AZ‐500 Microsoft Azure Security Technologies Study Guide_30 - itnett/FTD02H-N GitHub Wiki


🔐 Role-Based Access Control (RBAC) Lab

In this lab, you will practice using Role-Based Access Control (RBAC) to manage access to Azure resources. You will:

  • ✅ Create Azure users and groups.
  • ✅ Assign roles to groups using RBAC.
  • ✅ Verify the assignments.

This lab provides you with essential hands-on experience for mastering RBAC, a key concept in the AZ-500 certification exam.


🧑‍🏫 Lab Scenario

Your organization has requested a proof of concept demonstrating how to create users and groups in Azure, and how to use Role-Based Access Control (RBAC) to manage access by assigning roles to these groups. Specifically, you will:

  • Create a System Admins group containing the user account of Alex Johnson.
  • Create a Support Engineers group containing the user account of Mia Patel.
  • Create a Help Desk group containing the user account of Ethan Lee.
  • Assign the Virtual Machine Contributor role to the Help Desk group.

All resources will be deployed in the East US region.


🎯 Lab Objectives

You will complete the following exercises:

  1. Exercise 1: Create the System Admins group with the user Alex Johnson as its member (using the Azure Portal).
  2. Exercise 2: Create the Support Engineers group with the user Mia Patel as its member (using PowerShell).
  3. Exercise 3: Create the Help Desk group with the user Ethan Lee as its member (using Azure CLI).
  4. Exercise 4: Assign the Virtual Machine Contributor role to the Help Desk group.

📝 Exercise 1: Create the System Admins Group (Azure Portal)

Task 1: Create a user account for Alex Johnson

  1. 🔑 Log in to the Azure Portal.
  2. In the Search bar, type Microsoft Entra ID and press Enter.
  3. On the Microsoft Entra ID page, go to Users, then click + New user.
  4. Fill in the following details for the new user:
    • User name: Alex
    • Name: Alex Johnson
    • Auto-generate password: Enabled
    • Ensure Show password is selected, and note down the password.
  5. Click Create.
  6. Verify that Alex Johnson's account was successfully created by refreshing the Users page.

Task 2: Create the System Admins group and add Alex Johnson

  1. Navigate back to the Microsoft Entra ID page.
  2. Select Groups from the left-hand menu and click + New group.
  3. Fill in the group details:
    • Group type: Security
    • Group name: System Admins
    • Membership type: Assigned
  4. Add Alex Johnson as a member of the group:
    • Click No members selected, search for Alex Johnson, and click Select.
  5. Click Create to finalize the group.

📝 Exercise 2: Create the Support Engineers Group (PowerShell)

Task 1: Create a user account for Mia Patel

  1. Open Cloud Shell in the Azure portal, ensuring PowerShell is selected. The AzureAD module used below is deprecated in favour of the Microsoft Graph PowerShell SDK, so confirm it is still available in your Cloud Shell image before you start.

  2. Connect to Microsoft Entra ID (formerly Azure AD). Do this first: running an AzureAD cmdlet is what loads the module, and the PasswordProfile type used in the next step does not exist in the session until the module is loaded:

    Connect-AzureAD
    
  3. Create a password profile object for Mia Patel by running the following command:

    $passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    
  4. Set the password in the profile. A fixed value is used here only because this is a lab: a literal password typed into a shell is kept in the session history, and this particular value is weak and widely known. Outside a throw-away lab tenant, generate the password instead:

    $passwordProfile.Password = "P@ssw0rd123!"
    
  5. Create a user account for Mia Patel. Replace yourdomain.com with a domain that is verified in your tenant (the tenant's default *.onmicrosoft.com domain always works):

    New-AzureADUser -DisplayName "Mia Patel" -PasswordProfile $passwordProfile -UserPrincipalName "[email protected]" -AccountEnabled $true -MailNickName "Mia"
    
  6. Verify the user account has been created by listing the users in your domain:

    Get-AzureADUser -All $true | Where-Object {$_.UserPrincipalName -like "*@yourdomain.com*"}
    

Task 2: Create the Support Engineers group and add Mia Patel

  1. In the same PowerShell session, create a new security group for Support Engineers:

    New-AzureADGroup -DisplayName "Support Engineers" -MailEnabled $false -SecurityEnabled $true -MailNickName SupportEngineers
    
  2. Add Mia Patel to the group:

    $user = Get-AzureADUser -Filter "UserPrincipalName eq '[email protected]'"
    Add-AzureADGroupMember -ObjectId (Get-AzureADGroup -Filter "DisplayName eq 'Support Engineers'").ObjectId -RefObjectId $user.ObjectId
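The same two tasks done with the Microsoft Graph PowerShell SDK, which replaces the deprecated AzureAD module. This is an added example and not part of the original lab. It assumes PowerShell 7 (what Cloud Shell runs), that the Microsoft.Graph module is installed (it is preinstalled in Cloud Shell), and that your account can create users and groups. The New-LabPassword helper and the use of the tenant's default domain for the UPN are this example's own choices; the user is forced to change the generated password at first sign-in.

```powershell
# Added example: Exercise 2 with the Microsoft Graph PowerShell SDK instead of the
# deprecated AzureAD module. Requires PowerShell 7 (Cloud Shell) and Microsoft.Graph.

# Generate a random password that satisfies Entra ID complexity (upper, lower,
# digit, symbol) using a CSPRNG. New-LabPassword is this example's own helper.
function New-LabPassword {
    param([int]$Length = 20)
    $sets = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',   # ambiguous I and O left out
        [char[]]'abcdefghijkmnopqrstuvwxyz',  # ambiguous l left out
        [char[]]'23456789',
        [char[]]'!@#$%^&*-_=+'
    )
    $rng = [System.Security.Cryptography.RandomNumberGenerator]
    # one character from each set guarantees every category is present ...
    $chars = foreach ($set in $sets) { $set[$rng::GetInt32($set.Length)] }
    # ... then the remaining positions come from all sets combined
    $all = $sets | ForEach-Object { $_ }
    for ($i = $sets.Count; $i -lt $Length; $i++) {
        $chars += $all[$rng::GetInt32($all.Length)]
    }
    # shuffle so the guaranteed characters are not always at the front
    -join ($chars | Sort-Object { $rng::GetInt32([int]::MaxValue) })
}

# User/Group scopes to create objects, Domain.Read.All to look up the default domain
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "Domain.Read.All"

# Use the tenant's default (*.onmicrosoft.com) domain so the UPN is always valid
$domain   = (Get-MgDomain | Where-Object { $_.IsDefault }).Id
$password = New-LabPassword

$user = New-MgUser -DisplayName "Mia Patel" -MailNickname "Mia" `
    -UserPrincipalName "Mia@$domain" -AccountEnabled `
    -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $true }

$group = New-MgGroup -DisplayName "Support Engineers" -MailNickname "SupportEngineers" `
    -MailEnabled:$false -SecurityEnabled

New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# Verify membership by UPN (members are returned as generic directory objects,
# so the UPN sits in AdditionalProperties)
Get-MgGroupMember -GroupId $group.Id |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }

# Show the one-time password once so it can be handed over out of band
Write-Host "Created $($user.UserPrincipalName); initial password (change forced at first sign-in): $password"
```

Because the password is generated in the session rather than typed, it never appears in the command history; the only place it is shown is the final Write-Host, so clear the Cloud Shell output once the user has received it.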
    

📝 Exercise 3: Create the Help Desk Group (Azure CLI)

Task 1: Create a user account for Ethan Lee

  1. Open Cloud Shell in the Azure portal, this time selecting Bash.

  2. Run the following command to create a user for Ethan Lee. Replace yourdomain.com with a domain verified in your tenant; as in Exercise 2, the fixed password is for the lab only and will be kept in the shell history:

    az ad user create --display-name "Ethan Lee" --password "P@ssw0rd123!" --user-principal-name "[email protected]"
    
  3. Verify the user creation:

    az ad user list --output table
    

Task 2: Create the Help Desk group and add Ethan Lee

  1. Create the Help Desk group:

    az ad group create --display-name "Help Desk" --mail-nickname "HelpDesk"
    
  2. Add Ethan Lee to the group. Since Azure CLI moved from Azure AD Graph to Microsoft Graph (version 2.37), the object identifier is returned as id rather than objectId, so query that property; querying objectId yields an empty value and the second command fails:

    USER_ID=$(az ad user show --id "[email protected]" --query id -o tsv)
    az ad group member add --group "Help Desk" --member-id "$USER_ID"
    

📝 Exercise 4: Assign Virtual Machine Contributor Role to Help Desk Group

Task 1: Create a resource group

  1. In the Azure Portal, type Resource groups in the search bar and click + Create.
  2. Fill in the details:
    • Resource group name: AzureLabRG
    • Region: East US
  3. Click Review + Create, and then Create.

Task 2: Assign the role

  1. Go to the Resource groups page and select AzureLabRG.
  2. In the left-hand menu, click Access Control (IAM), then click + Add > Add role assignment.
  3. On the Role tab, select the Virtual Machine Contributor role and click Next.
  4. On the Members tab, under Assign access to, choose User, group, or service principal.
  5. Click + Select members, search for Help Desk, select it and click Select, then click Review + assign (twice, the second time on the review page).
  6. Verify the assignment: on the Role assignments tab of Access Control (IAM), Help Desk should be listed under Virtual Machine Contributor with the scope shown as this resource (the resource group), and it should not appear with a scope of Subscription (Inherited).

Note what this grants. Because the assignment is made on AzureLabRG, it applies to that resource group and every resource inside it, not to the whole subscription. Within that scope, however, Virtual Machine Contributor is not a low-privilege role: it includes Microsoft.Compute/virtualMachines/*, which covers installing VM extensions and Run Command, so members can execute code as root or SYSTEM inside any VM in the group. If Help Desk only needs to start, stop and restart machines, a custom role limited to those actions is the least-privilege choice.
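The same assignment made from Az PowerShell, followed by the checks a reviewer would want: what applies at the resource group, whether the group holds anything at a wider scope, and what the built-in role actually permits. This is an added example, not part of the original lab. It assumes the Az module (preinstalled in Cloud Shell) and a session that holds Owner or User Access Administrator on the subscription; the variable names are this example's own.

```powershell
# Added example: Exercise 4 from PowerShell, with verification. Assumes the Az
# module and a session with Owner or User Access Administrator on the subscription.

$rgName = "AzureLabRG"
$group  = Get-AzADGroup -DisplayName "Help Desk"

# Assign at resource-group scope only: -ResourceGroupName pins the scope
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName "Virtual Machine Contributor" `
    -ResourceGroupName $rgName | Out-Null

# 1. Verify: every assignment that applies to the resource group, inherited ones included
Get-AzRoleAssignment -ResourceGroupName $rgName |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# 2. Least-privilege check: warn if Help Desk holds a role at a scope that contains
#    the resource group (subscription, or a management group above it)
$rgScope = (Get-AzResourceGroup -Name $rgName).ResourceId
Get-AzRoleAssignment -ObjectId $group.Id |
    Where-Object {
        $_.Scope -ne $rgScope -and
        ($rgScope.StartsWith($_.Scope, 'OrdinalIgnoreCase') -or
         $_.Scope -like '/providers/Microsoft.Management/managementGroups/*')
    } |
    ForEach-Object {
        Write-Warning "Help Desk holds '$($_.RoleDefinitionName)' at wider scope: $($_.Scope)"
    }

# 3. What the role really permits. The wildcard Microsoft.Compute/virtualMachines/*
#    covers extensions and runCommand, i.e. code execution inside every VM in scope.
$def = Get-AzRoleDefinition -Name "Virtual Machine Contributor"
"Actions:";     $def.Actions
"NotActions:";  $def.NotActions
"DataActions:"; $def.DataActions
```

Step 2 is the check that catches the common mistake of clicking Add role assignment at subscription level instead of on the resource group: an inherited assignment does not show up as "wrong" in the portal, but it silently widens Help Desk's reach to every VM in the subscription.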

🧹 Clean-Up: Removing Resources

To avoid unnecessary costs, remove the Azure resources you created. Deleting the resource group also deletes the role assignment scoped to it, but it does not touch Microsoft Entra ID: the three users and three groups remain, and test accounts with a known initial password should not be left behind in a tenant once the lab is over.

  1. Open the Cloud Shell with PowerShell selected (Remove-AzResourceGroup is an Az PowerShell cmdlet).

  2. Run the following to remove the resource group (-AsJob returns immediately and performs the deletion in the background):

    Remove-AzResourceGroup -Name "AzureLabRG" -Force -AsJob
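A complete clean-up that also removes the role assignment and the Entra ID objects the lab created. This is an added example, not part of the original lab. It assumes the Az and Microsoft.Graph modules (both preinstalled in Cloud Shell) and a session allowed to delete users and groups; the names match the ones used in the exercises.

```powershell
# Added example: remove everything the lab created, including the Entra ID objects
# that deleting the resource group leaves behind. Assumes Az and Microsoft.Graph.

$rgName = "AzureLabRG"

# Assignments scoped to the resource group vanish with it, but removing them
# explicitly first makes this script safe to re-run and keeps the audit trail clear
$group = Get-AzADGroup -DisplayName "Help Desk"
if ($group) {
    Get-AzRoleAssignment -ObjectId $group.Id |
        Where-Object { $_.Scope -like "*/resourceGroups/$rgName" } |
        Remove-AzRoleAssignment
}
Remove-AzResourceGroup -Name $rgName -Force

# Now the directory objects: lab accounts with a known initial password are a
# standing risk if they outlive the lab
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All"
foreach ($name in "System Admins", "Support Engineers", "Help Desk") {
    Get-MgGroup -Filter "displayName eq '$name'" |
        ForEach-Object { Remove-MgGroup -GroupId $_.Id }
}
foreach ($name in "Alex Johnson", "Mia Patel", "Ethan Lee") {
    Get-MgUser -Filter "displayName eq '$name'" |
        ForEach-Object { Remove-MgUser -UserId $_.Id }
}

# Verify: both lookups should return nothing
Get-MgGroup -Filter "displayName eq 'Help Desk'"
Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue
```

Deleted Entra ID users are soft-deleted and recoverable for 30 days; if the tenant is shared, also purge them from deleted items so the accounts cannot be restored by someone else.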
    

🎉 Congratulations!

You have successfully completed the lab. You now know how to create users and groups in Azure, assign roles using Role-Based Access Control, and verify permissions.

