnovne informacije
{{#include ../../../banners/hacktricks-training.md}}
## Organization Hierarchy
## Hijerarhija organizacije
<figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUcVrh1BpuQXN7RzGqoxrn-4Nm_sjdJU-dDTvshloB7UMQnN1mtH9N94zNiPCzOYAqE9EsJqlboZOj47tQsQktjxszpKvIDPZLs9rgyiObcZCvl7N0ZWztshR0ZddyBYZIAwPIkrEQ=s2048?key=l3Eei079oPmVJuh8lxQYxxrB" alt=""><figcaption><p><a href="https://www.tunecom.be/stg_ba12f/wp-content/uploads/2020/01/VDC-Governance-ManagementGroups-1536x716.png">https://www.tunecom.be/stg_ba12f/wp-content/uploads/2020/01/VDC-Governance-ManagementGroups-1536x716.png</a></p></figcaption></figure>
### Management Groups
### Grupa za upravljanje
- It can contain **other management groups or subscriptions**.
- This allows to **apply governance controls** such as RBAC and Azure Policy once at the management group level and have them **inherited** by all the subscriptions in the group.
- **10,000 management** groups can be supported in a single directory.
- A management group tree can support **up to six levels of depth**. This limit doesnt include the root level or the subscription level.
- Each management group and subscription can support **only one parent**.
- Even if several management groups can be created **there is only 1 root management group**.
- The root management group **contains** all the **other management groups and subscriptions** and **cannot be moved or deleted**.
- All subscriptions within a single management group must trust the **same Entra ID tenant.**
- Može sadržati **druge grupe za upravljanje ili pretplate**.
- Ovo omogućava **primenu kontrola upravljanja** kao što su RBAC i Azure Policy jednom na nivou grupe za upravljanje i da se one **naslede** od svih pretplata u grupi.
- **10.000 grupa za upravljanje** može biti podržano u jednoj direktoriji.
- Drvo grupa za upravljanje može podržati **do šest nivoa dubine**. Ova granica ne uključuje nivo korena ili nivo pretplate.
- Svaka grupa za upravljanje i pretplata mogu podržavati **samo jednog roditelja**.
- Čak i ako se može kreirati nekoliko grupa za upravljanje, **postoji samo 1 grupa za upravljanje korenom**.
- Grupa za upravljanje korenom **sadrži** sve **druge grupe za upravljanje i pretplate** i **ne može se premestiti ili obrisati**.
- Sve pretplate unutar jedne grupe za upravljanje moraju verovati **istom Entra ID tenant-u.**
<figure><img src="../../../images/image (147).png" alt=""><figcaption><p><a href="https://td-mainsite-cdn.tutorialsdojo.com/wp-content/uploads/2023/02/managementgroups-768x474.png">https://td-mainsite-cdn.tutorialsdojo.com/wp-content/uploads/2023/02/managementgroups-768x474.png</a></p></figcaption></figure>
### Azure Subscriptions
### Azure pretplate
- Its another **logical container where resources** (VMs, DBs…) can be run and will be billed.
- Its **parent** is always a **management group** (and it can be the root management group) as subscriptions cannot contain other subscriptions.
- It **trust only one Entra ID** directory
- **Permissions** applied at the subscription level (or any of its parents) are **inherited** to all the resources inside the subscription
- To je još jedan **logički kontejner u kojem se mogu pokretati resursi** (VM-ovi, DB-ovi…) i za koji će se naplaćivati.
- Njegov **roditelj** je uvek **grupa za upravljanje** (i može biti grupa za upravljanje korenom) jer pretplate ne mogu sadržati druge pretplate.
- **Veruje samo jednoj Entra ID** direktoriji
- **Dozvole** primenjene na nivou pretplate (ili bilo kojem od njenih roditelja) se **nasleđuju** na sve resurse unutar pretplate
### Resource Groups
### Grupe resursa
[From the docs:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-python?tabs=macos#what-is-a-resource-group) A resource group is a **container** that holds **related resources** for an Azure solution. The resource group can include all the resources for the solution, or only those **resources that you want to manage as a group**. Generally, add **resources** that share the **same lifecycle** to the same resource group so you can easily deploy, update, and delete them as a group.
[Iz dokumenata:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-python?tabs=macos#what-is-a-resource-group) Grupa resursa je **kontejner** koji sadrži **povezane resurse** za Azure rešenje. Grupa resursa može uključivati sve resurse za rešenje, ili samo one **resurse koje želite da upravljate kao grupom**. Generalno, dodajte **resurse** koji dele **isti životni ciklus** u istu grupu resursa kako biste ih lako implementirali, ažurirali i obrisali kao grupu.
All the **resources** must be **inside a resource group** and can belong only to a group and if a resource group is deleted, all the resources inside it are also deleted.
Svi **resursi** moraju biti **unutar grupe resursa** i mogu pripadati samo jednoj grupi, a ako se grupa resursa obriše, svi resursi unutar nje se takođe brišu.
<figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUfe8U30iP_vdZCvxX4g8nEPRLoo7v0kmCGkDn1frBPn3_GIoZ7VT2LkdsVQWCnrG_HSYNRRPM-1pSECUkbDAB-9YbUYLzpvKVLDETZS81CHWKYM4fDl3oMo5-yvTMnjdLTS2pz8U67xUTIzBhZ25MFMRkq5koKY=s2048?key=gSyKQr3HTyhvHa28Rf7LVA" alt=""><figcaption><p><a href="https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&#x26;ssl=1">https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&#x26;ssl=1</a></p></figcaption></figure>
### Azure Resource IDs
### Azure ID resursa
Every resource in Azure has an Azure Resource ID that identifies it.
Svaki resurs u Azure-u ima Azure ID resursa koji ga identifikuje.
