RBAC Roles

Author: Michael Bui

Overview

Documentation: Microsoft Docs

RBAC (Role-Based Access Control) manages who has access to Azure resources. You assign RBAC roles to a security principal (user, group, service principal or managed identity) to limit the permissions it holds to the scope where they are assigned.

In this lab, we'll use the lab structure below, provided by Microsoft Learning:

  • An RBAC management group and a lab subscription are already created.
  • We'll create a custom role definition that only allows the user to read resource groups and manage support requests, and only inside the LAB subscription.

Instructions

Custom RBAC Role

  1. Role definition (save it as a .json file):

```json
{
   "Name": "Support Request Contributor (Custom)",
   "IsCustom": true,
   "Description": "Allows to create support requests",
   "Actions": [
       "Microsoft.Resources/subscriptions/resourceGroups/read",
       "Microsoft.Support/*"
   ],
   "NotActions": [
   ],
   "AssignableScopes": [
       "/providers/Microsoft.Management/managementGroups/rbac-management-group",
       "/subscriptions/SUBSCRIPTION_ID"
   ]
}
```

  2. Open Cloud Shell and upload the .json custom role definition.

Assigning Role

We have created a user named RBAC_Lab_User for this lab.

  1. Go to the RBAC management group -> Add -> Role Assignment
  2. Search for our created custom role
  3. Select the RBAC Lab user

Verification

  1. Log in as RBAC Lab User
  2. Browse to Resource Groups
  3. We can confirm that there are no resource groups
  4. Using a global admin, create a resource group with a storage account resource inside
  5. Now back on RBAC Lab User we can see the resource group
  6. However, we still do not see the resources inside it on our RBAC Lab User account: the role grants only Microsoft.Resources/subscriptions/resourceGroups/read and Microsoft.Support/*, so reads on the storage account's resource provider are not permitted.
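To make the role definition above and the verification results concrete, here is an added example (not part of the lab page or Microsoft's tooling) that simulates how Azure evaluates an RBAC role assignment: an operation is allowed when the assignment scope covers the target resource through the management group, subscription, resource group, resource hierarchy, and the operation matches an entry in `Actions` that is not cancelled by `NotActions`, with `*` matching any characters. The role JSON is the lab's own; the resource group name `rg-lab`, storage account `stlab`, the second subscription `OTHER_SUB` and the `lint_role` heuristic are constructed for the example. DataActions, deny assignments and ABAC conditions are not modelled.

```python
"""Simulate Azure RBAC evaluation for the lab's custom role (added example)."""
import json
import re

# The lab's role definition, SUBSCRIPTION_ID left as the page's placeholder.
ROLE_JSON = """
{
   "Name": "Support Request Contributor (Custom)",
   "IsCustom": true,
   "Description": "Allows to create support requests",
   "Actions": [
       "Microsoft.Resources/subscriptions/resourceGroups/read",
       "Microsoft.Support/*"
   ],
   "NotActions": [],
   "AssignableScopes": [
       "/providers/Microsoft.Management/managementGroups/rbac-management-group",
       "/subscriptions/SUBSCRIPTION_ID"
   ]
}
"""
ROLE = json.loads(ROLE_JSON)

MG_SCOPE = "/providers/Microsoft.Management/managementGroups/rbac-management-group"
SUB_SCOPE = "/subscriptions/SUBSCRIPTION_ID"
# Constructed lab hierarchy: only the lab subscription sits under the RBAC management group.
SUBSCRIPTION_PARENT = {"SUBSCRIPTION_ID": MG_SCOPE}
# Constructed resource IDs for the verification steps.
RG_SCOPE = SUB_SCOPE + "/resourceGroups/rg-lab"
STORAGE_SCOPE = RG_SCOPE + "/providers/Microsoft.Storage/storageAccounts/stlab"


def action_matches(pattern: str, operation: str) -> bool:
    """Azure action patterns are case-insensitive; '*' matches anything, '/' included."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def ancestor_scopes(resource_scope: str) -> set:
    """The scope itself plus every ancestor (resource group, subscription, management group)."""
    chain = {resource_scope.lower()}
    parts = resource_scope.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        sub_id = parts[1]
        chain.add(f"/subscriptions/{sub_id}".lower())
        if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
            chain.add(f"/subscriptions/{sub_id}/resourceGroups/{parts[3]}".lower())
        mg = SUBSCRIPTION_PARENT.get(sub_id)
        if mg:
            chain.add(mg.lower())
    return chain


def is_allowed(role: dict, assignment_scope: str, operation: str, resource_scope: str) -> bool:
    """True when the assignment reaches the resource and the operation is in Actions minus NotActions."""
    if assignment_scope.lower() not in ancestor_scopes(resource_scope):
        return False
    if any(action_matches(p, operation) for p in role.get("NotActions", [])):
        return False
    return any(action_matches(p, operation) for p in role.get("Actions", []))


def lint_role(role: dict) -> list:
    """Constructed least-privilege heuristic: flag wildcard actions and root assignable scope."""
    findings = []
    for action in role.get("Actions", []):
        if action == "*" or action.endswith("/*"):
            findings.append(f"wildcard action {action!r} grants every operation beneath it")
    if "/" in role.get("AssignableScopes", []):
        findings.append("role is assignable at root scope")
    return findings


def verify_lab() -> dict:
    """Replay the lab's verification steps against the role assigned at the management group."""
    checks = {
        "list resource groups (step 5)":
            ("Microsoft.Resources/subscriptions/resourceGroups/read", RG_SCOPE),
        "read storage account (step 6)":
            ("Microsoft.Storage/storageAccounts/read", STORAGE_SCOPE),
        "create support ticket":
            ("Microsoft.Support/supportTickets/write", SUB_SCOPE),
        "create resource group":
            ("Microsoft.Resources/subscriptions/resourceGroups/write", RG_SCOPE),
        "list resource groups in a subscription outside the management group":
            ("Microsoft.Resources/subscriptions/resourceGroups/read",
             "/subscriptions/OTHER_SUB/resourceGroups/rg-x"),
    }
    return {name: is_allowed(ROLE, MG_SCOPE, op, scope) for name, (op, scope) in checks.items()}


if __name__ == "__main__":
    for name, allowed in verify_lab().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
    for finding in lint_role(ROLE):
        print("lint:", finding)
```

The simulation reproduces steps 5 and 6: the resource group is readable through the management group assignment, while the storage account inside it is denied because no entry in `Actions` covers `Microsoft.Storage`. The lint pass flags `Microsoft.Support/*` as a wildcard, which is the lab's intent here but worth noticing in a review, since it also grants write and delete under that provider. For the registration step the page leaves implicit, the Azure CLI equivalent of uploading the file in Cloud Shell is `az role definition create --role-definition role.json`, and the assignment is `az role assignment create --assignee <user> --role "Support Request Contributor (Custom)" --scope <management group scope>`.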