In managing your organization’s resources in Azure, a significant amount of control and governance comes from defining roles and assigning access permissions. Whether you are preparing for the SC-300 Microsoft Identity and Access Administrator exam or simply using Azure for your organization, understanding how to configure custom roles is a must-have skill. This post will explain how to work with Azure’s custom role configuration for better resource management.

What are Azure Roles?

In Azure, a role is a collection of permissions used to control access to Azure resources. Built-in roles such as Owner, Contributor, and Reader grant broad access, while others such as Virtual Machine Contributor and SQL Server Contributor are scoped to specific resource types.

However, the built-in roles will not always match your requirements; this is where custom roles come in. Custom roles let you define access to Azure resources more precisely, granting only the permissions a job actually needs.

Creating Azure Custom Roles

Using Azure Portal

  • Step One: Head to the Azure portal, locate and select “Subscriptions”.
  • Step Two: Take note of your subscription ID, select “Access control (IAM)”, and then click “+ Add”.
  • Step Three: Select “Add custom role”.
  • Step Four: In the “Basics” tab, enter your custom role name, a brief description, and specify whether it’s assignable at the subscription or resource group level.
  • Step Five: On the “Permissions” tab, select permissions that your custom role requires.
  • Step Six: Review your settings on the “JSON” tab, and then click “Create” to finish.

Using Azure PowerShell

You can also use PowerShell to create a new custom role. Initialize a variable to hold the set of permissions that you want to assign to the role:

$actions = "Microsoft.Support/*","Microsoft.Advisor/*"

Then use the New-AzRoleDefinition cmdlet to create the custom role. Note that New-AzRoleDefinition does not take -Name, -Description or -Actions parameters; it accepts a PSRoleDefinition object through -Role (or a JSON file through -InputFile). The usual pattern is to fetch a built-in role with Get-AzRoleDefinition as a template, clear its ID and permission lists, set the new properties, and submit it:

$role = Get-AzRoleDefinition -Name "Reader"
$role.Id = $null
$role.IsCustom = $true
$role.Name = "Custom Role"
$role.Description = "Allows for specific actions."
$role.Actions.Clear()
foreach ($action in $actions) { $role.Actions.Add($action) }
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/{subscriptionId}")
New-AzRoleDefinition -Role $role
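The same role can also be created from a JSON definition file with the -InputFile parameter, which is easier to keep in source control and review before it is applied. The following is an added example, not code from the original post: it assumes the Az.Resources module and an existing Connect-AzAccount session, uses {subscriptionId} as a placeholder, and lists two narrow read operations (Microsoft.Support/supportTickets/read and Microsoft.Advisor/recommendations/read) chosen for this example instead of the provider-wide wildcards. After creating the role it reads the stored definition back and lists the custom roles visible at the subscription scope so you can confirm exactly what was granted.

```powershell
# Added example (not from the original post): create a custom role from a JSON
# definition with New-AzRoleDefinition -InputFile, then verify what Azure stored.
# Assumes the Az.Resources module and an active Connect-AzAccount session.
# {subscriptionId} is a placeholder; replace it with your subscription ID.

$subscriptionId = "{subscriptionId}"

# Role definition in the shape New-AzRoleDefinition -InputFile expects.
# Operations are listed explicitly rather than using "Microsoft.Support/*".
$definition = @{
    Name             = "Support Request Reader"
    IsCustom         = $true
    Description      = "Read support tickets and Advisor recommendations only."
    Actions          = @(
        "Microsoft.Support/supportTickets/read",
        "Microsoft.Advisor/recommendations/read"
    )
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @("/subscriptions/$subscriptionId")
}

# Write the definition to a temporary file and create the role from it.
$path = Join-Path ([System.IO.Path]::GetTempPath()) "support-request-reader.json"
$definition | ConvertTo-Json -Depth 5 | Set-Content -Path $path -Encoding utf8
$created = New-AzRoleDefinition -InputFile $path

# Verification step: re-read the definition by name and show its permissions
# and scopes, then list every custom role visible at this subscription.
Get-AzRoleDefinition -Name $created.Name |
    Format-List Name, IsCustom, Actions, NotActions, AssignableScopes
Get-AzRoleDefinition -Custom -Scope "/subscriptions/$subscriptionId" |
    Select-Object Name, Id
```

Keeping the JSON file alongside your infrastructure code means a change to a role's Actions or AssignableScopes shows up in a pull request like any other change, which is much easier to audit than edits made in the portal.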

Comparing Azure Built-In Roles and Custom Roles

Aspect             Azure Built-In Roles              Custom Roles
Flexibility        Limited                           High
Management         Microsoft managed                 User managed
Assignment scope   Subscription or resource group    Subscription, resource group, or specific resource

Conclusion

Configuring custom Azure roles gives you finer control over the access you assign to your Azure resources. Whether you use the Azure portal or PowerShell, you can create roles that match your organization's requirements, making it simpler and safer to manage your resources and accounts.

As you prepare for the SC-300 Microsoft Identity and Access Administrator exam, understanding these principles of identity and access management, particularly custom role creation, is a valuable tool in your study arsenal.

Remember to consult the official Microsoft documentation to keep up with any updates or changes. Happy learning!

Practice Test

True or False: Custom Azure roles can be created using the Azure portal.

  • True
  • False

Answer: True

Explanation: Apart from using Azure PowerShell and Azure CLI, custom Azure roles can also be created directly from the Azure portal.

In Azure, who can assign roles?

  • A) Owner
  • B) Reader
  • C) Contributor
  • D) User Access Admin

Answer: A) Owner and D) User Access Admin

Explanation: Both Owner and User Access Admin have permissions to assign roles in Azure.

What is the maximum number of custom roles that can be created per subscription in Azure?

  • A) 2000
  • B) 5000
  • C) 1000
  • D) 4000

Answer: A) 2000

Explanation: You can create a maximum of 2000 custom roles per subscription in Azure.

True or False: It is possible to change the name of a built-in role in Azure.

  • True
  • False

Answer: False

Explanation: The name of a built-in role in Azure can’t be changed. You can only change the name of a custom role.

Which command can be used to create a custom role in Azure CLI?

  • A) az role definition create
  • B) az role definition list
  • C) az role definition delete
  • D) az role definition update

Answer: A) az role definition create

Explanation: The ‘az role definition create’ command is used in the Azure Command Line Interface (CLI) to create a custom role.

Which of the following permissions are needed to create, update, or delete custom roles at the subscription scope in Azure?

  • A) Microsoft.Authorization/roleDefinitions/read
  • B) Microsoft.Authorization/roleDefinitions/write
  • C) Microsoft.Authorization/roleDefinitions/delete
  • D) Microsoft.Authorization/roleDefinitions/list

Answer: B) Microsoft.Authorization/roleDefinitions/write and C) Microsoft.Authorization/roleDefinitions/delete

Explanation: To create and delete custom roles at the subscription scope, Microsoft.Authorization/roleDefinitions/write and Microsoft.Authorization/roleDefinitions/delete permissions are necessary.

True or False: To make a custom Azure role available at the management group and subscription level, you must assign it at the tenant root group level.

  • True
  • False

Answer: True

Explanation: To make a custom role available at all scopes of management groups and subscriptions, you must assign it at the tenant root group level.

Can the actions of a custom Azure role be updated after it is created?

Answer: Yes

Explanation: The permissions of custom Azure roles can be updated after their creation, using either the Azure portal or Azure CLI commands.

The Azure custom role has specific permissions that you can’t assign using the built-in roles.

  • A) True
  • B) False

Answer: A) True

Explanation: Azure custom roles give you the flexibility to create roles with specific permissions that may not be covered by the built-in roles.

Which role allows users to manage role assignments but can’t change access to resources in Azure?

  • A) User Access Administrator
  • B) Reader
  • C) Contributor
  • D) Owner

Answer: A) User Access Administrator

Explanation: The User Access Administrator role allows users to manage role assignments, but does not allow them to change access to resources.

Custom Azure roles can be assigned to only users, not groups. True or False?

  • True
  • False

Answer: False

Explanation: In Azure, custom roles can be assigned to users, groups, service principals, and managed identities.

Is it required to specify Actions, NotActions, DataActions or NotDataActions for Azure custom roles?

  • A) True
  • B) False

Answer: A) True

Explanation: At least one of the fields among Actions, NotActions, DataActions and NotDataActions must be specified when defining custom Azure roles.

A custom role in Azure can be made available throughout all scopes in Azure to:

  • A) A directory
  • B) A subscription
  • C) A resource group
  • D) All of the above

Answer: A) A directory

Explanation: A custom role can be made available throughout all scopes in Azure at the directory level, also known as the tenant level.

The Azure role-based access control (RBAC) model includes __ custom role(s).

  • A) Only one
  • B) More than one

Answer: B) More than one

Explanation: The Azure Role-based Access Control (RBAC) model allows you to create more than one custom role depending on the specific needs of the organization.

The AzureAD module is used in PowerShell to list all custom roles in Azure Active Directory. True or False?

  • True
  • False

Answer: True

Explanation: The AzureAD module in PowerShell is used for Azure Active Directory cmdlets, including getting a list of all custom roles.

Interview Questions

What is the purpose of configuring custom Azure roles?

Configuring custom Azure roles allows organizations to create their own roles with specific permissions that match their unique business needs. This way, they can grant only the required access to individuals or groups.

Can you modify properties of built-in roles in Azure?

No, properties of built-in roles in Azure cannot be modified. However, you can copy a built-in role, modify the copy based on your needs, and then save it as a custom role.

How do you create a custom role in Azure?

A custom role in Azure can be created using Azure portal, Azure CLI, or Azure PowerShell. You need to specify a name, description, assignable scopes, and permissions for the role.

What is the role of an assignable scope when creating a custom Azure Role?

The assignable scope defines the set of resources where the custom role is available for assignment. This scope can include subscriptions, resource groups, and individual resources.

How many permissions can you add to a custom Azure role?

You can add up to 2000 actions, notActions, dataActions, or notDataActions combined to a custom Azure role.

What happens when you delete a custom role in Azure?

When you delete a custom Azure role, it is removed from the Azure Role-Based Access Control (RBAC) system and it is no longer available for assigning to users, groups, and service principals.

Can you restore a deleted custom role in Azure?

No, once a custom role has been deleted, it cannot be restored.

Where do you define the permissions for the custom roles in Azure?

Permissions for custom roles in Azure are defined in the ‘actions’, ‘notActions’, ‘dataActions’, and ‘notDataActions’ properties of the role definition.

Can a custom role be assigned at the management group level?

Yes, a custom role can be assigned at the management group level. This allows the role to be available for assignment across multiple subscriptions.

How is a custom role in Azure different from built-in roles?

Unlike built-in roles that come predefined by Azure, custom roles in Azure can be tailored to the needs of the organization by selecting only the permissions that are needed.

What is RBAC in relation to Azure?

Role-Based Access Control (RBAC) is an authorization system in Azure that helps manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

Why should you not use the wildcard (*) character when defining actions in a custom role in Azure?

The wildcard (*) character is not recommended because it can lead to the role having excessive permissions, as it includes all the actions in the resource provider. It’s always best to grant only the necessary permissions for a role.
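The constraints discussed on this page (at least one of Actions, NotActions, DataActions or NotDataActions must be specified; at most 2000 entries combined; a name, description and assignable scopes are required; wildcards grant more than intended) can all be checked before a definition is ever submitted to Azure. The following is an added example, not code from the original post: a Test-CustomRoleDefinition function of this example's own design that lints a role definition JSON string offline and returns errors and warnings, followed by two constructed sample definitions (one using provider-wide wildcards, one listing a single operation). It runs in PowerShell with no Azure connection; the scope patterns it accepts (tenant root, management group, subscription, resource group) and the {subscriptionId} placeholder are this example's assumptions.

```powershell
# Added example (not from the original post): offline pre-flight check for a
# custom role definition JSON. Function name and rules are this example's own.
function Test-CustomRoleDefinition {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Json
    )

    $role     = $Json | ConvertFrom-Json
    $errors   = New-Object System.Collections.Generic.List[string]
    $warnings = New-Object System.Collections.Generic.List[string]

    # Name, description and assignable scopes are required fields.
    if ([string]::IsNullOrWhiteSpace($role.Name))        { $errors.Add("Name is required.") }
    if ([string]::IsNullOrWhiteSpace($role.Description)) { $errors.Add("Description is required.") }

    $scopes = @($role.AssignableScopes | Where-Object { $_ })
    if ($scopes.Count -eq 0) { $errors.Add("AssignableScopes must list at least one scope.") }

    # Scope shapes accepted here (assumption): tenant root "/", management group,
    # subscription, or resource group.
    $scopePattern = '^(/|/providers/Microsoft\.Management/managementGroups/[^/]+|/subscriptions/[^/]+(/resourceGroups/[^/]+)?)$'
    foreach ($s in $scopes) {
        if ($s -notmatch $scopePattern) { $errors.Add("Unrecognised assignable scope: $s") }
    }

    # Collect the four permission lists; a missing property reads as empty.
    $lists = [ordered]@{}
    foreach ($name in 'Actions', 'NotActions', 'DataActions', 'NotDataActions') {
        $lists[$name] = @($role.$name | Where-Object { $_ })
    }
    $total = 0
    foreach ($name in $lists.Keys) { $total += $lists[$name].Count }

    # At least one list must be present, and the combined size is capped at 2000.
    if ($total -eq 0) {
        $errors.Add("At least one of Actions, NotActions, DataActions or NotDataActions must be specified.")
    }
    if ($total -gt 2000) {
        $errors.Add("Role has $total permission entries; the limit is 2000 combined.")
    }

    # A wildcard grants every matching operation, including ones added later.
    foreach ($name in 'Actions', 'DataActions') {
        foreach ($entry in $lists[$name]) {
            if ($entry -eq '*') {
                $errors.Add("$name contains a bare '*', which grants every operation.")
            } elseif ($entry.Contains('*')) {
                $warnings.Add("$name entry '$entry' uses a wildcard; list the specific operations instead.")
            }
        }
    }

    [pscustomobject]@{
        Name     = $role.Name
        IsValid  = ($errors.Count -eq 0)
        Errors   = $errors.ToArray()
        Warnings = $warnings.ToArray()
    }
}

# Constructed sample definitions (not real tenant data); {subscriptionId} is a placeholder.
$broad = @'
{
  "Name": "Support Operator",
  "IsCustom": true,
  "Description": "Handles support tickets.",
  "Actions": [ "Microsoft.Support/*", "Microsoft.Advisor/*" ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/{subscriptionId}" ]
}
'@

$tight = @'
{
  "Name": "Support Ticket Reader",
  "IsCustom": true,
  "Description": "Reads support tickets only.",
  "Actions": [ "Microsoft.Support/supportTickets/read" ],
  "AssignableScopes": [ "/subscriptions/{subscriptionId}/resourceGroups/rg-support" ]
}
'@

# The first definition passes but carries two wildcard warnings; the second is clean.
$broad, $tight | ForEach-Object { Test-CustomRoleDefinition -Json $_ } | Format-List
```

Wildcards are reported as warnings rather than errors because some roles legitimately need them; the point of the check is that a reviewer sees every wildcard before the role is created, and a bare "*" (every operation) is never accepted silently.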

Can you change the name of a custom role?

Yes, you can change the name of a custom role by updating the role in Azure portal, Azure CLI, or Azure PowerShell.

How can you review the permissions of a custom role in Azure?

You can review the permissions of a custom role from Azure portal, Azure CLI, or Azure PowerShell. In Azure portal, you can find the detailed permissions under the ‘permissions’ tab of the role.

Can you assign a custom role to an Azure AD group?

Yes, you can assign a custom role to an Azure AD group. All members in the group will inherit the permissions defined in the role.
