{"id":1285,"date":"2025-04-02T13:19:13","date_gmt":"2025-04-02T13:19:13","guid":{"rendered":"https:\/\/blog.gustavomagella.com\/?p=1285"},"modified":"2025-04-30T12:53:18","modified_gmt":"2025-04-30T12:53:18","slug":"004-beyond-the-cloud-spin-off-cloud-security-cap02-09","status":"publish","type":"post","link":"https:\/\/blog.gustavomagella.com\/index.php\/2025\/04\/02\/004-beyond-the-cloud-spin-off-cloud-security-cap02-09\/","title":{"rendered":"#004 | Beyond the Cloud &#8211; Spin-Off | Cloud Security | C02-09 &#8211; Identity and Access Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">[en-gb] \u26a0\ufe0f Important Disclaimer<\/h2>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>1\ufe0f\u20e3 Some time ago, I recorded a course on cloud security in Microsoft environments for a Brazilian university called IGTI. This course was part of a Cloud Computing bootcamp and helped many students who were just starting their careers in the field. 
(After the institution shut down, the content became unavailable.)<\/p>\n\n\n\n<p>\ud83c\udfaf So, I decided to remaster, sanitize, and re-release this content for free on YouTube, with the goal of continuing to support those who are beginning their journey in Cloud and Cloud Security.<\/p>\n\n\n\n<p>2\ufe0f\u20e3 The original course is in Portuguese (pt-BR), but throughout the series I\u2019ll also publish articles in English (en-US) so the content can reach more people \u2014 at least until the new courses in English are recorded and ready.<\/p>\n\n\n\n<p>3\ufe0f\u20e3 Important: this series is not certification prep and not a silver bullet.<br>The goal here is to share structured knowledge, with a hands-on, accessible approach focused on:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud beginners,<\/li>\n\n\n\n<li>Security enthusiasts, and<\/li>\n\n\n\n<li>Anyone looking to better understand how Azure actually handles security.<\/li>\n<\/ul>\n\n\n\n<p>4\ufe0f\u20e3 Microsoft has <strong>rebranded some of its products<\/strong> \u2014 for example, <em>Azure Security Center<\/em> is now <strong>Defender for Cloud<\/strong>, and <em>Azure Active Directory<\/em> is now <strong>Entra ID<\/strong>. Some lessons may still refer to the old names, but don\u2019t worry \u2014 the <strong>core concepts, technical foundations, and functionalities remain the same<\/strong>. Focus on the architecture and principles being taught.<\/p>\n\n\n\n<p>Hope you enjoy it! 
Big hug!<\/p>\n\n\n\n<p>Gustavo Magella<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83c\udfac Watch Episode #02 of 09 Now<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\ud83d\udd17 <strong><a href=\"https:\/\/youtu.be\/2FeBjah0cJk\" data-type=\"link\" data-id=\"https:\/\/youtu.be\/2FeBjah0cJk\">Click here to watch on YouTube \u2013 Episode 02 of 09.<\/a><\/strong><br><em>(And yes, hit that subscribe button. I\u2019m watching\u2026 \ud83d\udc40)<\/em><\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">[EN-US] Beyond The Cloud &#8211; Spin-Off | Chapter 02: Access &amp; Identity Security in Azure<\/h2>\n\n\n\n<p><strong>Hey, what\u2019s up folks!?<\/strong> Back for another chapter? Good. Because today we\u2019re unlocking one of the most crucial layers of cloud security: <strong>Access and Identity in Azure<\/strong>. And if you&#8217;re still thinking passwords are enough \u2014 this post might just save your environment.<\/p>\n\n\n\n<p>Let\u2019s be honest: if attackers can bypass your identity controls, it doesn\u2019t matter how many firewalls you\u2019ve set up. <strong>Identity is the new perimeter.<\/strong> And that\u2019s where we begin.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd10 Auth vs. Authz: Know the Difference<\/h3>\n\n\n\n<p>Let me paint a scenario for you:<\/p>\n\n\n\n<p>Imagine Crist\u00f3v\u00e3o Colombo (our brave test user) logs into your Azure tenant. He enters his credentials and gets in. Boom! He\u2019s authenticated.<\/p>\n\n\n\n<p>But wait \u2014 can he view resources? Can he create a VM? 
