Exercise: RBAC

Natasha Ong

Exercise Overview:

Imagine that you're responsible for managing users' access to a company's Azure account. In this exercise, you will:

  • Check for your own access level in Azure
  • See what roles look like in Azure
  • Assign roles to a user
  • Remove a user's role
  • Bonus: view activity logs for RBAC in Azure

Task 1: Check the Azure role assigned to yourself

Follow these steps to see what roles are currently assigned to you.

1. Sign in to the Azure portal.

2. On the Profile menu, select the ellipsis (...) to see more links.

3. Select My permissions to open the My permissions pane. You'll find the roles that you've been assigned and the scope. Your list may look a little different, which is totally okay!

Task 2: Check the role assignment for a resource group

Now that you know how to check your own access level, let's see what roles are assigned at the resource group level.

1. In the Search box at the top, search for and select Resource groups.

You can also find Resource groups in your left-hand menu.

2. Select a resource group from the list.

3. On the left-hand menu, select Access control (IAM).

4. Select the Role assignments tab.

This tab shows who has access to the resource group. Notice that some roles are scoped to This resource, while others are (Inherited) from a parent scope. What do you think that means?

5. You can check out the Roles tab to see a list of all the built-in and custom roles.

Remember: Azure has more than 70 built-in (i.e. pre-made, template) roles that you can use in your role assignments.

6. Select a role's View link in the Details column, then select the Assignments tab to display the number of users and groups assigned to that role.

Task 3: Grant access using Azure RBAC and the Azure portal

Now you will grant permissions by assigning a role. Let's say a user doesn't have permission to create and manage virtual machines in Azure. What would you do to give that user access?

1. While you're on the Access control (IAM) page, select Add > Add role assignment.

2. Search for and select Virtual Machine Contributor.

3. Select Next.

4. On the Members tab, select Select members.

5. Search for and select a user. Since you're the only user in your Azure account, you can look for yourself.

6. Select Select to add the user to the Members list.

7. Select Next.

8. On the Review + assign tab, review the role assignment settings.

9. Select Review + assign to assign the role.

After a few moments, the user is assigned the Virtual Machine Contributor role at the resource group scope. The user can now create and manage virtual machines just within this resource group.

Task 4: Remove role assignment

In Azure RBAC, you can remove a role assignment to remove access.

1. In the list of role assignments, check the box for the user with the Virtual Machine Contributor role.

2. Select Remove.

3. In the Remove role assignments message that appears, select Yes.

Bonus task: View activity logs for Azure RBAC changes

Imagine you're asked by your company to review all the Azure RBAC changes for auditing and troubleshooting purposes. How would you generate a report for all of the changes in role assignments and custom roles for a given time frame (e.g. for the last month)?

The easiest way to get started is to view the activity logs with the Azure portal.

1. Select All services, then search for Activity log.

2. Select Activity log to open the activity log.

3. Set the Timespan filter to Last month (to view the last month's activity).

4. Add an Operation filter and type role to filter the list.

5. Select the following Azure RBAC operations:

  • Create role assignment (roleAssignments)
  • Delete role assignment (roleAssignments)
  • Create or update custom role definition (roleDefinitions)
  • Delete custom role definition (roleDefinitions)

6. A list of all of the changes appears! Select one of them to get its activity log details.

7. Export the report by clicking Download as CSV at the top of the screen. Try opening the file and have a peek at what's inside!
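The same audit report can also be built in code. The following is an added example, not part of the original exercise: it assumes events in the JSON shape that `az monitor activity-log list` prints, and the sample events, user names and subscription ID are constructed placeholders.

```python
from collections import Counter

# The four RBAC operations selected in the steps above, keyed by lower-cased operation name.
RBAC_OPERATIONS = {
    "microsoft.authorization/roleassignments/write": "Create role assignment",
    "microsoft.authorization/roleassignments/delete": "Delete role assignment",
    "microsoft.authorization/roledefinitions/write": "Create or update custom role definition",
    "microsoft.authorization/roledefinitions/delete": "Delete custom role definition",
}
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"  # placeholder

def make_event(ts, caller, op, status, scope=RG):
    """Build a constructed event in the assumed activity-log JSON shape."""
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "status": {"value": status}, "authorization": {"scope": scope}}

# Constructed sample data, not real log output.
SAMPLE_EVENTS = [
    make_event("2024-05-03T09:15:00Z", "bob@example.com", "Microsoft.Authorization/roleDefinitions/write", "Succeeded"),
    make_event("2024-05-02T10:00:00Z", "alice@example.com", "Microsoft.Authorization/roleAssignments/write", "Started"),
    make_event("2024-05-02T10:00:02Z", "alice@example.com", "Microsoft.Authorization/roleAssignments/write", "Succeeded"),
    make_event("2024-05-02T10:30:00Z", "alice@example.com", "Microsoft.Compute/virtualMachines/write", "Succeeded"),
    make_event("2024-05-02T11:00:00Z", "carol@example.com", "Microsoft.Authorization/roleAssignments/write", "Failed"),
    make_event("2024-05-04T08:00:00Z", "alice@example.com", "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/DELETE", "Succeeded"),
]

def rbac_changes(events, status="Succeeded"):
    """Return one row per RBAC event with the given final status, oldest first."""
    rows = []
    for ev in events:
        op = (ev.get("operationName") or {}).get("value", "").lower()
        # One change logs several events (Started, then a final status); match a single status.
        if op not in RBAC_OPERATIONS or (ev.get("status") or {}).get("value") != status:
            continue
        rows.append({
            "time": ev.get("eventTimestamp", ""),
            "caller": ev.get("caller", "unknown"),
            "change": RBAC_OPERATIONS[op],
            "scope": (ev.get("authorization") or {}).get("scope", ""),
        })
    return sorted(rows, key=lambda r: r["time"])

def changes_per_caller(rows):
    """Count RBAC changes per identity, useful for spotting unexpected administrators."""
    return Counter(r["caller"] for r in rows)

if __name__ == "__main__":
    for r in rbac_changes(SAMPLE_EVENTS):
        print(r["time"], r["caller"], r["change"], r["scope"], sep=" | ")
```

Calling `rbac_changes(events, status="Failed")` lists denied or failed attempts, which are worth reviewing alongside the successful changes.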

Congratulations. RBAC will play a critical role in securing resources in an Azure environment. Awesome work in:

  • Checking your access in Azure
  • Checking the roles in Azure
  • Assigning additional roles to a user
  • Removing a user's access
  • Viewing activity logs for RBAC in Azure