Azure role-based access control (Azure RBAC) is a system that allows us to define and manage fine-grained access to Azure resources. RBAC not only gives Azure admins a lot of control by neatly defining roles and responsibilities, but also lets them control what team members and users can do by allowing or disallowing actions on Azure resources.

Even though Azure offers many built-in roles, it's sometimes necessary to create custom roles with specific permissions to meet a requirement. For example, you may need to remove the "Restart" and "Shutdown" Virtual Machine permissions for a user or an intern so that they don't accidentally shut down a production VM. This is exactly the use case where you need custom roles. We will cover this example below and learn to create a custom role and assign it to a user using Azure PowerShell.

First things first. Log in to your Azure account using the command below from a PowerShell console, assuming that you already have the Azure PowerShell module installed on your system. It will prompt you to provide the email address and password associated with your Azure account. Once submitted, you will be signed in to your account from the PowerShell console.

Login-AzAccount

If you have multiple Azure subscriptions, select the subscription where you want to work using the following command:

Select-AzSubscription -Subscription "Your Subscription"

Before you can proceed with creating a custom role, let's first quickly understand how to retrieve actions that can be allowed or restricted on a role. You can use the following cmdlet to list all the operations that are applicable on an Azure resource, such as "Virtual Machine," and select the actions that you want to control in a role, such as "Power off / restart Virtual Machine." These are highlighted in the following image.

Get-AzProviderOperation "Microsoft.Compute/virtualMachines/*" | Select-Object Operation*

List allowed operations on an Azure resource.jpg

Create custom role definition

Once you have the names of the operations, such as "Microsoft.Compute/virtualMachines/powerOff/action" and "Microsoft.Compute/virtualMachines/restart/action," you can use the following JSON template to create a JSON file and list the operation names under the "Actions" and "NotActions" properties. The "NotActions" property excludes the listed operations from those granted by "Actions," which is our use case. It is not a deny rule: if another role assigned to the same user grants these operations, the user can still perform them. Be sure to replace the value of the "AssignableScopes" property with the Subscription ID of your Azure subscription.

{
 "Name": "Disable VM Shutdown and restart",
 "Id": null,
 "IsCustom": true,
 "Description": "The users of this role can't shut down and restart virtual machines",
 "Actions": [
  "Microsoft.Compute/*/read",
  "Microsoft.Compute/virtualMachines/start/action"
 ],
 "NotActions": [
  "Microsoft.Compute/virtualMachines/powerOff/action",
  "Microsoft.Compute/virtualMachines/restart/action"
 ],
 "AssignableScopes": [
  "/subscriptions/<your subscription id>"
 ]
}

After updating your file, save it as "role.json" and use the following cmdlet to create the Custom Role with the definition defined in the JSON file:

New-AzRoleDefinition -InputFile C:\temp\role.json

Create new Azure custom role definition.jpg

Once the custom role definition is created, it can be verified using the following command:

Get-AzRoleDefinition -Custom

Check Azure custom role definition.jpg

Assign a custom role to a user

Now that you have created the Azure custom role definition, you can assign it to a user using the command below. Here you have to specify the sign-in name of the user, the name of the role definition, and the resource group where you want to apply this custom role.

$params = @{
  SignInName = "useremail@domain.com"
  RoleDefinitionName = "Disable VM Shutdown and restart"
  ResourceGroupName = "RG"
}

New-AzRoleAssignment @params

Assigning an Azure custom role definition to a user.jpg

After running the command, if you log in to Azure using the above-mentioned Azure account, go to the resource group, and attempt to restart or shut down the virtual machine, you will see an error message in the top right corner, as shown in the following image. This shows that the user is unauthorized to perform these actions on the Azure Virtual Machine, because you didn't allow these actions in your custom role definition.

Testing the Azure custom role definition for a user.jpg
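
How Azure combines "Actions" and "NotActions", as an added example that is not part of the original article: it evaluates the role definition from this article offline, first alone and then alongside a second role held by the same user. The second role, its name, and the function names Test-RoleGrants and Test-EffectiveAccess are constructed for illustration; data actions and deny assignments are not modelled.

```powershell
# Added example: offline evaluation of Azure RBAC Actions/NotActions (no Azure calls).
# The custom role from this article; AssignableScopes is left out because it is not evaluated here.
$customRole = @'
{
  "Name": "Disable VM Shutdown and restart",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action"
  ],
  "NotActions": [
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/restart/action"
  ]
}
'@ | ConvertFrom-Json

# Constructed (hypothetical) broader role the same user might also hold at the same scope.
$broadRole = [pscustomobject]@{
    Name       = 'Constructed VM operator'
    Actions    = @('Microsoft.Compute/virtualMachines/*')
    NotActions = @()
}

function Test-RoleGrants {
    # One role grants an operation when it matches an Actions pattern and no NotActions pattern.
    param($Role, [string]$Operation)
    $allowed  = @($Role.Actions    | Where-Object { $Operation -like $_ }).Count -gt 0
    $excluded = @($Role.NotActions | Where-Object { $Operation -like $_ }).Count -gt 0
    return ($allowed -and -not $excluded)
}

function Test-EffectiveAccess {
    # Role assignments are additive: access exists if any assigned role grants the operation.
    param([object[]]$Roles, [string]$Operation)
    foreach ($role in $Roles) {
        if (Test-RoleGrants -Role $role -Operation $Operation) { return $true }
    }
    return $false
}

$operations = 'Microsoft.Compute/virtualMachines/powerOff/action',
              'Microsoft.Compute/virtualMachines/start/action'
foreach ($op in $operations) {
    [pscustomobject]@{
        Operation      = $op
        CustomRoleOnly = Test-EffectiveAccess -Roles @($customRole) -Operation $op
        WithBroadRole  = Test-EffectiveAccess -Roles @($customRole, $broadRole) -Operation $op
    }
}
```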

Conclusion

Azure custom roles provide more fine-grained control to customize roles and actions users can perform, compared to the Azure built-in roles. On top of that, Azure PowerShell makes it very simple to automate creating custom roles and keeping your role definitions as JSON files, which can also be treated as Infrastructure-as-Code to track changes in permissions and Azure roles. Once a custom role is created, with just a few Azure PowerShell commands, you can assign the role to users and enforce the custom permissions with ease and simplicity.

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account