The format of an Azure Resource ID is as follows:
Format Azure ID resursa je sledeći:
- `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}`
For a virtual machine named myVM in a resource group `myResourceGroup` under subscription ID `12345678-1234-1234-1234-123456789012`, the Azure Resource ID looks like this:
Za virtuelnu mašinu nazvanu myVM u grupi resursa `myResourceGroup` pod ID-jem pretplate `12345678-1234-1234-1234-123456789012`, Azure ID resursa izgleda ovako:
- `/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM`
@@ -50,327 +50,323 @@ For a virtual machine named myVM in a resource group `myResourceGroup` under sub
### Azure
Azure is Microsofts comprehensive **cloud computing platform, offering a wide range of services**, including virtual machines, databases, artificial intelligence, and storage. It acts as the foundation for hosting and managing applications, building scalable infrastructures, and running modern workloads in the cloud. Azure provides tools for developers and IT professionals to create, deploy, and manage applications and services seamlessly, catering to a variety of needs from startups to large enterprises.
Azure je Microsoftova sveobuhvatna **platforma za cloud računarstvo, koja nudi širok spektar usluga**, uključujući virtuelne mašine, baze podataka, veštačku inteligenciju i skladištenje. Deluje kao osnova za hostovanje i upravljanje aplikacijama, izgradnju skalabilnih infrastruktura i pokretanje modernih radnih opterećenja u oblaku. Azure pruža alate za programere i IT profesionalce da kreiraju, implementiraju i upravljaju aplikacijama i uslugama bez problema, zadovoljavajući razne potrebe od startapa do velikih preduzeća.
### Entra ID (formerly Azure Active Directory)
### Entra ID (ranije Azure Active Directory)
Entra ID is a cloud-based **identity and access management servic**e designed to handle authentication, authorization, and user access control. It powers secure access to Microsoft services such as Office 365, Azure, and many third-party SaaS applications. With features like single sign-on (SSO), multi-factor authentication (MFA), and conditional access policies among others.
Entra ID je usluga za upravljanje **identitetom i pristupom zasnovana na oblaku** koja je dizajnirana da upravlja autentifikacijom, autorizacijom i kontrolom pristupa korisnika. Omogućava siguran pristup Microsoftovim uslugama kao što su Office 365, Azure i mnoge aplikacije trećih strana. Sa funkcijama kao što su jedinstveno prijavljivanje (SSO), višefaktorska autentifikacija (MFA) i politike uslovnog pristupa, između ostalog.
### Entra Domain Services (formerly Azure AD DS)
### Entra Domain Services (ranije Azure AD DS)
Entra Domain Services extends the capabilities of Entra ID by offering **managed domain services compatible with traditional Windows Active Directory environments**. It supports legacy protocols such as LDAP, Kerberos, and NTLM, allowing organizations to migrate or run older applications in the cloud without deploying on-premises domain controllers. This service also supports Group Policy for centralized management, making it suitable for scenarios where legacy or AD-based workloads need to coexist with modern cloud environments.
Entra Domain Services proširuje mogućnosti Entra ID nudeći **upravljane usluge domena kompatibilne sa tradicionalnim Windows Active Directory okruženjima**. Podržava nasleđene protokole kao što su LDAP, Kerberos i NTLM, omogućavajući organizacijama da migriraju ili pokreću starije aplikacije u oblaku bez implementacije lokalnih kontrolera domena. Ova usluga takođe podržava grupne politike za centralizovano upravljanje, što je čini pogodnom za scenarije u kojima nasleđena ili AD-bazirana radna opterećenja treba da koegzistiraju sa modernim cloud okruženjima.
## Entra ID Principals
## Entra ID Principali
### Users
### Korisnici
- **New users**
- Indicate email name and domain from selected tenant
- Indicate Display name
- Indicate password
- Indicate properties (first name, job title, contact info…)
- Default user type is “**member**”
- **External users**
- Indicate email to invite and display name (can be a non Microsft email)
- Indicate properties
- Default user type is “**Guest**”
- **Novi korisnici**
- Naznačite ime i domen e-pošte iz odabranog tenant-a
- Naznačite prikazano ime
- Naznačite lozinku
- Naznačite svojstva (ime, radno mesto, kontakt informacije…)
- Podrazumevani tip korisnika je “**član**”
- **Spoljni korisnici**
- Naznačite e-poštu za poziv i prikazano ime (može biti e-pošta koja nije Microsoft)
- Naznačite svojstva
- Podrazumevani tip korisnika je “**Gost**”
### Members & Guests Default Permissions
### Podrazumevane dozvole članova i gostiju
You can check them in [https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions) but among other actions a member will be able to:
Možete ih proveriti na [https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions) ali među ostalim radnjama član će moći da:
- Read all users, Groups, Applications, Devices, Roles, Subscriptions, and their public properties
- Invite Guests (_can be turned off_)
- Create Security groups
- Read non-hidden Group memberships
- Add guests to Owned groups
- Create new application (_can be turned off_)
- Add up to 50 devices to Azure (_can be turned off_)
- Čita sve korisnike, grupe, aplikacije, uređaje, uloge, pretplate i njihove javne osobine
- Poziva goste (_može se isključiti_)
- Kreira sigurnosne grupe
- Čita ne-skrivene članstva grupa
- Dodaje goste u vlasničke grupe
- Kreira nove aplikacije (_može se isključiti_)
- Dodaje do 50 uređaja u Azure (_može se isključiti_)
> [!NOTE]
> Remember that to enumerate Azure resources the user needs an explicit grant of the permission.
> Zapamtite da da biste enumerisali Azure resurse, korisnik treba da ima eksplicitno odobrenje za dozvolu.
