RBAC - jasper-zanjani/azure GitHub Wiki

Notes

RBAC roles are supported only by Azure Portal and the ARM APIs.

Access is applied to one of four levels of scope:

  • Management groups help organizations to group many subscriptions. However, custom roles may not be applied at this scope.
  • Subscriptions organize access to Azure resources and determine how resource usage is reported, billed, and paid for. Each subscription can have a different billing and payment arrangement, which allows different offices, departments, and projects to manage their own expenses.
  • Resource groups are containers that hold related resources for an Azure solution.
  • Resources

For example, a policy applied to a subscription is said to be at the "subscription scope". Policy can also be applied to Management Groups, which is an additional scope above subscription. In this way, several subscriptions can inherit a single policy through a Management Group.

There is a built-in role named Resource Policy Contributor, which includes access to most Policy operations and should be considered privileged.

RBAC roles can be used to grant rights to 2 types of principals:

  1. User principal: identity associated with a user or group of users.
  2. Service principal: identity associated with an application.

RBAC roles can also be applied to a subscription through Management Groups, which represent the recommended practice for ensuring consistent application of tenant-wide security. Management groups form a hierarchy where each child inherits policy from its single parent while having additional controls. There is a single Management Group at the root of the hierarchy, associated with the Azure AD tenant (which is associated, in turn, with a subscription) that cannot be moved or deleted.

Roles

Azure methods of administering access to resources can be divided into two groups:

  • Classic subscription administrators have full access to a subscription. They can access resources through Azure Portal, ARM APIs (PowerShell and CLI), and classic deployment model APIs. By default, the account that is used to sign up for a subscription is automatically set as both Account Administrator and Service Administrator. There can only be one Account Administrator per account and only one Service Administrator per subscription. Co-Administrators have the same access as Service Administrators, and there can be 200 of them per subscription, but they cannot change the association of subscriptions to directories.
  • Role-Based Access Controls (RBAC): There are more than 70 built-in RBAC roles, allowing fine-grained access management, but 4 of them are foundational:
    • Owner has full access to all resources and can delegate access. Service Administrator and Co-Administrators are assigned this role at the subscription scope.
    • Contributor can create and manage all resources (full read/write privileges), but cannot delegate access.
    • Reader can view resources.
    • User Access Administrator only manages user access to resources.

RBAC is configured by selecting a role and associating it with a security principal, such as a user, group, or service identity. Child resources inherit the roles of their parents (role inheritance).

Components of a role assignment:

  • Security principal: the object that a role definition and a scope are bound to in order to apply RBAC to Azure resources, i.e. a user, group, service principal, or managed identity (an application registration that Azure creates and manages automatically on behalf of an Azure service)
    • User principal: identity associated with a user or group of users.
    • Service principal: identity associated with an application.
  • Role definition: list of permissions which define what actions can or cannot be performed against a resource. In addition to the 4 foundational roles, there are many other built-in roles and custom roles can be defined using a JSON file.
  • Scope: 4 scopes at which RBAC can be applied: Management groups, subscriptions, resource groups, and resources

Role assignments

Current assignments for classic admins can be seen in the Properties blade of a subscription in Azure Portal. Co-Administrator assignments can be added by opening the Access Control (IAM) blade of a subscription, then clicking the Add co-administrator button.

Built-in roles

  • Cloud Device Administrator users have full access to manage devices in Azure AD.
  • Resource Policy Contributor includes access to most Policy operations and should be considered privileged.
  • User Administrator can manage all aspects of users and groups, including resetting passwords for limited admins.
  • User Access Administrator grants the following permissions at the subscription scope, which are necessary to assign a user administrative access at the subscription scope:
    • Microsoft.Authorization/roleAssignments/write
    • Microsoft.Authorization/roleAssignments/delete

Custom roles

Custom roles configure two types of privilege, management and data, which are specified by separate properties of the definition JSON file. Keeping the two apart means that a management-plane permission does not implicitly grant unrestricted access to the data held inside a resource.

The value of each of these properties is an array of strings, each following the format Company.ProviderName/ResourceType/Action, where Action is one of read, write, action, delete, or *.

Privilege     Property that defines allowed permissions     Property that defines denied permissions
Management    Actions                                       NotActions
Data          DataActions                                   NotDataActions

To allow only the permission to read network resources:

"Actions": [
  "Microsoft.Network/*/read"
]

Contributor

{
  "Name": "Contributor",
  "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "IsCustom": false,
  "Description": "Lets you manage everything except access to resources.",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/"
  ]
}
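To make the allow-minus-deny rule and scope inheritance concrete, here is an added Python model (not from this wiki or from Microsoft) that evaluates the Contributor definition above and the read-only network rule against a constructed set of assignments. The wildcard and inheritance semantics are a simplified model of the documented behaviour, and the subscription id is a placeholder.

```python
import re

# Constructed sample role definitions: Contributor is the built-in definition quoted
# above (NotActions abbreviated); NetworkReader is the read-only custom rule from the page.
ROLES = {
    "Contributor": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
        "DataActions": [], "NotDataActions": []},
    "NetworkReader": {
        "Actions": ["Microsoft.Network/*/read"], "NotActions": [],
        "DataActions": [], "NotDataActions": []},
}

def op_matches(pattern: str, operation: str) -> bool:
    """Azure-style wildcard: '*' matches any run of characters; matching is case-insensitive."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def role_allows(role: dict, operation: str, data_plane: bool = False) -> bool:
    """Effective permission = allow list minus deny list, per plane (management or data)."""
    allow, deny = ("DataActions", "NotDataActions") if data_plane else ("Actions", "NotActions")
    if not any(op_matches(p, operation) for p in role[allow]):
        return False
    return not any(op_matches(p, operation) for p in role[deny])

def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and every child scope (role inheritance)."""
    parent = assignment_scope.rstrip("/").lower() + "/"
    return (target_scope.rstrip("/").lower() + "/").startswith(parent)

def is_permitted(assignments, principal: str, operation: str, target_scope: str,
                 data_plane: bool = False) -> bool:
    """True if any of the principal's assignments covers the scope and its role allows the op."""
    return any(scope_covers(scope, target_scope)
               and role_allows(ROLES[role], operation, data_plane)
               for who, role, scope in assignments if who == principal)

# Constructed sample assignments (the subscription id is a placeholder, not a real one).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ASSIGNMENTS = [
    ("cloud-admins", "Contributor", SUB),
    ("alice", "NetworkReader", SUB + "/resourceGroups/ExamRefRG"),
]
```

Note that Contributor, despite "Actions": ["*"], cannot write role assignments because the NotActions entry subtracts it, and that an empty DataActions list leaves a Contributor with no data-plane rights at all.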

Tasks

Create assignment

Assign the Owner role to a user at the subscription scope

  • Resource group scope: navigate to the resource group > Access Control (IAM) > Role Assignments tab > Add > Add Role Assignment
  • Subscription scope: open the Subscription > Access Control (IAM) > Add Role Assignment > select a Role > select the target principal
  1. Access control (IAM) pane > Add > Add role assignment
  2. Select a role in the Role dropdown and a user in the Select field, then Save

Grant a user RBAC rights

New-AzRoleAssignment -SignInName "[email protected]" -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName ExamRefRG
New-AzRoleAssignment -SignInName rbacuser@example.com -RoleDefinitionName "Owner" -Scope "/subscriptions/<subscriptionID>"
az role assignment create --assignee "[email protected]" --role "Virtual Machine Contributor" --resource-group ExamRefRG
az role assignment create --assignee [email protected] --role "Owner" --subscription <subscription_name_or_id>

Delete assignment

Navigate to resource group > Access Control (IAM) > Role Assignments tab > Select one or more security principals > Remove

Remove RBAC assignments from a user

Remove-AzRoleAssignment -SignInName "[email protected]" -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName ExamRefRG
Remove-AzRoleAssignment -SignInName $u -ResourceGroupName $rg -RoleDefinitionName "Virtual Machine Contributor"
az role assignment delete --assignee $u --resource-group $rg --role "Virtual Machine Contributor"

Azure AD group

$g = Get-AzADGroup -SearchString "Cloud Admins"
Remove-AzRoleAssignment -ObjectId $g.Id -ResourceGroupName $rg -RoleDefinitionName "Virtual Machine Contributor"
g=$(az ad group list --query "[?displayName=='Cloud Admins'].objectId" -o tsv)
az role assignment delete --role "Virtual Machine Contributor" --assignee-object-id $g --resource-group $rg

Read role definition

Get-AzRoleDefinition -Name "Virtual Machine Contributor" | ConvertTo-Json
az role definition list -n "Virtual Machine Contributor"

List custom roles available for assignment

Get-AzRoleDefinition | Where-Object { $_.IsCustom -eq $true }
az role definition list --custom-role-only -o table

View all role assignments in a subscription

az role assignment list --all

Create role definition

New-AzRoleDefinition -InputFile "C:\ARM_templates\customrole1.json"

Configure cost center quotas and tagging

Grant a group RBAC rights

$group = Get-AzADGroup -SearchString "Cloud Admins"
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName ExamRefRG

Remove RBAC assignments from a group

$group = Get-AzADGroup -SearchString "Cloud Admins"
Remove-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName ExamRefRG

Elevate permissions

For Azure AD Global Administrators who want to temporarily elevate permissions

  1. Sign into Azure portal as an Azure AD Global Administrator.
  2. Navigate to Azure Active Directory > Properties. At the bottom of the page, under "Access management for Azure resources" click Yes then Save.
  3. Sign out and sign in again.
  4. Assign roles
  5. Revoke elevated access by returning to Azure Active Directory > Properties and selecting No under "Access management for Azure resources".

Sources