Identity and Access Management Permissions for Cloud Deployment
  • 21 Jun 2023


Each Identity and Access Management (IAM) implementation is unique. The organization's business rules, decisions and processes determine the path to a successful implementation. As with any IAM implementation, access rights are needed to the various systems that will be provisioned. Outlined below are the requirements published by the major vendors for managing each system.

It is highly recommended that the Network Administrator for any organization review the rights granted to any service account to ensure the security of the system.

ACTIVE DIRECTORY

Active Directory permissions for managing objects can be extremely granular. The drawback of granular permissions is that, if they are not well documented, they will eventually cause management problems. Ultimately, any account that will manage Active Directory objects needs read, write, create and modify (CRUD) permissions on the user account, container or Organizational Unit in which the objects reside.

By default, Microsoft assigns the appropriate permissions to Domain Administrators and Account Operators; however, this is completely dependent on the underlying environment. If you have not changed the default functionality of Account Operators, it should have the CRUD permissions required, and it is the service account level that Identity Automation needs.
For reference, Microsoft provides the following document outlining the specific group permissions:

  • Active Directory Security Groups (Windows 10) - Microsoft 365 Security
  • Domain Admins
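The review recommended above can be done with a script such as the following. It is an added example, not code from the article or from Identity Automation: it lists the access control entries a service account holds, directly or through nested group membership, on the OU that provisioned objects live in, and flags rights that go beyond the CRUD level described. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name, the account name and the list of rights treated as excessive are placeholders to adjust for your environment.

```powershell
# Added audit example (not from the article). Placeholders: $OuDN, $ServiceAccount,
# $ExcessiveRights. Requires the RSAT ActiveDirectory module, which also provides
# the AD: drive used by Get-Acl below.
Import-Module ActiveDirectory

$OuDN           = 'OU=Provisioned,DC=example,DC=local'   # placeholder OU
$ServiceAccount = 'svc-iam'                             # placeholder sAMAccountName

# Rights that exceed object CRUD on a container and deserve a second look.
$ExcessiveRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'ExtendedRight'

# SIDs of the account and of every group it belongs to, including nested
# membership, resolved with the LDAP_MATCHING_RULE_IN_CHAIN matching rule.
$user   = Get-ADUser -Identity $ServiceAccount
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$sids   = @($user.SID.Value) + @($groups | ForEach-Object { $_.SID.Value })

# Read the OU's security descriptor.
$acl = Get-Acl -Path "AD:\$OuDN"

$acl.Access | ForEach-Object {
    $ace = $_
    # Translate the trustee to a SID so ACEs granted to a group are matched too.
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $sid = $ace.IdentityReference.Value }
    if ($sid -notin $sids) { return }

    $rights  = $ace.ActiveDirectoryRights.ToString()
    $exceeds = @($ExcessiveRights | Where-Object { $rights -match $_ }).Count -gt 0
    # An empty ObjectType GUID means the ACE applies to every object class.
    $objectType = if ($ace.ObjectType -eq [guid]::Empty) { 'All' } else { $ace.ObjectType }
    [pscustomobject]@{
        Trustee     = $ace.IdentityReference.Value
        Type        = $ace.AccessControlType
        Rights      = $rights
        ObjectType  = $objectType
        Inheritance = $ace.InheritanceType
        Review      = if ($exceeds) { 'EXCEEDS CRUD' } else { '' }
    }
} | Format-Table -AutoSize

# The article recommends the default Account Operators level, so also list who
# currently holds that role to spot unexpected members.
Get-ADGroupMember -Identity 'Account Operators' -Recursive |
    Select-Object Name, objectClass, distinguishedName
```

Non-empty ObjectType GUIDs identify a specific class or attribute; compare them against the schema if an ACE is scoped more narrowly than the output suggests.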

GOOGLE

Pre-Built administrator roles - Google Workspace Admin Help

User Management Administrator
Can perform all actions on users who aren't administrators. This administrator can perform the following tasks both from the Admin console and via the Admin API:

  • View user profiles and your organizational structure.
  • View organizational units.
  • Create and delete user accounts. *
  • Rename users and change passwords. *
  • Manage a user's individual security settings. *
  • Perform these other user management tasks. *

When you assign a user to the User Management Admin role, you can limit their privileges to specific organizational units.

*Applies only for users who aren't administrators. This administrator can't assign administrator privileges, reset an administrator's password, or make other changes to an administrator account. Only a super administrator can perform those tasks.

OFFICE 365

Azure OAuth2 Configuration Documentation from Microsoft
