Manage Role Based Access Control (RBAC)
Role-Based Access Control (RBAC) is a mechanism for managing access to resources in a system based on the roles assigned to users or groups. In Azure, RBAC is used to control access to Azure resources and services.
To manage RBAC in Azure, follow these steps:
- Create a custom role: You can create a custom role by defining the permissions that the role should have, and then assigning the role to users or groups.
- Assign roles: You can assign roles to users or groups by using the Azure portal, PowerShell, Azure CLI, or Azure SDKs.
- Review access: You can review the access of a user or group by checking the roles assigned to them, and then verifying the permissions associated with those roles.
- Remove access: You can remove access by removing the roles assigned to a user or group.
- Use built-in roles: Azure also provides built-in roles that you can use to manage access to resources. These roles include Owner, Contributor, Reader, and User Access Administrator, among others.
- Understand scope: Roles can be assigned at the subscription, resource group, or resource level. When a role is assigned at a higher level, it applies to all resources below that level.
By effectively managing RBAC in Azure, you can control access to resources and ensure that users have the appropriate level of access to perform their tasks, while maintaining security and compliance.
Create a Custom Role
In order to complete the process of editing a customer role it is required to hold roles of a Owner or User Access Administrator. We shall now be using an illustration to create a custom role named Reader Support Tickets using Azure PowerShell.
STEPS TO CREATE A CUSTOM ROLE
One of the easiest way to create a custom role is to start with a built-in role, edit it, and then create a new role.
- Step 1 – In PowerShell, use the Get-AzProviderOperation command to get the list of operations for the Microsoft.Support resource provider. Since it is good to know the operations which are available to create the permissions.
- Step 2 – Use the Get-AzRoleDefinition command to output the Reader role in JSON format.
- Step 3 – Open the ReaderSupportRole.json file in an editor.
- Step 4 – Edit the JSON file to add the “Microsoft.Support/*” operation to the Actions property. Be sure to include a comma after the read operation. This action will allow the user to create support tickets.
- Step 5 – Get the ID of the subscription using the Get-AzSubscription command.
- Step 6 – In AssignableScopes, add subscription ID with the following format: “/subscriptions/00000000-0000-0000-0000-000000000000”. We must add explicit subscription IDs, otherwise we won’t be allowed to import the role into the subscription.
- Step 7 – Delete the Id property line and change the IsCustom property to true.
- Step 8 – Change the Name and Description properties to “Reader Support Tickets” and “View everything in the subscription and also open support tickets.”
- Step 9 – To create the new custom role, use the New-AzRoleDefinition command and specify the JSON role definition file.
- Step 10 – The new custom role is now available in the Azure portal and can be assigned to users, groups, or service principals just like built-in roles.
Update a Custom Role
In order to update the custom role, we are required to update the JSON file or use the PSRoleDefinition object. Following are the steps used to update a custom role –
- Step 1 – For updating the JSON file, use the Get-AzRoleDefinition command to output the custom role in JSON format.
- Step 2 – Open the file in an editor.
- Step 3 – In Actions, add the operation to create and manage resource group deployments “Microsoft.Resources/deployments/*”.
- Step 4 – To update the custom role, use the Set-AzRoleDefinition command and specify the updated JSON file.
- Step 5 – To use the PSRoleDefintion object to update your custom role, first use the Get-AzRoleDefinition command to get the role.
- Step 6 – To use the PSRoleDefintion object to update the custom role, first use the Get-AzRoleDefinition command to get the role.
- Step 7 – Use the Set-AzRoleDefinition to update the role.
Delete a Custom Role
- Step 1 – Use the Get-AzRoleDefinition command to get the ID of the custom role.
- Step 2 – Use the Remove-AzRoleDefinition command and specify the role ID to delete the custom role.
- Step 3 – For confirmation, type Y.
Troubleshoot RBAC
What are the issues with RBAC role assignments?
- In case we are unable to add a role assignment in the Azure portal on Access control (IAM) due to the Add > Add role assignment option being disabled or because we get the permissions error – “The client with object id does not have authorization to perform action”, it is suggested to check whether we are currently signed in with a user that is assigned a role that has the Microsoft.Authorization/roleAssignments/write permission such as Owner or User Access Administrator at the scope us trying to assign the role.
- If you get the error message “No more role assignments can be created (code: RoleAssignmentLimitExceeded)” then we can try to assign a role, as well as try to reduce the number of role assignments by assigning roles to groups instead. Azure supports up to 2000 role assignments per subscription.
What are the issue with custom roles?
- In case we are unable to update an existing custom role, it is suggested to check whether we are currently signed in with a user that is assigned a role that has the Microsoft.Authorization/roleDefinition/write permission such as Owner or User Access Administrator.