### Users Default Configurable Permissions
### Podrazumevane konfigurabilne dozvole korisnika
- **Members (**[**docs**](https://learn.microsoft.com/en-gb/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions)**)**
- Register Applications: Default **Yes**
- Restrict non-admin users from creating tenants: Default **No**
- Create security groups: Default **Yes**
- Restrict access to Microsoft Entra administration portal: Default **No**
- This doesnt restrict API access to the portal (only web)
- Allow users to connect work or school account with LinkedIn: Default **Yes**
- Show keep user signed in: Default **Yes**
- Restrict users from recovering the BitLocker key(s) for their owned devices: Default No (check in Device Settings)
- Read other users: Default **Yes** (via Microsoft Graph)
- **Guests**
- **Guest user access restrictions**
- **Guest users have the same access as members** grants all member user permissions to guest users by default.
- **Guest users have limited access to properties and memberships of directory objects (default)** restricts guest access to only their own user profile by default. Access to other users and group information is no longer allowed.
- **Guest user access is restricted to properties and memberships of their own directory objects** is the most restrictive one.
- **Guests can invite**
- **Anyone in the organization can invite guest users including guests and non-admins (most inclusive) - Default**
- **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions**
- **Only users assigned to specific admin roles can invite guest users**
- **No one in the organization can invite guest users including admins (most restrictive)**
- **External user leave**: Default **True**
- Allow external users to leave the organization
- **Članovi (**[**docs**](https://learn.microsoft.com/en-gb/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions)**)**
- Registracija aplikacija: Podrazumevano **Da**
- Ograničavanje ne-administrativnih korisnika od kreiranja tenant-a: Podrazumevano **Ne**
- Kreiranje sigurnosnih grupa: Podrazumevano **Da**
- Ograničavanje pristupa Microsoft Entra administrativnom portalu: Podrazumevano **Ne**
- Ovo ne ograničava API pristup portalu (samo web)
- Dozvoliti korisnicima da povežu radni ili školski nalog sa LinkedIn-om: Podrazumevano **Da**
- Prikazati zadržavanje korisnika prijavljenim: Podrazumevano **Da**
- Ograničiti korisnike od oporavka BitLocker ključeva za njihove vlasničke uređaje: Podrazumevano Ne (proverite u podešavanjima uređaja)
- Čitati druge korisnike: Podrazumevano **Da** (putem Microsoft Graph)
- **Gosti**
- **Ograničenja pristupa gostujućim korisnicima**
- **Gosti imaju iste pristupe kao članovi** dodeljuju sve dozvole članova gostujućim korisnicima podrazumevano.
- **Gosti imaju ograničen pristup svojstvima i članstvima objekata direktorijuma (podrazumevano)** ograničava pristup gostiju samo na njihov vlastiti korisnički profil podrazumevano. Pristup informacijama o drugim korisnicima i grupama više nije dozvoljen.
- **Pristup gostujućim korisnicima je ograničen na svojstva i članstva njihovih vlastitih objekata direktorijuma** je najrestriktivniji.
- **Gosti mogu pozivati**
- **Svako u organizaciji može pozvati gostujuće korisnike uključujući goste i ne-administratore (najinkluzivnije) - Podrazumevano**
- **Članovi korisnici i korisnici dodeljeni specifičnim administrativnim ulogama mogu pozvati gostujuće korisnike uključujući goste sa članovskim dozvolama**
- **Samo korisnici dodeljeni specifičnim administrativnim ulogama mogu pozvati gostujuće korisnike**
- **Niko u organizaciji ne može pozvati gostujuće korisnike uključujući administratore (najrestriktivnije)**
- **Spoljni korisnici mogu napustiti**: Podrazumevano **Tačno**
- Dozvoliti spoljnim korisnicima da napuste organizaciju
> [!TIP]
> Even if restricted by default, users (members and guests) with granted permissions could perform the previous actions.
> Čak i ako su podrazumevano ograničeni, korisnici (članovi i gosti) sa dodeljenim dozvolama mogli bi izvršiti prethodne radnje.
### **Groups**
### **Grupe**
There are **2 types of groups**:
Postoje **2 tipa grupa**:
- **Security**: This type of group is used to give members access to aplications, resources and assign licenses. Users, devices, service principals and other groups an be members.
- **Microsoft 365**: This type of group is used for collaboration, giving members access to a shared mailbox, calendar, files, SharePoint site, and so on. Group members can only be users.
- This will have an **email address** with the domain of the EntraID tenant.
- **Sigurnosne**: Ova vrsta grupe se koristi za davanje članovima pristupa aplikacijama, resursima i dodeljivanje licenci. Korisnici, uređaji, servisni principi i druge grupe mogu biti članovi.
- **Microsoft 365**: Ova vrsta grupe se koristi za saradnju, dajući članovima pristup zajedničkoj pošti, kalendaru, datotekama, SharePoint lokaciji itd. Članovi grupe mogu biti samo korisnici.
- Ovo će imati **adresu e-pošte** sa domenom EntraID tenant-a.
There are **2 types of memberships**:
Postoje **2 tipa članstva**:
- **Assigned**: Allow to manually add specific members to a group.
- **Dynamic membership**: Automatically manages membership using rules, updating group inclusion when members attributes change.
- **Dodeljeno**: Omogućava ručno dodavanje specifičnih članova u grupu.
- **Dinamičko članstvo**: Automatski upravlja članstvom koristeći pravila, ažurirajući uključivanje grupe kada se atributi članova promene.
### **Service Principals**
### **Servisni principi**
A **Service Principal** is an **identity** created for **use** with **applications**, hosted services, and automated tools to access Azure resources. This access is **restricted by the roles assigned** to the service principal, giving you control over **which resources can be accessed** and at which level. For security reasons, it's always recommended to **use service principals with automated tools** rather than allowing them to log in with a user identity.
**Servisni princip** je **identitet** kreiran za **upotrebu** sa **aplikacijama**, hostovanim uslugama i automatizovanim alatima za pristup Azure resursima. Ovaj pristup je **ograničen ulogama dodeljenim** servisnom principu, dajući vam kontrolu nad **koji resursi mogu biti pristupljeni** i na kojem nivou. Iz bezbednosnih razloga, uvek se preporučuje da **koristite servisne principe sa automatizovanim alatima** umesto da im dozvolite prijavu sa korisničkim identitetom.
