Azure roles (Azure RBAC) are an authorization system built on Azure Resource Manager: they control which management operations a principal may perform on Azure resources such as virtual machines, storage accounts or key vaults. Azure AD roles govern the directory itself: user and group administration, application registrations, sign-in and multi-factor authentication settings, self-service password reset and other Azure AD functions.

The two systems are independent. An Azure role grants access to resources at its scope and nothing in Azure AD; an Azure AD role grants directory permissions and, by default, nothing on Azure resources. The one deliberate bridge is that a Global Administrator can elevate their access to become User Access Administrator at the root scope "/", which then lets them assign Azure roles in every subscription of the tenant; treat that elevation as a privileged, audited event.


Creating Azure custom roles

Azure provides built-in roles such as Owner, Contributor, Reader and User Access Administrator. When none of them fits (for example, a role that may restart virtual machines but not delete them), you can create a custom role. A custom role definition is built from Actions, NotActions, DataActions and NotDataActions entries (up to 2,000 of them), plus AssignableScopes listing the management group, subscriptions or resource groups at which it may be assigned. Two points matter for security: NotActions only subtracts from the same role's Actions and is not a deny, so a second assignment can still grant the excluded operation; and control-plane Actions never grant data-plane access, which needs DataActions. A tenant can hold up to 5,000 custom roles, and AssignableScopes may not be the root scope "/".

Here are the steps:

  • Open the Azure portal.
  • Navigate to Subscriptions > Access control (IAM) > Roles.
  • Click ‘Add’ and then ‘Add custom role’.
  • Create the new role using ‘JSON’ or by cloning an existing role.
  • Set properties for the new role.
  • Define the permissions and scope.
  • Review and create the role.

You can also create custom roles and list the roles available to you with the Azure CLI or Azure PowerShell. With the Azure CLI the definition is supplied as a JSON file containing the Name, Description, IsCustom, Actions, NotActions, DataActions, NotDataActions and AssignableScopes properties shown on the portal's JSON tab; --custom-role-only restricts the listing to custom roles:

az role definition create --role-definition @custom-role.json
az role definition list --custom-role-only true --output table

Assigning Azure roles

Once you have your roles, assign them. The place where you open Access control (IAM) sets the scope of the assignment (management group, subscription, resource group or individual resource), and the assignment is inherited by everything beneath that scope, so assign at the narrowest scope that does the job:

  • Go to the resource you want to assign a role to.
  • Navigate to Access Control (IAM).
  • Click ‘Add role assignment’.
  • Choose the role you want to assign.
  • Select the member to whom you want to assign the role.
  • Click ‘Save’.

The Azure CLI can also assign roles. The scope is passed explicitly, and --assignee accepts a user principal name, an object ID or a service principal's application ID (replace the placeholders):

az role assignment create --role "Reader" --assignee "<user-upn-or-object-id>" --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>"
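The two procedures above (defining a custom role and assigning it at a scope) come together in the model below. It is an added example, not code from this page or from Microsoft: a small Python model of how Azure RBAC evaluates a request, with wildcard matching of Actions against NotActions, scope inheritance from management group down to resource, the AssignableScopes check Azure applies when an assignment is created, and the JSON shape that az role definition create consumes. The Owner, Contributor, Reader and User Access Administrator definitions mirror the documented built-in roles (Contributor's NotActions are abbreviated to the Microsoft.Authorization entries); the Virtual Machine Operator role, the management-group hierarchy, the principals alice, bob and carol and the resource IDs are constructed for the example.

```python
"""Added example, not code from the page or from Microsoft: a small model of Azure RBAC evaluation.
Built-in roles mirror the documented definitions (Contributor's NotActions abbreviated); everything else is constructed."""
import json
from collections import namedtuple
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class RoleDefinition:
    name: str
    actions: list
    not_actions: list = field(default_factory=list)
    data_actions: list = field(default_factory=list)
    not_data_actions: list = field(default_factory=list)
    assignable_scopes: list = field(default_factory=lambda: ["/"])
    is_custom: bool = False

    def to_cli_json(self) -> str:
        """The JSON shape accepted by `az role definition create --role-definition @file.json`."""
        return json.dumps({"Name": self.name, "IsCustom": self.is_custom,
                           "Description": f"{self.name} (constructed example role)",
                           "Actions": self.actions, "NotActions": self.not_actions,
                           "DataActions": self.data_actions, "NotDataActions": self.not_data_actions,
                           "AssignableScopes": self.assignable_scopes}, indent=2)


RoleAssignment = namedtuple("RoleAssignment", "principal role scope")


def matches(pattern: str, operation: str) -> bool:
    """Operation strings are case-insensitive; '*' matches any characters, '/' included."""
    return fnmatchcase(operation.lower(), pattern.lower())


def role_permits(role: RoleDefinition, operation: str, data_plane: bool = False) -> bool:
    """Effective = Actions minus NotActions (DataActions minus NotDataActions on the data plane).
    NotActions only subtracts inside this role, it is not a deny; Actions never cover data-plane operations."""
    allowed = role.data_actions if data_plane else role.actions
    excluded = role.not_data_actions if data_plane else role.not_actions
    return any(matches(p, operation) for p in allowed) and not any(matches(p, operation) for p in excluded)


# Constructed hierarchy: the management group each subscription belongs to.
SUBSCRIPTION_PARENT = {"/subscriptions/sub-1": "/providers/microsoft.management/managementgroups/mg-prod"}


def parent_scope(scope: str):
    """Resource -> resource group -> subscription -> management group -> tenant root '/'."""
    if scope == "/":
        return None
    parts = scope.strip("/").split("/")
    if parts[0] != "subscriptions":               # a management group; the tree is one level deep here
        return "/"
    if len(parts) == 2:                           # /subscriptions/{id}
        return SUBSCRIPTION_PARENT.get(scope, "/")
    if len(parts) == 4:                           # /subscriptions/{id}/resourcegroups/{rg}
        return "/" + "/".join(parts[:2])
    return "/" + "/".join(parts[:4])              # any resource -> its resource group


def scopes_in_effect(scope: str) -> set:
    """The scope plus every ancestor: an assignment at any of them is inherited here."""
    scope, result = scope.lower(), set()
    while scope is not None:
        result.add(scope)
        scope = parent_scope(scope)
    return result


def assignment_valid(assignment, role: RoleDefinition) -> bool:
    """Azure refuses an assignment whose scope lies outside the role's AssignableScopes."""
    return any(s.lower() in scopes_in_effect(assignment.scope) for s in role.assignable_scopes)


def is_allowed(principal, operation, scope, assignments, roles, data_plane=False) -> bool:
    """Assignments are additive: allowed if ANY assignment in effect at `scope` permits the operation."""
    in_effect = scopes_in_effect(scope)
    return any(a.principal == principal and a.scope.lower() in in_effect
               and role_permits(roles[a.role], operation, data_plane) for a in assignments)


ROLES = {
    "Owner": RoleDefinition("Owner", ["*"]),
    "Contributor": RoleDefinition("Contributor", ["*"], not_actions=[
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]),
    "Reader": RoleDefinition("Reader", ["*/read"]),
    "User Access Administrator": RoleDefinition(
        "User Access Administrator", ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"]),
    "Virtual Machine Operator": RoleDefinition(
        "Virtual Machine Operator", ["Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action", "Microsoft.Compute/virtualMachines/restart/action"],
        assignable_scopes=["/subscriptions/sub-1"], is_custom=True),
}
# Constructed assignments: alice is Contributor, carol is Owner, bob inherits Reader from the MG and has the custom role on rg-a only.
ASSIGNMENTS = [
    RoleAssignment("alice", "Contributor", "/subscriptions/sub-1"),
    RoleAssignment("carol", "Owner", "/subscriptions/sub-1"),
    RoleAssignment("bob", "Reader", "/providers/microsoft.management/managementgroups/mg-prod"),
    RoleAssignment("bob", "Virtual Machine Operator", "/subscriptions/sub-1/resourcegroups/rg-a"),
]
VM_A = "/subscriptions/sub-1/resourcegroups/rg-a/providers/microsoft.compute/virtualmachines/vm1"
VM_B = "/subscriptions/sub-1/resourcegroups/rg-b/providers/microsoft.compute/virtualmachines/vm2"
```

Calling is_allowed with these definitions shows three things the steps above do not: alice (Contributor) cannot perform Microsoft.Authorization/roleAssignments/write because her "*" is carved by NotActions; bob can start vm1 but not vm2, while his Reader assignment three levels up on the management group still lets him read both; and carol (Owner), despite "*", is refused a data-plane operation such as Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read, because data-plane requests are matched only against DataActions. assignment_valid reproduces the error Azure returns when a custom role is assigned outside its AssignableScopes, and to_cli_json emits the file you would pass to az role definition create.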

Azure AD Custom Roles

Custom Azure AD roles require an Azure AD Premium P1 or P2 license and are built from directory permissions such as microsoft.directory/applications/basic/update. The process is as follows:

  • Open the Azure portal.
  • Navigate to Azure Active Directory > Roles and administrators > New custom role.
  • Enter the basics for the role.
  • Define permissions.
  • Review and create the role.

Roles can also be created and assigned with PowerShell or the Microsoft Graph API. The following example uses the AzureAD PowerShell module (deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK, where the equivalents are New-MgRoleManagementDirectoryRoleDefinition and New-MgRoleManagementDirectoryRoleAssignment). Add-AzureADDirectoryRoleMember is the cmdlet for activated built-in directory roles; the documented way to assign a custom role is New-AzureADMSRoleAssignment, here at tenant scope "/":

$rolePermissions = @{ allowedResourceActions = @("microsoft.directory/applications/create", "microsoft.directory/applications/allProperties/read", "microsoft.directory/applications/basic/update", "microsoft.directory/applications/delete") }
$role = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions -DisplayName "CRUD Applications" -IsEnabled $true -Description "Can create, read, update, and delete applications."
$user = Get-AzureADUser -ObjectId "user@contoso.onmicrosoft.com"   # placeholder UPN; -ObjectId also accepts the object ID
New-AzureADMSRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $user.ObjectId -DirectoryScopeId "/"   # "/" = the whole tenant

Assigning Azure AD custom roles

Once the role is created, you can assign it. Assignments are made at tenant scope by default; for supported permissions a custom role can instead be scoped to a single application registration or an administrative unit, which is the least-privilege option:

  • Go to Azure Active Directory > Users.
  • Select a user.
  • Click ‘Assigned roles’ > ‘Add assignments’.
  • Select the custom role you created.
  • Click ‘Add’.

Summary

Managing Azure and Azure AD roles is crucial in maintaining a secure and well-managed Azure environment. Custom roles allow more nuanced control in a complex or multi-user environment. It’s important to understand the distinction between Azure and Azure AD roles and the mechanics of creating and assigning such roles when preparing for the AZ-500 exam.

Practice Test

True or False: Azure Active Directory (Azure AD) has only one built-in administrator role.

  • Answer: False

Explanation: Azure AD has many built-in directory roles, such as Global Administrator, User Administrator and Application Administrator. These govern Azure AD objects (users, groups, applications), not Azure resources.

Which of the following Azure roles allows a user to manage other users' access to Azure resources (create and remove role assignments) without being able to modify the resources themselves?

  • A. Contributor
  • B. Owner
  • C. User Access Administrator
  • D. Reader

Answer: C. User Access Administrator

Explanation: User Access Administrator's actions are */read, Microsoft.Authorization/* and Microsoft.Support/*, so it can assign and remove roles at its scope but cannot change resources. It is a high-value role, since whoever holds it can grant Owner to anyone. Managing Azure AD groups is not an Azure role at all; it is done with an Azure AD role such as Groups Administrator.

True or False: Custom roles can only be assigned at the subscription level in Azure.

  • Answer: False

Explanation: Custom roles in Azure can be assigned at any scope listed in, or beneath, their AssignableScopes: a management group, a subscription, a resource group or an individual resource. Assignments are inherited downwards, so an assignment on a subscription applies to every resource group and resource in it.

In Azure roles, which of the following can be performed by the ‘Owner’?

  • a) Read Resources
  • b) Write Resources
  • c) Delete Resources
  • d) Assign Roles

Answer: a) Read Resources, b) Write Resources, c) Delete Resources, d) Assign Roles.

Explanation: ‘Owner’ has full access to all resources including the right to delegate access to others.

True or False: Azure AD roles can be assigned to users, groups, service principals, and managed identities.

  • Answer: True

Explanation: Azure AD roles can be assigned to users, to service principals (a managed identity is a service principal, so it qualifies) and to groups, provided the group was created as role-assignable (isAssignableToRole), which requires an Azure AD Premium P1 license. Membership of such a group is itself privileged, because joining it confers the role.

Can the ‘Reader’ role in Azure (Azure RBAC) create or delete resources?

  • A. Yes
  • B. No

Answer: B. No

Explanation: Reader's only action is */read, so it can view resources and their configuration but cannot create, delete or modify them. It also grants no data-plane access; reading blob contents, for example, needs a data role such as Storage Blob Data Reader.

Which of the following Azure roles allows the user to view all resources, but not make any changes?

  • A. Reader
  • B. Contributor
  • C. Owner
  • D. User Access Administrator

Answer: A. Reader

Explanation: The ‘Reader’ role provides read-only access to Azure resources; it does not allow for any modifications.

True or False: It’s possible to modify built-in roles in Azure.

  • Answer: False

Explanation: Built-in roles in Azure cannot be modified. However, you can create and manage custom roles.

The ‘___’ Azure role has full access to Azure resources.

  • A. Reader
  • B. User Access Administrator
  • C. Contributor
  • D. Owner

Answer: D. Owner

Explanation: The ‘Owner’ role has full access to Azure resources, including rights to delegate access to others.

Which Azure built-in role grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC?

  • A. Owner
  • B. User Access Administrator
  • C. Contributor
  • D. Global Administrator

Answer: C. Contributor

Explanation: Contributor's Actions are "*", but its NotActions exclude Microsoft.Authorization/*/Write, Microsoft.Authorization/*/Delete and Microsoft.Authorization/elevateAccess/Action, so it can manage resources but cannot create, change or delete role assignments. Owner has no such exclusion, and Global Administrator is an Azure AD role, not an Azure built-in role.

Interview Questions

Q1: What is Azure RBAC?

A1: Azure Role-Based Access Control (RBAC) is the authorization system, built on Azure Resource Manager, that decides who can perform which operations on which Azure resources. A role assignment binds a security principal (user, group, service principal or managed identity) to a role definition at a scope; assignments are additive, and the effective permissions of a principal are the union of all assignments in effect at that scope.

Q2: What are Azure AD roles?

A2: Azure AD roles are used to manage Azure Active Directory objects such as users, groups, applications and devices, and directory settings such as authentication methods. They grant directory privileges to users, groups and applications, and by default they grant nothing on Azure resources.

Q3: How can we create a custom role in Azure?

A3: It depends on which kind of role. An Azure (RBAC) custom role is created from Access control (IAM) on a management group, subscription or resource group (Add > Add custom role), or with az role definition create from a JSON definition. An Azure AD custom role is created under Azure Active Directory > Roles and administrators > New custom role, where you pick directory permissions such as microsoft.directory/applications/basic/update.

Q4: What is the purpose of assigning roles in Azure?

A4: Assigning roles in Azure helps to provide specific access to users, groups, or services on specific resources. This helps in better control and management of resources.

Q5: How can we assign roles in Azure AD?

A5: In Azure AD, go to Roles and administrators, select the role, choose Add assignments and pick the users, role-assignable groups or service principals. The same can be done with New-AzureADMSRoleAssignment (or New-MgRoleManagementDirectoryRoleAssignment) or by posting to the Microsoft Graph roleManagement/directory/roleAssignments endpoint.

Q6: What are the different types of roles in Azure AD?

A6: Examples of built-in Azure AD roles are Global Administrator, User Administrator, Billing Administrator, Service Support Administrator, Password Administrator and Application Administrator. (Service Administrator and Co-Administrator are classic subscription administrator roles, not Azure AD roles.)

Q7: What is the maximum number of custom roles that you can create in Azure AD?

A7: Azure AD caps custom roles per tenant at a documented limit (30 custom roles in the Azure AD service limits). This is separate from Azure RBAC, where a tenant can hold up to 5,000 custom roles.

Q8: Can we assign a custom role to a group in Azure?

A8: Yes, we can assign a custom role to a group in Azure.

Q9: How often are changes to role assignments applied in Azure AD?

A9: Azure AD applies a role assignment change on the directory side at once, but a signed-in user's existing tokens keep the roles they were issued with until they expire and are refreshed, so a removed role can remain usable for up to the token lifetime. Azure RBAC assignment changes can likewise take several minutes to propagate through Resource Manager's cache.

Q10: What is the JSON file used for in creating a custom role in Azure?

A10: The JSON file defines the custom role: Name, Description, IsCustom, Actions, NotActions, DataActions, NotDataActions and AssignableScopes. It is the input to az role definition create --role-definition @file.json and to New-AzRoleDefinition -InputFile, and it is what the portal shows on a role's JSON tab.

Q11: What are the types of Azure roles?

A11: Some types of Azure roles are: Owner, Contributor, Reader, and User Access Administrator.

Q12: What are some common uses of custom roles in Azure?

A12: Some common uses of custom roles in Azure are: to provide specific access to manage resources, to delegate access to users or services, and to limit access to certain actions or resources.

Q13: Can we modify a built-in role in Azure AD?

A13: No, we cannot modify a built-in role in Azure AD. We can only create custom roles.

Q14: What is the Azure Policy built-in role used for?

A14: There is no built-in role named "Azure Policy"; the relevant built-in Azure role is Resource Policy Contributor, which can create and modify policy definitions and assignments. Because a policy assignment can alter or deny deployments across an entire scope, treat this role as privileged.

Q15: Can we delete custom roles in Azure AD?

A15: Yes, we can delete custom roles in Azure AD, but we cannot delete built-in roles.