Can he delete a storage account?<\/p>\n\n\n\n<p>That\u2019s <strong>authorization<\/strong>.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Authentication<\/strong>: Proves who you are. It\u2019s the door key.<\/li>\n\n\n\n<li><strong>Authorization<\/strong>: Determines what you can do once inside. It&#8217;s which doors you&#8217;re allowed to open.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-2-1024x566.png\" loading=\"lazy\" alt=\"\" class=\"wp-image-1291\" srcset=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-2-1024x566.png 1024w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-2-300x166.png 300w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-2-768x425.png 768w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-2.png 1172w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Don\u2019t confuse the two. They walk together, but have different purposes.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83e\ude91 Azure Active Directory (Now Microsoft Entra ID)<\/h3>\n\n\n\n<p>We all remember the classic AD from on-prem days. 
Microsoft Entra ID is that \u2014 evolved, modernized, cloud-native, and powerful.<\/p>\n\n\n\n<p>Some features you should be leveraging:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>SSO<\/strong> for seamless access across services;<\/li>\n\n\n\n<li><strong>App registration<\/strong> and management;<\/li>\n\n\n\n<li><strong>Guest access (B2B)<\/strong> for external collaboration;<\/li>\n\n\n\n<li><strong>Device identity<\/strong> and compliance policies;<\/li>\n\n\n\n<li><strong>Conditional Access<\/strong> for dynamic access control;<\/li>\n<\/ul>\n\n\n\n<p>In practice: You can bulk create users, manage groups, assign roles, invite guest users, and fine-tune their access.<\/p>\n\n\n\n<p>And here&#8217;s a pro tip:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Directory roles are different from RBAC roles. Keep that separation clear.<\/p>\n<\/blockquote>\n\n\n\n<p>Colombo as a basic user? He can log in and read some details. Colombo as a <strong>Global Administrator<\/strong>? That man can light the whole place on fire.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83e\uddf1 MFA: Multi-Factor Authentication, The Right Way<\/h3>\n\n\n\n<p>Still running single-factor logins in your cloud environment? That&#8217;s like leaving your front door open with a sign that says &#8220;Please knock.&#8221;<\/p>\n\n\n\n<p>Azure gives you <strong>free MFA<\/strong>, no P1 or P2 license required. And here\u2019s how it works:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Something you know<\/strong> (Password or PIN);<\/li>\n\n\n\n<li><strong>Something you have<\/strong> (Phone, token, smartcard);<\/li>\n\n\n\n<li><strong>Something you are<\/strong> (Biometrics);<\/li>\n<\/ul>\n\n\n\n<p>I always recommend using the Microsoft Authenticator App \u2014 QR code, setup, push notifications. Done.<\/p>\n\n\n\n<p>But don\u2019t stop there. 
Configure fallback options: SMS, phone call, and backup admins. Losing access to MFA shouldn&#8217;t mean panic.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd75\ufe0f RBAC: Role-Based Access Control<\/h3>\n\n\n\n<p>Now let\u2019s talk power and permissions.<\/p>\n\n\n\n<p>RBAC in Azure is surgical. It lets you grant exactly the right access at exactly the right scope. But if you mess up? You either give too much (disaster) or too little (frustration).<\/p>\n\n\n\n<p>RBAC =<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Security Principal<\/strong>: Who? (user, group, service principal);<\/li>\n\n\n\n<li><strong>Role Definition<\/strong>: What? (read, write, delete, manage);<\/li>\n\n\n\n<li><strong>Scope<\/strong>: Where? (Management Group &gt; Subscription &gt; Resource Group &gt; Resource);<\/li>\n<\/ol>\n\n\n\n<p>Give <strong>Colombo Reader access to a VNet<\/strong> if all he needs is visibility. Giving him Owner at the subscription level? You\u2019re giving him the nuclear codes.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"571\" src=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-3-1024x571.png\" loading=\"lazy\" alt=\"\" class=\"wp-image-1292\" srcset=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-3-1024x571.png 1024w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-3-300x167.png 300w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-3-768x428.png 768w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-3.png 1273w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>You want fine control? Use <strong>Access Control (IAM)<\/strong> on each resource. 
