Role-based access control (RBAC) is a crucial approach in Azure security administration that provides fine-grained access management for Azure resources. Azure RBAC ships with many built-in roles, but sometimes none of them is an exact match for what your application or team needs. This is when custom roles come in handy, both for Azure resources (Azure RBAC custom roles) and for the directory itself (Azure AD custom roles).
Creating Custom Roles
Creating custom roles allows you to define a role with specific permissions that carefully match the responsibility of the role bearer. The role can then be assigned to users to grant them the specific permissions needed to perform their job.
In order to create custom roles, you need the Microsoft.Authorization/roleDefinitions/write permission on every scope listed in the role's AssignableScopes; the built-in Owner and User Access Administrator roles both grant it. Here is a simplified process to follow when creating a custom role in Azure:
- Define the properties of the custom role in a JSON file. The JSON file names the role, describes it, lists the actions, notActions, dataActions, and notDataActions that the role grants, and lists the assignable scopes (management groups, subscriptions or resource groups) at which it may be assigned. The example below follows the pattern of the built-in Contributor role: everything except access management. Note that NotActions only subtract from this role's own Actions; they are not deny rules, so a principal that also holds another role keeps whatever that role grants.
{
  "Name": "Contoso On-call",
  "Id": null,
  "IsCustom": true,
  "Description": "Lets you manage everything except access to resources.",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/providers/Microsoft.Management/managementGroups/{groupId}"
  ]
}
- Create the role definition in Azure from the JSON file:
You can use Azure CLI (az role definition create --role-definition <file>), Azure PowerShell (New-AzRoleDefinition -InputFile <file>), or the Azure portal (Access control (IAM) > Add > Add custom role) to create a custom role from a JSON file. Azure assigns the Id when the definition is created, which is why it is null in the file.
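The procedure above, carried through end to end with Azure PowerShell as an added example (this is not code from the original page). It uses an explicit allow-list of operations instead of "*" with NotActions, validates each operation against the provider operation catalogue before creating the role, creates or updates the definition, and assigns it to a group at resource-group scope. The role contents, the resource group name "rg-prod-web" and the group name "VM Operators" are assumptions; the subscription is taken from the current Az context.

```powershell
# Added example, not from the original page. Requires the Az module and
# Microsoft.Authorization/roleDefinitions/write at the assignable scope
# (Owner or User Access Administrator on the subscription).
Connect-AzAccount | Out-Null
$subscriptionId = (Get-AzContext).Subscription.Id
$rgName         = "rg-prod-web"      # assumed resource group
$operatorsGroup = "VM Operators"     # assumed Azure AD security group

# Allow-list the operations the role needs. NotActions only subtract from this
# role; they are not deny rules, so a principal holding Contributor elsewhere
# keeps those rights. An explicit Actions list is the safer default.
$roleJson = @"
{
  "Name": "Virtual Machine Operator",
  "Id": null,
  "IsCustom": true,
  "Description": "Start, restart and deallocate VMs; read-only on everything else in scope.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Network/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/$subscriptionId" ]
}
"@
$role = $roleJson | ConvertFrom-Json

# Sanity check before touching Azure: refuse bare wildcards and unknown operations.
foreach ($op in $role.Actions) {
    if ($op -eq "*") { throw "Refusing to create a role that grants '*'." }
    if (-not (Get-AzProviderOperation -OperationSearchString $op)) {
        throw "Unknown operation '$op'; check the provider's operation list."
    }
}

# Create the definition, or update it in place if the name already exists
# (Set-AzRoleDefinition needs the existing Id in the JSON).
$roleFile = Join-Path $env:TEMP "vm-operator.json"
$existing = Get-AzRoleDefinition -Name $role.Name -ErrorAction SilentlyContinue
if ($existing) { $role.Id = $existing.Id }
$role | ConvertTo-Json -Depth 5 | Set-Content -Path $roleFile -Encoding utf8
if ($existing) { Set-AzRoleDefinition -InputFile $roleFile | Out-Null }
else           { New-AzRoleDefinition -InputFile $roleFile | Out-Null }

$created = Get-AzRoleDefinition -Name $role.Name
"Role '{0}' ({1}) grants {2} action(s)" -f $created.Name, $created.Id, $created.Actions.Count

# Assign at the narrowest scope that works. The assignment scope must sit at or
# below one of the role's AssignableScopes, otherwise the assignment is rejected.
$group = Get-AzADGroup -DisplayName $operatorsGroup
$scope = "/subscriptions/$subscriptionId/resourceGroups/$rgName"
$already = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role.Name -Scope $scope -ErrorAction SilentlyContinue
if (-not $already) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role.Name -Scope $scope | Out-Null
}

# Verify who holds the role at this scope (inherited assignments are included).
Get-AzRoleAssignment -RoleDefinitionName $role.Name -Scope $scope |
    Select-Object DisplayName, ObjectType, Scope
```

Run it from a session that already has the Az module installed; the Get-AzProviderOperation check catches typos in operation strings, which otherwise fail only at creation time with a less helpful error.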
Azure AD Custom Roles
Azure Active Directory (Azure AD) roles let administrators manage Azure AD objects (users, groups, applications, devices, directory settings) through the Azure portal, the Azure AD admin center, and other Microsoft services such as Microsoft 365.
Custom roles in Azure AD allow you to tailor permissions more finely than the built-in Azure AD roles, to better suit the specific needs of your organization. You define a role from a set of granular directory permissions and then assign it to users, role-assignable groups, or service principals within your tenant. It is important to note that Azure AD custom roles can only include a supported subset of directory permissions (for example application registration, enterprise application, group and user management) and cannot grant any access to Azure resources; that remains the job of Azure RBAC.
Remember, only users holding the Privileged Role Administrator or Global Administrator role can create, read, update, or delete custom roles in Azure AD.
Here is an example of creating a custom role in Azure AD with the AzureAD PowerShell module. The role permission object has to be built first; the permission used here (microsoft.directory/users/inviteGuest) is one reasonable choice for a guest-inviter role and is assumed for the example:
$rolePermission = @{ allowedResourceActions = @("microsoft.directory/users/inviteGuest") }
New-AzureADMSRoleDefinition -RolePermissions @($rolePermission) -DisplayName "Minimal guest inviter" -Description "Can invite guests with minimal attributes" -TemplateId "91228ccb-1e63-4b7e-9a99-15c37ba385ee" -IsEnabled $true
This PowerShell command creates a new Azure AD custom role named 'Minimal guest inviter' whose permissions are limited to the allowedResourceActions listed in the '$rolePermission' object. The TemplateId is a GUID you choose for the custom role. Note that the AzureAD module has been retired by Microsoft in favour of the Microsoft Graph PowerShell SDK, where the equivalent cmdlet is New-MgRoleManagementDirectoryRoleDefinition.
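The same task done with the Microsoft Graph PowerShell SDK, which is the supported replacement for the AzureAD module, as an added example that is not part of the original page. It creates a custom role limited to updating app registration properties and credentials, assigns it to a role-assignable group at directory scope, and lists the resulting assignments. The role name, the permission set and the group name "App Registration Support" are assumptions.

```powershell
# Added example, not from the original page. Needs Privileged Role Administrator
# (or Global Administrator) and the Microsoft.Graph.Identity.Governance and
# Microsoft.Graph.Groups modules.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.Read.All" | Out-Null

$roleName    = "Application Registration Support Administrator"   # assumed
$permissions = @(                                                  # assumed set
    "microsoft.directory/applications/basic/update",
    "microsoft.directory/applications/credentials/update"
)

# Create the definition only if it does not exist yet (display names are not
# unique in the directory, so a duplicate would silently create a second role).
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $roleDef) {
    $body = @{
        displayName     = $roleName
        description     = "Can update basic properties and credentials of app registrations."
        isEnabled       = $true
        rolePermissions = @( @{ allowedResourceActions = $permissions } )
    }
    $roleDef = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $body
}
"Role '{0}' has id {1}" -f $roleDef.DisplayName, $roleDef.Id

# Only role-assignable groups (isAssignableToRole = true, fixed at group creation)
# can hold directory roles. Membership of such a group is itself a privilege,
# so check the flag rather than assuming the group qualifies.
$group = Get-MgGroup -Filter "displayName eq 'App Registration Support'" `
                     -Property "id,displayName,isAssignableToRole"
if (-not $group -or -not $group.IsAssignableToRole) {
    throw "Group must exist and be role-assignable (isAssignableToRole=true)."
}

# Directory scope "/" means the whole tenant; "/administrativeUnits/<id>" narrows
# the assignment to one administrative unit.
$assignment = @{
    "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
    roleDefinitionId = $roleDef.Id
    principalId      = $group.Id
    directoryScopeId = "/"
}
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $assignment | Out-Null

# Verify: every assignment of the new role, with principal and scope.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($roleDef.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```

Because the permissions that custom roles accept are a restricted subset of the directory permission space, an unsupported string in allowedResourceActions is rejected by the service at creation time; keep the list to the specific application, group or user permissions documented as custom-role capable.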
Conclusion
In summary, the flexibility that comes with custom roles in Azure RBAC and Azure AD helps enforce the principle of least privilege, a standard security practice. By granting only the permissions required to perform a specific duty, you limit the blast radius if an account is compromised. Gauge your needs, prefer explicit allow-lists over wildcards, keep assignable scopes narrow, and review custom roles and their assignments regularly.
Practice Test
True/False: Azure AD roles and role-based access control (RBAC) are the same things.
- True
- False
Answer: False
Explanation: Although both are permission systems, Azure RBAC and Azure AD roles are fundamentally different. Azure RBAC controls who has access to Azure resources (at management group, subscription, resource group and resource scope), while Azure AD roles control who can manage the Azure AD directory itself.
What allows Azure administrators to provide only the amount of access necessary to perform certain jobs?
- a. Azure AD Groups
- b. Azure AD Roles
- c. Azure AD Connect
- d. Azure RBAC
Answer: d. Azure RBAC
Explanation: Role-Based Access Control (RBAC) supports the principle of least privilege by allowing administrators to provide only the extent of access to users, groups, and applications that is essential to perform their jobs.
Custom roles in Azure RBAC can be created using which of the following?
- a. Azure portal
- b. Powershell
- c. Azure CLI
- d. All of the above
Answer: d. All of the above
Explanation: Azure RBAC custom roles can be made and managed using the Azure portal, Azure CLI, or PowerShell.
Custom Azure roles can be created by all users by default. True/False?
- True
- False
Answer: False
Explanation: Only users with the Microsoft.Authorization/roleDefinitions/write permission can create Azure custom roles.
In order to create custom roles in Azure, users need:
- a. Global admin permissions
- b. Write permissions for Microsoft.Authorization/roleDefinitions/
- c. Billing Account Owner permissions
- d. Azure Advisor permissions
Answer: b. Write permissions for Microsoft.Authorization/roleDefinitions/
Explanation: Custom Azure roles can be made by users with the Microsoft.Authorization/roleDefinitions/write permission.
Which Azure AD roles can't be modified or deleted?
- a) Directory Writers
- b) User administrators
- c) Custom roles
- d) Power User roles
Answer: b) User administrators
Explanation: Built-in directory roles such as User Administrator cannot be modified or deleted in Azure AD; only custom roles can be edited or removed.
True/False: We can assign custom roles at the management group level.
- True
- False
Answer: True
Explanation: Custom roles can be assigned at the management group level, which are then inherited by all the subscriptions, resource groups, and resources within the management group.
Is it possible to assign a role to a service principal in Azure RBAC?
- a. Yes
- b. No
Answer: a. Yes
Explanation: In Azure RBAC, a role can be assigned to a service principal, which represents a security identity used by applications or services.
Who can assign roles in Azure RBAC?
- a. Owner
- b. User Access Administrator
- c. Both a and b
- d. None of the above
Answer: c. Both a and b
Explanation: Roles can be assigned by the User Access Administrator and Owner roles in Azure RBAC.
The scope of permissions for a custom role in Azure RBAC can include:
- a. Management Group
- b. Resources
- c. Resource Group
- d. All of the above
Answer: d. All of the above
Explanation: The scope of a custom role in Azure RBAC can range from a specific resource to a management group.
How many Azure AD roles can be assigned to a single user or group?
- a. Only one
- b. Up to five
- c. Up to ten
- d. Up to 250
Answer: d. Up to 250
Explanation: Azure AD allows up to 250 directory roles to be assigned to a user or group.
True/False: Azure AD roles can be assigned across multiple tenants.
- True
- False
Answer: False
Explanation: Azure AD roles are tenant-specific, and role assignments are not shared across tenants.
Which of the following Azure AD roles provides full access to manage all resources, including access to the access control panel and all data?
- a. Global administrator
- b. Security administrator
- c. Security reader
- d. User administrator
Answer: a. Global administrator
Explanation: The Global Administrator role in Azure AD has access to all administrative features of the directory. It can also elevate itself to User Access Administrator at the root scope of all Azure subscriptions (Microsoft.Authorization/elevateAccess/Action), which is why it should be held by very few accounts and protected with strong authentication.
Azure AD roles do not provide permissions to manage Azure resources. True/False?
- True
- False
Answer: True
Explanation: Azure AD roles are for controlling access to the Azure AD directory, not for managing access to Azure resources.
True/False: Azure RBAC roles are Azure AD directory-wide roles.
- True
- False
Answer: False
Explanation: Azure RBAC roles are not directory-wide in Azure AD. They assign permissions to manage Azure resources.
Interview Questions
What is role-based access control (RBAC) in Azure?
RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. Access is granted through role assignments: each assignment binds a security principal (user, group, service principal or managed identity) to a role definition at a particular scope, and the permissions are inherited by all child scopes.
How many types of roles are there in Azure RBAC?
There are two types of roles in Azure RBAC: built-in roles, which Microsoft defines and which cannot be modified, and custom roles, which you define. The four fundamental built-in roles are Owner, Contributor, Reader and User Access Administrator. The Owner can manage everything, including access to resources. The Contributor can manage everything except access to resources. The Reader can only view existing resources. The User Access Administrator can manage user access to resources but not the resources themselves.
How to define a custom role in Azure RBAC?
A custom role in Azure RBAC is defined in a JSON document containing a unique name, a description, the assignable scopes, and the lists of permissions (Actions, NotActions, DataActions, NotDataActions). The Id is left null; Azure generates it when the definition is created with the portal, Azure CLI or Azure PowerShell.
What is Azure Active Directory?
Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud-based directory, and identity management service. It provides core directory services, application access management, and identity protection.
Who can create custom roles in Azure AD?
Global administrators and Privileged Role administrators can create custom roles in Azure AD.
What is the difference between Azure RBAC and Azure AD roles?
Azure RBAC controls access to resources within Azure, whereas Azure AD roles control access to Azure AD resources. Azure RBAC roles are at the management group, subscription, resource group, and resource scope, while Azure AD roles are at the directory scope.
When would you typically create a custom role?
One would typically create a custom role when none of the built-in roles meet specific organizational requirements, such as a user needs to perform certain tasks that aren’t encapsulated in a single built-in role.
What are assignable scopes within the Azure RBAC?
Assignable scopes define where a custom role definition is allowed to be assigned: management groups, subscriptions or resource groups. The role can then be assigned at any scope inside those, down to a single resource; an assignment outside the assignable scopes is rejected.
Are permissions in Azure RBAC cumulative?
Yes, in Azure RBAC, if a user is assigned to more than one role, they will have the combined permissions of all the roles.
Can Azure AD roles be assigned at the subscription or resource level?
No. Azure AD roles are assigned at directory scope (optionally narrowed to an administrative unit or, for some roles, a single application), never at a subscription or resource scope. Azure RBAC roles govern permissions at the management group, subscription, resource group and resource levels.
Can multiple assignable scopes be applied to a single role?
Yes, a single Azure RBAC role can have multiple assignable scopes, allowing the role to apply to multiple subscriptions or resource groups.
What is the process to assign a role in Azure RBAC?
You first open the scope (management group, subscription, resource group, or single resource), then select "Access control (IAM)", choose "Add" > "Add role assignment", pick the role, select the members (user, group, service principal or managed identity), and finally click "Review + assign".
Is there a limit to the number of Azure custom roles you can create?
Yes, there is a limit. An Azure AD tenant can have up to 5,000 Azure RBAC custom role definitions (built-in roles do not count against this limit).
Can custom Azure AD roles be assigned to groups?
Yes. Custom Azure AD roles can be assigned to users, service principals (including managed identities) and groups, but only to role-assignable groups, that is, groups created with isAssignableToRole set to true.
Can an Azure custom role be deleted?
Yes, an Azure custom role can be deleted, but only if there are no assignments for the role. If there are any assignments, they must be removed before deleting the role.
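The removal order described in the answer above, as an added Azure PowerShell example that is not part of the original page: enumerate every assignment of a custom role across its assignable scopes, show them in a dry run, then remove the assignments and the definition. The role name "Virtual Machine Operator" is an assumption.

```powershell
# Added example, not from the original page. Requires the Az module and
# Microsoft.Authorization/roleAssignments/delete plus roleDefinitions/delete
# on the role's assignable scopes.
$roleName = "Virtual Machine Operator"   # assumed custom role
$dryRun   = $true                        # flip to $false to actually delete

$def = Get-AzRoleDefinition -Name $roleName
if (-not $def)           { throw "No role named '$roleName'." }
if (-not $def.IsCustom)  { throw "'$roleName' is a built-in role and cannot be deleted." }

# Custom-role assignments can only exist at or below the role's AssignableScopes,
# so querying each assignable scope finds all of them. Listing at a scope also
# returns child scopes; deduplicate by assignment id.
$assignments = foreach ($scope in $def.AssignableScopes) {
    Get-AzRoleAssignment -RoleDefinitionId $def.Id -Scope $scope
}
$assignments = @($assignments | Sort-Object RoleAssignmentId -Unique)

"{0} assignment(s) of '{1}' found" -f $assignments.Count, $roleName
$assignments | Select-Object DisplayName, ObjectType, Scope | Format-Table -AutoSize

if ($dryRun) {
    "Dry run only; set `$dryRun = `$false to remove the assignments and the role."
    return
}

# Remove-AzRoleDefinition fails while any assignment exists, so clear them first.
foreach ($a in $assignments) {
    Remove-AzRoleAssignment -ObjectId $a.ObjectId -RoleDefinitionId $def.Id -Scope $a.Scope
}
Remove-AzRoleDefinition -Id $def.Id -Force

# Confirm the definition is gone.
if (Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue) {
    throw "Role '$roleName' still exists."
}
"Role '$roleName' and its $($assignments.Count) assignment(s) removed."
```

Keep the dry run in place the first time you run it: assignments to deleted principals show up with ObjectType "Unknown", and seeing them listed before anything is removed is usually the first sign that a role has been accumulating stale assignments.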