Activity Logs

Role-Based Access Control, or RBAC, is how you can manage access to resources in Azure. RBAC works by creating role assignments that can apply to different levels of your tenant. A role assignment is broken down into three elements: the security principal, the role definition, and the scope you apply it to.

Custom roles in Azure's role-based access control provide the flexibility for any organization to create roles that are not covered by the built-in roles.

We will also look at common scenarios when troubleshooting role-based access control in Azure.

Learning Objectives

  • Identify the different elements that create the role assignment
  • Configure access to resources in Azure
  • Implement a custom role
  • Troubleshoot common RBAC problems

Intended Audience

  • People who want to become Azure administrators


  • General knowledge of the Azure portal



The Azure Activity Log provides visibility into subscription-level events that have occurred in Azure. Using the Activity Log, you can determine what operations were taken on the resources in your subscription. The Activity Log has eight categories:

  • Administrative: contains all the records for create, update, delete, and action operations performed. Here we will see events related to RBAC, like create role assignment and delete role assignment.
  • Service health: contains any health-related events that affect Azure.
  • Resource health: contains the records of any resource health events that have occurred to your deployed resources in Azure.
  • Alerts: contains all the alerts that were activated.
  • Autoscale: includes the records related to autoscaling.
  • Recommendations: has the recommendations from Azure Advisor.
  • Security: contains all of the logs generated by Azure Security Center.
  • Policy: contains records of all effect actions performed by Azure Policy.

The Azure Activity Log only retains records for the last 90 days. If you need to keep them longer for auditing or compliance reasons, you will need to use an Azure Event Hub to send your logs to your security information and event management application, or archive the records in an Azure storage account.

For Role-Based Access Control, the Azure Activity Log will log any changes made to role assignments or role definitions in your subscription. The events will be recorded as create role assignment, delete role assignment, create or update custom role definition, and delete custom role definition.
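As an added example (not part of the course or of Microsoft's tooling), the Python below filters Activity Log records down to the four RBAC events described above, dropping the "Started" half of each operation and keeping failed attempts. The record field names are assumed to follow the shape of `az monitor activity-log list` JSON output, and all sample records, callers and IDs are constructed.

```python
# Operations behind the four RBAC events named above (matched case-insensitively).
RBAC_OPERATIONS = {
    "microsoft.authorization/roleassignments/write": "Create role assignment",
    "microsoft.authorization/roleassignments/delete": "Delete role assignment",
    "microsoft.authorization/roledefinitions/write": "Create or update custom role definition",
    "microsoft.authorization/roledefinitions/delete": "Delete custom role definition",
}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription

def _record(ts, op, status, caller, scope, corr, category="Administrative"):
    """Build one constructed record in the assumed export shape (hypothetical helper)."""
    return {"eventTimestamp": ts, "operationName": {"value": op},
            "status": {"value": status}, "caller": caller, "resourceId": scope,
            "correlationId": corr, "category": {"value": category}}

# Constructed sample data, not real log output.
SAMPLE_RECORDS = [
    _record("2024-05-01T10:00:00Z", "Microsoft.Authorization/roleAssignments/write", "Started", "alice@example.com", SUB + "/resourceGroups/rg-app", "c1"),
    _record("2024-05-01T10:00:02Z", "Microsoft.Authorization/roleAssignments/write", "Succeeded", "alice@example.com", SUB + "/resourceGroups/rg-app", "c1"),
    _record("2024-05-01T10:05:00Z", "Microsoft.Compute/virtualMachines/start/action", "Succeeded", "bob@example.com", SUB + "/resourceGroups/rg-app", "c2"),
    _record("2024-05-01T11:00:00Z", "MICROSOFT.AUTHORIZATION/ROLEDEFINITIONS/WRITE", "Succeeded", "alice@example.com", SUB, "c3"),
    _record("2024-05-01T12:00:00Z", "Microsoft.Authorization/roleAssignments/delete", "Failed", "carol@example.com", SUB + "/resourceGroups/rg-db", "c4"),
    _record("2024-05-01T12:30:00Z", "Microsoft.Authorization/policies/audit/action", "Succeeded", "policy", SUB, "c5", category="Policy"),
]

def rbac_changes(records):
    """Return one row per finished RBAC operation (succeeded or failed), oldest first."""
    final = {}
    for rec in records:
        op = rec.get("operationName", {}).get("value", "").lower()
        status = rec.get("status", {}).get("value", "")
        is_admin = rec.get("category", {}).get("value") == "Administrative"
        # Skip other categories, non-RBAC operations, and the "Started" half of a pair.
        if not is_admin or op not in RBAC_OPERATIONS or status == "Started":
            continue
        final[(rec.get("correlationId"), op)] = {
            "time": rec["eventTimestamp"], "event": RBAC_OPERATIONS[op],
            "caller": rec.get("caller", "unknown"),
            "scope": rec.get("resourceId", ""), "status": status,
        }
    return sorted(final.values(), key=lambda row: row["time"])

if __name__ == "__main__":
    for row in rbac_changes(SAMPLE_RECORDS):
        print(row["time"], row["status"], row["event"], row["caller"], row["scope"])
```

Because the Activity Log keeps only 90 days of records, a filter like this is most useful when run over the copies archived to a storage account or forwarded through an Event Hub.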

About the Author

With over 15 years of experience in the IT industry, Eric Leonard is a Microsoft Azure MVP and a Cloud Solution Architect. Eric’s experience working with Microsoft technologies, with a strong emphasis on cloud and automation solutions, enables his clients to succeed in today’s technological environment. Eric has worked for clients in a variety of different industries including large and small enterprises, the public sector, professional services, education, and communications.

When he is not working, Eric believes in sharing his knowledge and giving back to the IT community. He is the co-organizer of the Ottawa IT community meetup, which has over 1,000 members, and he enjoys presenting and mentoring in the community.