Assign, audit, adjust.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Remember: roles cascade downward. If you assign at the subscription level, every child resource inherits it.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udc41\ufe0f Real-World Chaos: Colombo Goes Wild<\/h3>\n\n\n\n<p>Let\u2019s say you made Colombo an Owner at subscription level &#8220;just for a test.&#8221;<\/p>\n\n\n\n<p>He now sees everything. All three resource groups, all the networks, all the VMs.<\/p>\n\n\n\n<p>He clicks &#8220;delete&#8221; on a VNet. No prompt. No warning. Gone.<\/p>\n\n\n\n<p>Next time you look, half your infra is gone. And Colombo? He just wanted to see how things worked.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\u2728 Naming Policies &amp; Group Management<\/h3>\n\n\n\n<p>Want to stop users from creating groups called &#8220;Test123&#8221; or &#8220;Cool Admins&#8221;?<\/p>\n\n\n\n<p>Define <strong>naming conventions<\/strong>, restrict keywords, and enforce structure. 
Also:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Assign <strong>managers<\/strong> to accounts<\/li>\n\n\n\n<li>Use <strong>group nesting<\/strong><\/li>\n\n\n\n<li>Define <strong>security groups<\/strong> vs <strong>M365 groups<\/strong> appropriately<\/li>\n<\/ul>\n\n\n\n<p>Make Cabral a member of the &#8220;Navegadores&#8221; group, reporting to Colombo, and you\u2019ve got a neat, auditable structure.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83e\ude96 Practical Checklist<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2705 Enable MFA for all users (even guest users);<\/li>\n\n\n\n<li>\u2705 Review sign-in logs monthly;<\/li>\n\n\n\n<li>\u2705 Audit RBAC assignments and scopes;<\/li>\n\n\n\n<li>\u2705 Avoid default roles; use custom where possible;<\/li>\n\n\n\n<li>\u2705 Always use the principle of least privilege;<\/li>\n\n\n\n<li>\u2705 Keep naming structured and logical;<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udcca My Tech Two Cents<\/h2>\n\n\n\n<p>If identity is your front door, MFA is the lock, and RBAC is your house key distribution system.<\/p>\n\n\n\n<p>No point in using biometric locks if everyone gets the master key.<\/p>\n\n\n\n<p>Train your team. Document everything. And never \u2014 ever \u2014 give subscription-level Owner access casually.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udcc6 Coming Up Next&#8230;<\/h2>\n\n\n\n<p>In <strong>Chapter 03<\/strong>, we\u2019ll tackle <strong>Network Security<\/strong> in Azure:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NSGs;<\/li>\n\n\n\n<li>Azure Firewall;<\/li>\n\n\n\n<li>DDoS Protection;<\/li>\n<\/ul>\n\n\n\n<p>You&#8217;re gonna love it.<\/p>\n\n\n\n<p>Much love, and secure that identity perimeter! 
\ud83c\udf39\u2764\ufe0f<\/p>\n\n\n\n<p>Gustavo Magella<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">[pt-br] \u26a0\ufe0f An important notice:<\/h2>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>1\ufe0f\u20e3 Some time ago, I recorded a cloud security course focused on Microsoft environments for a Brazilian university called <strong>IGTI<\/strong>. That course was part of a Cloud Computing bootcamp and, at the time, helped many students who were starting their journeys in the field. (With the closure of the institution, the content ended up becoming unavailable.)<\/p>\n\n\n\n<p>\ud83c\udfaf So, I decided to <strong>remaster, sanitize and re-release this content for free on YouTube<\/strong>, with the goal of continuing to help those who are starting out in Cloud and Cloud Security.<\/p>\n\n\n\n<p>2\ufe0f\u20e3 The original course is in <strong>Portuguese (pt-BR)<\/strong>, but throughout the series I will also publish <strong>articles in English (en-US)<\/strong>, so the content can reach more people until the new courses in English are recorded and available.<\/p>\n\n\n\n<p>3\ufe0f\u20e3 <strong>Important:<\/strong> this series <strong>is not certification prep<\/strong> and <strong>is not a silver bullet<\/strong>.<br>The idea here is to <strong>share knowledge in a structured way<\/strong>, with a practical and accessible approach, aimed at:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud beginners,<\/li>\n\n\n\n<li>Security enthusiasts, and<\/li>\n\n\n\n<li>anyone looking to better understand how Azure really handles security.<\/li>\n<\/ul>\n\n\n\n<p>4\ufe0f\u20e3 Microsoft has <strong>renamed some of its products<\/strong>: for example, <em>Azure Security Center<\/em> is now called <strong>Defender for Cloud<\/strong>, and <em>Azure Active Directory<\/em> became <strong>Entra ID<\/strong>. In some lessons the old names still appear, but focus on the <strong>concepts and technical fundamentals<\/strong>, which remain valid and extremely relevant.<\/p>\n\n\n\n<p>Hope you enjoy it! Big hug!<\/p>\n\n\n\n<p>Gustavo Magella<\/p>\n<\/blockquote>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">[PT-BR] Beyond The Cloud &#8211; Spin-Off | Chapter 02: Access and Identity Security in Azure<\/h2>\n\n\n\n<p>Hey there, you beautiful folks!? Get ready, because today things are serious. We are going to talk about the <strong>foundation of cloud security<\/strong>: identity.<\/p>\n\n\n\n<p>Yes, that old saying has changed: <strong>Identity is the new perimeter<\/strong>.<\/p>\n\n\n\n<p>This kind of insight is gold. And that is what we will be talking about throughout the series.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83c\udfac Watch Chapter 02<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\ud83d\udd17 <strong><a href=\"https:\/\/youtu.be\/2FeBjah0cJk\">Watch now on YouTube \u2013 Chapter 02 of 09<\/a><\/strong><br>(And subscribe to the channel, otherwise I will know you skipped this part\u2026 lol)<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd10 Authentication vs Authorization<\/h3>\n\n\n\n<p>Authentication: are you really you? Did you type your password?<\/p>\n\n\n\n<p>Authorization: okay, now that you are in, what can you do in here?<\/p>\n\n\n\n<p>There is no point in authenticating if you grant full access to someone who should not have it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"574\" src=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-1-1024x574.png\" loading=\"lazy\" alt=\"\" class=\"wp-image-1290\" srcset=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-1-1024x574.png 1024w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-1-300x168.png 300w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-1-768x430.png 768w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-1.png 1271w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83e\ude91 Azure AD became Entra ID, and it keeps getting more robust<\/h3>\n\n\n\n<p>With <strong>Microsoft Entra ID<\/strong>, you can:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create and manage users (in bulk, too)<\/li>\n\n\n\n<li>Invite third parties (guest users)<\/li>\n\n\n\n<li>Configure directory roles (different from resource RBAC roles)<\/li>\n\n\n\n<li>Monitor sign-ins and activity<\/li>\n<\/ul>\n\n\n\n<p>Colombo as a regular user? He sees what he needs. Colombo as Global Admin? Stand back.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83e\uddf1 MFA: the new minimum<\/h3>\n\n\n\n<p>A password alone does not secure anything anymore.<\/p>\n\n\n\n<p>With <strong>Microsoft's free MFA<\/strong>, you can already protect your whole tenant.