Lab: Role-Based Access Control

All tasks in this lab are performed from the Azure portal (including a PowerShell Cloud Shell session).

Note: When not using Cloud Shell, the lab virtual machine must have the Azure PowerShell 1.2.0 module (or newer) installed https://docs.microsoft.com/en-us/powershell/azure/install-az-ps

Lab files: none

Scenario

Adatum Corporation wants to use Azure Role Based Access Control and Azure Policy to control provisioning and management of their Azure resources. It also wants to be able to automate and track provisioning and management tasks.

Objectives

After completing this lab, you will be able to:

  • Configure delegation of provisioning and management of Azure resources by using built-in Role-Based Access Control (RBAC) roles and built-in Azure policies

  • Verify delegation by provisioning Azure resources as a delegated admin and auditing provisioning events

Exercise 1: Configure delegation of provisioning and management of Azure resources by using built-in Role-Based Access Control (RBAC) roles and built-in Azure policies

The main tasks for this exercise are as follows:

  1. Create Azure Active Directory (AD) users and groups

  2. Create Azure resource groups

  3. Delegate management of an Azure resource group via a built-in RBAC role

  4. Assign a built-in Azure policy to an Azure resource group

Task 1: Create Azure AD users and groups

  1. From the lab virtual machine, start Microsoft Edge, browse to the Azure portal at http://portal.azure.com and sign in by using a Microsoft account that has the Owner role in the Azure subscription you intend to use in this lab and is a Global Administrator of the Azure AD tenant associated with that subscription.

  2. In the Azure portal, navigate to the Azure Active Directory blade

  3. From the Azure Active Directory blade, navigate to the Custom domain names blade and identify the primary DNS domain name associated with the Azure AD tenant. Note its value - you will need it later in this task.

  4. From the Azure AD Custom domain names blade, navigate to the Users - All users blade.

  5. From the Users - All users blade, create a new user with the following settings:

    • User name: aaduser100011@<DNS-domain-name> where <DNS-domain-name> represents the primary DNS domain name you identified earlier in this task.

    • Name: aaduser100011

    • First name: not set

    • Last name: not set

    • Auto-generate password

    • Password: select the checkbox Show Password and note the string appearing in the Password text box. You will need it later in this lab.

    • Groups: 0 groups selected

    • Roles: User

    • Block sign in: No

    • Usage location: United States

    • Job title: not set

    • Department: not set

  6. From the Users - All users blade, navigate to the Groups - All groups blade.

  7. From the Groups - All groups blade, create a new group with the following settings:

    • Group type: Security

    • Group name: az1001 Contributors

    • Group description: az1001 Contributors

    • Membership type: Assigned

    • Members: aaduser100011

Task 2: Create Azure resource groups

  1. In the Azure portal, navigate to the Resource groups blade.

  2. From the Resource groups blade, create the first resource group with the following settings:

    • Resource group name: az1000101-RG

    • Subscription: the name of the subscription you are using in this lab

    • Resource group location: the name of the Azure region which is closest to the lab location and where you can provision Azure VMs.

      Note: To identify Azure regions available in your subscription, refer to https://azure.microsoft.com/en-us/regions/offers/

  3. From the Resource groups blade, create the second resource group with the following settings:

    • Resource group name: az1000102-RG

    • Subscription: the name of the subscription you selected in the previous step

    • Resource group location: the name of the Azure region you selected in the previous step

Task 3: Delegate management of an Azure resource group via a built-in RBAC role

  1. In the Azure portal, from the Resource groups blade, navigate to the az1000101-RG blade.

  2. From the az1000101-RG blade, display its Access control (IAM) blade.

  3. From the az1000101-RG - Access control (IAM) blade, display the Role assignments blade.

  4. From the Role assignments blade, create the following role assignment:

    • Role: Contributor

    • Assign access to: Azure AD user, group, or service principal

    • Select: az1001 Contributors

Task 4: Assign a built-in Azure policy to an Azure resource group

  1. From the az1000101-RG blade, display its Policies blade.

  2. From the Policy - Compliance blade, display the Assign policy blade.

  3. Assign the policy with the following settings:

    • Basics tab:

      • Scope: <name of the subscription you are using in this lab>/az1000101-RG

      • Exclusions: leave the entry blank

      • Policy definition: Allowed virtual machine SKUs

      • Assignment name: Allowed virtual machine SKUs

      • Description: Allowed selected virtual machine SKUs (Standard_DS1_v2)

      • Policy enforcement: Enabled

      • Assigned by: leave the entry set to its default value

    • Parameters tab:

      • Allowed SKUs: Standard_DS1_v2

    • Remediation tab:

      • Create a Managed Identity: leave the entry blank

Result: After completing this exercise, you will have created an Azure AD user and an Azure AD group, created two Azure resource groups, delegated management of the first Azure resource group via the built-in Contributor RBAC role, and assigned to the same resource group the built-in Azure policy restricting the SKUs that can be used for Azure VMs.
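The delegation configured in Tasks 3 and 4 can also be scripted from the PowerShell Cloud Shell, which is what Adatum's automation goal calls for. This is an added example, not part of the original lab; it assumes the user, group and resource groups from Tasks 1 and 2 already exist, and that the built-in definition's display name and its listOfAllowedSKUs parameter name match what the portal shows.

```powershell
# Added example: script the RBAC delegation (Task 3) and the policy assignment (Task 4)
# for az1000101-RG from a PowerShell Cloud Shell session. Assumes Tasks 1 and 2 are done.
$rgName      = 'az1000101-RG'
$groupName   = 'az1001 Contributors'
$allowedSkus = @('Standard_DS1_v2')

$rg    = Get-AzResourceGroup -Name $rgName
$group = Get-AzADGroup -DisplayName $groupName

# Task 3: scope the Contributor role to the resource group only, never to the subscription,
# so the delegated admin sees and manages nothing outside az1000101-RG.
$existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Contributor' -Scope $rg.ResourceId
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Contributor' -Scope $rg.ResourceId | Out-Null
}

# Task 4: assign the built-in "Allowed virtual machine SKUs" definition with a single allowed size.
# Assumption: the built-in display name matches the lab and its parameter is named listOfAllowedSKUs.
$definition = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -like 'Allowed virtual machine*SKUs' } |
    Select-Object -First 1
if (-not $definition) { throw 'Built-in policy definition for allowed VM SKUs not found' }

New-AzPolicyAssignment -Name 'Allowed virtual machine SKUs' `
    -DisplayName 'Allowed virtual machine SKUs' `
    -Description 'Allowed selected virtual machine SKUs (Standard_DS1_v2)' `
    -Scope $rg.ResourceId `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ listOfAllowedSKUs = $allowedSkus } `
    -EnforcementMode Default | Out-Null

# Verify both controls before handing the scope to the delegated admin.
Get-AzRoleAssignment -Scope $rg.ResourceId |
    Select-Object DisplayName, RoleDefinitionName, Scope
Get-AzPolicyAssignment -Scope $rg.ResourceId |
    Select-Object Name, @{ n = 'Definition'; e = { $_.Properties.PolicyDefinitionId } }
```

Because the role assignment is created at the resource-group scope, the second resource group az1000102-RG remains invisible to the delegated admin, which Exercise 2 Task 2 step 3 confirms.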

Exercise 2: Verify delegation by provisioning Azure resources as a delegated admin and auditing provisioning events

The main tasks for this exercise are as follows:

  1. Identify an available DNS name for an Azure VM deployment

  2. Attempt an automated deployment of a policy non-compliant Azure VM as a delegated admin

  3. Perform an automated deployment of a policy compliant Azure VM as a delegated admin

  4. Review Azure Activity Log events corresponding to Azure VM deployments

Task 1: Identify an available DNS name for an Azure VM deployment

  1. From the Azure Portal, start a PowerShell session in the Cloud Shell.

    Note: If this is the first time you are launching the Cloud Shell in the current Azure subscription, you will be asked to create an Azure file share to persist Cloud Shell files. If so, accept the defaults, which will result in creation of a storage account in an automatically generated resource group.

  2. In the Cloud Shell pane, run the following command, substituting the placeholder <custom-label> with any string which is likely to be unique and the placeholder <location-of-az1000101-RG> with the name of the Azure region in which you created the az1000101-RG resource group.

    Test-AzDnsAvailability -DomainNameLabel <custom-label> -Location '<location-of-az1000101-RG>'
    
  3. Verify that the command returned True. If not, rerun the same command with a different value of the <custom-label> until the command returns True.

  4. Note the value of the <custom-label> that resulted in the successful outcome. You will need it in the next task.

  5. Run these commands:

    Register-AzResourceProvider -ProviderNamespace Microsoft.Network
    
    Register-AzResourceProvider -ProviderNamespace Microsoft.Compute
    

    Note: These cmdlets register the Azure Resource Manager Microsoft.Network and Microsoft.Compute resource providers. This is a one-time operation (per subscription) required when using Azure Resource Manager templates to deploy resources managed by these resource providers (if these resource providers have not been yet registered).

    Also Note: If you encounter an error after running these commands that mentions a token expiry set to a time that is before the current time, click the power button icon on your Cloud Shell UI and restart your Cloud Shell instance. Once restarted, retry these commands.

Task 2: Attempt an automated deployment of a policy non-compliant Azure VM as a delegated admin

  1. Launch another browser window in the InPrivate mode.

  2. In the new browser window, navigate to the Azure portal and sign in using the user account aaduser100011@<DNS-domain-name> where <DNS-domain-name> represents the primary DNS domain name you identified earlier. When prompted, change the password to a new value.

  3. In the Azure portal, navigate to the Resource groups blade and note that you can view only the resource group az1000101-RG.

  4. In the Azure portal, navigate to the New blade.

  5. From the New blade, search Azure Marketplace for Template deployment.

  6. Use the list of search results to navigate to the Deploy a custom template blade.

  7. On the Custom deployment blade, in the Load a GitHub quickstart template drop-down list, select the 101-vm-simple-linux entry and navigate to the Edit template blade.

  8. On the Edit template blade, navigate to the Variables section and locate the vmSize entry.

  9. Note that the template uses a hard-coded Standard_B2s VM size.

  10. Discard any changes you might have made to the template and navigate to the Deploy a simple Ubuntu Linux VM blade.

  11. From the Deploy a simple Ubuntu Linux VM blade, initiate a template deployment with the following settings:

    • Subscription: the same subscription you selected in the previous exercise

    • Resource group: az1000101-RG

    • Location: the name of the Azure region which you selected in the previous exercise

    • Admin Username: Student

    • Authentication Type: password

    • Admin Password Or Key: Pa55w.rd1234

    • Dns Label Prefix: the <custom-label> you identified in the previous task

    • Accept the default values of the remaining settings

  12. Note that the initiation of the deployment fails. Navigate to the Errors blade and note that the deployment of the resource is not allowed by the policy Allowed virtual machine SKUs.

Task 3: Perform an automated deployment of a policy compliant Azure VM as a delegated admin

  1. From the Deploy a simple Ubuntu Linux VM blade, navigate to the Edit parameters blade.

  2. On the Edit parameters blade, locate the vmSize entry.

  3. Replace the value Standard_B2s with Standard_DS1_v2 and save the change.

  4. Initiate a deployment again. Note that this time validation is successful.

  5. Do not wait for the deployment to complete but proceed to the next task.

Task 4: Review Azure Activity Log events corresponding to Azure VM deployments

  1. Switch to the browser window that you used in the previous exercise.

  2. In the Azure portal, navigate to the az1000101-RG resource group blade.

  3. From the az1000101-RG resource group blade, display its Activity log blade.

  4. In the list of operations, note the ones corresponding to the failed and successful validation events.

  5. Refresh the view of the blade and observe events corresponding to the Azure VM provisioning, including the final one representing the successful deployment.

Result: After completing this exercise, you will have identified an available DNS name for an Azure VM deployment, attempted an automated deployment of a policy non-compliant Azure VM as a delegated admin, performed an automated deployment of a policy compliant Azure VM as the same delegated admin, and reviewed Azure Activity Log entries corresponding to both Azure VM deployments.
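The Activity Log review in Task 4 can also be done from the owner's PowerShell Cloud Shell session, which makes it easy to separate the policy-blocked attempt from the successful deployment and to check that the delegated admin touched nothing outside the delegated scope. This is an added example, not part of the original lab; it assumes the lab user name from Exercise 1 and a placeholder for the tenant's DNS domain name.

```powershell
# Added example: audit the delegated admin's activity in az1000101-RG (Exercise 2, Task 4).
# Run as the subscription Owner. Assumes the lab user from Exercise 1; replace the placeholder domain.
$rgName       = 'az1000101-RG'
$tenantDomain = '<DNS-domain-name>'          # placeholder: the primary DNS domain name noted in Exercise 1
$delegate     = "aaduser100011@$tenantDomain"
$since        = (Get-Date).AddHours(-2)

# All events in the delegated resource group raised by the delegated admin.
$events = Get-AzLog -ResourceGroupName $rgName -StartTime $since |
    Where-Object { $_.Caller -eq $delegate }

# Failed events: the Standard_B2s attempt rejected by the "Allowed virtual machine SKUs" policy.
$events | Where-Object { $_.Status.Value -eq 'Failed' } |
    Select-Object EventTimestamp, Caller,
        @{ n = 'Operation'; e = { $_.OperationName.Value } },
        @{ n = 'SubStatus'; e = { $_.SubStatus.Value } } |
    Format-Table -AutoSize

# Succeeded write operations: the compliant Standard_DS1_v2 deployment and the resources it created.
$events | Where-Object { $_.Status.Value -eq 'Succeeded' -and $_.OperationName.Value -like '*/write' } |
    Select-Object EventTimestamp, @{ n = 'Operation'; e = { $_.OperationName.Value } }, ResourceId |
    Format-Table -AutoSize

# Any write or delete by the same caller outside az1000101-RG would mean the delegation is broader
# than the resource-group-scoped Contributor assignment made in Exercise 1; expect no rows here.
Get-AzLog -Caller $delegate -StartTime $since |
    Where-Object { $_.ResourceGroupName -ne $rgName -and $_.OperationName.Value -match '/(write|delete)$' } |
    Select-Object EventTimestamp, ResourceGroupName, @{ n = 'Operation'; e = { $_.OperationName.Value } }
```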

Exercise 3: Remove lab resources

Task 1: Open Cloud Shell

  1. At the top of the portal, click the Cloud Shell icon to open the Cloud Shell pane.

  2. At the Cloud Shell interface, select Bash.

  3. At the Cloud Shell command prompt, type in the following command and press Enter to list all resource groups you created in this lab:

    az group list --query "[?starts_with(name,'az1000')].name" --output tsv
    
  4. Verify that the output contains only the resource groups you created in this lab. These groups will be deleted in the next task.

Task 2: Delete resource groups

  1. At the Cloud Shell command prompt, type in the following command and press Enter to delete the resource groups you created in this lab:

    az group list --query "[?starts_with(name,'az1000')].name" --output tsv | xargs -L1 bash -c 'az group delete --name $0 --no-wait --yes'
    
  2. Close the Cloud Shell prompt at the bottom of the portal.

Result: In this exercise, you removed the resources used in this lab.