Managing Azure Role Based Access Control (RBAC)

Question 1

RBAC - What is the maximum number of role assignments per Azure subscription?

Answer 1

2,000

Question 2

RBAC - What is the maximum number of custom roles per tenant?

Answer 2

2,000

Question 3

This lists the operations that can be performed on a security principal.

Answer 3

Role Definitions

Question 4

Generally termed as a “Role” it is a collection of permissions.

Answer 4

Role Definitions

Question 5

An object that represents an individual, collection of individuals, an application or service that requires access to an Azure resource.

Answer 5

Security Principal

Question 6

What 3 types of objects does a security principal object represent?

Answer 6

An individual.
A collection of individuals.
An application or service that requires access to an Azure resource.

Question 7

In reference to a security principal, individuals are represented by what?

Answer 7

An Azure AD user or a user in another tenant

Question 8

In reference to a security principal, a collection of individuals are represented by what?

Answer 8

An Azure AD group

Question 9

In reference to a security principal, applications and services are represented by what?

Answer 9

A service principal

Question 10

What are three examples or expressions of operations that are defined by a role definition?

Answer 10

Read, Write, and Delete

Question 11

The boundary that access applies to is…

Answer 11

Scope

Question 12

What are four scopes that a role may be assigned?

Answer 12

Management group
Subscription
Resource group
Resource

Question 13

(T/F) A role assignment can be inherited by a child scope level from its parent.

Answer 13

True.

Role assignments are structured in a parent-child relationship where access at the parent scope is inherited at child scope.

Question 14

The identity to which the permissions will apply for a role assignment is…

Answer 14

… a security principal.

Question 15

The collection of permissions tied to a role assignment is…

Answer 15

… a role definition.

Question 16

A role assignment’s access applies to…

Answer 16

… a scope.

Question 17

Why is RBAC used in Azure? (3 answers)

Answer 17

1. Ensures that the principle of least privilege is used.
2. Reduces chance of unauthorized actions being performed.
3. Reduce chance of accidental actions being performed.

Question 18

(T/F) Role assignments are structured in a peer-to-peer relationship where access given to one security principal on a scope level is given to all other security principals.

Answer 18

False.

Role assignments are structured in a parent-child relationship where access at the parent scope is inherited at child scope.

Question 19

This entity represents all principals in an Azure AD and uses the “Zero” GUID.

Answer 19

The Everyone principal

Question 20

This binds a set of actions to a security principal at a particular scope for the purpose of denying access.

Answer 20

Deny Assignments

Question 21

(T/F) Deny assignments are read-only.

Answer 21

True

Question 22

(T/F) Role assignments are read-only.

Answer 22

False, Deny Assignments are read-only.

Question 23

To prevent a user access to certain principals or prevent inheritance for assignments that are generally provided subscription-wide, an admin might use a…

Answer 23

… deny assignment.

Question 24

Management operations are specified in these two properties of a role definition.

Answer 24

“Actions” and “NotActions”

Question 25

Data operations are specified in these two properties of a role definition.

Answer 25

“DataActions” and “NotDataActions”

Question 26

The following are examples of what type of operation?

• Create, update, or delete a blob container
• Delete a resource group and its contents
• Set up access to a storage account

Answer 26

Management Operations

Question 27

The following are examples of what type of operation?

• Read a list of blobs in a container
• Write to a storage blob in a container
• Delete a message in a queue

Answer 27

Data Operations

Question 28

What are the four fundamental RBAC roles for most Azure features and a description of what they can do?

Answer 28

Owner
- Manage everything including access to resources.
Contributor
- Manage everything except access to resources.
Reader
- Read only access to everything.
User Access Administrator
- Manage user access to Azure resources

Question 29

(T/F) An account that can manage security policies but not access a resource cannot grant itself access to that resource.

Answer 29

False

An account is able to grant itself access to any resource if it is allowed to manage security policies. This is, however, logged in Azure.

Question 30

What PowerShell cmdlet is used to create a role assignment for a principal?

