Role-based access control (RBAC) is how you manage access to resources in Azure. RBAC works by creating role assignments at the different levels (scopes) of your tenant: management group, subscription, resource group or individual resource. A role assignment has three elements: the security principal (who), the role definition (what they may do), and the scope at which it applies (where).
Custom roles in Azure's role-based access control provide the flexibility for any organization to create roles that are not covered by the built-in roles.
We will also look at common scenarios encountered when troubleshooting role-based access control in Azure.
Learning Objectives
- Identify the different elements that create the role assignment
- Configure access to resources in Azure
- Implement a custom role
- Troubleshoot common RBAC problems
Intended Audience
- People who want to become Azure administrators
Prerequisites
- General knowledge of the Azure portal
Related Training Content
To discover more courses covering Microsoft Azure topics, visit our dedicated Azure Training Library.
Role-based access control is how you manage access to resources in Azure. As you navigate through Azure, from the management group to the subscription to the resource group, all the way down to the individual resource, you will notice a blade called Access control (IAM). This is where you view, add and remove role assignments at that scope; an assignment made here also applies to everything beneath it. Let's go to the Azure portal and see how we can view, add and remove these role assignments. Here we are in the Azure portal under Resource groups. Let's select our resource group, and we notice that it already contains a virtual machine. Let's give access to Ari, who is tasked with managing all the virtual machines in this resource group. Click on Access control (IAM). To add a role assignment, click the Add button on the right-hand side, or Add role assignment in the menu bar. Under Role we see the list of built-in roles (any custom roles defined in the tenant appear here too). Scroll down to Virtual Machine Contributor. In the Select field, search for Ari's name, select it and hit Save. Now Ari holds the Virtual Machine Contributor role at the scope of this resource group, so he can manage this virtual machine and any virtual machine created in the group later. Assigning the role at the resource group rather than the subscription is the least-privilege choice here. Note what the role does not grant: it does not give management access to the virtual network or storage account the virtual machine is connected to.
We can check Ari's access by going to Check access and typing in his name. The results show every role he holds at this scope, whether it was assigned here or inherited from above. Close that. Alternatively, go to the Role assignments tab, which lists all of the role assignments for the resource group. Some of them are inherited from the subscription or management group above; those can only be removed at the scope where they were created, not from here. Ari is at the bottom, as Virtual Machine Contributor on this resource group. We can remove Ari's access by selecting his user and clicking Remove. In this short demo, we added our user, Ari, to the Virtual Machine Contributor role. We then verified his access by going to Check access and reviewing the Role assignments tab. We finished by removing the role assignment from the resource group.
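The same add, check, list and remove sequence as the portal demo above, done with the Az PowerShell module. This is an added example and not part of the course; it assumes the Az module is installed and you have already run Connect-AzAccount, and the resource group name and Ari's sign-in name are placeholders, not values from the course.

```powershell
# Added example (not from the course): the portal demo done with the Az PowerShell module.
# Assumptions: Az module installed, Connect-AzAccount already run. The resource group name
# and the sign-in name below are placeholders.
$ResourceGroup = 'rg-demo-vms'
$SignInName    = 'ari@contoso.com'
$RoleName      = 'Virtual Machine Contributor'

# Resolve the principal first so the assignment targets an object ID, not a display name
# (display names are not unique; object IDs are).
$ari = Get-AzADUser -UserPrincipalName $SignInName
if (-not $ari) { throw "User $SignInName not found in the tenant" }

# 1. Add the role assignment at resource-group scope
#    (Access control (IAM) > Add role assignment in the portal).
New-AzRoleAssignment -ObjectId $ari.Id `
    -RoleDefinitionName $RoleName `
    -ResourceGroupName $ResourceGroup

# 2. "Check access": every assignment Ari has that applies at this scope, including ones
#    inherited from the subscription or a management group. The Scope column shows where
#    each assignment was created, which is the only place it can be removed.
Get-AzRoleAssignment -ResourceGroupName $ResourceGroup -ObjectId $ari.Id |
    Select-Object RoleDefinitionName, Scope, ObjectType

# 3. Inspect what the role actually permits before relying on it. Actions/NotActions are
#    control-plane permissions; this role does not cover the virtual network or storage
#    account the VM is attached to.
$def = Get-AzRoleDefinition -Name $RoleName
$def | Select-Object Name, Actions, NotActions | Format-List

# 4. Remove the assignment (select the row and click Remove in the portal). Only the
#    assignment created at this scope is removed; inherited ones are untouched.
Remove-AzRoleAssignment -ObjectId $ari.Id `
    -RoleDefinitionName $RoleName `
    -ResourceGroupName $ResourceGroup

# 5. Confirm nothing created at this scope remains for Ari. Anything still listed is
#    inherited and has to be removed at the scope shown.
Get-AzRoleAssignment -ResourceGroupName $ResourceGroup -ObjectId $ari.Id |
    Where-Object { $_.Scope -like "*/resourceGroups/$ResourceGroup" }
```

Step 5 is the check that most often explains a "user still has access after removal" ticket: Get-AzRoleAssignment at a resource group also returns assignments inherited from the subscription, and those never disappear when you remove at the group. Filtering on Scope separates the two.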
With over 15 years of experience in the IT industry, Eric Leonard is a Microsoft Azure MVP and a Cloud Solution Architect. Eric’s experience working with Microsoft technologies, with a strong emphasis on cloud and automation solutions, enables his clients to succeed in today’s technological environment. Eric has worked for clients in a variety of different industries including large and small enterprises, the public sector, professional services, education, and communications.
When he is not working, Eric believes in sharing his knowledge and giving back to the IT community. He is the co-organizer of the Ottawa IT community meetup, which has over 1,000 members, and he enjoys presenting and mentoring in the community.