1. Home
  2. Training Library
  3. Microsoft Azure
  4. Courses
  5. Introduction to Azure Resource Manager

Demo: Access Control in Azure Resource Manager

Start course
Duration1h 30m


In the previous lecture, we explored the access control capabilities offered by Azure Resource Manager (ARM) Policy and Role-Based Access Control (RBAC). In this demonstration, we will use the ARM PowerShell module to show how these mechanisms work. ARM Policy either allows or denies an action, based on inputs to the request, such as the targeted Azure Region (Location), or the tags on a resource. ARM RBAC enables an administrator to authorize access to an Azure Subscription, Resource Group, or individual Resource(s), for an Azure Active Directory (AAD) user account or group.


In this demonstration, we're going to take a look at how to use resource management policy from the Azure RM PowerShell module. First, we're going to install the Azure Resource Management PowerShell module from the gallery, and then we're going to install all of the Azure Resource Managemer child modules. It's important to note that the install module command requires PowerShell version five, which includes the PowerShell Get module. Next, we need to authenticate to the Microsoft Azure platform and to do that, we're going to call the Add-AzureRMAccount command. So I'm going to go ahead and hit F8 to run the selected code, and it's going to prompt me for my credential. When I type in my username and password, I'm now authenticated to the Microsoft Azure public cloud. The next step is to create a resource group that we'll apply the policy to. So let's go ahead and select that code. We're going to create a resource group called CloudAcademyPolicy inside of the North Europe region. We call the New-AzureRMResourceGroup command to create the resource group. The next command we're going to run is the New-AzureRMPolicyDefinition command. This is going to create a new policy that denies us access to Microsoft Azure storage operations. So let's go ahead and hit F8 to run this code. And that's going to create a new resource manager policy definition inside of our subscription. Finally, I need to assign that policy to a resource group. So I'm going to assign it to the resource group that we created before using the New-AzureRMPolicyAssignment command. So now I have assigned that policy to the resource group. So now, let's go ahead and try to perform an operation such as New-AzureRMStorageAccount. When we attempt to run this command, you'll see that we get an exception. As you can see, the exception is request disallowed by policy. The resource action, Microsoft.storage, which is the resource provider in Resource Manager, /storage accounts, that's the name of the resource type that we're trying to perform an operation against, /write, that's the name of the operation or action is disallowed by one or more policies. And as you can see, it actually gives us the identifier for that policy so that if we want to change that or remove that policy, we can actually understand which one's affecting us. As you can see, we can perform other operations such as creating a Redis Cache inside of that resource group. We call the New-AzureRMRedisCache command to create the Redis Cache. And as you can see, that command succeeds because we don't have a policy that's explicitly denying us access to that command or that action. Finally, we'll just call the Remove-AzureRMResourceGroup command to clean up the resource group and Remove-Azure RMPolicyDefinition to clean up the policy definition that we created. Hello, in this demonstration, we're going to explore the usage of Azure Resource Manager Role-Based Access Control to restrict the operations that a user can perform against a resource group. As with any PowerShell script, I need to make sure that I have the Azure RM module installed along with the child modules. The first step of our Azure RBAC test is to log in with our administrative account. So I'm going to go ahead and select that code and hit F8 to run the command. I'm going to type my password and then I am now authenticated to Microsoft Azure. I'm going to create a test resource group called CloudAcademyRBACTest in the North Europe Region. I simply call the New-AzureRMResourceGroup to achieve this. The next thing I need to do is to create a custom role definition. So this role definition is going to grant access to Microsoft's .cache commands. And as you can see, I've already created another role definition with the same name, so I'm just going to go ahead and change the name very quickly and rerun the command. The actions that this role allows are Microsoft.cache, which is one of the Azure Resource Manager resource providers, and I'm allowing all actions underneath that resource provider. Under the not actions property, I've specified that the user cannot issue the delete operation or action against the Microsoft.cache Redis resource. So now that I've created that new role definition, I need to assign that role to a user. So I have a test user here called Julia@trevorsullivan.net, and I'm going to grant or assign access to that user using the role definition that I just created. So now Julia@trevorsullivan.net has the Enable Cache Management role over the resource group that I created in the first step. So now, let's test out the access that that user has. So I'm going to actually log in as that user. And now that I've logged in with that restricted profile, I can create a new Redis Cache. You'll see that this command succeeds because, again, Julia has all actions available to her on the Redis Cache resource provider for this specific resource group except that she can't delete resources. So when we attempt to call the Remove-Azure RMRedisCache command, you'll see that we get an authorization failed exception that Julia@trevorsullivan.net doesn't have the ability to call the delete action on the Redis resource type, which is a member of the Microsoft.cache resource provider. So our policy worked successfully. Now, I'm going to switch back to my administrative user, and I'm going to clean up the role assignment for Julia. And then, I'm simply going to call the Remove-AzureRMResourceGroup command to delete the test resource group and then, finally, clean up my test role definition. There's one other command that we should be familiar with called Get-AzureRMAuthorizationChangeLog. This command allows us to view changes to authorization in a specified period of time. So as you can see, I have log entries here that are showing the actions that I performed as an administrator to grant or un-grant access to Julia@trevorsullivan.net.

About the Author

Trevor Sullivan is a Microsoft MVP for Windows PowerShell, and enjoys working with cloud and automation technologies. As a strong, vocal veteran of the Microsoft-centric IT field since 2004, Trevor has developed open source projects, provided significant amounts of product feedback, authored a large variety of training resources, and presented at IT functions including worldwide user groups and conferences.