# 4.- AZ-104 Azure RBAC - Role-based Access Control

# AZ-104 Azure RBAC - Understanding Roles in Azure

[Manage RBAC](https://learn.microsoft.com/en-us/training/modules/manage-subscription-access-azure-rbac/)

- Describing RBAC
- Describing Azure Roles
- Describing Azure AD Roles
- Azure Roles vs Azure AD Roles
- RBAC Architecture

##### **<span style="background-color: rgb(0, 0, 0);">Describing RBAC</span>**

"Who can do what, where": WHO (the identity), WHAT (the role), and WHERE (the scope).

Describing Azure Roles

- Owner: Full access to resources and can delegate access to other users
- Reader: Provides the ability to view resources, cannot perform actions on resources
- Contributor: Can create and manage resources
- User Access Administrator: Can delegate access to resources

Describing Azure Entra ID Roles

- A special set of roles that grant access to manage identity objects inside our Azure tenant: users, applications, or devices, not Azure resources.
- Global Administrator: Provides access to manage AD resources
- Billing Administrator: Performs billing tasks
- User Administrator: Can manage users and groups inside the Azure Entra ID tenant
- Helpdesk Administrator: Performs password resets if SSPR is not enabled.

## Microsoft Entra and Azure roles

Microsoft Entra roles and Azure roles are often confused when you first work with Azure. Microsoft Entra roles provide the mechanism for managing permissions to Microsoft Entra resources, like user accounts and passwords. Azure roles provide a wealth of capabilities for managing Azure resources like virtual machines (VMs) at a granular level.

<table border="1" id="bkmrk-azure-roles-microsof" style="border-collapse: collapse; width: 100%; height: 197.267px;"><colgroup><col style="width: 50%;"></col><col style="width: 50%;"></col></colgroup><tbody><tr style="height: 29.7167px;"><td class="align-center" style="height: 29.7167px;">Azure Roles  
</td><td class="align-center" style="height: 29.7167px;">Microsoft Entra ID Roles  
</td></tr><tr style="height: 46.5167px;"><td style="height: 46.5167px;">Manage access to Azure resources like VMs, storage, networks, and more</td><td style="height: 46.5167px;">Manage access to Microsoft Entra resources like user accounts and passwords</td></tr><tr style="height: 46.5167px;"><td style="height: 46.5167px;">Multiple scope levels (management group, subscription, resource group, resource)</td><td style="height: 46.5167px;">Scope only at tenant level  
</td></tr><tr style="height: 74.5167px;"><td style="height: 74.5167px;">Role information accessible through Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API</td><td style="height: 74.5167px;">Role information accessible in Azure admin portal, Microsoft 365 admin center, Microsoft Graph, [Microsoft Graph PowerShell](https://learn.microsoft.com/en-us/powershell/microsoftgraph/overview)</td></tr></tbody></table>

<table border="1" id="bkmrk-azure-roles-azure-en" style="border-collapse: collapse; width: 100%; height: 246.634px;"><colgroup><col style="width: 50.0567%;"></col><col style="width: 50.0567%;"></col></colgroup><tbody><tr style="height: 29.7167px;"><td class="align-center" style="height: 29.7167px;">**Azure Roles**  
</td><td style="height: 29.7167px;">Azure Entra ID Roles  
</td></tr><tr style="height: 29.7167px;"><td style="height: 29.7167px;">Manage access to Azure resources  
</td><td style="height: 29.7167px;">Manage access to Azure AD resources at tenant level  
</td></tr><tr style="height: 29.7167px;"><td style="height: 29.7167px;">Scope can be at multiple levels  
</td><td style="height: 29.7167px;">Scope is at tenant level  
</td></tr><tr style="height: 29.7167px;"><td style="height: 29.7167px;">Support custom roles  
</td><td style="height: 29.7167px;">Support custom roles  
</td></tr><tr style="height: 127.767px;"><td style="height: 127.767px;">Main roles:

- Owner
- Contributor
- Reader
- User Access Administrator

</td><td style="height: 127.767px;">Main roles:

- Global Administrator
- User Administrator
- Billing Administrator

</td></tr></tbody></table>

<table border="1" id="bkmrk-azure-roles-azure-en-1" style="border-collapse: collapse; width: 100%; height: 165.384px;"><colgroup><col style="width: 50%;"></col><col style="width: 50%;"></col></colgroup><tbody><tr style="height: 29.7167px;"><td style="height: 29.7167px;">**Azure Roles**</td><td style="height: 29.7167px;">Azure Entra ID Roles</td></tr><tr style="height: 46.5167px;"><td style="height: 46.5167px;">Control access to Azure resources: VMs, virtual networks  
</td><td style="height: 46.5167px;">Control access to Azure AD resources: user objects, groups, devices, AD features  
</td></tr><tr style="height: 29.7167px;"><td style="height: 29.7167px;">Referred to as Azure RBAC  
</td><td style="height: 29.7167px;">  
</td></tr><tr style="height: 29.7167px;"><td style="height: 29.7167px;">Built-in roles  
</td><td style="height: 29.7167px;">Built-in roles  
</td></tr><tr style="height: 29.7167px;"><td style="height: 29.7167px;">Custom roles  
</td><td style="height: 29.7167px;">Custom roles  
</td></tr><tr><td>Scope at management groups, subscriptions, resource groups, and resources, using identities that exist inside our Azure AD tenant  
</td><td>Scope at Azure AD tenant level; provides access for users that exist inside our Azure Entra ID tenant to perform administrative functions inside the tenant itself</td></tr></tbody></table>

# AZ-104 Azure RBAC - Assigning access to resources

[Secure Azure RBAC](https://learn.microsoft.com/en-us/training/modules/secure-azure-resources-with-rbac/ "Azure RBAC")

- Explaining Azure RBAC
- Understanding Role definitions
- Additive Property

##### **<span style="background-color: rgb(0, 0, 0);">Explaining Azure RBAC</span>**

Azure RBAC is an authorization system built from three parts:

- Security Principal: Defines the identity we want to authorize. WHO?
- Role Definition: The role we assign to that identity. WHAT?
- Scope: Defines where the identity is allowed to perform these actions. WHERE?

Access must be granted explicitly; by default there is an implicit deny.

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/56DuzeloUU59iqkf-image.png)

##### **<span style="background-color: rgb(0, 0, 0);">Understanding Role Definitions</span>**

Role definition components (the Contributor role is the example shown below):

- Actions: Defines which operations are allowed on the management (control) plane, that is, managing resources inside Azure, such as starting or stopping virtual machines.
- NotActions: Operations removed (subtracted) from the allowed Actions. For example, if we allow a user to restart a virtual machine in Actions, a NotActions entry for that same operation in the same role definition overrides it and removes the permission.
- DataActions and NotDataActions: The same idea as Actions and NotActions, but instead of the control plane (managing Azure resources) they apply to data-plane operations, such as working with data inside Azure Storage accounts.
- AssignableScopes: Defines where this role definition can be assigned. It can go all the way down to a specific resource, or be a resource group, a subscription, or even a management group.

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/n8K71nNcOTePw0Jj-image.png)

For example, suppose a user in our Azure Active Directory tenant is assigned the Contributor role at the management group scope and also the Reader role at a resource group scope inside the same hierarchy. When a single identity has overlapping role assignments like this, roles follow an additive property: the effective permissions are the sum (union) of the permissions of each role definition. In this case, Contributor + Reader = Contributor, because Contributor already provides everything Reader does. So this user effectively has Contributor at the management group scope, inherited all the way down the hierarchy, and the Reader assignment adds no additional permissions; the user's permissions waterfall down to the lowest level.

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/1ps3q5JkZ1bgfvwh-image.png)

##### <span style="background-color: rgb(0, 0, 0);">**Assigning access**</span>

Go to Resource groups and select a group (K8s\_group in the example below). If we go to Roles we can see all the roles that can be assigned; here we can determine, for example, that a user can be a Contributor (grants full access to manage all resources but does not allow you to assign roles in Azure RBAC).

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/g79ZSRaqzITvLSsf-image.png)

Select Contributor, then Add, then Add role assignment.

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/dz3pGV0IkjCHFYrM-image.png)

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/tZFFagtRuaNAWqVs-image.png)

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/wa5QLTXD3pj6LJFA-image.png)

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/tDpaCtKpFZ8egJXb-image.png)

Now, back on the resource group, we can see the role assignments.

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/bgqbgm9vEEWXXlWY-image.png)

Likewise, the resources inside that resource group have inherited the assignment.

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/FjowRw530mFiKQjZ-image.png)

Authorization system summary:

- Provides identities with access to Azure resources
- Roles are a collection of permissions
- There is a scoping hierarchy for role assignments
- Implicit deny - Explicit Allow - Explicit Deny

# AZ-104 Azure RBAC - LAB Using service Principal Identity to List AD Roles

In this hands-on lab, you are tasked with gathering the role definitions and role assignments for your organization.

You do not have access to the portal, so you must collect this information via SSH connection, by using a Linux VM and a service principal. Once you have gained access to the Azure subscription, use the Azure CLI to collect the required information, and output to a file so you can email it to your manager.

<details id="bkmrk-solution-log-in-to-t"><summary>Solution</summary>

Log in to the virtual machine using the credentials provided:

```bash
ssh cloud_user@<PUBLIC_IP_ADDRESS>
```

### Log in to Azure using the Service Principal

1. Once connected to the lab VM, run the `az login` command with the `--service-principal` flag to log in to the Azure account:

```bash
az login --service-principal \
  -u "<CLIENT_ID>" \
  -p "<CLIENT_SECRET>" \
  --tenant "<TENANT_ID>"
```

> **NOTE:** To get your own `Tenant ID`, search for `Tenant properties` in the Azure portal. The value will be under the `Tenant ID` field.

If you experience an error regarding invalid arguments, please see the Additional Information section for the details of a fix.

### List the Role Definitions and Role Assignments

1. List the role definitions:

    ```bash
    az role definition list
    ```

2. Output the list to a file named `roleinfo.json`:

    ```bash
    az role definition list > roleinfo.json
    ```

3. List the role assignments:

    ```bash
    az role assignment list --all
    ```

4. Append the list to the `roleinfo.json` file:

    ```bash
    az role assignment list --all >> roleinfo.json
    ```

5. Verify that the file was created successfully:

    ```bash
    vi roleinfo.json
    ```

</details>

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/jVruvsGW87BGZsLG-image.png)
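The lab's `>` then `>>` steps leave `roleinfo.json` holding two JSON arrays back to back, which is not one valid JSON document. The following is an added example (not part of the lab or the Azure CLI) that reads such a file with `json.JSONDecoder.raw_decode` and pulls out what a reviewer would look at first: custom roles and the assignments that can delegate access. The `ROLEINFO` text is constructed, with placeholder subscription ids and principal names, and keeps only the CLI output fields the functions use.

```python
import json

# Constructed stand-in for roleinfo.json as the lab builds it: the array from
# `az role definition list` written with `>`, then the array from
# `az role assignment list --all` appended with `>>`. json.loads() on the
# whole file fails; raw_decode() reads one top-level value at a time.
ROLEINFO = """[
  {"roleName": "Contributor", "roleType": "BuiltInRole", "assignableScopes": ["/"]},
  {"roleName": "Helpdesk Administrators", "roleType": "CustomRole",
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]}
]
[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "sp-deploy", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/K8s_group"},
  {"principalName": "bob@contoso.example", "principalType": "User",
   "roleDefinitionName": "User Access Administrator",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]
"""

def iter_json_documents(text):
    """Yield every top-level JSON value in text, however many are concatenated."""
    decoder, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(text) and text[pos].isspace():  # raw_decode rejects leading whitespace
            pos += 1
        if pos >= len(text):
            return
        value, pos = decoder.raw_decode(text, pos)
        yield value

def load_roleinfo(text):
    """Return (role_definitions, role_assignments) from a roleinfo.json file."""
    docs = list(iter_json_documents(text))
    return docs[0], docs[1]

def custom_roles(definitions):
    """Names of roles the tenant defined itself (the ones worth reviewing first)."""
    return sorted(d["roleName"] for d in definitions if d["roleType"] == "CustomRole")

# Roles the page singles out as able to delegate access to others.
DELEGATING = {"Owner", "User Access Administrator"}

def delegating_assignments(assignments):
    """(principal, role, scope) for every assignment that can grant access to others."""
    return sorted((a["principalName"], a["roleDefinitionName"], a["scope"])
                  for a in assignments if a["roleDefinitionName"] in DELEGATING)
```

If a single valid document is preferred, `jq -s . roleinfo.json` wraps both arrays in one outer array instead.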

# AZ-104 Azure RBAC - Creating custom roles

[Custom Roles RBAC](https://learn.microsoft.com/en-us/training/modules/create-custom-azure-roles-with-rbac/)

- Describing custom roles
- Creating role definitions

- Custom role definition
- No built in role met requirement
- User Access Administrator or Owner role for the account

## Assignment and scope of custom roles

Users with the User Access Administrator or Owner roles can create or assign custom roles in Azure RBAC.

You can assign custom roles to:

<div class="has-inner-focus" id="bkmrk-security-principal-s"><table aria-label="Assignment and scope of custom roles" class="table" style="width: 100%;"><thead><tr><th style="width: 27.3406%;">Security principal</th><th style="width: 72.7727%;">Summary</th></tr></thead><tbody><tr><td style="width: 27.3406%;">**User**</td><td style="width: 72.7727%;">An individual who has a profile in Microsoft Entra ID</td></tr><tr><td style="width: 27.3406%;">**Group**</td><td style="width: 72.7727%;">A set of users created in Microsoft Entra ID</td></tr><tr><td style="width: 27.3406%;">**Service principals**</td><td style="width: 72.7727%;">A security identity used by applications or services to access specific Azure resources</td></tr><tr><td style="width: 27.3406%;">**Managed identity**</td><td style="width: 72.7727%;">An identity in Microsoft Entra ID that is automatically managed by Azure</td></tr></tbody></table>

</div>

Sometimes, built-in roles don't grant the precise level of access you need. Custom roles allow you to define roles that meet the specific needs of your organization. You can assign the Azure custom roles you create to users, groups, and service principals at the scope of subscription, resource group, or resource.

Microsoft Entra roles and Azure roles are often confused when you first work with Azure. Microsoft Entra roles provide the mechanism for managing permissions to Microsoft Entra resources, like user accounts and passwords. Azure roles provide a wealth of capabilities for managing Azure resources like virtual machines (VMs) at a granular level.

![Diagram that shows relationship of Azure roles and Microsoft Entra roles.](https://learn.microsoft.com/en-us/training/modules/create-custom-azure-roles-with-rbac/media/2-azure-office-roles.svg)

<details id="bkmrk-helpdesk.json-name-%C2%A0"><summary>helpdesk.json</summary>

```json
{
  "Name": "Helpdesk Administrators",
  "Description": "Can Read, Restart VMs, and log support tickets with Microsoft",
  "Actions": [
    "*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/subscriptionId"
  ]
}
```

</details>

Open PowerShell, type `code` followed by the name of the JSON file to open the editor, paste the definition, then right-click the top bar of the editor to save and exit.
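To make the Actions/NotActions semantics from the Understanding Role Definitions section and the additive property concrete, here is an added example (not code from the page, the Learn module or Azure) that evaluates a requested operation against a principal's role assignments across a scope hierarchy. The role table holds the helpdesk.json definition above plus simplified Reader and Contributor (the real built-ins carry more NotActions entries); the scope hierarchy, principals and assignments are constructed.

```python
import fnmatch

# Constructed role definitions: the page's helpdesk.json plus simplified
# Contributor and Reader (real built-ins carry more NotActions entries).
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"], "NotActions": [
        "Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
    "Helpdesk Administrators": {"Actions": [
        "*/read", "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Support/*"], "NotActions": []},
}

# Constructed hierarchy: management group > subscription > resource group > VM.
# Scope strings are not prefix-nested across the management-group boundary,
# so each scope's parent is recorded explicitly.
MG = "/providers/Microsoft.Management/managementGroups/contoso-mg"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/K8s_group"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
PARENT = {SUB: MG, RG: SUB, VM: RG}

# Constructed assignments (principal, role, scope): the page's user with
# Contributor at the management group and Reader at a resource group, plus
# one helpdesk operator at subscription scope.
ASSIGNMENTS = [("alice", "Contributor", MG), ("alice", "Reader", RG),
               ("bob", "Helpdesk Administrators", SUB)]

def matches(operation, patterns):
    """Operation strings are case-insensitive and '*' spans path segments."""
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)

def role_allows(role, operation):
    """A role grants an operation if Actions matches it and NotActions does
    not; NotActions only subtracts from Actions, it is not a deny."""
    return (matches(operation, role["Actions"])
            and not matches(operation, role["NotActions"]))

def scopes_covering(resource_scope):
    """The resource's own scope and every ancestor (assignments inherit down)."""
    while resource_scope:
        yield resource_scope
        resource_scope = PARENT.get(resource_scope)

def is_allowed(principal, operation, resource_scope, assignments=ASSIGNMENTS):
    """Additive evaluation: allowed if ANY applicable assignment's role allows
    it; nothing matching means implicit deny (deny assignments not modelled)."""
    covering = set(scopes_covering(resource_scope))
    return any(role_allows(ROLES[role], operation)
               for who, role, scope in assignments
               if who == principal and scope in covering)
```

Note that the helpdesk definition's Actions grant `virtualMachines/start/action` but not `restart/action`, even though its Description mentions restarting VMs, so a restart request by that operator is denied.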

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/z8lQBwT4UYJ6FftB-image.png)

Create the custom role:

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/PKrYA67pW8NjXAwc-image.png)

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/Nf58TldFoiAkP73o-image.png)

Assign the role; you can assign it to users, groups, etc.

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/HIlvBuEeJF2b6PKV-image.png)

Here we can check our own access or check someone else's access.

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/3eRXpj4XxHeMH1zf-image.png)

- Provide identities with access to Azure Resources
- Roles are collection of permissions
- Scoping hierarchy for role assignments
- Custom role definition
- No built-in role meets requirements
- User Access Administrator or Owner role for the account