This is the next section from AZ-500 study guide, now I’m concentrating on the following topics:
- Configure Azure role permissions for management groups, subscriptions, resource groups, and resources
- Interpret role and resource permissions
- Assign built-in Azure AD roles
- Create and assign custom roles, including Azure roles and Azure AD roles
I opened a little bit in the previous section what are Custom roles and templates.
But, as the old Finnish saying goes, repetition is the mother of learning (the literal translation is something like "Repeating is the mother of education"). Sounds funny when translated, but so true.
Table of Contents
What are Azure roles?
- Classic subscription administrator roles
- Azure roles
- Azure Active Directory (Azure AD) roles
How roles are related
Here is a comprehensive list of Azure built-in roles.
RBAC limitations
| Resource | Limit |
|---|---|
| Azure role assignments per Azure subscription (the role assignments limit for a subscription is currently being increased; for more information, see Troubleshoot Azure RBAC) | 2,000 |
| Azure role assignments per management group | 500 |
| Size of description for Azure role assignments | 2 KB |
| Size of condition for Azure role assignments | 8 KB |
| Azure custom roles per tenant | 5,000 |
| Azure custom roles per tenant (for Azure Germany and Azure China 21Vianet) | 2,000 |
Different role types
Classic admins
Microsoft recommends that you manage access to Azure resources using Azure role-based access control (Azure RBAC). However, if you are still using the classic deployment model, you’ll need to use a classic subscription administrator role: Service Administrator and Co-Administrator.
RBAC (Azure roles)
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources, such as compute and storage. Azure RBAC includes over 70 built-in roles. There are four fundamental Azure roles. The first three apply to all resource types:
| Azure role | Permissions | Notes |
|---|---|---|
| Owner | Full access to all resources; delegate access to others | The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope. Applies to all resource types. |
| Contributor | Create and manage all types of Azure resources; create a new tenant in Azure Active Directory; cannot grant access to others | Applies to all resource types. |
| Reader | View Azure resources | Applies to all resource types. |
| User Access Administrator | Manage user access to Azure resources | |
Azure AD roles
Azure AD roles are used to manage Azure AD resources in a directory such as create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and manage domains. The following table describes a few of the more important Azure AD roles.
| Azure AD role | Permissions | Notes |
|---|---|---|
| Global Administrator | Manage access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory; assign administrator roles to others; reset the password for any user and all other administrators | The person who signs up for the Azure Active Directory tenant becomes a Global Administrator. |
| User Administrator | Create and manage all aspects of users and groups; manage support tickets; monitor service health; change passwords for users, Helpdesk administrators, and other User Administrators | |
| Billing Administrator | Make purchases; manage subscriptions; manage support tickets; monitor service health | |
Differences between Azure roles and Azure AD roles
At a high level, Azure roles control permissions to manage Azure resources, while Azure AD roles control permissions to manage Azure Active Directory resources. The following table compares some of the differences.
| Azure roles | Azure AD roles |
|---|---|
| Manage access to Azure resources | Manage access to Azure Active Directory resources |
| Supports custom roles | Supports custom roles |
| Scope can be specified at multiple levels (management group, subscription, resource group, resource) | Scope can be specified at the tenant level (organization-wide), administrative unit, or on an individual object (for example, a specific application) |
| Role information can be accessed in Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API | Role information can be accessed in Azure admin portal, Microsoft 365 admin center, Microsoft Graph, AzureAD PowerShell |
By default, Azure roles and Azure AD roles do not span Azure and Azure AD. However, if a Global Administrator elevates their access by choosing the Access management for Azure resources switch in the Azure portal, the Global Administrator will be granted the User Access Administrator role (an Azure role) on all subscriptions for a particular tenant. The User Access Administrator role enables the user to grant other users access to Azure resources. This switch can be helpful to regain access to a subscription.
Classic admin roles
Where can we find the classic admin roles? They reside in several places, for example under the subscription's Access control (IAM) blade.
For example, Co-Administrator is a classic admin role.
Add a guest user as a Co-Administrator
To add a guest user as a Co-Administrator, follow the same steps as in the previous Add a Co-Administrator section. The guest user must meet the following criteria:
- The guest user must have a presence in your directory. This means that the user was invited to your directory and accepted the invite.
RBAC (Azure roles)
Built-in roles are created by Microsoft and can't be changed; using built-in roles in Azure AD is free.
RBAC uses Azure Resource Manager to deploy the roles.
Terminology for Azure Resource Manager
- resource – A manageable item that is available through Azure. Virtual machines, storage accounts, web apps, databases, and virtual networks are examples of resources. Resource groups, subscriptions, management groups, and tags are also examples of resources.
- resource group – A container that holds related resources for an Azure solution. The resource group includes those resources that you want to manage as a group. You decide which resources belong in a resource group based on what makes the most sense for your organization. See Resource groups.
- resource provider – A service that supplies Azure resources. For example, a common resource provider is Microsoft.Compute, which supplies the virtual machine resource. Microsoft.Storage is another common resource provider. See Resource providers and types.
- Resource Manager template – A JavaScript Object Notation (JSON) file that defines one or more resources to deploy to a resource group, subscription, management group, or tenant. The template can be used to deploy the resources consistently and repeatedly. See Template deployment overview.
- declarative syntax – Syntax that lets you state “Here is what I intend to create” without having to write the sequence of programming commands to create it. The Resource Manager template is an example of declarative syntax. In the file, you define the properties for the infrastructure to deploy to Azure. See Template deployment overview.
Scope levels
You can find Management Groups from the search bar by typing "Management".
There you will see your management group, which has all the subscriptions linked to it.
Creating new Management groups
By default all security principals can create new management groups, but under Settings you can require write permissions for creating them.
Managing the group
Click on top of the group.
From here you can see the subscriptions and resource groups, and manage access.
If you open IAM, you can add role assignments to users or managed identities.
Once the roles are added, you can see inside a resource group that they are inherited from the parent.
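The inheritance just described, together with the Actions/NotActions semantics from the Azure roles table earlier in this section, can be checked offline with a small evaluator. The one below is an added example, not code from this guide or from Microsoft: the management group, subscription ID, resource group, principals and the abbreviated Reader/Contributor definitions are all constructed, and a real tenant has more than one management group level and deny assignments on top of this.

```python
"""Effective Azure RBAC permission check across the scope hierarchy.

Added example, not code from the study guide or from Microsoft. It models the
rules this section describes: a role's effective permissions are its Actions
minus its NotActions, operation names match with '*' wildcards, and a role
assignment made at a parent scope (management group, subscription or resource
group) is inherited by every child scope. The tenant layout, the principals
and the subscription ID are constructed; the built-in roles are abbreviated.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

MG_PREFIX = "/providers/microsoft.management/managementgroups/"

# Constructed hierarchy: subscription -> parent management group, and
# management group -> parent management group (None = directly under the root).
SUB_PARENT_MG: Dict[str, str] = {
    "/subscriptions/00000000-0000-0000-0000-000000000001": MG_PREFIX + "prod-mg",
}
MG_PARENT_MG: Dict[str, Optional[str]] = {MG_PREFIX + "prod-mg": None}


def _norm(scope: str) -> str:
    """Scopes compare case-insensitively and without a trailing slash."""
    scope = scope.lower()
    return scope if scope == "/" else scope.rstrip("/")


@dataclass
class RoleDefinition:
    name: str
    actions: List[str]
    not_actions: List[str] = field(default_factory=list)

    def permits(self, operation: str) -> bool:
        """Actions minus NotActions, '*' matching any characters including '/'.
        NotActions only narrow this role; they never deny what another role grants."""
        op = operation.lower()
        granted = any(fnmatchcase(op, a.lower()) for a in self.actions)
        excluded = any(fnmatchcase(op, n.lower()) for n in self.not_actions)
        return granted and not excluded


@dataclass
class RoleAssignment:
    principal: str
    role: str
    scope: str


def scope_chain(scope: str) -> List[str]:
    """The scope plus every ancestor, most specific first, ending at the root '/'."""
    scope = _norm(scope)
    parts = scope.split("/")  # ['', 'subscriptions', '<id>', 'resourcegroups', '<rg>', ...]
    chain: List[str] = []
    mg: Optional[str] = None
    if len(parts) >= 3 and parts[1] == "subscriptions":
        sub = "/".join(parts[:3])
        if len(parts) >= 5 and parts[3] == "resourcegroups":
            if len(parts) > 5:
                chain.append(scope)                # an individual resource
            chain.append("/".join(parts[:5]))      # its resource group
        chain.append(sub)
        mg = SUB_PARENT_MG.get(sub)
    elif scope.startswith(MG_PREFIX):
        mg = scope
    while mg:                                      # climb the management group tree
        chain.append(mg)
        mg = MG_PARENT_MG.get(mg)
    chain.append("/")
    return chain


def granting_assignment(principal, operation, scope, roles, assignments) -> Optional[RoleAssignment]:
    """First assignment that lets `principal` perform `operation` at `scope`, else None."""
    ancestors = scope_chain(scope)
    for ra in assignments:
        if ra.principal != principal or _norm(ra.scope) not in ancestors:
            continue
        if roles[ra.role].permits(operation):
            return ra
    return None


def is_allowed(principal, operation, scope, roles, assignments) -> bool:
    return granting_assignment(principal, operation, scope, roles, assignments) is not None


# Abbreviated built-in roles (the real Contributor lists a few more NotActions).
ROLES = {
    "Reader": RoleDefinition("Reader", actions=["*/read"]),
    "Contributor": RoleDefinition("Contributor", actions=["*"], not_actions=[
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ]),
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_API = SUB + "/resourceGroups/rg-api"
APIM = RG_API + "/providers/Microsoft.ApiManagement/service/contoso-apim"
OTHER_APIM = SUB + "/resourceGroups/rg-other/providers/Microsoft.ApiManagement/service/other-apim"

ASSIGNMENTS = [
    RoleAssignment("alice", "Reader", MG_PREFIX + "prod-mg"),  # inherited by everything below
    RoleAssignment("bob", "Contributor", RG_API),
]

if __name__ == "__main__":
    for who, op, target in [
        ("alice", "Microsoft.ApiManagement/service/read", APIM),
        ("alice", "Microsoft.ApiManagement/service/write", APIM),
        ("bob", "Microsoft.ApiManagement/service/write", APIM),
        ("bob", "Microsoft.Authorization/roleAssignments/write", RG_API),
        ("bob", "Microsoft.ApiManagement/service/read", OTHER_APIM),
    ]:
        ra = granting_assignment(who, op, target, ROLES, ASSIGNMENTS)
        print(f"{who:5} {op:50} -> {'ALLOW via ' + ra.role + ' at ' + ra.scope if ra else 'DENY'}")
```

Running it shows alice reading the API Management service through the Reader assignment made three levels up at the management group, and bob, a Contributor on the resource group, being unable to write role assignments there because Contributor's NotActions subtract Microsoft.Authorization writes, which is exactly the "cannot grant access to others" note in the roles table.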
Azure AD roles
Administrative roles are used for granting access for privileged actions in Azure AD. We recommend using these built-in roles for delegating access to manage broad application configuration permissions without granting access to manage other parts of Azure AD not related to application configuration.
There are currently 77 different predefined Azure AD roles.
Prerequisites
- Privileged Role Administrator or Global Administrator
- Azure AD Premium P2 license when using Privileged Identity Management (PIM)
- AzureADPreview module when using PowerShell
- Admin consent when using Graph explorer for Microsoft Graph API
How to assign to users?
I will use the Application Developer role in my example.
How to assign to a group?
How role assignments to groups work
To assign a role to a group, you must create a new security or Microsoft 365 group with the isAssignableToRole property set to true. In the Azure portal, you set the "Azure AD roles can be assigned to the group" option to Yes. Either way, you can then assign one or more Azure AD roles to the group in the same way as you assign roles to users.
Assigning to a group
When you create a group you can enable Azure AD role assignment.
But once you switch this setting to "Yes" to use this group for assigning roles, the group's eligibility for role assignment is permanent. You cannot change it back.
When you create a new group you have the Dynamic user membership type available, but when you change it to an Azure AD role-enabled group, you lose this possibility. Azure AD role-enabled groups always use Assigned membership.
If you create a security group without Azure AD roles enabled, you cannot enable them afterwards.
Therefore you cannot add such groups in the Azure AD role assignment, only the one we enabled it for.
Custom roles
Custom roles are created and managed by your organization. The prerequisites are:
- Azure AD Premium P1 or P2 license
- Privileged Role Administrator or Global Administrator
- AzureADPreview module when using PowerShell
- Admin consent when using Graph explorer for Microsoft Graph API
Creating custom role
First we need to create a JSON file, and for this what would be a better tool than Visual Studio Code for the Web?
Figuring out which resource providers to use.
Microsoft has an excellent resource for browsing through the different resources, called Resource Explorer.
Let's find the Microsoft.ApiManagement provider.
Enabling resource providers
You can check which resource providers have been registered from the GUI and register them there.
Or with the shell:
```powershell
# AzureRM module cmdlet; the Az module equivalent is Get-AzResourceProvider
Get-AzureRmResourceProvider -ListAvailable | Select-Object ProviderNamespace, RegistrationState
```
And register a provider:
```powershell
# Az module equivalent: Register-AzResourceProvider
Register-AzureRmResourceProvider -ProviderNamespace microsoft.aad
```
Creating JSON
First we need to find the ID of the subscription you are currently logged in to:
```bash
az account show --query id --output tsv
```
Or all the subscriptions you have:
```bash
az account list --output table
```
And then we construct the JSON file.
```json
{
  "Name": "API Management Reader role",
  "IsCustom": true,
  "Description": "Can check API Name Availability.",
  "Actions": [
    "Microsoft.ApiManagement/checkNameAvailability/read/*",
    "Microsoft.ApiManagement/service/read/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<your subscription ID>"
  ]
}
```
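Before uploading, it is worth catching mistakes in the file locally: `az role definition create` rejects a malformed AssignableScopes entry (the placeholder left in the file counts), and a NotActions entry that no Actions entry covers silently does nothing. The checker below is an added example, not code from this guide or from Microsoft; `EXAMPLE_ROLE_JSON` is a constructed copy of the file above with the placeholder still in it, and the subscription GUID used to fix it is made up.

```python
"""Sanity-check an Azure custom role definition before `az role definition create`.

Added example, not code from the study guide or from Microsoft. It parses the
kind of JSON file built in this section and reports the mistakes that make the
create call fail or leave the role doing less than intended: missing keys,
IsCustom not set, malformed operation strings, AssignableScopes entries that
are not subscription, resource group or management group IDs, and NotActions
entries that no Actions entry covers.
"""
import json
import re
from fnmatch import fnmatchcase
from typing import Dict, List

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
SCOPE_PATTERNS = [
    re.compile(rf"^/subscriptions/{GUID}$", re.IGNORECASE),
    re.compile(rf"^/subscriptions/{GUID}/resourceGroups/[^/]+$", re.IGNORECASE),
    re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.IGNORECASE),
]
# Operation strings are '/'-separated segments such as
# Microsoft.ApiManagement/service/read; '*' is the only wildcard.
ACTION_RE = re.compile(r"^[A-Za-z0-9.*_-]+(/[A-Za-z0-9.*_-]+)*$")
OPERATION_KEYS = ("Actions", "NotActions", "DataActions", "NotDataActions")

# Constructed copy of the role file this section builds, placeholder included.
EXAMPLE_ROLE_JSON = """{
  "Name": "API Management Reader role",
  "IsCustom": true,
  "Description": "Can check API Name Availability.",
  "Actions": [
    "Microsoft.ApiManagement/checkNameAvailability/read/*",
    "Microsoft.ApiManagement/service/read/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<your subscription ID>"
  ]
}"""


def example_role() -> Dict:
    return json.loads(EXAMPLE_ROLE_JSON)


def validate_role(definition: Dict) -> List[str]:
    """Return a list of problems; an empty list means the definition looks sound."""
    problems: List[str] = []
    for key in ("Name", "Actions", "AssignableScopes"):
        if key not in definition:
            problems.append(f"missing required key {key}")
    if problems:
        return problems
    if definition.get("IsCustom") is not True:
        problems.append("IsCustom must be true for a custom role")
    for key in OPERATION_KEYS:
        ops = definition.get(key, [])
        if not isinstance(ops, list):
            problems.append(f"{key} must be a list of operation strings")
            continue
        for op in ops:
            if not isinstance(op, str) or not ACTION_RE.match(op):
                problems.append(f"{key}: malformed operation string {op!r}")
    scopes = definition["AssignableScopes"]
    if not scopes:
        problems.append("AssignableScopes must contain at least one scope")
    for scope in scopes:
        if not isinstance(scope, str) or not any(p.match(scope) for p in SCOPE_PATTERNS):
            problems.append(f"AssignableScopes: {scope!r} is not a subscription, "
                            "resource group or management group ID")
    # A NotActions entry that no Actions pattern covers subtracts nothing
    # (approximation: a wildcard inside the NotActions entry is compared literally).
    actions = [a for a in definition["Actions"] if isinstance(a, str)]
    for op in definition.get("NotActions", []):
        if isinstance(op, str) and not any(fnmatchcase(op.lower(), a.lower()) for a in actions):
            problems.append(f"NotActions: {op!r} is not covered by any Actions entry, so it has no effect")
    return problems


def with_subscription(definition: Dict, subscription_id: str) -> Dict:
    """Copy of the definition whose AssignableScopes is just the given subscription."""
    fixed = dict(definition)
    fixed["AssignableScopes"] = [f"/subscriptions/{subscription_id}"]
    return fixed


def check_file(path: str) -> List[str]:
    """Validate a role definition stored on disk, e.g. ApiReaderRole.json."""
    with open(path, encoding="utf-8") as fh:
        return validate_role(json.load(fh))


if __name__ == "__main__":
    role = example_role()
    print(validate_role(role))                      # flags the placeholder scope
    print(validate_role(with_subscription(role, "00000000-0000-0000-0000-000000000001")))
```

Run `check_file("ApiReaderRole.json")` against the file you are about to upload; an empty list means the scopes and operation strings are at least well-formed, which is the part the CLI error messages are least helpful about.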
Uploading JSON
Open the Upload / Download files menu from the shell.
And upload your JSON file.
And the file is there.
Creating a role based on JSON
Create the new custom role with the following:
```bash
az role definition create --role-definition "ApiReaderRole.json"
```
And you will see the output of the command.
Querying the custom role
With the following command you can find your custom role and display only the roleName and roleType columns:
```bash
az role definition list --custom-role-only true --output json --query '[].{roleName:roleName, roleType:roleType}'
```
Or find the custom role with the GUI by filtering the list to show only custom roles.
Adding a role assignment
You can now assign the created custom role to identities.
You can choose users or managed identities.
You can also create a custom role from the GUI by cloning an existing role, creating one from scratch, or starting from JSON.
With cloning you can select any existing role and copy it into a custom role.
You can add or exclude permissions.
And add assignable scopes. Management group scope is still in preview, so it won't be coming to the test, but it's a nice feature.
And when you have selected what you want, you get a freshly created JSON. How cool is that!
Things to remember
Different role types:
- Classic subscription administrator roles
- Azure roles
- Azure Active Directory (Azure AD) roles
And their licensing:
Custom roles
- Azure AD Premium P1 or P2 license
- Privileged Role Administrator or Global Administrator
- AzureADPreview module when using PowerShell
- Admin consent when using Graph explorer for Microsoft Graph API
Azure roles
- Free built-in roles, managed by Microsoft.
- You can copy them to make custom roles, but you cannot edit them without copying.
Azure Active Directory (Azure AD) roles
- Privileged Role Administrator or Global Administrator
- Azure AD Premium P2 license when using Privileged Identity Management (PIM)
- AzureADPreview module when using PowerShell
- Admin consent when using Graph explorer for Microsoft Graph API
RBAC limitations
| Resource | Limit |
|---|---|
| Azure role assignments per Azure subscription (the role assignments limit for a subscription is currently being increased; for more information, see Troubleshoot Azure RBAC) | 2,000 |
| Azure role assignments per management group | 500 |
| Size of description for Azure role assignments | 2 KB |
| Size of condition for Azure role assignments | 8 KB |
| Azure custom roles per tenant | 5,000 |
| Azure custom roles per tenant (for Azure Germany and Azure China 21Vianet) | 2,000 |
And that’s it for Manage access control, phuuh. Keep on going and learning!