Answer 30

New-AzRoleAssignment

Legacy: New-AzureRmRoleAssignment

Question 31

What Azure CLI command is used to create a role assignment for a principal?

Answer 31

az role assignment create

Question 32

Aside from using the Azure Portal, PowerShell, and the Azure CLI, what other methods can be used to create role assignments?

Answer 32

REST API

ARM Template

Question 33

This tracks what changes are made to role assignments and definitions.

Answer 33

RBAC Auditing

Question 34

Details of changes that are made to role assignments or role definitions within a subscription are written to…

Answer 34

… the Azure Activity Log.

Question 35

The Azure Activity Log can be directly queried for how long?

Answer 35

90 days

Question 36

(T/F) Azure Activity Log can be configured to store data for longer than the default amount of time.

Answer 36

True

Question 37

What five (5) RBAC operations are written to the Azure Activity Log?

Answer 37

• Create role assignment
• Delete role assignment
• Create custom role definition
• Update custom role definition
• Delete custom role definition

Question 38

This sets certain requirements that allows or denies access to Azure management endpoints such as the Azure Portal.

Answer 38

Conditional Access policies

Question 39

What is required to be able to implement conditional access policies?

Answer 39

Azure Active Directory P2

Question 40

What are four (4) examples of policies that can be set by conditional access?

Answer 40

• Sign-in risk
• Device platform
• Device state (compliance)
• Location

Question 41

Which PowerShell cmdlet is used to view the assignment changes in a subscription that are recorded in the Azure Activity Log?

Answer 41

Get-AzLog

Legacy: Get-AzureRMLog

Question 42

This is used to enforce different rules and effects over Azure resources.

Answer 42

An Azure Policy.

For example it can control the types of resources that can be deployed or verify whether a particular resource exists during deployment of an ARM template.

Question 43

Define the difference between an RBAC and an Azure Policy?

Answer 43

RBAC focuses on what can be done within a scope while an Azure Policy controls the specifics of what is done. (ie. RBAC controls whether a user is allowed to deploy a VM, an Azure Policy controls how that VM is named)

Question 44

What are two scenarios where it is appropriate to use RBAC with Azure Policies?

Answer 44

Where consistency is needed over large subscriptions.

Where regulation compliance requires specific forms of control over the use of cloud resources.

Question 45

What can be used to audit whether and how specific RBAC roles are implemented within a subscription?

Answer 45

An Azure Policy

This can be accomplished by the use of an “auditIfNotExists” policy with an IF portion.

Question 46

(T/F) Role assignments can be automatically deployed.

Answer 46

True, with Azure Policy and ARM Templates.

Write a policy that audits for the presence of role assignments for certain role definitions and principals. This policy can pick up inherited permissions from parent Management Groups if role assignments were inherited. An administrator can use the “deployIfNotExists” property and specify an ARM Template with role assignment details to deploy.

Question 47

How do you determine within the Azure Portal whether a role definition is one of the built-in Azure roles or custom?

Answer 47

If the resource icon is orange instead of the default blue.

Question 48

(T/F) Custom role definitions cannot be shared across subscriptions.

Answer 48

False

Question 49

Role definitions are in what format?

Answer 49

JSON

Question 50

(T/F) The “NotActions” property in a custom role definition can be used to establish a deny operation rule for a security principal on a given resource.

Answer 50

False.

If a security principal is assigned a role that excludes an action in the “NotActions” property and then assigned a second role that grants access to that operation, the principal can perform that operation. To properly deny access to an operation a Deny Assignment must be used.

Question 51

What property within a custom role definition can be used to specify what scope a role can be used and what value will allow all scopes?

Answer 51

“AssignableScopes”

If this property is set to “/” it will allow the role to be assigned within all scopes.

Question 52

Which built-in roles have the appropriate permissions to create custom roles?

Answer 52

Owner or User Access Administrator

Question 53

Which two properties within a custom role definition do you add to allow or deny management operations?

Answer 53

“Actions” and “NotActions”

Question 54

Which two properties within a custom role definition do you add to allow or deny data operations?

Answer 54

“DataActions” and “NotDataActions”