It's possible to **directly login as a service principal** by generating it a **secret** (password), a **certificate**, or granting **federated** access to third party platforms (e.g. Github Actions) over it.
Moguće je **direktno se prijaviti kao servisni princip** generišući mu **tajnu** (lozinku), **sertifikat** ili dodeljujući **federisani** pristup platformama trećih strana (npr. Github Actions) preko njega.
- If you choose **password** auth (by default), **save the password generated** as you won't be able to access it again.
- If you choose certificate authentication, make sure the **application will have access over the private key**.
- Ako izaberete **lozinku** za autentifikaciju (podrazumevano), **sačuvajte generisanu lozinku** jer je nećete moći ponovo pristupiti.
- Ako izaberete autentifikaciju sertifikatom, uverite se da će **aplikacija imati pristup privatnom ključu**.
### App Registrations
### Registracije aplikacija
An **App Registration** is a configuration that allows an application to integrate with Entra ID and to perform actions.
**Registracija aplikacije** je konfiguracija koja omogućava aplikaciji da se integriše sa Entra ID i da izvršava radnje.
#### Key Components:
#### Ključne komponente:
1. **Application ID (Client ID):** A unique identifier for your app in Azure AD.
2. **Redirect URIs:** URLs where Azure AD sends authentication responses.
3. **Certificates, Secrets & Federated Credentials:** It's possible to generate a secret or a certificate to login as the service principal of the application, or to grant federated access to it (e.g. Github Actions).&#x20;
1. If a **certificate** or **secret** is generated, it's possible to a person to **login as the service principal** with CLI tools by knowing the **application ID**, the **secret** or **certificate** and the **tenant** (domain or ID).
4. **API Permissions:** Specifies what resources or APIs the app can access.
5. **Authentication Settings:** Defines the app's supported authentication flows (e.g., OAuth2, OpenID Connect).
6. **Service Principal**: A service principal is created when an App is created (if it's done from the web console) or when it's installed in a new tenant.
1. The **service principal** will get all the requested permissions it was configured with.
1. **ID aplikacije (Client ID):** Jedinstveni identifikator za vašu aplikaciju u Azure AD.
2. **Redirect URIs:** URL-ovi na koje Azure AD šalje odgovore na autentifikaciju.
3. **Sertifikati, tajne i federisani kredencijali:** Moguće je generisati tajnu ili sertifikat za prijavu kao servisni princip aplikacije, ili dodeliti federisani pristup (npr. Github Actions).&#x20;
1. Ako je **sertifikat** ili **tajna** generisana, moguće je da osoba **prijavi kao servisni princip** koristeći CLI alate znajući **ID aplikacije**, **tajnu** ili **sertifikat** i **tenant** (domen ili ID).
4. **API dozvole:** Određuje koje resurse ili API-je aplikacija može pristupiti.
5. **Podešavanja autentifikacije:** Definiše podržane tokove autentifikacije aplikacije (npr., OAuth2, OpenID Connect).
6. **Servisni princip**: Servisni princip se kreira kada se aplikacija kreira (ako se to uradi iz web konzole) ili kada se instalira u novom tenant-u.
1. **Servisni princip** će dobiti sve tražene dozvole sa kojima je konfigurisan.
### Default Consent Permissions
### Podrazumevane dozvole pristanka
**User consent for applications**
**Korisnički pristanak za aplikacije**
- **Do not allow user consent**
- An administrator will be required for all apps.
- **Allow user consent for apps from verified publishers, for selected permissions (Recommended)**
- All users can consent for permissions classified as "low impact", for apps from verified publishers or apps registered in this organization.
- **Default** low impact permissions (although you need to accept to add them as low):
- User.Read - sign in and read user profile
- offline_access - maintain access to data that users have given it access to
- openid - sign users in
- profile - view user's basic profile
- email - view user's email address
- **Allow user consent for apps (Default)**
- All users can consent for any app to access the organization's data.
- **Ne dozvoliti korisnički pristanak**
- Administrator će biti potreban za sve aplikacije.
- **Dozvoliti korisnički pristanak za aplikacije od verifikovanih izdavača, za odabrane dozvole (Preporučeno)**
- Svi korisnici mogu dati pristanak za dozvole klasifikovane kao "niskog uticaja", za aplikacije od verifikovanih izdavača ili aplikacije registrovane u ovoj organizaciji.
- **Podrazumevane** dozvole niskog uticaja (iako morate prihvatiti da ih dodate kao niske):
- User.Read - prijavite se i pročitajte korisnički profil
- offline_access - održava pristup podacima kojima su korisnici dali pristup
- openid - prijavite korisnike
- profile - pogledajte osnovni profil korisnika
- email - pogledajte adresu e-pošte korisnika
- **Dozvoliti korisnički pristanak za aplikacije (Podrazumevano)**
- Svi korisnici mogu dati pristanak za bilo koju aplikaciju da pristupi podacima organizacije.
**Admin consent requests**: Default **No**
**Zahtevi za pristanak administratora**: Podrazumevano **Ne**
- Users can request admin consent to apps they are unable to consent to
- If **Yes**: Its possible to indicate Users, Groups and Roles that can consent requests
- Configure also if users will receive email notifications and expiration reminders&#x20;
- Korisnici mogu zatražiti pristanak administratora za aplikacije za koje ne mogu dati pristanak
- Ako je **Da**: Moguće je naznačiti korisnike, grupe i uloge koje mogu dati zahteve za pristanak
- Takođe konfigurišite da li će korisnici primati obaveštenja putem e-pošte i podsetnike o isteku&#x20;
### **Managed Identity (Metadata)**
### **Upravljani identitet (metapodaci)**
Managed identities in Azure Active Directory offer a solution for **automatically managing the identity** of applications. These identities are used by applications for the purpose of **connecting** to **resources** compatible with Azure Active Directory (**Azure AD**) authentication. This allows to **remove the need of hardcoding cloud credentials** in the code as the application will be able to contact the **metadata** service to get a valid token to **perform actions** as the indicated managed identity in Azure.
