Scenario
Adatum Corporation wants to implement custom RBAC roles to delegate permissions to start and stop (deallocate) Azure VMs.
Objectives
After completing this lab, you will be able to:
- Define a custom RBAC role
- Assign a custom RBAC role
Exercise 1: Define a custom RBAC role
The main tasks for this exercise are as follows:
- Deploy an Azure VM by using an Azure Resource Manager template
- Identify actions to delegate via RBAC
- Create a custom RBAC role in an Azure AD tenant
Task 1: Deploy an Azure VM by using an Azure Resource Manager template
1.From the lab virtual machine, start Microsoft Edge and browse to the Azure portal at http://portal.azure.com and sign in by using the Microsoft account that has the Owner role in the target Azure subscription.
2.In the Azure portal, in the Microsoft Edge window, start a PowerShell session within the Cloud Shell.
3.If you are presented with the You have no storage mounted message, configure storage using the following settings:
- Subsciption: the name of the target Azure subscription
- Cloud Shell region: the name of the Azure region that is available in your subscription and which is closest to the lab location
- Resource group: the name of a new resource group az3000900-LabRG
- Storage account: a name of a new storage account
- File share: a name of a new file share
4.From the Cloud Shell pane, create a resource groups by running (replace the <Azure region> placeholder with the name of the Azure region that is available in your subscription and which is closest to the lab location)
| New-AzResourceGroup -Name az3000901-LabRG -Location <Azure region> |
5.From the Cloud Shell pane, upload the Azure Resource Manager template \allfiles\AZ-300T03\Module_04\azuredeploy09.json into the home directory.
6.From the Cloud Shell pane, upload the parameter file \allfiles\AZ-300T03\Module_04\azuredeploy09.parameters.json into the home directory.
| New-AzResourceGroupDeployment -ResourceGroupName az3000901-LabRG -TemplateFile $home/azuredeploy09.json -TemplateParameterFile $home/azuredeploy09.parameters.json |
Note: Do not wait for the deployment to complete but instead proceed to the next task
8.In the Azure portal, close the Cloud Shell pane.
Task 2: Identify actions to delegate via RBAC
- In the Azure portal, navigate to the az3000901-LabRG blade.
- On the az3000901-LabRG blade, click Access Control (IAM).
- On the az3000901-LabRG – Access Control (IAM) blade, click Roles.
- On the Roles blade, click Owner.
- On the Owner blade, click Permissions.
- On the Permissions (preview) blade, click Microsoft Compute.
- On the Microsoft Compute blade, click Virtual machines.
- On the Virtual Machines blade, review the list of management actions that can be delegated through RBAC. Note that they include the Deallocate Virtual Machine and Start Virtual Machine actions.
Task 3: Create a custom RBAC role in an Azure AD tenant
1.On the lab computer, open the file \allfiles\AZ-300T03\Module_04\customRoleDefinition09.json and review its content:
| { “Name”: “Virtual Machine Operator (Custom)”, “Id”: null, “IsCustom”: true, “Description”: “Allows to start and stop (deallocate) Azure VMs”, “Actions”: [ “Microsoft.Compute/*/read”, “Microsoft.Compute/virtualMachines/deallocate/action”, “Microsoft.Compute/virtualMachines/start/action” ], “NotActions”: [ ], “AssignableScopes”: [ “/subscriptions/SUBSCRIPTION_ID” ] } |
2.In the Azure portal, in the Microsoft Edge window, start a PowerShell session within the Cloud Shell.
3.From the Cloud Shell pane, upload the Azure Resource Manager template \allfiles\AZ-300T03\Module_04\customRoleDefinition09.json into the home directory
4.From the Cloud Shell pane, run the following to replace the $SUBSCRIPTION_ID placeholder with the ID value of the Azure subscription
| $subscription_id = (Get-AzContext).Subscription.id(Get-Content -Path $HOME/customRoleDefinition09.json) -Replace ‘SUBSCRIPTION_ID’, “$subscription_id” | Set-Content -Path $HOME/customRoleDefinition09.json |
5.From the Cloud Shell pane, run the following to create the custom role definition:
| New-AzRoleDefinition -InputFile $HOME/customRoleDefinition09.json |
6.From the Cloud Shell pane, run the following to verify that the role was created successfully:
| Get-AzRoleDefinition -Name ‘Virtual Machine Operator (Custom)’ |
8.Close the Cloud Shell pane
Result: After you completed this exercise, you have defined a custom RBAC role
Exercise 2: Assign and test a custom RBAC role
The main tasks for this exercise are as follows:
- Create an Azure AD user
- Create an RBAC role assignment
- Test the RBAC role assignment
Task 1: Create an Azure AD userFrom the Cloud Shell pane, run the following to explicitly authenticate to the target Azure AD tenant:
1.In the Azure portal, in the Microsoft Edge window, start a PowerShell session within the Cloud Shell.
