This chapter covers the following topic lessons.
This chapter covers the following lab exercises.
In this chapter we will assign Azure AD directory roles to Azure AD users. We will also assign administrative permissions to Azure AD users using Role Based Access Control (RBAC).
A user is assigned a directory role at user creation time. You also have the option to change a user's directory role later from the Azure AD user profile dashboard.
A user can be assigned one of the following three directory roles:
Global Administrator: Global administrators have full control over all directory resources.
Limited Administrator: A limited administrator role has full access to one particular directory feature. The following limited administrative roles are available in Azure.
User: A user can log in to the Azure portal but cannot create, manage or view any resource. For a user to create, view or manage a resource in the Azure portal, the user must be assigned permissions using Role Based Access Control (RBAC).
Note: You can change a user's directory role from the Azure AD dashboard.
In this exercise we will assign User3 the directory role of Limited Administrator with the role of User Account Administrator. Users with this role can create and manage all aspects of users and groups. User3 was created in Exercise 88 (Implementing and Managing Azure AD), Chapter 9, with the directory role of User.
In the Azure AD dashboard, click Users in the left pane > the All Users blade opens > click User3 in the right pane > the User3 profile blade opens > click Directory Role in the left pane > click + Add Assignment > the Directory Roles blade opens > scroll down, select User administrator and click Select.
User3 is now assigned the directory role of User administrator.
In this exercise we will log on to the Azure portal with User3's credentials and try to create a user.
Open Firefox and log on to the Azure portal at https://portal.azure.com with User3's credentials (user3@mikescottoutlook.onmicrosoft.com).
In the Azure portal, click Azure Active Directory in the left pane > in the Azure AD dashboard click Users in the left pane > the All Users blade opens > click + New User > the Create User blade opens > enter User4 as the name and user4@mikescottoutlook.onmicrosoft.com as the user name, and click Create.
User4 was successfully created (last row in the figure below).
Before going into RBAC, let's discuss why we need it in the first place. Unlimited access for users in Azure is a security threat; too few permissions mean that users can't get their work done efficiently. Azure Role-Based Access Control (RBAC) addresses this problem by offering fine-grained access management for Azure resources. With RBAC, users are given only the amount of access their job roles require. For example, RBAC can let one employee manage virtual machines in a subscription while another manages SQL databases.
You can assign roles to users, groups, and applications at a certain level. The level of a role assignment can be a subscription, a resource group, or a single resource.
The figure below shows that RBAC roles can be assigned to a user, group or application and can be applied at subscription, resource group or single resource level.
Owner has full access to all resources, including the right to delegate access to others.
Contributor can create and manage all types of Azure resources but can't grant access to others.
Reader can only view existing Azure resources.
Scope: RBAC role assignments are scoped to a specific subscription, resource group, or resource.
A user given access to a single resource cannot access any other resource in the same subscription.
A role assigned at a parent scope also grants access to the children contained within it. For example, a user with access to a resource group can manage all the resources it contains, such as websites, virtual machines and virtual networks.
Role: Within the scope of the assignment, access is narrowed further by the role that is assigned. Roles can be broad, like Owner, or specific, like Virtual Machine Reader.
The following is a partial list of the built-in roles available.
Administrative permissions are assigned to users using the Access control (IAM) tab in the resource, resource group or subscription dashboard.
In this exercise we will check User3's access level in the Azure portal. User3 was created in Exercise 88, Chapter 9.
Open Firefox and log on to the Azure portal at https://portal.azure.com with User3's credentials (user3@mikescottoutlook.onmicrosoft.com) and password. You can see that there are no resources to display for User3: the user has no access to existing resources and cannot create any resources.
In this exercise we will assign User3 the role of Reader in Resource Group RGCloud. User3 was created in Exercise 88, Chapter 9.
Go to the Resource Group RGCloud dashboard > click Access control (IAM) in the left pane > in the right pane click + Add role assignment > in the Add role assignment blade select Reader from the drop-down box and select User3 > click Save.
Click Role assignments and you can see that User3 is assigned the role of Reader.
Open Firefox and log on to the Azure portal at https://portal.azure.com with User3's credentials (user3@mikescottoutlook.onmicrosoft.com).
Click Resource Groups in the left pane > in the right pane you can see that User3 has access to only one resource group.
Click the Resource Group RGCloud. You can see all the resources created in Resource Group RGCloud.
As an exercise, try to create a resource in Resource Group RGCloud. It will fail because User3 has only the Reader role assigned.
In this exercise we will assign User3 the role of Contributor at subscription level. With the Contributor role User3 can create and manage all resources in the subscription but cannot delegate access to other users.
In the subscription dashboard click Access control (IAM) in the left pane > in the right pane click + Add role assignment > in the Add role assignment blade select Contributor from the drop-down box and select User3 > click Save.
Click Role assignments. User3 is assigned the role of Contributor.
Open Firefox and log on to the Azure portal at https://portal.azure.com with User3's credentials (user3@mikescottoutlook.onmicrosoft.com).
Click All resources in the left pane > in the right pane you can see that User3 has access to all the resources we have created in the subscription.
As an exercise, try to create a storage account; it will succeed.
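The scope inheritance and role rules described above, and the outcomes of the two RBAC exercises (Reader on RGCloud, then Contributor on the subscription), as an added example that is not part of the original chapter. It is a simplified model of how Azure evaluates an RBAC assignment, not Azure's own code; the subscription id, the vm1/vm2 resources and the RGOther resource group are constructed placeholders.

```python
from fnmatch import fnmatchcase

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
RG = SUB + "/resourceGroups/RGCloud"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"  # constructed
OTHER = SUB + "/resourceGroups/RGOther/providers/Microsoft.Compute/virtualMachines/vm2"  # constructed

# Built-in roles reduced to what the text describes: Owner does everything,
# Contributor does everything except grant access, Reader only reads.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

def _matches(pattern, action):
    # Operation names are case-insensitive; '*' may span '/' segments.
    return fnmatchcase(action.lower(), pattern.lower())

def in_scope(assigned_scope, target_scope):
    # A role assigned at a parent scope applies to every child scope.
    return target_scope == assigned_scope or target_scope.startswith(assigned_scope + "/")

def is_allowed(assignments, principal, action, scope):
    """True if an assignment (principal, role, scope) for this principal covers
    `scope` and the role's Actions minus its NotActions permit `action`."""
    for who, role, assigned_scope in assignments:
        if who != principal or not in_scope(assigned_scope, scope):
            continue
        defn = ROLES[role]
        granted = any(_matches(p, action) for p in defn["actions"])
        excluded = any(_matches(p, action) for p in defn["not_actions"])
        if granted and not excluded:
            return True
    return False

# Exercise 1: User3 is Reader on RGCloud only.
READER_ONLY = [("user3", "Reader", RG)]
# Exercise 2: User3 additionally gets Contributor at subscription scope.
WITH_CONTRIBUTOR = READER_ONLY + [("user3", "Contributor", SUB)]

def check(assignments):
    # Evaluate the operations the exercises attempt, keyed by a short name.
    return {
        "read_vm_in_rgcloud": is_allowed(assignments, "user3", "Microsoft.Compute/virtualMachines/read", VM),
        "read_vm_elsewhere": is_allowed(assignments, "user3", "Microsoft.Compute/virtualMachines/read", OTHER),
        "create_storage": is_allowed(assignments, "user3", "Microsoft.Storage/storageAccounts/write", RG),
        "grant_access": is_allowed(assignments, "user3", "Microsoft.Authorization/roleAssignments/write", RG),
    }
```

Run `check(READER_ONLY)` and `check(WITH_CONTRIBUTOR)` to see that Reader on RGCloud permits only reads inside that group, while Contributor on the subscription permits reads and creates everywhere but still refuses to write role assignments.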