Imagine that you're responsible for managing users' access to a company's Azure account. In this exercise, you will:
Follow these steps to see what roles are currently assigned to you.
1. Sign in to the Azure portal.
2. On the Profile menu, select the ellipsis (...) to see more links.
3. Select My permissions to open the My permissions pane. You'll see the roles you've been assigned and the scope of each. Your list may look a little different, which is totally okay!
Now that you know how to check your own access level, let's see what roles are assigned at the resource group level.
1. In the Search box at the top, search for and select Resource groups.
You can also find Resource groups in your left-hand menu.
2. Select a resource group from the list.
3. On the left-hand menu, select Access control (IAM).
4. Select the Role assignments tab.
This tab shows who has access to the resource group. Notice that some roles are scoped to This resource, while others are (Inherited) from a parent scope. What do you think that means?
5. You can check out the Roles tab to see a list of all the built-in and custom roles.
Remember: Azure has more than 70 built-in (that is, pre-made) roles that you can use in your role assignments.
6. Select a role's View link in the Details column, then select the Assignments tab to display the number of users and groups assigned to that role.
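To answer the question about This resource versus (Inherited): a role assignment made at a parent scope (management group, subscription, resource group) flows down to everything beneath it, while an assignment made on a child or sibling resource does not grant anything at the resource group. The following Python is an added illustration, not part of the original exercise; the assignments are constructed sample data and the subscription id is a placeholder. It labels each assignment the way the Role assignments tab does.

```python
"""Work out which role assignments apply at an Azure scope, and whether each
is direct ('This resource') or '(Inherited)' from a parent scope.

Added illustration; not part of the original exercise. The assignments are
constructed sample data and the subscription id is a placeholder.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str  # resource id the assignment was made at


def _norm(scope: str) -> str:
    # Azure resource ids are case-insensitive; strip a trailing slash too.
    return scope.rstrip("/").lower()


def is_parent_scope(parent: str, child: str) -> bool:
    """True if `child` is `parent` itself or lies beneath it.

    Scopes form a path hierarchy (management group -> subscription ->
    resource group -> resource), so a parent's id is a segment-wise prefix
    of every descendant's id. Comparing on a '/' boundary avoids matching
    'rg-demo' against 'rg-demo2'.
    """
    p, c = _norm(parent), _norm(child)
    return c == p or c.startswith(p + "/")


def effective_assignments(assignments, scope):
    """Return (assignment, label) pairs granting access at `scope`.

    Direct assignments are labelled 'This resource'; those made at a parent
    scope are '(Inherited)', as the portal's Role assignments tab shows.
    Assignments at child or sibling scopes do not grant access here.
    """
    rows = []
    for a in assignments:
        if not is_parent_scope(a.scope, scope):
            continue
        label = "This resource" if _norm(a.scope) == _norm(scope) else "(Inherited)"
        rows.append((a, label))
    return rows


# Constructed sample hierarchy (placeholder subscription id).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-demo"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
OTHER_RG = SUB + "/resourceGroups/rg-other"

ASSIGNMENTS = [
    RoleAssignment("alice@contoso.example", "Owner", SUB),
    RoleAssignment("bob@contoso.example", "Virtual Machine Contributor", RG),
    RoleAssignment("carol@contoso.example", "Reader", VM),
    RoleAssignment("dave@contoso.example", "Contributor", OTHER_RG),
]


def access_table(scope):
    """(principal, role, label) rows for `scope`, in assignment order."""
    return [(a.principal, a.role, label)
            for a, label in effective_assignments(ASSIGNMENTS, scope)]


if __name__ == "__main__":
    for scope in (RG, VM):
        print(scope)
        for principal, role, label in access_table(scope):
            print(f"  {principal:<24} {role:<30} {label}")
```

At the resource group, alice's subscription-level Owner shows as (Inherited) and bob's assignment as This resource; carol's Reader on the VM and dave's Contributor on the other resource group do not appear at all. This is why a quick review of a resource group's Role assignments tab is not enough on its own: broad access often comes from the subscription or management group above it.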
Now you will grant permissions by assigning a role. Let's say a user doesn't have access to create and manage virtual machines in Azure. What would you do to give that user access?
1. While you're in the Access control (IAM) page, select Add ➝ Add role assignment.
2. Search for and select Virtual Machine Contributor.
3. Select Next.
4. On the Members tab, select Select members.
5. Search for and select a user. Since you're the only user in your Azure account, you can look for yourself.
6. Select Select to add the user to the Members list.
7. Select Next.
8. On the Review + assign tab, review the role assignment settings.
9. Select Review + assign to assign the role.
After a few moments, the user is assigned the Virtual Machine Contributor role at the resource group scope. The user can now create and manage virtual machines, but only within this resource group.
In Azure RBAC, you can remove a role assignment to remove access.
1. In the list of role assignments, check the box for the user with the Virtual Machine Contributor role.
2. Select Remove.
3. In the Remove role assignments message that appears, select Yes.
Imagine you're asked by your company to review all the Azure RBAC changes for auditing and troubleshooting purposes. How would you generate a report for all of the changes in role assignments and custom roles for a given time frame (e.g. for the last month)?
The easiest way to get started is to view the activity logs with the Azure portal.
1. Select All services, then search for Activity log.
2. Select Activity log to open the activity log.
3. Set the Timespan filter to Last month (to view the last month's activity).
4. Add an Operation filter and type role to filter the list.
5. Select the following Azure RBAC operations:
   - Create role assignment (roleAssignments)
   - Delete role assignment (roleAssignments)
   - Create or update custom role definition (roleDefinitions)
   - Delete custom role definition (roleDefinitions)
6. A list of all of the changes appears! Select one of them to get its activity log details.
7. Export the report by clicking Download as CSV at the top of the screen. Try opening the file and have a peek at what's inside!
Congratulations. RBAC will play a critical role in securing resources in an Azure environment. Awesome work in: