Azure has many different predefined access roles that allow administrators to manage Azure services flexibly in terms of security and segregation of duties. In this post, I'll walk you through how to manage Azure role-based access control (RBAC) using PowerShell.

Baki Onur Okutucu

Onur is a subject matter expert for Office 365, Azure, and PowerShell technologies. He is the founder of Clouderz Ltd, a cloud consultancy based in London. For eight years in a row, Microsoft has recognized him as a Most Valuable Professional. You can follow Onur on Twitter: @BakiOnur.

Managing role definitions

New Azure features and services appear almost daily, which makes it all the more important to operate them in an isolated and secure manner. Azure offers a very wide range of services, and in most companies several different teams consume them. It is therefore critical to separate roles and permissions and to grant each team exactly the permissions it needs, so that every team can access only the resources it is responsible for.

Each role in Azure consists of a number of role actions, which are essentially permission sets. You can customize these permission sets if you need to create custom roles. In such cases, you pick the required actions and place them in a custom role definition, which you can then assign to a specific user, group, or application.

First, let's take a look at all available roles in Azure. Roles in Azure are called "role definitions." You can list them with this command:

Role definitions represent Azure roles

There are currently 62 roles available in Azure, but Microsoft will no doubt add new roles as they roll out new services in the future.

Each role consists of several actions, which represent permission sets over certain services. For example, the Network Contributor role contains actions such as Microsoft.Network/*. This wildcard action covers every possible operation in the Microsoft.Network resource provider. So if we grant a user the Network Contributor role, the user will be able to perform any action on the network resources within the assigned scope.

So to see all actions available in a specific Azure role, we should execute the following:

The actions in a role definition are permission sets used to grant access to objects

As seen above, the Network Contributor role has seven actions defined in it. Let's look at another example for the Virtual Machine Contributor role and see what actions it contains.

Virtual Machine Contributor role actions

The Virtual Machine Contributor role has a number of actions available. You may have noticed that both the Network Contributor and Virtual Machine Contributor roles have some common actions defined in their action lists. That's because virtual machine administrators may need to manage network-related resources such as network interface cards, load balancers, and so on, which might be associated with a certain virtual machine.
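
The listing commands themselves are not reproduced on this page. The following is an added example (not the author's code) that performs the same steps with the Az PowerShell module (Az.Resources), assuming an authenticated Connect-AzAccount session with at least Reader on the subscription; the helper names Get-RoleActions and Test-RoleGrantsOperation are my own. It also goes one step further and checks whether a role's effective permissions (Actions minus NotActions, with wildcards expanded) cover a given operation.

```powershell
# Added example, not from the original post. Assumes the Az.Resources module
# and an existing Connect-AzAccount session; helper names are my own.

# All role definitions visible in the current subscription, built-in vs custom
$roles = Get-AzRoleDefinition
"Built-in: $(@($roles | Where-Object { -not $_.IsCustom }).Count)  Custom: $(@($roles | Where-Object IsCustom).Count)"
$roles | Sort-Object Name | Select-Object Name, IsCustom, Description | Format-Table -AutoSize

# Actions, NotActions and DataActions of one role. A trailing '*' (for example
# Microsoft.Network/*) covers every operation under that resource provider.
function Get-RoleActions {
    param([Parameter(Mandatory)][string]$RoleName)
    $role = Get-AzRoleDefinition -Name $RoleName
    if (-not $role) { throw "Role definition '$RoleName' not found" }
    [pscustomobject]@{
        Name        = $role.Name
        Actions     = @($role.Actions)
        NotActions  = @($role.NotActions)
        DataActions = @($role.DataActions)
        Wildcards   = @($role.Actions | Where-Object { $_.Contains('*') })
    }
}

# Does a role permit a specific control-plane operation? Effective permissions
# are Actions minus NotActions; RBAC '*' wildcards match the same way as -like.
function Test-RoleGrantsOperation {
    param([Parameter(Mandatory)][string]$RoleName,
          [Parameter(Mandatory)][string]$Operation)
    $role = Get-AzRoleDefinition -Name $RoleName
    if (-not $role) { throw "Role definition '$RoleName' not found" }
    $allowed = @($role.Actions    | Where-Object { $Operation -like $_ }).Count -gt 0
    $denied  = @($role.NotActions | Where-Object { $Operation -like $_ }).Count -gt 0
    return ($allowed -and -not $denied)
}

$net = Get-RoleActions -RoleName 'Network Contributor'
$vm  = Get-RoleActions -RoleName 'Virtual Machine Contributor'
"Network Contributor actions: $($net.Actions.Count)"; $net.Actions
"Virtual Machine Contributor actions: $($vm.Actions.Count)"; $vm.Actions

# Actions the two roles have in common (the overlap described above)
Compare-Object -ReferenceObject $net.Actions -DifferenceObject $vm.Actions -IncludeEqual -ExcludeDifferent |
    Select-Object -ExpandProperty InputObject

# Example check: does Virtual Machine Contributor allow deleting a whole virtual network?
Test-RoleGrantsOperation -RoleName 'Virtual Machine Contributor' -Operation 'Microsoft.Network/virtualNetworks/delete'
```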

Managing role assignments

It is also important for admins to check who has access to resources such as a subscription or a resource group. To view a user's current permissions on all resources the user has access to, use the following line:

To list the permissions a specific user inherits through group membership on all resources, we need to use the following:

A user's permissions on a resource inherited from a group

ObjectType simply shows whether the object is a user, group, or application.

If we want to list permissions on a specific resource, we can narrow down the result by specifying the scope using this command:

All objects that have permissions over a specific subscription

This command lists all objects including users, groups, and applications that have permissions on a specific resource. In this scenario it is a subscription.
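
The three queries described in this section, as an added example with the Az module (not code from the original post). It assumes a Connect-AzAccount session; the sign-in name is a placeholder, and the subscription is taken from the current context.

```powershell
# Added example, not from the original post. Assumes Az.Resources and a
# Connect-AzAccount session; the user name is a placeholder.
$user  = 'user@contoso.com'                      # placeholder sign-in name
$subId = (Get-AzContext).Subscription.Id

# Roles assigned directly to the user, on every resource the session can see
Get-AzRoleAssignment -SignInName $user |
    Select-Object RoleDefinitionName, Scope, ObjectType | Format-Table -AutoSize

# Add the roles the user inherits through group membership. ObjectType tells you
# whether a given entry comes from the user object itself or from one of its groups.
Get-AzRoleAssignment -SignInName $user -ExpandPrincipalGroups |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope | Format-Table -AutoSize

# Everyone (users, groups, service principals) holding a role at subscription scope.
# With -Scope the cmdlet also returns assignments inherited from parent scopes, so
# filter on the Scope property to keep only those made directly on the subscription.
$subScope = "/subscriptions/$subId"
$atSub = Get-AzRoleAssignment -Scope $subScope
$atSub | Group-Object ObjectType | Select-Object Name, Count
$atSub | Where-Object { $_.Scope -eq $subScope } |
    Sort-Object RoleDefinitionName |
    Select-Object DisplayName, ObjectType, RoleDefinitionName | Format-Table -AutoSize
```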

Managing custom roles

Besides listing roles and permissions in Azure, it is also very important for admins to be able to grant users or groups the necessary roles on certain resources. To assign a role to a group, we first need to get the group's ObjectID using the command below:

Getting a group's ObjectID

We can now assign a role to this group using the ObjectID of the group, the role definition required, and the scope. In this scenario we will assign the Virtual Machine Contributor role to the Sales group over the subscription with a subscription ID of f0675ec9-480d-4c2a-982a-ed97983af390.

Creating a custom role and assigning it to a group

Of course, we can grant users and applications specific permissions in exactly the same way we used above.

To remove a role from a specific user, group, or application:

Removing a custom role
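
The full assign-verify-remove cycle from this section, as an added example with the Az module (not the author's code). It uses the Sales group and the subscription ID from the text, and assumes a Connect-AzAccount session that is allowed to write role assignments on that subscription (Owner or User Access Administrator).

```powershell
# Added example, not from the original post. Assumes Az.Resources and a session
# permitted to write role assignments on the subscription. Group name and
# subscription ID are the ones used in the text.
$groupName = 'Sales'
$subScope  = '/subscriptions/f0675ec9-480d-4c2a-982a-ed97983af390'
$roleName  = 'Virtual Machine Contributor'

# 1. Resolve the group's ObjectId (assignments bind to the object ID, not the name)
$group = Get-AzADGroup -DisplayName $groupName
if (@($group).Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $(@($group).Count)"
}

# 2. Assign the role only if that exact assignment does not already exist
#    (New-AzRoleAssignment fails on a duplicate)
$existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $subScope |
    Where-Object { $_.Scope -eq $subScope }
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $subScope
}

# 3. Verify what the group now holds at this scope
Get-AzRoleAssignment -ObjectId $group.Id -Scope $subScope |
    Select-Object RoleDefinitionName, Scope, ObjectType

# 4. Remove the assignment again when it is no longer needed
Remove-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $subScope
```

Users and service principals are handled the same way: pass the ObjectId returned by Get-AzADUser or Get-AzADServicePrincipal instead of the group's.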

As you can see, there are hundreds of different scenarios when it comes to managing roles and permissions in Azure.

Creating a role-based access control report

Lastly, let's create a detailed report showing all the permissions assigned to users, groups, and applications throughout a subscription.

Reporting Azure roles assigned to the objects
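
An added example of such a report (not code from the original post), written for the Az module. The function name Get-RbacReport and the list of roles treated as privileged are my own choices; it assumes a Connect-AzAccount session with Reader on the subscription. Beyond listing assignments, it enriches each one with the role definition so that custom roles, wildcard roles and privileged roles granted at or above subscription scope stand out in the output.

```powershell
# Added example, not from the original post. Assumes Az.Resources and a
# Connect-AzAccount session; function name and privileged-role list are my own.
function Get-RbacReport {
    param([string]$SubscriptionId = (Get-AzContext).Subscription.Id,
          [string[]]$PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator'))

    Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
    $subScope = "/subscriptions/$SubscriptionId"

    # Index role definitions by name once, so each assignment is enriched without extra calls
    $defs = @{}
    Get-AzRoleDefinition | ForEach-Object { $defs[$_.Name] = $_ }

    # Without -Scope the cmdlet returns every assignment in the current subscription:
    # those made on the subscription itself, on resource groups and resources below it,
    # and those inherited from parent scopes.
    Get-AzRoleAssignment | ForEach-Object {
        $ra  = $_
        $def = $defs[$ra.RoleDefinitionName]
        $scopeLevel = if ($ra.Scope -eq $subScope) { 'Direct' }
                      elseif ($ra.Scope -like "$subScope/*") { 'Child' }
                      else { 'Inherited' }   # root ('/') or a management group
        [pscustomobject]@{
            Principal    = $ra.DisplayName
            SignInName   = $ra.SignInName
            ObjectType   = $ra.ObjectType
            Role         = $ra.RoleDefinitionName
            IsCustomRole = [bool]($def -and $def.IsCustom)
            HasWildcard  = [bool]($def -and @($def.Actions | Where-Object { $_.Contains('*') }).Count)
            IsPrivileged = $ra.RoleDefinitionName -in $PrivilegedRoles
            ScopeLevel   = $scopeLevel
            Scope        = $ra.Scope
        }
    }
}

$report = Get-RbacReport
$report | Sort-Object IsPrivileged, Role -Descending | Format-Table -AutoSize
$report | Export-Csv -Path "rbac-report-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Entries worth reviewing first: privileged roles granted at or above subscription scope
$report | Where-Object { $_.IsPrivileged -and $_.ScopeLevel -ne 'Child' } |
    Select-Object Principal, ObjectType, Role, ScopeLevel, Scope
```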

In this article, we've had a look at Azure roles and how we can easily manage role assignment tasks for Azure resources.
