Azure Classroom notes 19/Dec/2023

Azure Management Groups

  • Refer Here of Management groups for effectively governing multiple subscriptions

Azure RBAC Roles

  • Azure uses RBAC (Role Based Access control) for authorizing permissions to Resources
  • Note: we have alreay understood the inherited role assignments
  • Lets view a role


  • Azure built in roles – Owner 
{
    "id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "properties": {
        "roleName": "Owner",
        "description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "*"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
  • Now lets use the json of Reader
{
    "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "properties": {
        "roleName": "Reader",
        "description": "View all resources, but does not allow you to make any changes.",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
  • Azure Role is a json file with the following components
    • scope: where the role can be applied
      • management group
      • subscription
      • resource group
      • resource
    • Actions: They represent activities that are allowed
    • notActions: They Represent activities that are denied
    • dataActions: TBD
    • notActions: TBD

Activity 1

  • Ensure you have a user
  • using root user or owner account create a resource group and then create
    • virtual network
    • storage account
  • Now assign the user role of Storage Account Contributor at subscription level
  • view the resources in resource group

  • Try creating a vnet


Activity 2:

  • Ensure the user has permissions to do any activity on storage account and read permissions on others
  • Exercises:
    • Delete all existing role assignments to a user
    • Give the user the permission to create virtual machines in resource group test and not in other resource groups.
    • Give the user the permission to view all the resources in subscription
    • In Resoruce group test also give permission to do any thing in virtual network
Published
Categorized as Uncategorized Tagged

By continuous learner

devops & cloud enthusiastic learner

Leave a ReplyCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Please turn AdBlock off
Customized Social Media Icons from Acurax Digital Marketing Agency

Discover more from Direct DevOps from Quality Thought

Subscribe now to keep reading and get access to the full archive.

Continue reading

Exit mobile version
%%footer%%