One of the things I often find in Azure deployments is the lack of RBAC usage, which is quite easy to set up now in the new portal and integrates easily with Azure AD. By default the account that creates an Azure subscription gets the role of Owner, which has full rights to view and manage the subscription and to create resources within it. The same user also becomes part of a group called Subscription admins, which gets full access to all resource groups by default, because the rights are inherited from the subscription itself.
But we can also define direct access to a single resource. Let's say we want a specific individual to be able to manage only certain virtual machines or services within Azure, for instance DNS or an App Service; then we need to define direct access to that resource.
So for instance we assign a predefined role on a specific resource, such as a virtual network.
So when I now log in with my account, which has been assigned access to some resources, I will only see the resources that I'm assigned to.
So now in this case I've assigned my user account a pre-defined role called Virtual Machine Contributor. What kind of access does it have? There is a good list here which shows which rights the different prebuilt roles have: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles
Now what if we want a custom role which is not among the built-in roles? Then we have to use PowerShell or REST. The first step is to find out which actions we want the custom role to have.
Get PowerShell up and running first.
Install-Module AzureRM
Login-AzureRmAccount
This command will list all actions available for the providers in the subscription (the trailing pipe is easy to leave in by accident and makes PowerShell prompt for more input, so make sure the line ends after Operation).
Get-AzureRmProviderOperation "*" | Format-List Operation
But let's say we want to define a custom role that only has access to restart virtual machines; then we only need actions against virtual machines. So from the action list we need:
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/restart/action
# Start from a built-in role as a template, then strip it down to the two actions we want
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null                                   # a null Id makes New-AzureRmRoleDefinition create a new role instead of reusing the template's
$role.Name = "Reboot Helpdesk Operator"
$role.Description = "Can restart virtual machines."
$role.Actions.Clear()                              # drop every action inherited from Virtual Machine Contributor
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/subscriptionID")   # replace subscriptionID with your own subscription GUID
New-AzureRmRoleDefinition -Role $role
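The same procedure end to end, as an added example that is not from the original post: it checks that the two operations actually exist in the Microsoft.Compute operation list before building the role, creates or updates the definition so the script can be re-run, assigns it at resource-group scope rather than to the whole subscription, and finally reads back what was granted. The subscription ID, resource group name and sign-in name are placeholders you must replace.

```powershell
# Added example (not from the original post): build, assign and verify the
# "Reboot Helpdesk Operator" custom role with the AzureRM module used above.
# Placeholders (assumptions): replace $SubscriptionId, $ResourceGroup and $UserSignIn.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder subscription GUID
$ResourceGroup  = "rg-helpdesk-vms"                         # placeholder resource group holding the VMs
$UserSignIn     = "helpdesk.operator@example.com"           # placeholder Azure AD user
$RoleName       = "Reboot Helpdesk Operator"

Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionId $SubscriptionId

# 1. Confirm the actions exist in the provider's operation list before putting them in a role.
#    Get-AzureRmProviderOperation accepts a wildcard search string, so we only pull VM operations.
$vmOps  = Get-AzureRmProviderOperation -OperationSearchString "Microsoft.Compute/virtualMachines/*"
$wanted = @(
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/restart/action"
)
foreach ($op in $wanted) {
    if (-not ($vmOps.Operation -contains $op)) {
        throw "Operation '$op' not found under Microsoft.Compute; check the spelling before continuing."
    }
}

# 2. Create the role definition, or update the action list if the role already exists.
$existing = Get-AzureRmRoleDefinition -Name $RoleName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    $role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"   # template only; actions are replaced below
    $role.Id = $null
    $role.Name = $RoleName
    $role.Description = "Can read and restart virtual machines; no start, deallocate, delete or network access."
    $role.Actions.Clear()
    $wanted | ForEach-Object { $role.Actions.Add($_) }
    $role.NotActions.Clear()
    $role.AssignableScopes.Clear()
    # Where the role may be assigned; the subscription is the widest sensible choice.
    $role.AssignableScopes.Add("/subscriptions/$SubscriptionId")
    New-AzureRmRoleDefinition -Role $role
} else {
    $existing.Actions.Clear()
    $wanted | ForEach-Object { $existing.Actions.Add($_) }
    Set-AzureRmRoleDefinition -Role $existing
}

# 3. Assign the role at resource-group scope only: the operator sees, and can restart,
#    just the VMs in that group instead of every VM in the subscription.
New-AzureRmRoleAssignment -SignInName $UserSignIn `
    -RoleDefinitionName $RoleName `
    -ResourceGroupName $ResourceGroup

# 4. Verify what was granted: the effective actions of the role and the scope of the assignment.
Get-AzureRmRoleDefinition -Name $RoleName |
    Select-Object Name, IsCustom, Actions, AssignableScopes
Get-AzureRmRoleAssignment -SignInName $UserSignIn -ResourceGroupName $ResourceGroup |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Assigning at resource-group scope is the part the portal walkthrough does not show: the role definition decides what the operator may do, but the assignment scope decides where, and keeping both narrow is what makes the role least-privilege in practice.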
Now after I have added the custom role in Azure and go back into the portal for that particular subscription, you can see that the role appears. Note that the role will only appear on resources to which the role's actions can apply.
NOTE: When adding users to a role I can add a user from the existing Azure AD that the subscription is linked to, or I can add an external user who is not part of that Azure AD, for instance an external consultant who needs access to do some work.
So for instance if I open up Virtual Networks, which reside in the Network resource provider, I will not get the Reboot Helpdesk Operator role, since its actions only target the Microsoft.Compute/virtualMachines provider.
So the end result for the user who logs in to the portal: I can't connect, I can't shut down, I can only restart the VM.
So using RBAC with custom roles is a good way to define access at a more granular level within an Azure subscription, and it should always be used to define access based on areas of responsibility and least-privilege access.
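Once custom roles are in use they need to be reviewed as well, because a role that starts out as "read and restart" tends to grow. The following audit script is an added example, not from the original post: it lists every custom role in the current subscription, flags definitions whose actions contain a wildcard or grant write/delete, and shows who holds each role and at what scope. It assumes you are already logged in with Login-AzureRmAccount and have read access to role assignments; the function name Test-RoleIsBroad is my own.

```powershell
# Added example (not from the original post): audit custom role definitions and their
# assignments in the currently selected subscription. Assumes Login-AzureRmAccount was run.

function Test-RoleIsBroad {
    param([Parameter(Mandatory = $true)] $Role)
    # A wildcard such as "*" or "Microsoft.Compute/*" grants every matching operation,
    # including operations the provider adds later, so it is flagged for review.
    $wildcard = @($Role.Actions | Where-Object { $_.Contains("*") })
    # Write or delete actions are worth a look in a role intended for read/restart tasks.
    $mutating = @($Role.Actions | Where-Object { $_ -match "/(write|delete)$" })
    return [pscustomobject]@{
        Name             = $Role.Name
        WildcardActions  = $wildcard
        MutatingActions  = $mutating
        AssignableScopes = $Role.AssignableScopes
        IsBroad          = ($wildcard.Count -gt 0 -or $mutating.Count -gt 0)
    }
}

$customRoles = Get-AzureRmRoleDefinition | Where-Object { $_.IsCustom }
foreach ($role in $customRoles) {
    $finding     = Test-RoleIsBroad -Role $role
    $assignments = @(Get-AzureRmRoleAssignment -RoleDefinitionName $role.Name)
    $flag        = if ($finding.IsBroad) { "  <-- review: broad actions" } else { "" }
    "{0}: {1} assignment(s){2}" -f $role.Name, $assignments.Count, $flag
    "    assignable scopes: " + ($finding.AssignableScopes -join ", ")
    foreach ($a in $assignments) {
        # ObjectType tells you whether a user, group or service principal holds the role
        "    {0} ({1}) at {2}" -f $a.DisplayName, $a.ObjectType, $a.Scope
    }
    if ($finding.WildcardActions.Count -gt 0) {
        "    wildcard actions: " + ($finding.WildcardActions -join ", ")
    }
    if ($finding.MutatingActions.Count -gt 0) {
        "    write/delete actions: " + ($finding.MutatingActions -join ", ")
    }
}
```

Run against the subscription from the post, the Reboot Helpdesk Operator role should show no wildcard and no write/delete actions; any custom role that does show them is a candidate for being split into narrower roles along the same lines.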