Upravljani identiteti u Azure Active Directory nude rešenje za **automatsko upravljanje identitetom** aplikacija. Ovi identiteti se koriste od strane aplikacija u svrhu **povezivanja** sa **resursima** kompatibilnim sa autentifikacijom Azure Active Directory (**Azure AD**). Ovo omogućava **uklanjanje potrebe za hardkodiranjem cloud kredencijala** u kodu jer će aplikacija moći da kontaktira **metapodatkovnu** uslugu kako bi dobila važeći token za **izvršavanje radnji** kao naznačeni upravljani identitet u Azure-u.
There are two types of managed identities:
Postoje dva tipa upravljanih identiteta:
- **System-assigned**. Some Azure services allow you to **enable a managed identity directly on a service instance**. When you enable a system-assigned managed identity, a **service principal** is created in the Entra ID tenant trusted by the subscription where the resource is located. When the **resource** is **deleted**, Azure automatically **deletes** the **identity** for you.
- **User-assigned**. It's also possible for users to generate managed identities. These are created inside a resource group inside a subscription and a service principal will be created in the EntraID trusted by the subscription. Then, you can assign the managed identity to one or **more instances** of an Azure service (multiple resources). For user-assigned managed identities, the **identity is managed separately from the resources that use it**.
- **Sistemom dodeljeni**. Neke Azure usluge omogućavaju vam da **omogućite upravljani identitet direktno na instanci usluge**. Kada omogućite sistemom dodeljeni upravljeni identitet, **servisni princip** se kreira u Entra ID tenant-u kojem veruje pretplata u kojoj se resurs nalazi. Kada se **resurs** **obriše**, Azure automatski **briše** **identitet** za vas.
- **Korisnikom dodeljeni**. Takođe je moguće da korisnici generišu upravljane identitete. Ovi se kreiraju unutar grupe resursa unutar pretplate i servisni princip će biti kreiran u EntraID kojem veruje pretplata. Zatim, možete dodeliti upravljeni identitet jednoj ili **više instanci** Azure usluge (više resursa). Za korisnikom dodeljene upravljane identitete, **identitet se upravlja odvojeno od resursa koji ga koriste**.
Managed Identities **don't generate eternal credentials** (like passwords or certificates) to access as the service principal attached to it.
Upravljani identiteti **ne generišu večne kredencijale** (kao što su lozinke ili sertifikati) za pristup kao servisni princip koji je povezan sa njima.
### Enterprise Applications
### Preduzeća aplikacije
Its just a **table in Azure to filter service principals** and check the applications that have been assigned to.
To je samo **tabela u Azure-u za filtriranje servisnih principa** i proveru aplikacija koje su dodeljene.
**It isnt another type of “application”,** there isnt any object in Azure that is an “Enterprise Application”, its just an abstraction to check the Service principals, App registrations and managed identities.
**To nije još jedan tip "aplikacije",** ne postoji nijedan objekat u Azure-u koji je "Preduzeće aplikacija", to je samo apstrakcija za proveru servisnih principa, registracija aplikacija i upravljanih identiteta.
### Administrative Units
### Administrativne jedinice
Administrative units allows to **give permissions from a role over a specific portion of an organization**.
Administrativne jedinice omogućavaju **davanje dozvola iz uloge nad specifičnim delom organizacije**.
Example:
Primer:
- Scenario: A company wants regional IT admins to manage only the users in their own region.
- Implementation:
- Create Administrative Units for each region (e.g., "North America AU", "Europe AU").
- Populate AUs with users from their respective regions.
- AUs can **contain users, groups, or devices**
- AUs support **dynamic memberships**
- AUs **cannot contain AUs**
- Assign Admin Roles:
- Grant the "User Administrator" role to regional IT staff, scoped to their region's AU.
- Outcome: Regional IT admins can manage user accounts within their region without affecting other regions.
- Scenario: Kompanija želi da regionalni IT administratori upravljaju samo korisnicima u svojoj regiji.
- Implementacija:
- Kreirajte administrativne jedinice za svaku regiju (npr., "Severna Amerika AU", "Evropa AU").
- Popunite AU sa korisnicima iz njihovih odgovarajućih regija.
- AU može **sadržati korisnike, grupe ili uređaje**
- AU podržavaju **dinamička članstva**
- AU **ne mogu sadržati AU**
- Dodelite administrativne uloge:
- Dodelite ulogu "Administrator korisnika" regionalnom IT osoblju, ograničeno na AU njihove regije.
- Ishod: Regionalni IT administratori mogu upravljati korisničkim nalozima unutar svoje regije bez uticaja na druge regije.
### Entra ID Roles
### Entra ID uloge
- In order to manage Entra ID there are some **built-in roles** that can be assigned to Entra ID principals to manage Entra ID
- Check the roles in [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference)
- The most privileged role is **Global Administrator**
- In the Description of the role its possible to see its **granular permissions**
- Da bi upravljali Entra ID, postoje neke **ugrađene uloge** koje se mogu dodeliti Entra ID principima za upravljanje Entra ID
- Proverite uloge na [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference)
- Najprivilegovanija uloga je **Globalni administrator**
- U opisu uloge moguće je videti njene **granularne dozvole**
## Roles & Permissions
## Uloge i dozvole
**Roles** are **assigned** to **principals** on a **scope**: `principal -[HAS ROLE]->(scope)`
**Uloge** se **dodeljuju** **principima** na **opsegu**: `principal -[HAS ROLE]->(scope)`
**Roles** assigned to **groups** are **inherited** by all the **members** of the group.
**Uloge** dodeljene **grupama** se **nasleđuju** od svih **članova** grupe.
Depending on the scope the role was assigned to, the **role** cold be **inherited** to **other resources** inside the scope container. For example, if a user A has a **role on the subscription**, he will have that **role on all the resource groups** inside the subscription and on **all the resources** inside the resource group.
