Customizing Role Based Access Control in Azure

By | December 13, 2016

One of the things I often find in Azure deployments is the lack of RBAC usage, which is quite easy now in the new portal and integrated quite easily with AzureAD. By default the one that creates the a Azure Subscription has the role of Owner which has full rights to view/manage and can create resources within a subscription. The same user also becomes part of a group called Subscription admins, which will get full access to all Resource Groups by default, because the rights will be inherited from the subscription itself.

image

But we can also define direct access to a resource let’s say we want a speicific individual to be able to only manage certain virtual machines or services within Azure for instance DNS or an AppService for instance we need to define direct access to that resource.

image

So for instance we define a predefined role access to for instance a virtual network.

image

So when I now login with my account which as assigned access to some resources I will only get the resources that I’m assigned to.

image

So now in this case I’ve assigned my user account a pre-defined role called Virtual Machine Contributer, what kind of access does it have? There is a good list here which lists out which kind of rights the different prebuilt roles have –> https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles

Now what if we want to have a custom role which is not part of the pre-builtin roles? Well then we have to leverage PowerShell or REST. The first find is to find out which actions we want the custom role to have.

Get PowerShell up and running first.

Install-Module AzureRM

Login-AzureRMaccount

This command will list out all actions available for the providers in the subscription.

Get-AzureRMProviderOperation “*” | fl Operation |

but let’s say we want to define a custom role who only have access to restart virtual machines for instance, so we only need actions which are against virtual machines. So from the action list here we need

Microsoft.Compute/virtualMachines/read

Microsoft.Compute/virtualMachines/restart/action

image

$role = Get-AzureRmRoleDefinition “Virtual Machine Contributor”
$role.Id = $null
$role.Name = “Reboot Helpdesk Operator”
$role.Description = “Can restart virtual machines.”
$role.Actions.Clear()
$role.Actions.Add(“Microsoft.Compute/virtualMachines/read”)
$role.Actions.Add(“Microsoft.Compute/virtualMachines/restart/action”)
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add(“/subscriptions/subscriptionID”)
New-AzureRmRoleDefinition -Role $role

image

Now after I have added the Custom Role in Azure and go back into the portal for that particular subscription you can see that the role appears. Note that the role will only appear on resources which the role actions might apply to.

NOTE: When adding users to a role I can add a user from within the existing AzureAD which the subscription is linked to or I can add an external user which is not part of the AzureAD, for instance an external consultant who needs access to do some work.

image

image

So for instance if I open up Virtual Networks which reside in the Network resource provider, I will not get the Reboot Helpdesk operator role since it has actions which only target the Microsoft.Compute/virtualMachine provider.

So the end result of the user which logs in to the portal, I can’t connet I can’t shutdown I can only Restart the VM.

image

So using RBAC with custom roles is a good way to define access on a more granular level within an Azure subscription, and should always be used to define access based upon areas of responsibility and least-privilege access.

Leave a Reply

Your email address will not be published. Required fields are marked *