Azure Identity And Access Management Part 39 – Azure Role-Based Access Control(RBAC) 1 – Overview

Hello All,
Hope you all are doing good!!!
First of all, thank you all for your comments and suggestions on our previous series, Learn Basics Of Azure Networking In 60 Hours.
In our last Azure AD series article we discussed Azure Active Directory – Password Protection And Smart Lockout. Today, in this article, we will continue with our series and start a new and very crucial topic, Azure Role-Based Access Control (RBAC).
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check them at the following links.
Part 1 – Azure Active Directory – Overview
Part 2 – Azure Active Directory – Enterprise Users
Part 3 – Azure Active Directory – Create Custom Directory Role & Assign Role using Power-Shell
- *
- *
- *
Part 25 – Azure Active Directory – Identity Governance
Part 26 – Azure Active Directory – Domain Service ( Azure AD-DS) 1 – Overview
Part 32 – Azure Active Directory – Application Management 1 – Overview
Part 33 – Azure Active Directory – Application Management 2 – Integrate SaaS Application
Part 34 – Azure Active Directory – Application Management 3 – SSO Configuration For SaaS Application
Part 35 – Azure Active Directory – Application Management 4 – User Provisioning For SaaS Application
Part 36 – Azure Active Directory – Application Management 5 – Self-Service Application Access
Part 37 – Azure Active Directory – Plan Authentication With Azure AD
Part 38 – Azure Active Directory – Password Protection And Smart Lockout
Next Article : Part 40 – Azure Role-Based Access Control(RBAC) 2 – Configure Custom RBAC Role Using Azure portal
What Is Azure Role-Based Access Control (RBAC) :
Azure role-based access control (Azure RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. Azure RBAC helps us manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
How Azure RBAC works :
The following two major components (concepts) of Azure Resource Manager play the main role in the Azure RBAC process and determine how permissions are enforced.
- Role Assignment
- Deny Assignment
A Role Assignment and a Deny Assignment each consist of the following three elements.
Security Principal – A security principal represents one of the following objects that is requesting access to Azure resources.
- User
- Group
- Service Principal
- Managed Identity
Role Definition / Role – A Role Definition is a collection of permissions that can be performed, such as read, write, and delete. We also call it a Role. Azure RBAC has over 120 built-in roles, and we can also create our own custom roles if required.
As we know, Azure provides over 120 built-in roles; each role is specific to a resource and associated with its resource provider. For example, some roles are specific to Virtual Machines, some to databases, some to Virtual Networks, and some are common to all. If we check the available roles at subscription level, we can find all the roles provided by Azure.

But when we go to a specific resource, the list of roles changes according to the selected resource. If we look at the Access control (IAM) of a virtual machine, there are far fewer roles and they are specific to Virtual Machines. So when we plan a role assignment, we can be very specific about the security principal and the resource to choose.

The following figure shows a sample role definition declaration.

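The figure is not reproduced here, so the following is an added example (not from the original article) of what a role definition declaration looks like: a constructed custom role in the JSON shape Azure RBAC uses, written to a file and created with Azure PowerShell. The role name, description and subscription GUID are placeholders; the action strings are real Azure operation names.

```powershell
# Added example (not from the original article): the JSON shape of an Azure role definition,
# here a constructed custom role. Name, description and the subscription GUID are placeholders;
# the action strings are real Azure operation names.
$roleJson = @'
{
  "Name": "Example VM Operator",
  "IsCustom": true,
  "Description": "Can view, start, restart and deallocate virtual machines, but not create or delete them.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
  ]
}
'@

# Actions/NotActions are management-plane permissions, DataActions/NotDataActions are data-plane.
# AssignableScopes limits where the role can be assigned, and therefore where it is listed.
$path = Join-Path ([System.IO.Path]::GetTempPath()) 'example-vm-operator.json'
Set-Content -Path $path -Value $roleJson

# Creating the role needs Connect-AzAccount and a principal that can write role definitions
# (Owner or User Access Administrator) at every assignable scope.
New-AzRoleDefinition -InputFile $path

# Read the new role back, then compare it with the built-in role it narrows down
Get-AzRoleDefinition -Name 'Example VM Operator' |
    Select-Object Name, IsCustom, Actions, NotActions, AssignableScopes
Get-AzRoleDefinition -Name 'Virtual Machine Contributor' |
    Select-Object -ExpandProperty Actions
```

The last command is the useful comparison when reviewing a custom role: a built-in role such as Virtual Machine Contributor carries many wildcard actions, whereas the custom role above lists exactly the five operations it allows, which is the least-privilege shape we want before assigning it.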
Scope – Scope is the set of Azure resources that the access applies to. It is structured in a parent and child relationship. Scopes are categorized in the following manner.
- Management Group
- Subscription
- Resource Group
- Resource

Role Assignments :
A Role Assignment is the process of attaching a role definition to a security principal at a particular scope for the purpose of granting access. By creating a role assignment we grant access, and by removing the role assignment we revoke it.

When we assign a role at subscription level, that role assignment is inherited by all its children, e.g. the Resource Groups of that subscription as well as all resources under those resource groups, because everything is structured as a parent-child relationship.

As shown in the above figure, user ‘Rasmita’ has Owner permission at subscription level, so she has Owner permission inherited on all its Resource Groups as well as on the Resources under each Resource Group. If ‘Manas’ has been given Contributor permission on a specific Resource Group, then he has Contributor permission on all resources of that Resource Group, but not on other Resource Groups or on the subscription. Permission inheritance flows only downward. So when we grant a permission, we need to give it at the specific node and avoid assigning roles at subscription level unless strongly required, to avoid unauthorized access at resource level.
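Inheritance is easy to miss when looking at a single resource group in the portal, so here is an added example (not from the original article) that lists the role assignments visible at a resource group and marks each one as direct or inherited. It assumes Connect-AzAccount has been run; the subscription ID and resource group name are placeholders to replace.

```powershell
# Added example, not from the original article. Assumes Connect-AzAccount has been run and the
# two placeholders below are replaced with your own subscription ID and resource group name.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-example'                              # placeholder
$subScope = "/subscriptions/$subscriptionId"
$rgScope  = "$subScope/resourceGroups/$resourceGroup"

# Get-AzRoleAssignment at a resource group returns assignments made at that scope plus the ones
# inherited from the subscription and from management groups above it. The Scope property tells
# us where each assignment was actually made, so we can label the source of every permission.
Get-AzRoleAssignment -ResourceGroupName $resourceGroup |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope,
        @{ Name = 'Source'; Expression = {
            if ($_.Scope -eq $rgScope) { 'Direct' }
            elseif ($_.Scope -eq $subScope) { 'Inherited (subscription)' }
            elseif ($_.Scope -like '/providers/Microsoft.Management/managementGroups/*') { 'Inherited (management group)' }
            else { 'Inherited' } } } |
    Sort-Object Source, RoleDefinitionName, DisplayName |
    Format-Table -AutoSize
```

Rows labelled Inherited (subscription) with the Owner or Contributor role are exactly the subscription-level grants the paragraph above warns about: nobody assigned them on this resource group, yet every resource in it is affected, and removing them has to happen at the subscription scope, not here.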
Deny Assignments :
Azure RBAC now supports deny assignments, which were not there in the initial phase, but support is still limited. Like a role assignment, a Deny Assignment attaches a set of deny actions to a security principal at a particular scope for the purpose of denying access.
How Azure RBAC Take Decision To Grant Access :
The following are the high-level steps that Azure RBAC uses to determine whether you have access to a resource on the management plane. This is helpful to understand if you are trying to troubleshoot an access issue.
- A service principal acquires a token for Azure Resource Manager. The token includes the service principal’s group memberships (including transitive group memberships).
- The service principal makes a REST API call to Azure Resource Manager with the token attached.
- Azure Resource Manager collects all the role assignments and deny assignments that apply to the requested resource.
- Azure Resource Manager narrows the role assignments that apply to this service principal and determines what roles the service principal has for this resource.
- Azure Resource Manager determines if the action in the API call is included in the roles the service principal has for this resource.
- If the service principal doesn’t have a role with the action at the requested scope, access is not granted. Otherwise, Azure Resource Manager checks if a deny assignment applies.
- If a deny assignment applies, access is blocked. Otherwise access is granted.
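To make the decision steps above concrete, here is an added example (not from the original article, and not Azure's own code) that models them locally in plain PowerShell: it walks the scope chain of the requested resource, collects the role and deny assignments that apply to the principal and its groups, checks the action against Actions minus NotActions with the same "*" wildcard semantics Azure uses, and applies deny assignments last. All scopes, principals, role definitions and assignments are constructed sample data; the role definitions are abbreviated (the real Contributor role has more NotActions), and management groups are left out of the scope chain for brevity.

```powershell
# Added example (not from the original article): a local model of the Azure RBAC decision steps.
# Every scope, principal, role definition and assignment below is constructed sample data and
# nothing here calls Azure. Management groups are left out of the scope chain for brevity.

function Get-ScopeChain {
    param([string]$Scope)
    # A resource "/subscriptions/S/resourceGroups/RG/providers/P/T/N" is covered by assignments
    # at itself, its resource group, its subscription and the root "/".
    $parts = $Scope.Trim('/') -split '/'
    $chain = @($Scope)
    if ($parts.Count -ge 4) { $chain += '/' + ($parts[0..3] -join '/') }   # resource group
    if ($parts.Count -ge 2) { $chain += '/' + ($parts[0..1] -join '/') }   # subscription
    $chain += '/'
    return ($chain | Select-Object -Unique)
}

function Test-ActionMatch {
    param([string]$Pattern, [string]$Action)
    # "*" in a role definition spans any number of path segments, so "*/read" matches
    # "Microsoft.Compute/virtualMachines/read". -match is case-insensitive, as Azure is.
    $regex = '^' + [regex]::Escape($Pattern).Replace('\*', '.*') + '$'
    return [bool]($Action -match $regex)
}

function Test-AzureAccess {
    param(
        [string]$Principal, [string[]]$Groups, [string]$Action, [string]$Scope,
        [hashtable]$RoleDefinitions, [object[]]$RoleAssignments, [object[]]$DenyAssignments
    )
    $identities = @($Principal) + $Groups        # step 1: the token carries group memberships
    $chain = Get-ScopeChain -Scope $Scope
    # steps 3-4: role assignments that apply to this resource and to the principal or its groups
    $applicable = $RoleAssignments | Where-Object {
        $chain -contains $_.Scope -and $identities -contains $_.Principal
    }
    # step 5: does any applicable role include the action (Actions minus NotActions)?
    $allowed = $false
    foreach ($ra in $applicable) {
        $def = $RoleDefinitions[$ra.Role]
        $inActions    = @($def.Actions    | Where-Object { Test-ActionMatch $_ $Action }).Count -gt 0
        $inNotActions = @($def.NotActions | Where-Object { Test-ActionMatch $_ $Action }).Count -gt 0
        if ($inActions -and -not $inNotActions) { $allowed = $true; break }
    }
    # step 6: no role with the action at this scope means no access
    if (-not $allowed) { return 'Denied (no role grants the action at this scope)' }
    # step 7: a matching deny assignment blocks access even though a role allows it
    foreach ($da in $DenyAssignments) {
        $actionDenied = @($da.Actions | Where-Object { Test-ActionMatch $_ $Action }).Count -gt 0
        if ($chain -contains $da.Scope -and $identities -contains $da.Principal -and $actionDenied) {
            return 'Denied (deny assignment applies)'
        }
    }
    return 'Granted'
}

# Constructed, abbreviated role definitions (the real Contributor role has more NotActions)
$roleDefinitions = @{
    Owner       = @{ Actions = @('*');      NotActions = @() }
    Reader      = @{ Actions = @('*/read'); NotActions = @() }
    Contributor = @{ Actions = @('*');      NotActions = @('Microsoft.Authorization/*/Write',
                                                           'Microsoft.Authorization/*/Delete') }
}
$sub = '/subscriptions/sub-1'
$rg  = "$sub/resourceGroups/rg-sales"
$vm  = "$rg/providers/Microsoft.Compute/virtualMachines/vm1"
$roleAssignments = @(
    @{ Principal = 'rasmita'; Role = 'Owner';       Scope = $sub }   # inherited by every child
    @{ Principal = 'manas';   Role = 'Contributor'; Scope = $rg  }   # limited to rg-sales
)
# Azure creates deny assignments itself (for example through Azure Blueprints); here we only
# model one that protects vm1 from deletion by every member of the constructed 'all-staff' group.
$denyAssignments = @(
    @{ Principal = 'all-staff'; Scope = $vm; Actions = @('Microsoft.Compute/virtualMachines/delete') }
)

$cases = @(
    @{ Who = 'manas';   Action = 'Microsoft.Compute/virtualMachines/start/action'; On = $vm }
    @{ Who = 'manas';   Action = 'Microsoft.Compute/virtualMachines/read';         On = "$sub/resourceGroups/rg-hr" }
    @{ Who = 'manas';   Action = 'Microsoft.Authorization/roleAssignments/write';  On = $rg }
    @{ Who = 'rasmita'; Action = 'Microsoft.Compute/virtualMachines/delete';       On = $vm }
)
foreach ($c in $cases) {
    $result = Test-AzureAccess -Principal $c.Who -Groups @('all-staff') -Action $c.Action -Scope $c.On `
        -RoleDefinitions $roleDefinitions -RoleAssignments $roleAssignments -DenyAssignments $denyAssignments
    '{0,-8} {1,-50} -> {2}' -f $c.Who, $c.Action, $result
}
```

The four cases map onto the paragraphs above: Manas can start vm1 because his Contributor assignment at rg-sales is in the VM's scope chain; he gets nothing in rg-hr because inheritance only flows downward; he cannot write role assignments even though Contributor starts from "*", because NotActions subtracts Microsoft.Authorization writes; and Rasmita, despite Owner at the subscription, is blocked from deleting vm1 because the deny assignment on the VM is evaluated after the allow and wins.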
Recommendations For Azure RBAC :
- Grant access to a security principal only if required.
- Limit the number of owners for a subscription.
- Use Azure AD Privileged Identity Management (PIM)
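The second recommendation is easy to check. Here is an added example (not from the original article) that counts the Owner assignments made directly at each subscription the signed-in account can see and flags subscriptions above a threshold. It assumes Connect-AzAccount has been run with an account that can read role assignments in those subscriptions; the threshold is a constructed value.

```powershell
# Added example, not from the original article. Assumes Connect-AzAccount has been run with an
# account that can read role assignments in each subscription. The threshold is a constructed value.
$maxOwners = 3

foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    $subScope = "/subscriptions/$($sub.Id)"

    # Get-AzRoleAssignment -Scope also returns Owner assignments inherited from management groups;
    # keep only the ones made directly on this subscription, which is what we can fix here.
    $owners = @(Get-AzRoleAssignment -Scope $subScope -RoleDefinitionName 'Owner' |
                Where-Object { $_.Scope -eq $subScope })

    [pscustomobject]@{
        Subscription      = $sub.Name
        OwnerCount        = $owners.Count
        UserOwners        = (@($owners | Where-Object ObjectType -eq 'User').DisplayName) -join ', '
        NonUserOwners     = (@($owners | Where-Object ObjectType -ne 'User').DisplayName) -join ', '
        Flag              = if ($owners.Count -gt $maxOwners) { 'REVIEW' } else { '' }
    }
}
```

Two things to keep in mind when reading the output: NonUserOwners lists groups and service principals holding Owner, which are worth a separate review because their membership or credentials grant the same rights; and Get-AzRoleAssignment reports active assignments only, so Owners who hold the role as a PIM eligible assignment (the third recommendation) do not appear in the count, which is the intended end state.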
Azure role-based access control limits :
As per the Microsoft documentation, Azure RBAC has the following limits, so we need to consider them before planning for Azure RBAC.
| Resource | Limit |
|---|---|
| Role assignments for Azure resources per Azure subscription | 2,000 |
| Role assignments for Azure resources per management group | 500 |
| Azure custom roles per tenant | 5,000 |
| Azure custom roles per tenant (for Azure Germany and Azure China 21Vianet) | 2,000 |
PowerShell Commands :
Get-AzADUser -StartsWith <string_in_quotes>
Get-AzADGroup -SearchString <group_name_in_quotes>
Get-AzADServicePrincipal -SearchString <service_name_in_quotes>
List role assignments for a subscription :
Get-AzRoleAssignment -Scope /subscriptions/<subscription_id>
List role assignments for a user :
Get-AzRoleAssignment -SignInName <email_or_userprincipalname>
List role assignments for a resource group :
Get-AzRoleAssignment -ResourceGroupName <resource_group_name>
List role assignments for a management group :
Get-AzRoleAssignment -Scope /providers/Microsoft.Management/managementGroups/<group_id>
List role assignments for a resource :
Get-AzRoleAssignment -Scope "/subscriptions/<subscription_id>/resourcegroups/<resource_group_name>/providers/<provider_name>/<resource_type>/<resource>"
List role assignments for a managed identity :
Get-AzRoleAssignment -ObjectId <objectid>
User at a resource group scope :
New-AzRoleAssignment -SignInName <email_or_userprincipalname> -RoleDefinitionName <role_name> -ResourceGroupName <resource_group_name>
Using the unique role ID :
New-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionId <role_id> -Scope <resource_group_name/resource/management groups>
Group at a resource scope :
New-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName <role_name> -ResourceName <resource_name> -ResourceType <resource_type> -ParentResource <parent resource> -ResourceGroupName <resource_group_name>
Application at a subscription scope :
New-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName <role_name> -Scope /subscriptions/<subscription_id>
User at a management group scope :
New-AzRoleAssignment -SignInName <email_or_userprincipalname> -RoleDefinitionName <role_name> -Scope /providers/Microsoft.Management/managementGroups/<group_id>
Remove a role assignment :
Remove-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName <role_name> -Scope /subscriptions/<subscription_id>
Remove-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName <role_name> -Scope /providers/Microsoft.Management/managementGroups/<group_id>
CLI Commands :
List role assignments for a user :
az role assignment list --assignee {assignee}
az role assignment list --all --assignee patlong@contoso.com --output json --query '[].{principalName:principalName, roleDefinitionName:roleDefinitionName, scope:scope}'
List role assignments for a resource group :
az role assignment list --resource-group {resourceGroup}
az role assignment list --resource-group pharma-sales --output json --query '[].{principalName:principalName, roleDefinitionName:roleDefinitionName, scope:scope}'
List role assignments for a subscription :
az role assignment list --subscription {subscriptionNameOrId}
az role assignment list --subscription 00000000-0000-0000-0000-000000000000 --output json --query '[].{principalName:principalName, roleDefinitionName:roleDefinitionName, scope:scope}'
List role assignments for a management group :
az role assignment list --scope /providers/Microsoft.Management/managementGroups/{groupId}
az role assignment list --scope /providers/Microsoft.Management/managementGroups/sales-group --output json --query '[].{principalName:principalName, roleDefinitionName:roleDefinitionName, scope:scope}'
List role assignments for a managed identity :
az role assignment list --assignee {objectId}
License requirements :
Using this feature is free and included in our Azure subscription.
References :
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
https://www.youtube.com/watch?v=_kuTP4wdoxk
As I am exploring Azure Identity and Access Management (IAM), please let me know if I missed anything important. In my next article we will continue with one more feature of Azure IAM.
Next Article : Part 40 – Azure Role-Based Access Control(RBAC) 2 – Configure Custom RBAC Role Using Azure portal
Keep reading and share your thoughts and experiences. Feel free to contact us to discuss more.
If you have any suggestion, feedback or doubt, you are most welcome. Stay tuned to Knowledge-Junction; we will come up with more such articles.
Thanks for reading 🙂