U zavisnosti od opsega na koji je uloga dodeljena, **uloga** se može **naslediti** na **druge resurse** unutar kontejnera opsega. Na primer, ako korisnik A ima **ulogu na pretplati**, imaće tu **ulogu na svim grupama resursa** unutar pretplate i na **svim resursima** unutar grupe resursa.
### **Classic Roles**
### **Klasične uloge**
| **Owner** | <ul><li>Full access to all resources</li><li>Can manage access for other users</li></ul> | All resource types |
| ----------------------------- | ---------------------------------------------------------------------------------------- | ------------------ |
| **Contributor** | <ul><li>Full access to all resources</li><li>Cannot manage access</li></ul> | All resource types |
| **Reader** | • View all resources | All resource types |
| **User Access Administrator** | <ul><li>View all resources</li><li>Can manage access for other users</li></ul> | All resource types |
| **Vlasnik** | <ul><li>Puni pristup svim resursima</li><li>Može upravljati pristupom za druge korisnike</li></ul> | Svi tipovi resursa |
| ------------------------------- | ------------------------------------------------------------------------------------------ | ------------------ |
| **Doprinosilac** | <ul><li>Puni pristup svim resursima</li><li>Ne može upravljati pristupom</li></ul> | Svi tipovi resursa |
| **Čitač** | • Pregled svih resursa | Svi tipovi resursa |
| **Administrator pristupa korisnika** | <ul><li>Pregled svih resursa</li><li>Može upravljati pristupom za druge korisnike</li></ul> | Svi tipovi resursa |
### Built-In roles
### Ugrađene uloge
[From the docs: ](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)[Azure role-based access control (Azure RBAC)](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview) has several Azure **built-in roles** that you can **assign** to **users, groups, service principals, and managed identities**. Role assignments are the way you control **access to Azure resources**. If the built-in roles don't meet the specific needs of your organization, you can create your own [**Azure custom roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)**.**
[Iz dokumenata: ](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)[Azure kontrola pristupa zasnovana na ulogama (Azure RBAC)](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview) ima nekoliko **ugrađenih uloga** koje možete **dodeliti** **korisnicima, grupama, servisnim principima i upravljanim identitetima**. Dodeljivanje uloga je način na koji kontrolišete **pristup Azure resursima**. Ako ugrađene uloge ne zadovoljavaju specifične potrebe vaše organizacije, možete kreirati svoje [**Azure prilagođene uloge**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)**.**
**Built-In** roles apply only to the **resources** they are **meant** to, for example check this 2 examples of **Built-In roles over Compute** resources:
**Ugrađene** uloge se primenjuju samo na **resurse** za koje su **namenjene**, na primer, proverite ova 2 primera **ugrađenih uloga** nad Compute resursima:
| [Disk Backup Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#disk-backup-reader) | Provides permission to backup vault to perform disk backup. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 |
| [Disk Backup Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#disk-backup-reader) | Omogućava dozvolu za backup vault za izvršavanje backup-a diska. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 |
| ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | ------------------------------------ |
| [Virtual Machine User Login](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-user-login) | View Virtual Machines in the portal and login as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52 |
| [Virtual Machine User Login](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-user-login) | Pregledajte virtuelne mašine u portalu i prijavite se kao običan korisnik. | fb879df8-f326-4884-b1cf-06f3ad86be52 |
This roles can **also be assigned over logic containers** (such as management groups, subscriptions and resource groups) and the principals affected will have them **over the resources inside those containers**.
Ove uloge se **takođe mogu dodeliti nad logičkim kontejnerima** (kao što su grupe za upravljanje, pretplate i grupe resursa) i principi na koje se to odnosi će ih imati **nad resursima unutar tih kontejnera**.
- Find here a list with [**all the Azure built-in roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles).
- Find here a list with [**all the Entra ID built-in roles**](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference).
- Pronađite ovde listu sa [**svim ugrađenim ulogama Azure-a**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles).
- Pronađite ovde listu sa [**svim ugrađenim ulogama Entra ID**](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference).
### Custom Roles
### Prilagođene uloge
- Its also possible to create [**custom roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)
- They are created inside a scope, although a role can be in several scopes (management groups, subscription and resource groups)
- Its possible to configure all the granular permissions the custom role will have
- Its possible to exclude permissions
- A principal with a excluded permission wont be able to use it even if the permissions is being granted elsewhere
- Its possible to use wildcards
- The used format is a JSON
- `actions` are for control actions over the resource
- `dataActions` are permissions over the data within the object
Example of permissions JSON for a custom role:
- Takođe je moguće kreirati [**prilagođene uloge**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)
- One se kreiraju unutar opsega, iako uloga može biti u više opsega (grupe za upravljanje, pretplate i grupe resursa)
- Moguće je konfigurisati sve granularne dozvole koje će prilagođena uloga imati
- Moguće je isključiti dozvole
- Princip sa isključenom dozvolom neće moći da je koristi čak i ako se dozvola dodeljuje negde drugde
- Moguće je koristiti džoker znakove
- Korišćeni format je JSON
- `actions` su za kontrolu radnji nad resursom
- `dataActions` su dozvole nad podacima unutar objekta
Primer dozvola JSON za prilagođenu ulogu:
```json
{
"properties": {
"roleName": "",
"description": "",
"assignableScopes": ["/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f"],
"permissions": [
{
"actions": [
"Microsoft.DigitalTwins/register/action",
"Microsoft.DigitalTwins/unregister/action",
"Microsoft.DigitalTwins/operations/read",
"Microsoft.DigitalTwins/digitalTwinsInstances/read",
"Microsoft.DigitalTwins/digitalTwinsInstances/write",
"Microsoft.CostManagement/exports/*"
],
"notActions": [
"Astronomer.Astro/register/action",
"Astronomer.Astro/unregister/action",
"Astronomer.Astro/operations/read",
"Astronomer.Astro/organizations/read"
],
"dataActions": [],
"notDataActions": []
}
]
}
"properties": {
"roleName": "",
"description": "",
"assignableScopes": ["/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f"],
"permissions": [
{
"actions": [
"Microsoft.DigitalTwins/register/action",
"Microsoft.DigitalTwins/unregister/action",
"Microsoft.DigitalTwins/operations/read",
"Microsoft.DigitalTwins/digitalTwinsInstances/read",
"Microsoft.DigitalTwins/digitalTwinsInstances/write",
"Microsoft.CostManagement/exports/*"
],
"notActions": [
"Astronomer.Astro/register/action",
"Astronomer.Astro/unregister/action",
"Astronomer.Astro/operations/read",
"Astronomer.Astro/organizations/read"
],
"dataActions": [],
"notDataActions": []
}
]
}
}
```
### Permissions order
- In order for a **principal to have some access over a resource** he needs an explicit role being granted to him (anyhow) **granting him that permission**.