2.From the Cloud Shell pane, run the following to explicitly authenticate to the target Azure AD tenant:
| Connect-AzureAD |
3.From the Cloud Shell pane, run the following to identify the Azure AD DNS domain name:
| $domainName = ((Get-AzureAdTenantDetail).VerifiedDomains)[0].Name |
4.From the Cloud Shell pane, run the following to create a new Azure AD user:
| $passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile $passwordProfile.Password = ‘Pa55w.rd1234’ $passwordProfile.ForceChangePasswordNextLogin = $false New-AzureADUser -AccountEnabled $true -DisplayName ‘lab user0901’ -PasswordProfile $passwordProfile -MailNickName ‘labuser0901’ -UserPrincipalName “labuser0901@$domainName” |
5.From the Cloud Shell pane, run the following to identify the user principal name of the newly created Azure AD user:
| (Get-AzureADUser -Filter “MailNickName eq ‘labuser0901′”).UserPrincipalName |
6. Close the Cloud Shell pane.
Task 2: Create an RBAC role assignment
- In the Azure portal, navigate to the az3000901-LabRG blade.
- On the az3000901-LabRG blade, click Access Control (IAM).
- On the az3000901-LabRG – Access Control (IAM) blade, click + Add and select the Add role assignment option.
- On the Add role assignment blade, specify the following settings and click Save:
- Role: Virtual Machine Operator (Custom)
- Assign access to: Azure AD user, group, or service principal
- Select: lab user0901
Task 3: Test the RBAC role assignment
- Start a new in-private Microsoft Edge window, browse to the Azure portal at http://portal.azure.com and sign in by using the newly created user account:
- Username: the user principal name you identified in the first task of this exercise
- Password: Pa55w.rd1234
- In the Azure portal, navigate to the Resource groups blade. Note that you are not able to see any resource groups.
- In the Azure portal, navigate to the All resources blade. Note that you are able to see only the az3000901-vm and its managed disk.
- In the Azure portal, navigate to the az3000901-vm blade. Try restarting the virtual machine. Review the error message in the notification area and note that this action failed because the current user is not authorized to carry it out.
- Stop the virtual machine and verify that the action completed successfully.
Result: After you completed this exercise, you have assigned and tested a custom RBAC role
Exercise 3: Remove lab resources
Task 1: Open Cloud Shell
- At the top of the portal, click the Cloud Shell icon to open the Cloud Shell pane.
- If needed, switch to the Bash shell session by using the drop down list in the upper left corner of the Cloud Shell pane.
- At the Cloud Shell command prompt, type in the following command and press Enter to list all resource groups you created in this lab:
4.az group list --query "[?starts_with(name,'az30009')]".name --output tsv
- Verify that the output contains only the resource groups you created in this lab. These groups will be deleted in the next task.
Task 2: Delete resource groups
- At the Cloud Shell command prompt, type in the following command and press Enter to delete the resource groups you created in this lab
az group list --query "[?starts_with(name,'az30009')]".name --output tsv | xargs -L1 bash -c 'az group delete --name $0 --no-wait --yes'
- Close the Cloud Shell prompt at the bottom of the portal.
Result: In this exercise, you removed the resources used in this lab.
MORE RELATED
Microsoft Azure Architect Technologies Step by step Implementing and Configuring Azure Storage File and Blob Services (part 2 of 6)
Microsoft Azure Architect Technologies Step by step Implementing Highly Available Azure IaaS Compute Architecture (part 1 of 6)
Microsoft Azure Architect Technologies – Step by step Implementing and Managing Application Services (part 10 of 10)