What is Azure RBAC?
Completed 100 XP
8 minutes
When it comes to identity and access, most organizations that are considering using the
public cloud are concerned about two things:
1. Ensuring that when people leave the organization, they lose access to resources in
the cloud.
2. Striking the right balance between autonomy and central governance; for example,
giving project teams the ability to create and manage virtual machines in the cloud
while centrally controlling the networks those VMs use to communicate with other
resources.
Microsoft Entra ID and Azure role-based access control (Azure RBAC) work together to
make it simple to carry out these goals.
Azure subscriptions
First, remember that each Azure subscription is associated with a single Microsoft Entra
directory. Users, groups, and applications in that directory can manage resources in the
Azure subscription. The subscriptions use Microsoft Entra ID for single sign-on (SSO)
and access management. You can extend your on-premises Active Directory to the
cloud by using Microsoft Entra Connect. This feature allows your employees to
manage their Azure subscriptions by using their existing work identities. When you
disable an on-premises Active Directory account, it automatically loses access to all
Azure subscriptions connected with Microsoft Entra ID.
What's Azure RBAC?
Azure role-based access control (Azure RBAC) is an authorization system built on Azure
Resource Manager that provides fine-grained access management for resources in
Azure. With Azure RBAC, you can grant the exact access that users need to do their jobs.
For example, you can use Azure RBAC to let one employee manage virtual machines in a
subscription while another manages SQL databases within the same subscription.
The following video describes Azure RBAC in detail:
You can grant access by assigning the appropriate Azure role to users, groups, and
applications at a certain scope. The scope of a role assignment can be a management
group, a subscription, a resource group, or a single resource. A role assigned at a parent
scope also grants access to the child scopes contained within it. For example, a user with
access to a resource group can manage all the resources it contains, like websites, virtual
machines, and subnets. The Azure role that you assign dictates what resources the user,
group, or application can manage within that scope.
The following diagram depicts how the classic subscription administrator roles, Azure
roles, and Microsoft Entra roles are related at a high level. Roles assigned at a higher
scope, like an entire subscription, are inherited by child scopes, like service instances.
In the preceding diagram, a subscription is associated with only one Microsoft Entra
tenant. Also note that a resource group can have multiple resources, but it's associated
with only one subscription. Although it's not obvious from the diagram, a resource can
be bound to only one resource group.
What can I do with Azure RBAC?
Azure RBAC allows you to grant access to Azure resources that you control. Suppose
you need to manage access to resources in Azure for the development, engineering,
and marketing teams. You’ve started to receive access requests, and you need to quickly
learn how access management works for Azure resources.
Here are some scenarios you can implement with Azure RBAC:
Allow one user to manage virtual machines in a subscription and another user to
manage virtual networks
Allow a database administrator group to manage SQL databases in a subscription
Allow a user to manage all resources in a resource group, such as virtual machines,
websites, and subnets
Allow an application to access all resources in a resource group
Azure RBAC in the Azure portal
In several areas in the Azure portal, you'll see a pane named Access control (IAM), also
known as identity and access management. On this pane, you can see who has access to
that area and their role. Using this same pane, you can grant or remove access.
The following shows an example of the Access control (IAM) pane for a resource group.
In this example, Alain has been assigned the Backup Operator role for this resource
group.
How does Azure RBAC work?
You can control access to resources using Azure RBAC by creating role assignments,
which control how permissions are enforced. To create a role assignment, you need
three elements: a security principal, a role definition, and a scope. You can think of these
elements as "who," "what," and "where."
1. Security principal (who)
A security principal is just a fancy name for a user, group, or application to which you
want to grant access.
2. Role definition (what you can do)
A role definition is a collection of permissions. It's sometimes just called a role. A role
definition lists the permissions the role can perform, such as read, write, and delete.
Roles can be high-level, like Owner, or specific, like Virtual Machine Contributor.
Azure includes several built-in roles that you can use. The following lists four
fundamental built-in roles:
Owner: Has full access to all resources, including the right to delegate access to
others
Contributor: Can create and manage all types of Azure resources, but can’t grant
access to others
Reader: Can view existing Azure resources
User Access Administrator: Lets you manage user access to Azure resources
If the built-in roles don't meet the specific needs of your organization, you can create
your own custom roles.
3. Scope (where)
Scope is the level where the access applies. This is helpful if you want to make someone
a Website Contributor, but only for one resource group.
In Azure, you can specify a scope at multiple levels: management group, subscription,
resource group, or resource. Scopes are structured in a parent-child relationship. When
you grant access at a parent scope, those permissions are inherited by the child scopes.
For example, if you assign the Contributor role to a group at the subscription scope, that
role is inherited by all resource groups and resources in the subscription.
Role assignment
Once you have determined the who, what, and where, you can combine those elements
to grant access. A role assignment is the process of binding a role to a security principal
at a particular scope for the purpose of granting access. To grant access, you'll create a
role assignment. To revoke access, you'll remove a role assignment.
The following example shows how the Marketing group has been assigned the
Contributor role at the sales resource group scope.
Azure RBAC is an allow model
Azure RBAC is an allow model. This means that when you're assigned a role, Azure RBAC
allows you to perform certain actions, such as read, write, or delete. So, if one role
assignment grants you read permissions to a resource group and a different role
assignment grants you write permissions to the same resource group, you'll have read
and write permissions on that resource group.
Azure RBAC has something called NotActions permissions. You can use NotActions to
create a set of not allowed permissions. The access a role grants—the effective
permissions—is computed by subtracting the NotActions operations from the Actions
operations. For example, the Contributor role has both Actions and NotActions. The
wildcard (*) in Actions indicates that it can perform all operations on the control plane.
You'd then subtract the following operations in NotActions to compute the effective
permissions:
Delete roles and role assignments
Create roles and role assignments
Grant the caller User Access Administrator access at the tenant scope
Create or update any blueprint artifacts
Delete any blueprint artifacts
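To make the scope inheritance, role assignment and allow-model rules described above concrete, here is an added Python model of how access is evaluated; it is example code, not part of the Microsoft Learn module and not an Azure SDK. The role definitions are simplified: they use the real built-in role names, but the Contributor NotActions are only the five operations listed above, and the subscription id, resource groups and principals are constructed.

```python
from fnmatch import fnmatchcase

# Constructed, simplified role definitions: real built-in role names, but Contributor's
# NotActions are only the five operations the module lists (the real list is longer).
ROLE_DEFINITIONS = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"], "NotActions": [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete"]},
    "Virtual Machine Contributor": {"Actions": ["Microsoft.Compute/virtualMachines/*"],
                                    "NotActions": []},
}

def scope_covers(assignment_scope, resource_scope):
    """A role assigned at a parent scope is inherited by every child scope beneath it."""
    parent, child = assignment_scope.lower().rstrip("/"), resource_scope.lower()
    return child == parent or child.startswith(parent + "/")

def role_permits(role_name, operation):
    """Effective permissions = Actions minus NotActions; '*' matches across '/' segments."""
    role, op = ROLE_DEFINITIONS[role_name], operation.lower()
    allowed = any(fnmatchcase(op, p.lower()) for p in role["Actions"])
    denied = any(fnmatchcase(op, p.lower()) for p in role["NotActions"])
    return allowed and not denied

def is_permitted(assignments, principal, operation, resource_scope):
    """Allow model: the union of every assignment for this principal that reaches the scope."""
    return any(a["principal"] == principal and scope_covers(a["scope"], resource_scope)
               and role_permits(a["role"], operation) for a in assignments)

# Constructed assignments (who / what / where); the subscription id is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SALES_RG, EXAMPLE_RG = SUB + "/resourceGroups/sales", SUB + "/resourceGroups/example-group"
ASSIGNMENTS = [
    {"principal": "Marketing", "role": "Contributor", "scope": SALES_RG},
    {"principal": "Alain", "role": "Virtual Machine Contributor", "scope": EXAMPLE_RG},
    {"principal": "Alain", "role": "Reader", "scope": SUB},
]

if __name__ == "__main__":
    vm = EXAMPLE_RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
    sql = SALES_RG + "/providers/Microsoft.Sql/servers/srv1"
    print(is_permitted(ASSIGNMENTS, "Alain", "Microsoft.Compute/virtualMachines/write", vm))  # True
    print(is_permitted(ASSIGNMENTS, "Alain", "Microsoft.Sql/servers/read", sql))  # True: Reader inherited from SUB
    print(is_permitted(ASSIGNMENTS, "Alain", "Microsoft.Sql/servers/write", sql))  # False: no role grants it
    print(is_permitted(ASSIGNMENTS, "Marketing", "Microsoft.Authorization/roleAssignments/write", SALES_RG))  # False: NotActions
```

Revoking access is just removing an assignment from the list: with Alain's Virtual Machine Contributor entry gone, the first check returns False while his inherited Reader access is unaffected.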
Questions and answers related to RBAC
1. What is a role definition in Azure?
Ans- A role definition in Azure is a collection of permissions with a name that you can
assign to a user, group, or application.
2. Suppose an administrator wants to assign a role to allow a user to create and
manage Azure resources but not be able to grant access to others. Which of the
following built-in roles would support this?
Ans- A contributor can create and manage all types of Azure resources, but they can't
grant access to other users.
3. What is the inheritance order for scope in Azure?
Ans- Management group, Subscription, Resource group, Resource
Note-The inheritance order for scope is Management group, Subscription, Resource
group, Resource. For example, if you assigned a Contributor role to a group at the
Subscription scope level, it will be inherited by all Resource groups and Resources.
Exercise - List access using Azure RBAC and the Azure portal
At First Up Consultants, you've been granted access to a resource group for the
marketing team. You want to familiarize yourself with the Azure portal and see what
roles are currently assigned.
You need an Azure subscription to complete the exercises. If you don't have an Azure
subscription, create a free account and add a subscription before you begin. If you're a
student, you can take advantage of the Azure for students offer.
List role assignments for yourself
Follow these steps to see what roles are currently assigned to you.
1. Sign in to the Azure portal.
2. On the Profile menu, select the ellipsis (...) to see more links.
3. Select My permissions to open the My permissions pane.
You'll find the roles that you've been assigned and the scope. Your list will look
different.
List role assignments for a resource group
Follow these steps to see what roles are assigned at the resource group scope.
1. In the Search box at the top, search for and select Resource groups.
2. In the list of resource groups, select a resource group.
These steps use a resource group named example-group, but your resource
group's name will be different.
3. On the left menu pane, select Access control (IAM).
4. Select the Role assignments tab.
This tab shows who has access to the resource group. Notice that some roles are
scoped to This resource, while others are (Inherited) from a parent scope.
List roles
As you learned in the previous unit, a role is a collection of permissions. Azure has more
than 70 built-in roles that you can use in your role assignments. To list the roles:
In the menu bar at the top of the pane, select the Roles tab to list all the built-in
and custom roles.
Select a role's View link in the Details column, then select the Assignments tab to
display the number of users and groups assigned to that role.
In this unit, you learned how to list the role assignments for yourself in the Azure portal.
You also learned how to list the role assignments for a resource group.
Grant access using Azure RBAC and the Azure portal
A co-worker named Alain at First Up Consultants needs permission to create and
manage virtual machines for a project on which he's working. Your manager has asked
that you handle this request. Following the best practice of granting users only the least
privilege they need to get their work done, you decide to assign Alain the Virtual Machine Contributor role
for a resource group.
Grant access
Follow this procedure to assign the Virtual Machine Contributor role to a user at the
resource group scope.
1. Sign in to the Azure portal as an administrator who has permissions to assign roles,
such as User Access Administrator or Owner.
2. In the Search box at the top, search for Resource groups.
3. In the list of resource groups, select a resource group.
These steps use a resource group named example-group, but your resource
group's name will be different.
4. On the left menu pane, select Access control (IAM).
5. Select the Role assignments tab to display the current list of role assignments at
this scope.
6. Select Add > Add role assignment.
If you don't have permissions to assign roles, the Add role assignment option will
be disabled.
The Add role assignment page opens.
7. On the Role tab, search for and select Virtual Machine Contributor.
8. Select Next.
9. On the Members tab, select Select members.
10. Search for and select a user.
11. Select Select to add the user to the Members list.
12. Select Next.
13. On the Review + assign tab, review the role assignment settings.
14. Select Review + assign to assign the role.
After a few moments, the user is assigned the Virtual Machine Contributor role at
the resource group scope. The user can now create and manage virtual machines
just within this resource group.
Remove access
In Azure RBAC, you can remove a role assignment to remove access.
1. In the list of role assignments, check the box for the user with the Virtual Machine
Contributor role.
2. Select Remove.
3. In the Remove role assignments message that appears, select Yes.
In this unit, you learned how to grant a user access to create and manage virtual
machines in a resource group using the Azure portal.
View activity logs for Azure RBAC changes
First Up Consultants reviews Azure role-based access control (Azure RBAC) changes
quarterly for auditing and troubleshooting purposes. You know that changes get logged
in the Azure Activity Log. Your manager has asked if you can generate a report of the
role assignment and custom role changes for the last month.
View activity logs
The easiest way to get started is to view the activity logs with the Azure portal.
1. Select All services, then search for Activity log.
2. Select Activity log to open the activity log.
3. Set the Timespan filter to Last month.
4. Add an Operation filter and type role to filter the list.
5. Select the following Azure RBAC operations:
Create role assignment (roleAssignments)
Delete role assignment (roleAssignments)
Create or update custom role definition (roleDefinitions)
Delete custom role definition (roleDefinitions)
After a moment, you'll get a list of all the role assignment and role definition
operations for the last month. There's also a button at the top of the screen to
download the activity log as a CSV file.
6. Select one of the operations to get the activity log details.
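The same report can be produced from exported Activity log entries, which is what the quarterly review would script. The following is an added Python example, not code from the Microsoft Learn module: it filters events for the four Microsoft.Authorization operations named above over the last 30 days and writes them as CSV. The events are constructed samples shaped like Activity log JSON (operationName.value, eventTimestamp, caller, resourceId, status.value); the subscription id and identities are placeholders.

```python
import csv, io
from datetime import datetime, timedelta, timezone
# The four operations the module filters on in the portal (real Microsoft.Authorization
# operation names) and the labels the Activity log shows for them.
RBAC_OPERATIONS = {
    "microsoft.authorization/roleassignments/write": "Create role assignment",
    "microsoft.authorization/roleassignments/delete": "Delete role assignment",
    "microsoft.authorization/roledefinitions/write": "Create or update custom role definition",
    "microsoft.authorization/roledefinitions/delete": "Delete custom role definition",
}

def rbac_changes(events, now, days=30):
    """RBAC events from the last `days` days, oldest first. Events are assumed to follow the
    Activity log JSON shape (operationName.value, eventTimestamp, caller, resourceId, status.value)."""
    since, rows = now - timedelta(days=days), []
    for ev in events:
        op = ev["operationName"]["value"].lower()
        when = datetime.fromisoformat(ev["eventTimestamp"].replace("Z", "+00:00"))
        if op not in RBAC_OPERATIONS or when < since:
            continue
        scope = ev["resourceId"].split("/providers/Microsoft.Authorization/")[0]  # drop the assignment/definition id
        rows.append({"time": when.isoformat(), "operation": RBAC_OPERATIONS[op], "caller": ev["caller"],
                     "scope": scope, "status": ev["status"]["value"]})  # failed attempts are kept: they matter for audit
    return sorted(rows, key=lambda r: r["time"])

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["time", "operation", "caller", "scope", "status"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample events, not real log data; the subscription id is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/example-group"
RA, RD = RG + "/providers/Microsoft.Authorization/roleAssignments/", SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
def _event(op, ts, caller, resource_id, status="Succeeded"):
    return {"operationName": {"value": op}, "eventTimestamp": ts, "caller": caller,
            "resourceId": resource_id, "status": {"value": status}}
SAMPLE_EVENTS = [
    _event("Microsoft.Authorization/roleAssignments/write", "2024-05-20T09:15:00Z", "admin@example.test", RA + "a1"),
    _event("Microsoft.Authorization/roleAssignments/delete", "2024-05-28T16:40:00Z", "admin@example.test", RA + "a1"),
    _event("Microsoft.Authorization/roleDefinitions/write", "2024-04-02T11:00:00Z", "admin@example.test", RD + "d1"),  # too old
    _event("Microsoft.Authorization/roleAssignments/write", "2024-05-30T10:00:00Z", "alain@example.test", RA + "a2", "Failed"),
    _event("Microsoft.Compute/virtualMachines/write", "2024-05-25T08:00:00Z", "alain@example.test",
           RG + "/providers/Microsoft.Compute/virtualMachines/vm1"),  # not an RBAC operation, filtered out
]
REPORT_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "today" for the report
if __name__ == "__main__":
    print(to_csv(rbac_changes(SAMPLE_EVENTS, REPORT_DATE)))
```

With the sample data the report contains three rows: the creation and deletion of assignment a1 by the administrator, and a failed attempt by alain to create an assignment, which a reviewer would want to follow up on.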
In this unit, you learned how to use Azure Activity Log to list Azure RBAC changes in the
portal and generate a simple report.