- An explicit **deny role assignment takes precedence** over the role granting the permission.
- Da bi **principal imao pristup resursu**, potrebno je da mu bude dodeljena eksplicitna uloga (na bilo koji način) **koja mu daje tu dozvolu**.
- Eksplicitna **dodela uloge za odbijanje ima prioritet** nad ulogom koja dodeljuje dozvolu.
<figure><img src="../../../images/image (191).png" alt=""><figcaption><p><a href="https://link.springer.com/chapter/10.1007/978-1-4842-7325-8_10">https://link.springer.com/chapter/10.1007/978-1-4842-7325-8_10</a></p></figcaption></figure>
### Global Administrator
Global Administrator is a role from Entra ID that grants **complete control over the Entra ID tenant**. However, it doesn't grant any permissions over Azure resources by default.
Global Administrator je uloga iz Entra ID koja dodeljuje **potpunu kontrolu nad Entra ID tenant-om**. Međutim, po defaultu ne dodeljuje nikakve dozvole nad Azure resursima.
Users with the Global Administrator role has the ability to '**elevate' to User Access Administrator Azure role in the Root Management Group**. So Global Administrators can manage access in **all Azure subscriptions and management groups.**\
This elevation can be done at the end of the page: [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/\~/Properties](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties)
Korisnici sa ulogom Global Administrator imaju mogućnost da '**povećaju' na User Access Administrator Azure ulogu u Root Management Group**. Tako Global Administratori mogu upravljati pristupom u **svim Azure pretplatama i upravljačkim grupama.**\
Ovo povećanje može se izvršiti na kraju stranice: [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/\~/Properties](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties)
<figure><img src="../../../images/image (349).png" alt=""><figcaption></figcaption></figure>
### Azure Policies
**Azure Policies** are rules that help organizations ensure their resources meet specific standards and compliance requirements. They allow you to **enforce or audit settings on resources in Azure**. For example, you can prevent the creation of virtual machines in an unauthorized region or ensure that all resources have specific tags for tracking.
**Azure Policies** su pravila koja pomažu organizacijama da osiguraju da njihovi resursi ispunjavaju specifične standarde i zahteve usklađenosti. Omogućavaju vam da **sprovodite ili proveravate podešavanja na resursima u Azure-u**. Na primer, možete sprečiti kreiranje virtuelnih mašina u neovlašćenoj regiji ili osigurati da svi resursi imaju specifične oznake za praćenje.
Azure Policies are **proactive**: they can stop non-compliant resources from being created or changed. They are also **reactive**, allowing you to find and fix existing non-compliant resources.
Azure Policies su **proaktivne**: mogu sprečiti kreiranje ili promenu neusklađenih resursa. Takođe su **reaktivne**, omogućavajući vam da pronađete i ispravite postojeće neusklađene resurse.
#### **Key Concepts**
1. **Policy Definition**: A rule, written in JSON, that specifies what is allowed or required.
2. **Policy Assignment**: The application of a policy to a specific scope (e.g., subscription, resource group).
3. **Initiatives**: A collection of policies grouped together for broader enforcement.
4. **Effect**: Specifies what happens when the policy is triggered (e.g., "Deny," "Audit," or "Append").
1. **Policy Definition**: Pravilo, napisano u JSON-u, koje specificira šta je dozvoljeno ili zahtevano.
2. **Policy Assignment**: Primena politike na specifičan opseg (npr. pretplata, grupa resursa).
3. **Initiatives**: Kolekcija politika grupisanih zajedno za širu primenu.
4. **Effect**: Specificira šta se dešava kada se politika aktivira (npr. "Deny," "Audit," ili "Append").
**Some examples:**
**Neki primeri:**
1. **Ensuring Compliance with Specific Azure Regions**: This policy ensures that all resources are deployed in specific Azure regions. For example, a company might want to ensure all its data is stored in Europe for GDPR compliance.
2. **Enforcing Naming Standards**: Policies can enforce naming conventions for Azure resources. This helps in organizing and easily identifying resources based on their names, which is helpful in large environments.
3. **Restricting Certain Resource Types**: This policy can restrict the creation of certain types of resources. For example, a policy could be set to prevent the creation of expensive resource types, like certain VM sizes, to control costs.
4. **Enforcing Tagging Policies**: Tags are key-value pairs associated with Azure resources used for resource management. Policies can enforce that certain tags must be present, or have specific values, for all resources. This is useful for cost tracking, ownership, or categorization of resources.
5. **Limiting Public Access to Resources**: Policies can enforce that certain resources, like storage accounts or databases, do not have public endpoints, ensuring that they are only accessible within the organization's network.
