Lab: Managing Azure Role-Based Access Control

Student lab manual

Lab scenario

With Azure Active Directory (Azure AD) becoming an integral part of its identity management environment, the Adatum Enterprise Architecture team must also determine the optimal authorization approach. In the context of controlling access to Azure resources, such an approach must involve the use of Azure Role-Based Access Control (RBAC). Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.

The key concept of Azure RBAC is the role assignment. A role assignment consists of three elements: a security principal, a role definition, and a scope. A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources. A role definition is a collection of the operations that the role assignment will grant, such as read, write, or delete. Roles can be generic or resource specific. Azure includes four built-in generic roles (Owner, Contributor, Reader, and User Access Administrator) and a fairly large number of built-in resource-specific roles (for example, Virtual Machine Contributor, which includes permissions to create and manage Azure virtual machines). It is also possible to define custom roles. A scope is the set of resources that the access applies to. A scope can be set at multiple levels: management group, subscription, resource group, or resource. Scopes are structured in a parent-child relationship, so an assignment at a parent scope is inherited by all of its child scopes.

The Adatum Enterprise Architecture team wants to test delegation of Azure management by using custom Role-Based Access Control roles. To start its evaluation, the team intends to create a custom role that provides restricted access to Azure virtual machines.

Objectives

After completing this lab, you will be able to:

  • Define a custom RBAC role

  • Assign a custom RBAC role

Lab Environment

Windows Server admin credentials

  • User Name: Student

  • Password: Pa55w.rd1234

Estimated Time: 60 minutes

Lab Files

  • \\AZ303\AllFiles\Labs\11\azuredeploy30311suba.json

  • \\AZ303\AllFiles\Labs\11\azuredeploy30311rga.json

  • \\AZ303\AllFiles\Labs\11\azuredeploy30311rga.parameters.json

  • \\AZ303\AllFiles\Labs\11\roledefinition30311.json

Instructions

Exercise 0: Prepare the lab environment

The main tasks for this exercise are as follows:

  1. Deploy an Azure VM by using an Azure Resource Manager template

  2. Create an Azure Active Directory user

Task 1: Deploy an Azure VM by using an Azure Resource Manager template

  1. From your lab computer, start a web browser, navigate to the Azure portal, and sign in by providing credentials of a user account with the Owner role in the subscription you will be using in this lab.

  2. In the Azure portal, open the Cloud Shell pane by selecting the toolbar icon directly to the right of the search textbox.

  3. If prompted to select either Bash or PowerShell, select PowerShell.

    Note: If this is the first time you are starting Cloud Shell and you are presented with the You have no storage mounted message, select the subscription you are using in this lab, and select Create storage.

  4. In the toolbar of the Cloud Shell pane, select the Upload/Download files icon, in the drop-down menu select Upload, and upload the file \\AZ303\AllFiles\Labs\11\azuredeploy30311suba.json into the Cloud Shell home directory.

  5. From the Cloud Shell pane, run the following to create a resource group (replace the <Azure region> placeholder with the name of the Azure region that is available for deployment of Azure VMs in your subscription and which is closest to the location of your lab computer):

    $location = '<Azure region>'
    New-AzSubscriptionDeployment `
      -Location $location `
      -Name az30311subaDeployment `
      -TemplateFile $HOME/azuredeploy30311suba.json `
      -rgLocation $location `
      -rgName 'az30311a-labRG'
    

    Note: To identify Azure regions where you can provision Azure VMs, refer to https://azure.microsoft.com/en-us/regions/offers/

  6. From the Cloud Shell pane, upload the Azure Resource Manager template \\AZ303\AllFiles\Labs\11\azuredeploy30311rga.json.

  7. From the Cloud Shell pane, upload the Azure Resource Manager parameter file \\AZ303\AllFiles\Labs\11\azuredeploy30311rga.parameters.json.

  8. From the Cloud Shell pane, run the following to deploy an Azure VM running Windows Server 2019 that you will be using in this lab:

    New-AzResourceGroupDeployment `
      -Name az30311rgaDeployment `
      -ResourceGroupName 'az30311a-labRG' `
      -TemplateFile $HOME/azuredeploy30311rga.json `
      -TemplateParameterFile $HOME/azuredeploy30311rga.parameters.json `
      -AsJob
    

    Note: Do not wait for the deployment to complete but instead proceed to the next task. The deployment should take less than 5 minutes.

Task 2: Create an Azure Active Directory user

  1. In the Azure portal, from the PowerShell session in the Cloud Shell pane, run the following to authenticate to the Azure AD tenant associated with your Azure subscription:

    Connect-AzureAD
    
  2. From the Cloud Shell pane, run the following to identify the Azure AD DNS domain name:

    $domainName = ((Get-AzureAdTenantDetail).VerifiedDomains)[0].Name
    
  3. From the Cloud Shell pane, run the following to create a new Azure AD user:

    $passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $passwordProfile.Password = 'Pa55w.rd1234'
    $passwordProfile.ForceChangePasswordNextLogin = $false
    New-AzureADUser -AccountEnabled $true -DisplayName 'az30311aaduser1' -PasswordProfile $passwordProfile -MailNickName 'az30311aaduser1' -UserPrincipalName "az30311aaduser1@$domainName"
    
  4. From the Cloud Shell pane, run the following to identify the user principal name of the newly created Azure AD user:

    (Get-AzureADUser -Filter "MailNickName eq 'az30311aaduser1'").UserPrincipalName
    

    Note: Record the user principal name of the newly created Azure AD user. You will need it later in this lab.

  5. Close the Cloud Shell pane.

Exercise 1: Define a custom RBAC role

The main tasks for this exercise are as follows:

  1. Identify actions to delegate via RBAC

  2. Create a custom RBAC role in an Azure AD tenant

Task 1: Identify actions to delegate via RBAC

  1. In the Azure portal, navigate to the az30311a-labRG blade.

  2. On the az30311a-labRG blade, select Access Control (IAM).

  3. On the az30311a-labRG - Access Control (IAM) blade, select Roles.

  4. On the Roles blade, select Owner.

  5. On the Owner blade, select Permissions.

  6. On the Permissions (preview) blade, select Microsoft Compute.

  7. On the Microsoft Compute blade, select Virtual machines.

  8. On the Virtual Machines blade, review the list of management actions that can be delegated through RBAC. Note that they include the Deallocate Virtual Machine and Start Virtual Machine actions.

Task 2: Create a custom RBAC role in an Azure AD tenant

  1. On the lab computer, open the file \\AZ303\AllFiles\Labs\11\roledefinition30311.json and review its content:

    {
       "Name": "Virtual Machine Operator (Custom)",
       "Id": null,
       "IsCustom": true,
       "Description": "Allows to start/restart Azure VMs",
       "Actions": [
           "Microsoft.Compute/*/read",
           "Microsoft.Compute/virtualMachines/restart/action",
           "Microsoft.Compute/virtualMachines/start/action"
       ],
       "NotActions": [
       ],
       "AssignableScopes": [
           "/subscriptions/SUBSCRIPTION_ID"
       ]
    }
    
  2. On the lab computer, in the browser window displaying the Azure portal, start a PowerShell session within the Cloud Shell.

  3. From the Cloud Shell pane, upload the role definition file \\AZ303\AllFiles\Labs\11\roledefinition30311.json into the home directory.

  4. From the Cloud Shell pane, run the following to replace the SUBSCRIPTION_ID placeholder with the ID value of the Azure subscription:

    $subscription_id = (Get-AzContext).Subscription.id
    (Get-Content -Path $HOME/roledefinition30311.json) -Replace 'SUBSCRIPTION_ID', "$subscription_id" | Set-Content -Path $HOME/roledefinition30311.json
    
  5. From the Cloud Shell pane, run the following to verify that the SUBSCRIPTION_ID placeholder was replaced with the ID value of the Azure subscription:

    Get-Content -Path $HOME/roledefinition30311.json
    
  6. From the Cloud Shell pane, run the following to create the custom role definition:

    New-AzRoleDefinition -InputFile $HOME/roledefinition30311.json
    
  7. From the Cloud Shell pane, run the following to verify that the role was created successfully:

    Get-AzRoleDefinition -Name 'Virtual Machine Operator (Custom)'
    
  8. Close the Cloud Shell pane.
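The following PowerShell, added here as an example and not one of the lab files, performs the same two steps of this exercise from the Cloud Shell: it enumerates the delegable Microsoft.Compute virtual machine operations with Get-AzProviderOperation (the equivalent of the portal walk-through in Task 1), then creates the role definition from a PowerShell object instead of the JSON file. It assumes an authenticated Az session (as in Cloud Shell) and reuses the lab's role name, description, and actions; the closing least-privilege check and its list of operations that the role must not grant are additions of this example.

```powershell
# Added example, not part of the lab files. Assumes Connect-AzAccount has run.

# Task 1 equivalent: list the virtual machine operations that RBAC can delegate.
# The Operation column holds the exact strings used in Actions/NotActions.
Get-AzProviderOperation 'Microsoft.Compute/virtualMachines/*' |
    Select-Object Operation, Description |
    Format-Table -AutoSize

# Task 2 equivalent: build the role definition as an object (same content as
# roledefinition30311.json) and create it, scoped to the current subscription.
$subscriptionId = (Get-AzContext).Subscription.Id

# Start from a built-in role to obtain a correctly typed PSRoleDefinition,
# then overwrite every field so nothing from Reader is inherited.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id               = $null
$role.IsCustom         = $true
$role.Name             = 'Virtual Machine Operator (Custom)'
$role.Description      = 'Allows to start/restart Azure VMs'
$role.Actions          = [System.Collections.Generic.List[string]]@(
    'Microsoft.Compute/*/read',
    'Microsoft.Compute/virtualMachines/restart/action',
    'Microsoft.Compute/virtualMachines/start/action'
)
$role.NotActions       = [System.Collections.Generic.List[string]]::new()
$role.DataActions      = [System.Collections.Generic.List[string]]::new()
$role.NotDataActions   = [System.Collections.Generic.List[string]]::new()
$role.AssignableScopes = [System.Collections.Generic.List[string]]@("/subscriptions/$subscriptionId")

# Avoid creating a duplicate if the JSON-based step of this task already ran.
if (-not (Get-AzRoleDefinition -Name $role.Name)) {
    New-AzRoleDefinition -Role $role
}

# Verification: the role exists, is custom, and grants exactly the intended actions.
$created = Get-AzRoleDefinition -Name 'Virtual Machine Operator (Custom)'
$created | Select-Object Name, IsCustom, Actions, NotActions, AssignableScopes | Format-List

# Least-privilege check (this example's addition): none of the granted patterns
# may cover an operation that stops, deallocates, or reconfigures a VM.
# '-like' treats '*' like Azure RBAC does: it matches any characters, including '/'.
$mustNotGrant = @(
    'Microsoft.Compute/virtualMachines/deallocate/action',
    'Microsoft.Compute/virtualMachines/powerOff/action',
    'Microsoft.Compute/virtualMachines/write',
    'Microsoft.Compute/virtualMachines/delete'
)
$overGrants = foreach ($pattern in $created.Actions) {
    $mustNotGrant | Where-Object { $_ -like $pattern } | ForEach-Object { "$pattern covers $_" }
}
if ($overGrants) {
    Write-Warning ("Role grants more than intended:`n" + ($overGrants -join "`n"))
} else {
    Write-Host 'Least-privilege check passed: no stop, deallocate, write, or delete permission granted.'
}
```

Building the definition in code rather than editing JSON with a string replace makes the assignable scope explicit and lets the same script be reviewed and version-controlled; the verification step is worth keeping in any deployment pipeline, because a later edit that widens a pattern (for example to Microsoft.Compute/virtualMachines/*) would silently turn this operator role into a near-contributor role.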

Exercise 2: Assign and test a custom RBAC role

The main tasks for this exercise are as follows:

  1. Create an RBAC role assignment

  2. Test the RBAC role assignment

Task 1: Create an RBAC role assignment

  1. In the Azure portal, navigate to the az30311a-labRG blade.

  2. On the az30311a-labRG blade, select Access Control (IAM).

  3. On the az30311a-labRG - Access Control (IAM) blade, select + Add and select the Add role assignment option.

  4. On the Add role assignment blade, specify the following settings (leave others with their existing values) and select Save:

    Setting             Value
    Role                Virtual Machine Operator (Custom)
    Assign access to    Azure AD user, group, or service principal
    Select              az30311aaduser1
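The PowerShell below is an added example (not part of the lab) showing the Cloud Shell equivalent of the portal role assignment in this task, followed by two checks a reviewer would want: that the assignment exists at exactly the resource group scope, and that the test user holds no broader role elsewhere in the subscription. It assumes an authenticated Az session, that Exercise 1 created the custom role, and that the placeholder UPN is replaced with the user principal name recorded in Exercise 0.

```powershell
# Added example, not part of the lab. Assumes Connect-AzAccount has run.
$userPrincipalName = 'az30311aaduser1@<your tenant domain>'   # placeholder: use the UPN recorded in Exercise 0
$roleName          = 'Virtual Machine Operator (Custom)'
$resourceGroupName = 'az30311a-labRG'

# Resolve the resource group to its full ARM resource ID; that ID is the assignment scope.
$scope = (Get-AzResourceGroup -Name $resourceGroupName).ResourceId

# Create the assignment at resource group scope only if it is not already there.
# Note: a user or custom role created moments ago can take a short time to become
# visible to the authorization service; if New-AzRoleAssignment reports that the
# principal or role cannot be found, wait and rerun.
$existing = Get-AzRoleAssignment -SignInName $userPrincipalName -RoleDefinitionName $roleName |
    Where-Object { $_.Scope -eq $scope }
if (-not $existing) {
    New-AzRoleAssignment -SignInName $userPrincipalName -RoleDefinitionName $roleName -Scope $scope
}

# Check 1: the assignment is scoped to the resource group, not to the subscription.
$assignment = Get-AzRoleAssignment -SignInName $userPrincipalName -RoleDefinitionName $roleName |
    Where-Object { $_.Scope -eq $scope }
if (-not $assignment) {
    throw "No '$roleName' assignment for $userPrincipalName at scope $scope"
}
$assignment | Select-Object DisplayName, RoleDefinitionName, Scope | Format-List

# Check 2: the test user must not also hold a generic role anywhere in the subscription,
# otherwise the test in the next task would pass for the wrong reason.
$broad = Get-AzRoleAssignment -SignInName $userPrincipalName |
    Where-Object { $_.RoleDefinitionName -in @('Owner', 'Contributor', 'User Access Administrator') }
foreach ($b in $broad) {
    Write-Warning "Broader role found: $($b.RoleDefinitionName) at $($b.Scope)"
}
if (-not $broad) {
    Write-Host "Only '$roleName' is assigned to $userPrincipalName in this subscription."
}
```

The second check matters because role assignments are additive: if the same user also held Contributor at subscription scope, the inherited permission would let the stop action succeed in Task 2 and mask the effect of the custom role.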

Task 2: Test the RBAC role assignment

  1. From the lab computer, start a new in-private web browser session, navigate to the Azure portal, and sign in by using the az30311aaduser1 user account with the Pa55w.rd1234 password.

    Note: Make sure to use the user principal name of the az30311aaduser1 user account, which you recorded earlier in this lab.

  2. In the Azure portal, navigate to the Resource groups blade. Note that you are not able to see any resource groups.

  3. In the Azure portal, navigate to the All resources blade. Note that you are able to see only the az30311a-vm0 and its managed disk.

  4. In the Azure portal, navigate to the az30311a-vm0 blade. Try stopping the virtual machine. Review the error message in the notification area and note that this action failed because the current user is not authorized to carry it out.

  5. Restart the virtual machine and verify that the action completed successfully.

  6. Close the in-private web browser session.
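As an added example (not part of the lab), the script below predicts every result observed in this task from the role definition alone. Test-RbacAction is a hypothetical helper written for this example; it implements the documented Azure RBAC rule that an operation is permitted when it matches an entry in Actions and no entry in NotActions, with '*' matching any characters including '/'. It does not model deny assignments, data actions, or assignments inherited from other scopes. The role definition is embedded from the lab's roledefinition30311.json so the script runs offline; replace it with Get-AzRoleDefinition to evaluate the role as actually created. The mapping of portal buttons to operations (Stop deallocates the VM) is this example's own.

```powershell
# Added example, not part of the lab. Runs offline; no Azure session needed.

# Hypothetical helper: local evaluation of Actions/NotActions for one operation.
function Test-RbacAction {
    param(
        [Parameter(Mandatory)] $RoleDefinition,          # object with Actions and NotActions
        [Parameter(Mandatory)] [string] $Operation       # e.g. Microsoft.Compute/virtualMachines/start/action
    )
    # '-like' is case-insensitive and lets '*' span '/', matching Azure RBAC semantics.
    $allowed = @($RoleDefinition.Actions    | Where-Object { $Operation -like $_ }).Count -gt 0
    $denied  = @($RoleDefinition.NotActions | Where-Object { $Operation -like $_ }).Count -gt 0
    return ($allowed -and -not $denied)
}

# The lab's role definition (roledefinition30311.json), embedded for offline use.
# Swap for: $role = Get-AzRoleDefinition -Name 'Virtual Machine Operator (Custom)'
$role = @'
{
  "Name": "Virtual Machine Operator (Custom)",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/start/action"
  ],
  "NotActions": []
}
'@ | ConvertFrom-Json

# Operations behind each step of the test task (mapping chosen for this example).
$operations = [ordered]@{
    'List resource groups (step 2)'     = 'Microsoft.Resources/subscriptions/resourceGroups/read'
    'Read VM in All resources (step 3)' = 'Microsoft.Compute/virtualMachines/read'
    'Read managed disk (step 3)'        = 'Microsoft.Compute/disks/read'
    'Stop = deallocate (step 4)'        = 'Microsoft.Compute/virtualMachines/deallocate/action'
    'Power off without deallocate'      = 'Microsoft.Compute/virtualMachines/powerOff/action'
    'Restart (step 5)'                  = 'Microsoft.Compute/virtualMachines/restart/action'
    'Start'                             = 'Microsoft.Compute/virtualMachines/start/action'
    'Delete VM'                         = 'Microsoft.Compute/virtualMachines/delete'
}

foreach ($entry in $operations.GetEnumerator()) {
    $decision = if (Test-RbacAction -RoleDefinition $role -Operation $entry.Value) { 'ALLOWED' } else { 'DENIED' }
    '{0,-36} {1,-56} {2}' -f $entry.Key, $entry.Value, $decision
}
```

Running it shows why the portal behaves as described: resource groups are invisible because the role grants no Microsoft.Resources read permission, the VM and its disk are listed because Microsoft.Compute/*/read covers both resource types, Stop is denied because neither deallocate nor powerOff is in Actions, and Restart is allowed by the explicit entry. Evaluating a role definition this way before assigning it is a cheap pre-check; the authoritative answer still comes from Azure, which also applies inherited assignments and deny assignments.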

Task 3: Remove Azure resources deployed in the lab

  1. From the lab computer, in the existing browser window displaying the Azure portal, start a PowerShell session within the Cloud Shell pane.

  2. From the Cloud Shell pane, run the following to list the resource group you created in this exercise:

    Get-AzResourceGroup -Name 'az30311*'
    

    Note: Verify that the output contains only the resource group you created in this lab. This group will be deleted in this task.

  3. From the Cloud Shell pane, run the following to delete the resource group you created in this lab:

    Get-AzResourceGroup -Name 'az30311*' | Remove-AzResourceGroup -Force -AsJob
    
  4. Close the Cloud Shell pane.

  5. In the Azure portal, navigate to the Users blade of the Azure Active Directory tenant associated with your Azure subscription.

  6. In the list of user accounts, select the entry representing the az30311aaduser1 user account, select the ellipsis icon in the toolbar, select Delete user and select Yes when prompted to confirm.

  7. In the Azure portal, navigate to the blade displaying properties of your Azure subscription, select the Access control (IAM) entry, and then select Roles.

  8. In the list of roles, select the Virtual Machine Operator (Custom) entry, select Remove and, when prompted to confirm, select Yes.
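The following PowerShell is an added example (not part of the lab) that performs steps 5 through 8 of this task from the Cloud Shell, in the order Azure requires: a custom role definition cannot be deleted while any assignment still references it, so the script removes remaining assignments first, including ones left behind by a principal that has already been deleted, and only then removes the definition and the test user. It assumes an authenticated Az session and, for the user deletion, an AzureAD session established with Connect-AzureAD as in Exercise 0.

```powershell
# Added example, not part of the lab. Assumes Connect-AzAccount and Connect-AzureAD have run.
$roleName = 'Virtual Machine Operator (Custom)'

$role = Get-AzRoleDefinition -Name $roleName
if ($null -eq $role) {
    Write-Host "Role '$roleName' does not exist; nothing to remove."
} else {
    # Remove every assignment of the custom role in this subscription. Deleting the
    # resource group already removed assignments scoped to it; this catches any others,
    # including orphaned ones whose user was deleted first (DisplayName is then empty and
    # the portal shows "Identity not found").
    $assignments = @(Get-AzRoleAssignment -RoleDefinitionId $role.Id)
    foreach ($a in $assignments) {
        Write-Host "Removing assignment of '$roleName' at $($a.Scope) for object $($a.ObjectId)"
        $a | Remove-AzRoleAssignment
    }

    # Only now can the definition itself be deleted.
    Remove-AzRoleDefinition -Name $roleName -Force

    # Confirm the role is gone; a leftover definition would keep an unused privilege path alive.
    if (Get-AzRoleDefinition -Name $roleName) {
        throw "Role '$roleName' still exists; check for assignments at other scopes."
    }
    Write-Host "Role '$roleName' removed."
}

# Delete the lab's Azure AD user (step 6 equivalent), if it still exists.
$user = Get-AzureADUser -Filter "MailNickName eq 'az30311aaduser1'"
if ($user) {
    Remove-AzureADUser -ObjectId $user.ObjectId
    Write-Host "User $($user.UserPrincipalName) removed."
}
```

Removing assignments before the definition and the principal last avoids the two common leftovers of this kind of cleanup: a role definition that cannot be deleted because an orphaned assignment still points at it, and an "Identity not found" assignment that stays on the subscription until someone notices it.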