- In case we are unable to delete a custom role and get the error message “There are existing role assignments referencing role (code: RoleDefinitionHasAssignments)”, then there are role assignments still using the custom role. Remove those role assignments and try to delete the custom role again.
- In case we get the error message “Role definition limit exceeded. No more role definitions can be created (code: RoleDefinitionLimitExceeded)” when we try to create a new custom role, delete any custom roles that are not being used. Azure supports up to 5000 custom roles in a tenant.
- In case we get an error similar to “The client has permission to perform action ‘Microsoft.Authorization/roleDefinitions/write’ on scope ‘/subscriptions/{subscriptionid}’, however the linked subscription was not found” when we try to update a custom role, check whether one or more assignable scopes have been deleted in the tenant. Suppose the scope was deleted, then it is required to create a support ticket as there is no self-service solution available at this time.
Implementing RBAC Policies
The conditional access in Azure Active Directory (Azure AD) is used to control access to cloud apps based on specific conditions that we specify.
In order to allow access, we must create Conditional Access policies which allow or block access based on whether or not the requirements in the policy are met. In general, we use Conditional Access to control access to the cloud apps. We can also set up policies to control access to Azure management based on certain conditions (such as sign-in risk, location, or device) and to enforce requirements like multi-factor authentication.
We have to create a policy for Azure management, then we must select Microsoft Azure Management under Cloud apps when choosing the app to which to apply the policy.
The policy that we create applies to all Azure management endpoints, including –
- Azure portal
- Azure Resource Manager provider
- Classic Service Management APIs
- Azure PowerShell
- Visual Studio subscriptions administrator portal
- Azure DevOps
- Azure Data Factory portal
Assigning Role Based Access Control (RBAC) Roles
We must learn how to create a resource group, following are some of the step used –
- In the navigation list, click Resource groups.
- Click Add to open the Resource group blade.
- r Resource group name, enter rbac-resource-group.
- Select a subscription and a location.
- Click Create to create the resource group.
- Click Refresh to refresh the list of resource groups.The new resource group appears in the resource groups list.
How to grant access?
In RBAC, to grant access, you create a role assignment.
- In the list of Resource groups, click the new rbac-resource-group resource group.
- Click Access control (IAM).
- Click the Role assignments tab to see the current list of role assignments.
- Click Add > Add role assignment to open the Add role assignment pane.
- In the Role drop-down list, select Virtual Machine Contributor.
- In the Select list, select either yourself or another user.
- Click Save to create the role assignment.
How to remove access?
In RBAC, to remove access, we must remove a role assignment.
- In the list of role assignments, add a check mark next to the user with the Virtual Machine Contributor role.
- Click Remove.
- In the remove role assignment message that appears, click Yes
AZ-104 Exam Practice Questions
Question: You want to give a user the ability to view resources in a specific resource group, but not modify or delete them. Which built-in role should you assign to the user?
A. Owner
B. Contributor
C. Reader
D. User Access Administrator
Answer: c. Reader
Explanation: The Reader role allows a user to view resources in a specified scope, but not modify or delete them. This role is useful for users who need to monitor resource activity, but should not be able to make any changes.
Question: You need to create a custom role that allows a user to modify the configuration settings of a virtual machine, but not access any other resources. Which permissions should you include in the custom role?
A. Virtual machine contributor
B. Virtual machine administrator login
C. Resource group contributor
D. None of the above
Answer: a. Virtual machine contributor
Explanation: The Virtual machine contributor permission allows a user to manage the configuration settings of a virtual machine, but not access any other resources. This permission is ideal for users who need to manage specific virtual machines, but should not be able to access any other resources in the subscription or resource group.
Question: You want to restrict access to a resource group so that users can only view resources in the resource group if they are accessing them from a specific IP address range. Which RBAC feature should you use to achieve this?
A. Conditional access
B. Custom roles
C. Resource locks
D. Azure Policy
Answer: a. Conditional access
Explanation: Conditional access is an RBAC feature that allows you to restrict access to resources based on specific conditions, such as IP address range, time of day, or user group membership. By using conditional access, you can ensure that users can only view resources in a resource group if they are accessing them from an approved IP address range.
Question: You want to give a user the ability to manage virtual machines in a specific resource group, but not modify any other resources in the subscription. Which built-in role should you assign to the user?
A. Owner
B. Virtual machine contributor
C. Contributor
D. Reader
Answer: b. Virtual machine contributor
Explanation: The Virtual machine contributor role allows a user to manage virtual machines in a specified scope, but not modify any other resources in the subscription. This role is useful for users who need to manage specific virtual machines, but should not be able to modify or delete any other resources in the subscription.