Azure Classroom Series – 02/Oct/2021

Azure AD and RBAC

  • Scenario 1: We need to give 10 QA Engineer users, who currently have Reader permission, Contributor permission on a specific Resource Group.
    • Solution:
  • Scenario 2: We are asked to create permissions for QA Engineers: they need Contributor access for Virtual Machines and SQL Databases, and for all other services they should be Readers.
    • Create a custom role definition with the actions listed below
      {
          "id": "/subscriptions/ec402c1e-e1fd-4f6d-8501-77ab3f944a13/providers/Microsoft.Authorization/roleDefinitions/a33bbe76-9907-424b-8b26-2db54f96677f",
          "properties": {
              "roleName": "justforlearning",
              "description": "",
              "assignableScopes": [
                  "/subscriptions/ec402c1e-e1fd-4f6d-8501-77ab3f944a13"
              ],
              "permissions": [
                  {
                      "actions": [
                          "Microsoft.Authorization/*/read",
                          "Microsoft.Compute/availabilitySets/*",
                          "Microsoft.Compute/locations/*",
                          "Microsoft.Compute/virtualMachines/*",
                          "Microsoft.Compute/virtualMachineScaleSets/*",
                          "Microsoft.Compute/cloudServices/*",
                          "Microsoft.Compute/disks/write",
                          "Microsoft.Compute/disks/read",
                          "Microsoft.Compute/disks/delete",
                          "Microsoft.DevTestLab/schedules/*",
                          "Microsoft.Insights/alertRules/*",
                          "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
                          "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
                          "Microsoft.Network/loadBalancers/inboundNatPools/join/action",
                          "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
                          "Microsoft.Network/loadBalancers/probes/join/action",
                          "Microsoft.Network/loadBalancers/read",
                          "Microsoft.Network/locations/*",
                          "Microsoft.Network/networkInterfaces/*",
                          "Microsoft.Network/networkSecurityGroups/join/action",
                          "Microsoft.Network/networkSecurityGroups/read",
                          "Microsoft.Network/publicIPAddresses/join/action",
                          "Microsoft.Network/publicIPAddresses/read",
                          "Microsoft.Network/virtualNetworks/read",
                          "Microsoft.Network/virtualNetworks/subnets/join/action",
                          "Microsoft.RecoveryServices/locations/*",
                          "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
                          "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",
                          "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
                          "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
                          "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
                          "Microsoft.RecoveryServices/Vaults/backupPolicies/write",
                          "Microsoft.RecoveryServices/Vaults/read",
                          "Microsoft.RecoveryServices/Vaults/usages/read",
                          "Microsoft.RecoveryServices/Vaults/write",
                          "Microsoft.ResourceHealth/availabilityStatuses/read",
                          "Microsoft.Resources/deployments/*",
                          "Microsoft.Resources/subscriptions/resourceGroups/read",
                          "Microsoft.SerialConsole/serialPorts/connect/action",
                          "Microsoft.SqlVirtualMachine/*",
                          "Microsoft.Storage/storageAccounts/listKeys/action",
                          "Microsoft.Storage/storageAccounts/read",
                          "Microsoft.Support/*",
                          "*/read",
                          "Microsoft.Authorization/*/read",
                          "Microsoft.Insights/alertRules/*",
                          "Microsoft.ResourceHealth/availabilityStatuses/read",
                          "Microsoft.Resources/deployments/*",
                          "Microsoft.Resources/subscriptions/resourceGroups/read",
                          "Microsoft.Sql/locations/*/read",
                          "Microsoft.Sql/servers/databases/*",
                          "Microsoft.Sql/servers/read",
                          "Microsoft.Support/*",
                          "Microsoft.Insights/metrics/read",
                          "Microsoft.Insights/metricDefinitions/read"
                      ],
                      "notActions": [
                          "Microsoft.Sql/servers/databases/ledgerDigestUploads/write",
                          "Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action",
                          "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
                          "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
                          "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
                          "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
                          "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
                          "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
                          "Microsoft.Sql/managedInstances/securityAlertPolicies/*",
                          "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
                          "Microsoft.Sql/servers/databases/auditingSettings/*",
                          "Microsoft.Sql/servers/databases/auditRecords/read",
                          "Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
                          "Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
                          "Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
                          "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
                          "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
                          "Microsoft.Sql/servers/databases/securityAlertPolicies/*",
                          "Microsoft.Sql/servers/databases/securityMetrics/*",
                          "Microsoft.Sql/servers/databases/sensitivityLabels/*",
                          "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
                          "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
                          "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
                          "Microsoft.Sql/servers/vulnerabilityAssessments/*"
                      ],
                      "dataActions": [],
                      "notDataActions": []
                  }
              ]
          }
      }
      
      • The other option would be to create multiple role assignments (Reader, Virtual Machine Contributor and SQL DB Contributor) at the subscription scope
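Before assigning a custom role like the one above, it helps to check what it actually permits. The following added example (not from the original post) evaluates Azure RBAC control-plane permissions the way the platform does, as Actions minus NotActions with `*` wildcards, over a constructed excerpt of the Scenario 2 definition; the subscription id is a placeholder, and the duplicate entries in the page's list are collapsed on load.

```python
import json
import re

# Constructed excerpt of the Scenario 2 custom role (placeholder subscription id;
# the page's full "actions" list is longer and repeats several entries).
ROLE_JSON = """
{
  "properties": {
    "roleName": "justforlearning",
    "assignableScopes": ["/subscriptions/<subscription-id-placeholder>"],
    "permissions": [{
      "actions": [
        "*/read",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Sql/servers/databases/*",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Compute/virtualMachines/*"
      ],
      "notActions": [
        "Microsoft.Sql/servers/databases/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditRecords/read"
      ]
    }]
  }
}
"""

def _matches(pattern: str, operation: str) -> bool:
    # RBAC wildcard: '*' matches any characters, including '/', so "*/read"
    # covers every read operation; names are compared case-insensitively.
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def load_role(text: str) -> dict:
    # Flatten every permissions block into two de-duplicated lists.
    props = json.loads(text)["properties"]
    actions, not_actions = set(), set()
    for perm in props["permissions"]:
        actions.update(perm.get("actions", []))
        not_actions.update(perm.get("notActions", []))
    return {"roleName": props["roleName"],
            "actions": sorted(actions, key=str.lower),
            "notActions": sorted(not_actions, key=str.lower)}

def is_allowed(role: dict, operation: str) -> bool:
    # Effective control-plane permissions are Actions minus NotActions, so a
    # NotActions entry removes an operation even when "*/read" would grant it.
    granted = any(_matches(a, operation) for a in role["actions"])
    denied = any(_matches(n, operation) for n in role["notActions"])
    return granted and not denied
```

Running the page's full definition through `load_role` shows the repeated entries collapsing, and lets you confirm that `Microsoft.Storage/storageAccounts/listKeys/action`, which returns storage account access keys, is granted alongside the intended VM and SQL permissions and may deserve a review before the role goes to the QA group.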
  • Scenario 3:
    • List the role definitions from the CLI
     az role definition list  --query "[*].{roleName: roleName, roleType: roleType}" --output table
    
    • Create a user from the CLI (Refer Here). Create a user called user2
    • Create a group called learners (Refer Here)
     az ad user create --display-name 'user2' --password 'learningazure@123' --user-principal-name 'user2@qtkhajacloudgmail.onmicrosoft.com' --force-change-password-next-login false
    
     az ad group create --display-name 'learners' --mail-nickname 'learners'
    
    • Now let's assign the Reader role to the group at the subscription scope
     az role assignment create --role 'Reader' --assignee '230699b6-3882-4666-bc9f-3af8f436efab' --scope "/subscriptions/ec402c1e-e1fd-4f6d-8501-77ab3f944a13"
    