<\/p>\n\n\n\n<p>Use the 3 pillars:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What you know (password)<\/li>\n\n\n\n<li>What you have (phone, token)<\/li>\n\n\n\n<li>What you are (biometrics)<\/li>\n<\/ul>\n\n\n\n<p>Set up Microsoft Authenticator, scan the QR code, choose the options. And create alternatives: SMS, phone call, etc.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd75\ufe0f RBAC: access in the right measure<\/h3>\n\n\n\n<p>In Azure, authorization is done via <strong>RBAC<\/strong>. It is made up of:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Security Principal: the &#8220;who&#8221;;<\/li>\n\n\n\n<li>Role Definition: the &#8220;what&#8221;;<\/li>\n\n\n\n<li>Scope: the &#8220;where&#8221;;<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"570\" src=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-1024x570.png\" loading=\"lazy\" alt=\"\" class=\"wp-image-1289\" srcset=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-1024x570.png 1024w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-300x167.png 300w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image-768x428.png 768w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/image.png 1279w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Classic example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Does Colombo need to read a VNet?<\/li>\n\n\n\n<li>Give him <em>Reader<\/em> on that VNet only. Not on the whole Subscription.<\/li>\n<\/ul>\n\n\n\n<p>Remember: inherited roles become a headache fast.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udc41\ufe0f Colombo took over everything? You slipped up<\/h3>\n\n\n\n<p>If you grant Owner permission on the subscription, he can see everything. And delete everything. Without warning!!<\/p>\n\n\n\n<p>You need granular control. RBAC is powerful, but dangerous.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\u2728 Naming and Groups<\/h3>\n\n\n\n<p>Create naming standards. Avoid groups called &#8220;general admin&#8221; or &#8220;test&#8221;.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Name managers<\/li>\n\n\n\n<li>Use group hierarchy<\/li>\n\n\n\n<li>Restrict roles as much as possible<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83e\ude96 Quick Checklist<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2705 MFA enabled for everyone! (No exceptions!)<\/li>\n\n\n\n<li>\u2705 Sign-in logs reviewed; (One eye on the fish, the other on the cat)<\/li>\n\n\n\n<li>\u2705 RBAC under control;<\/li>\n\n\n\n<li>\u2705 No Owner handed out for free; (Preferably use PIM)<\/li>\n\n\n\n<li>\u2705 Naming and groups well defined; (Standardize whenever possible)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udcca My Tech Two Cents<\/h2>\n\n\n\n<p>\u2b50 Security starts with identity.<\/p>\n\n\n\n<p>\u2b50 MFA is the padlock. RBAC is who holds the key to each door.<\/p>\n\n\n\n<p>\u2b50 There is no point in using biometrics if you hand the master key to everyone.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udcc6 Next Chapter<\/h2>\n\n\n\n<p>Chapter 03: <strong>Network Security in Azure<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NSGs;<\/li>\n\n\n\n<li>Azure Firewall;<\/li>\n\n\n\n<li>DDoS Protection;<\/li>\n<\/ul>\n\n\n\n<p>It is going to be insane!!!!! lol #borapranuvem<\/p>\n\n\n\n<p>Much love, and take care! \ud83c\udf39\u2764\ufe0f<\/p>\n\n\n\n<p>Gustavo Magella<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[en-gb] \u26a0\ufe0f Important Disclaimer \ud83c\udfac Watch Episode #02 of 09 Now \ud83d\udd17 Click here to watch on YouTube \u2013 Episode 02 of 09.(And yes, hit&#8230;<\/p>\n","protected":false},"author":2,"featured_media":1295,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[24,23],"class_list":["post-1285","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-01-my-tech-two-cents","tag-en-gb","tag-pt-br"],"menu_order":0,"_links":{"self":[{"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/posts\/1285","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/comments?post=1285"}],"version-history":[{"count":4,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/posts\/1285\/revisions"}],"predecessor-version":[{"id":1297,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/posts\/1285\/revisions\/1297"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/media\/1295"}],"wp:attachment":[{"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/media?parent=1285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/categories?post=1285"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/tags?post=1285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}