Module 2 - Configure Role based Access control Flashcards

1
Q

What is Azure RBAC?

A

RBAC is used to manage permissions and access control to resources and services in Azure. You can define and manage who has access to Azure resources, what they can do with those resources, and what areas of Azure they can access.

RBAC allows you to follow the principle of least privilege, which means granting only the necessary permissions to individuals or applications to perform their tasks, reducing the risk of unauthorized access or inadvertent resource changes.

!Remember!:
RBAC
allows you to manage Azure resources, as opposed to Azure identities, which are managed by Azure AD roles (Global Admin, User Admin and Billing Admin); those roles give you access to the entire tenant
allows authorization

2
Q

Think Roles > Scopes > Role assignments > Principal

What are the key Components of Azure RBAC?

A
1. Roles
RBAC defines a set of built-in roles, each of which provides a specific set of permissions.
The built-in roles are:
Owner - Has full access to all resources within a resource group or subscription. Owners can manage resources and access control, and they can delegate access to others.
Contributor - Can manage all resources within the resource group or subscription, except for access control. Contributors can create, update and delete resources but cannot manage access to resources.
Reader - Can view resources and their properties but cannot make any changes. Typically used for auditing and monitoring purposes.
User Access Administrator - Designed for managing user access to Azure resources. Can assign roles to users, groups and service principals.
Network Contributor - Can manage networking resources like virtual networks, subnets, and network security groups within a resource group.
Storage Account Contributor - Grants permissions to manage Azure storage accounts, including the ability to create, manage and delete storage resources.
Security Admin - Has the same access as Security Reader but can also manage security policies and recommendations.
Security Reader - Has the ability to view security-related information in Azure Security Center and Azure Defender.

2. Scope
RBAC can be applied at different scopes within Azure, such as management group, subscription, resource group and individual resource. This allows access to be controlled at a granular level.

3. Role Assignments
A role assignment associates a role with a specific user, group, or service principal and defines the scope at which the assignment applies. This determines what actions the user or group can perform on the resources within that scope.

4. Principal
A principal is the user, group, or service principal to whom the role is assigned. Service principals are often used for applications and services that need to interact with Azure resources programmatically.

3
Q

Compare Azure RBAC Roles to Azure AD roles

A

Access management:
RBAC roles - Manage access to Azure resources.

Microsoft Entra ID roles - Manage access to Microsoft Entra objects.

Scope assignment:
RBAC - Scope can be specified at multiple levels, including management groups, subscriptions, resource groups and resources.

Microsoft Entra ID - Scope is specified at the tenant level.

Role definitions:
RBAC - Roles can be defined via the Azure CLI, Azure portal, Azure PowerShell, Resource Manager templates and the REST API.

Microsoft Entra ID - Roles can be defined via the Azure admin portal, the Microsoft Office 365 admin portal and Microsoft Graph PowerShell.

4
Q

What is a role Definition?

A

A role definition is a collection of permissions that lists the operations that can be performed.
A role definition is a blueprint or template, usually written in JSON, that defines the set of permissions and actions associated with a specific role.

It specifies what that role can and cannot do within an Azure subscription, resource group or resource.

5
Q

Creating a role definition

A

A custom role definition is composed of the following components (note: the example below uses straight quotes and no trailing commas so that it is valid JSON):

{
  "Name": "RoleName",
  "IsCustom": true,
  "Description": "Role description",
  "Actions": [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action"
  ],
  "NotActions": [
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Network/networkSecurityGroups/delete"
  ],
  "DataActions": [
    "dataAction1",
    "dataAction2"
  ],
  "NotDataActions": [
    "dataAction3",
    "dataAction4"
  ],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId}",
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
  ]
}

1. Name
The name of the role, which serves as its unique identifier. It should be a string without spaces or special characters.

2. IsCustom
A boolean field indicating whether the role is a custom role or a built-in role. Set the field to true for a custom role.

3. Description
A brief description of the role's purpose and the permissions it includes.

4. Actions
An array of actions or permissions that are allowed by the role. Each action is represented as a string and corresponds to a specific operation on Azure resources.

5. NotActions
An optional array of actions that are explicitly denied by the role, even if they fall under the permissions defined in the "Actions" field.

6. DataActions
If you are defining data actions, such as operations on Data Lake Storage, they are specified here.

7. NotDataActions
Used to deny specific data actions if needed.

8. AssignableScopes
An array that specifies the Azure resource scopes at which the role can be assigned. It defines where the role is applicable, such as a subscription, resource group or management group.

6
Q

Create a role assignment

A

The process of binding a role definition to a user, group or service principal at a scope for the purpose of granting access.

Using the Azure portal:
1. Navigate to the specific Azure resource or resource group where you want to create a role assignment
2. Select the Access control (IAM) tab
3. Click the Add button to create a new role assignment
4. In the Add permissions panel, specify the following:
Role
Assign access to
Select user, group or service principal
Save

Using the Azure CLI:
az role assignment create --role "Contributor" --assignee <user_principal_id_or_object_id> --scope /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>

The above command assigns the Contributor role to a user for a resource group.

  • A resource inherits role assignments from its parent resource.
7
Q

Apply RBAC Authentication

A

Azure AD admin roles are usually applied at the tenant level, which means they can only make changes that affect the tenant, not the resources.

The 4 most common are:

1. Global admin
Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities.

2. Application admin
Can create and manage all aspects of app registrations and enterprise apps.

3. Application developer
Can create application registrations independent of the 'Users can register applications' setting.

4. Billing admin
Can perform common billing-related tasks like updating payment information.

8
Q

RBAC scope

A

When you grant access at a parent scope, those permissions are inherited by the child scopes.

In Azure, you can specify a scope at multiple levels: management group > subscription > resource group > resource

Management group - allows you to apply policy to multiple subscriptions that are placed in the group.

Subscription - allows you to manage billing.

Resource group

Resource

9
Q

Built in azure RBAC roles

A

Owner
Has full access to all resources and can delegate access to others

Contributor
Creates and manages all types of Azure resources but cannot grant access to others

Reader
Views Azure resources

There are also built-in roles per resource type:
VM reader
Storage contributor
etc.

User Access Admin (Azure AD role)
Manages user access to Azure resources

10
Q

Access control(IAM)

A

Used to view access control for a particular scope or resource.

Allows you to add, view and check access for specific RBAC roles on the resource group or scope it was set on.
