- How to enable Azure App Service Automatic Scaling - Fri, Apr 19 2024
- An Azure Storage Actions example - Fri, Mar 29 2024
- An example of using PowerShell to manage system and user-assigned managed identities in Azure - Fri, Feb 9 2024
Managing role definitions
Almost every day we keep hearing of new developments and features coming in Azure. With this, it is getting more important to maintain services in an isolated and secure manner. Azure has a very wide range of services that several different teams at companies consume. At a company, it is critical to separate roles and permissions and assign correct permissions to correct teams so that each team can only access the resources they are responsible for.
Each role in Azure consists of a number of role actions that are like permission sets. You can customize these permission sets if you need to create any custom roles. In such cases, you can pick up required actions and place them in a custom role definition that you can then assign to a specific user, group, or application.
First, let's take a look at all available roles in Azure. Roles in Azure are called "role definitions." You can list them with this command:
GetAzureRmRoleDefinition | ft name
Role definitions represent Azure roles
There are currently 62 roles available in Azure, but Microsoft will no doubt add new roles as they roll out new services in the future.
Each role consists of several actions, which basically represent the permission sets over certain services. For example, the Network Contributor role contains several actions like Microsoft.Network/*. This one basically entails every possible action in the Microsoft.Network resource provider. So if we grant a user the Network Contributor role, the user will be able to take any actions in specified network resources.
So to see all actions available in a specific Azure role, we should execute the following:
(Get-AzureRmRoleDefinition "Network Contributor").actions
The actions in a role definition are permission sets used to grant access to objects
As seen above, the Network Contributor role has seven actions defined in it. Let's look at another example for the Virtual Machine Contributor role and see what actions it contains.
(Get-AzureRmRoleDefinition "Virtual Machine Contributor").actions
Virtual Machine Contributor role actions
The Virtual Machine Contributor role has a number of actions available. You may have noticed that both the Network Contributor and Virtual Machine Contributor roles have some common actions defined in their action lists. That's because virtual machine administrators may need to manage network-related resources such as network interface cards, load balancers, and so on, which might be associated with a certain virtual machine.
Managing role assignments
It is also important for admins to check who has access on resources such as a subscription or a resource group. To view current permissions on all resources to which a user has access, use the following line:
Get-AzureRmRoleAssignment -SignInName "[email protected]"
In case we'd like to list the permissions of a group a specific user is a member of on all resources, we need to use the following:
Get-AzureRmRoleAssignment -SignInName "[email protected]" -ExpandPrincipalGroups
A user's permissions on a resource inherited from a group
ObjectType simply shows whether the object is a user, group, or application.
If we want to list permissions on a specific resource, we can narrow down the result by specifying the scope using this command:
Get-AzureRmRoleAssignment -scope "/subscriptions/f0675ec9-480d-4c2a-982a-ed97983af390" | select displayname
All objects that have permissions over a specific subscription
This command lists all objects including users, groups, and applications that have permissions on a specific resource. In this scenario it is a subscription.
Managing custom roles
Besides listing roles and permissions in Azure, it is also very important for admins to be able to grant users or groups the necessary roles on certain resources. To be able to assign a role to a group, first we need to get the group's ObjectID using the command below:
Get-AzureRmADGroup -SearchString "Sales (Sample Group)"
Getting a group's ObjectID
We can now assign a role to this group using the ObjectID of the group, the role definition required, and the scope. In this scenario we will assign the Virtual Machine Contributor role to the Sales group over the subscription with a subscription ID of f0675ec9-480d-4c2a-982a-ed97983af390.
New-AzureRmRoleAssignment -ObjectId "74b007ea-ab34-4209-981e-c538200fe251" ‑RoleDefinitionName "Virtual Machine Contributor" -Scope "/subscriptions/f0675ec9-480d-4c2a-982a-ed97983af390"
Creating a custom role and assigning it to a group
Of course, we can grant users and applications specific permissions in exactly the same way we used above.
To remove a role from a specific user, group, or application:
Remove-AzureRmRoleAssignment -ObjectId "74b007ea-ab34-4209-981e-c538200fe251" -RoleDefinitionName "Virtual Machine Contributor" -Scope "/subscriptions/f0675ec9-480d-4c2a-982a-ed97983af390"
Removing a custom role
As you can see, there are hundreds of different scenarios when it comes to managing roles and permissions in Azure.
Creating a role-based access control report
Lastly, let's create a report in detail showing all the permissions assigned to users, groups, and applications throughout a subscription.
$result=@()
$result+="displayname,objecttype,roledefinitionname,actions"
Get-AzureRmRoleAssignment -scope "/subscriptions/f0675ec9-480d-4c2a-982a-ed97983af390" | foreach{
$displayname=$_.DisplayName
$objecttype=$_.ObjectType
$roledefinitionname=$_.RoleDefinitionName
$actions=(Get-AzureRmRoleDefinition -Name $_.roledefinitionname).actions
$result+="$displayname,$objecttype,$roledefinitionname,$actions"
}
$result | out-file c:\filename.csv
Reporting Azure roles assigned to the objects
Subscribe to 4sysops newsletter!
In this article, we've had a look at Azure roles and how we can easily manage role assignment tasks for Azure resources.
IT Administration News
- IBM to Acquire HashiCorp, Inc. Creating a Comprehensive End-to-End Hybrid Cloud Platform
- Nation-state hackers exploit Cisco firewall 0-days to backdoor government networks | Ars Technica
- Microsofts Configuration Manager Update 2403 Brings Diagnostic Dashboard, Other New Features
- GitHub Touts 2FA Adoption Success, Looks Ahead to Further Adoption – Thurrott.com
- OpenAI: Introducing more enterprise-grade features for API customers