6. **Automatically Applying Security Settings**: Policies can be used to automatically apply security settings to resources, such as applying a specific network security group to all VMs or ensuring that all storage accounts use encryption.
1. **Osiguranje usklađenosti sa specifičnim Azure regijama**: Ova politika osigurava da se svi resursi postavljaju u specifične Azure regije. Na primer, kompanija može želeti da osigura da su svi njeni podaci smešteni u Evropi radi usklađenosti sa GDPR-om.
2. **Sprovođenje standarda imenovanja**: Politike mogu sprovoditi konvencije imenovanja za Azure resurse. Ovo pomaže u organizaciji i lakom identifikovanju resursa na osnovu njihovih imena, što je korisno u velikim okruženjima.
3. **Ograničavanje određenih tipova resursa**: Ova politika može ograničiti kreiranje određenih tipova resursa. Na primer, politika može biti postavljena da spreči kreiranje skupih tipova resursa, kao što su određene veličine VM-a, kako bi se kontrolisali troškovi.
4. **Sprovođenje politika označavanja**: Oznake su parovi ključ-vrednost povezani sa Azure resursima koji se koriste za upravljanje resursima. Politike mogu sprovoditi da određene oznake moraju biti prisutne, ili imati specifične vrednosti, za sve resurse. Ovo je korisno za praćenje troškova, vlasništvo ili kategorizaciju resursa.
5. **Ograničavanje javnog pristupa resursima**: Politike mogu sprovoditi da određeni resursi, kao što su skladišni nalozi ili baze podataka, nemaju javne krajnje tačke, osiguravajući da su dostupni samo unutar mreže organizacije.
6. **Automatsko primenjivanje bezbednosnih podešavanja**: Politike se mogu koristiti za automatsko primenjivanje bezbednosnih podešavanja na resurse, kao što je primena specifične grupe bezbednosti mreže na sve VM-ove ili osiguranje da svi skladišni nalozi koriste enkripciju.
Note that Azure Policies can be attached to any level of the Azure hierarchy, but they are **commonly used in the root management group** or in other management groups.
Napomena da se Azure Policies mogu prikačiti na bilo koji nivo Azure hijerarhije, ali se **najčešće koriste u root management group** ili u drugim upravljačkim grupama.
Azure policy json example:
```json
{
"policyRule": {
"if": {
"field": "location",
"notIn": ["eastus", "westus"]
},
"then": {
"effect": "Deny"
}
},
"parameters": {},
"displayName": "Allow resources only in East US and West US",
"description": "This policy ensures that resources can only be created in East US or West US.",
"mode": "All"
"policyRule": {
"if": {
"field": "location",
"notIn": ["eastus", "westus"]
},
"then": {
"effect": "Deny"
}
},
"parameters": {},
"displayName": "Allow resources only in East US and West US",
"description": "This policy ensures that resources can only be created in East US or West US.",
"mode": "All"
}
```
### Nasleđivanje dozvola
### Permissions Inheritance
U Azure **dozvole se mogu dodeliti bilo kojem delu hijerarhije**. To uključuje upravljačke grupe, pretplate, grupe resursa i pojedinačne resurse. Dozvole se **nasleđuju** od sadržanih **resursa** entiteta gde su dodeljene.
In Azure **permissions are can be assigned to any part of the hierarchy**. That includes management groups, subscriptions, resource groups, and individual resources. Permissions are **inherited** by contained **resources** of the entity where they were assigned.
This hierarchical structure allows for efficient and scalable management of access permissions.
Ova hijerarhijska struktura omogućava efikasno i skalabilno upravljanje dozvolama pristupa.
<figure><img src="../../../images/image (26).png" alt=""><figcaption></figcaption></figure>
### Azure RBAC vs ABAC
**RBAC** (role-based access control) is what we have seen already in the previous sections: **Assigning a role to a principal to grant him access** over a resource.\
However, in some cases you might want to provide **more fined-grained access management** or **simplify** the management of **hundreds** of role **assignments**.
**RBAC** (kontrola pristupa zasnovana na ulozi) je ono što smo već videli u prethodnim sekcijama: **Dodeljivanje uloge principalu kako bi mu se omogućio pristup** resursu.\
Međutim, u nekim slučajevima možda ćete želeti da obezbedite **preciznije upravljanje pristupom** ili **pojednostavite** upravljanje **stotinama** dodela uloga.
Azure **ABAC** (attribute-based access control) builds on Azure RBAC by adding **role assignment conditions based on attributes** in the context of specific actions. A _role assignment condition_ is an **additional check that you can optionally add to your role assignment** to provide more fine-grained access control. A condition filters down permissions granted as a part of the role definition and role assignment. For example, you can **add a condition that requires an object to have a specific tag to read the object**.\
You **cannot** explicitly **deny** **access** to specific resources **using conditions**.
Azure **ABAC** (kontrola pristupa zasnovana na atributima) se oslanja na Azure RBAC dodavanjem **uslova dodele uloga zasnovanih na atributima** u kontekstu specifičnih akcija. _Uslov dodele uloge_ je **dodatna provera koju možete opcionalno dodati svojoj dodeli uloge** kako biste obezbedili precizniju kontrolu pristupa. Uslov filtrira dozvole dodeljene kao deo definicije uloge i dodele uloge. Na primer, možete **dodati uslov koji zahteva da objekat ima specifičnu oznaku da bi se pročitao objekat**.\
Ne možete eksplicitno **odbiti** **pristup** specifičnim resursima **korišćenjem uslova**.
## References
## Reference
- [https://learn.microsoft.com/en-us/azure/governance/management-groups/overview](https://learn.microsoft.com/en-us/azure/governance/management-groups/overview)
- [https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions)
@@ -379,7 +375,3 @@ You **cannot** explicitly **deny** **access** to specific resources **using cond
- [https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration](https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration)
{{#include ../../../banners/hacktricks-training.md}}